Security

Internet Explorer Vulnerabilities Increase 100%

Posted by samzenpus
from the protect-ya-neck dept.
An anonymous reader writes: "Bromium Labs analyzed public vulnerabilities and exploits from the first six months of 2014. The research determined that Internet Explorer vulnerabilities have increased more than 100 percent since 2013, surpassing Java and Flash vulnerabilities. Web browsers have always been a favorite avenue of attack, but we are now seeing that hackers are not only getting better at attacking Internet Explorer, they are doing it more frequently."

  • No actual numbers (Score:5, Insightful)

    by CastrTroy (595695) on Thursday July 24, 2014 @07:29AM (#47521699) Homepage
    Even after looking at the full report, I see no actual numbers for how many vulnerabilities there were. Going from 1 vulnerability to 2 vulnerabilities would have been a 100% increase, without a huge reason for concern. They also state:

    a trend underscored by a progressively shorter time to first patch for its past two releases

    Is time to first patch really a bad thing? It really means that vulnerabilities were found, and that they were fixed quickly. As opposed to vulnerabilities found and not fixed quickly. I suppose it's worse than "no vulnerabilities found" but even if none are found, it doesn't mean they don't exist. Fixing things quickly is about the best thing you can do. It also goes on to say in the report:

    Both IE exploits released in 2014 (CVE-2014-1776, CVE-2014-0322) used Flash to build the ROP chain and launch shellcode

    Which really leads me to believe that the numbers really did go from 1 to 2, and that the exploits were more due to Flash than they were to specific functionality in IE. MS was able to work around the bug by stopping it at the first step, but looks like the exploit isn't possible without Flash.

  • Odd Conclusion (Score:5, Insightful)

    by bveldkamp (1838948) on Thursday July 24, 2014 @07:31AM (#47521707)
    That's an odd conclusion to draw from the report. What it actually says is:

    1. Number of vulnerabilities in IE remains constant from 2013 to 2014, other applications see a decrease
    2. Number of public exploits in IE decreases from 11 to 3 in that same period
    3. Number of days to patch in IE decreases from ~80 to ~5 between IE7 and IE 11
  • Re:Eh? (Score:5, Insightful)

    by SQLGuru (980662) on Thursday July 24, 2014 @07:38AM (#47521747) Journal

    Yeah, even reading the PDF (http://www.bromium.com/sites/default/files/bromium-h1-2014-threat_report.pdf/ [bromium.com]) didn't show any sort of "AAAAAHHHHH!!!! The world is ending!" type of numbers. They show IE decreasing the patch time since 2007. There are charts showing that Zero days are decreasing. The Appendix shows 3 more entries in the National Vulnerability Database. Reporting statistics in percentages without referring to what the percentage is based on is just clickbait.

    All software has holes. Larger use base makes for a bigger target. Blah blah blah. These stories aren't going to change what people use because the common person isn't reading them.

  • by Ol Olsoc (1175323) on Thursday July 24, 2014 @07:39AM (#47521751)

    Even after looking at the full report, I see no actual numbers for how many vulnerabilities there were. Going from 1 vulnerability to 2 vulnerabilities would have been a 100% increase

    and

    Is time to first patch really a bad thing? It really means that vulnerabilities were found, and that they were fixed quickly. As opposed to vulnerabilities found and not fixed quickly. I suppose it's worse than "no vulnerabilities found" but even if none are found, it doesn't mean they don't exist. Fixing things quickly is about the best thing you can do.

    You have convinced me sir. I'm switching to Internet Explorer, the safest most secure browser ever made, with possibly only 1 vulnerability. Have you considered running damage control for disgraced politicians?

  • by oodaloop (1229816) on Thursday July 24, 2014 @07:55AM (#47521845)

    if someone gives you a percentage they are trying to make it better or worse than it actually is.

    And contrariwise, if they give you raw numbers, it's the opposite. That's logic!

  • I also do not understand, those people still using MSIE

    I gather many of them are people at work who lack privileges to install other browsers or to run executables from writable directories. This is reportedly common on government PCs that need to connect to IE-only intranet apps.

  • Re:Odd Conclusion (Score:2, Insightful)

    by Sockatume (732728) on Thursday July 24, 2014 @09:48AM (#47522485)

    If by "astroturf" you mean "readers genuinely confused by a tersely written article and report", then yes. Why are Slashdotters so quick to conclude that Slashdotters are all corporate shills? You would think that Slashdotters of all people would know that Slashdotters aren't.

  • by LordLimecat (1103839) on Thursday July 24, 2014 @01:44PM (#47524213)

    There WAS no 100% increase. The article misinterprets the graph, and the report that it references contradicts its analysis. IE rose from some ~130 vulns to some 140 vulns; that's not 100%, it's like 5%.

    Like Mugato, I feel like I'm taking crazy pills here. Almost no one bothered to fact check the original report, but everyone has an opinion on it. Keep doing what you do, Slashdot.
