Internet Explorer Vulnerabilities Increase 100%
An anonymous reader writes: Bromium Labs analyzed public vulnerabilities and exploits from the first six months of 2014. The research determined that Internet Explorer vulnerabilities have increased more than 100 percent since 2013, surpassing Java and Flash vulnerabilities. Web browsers have always been a favorite avenue of attack, but we are now seeing that hackers are not only getting better at attacking Internet Explorer, they are doing it more frequently.
Eh? (Score:5, Informative)
I can't see where the 100% figure comes from. The report says that IE attacks hit a record high in exploited zero-days in the first half of 2013, but they're now much lower.
Re:Eh? (Score:5, Insightful)
Yeah, even reading the PDF (http://www.bromium.com/sites/default/files/bromium-h1-2014-threat_report.pdf/ [bromium.com]) didn't show any sort of "AAAAAHHHHH!!!! The world is ending!" type of numbers. They show IE decreasing the patch time since 2007. There are charts showing that zero-days are decreasing. The Appendix shows 3 more entries in the National Vulnerability Database. Reporting statistics in percentages without referring to what the percentage is based on is just clickbait.
All software has holes. Larger use base makes for a bigger target. Blah blah blah. These stories aren't going to change what people use because the common person isn't reading them.
Re: (Score:2)
What are you finding unclear about this graphic?
http://www.net-security.org/im... [net-security.org]
Re: Eh? (Score:2)
Did YOU look at the graph? The bars are comparing all of 2013 against the first half of 2014 (obviously, as the second half is in the future). So the fact that IE already matched last year's record is where the 100% figure comes from - it's another way to say "doubled". Unless the second half of 2014 has a lower exploit rate, the conclusion will be correct.
Re: (Score:3)
Shouldn't that be worded "vulnerabilities will have increased 100%, assuming this trend continues" and not "vulnerabilities have increased 100%"? At any rate I'm sure you're right that it's what the article author meant.
Re: (Score:3)
The trend may continue in the future or it may not, but as of right now the amount of vulnerabilities per unit time is twice as much, or 100% more, than in the past.
Eye-balling from the graph, last year averaged ~10 per month, this year is averaging ~20 per month. A 100% increase.
Re: (Score:2)
The number of vulnerabilities per time is not the same as the number of vulnerabilities.
You can't say the number of vulnerabilities has increased 100% by using two measurements of vulnerabilities / time and then normalizing both with respect to time. That gets you a normalized number of vulnerabilities per time, not a normalized number of vulnerabilities.
Re: (Score:2)
Comparing this 6 months to the previous 6 months is a clear doubling, unless you have data to show vulnerabilities only ever occur in the first half of any given year. The graph is a summary of the data, clearly the researchers who have access to the raw data would have told
Re: (Score:2)
It's simple: You can't say an amount has increased by X when you're comparing rates.
If they want to say the number of vulnerabilities increased in a certain period, then they have to compare that to another period of the same length.
Re: (Score:2)
They already mentioned that the timeframe of interest in the first line of the summary was 6 months.
The amount 133 is ~twice as big as 65.
The amount has increased by more than 100%.
Re: (Score:2)
They want to say the number of vulnerabilities increased in a certain period, then they have to compare that to another period of the same length.
Not true. You can work out the average speed of a car over 10 miles and do a straight comparison with another car over 20 miles. There is no difference here. It's simply a rate. You don't need a common divisor.
Re: (Score:2)
They want to say the number of vulnerabilities increased in a certain period, then they have to compare that to another period of the same length.
Not true. You can work out the average speed of a car over 10 miles and do a straight comparison with another car over 20 miles. There is no difference here. It's simply a rate. You don't need a common divisor.
If you have 10 vulnerabilities from January 1st through June 30th of 2014 and you have 10 vulnerabilities from January first through December 31st of 2013, that does not mean the number of vulnerabilities has increased by 100%.
The number of vulnerabilities per time has, but the number has not. Both numbers are 10. 10 is 0% more than 10.
They're making a prediction on the total number of vulnerabilities based on the rate of vulnerabilities. That's fine, and it's pretty safe to assume it will end up being f
Re: (Score:2)
The first 6 months of 2014 has seen a 100% increase in vulnerabilities compared to the previous 6 months.
Neither TFS nor TFA say that. It uses the following numbers for IE.
Year - National Vulnerability Database - Exploit-DB
2013 - 130 - 11
H1-2014 - 133 - 3
They already mentioned that the timeframe of interest in the first line of the summary was 6 months.
Of 2014. They're comparing it to all of 2013.
The amount 133 is ~twice as big as 65.
Where are you getting 65? It's not mentioned anywhere in the report. Here's the report. CTRL+F 65.
The amount has increased by more than 100%.
No, the rate has. The amount in 2014 thus far is a little more than the amount in all of 2013. You can look up all the CVEs for IE and repeat their research and specifically divide 2013 u
Re: (Score:2)
The number of vulnerabilities per time has, but the number has not. Both numbers are 10. 10 is 0% more than 10.
Yeah, that's what a rate is.
They're making a prediction on the total number of vulnerabilities based on the rate of vulnerabilities.
No they're not. You are. There is a point at which language pedantry becomes idiocy you know.
Re: (Score:2)
divide 2013 up into 1st half and 2nd half if you want to compare totals and make that claim regarding totals.
I believe I already did. 130 divided by 2 is 65.
The amount for the first 6 months of 2014 is a 100% or more increase on the amount in the second half of 2013.
Or, the amount for 6 months of 2014 is a 100% or more increase on the corresponding period in 2013.
Take your pick. I'm not sure why you think a 1 year time frame is somehow magical when counting amounts.
Re: (Score:2)
OK I'll admit that I didn't notice the H1 in the graph right away but...
Unless the article author has a time machine you still can't say that the vulnerabilities have increased 100% until they actually have. It would have been better if the author had compared the first half of 2013 to the first half of 2014. At least that way the comparison is grounded in facts not speculation.
Re: (Score:3)
Unless the article author has a time machine you still can't say that the vulnerabilities have increased 100% until they actually have.
The rate has increased precisely 104% already. There is no need for a common divisor when calculating rates.
Re: (Score:2)
The rate last year was 130 vulns per six months. The rate this year is 266 per six months.
Now what are you quibbling about?
Re: Eh? (Score:2)
Looks like Windows XP era browsers and now unsupported browser versions. So it's no surprise since Microsoft took their hands off of the products that all these exploits come out of the woodwork.
No actual numbers (Score:5, Insightful)
Is time to first patch really a bad thing? It really means that vulnerabilities were found, and that they were fixed quickly. As opposed to vulnerabilities found and not fixed quickly. I suppose it's worse than "no vulnerabilities found" but even if none are found, it doesn't mean they don't exist. Fixing things quickly is about the best thing you can do. It also goes on to say in the report
Re:No actual numbers (Score:4, Insightful)
Even after looking at the full report, I see no actual numbers for how many vulnerabilities there were. Going from 1 vulnerability to 2 vulnerabilities would have been a 100% increase
and
Is time to first patch really a bad thing? It really means that vulnerabilities were found, and that they were fixed quickly. As opposed to vulnerabilities found and not fixed quickly. I suppose it's worse than "no vulnerabilities found" but even if none are found, it doesn't mean they don't exist. Fixing things quickly is about the best thing you can do.
You have convinced me sir. I'm switching to Internet Explorer, the safest most secure browser ever made, with possibly only 1 vulnerability. Have you considered running damage control for disgraced politicians?
Re: (Score:2)
Have you considered reading the article before criticizing someone else's analysis of it?
Apparently not.
Re: (Score:2)
Have you considered reading the article before criticizing someone else's analysis of it?
Apparently not.
Have you considered WHOOSH?
But since you didn't quite get it.....
Do you think that IE going from 1 vulnerability to 2 vulnerabilities is somehow, in some way, anywhere even close to the dog's breakfast that IE is? Seriously?
Have you considered that using a quick patch as an indication of the security is ever to be considered a good thing, an excellent example of just how darn secure a browser is? If they made a patch every 15 seconds from here to eternity, it would be proof of the best darn browser, mo
Re: (Score:1)
IE had fewer vulnerabilities last year than Chrome, or Firefox. This year it has more. That's not a slam dunk, or an indication that IE is a dog's breakfast.
IE has been substantially rewritten since the IE6 days, and is a sort-of-decent browser these days. These days it's Firefox that's the dog's breakfast; the only saving grace it has is its low userbase and its strong extension support that can plug some of the glaring holes (like its crappy 1-process architecture, its lack of sandboxing for anything, etc).
Re: (Score:2, Insightful)
There WAS no 100% increase. The article misinterprets the graph, and the report that it references contradicts its analysis. IE rose from some ~130 vulns to some 140 vulns; that's not 100%, it's like 5%.
Like Mugatu, I feel like I'm taking crazy pills here. Almost no one bothered to fact check the original report, but everyone has an opinion on it. Keep doing what you do, slashdot.
Re: (Score:2)
The article, headline, story and comments are all bullshit.
Assuming the graph is not also bullshit, the correct story is that in the first 6 months of 2014 (1H 2014 on the graph), IE has had more vulnerabilities than all of 2013. IF this keeps up, then by the end of 2014, IE will have had more than a 100% increase in the number of vulnerabilities over last year.
Re: (Score:2)
Except that you can't predict the future, so you don't know how many will be reported by the end of 2014. Extrapolation only works when you have a reason to justify it; neither you, nor the article does, and the original paper does not make that (dumb) extrapolation.
Re:No actual numbers (Score:4, Informative)
Looking at the graphic the raw number looks like about 130 for all of 2013, and slightly more for the first half of 2014.
Yes actual numbers (Score:2)
Even after looking at the full report, I see no actual numbers for how many vulnerabilities there were.
How this was modded insightful I'll never know.
Someone must be exploiting a vulnerability in your pdf viewer/browser that is causing it to not work properly (IE maybe), because mine clearly shows it in the appendix at the bottom.
Internet Explorer:
2013 130 vulnerabilities
H1-2014 133 vulnerabilities
New Microsoft CEO (Score:5, Interesting)
Does anyone think there's any chance that the next IE version will simply switch to Blink or WebKit, with a fallback to Trident if the X-UA-Compatible meta is present?
If that happens, Firefox will be the odd one out as far as rendering is concerned.
Re:New Microsoft CEO (Score:4, Interesting)
Microsoft switch IE to use components written by someone else?
I place the likelihood of that as pretty small.
Microsoft have always had a huge case of "Not Invented Here", and I don't see that changing.
Re: (Score:2)
In the past Microsoft may have had an NIH approach, but over the past few years they have significantly changed from that in the developer area - switching from the Microsoft Ajax tools to jQuery, using Json.Net etc etc etc.
Re: (Score:2)
In the past Microsoft may have had an NIH approach, but over the past few years they have significantly changed from that in the developer area - switching from the Microsoft Ajax tools to jQuery, using Json.Net etc etc etc.
I'm not sure either the OP or this one understand what NIH means. It's part of the EEE [wikipedia.org] philosophy. Look for a hot new technology in the consumer space. Identify the leaders in that space. Purchase one of the leaders and modify the technology so that it is no longer 100% compatible with anybody else's version of the tech. Market the hell out of your version and destroy the competition. Internet Explorer [wikipedia.org] was licensed from Spyglass [wikipedia.org] and all versions of IE up to 6 were based on that code. In this case Microsoft w
Re: (Score:2)
I'm not sure what the point of your post is other than a typical bitching about Microsoft's past.
Re: (Score:3)
Microsoft have always had a huge case of "Not Invented Here", and I don't see that changing.
I believe you mean, "Not copied, ripped off, or acquired and gutted here"
Re: (Score:3)
Microsoft switch IE to use components written by someone else?
I place the likelihood of that as pretty small.
Microsoft have always had a huge case of "Not Invented Here", and I don't see that changing.
Considering that IE is based on Mosaic, SQLServer is based on Sybase, etc. etc., I don't think Microsoft has ever really "invented anything here."
Re: (Score:2)
I fourth this post.
Odd Conclusion (Score:5, Insightful)
1. Number of vulnerabilities in IE remains constant from 2013 to 2014, other applications see a decrease
2. Number of public exploits in IE decreases from 11 to 3 in that same period
3. Number of days to patch in IE decreases from ~80 to ~5 between IE7 and IE 11
Re:Odd Conclusion (Score:5, Informative)
We seem to be having a lot of astroturf from MS today.
IE Exploits.
2013 = 130
H1-2014 = 133.
Bearing in mind the year vs half-year, that's a 104% increase. So no, it's not an odd conclusion at all.
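The count-versus-rate argument in the "Eh?" subthread and the 104% figure in this reply both come down to which baseline window the 133 is measured against. The script below is an added example for this thread, not code from Bromium's report; it runs on constructed records (placeholder ids and evenly spread disclosure dates, with totals chosen to match the appendix numbers quoted above: 130 for 2013 and 133 for H1 2014) and reports, for any pair of windows, both the raw-count change that several posters insist on and the per-day-rate change the others are using. It also refuses a zero baseline, the case that makes "an infinite percent" out of a single new finding.

```python
"""Count-vs-rate comparison of vulnerability disclosures over arbitrary windows.

Added example for this thread, not code from Bromium's report. RECORDS is a
constructed data set: placeholder ids and evenly spread dates whose totals
match the appendix figures quoted in the thread (130 for 2013, 133 for H1 2014).
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta
from typing import Tuple


@dataclass(frozen=True)
class Vuln:
    vuln_id: str      # constructed placeholder, not a real CVE identifier
    disclosed: date


Window = Tuple[date, date]  # inclusive start and end

YEAR_2013: Window = (date(2013, 1, 1), date(2013, 12, 31))
H1_2013: Window = (date(2013, 1, 1), date(2013, 6, 30))
H2_2013: Window = (date(2013, 7, 1), date(2013, 12, 31))
H1_2014: Window = (date(2014, 1, 1), date(2014, 6, 30))


def days_in(window: Window) -> int:
    start, end = window
    return (end - start).days + 1


def synthetic_records(window: Window, n: int, prefix: str) -> list[Vuln]:
    """Spread n constructed records evenly across the window (a stand-in for real CVE data)."""
    start, _ = window
    span = days_in(window)
    return [Vuln(f"{prefix}-{i:04d}", start + timedelta(days=(i * span) // n))
            for i in range(n)]


# Constructed data set: totals match the appendix numbers quoted in the thread.
RECORDS: list[Vuln] = (synthetic_records(YEAR_2013, 130, "ie-2013")
                       + synthetic_records(H1_2014, 133, "ie-2014"))


def count_in(records: list[Vuln], window: Window) -> int:
    """Raw number of records disclosed inside the window."""
    start, end = window
    return sum(1 for r in records if start <= r.disclosed <= end)


def percent_change(old: float, new: float) -> float:
    """Relative change in percent; rejects the zero baseline that turns any increase into 'infinite'."""
    if old == 0:
        raise ValueError("percent change is undefined for a zero baseline; report raw counts instead")
    return (new - old) / old * 100.0


def compare_windows(records: list[Vuln], base: Window, new: Window) -> dict[str, float]:
    """Report both the raw-count change and the per-day-rate change between two windows.

    The two figures only agree when the windows are the same length, which is
    exactly the disagreement in the thread.
    """
    base_count, new_count = count_in(records, base), count_in(records, new)
    base_rate, new_rate = base_count / days_in(base), new_count / days_in(new)
    return {
        "base_count": base_count,
        "new_count": new_count,
        "base_days": days_in(base),
        "new_days": days_in(new),
        "count_change_pct": percent_change(base_count, new_count),
        "rate_change_pct": percent_change(base_rate, new_rate),
    }


if __name__ == "__main__":
    for label, base, new in (("all of 2013 vs H1 2014", YEAR_2013, H1_2014),
                             ("H2 2013 vs H1 2014", H2_2013, H1_2014),
                             ("H1 2013 vs H1 2014", H1_2013, H1_2014)):
        r = compare_windows(RECORDS, base, new)
        print(f"{label}: counts {r['base_count']} -> {r['new_count']} "
              f"({r['count_change_pct']:+.1f}%), per-day rate {r['rate_change_pct']:+.1f}%")
```

On this data the full-year baseline gives a raw-count change of about 2% and a per-day-rate change of about 106%; the thread's 104% comes from splitting 130 evenly into two halves of 65, whereas normalising per day gives slightly more because the first half of the year has 181 days rather than 182.5. Only the like-for-like comparison (H1 2013 against H1 2014) makes the two figures coincide, which is the comparison one of the posters above asks for.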
Re: (Score:2, Insightful)
If by "astroturf" you mean "readers genuinely confused by a tersely written article and report", then yes. Why are Slashdotters so quick to conclude that Slashdotters are all corporate shills? You would think that Slashdotters of all people would know that Slashdotters aren't.
Re: (Score:2)
Don't blame it on the writing. There was a chart, and a table at the end, both perfectly clear. And terseness means they were both very easy to find. I expect slashdotters to be able to read a simple bar chart - to read the labels as well as the length of the bars. If they can't, GTFO.
Re: (Score:2)
Don't worry, you're not the only person to fail at reading comprehension while trying to display your mathematical prowess.
Re: (Score:1)
Pfft, as if any Windoze users have IE11 installed. Poppycock! Your figure of "80 days to 5" between "dinosaur" and "current" versions of Internet Explorer are of no relevance. You're clearly in the pay of Micro$haft.
Sensationalist subject (Score:1)
Reporting on a 'percentage increase' in vulnerabilities really doesn't give you an idea of how large of a problem there really is. I didn't read TFA after seeing the garbage headline, but it's probably not worth my time. If there were no vulnerabilities and suddenly there was one, that's an increase of an infinite percent!!! Also, does this mean the number of vulnerabilities increase, or just the ones that people were aware of? Another worthless Microsoft bashing article, nothing to see here. Head on o
A rule of thumb.. (Score:4, Interesting)
If someone gives you a percentage they are trying to make it better or worse than it actually is.
Re:A rule of thumb.. (Score:4, Insightful)
If someone gives you a percentage they are trying to make it better or worse than it actually is.
And contrariwise, if they give you raw numbers, it's the opposite. That's logic!
Re: (Score:2)
Well, around 80% of the time at least. ;-)
Re: (Score:2)
60% of the time, it works EVERY time!
https://www.youtube.com/watch?... [youtube.com]
Re: (Score:2)
If someone mods you up, your post's karma will increase by 33%
Vulnerabilities did not increase (Score:4, Interesting)
Just because you don't know about vulnerabilities, that doesn't mean that they're not there. The vulnerabilities are present in the code before they are discovered.
Having said that, drawing conclusions from vulnerability counts is usually an exercise in futility. There are many factors that affect how many vulnerabilities are discovered and disclosed, including the availability of vulnerability-finding tools, the discovery of novel attack techniques, or simply a critical mass of interest in the security field.
100% Increase (Score:4, Funny)
http://xkcd.com/1102/ [xkcd.com]
Which IE? 4, 5, 6.....10? 11? (Score:1)
Another 'news' article that contains almost nothing.
Still, at least it's not another news article by someone pretending that a reseller of hardware would have no interest in pushing old tin.
Business plan (Score:2)
2. Release report exaggerating "increase in vulnerabilities" in $APPLICATION
3. Profit!
IE dangerous, but useful for now... (Score:1)
I use I.E. for one reason these days. Every company I end up working for has some internal business application that only gets tested and supported on I.E. and this is particularly the case after I lock down Firefox for actual web browsing. These kinds of internal business applications often fail with even minimal security restrictions.
I hold out little hope that apps designed to be run in controlled environments will ever work with a decently locked down browser. The issue is that the most vulnerable busine
US-CERT first post was right at the end :) (Score:2)
http://martin.iturbide.com/2014/04/do-you-trust-us-cert.html
Bromide. (Score:2)
(!) This article appears to be written like an advertisement. Please help improve it by rewriting promotional content from a neutral point of view and removing any inappropriate external links.
Bromium [wikipedia.org]
Microsoft is now counting Flash vulns as IE vulns (Score:3)
Microsoft patches to IE include patches to vulns in Flash - which is embedded in IE. The increase in vulnerabilities is the result of the horrible Flash code.
Re:Surprise! (Score:5, Funny)
Yeah, but no other browser can claim a 100% increase in vulnerabilities!
Take THAT, Apple, Mozilla, Google and Opera!
Re:Surprise! (Score:5, Funny)
Don't worry--those who were responsible for that browser were all just sacked.
... and those who were responsible for sacking the browser writers were all sacked.
Re: (Score:3)
Mynd you, møøse bites Kan be pretti nasti...
Re: (Score:2)
Don't worry--those who were responsible for that browser were all just sacked.
... and those who were responsible for sacking the browser writers were all sacked.
Thankfully, my 401k is heavily invested in many and various Sack businesses ... Retirement here I come!
Re:Surprise! (Score:5, Funny)
I think your post constitutes a 100% increase in the number of times I've heard Opera mentioned this year.
Re:Surprise! (Score:4, Informative)
Neither can IE. It has a ~5-10% increase.
The summary is absolute garbage; it implies that the number of vulnerabilities is doubled (it isn't), that IE security is worse (but public exploits are reduced from last year, and mean time to patch is vastly reduced), and that it's always been worse (last year, Chrome and Firefox had more exploits than IE).
Unsurprisingly, everyone here took the bait.
Re: (Score:3)
Good points. The first thing that I thought when I read the summary was that the only way there could be a 100% increase is if the number of previous vulnerabilities was very small. Finding two vulnerabilities in the same period of time in which one was previously found is a 100% increase. Just like finding 60 when the previous amount was 30 is also a 100% increase.
Re: (Score:2)
Dude, tell us what you really think.
No privileges to install Cr or Fx (Score:4, Insightful)
I also do not understand those people still using MSIE
I gather many of them are people at work who lack privileges to install other browsers or to run executables from writable directories. This is reportedly common on government PCs that need to connect to IE-only intranet apps.
Re: (Score:3)
Recently, at my job, we got an email saying that Firefox was considered "at your own risk", and only those with a business need would be allowed to use it. Luckily, IE choked on one of our sites, and I used that as my justification for FF.
Re: (Score:1)
Posting AC just because...
In a previous life, I was prohibited from installing FF/Chrome in any way whatsoever, as only a certain image was allowed, and everything in the image had to get vetted by a regulation compliance committee, a legal team, a license vetting team, and so on. So, it was MSIE or no browser.
The good news is that Chrome can come as a signed MSI file, and FrontMotion has repackaged FF as a MSI for easy mass pushes.
MSIE has a unique place. In the enterprise, FIPS 140-2 and Common Criteria
Re: (Score:2)
people at work who lack privileges [...] to run executables from writable directories.
There are portable versions of FF & Chrome
These people can't run a "portable version" that the IT department hasn't approved.
Re: (Score:1)
I also do not understand those people still using MSIE
I gather many of them are people at work who lack privileges to install other browsers or to run executables from writable directories. This is reportedly common on government PCs that need to connect to IE-only intranet apps.
Yup. Still at IE8 on my US Gov't workstation. At least they allow us FF now, though the helpdesk is complaining that frequency of FF updates is burdensome to them. Those poor, misguided children have never heard of FF ESR.
Re: (Score:2)
A strength of IE is here - nothing else truly "integrates" as well (in my professional development experience thus far) into intranets internal to corporate environs
Why was this moderated down, other than knee-jerk ad hominem?
Re: (Score:2)
You think that is bad I know someone who is still running Aol.
Re: (Score:1)
Firefox was "more vulnerable" in 2013, and actually for several years post IE9, I believe it was generally considered LESS secure than MSIE due to its lack of common protections (like reduced privilege, sandboxing, etc).
The real surprise here is that people on a tech site continue to use awful metrics for judging things ("works for me", "everyone else hates it, must be bad").
Re: (Score:1)
Samzenpus has always been a crappy, insecure editor who doesn't adhere to journalistic standards of integrity.
Color me unsurprised.
He's always been shit, and most of us keep reading as the site of last resort for nerd stuff which survived a long list of crappy, untrained editors who don't adhere to standards.
Piece of crap.
Slashdot has long since demonstrated they couldn't write a decent article if Rob Malda's life depended on it.
In fact, some day I hope Anonymous Coward's life does depend on /..
See what I did there?
Go read The Fine Article before spouting your nonsense.