IE6 Was Unsafe 284 Days In 2006
An anonymous reader sends us to the Washington Post's Security Fix blog, where Brian Krebs has toted up the total vulnerability days for IE6 users in 2006. From the article: "For a total 284 days in 2006 (or more than nine months out of the year), exploit code for known, unpatched critical flaws in pre-IE7 versions of the browser was publicly available on the Internet. Likewise, there were at least 98 days last year in which no software fixes from Microsoft were available to fix IE flaws that criminals were actively using to steal personal and financial data from users... In contrast, Internet Explorer's closest competitor in terms of market share — Mozilla's Firefox browser — experienced a single period lasting just nine days last year in which exploit code for a serious security hole was posted online before Mozilla shipped a patch to remedy the problem."
I wonder what Windows would add up to. Anyway, goes to show you that Firefox has its bugs, but I bet a lot less than IE6.
Then it might affect people who don't already know it.
"You know you don't act like a scientist, you're more like a game show host." Dana Barret
Consider that this would be less of an issue if IE weren't used by 70-90% (depending on where you look) of web surfers. Most-used and least-secure is a disastrous combination. This is why alternatives are important. If the space broke down at, say, 30% IE, 30% Gecko, 15% Safari, 15% Opera and 10% random, malware authors would have to go to a lot more effort to exploit the majority.
you know the drill.
My bet is that the number that COUNTS is probably larger (also larger for FF), the number of days where there was a vulnerability that was known by malicious groups, just not publicly posted.
Do Or Do Not, There Is No Spoon, There Is Only Zuul. Everything in the above post is probably opinion.
Of course the flip side of this story is that IE6 was safe for 81 days in 2006.
Obviously, the solution is to shorten the year to 81 days.
Push Button, Receive Bacon
1. IE != OpenSource - many eyes are better than few for finding & fixing defects.
2. Desktop integration - across Windows 98, ME, 2000, XP and to a lesser extent Vista.
3. Application integration - there are tonnes of apps written either embedded in IE, or using IE as a view-port to data, screens, etc.
All of the above (and more) make IE6 a bitch to keep updated quickly and easily. Breaking not just a browser, but OS shell, and tied-apps with a dodgy patch isn't an option for Microsoft and they know it (despite the odd rogue update that slips through the net).
throw new NoSignatureException();
My truck was unsafe 365 days. I could have been in an accident on any one of those days!
"All great wisdom is contained in .signature files"
Nothing like a quick Software Restriction Policy to "disallow" the use of IE :-)
I also have to admit that since Firefox 2.0, I can strictly tell my browser which sites to masquerade as IE for.
Quite handy if I do say so myself...
Sarcasm is the recourse of a weak mind...
--
If IE6 was unsafe for nine months out of the year, what did it give birth to? Inquiring minds want to know...
> For a total 284 days in 2006 (or more than nine months out of the year)
Yep, it took them nine months to get that baby.
Have you read my journal today?
While normally I'd agree with you, the article is from the Washington Post, and is very well supported. Not to mention that there is little "bashing" and much more statistical support.
I am by no means a Microsoft hater. I use many of their products (specifically Windows and Office) because they are simply better than the alternatives, even the free ones. However, I am also not a Microsoft zealot, and realize the company has its flaws (not talking about business practices, just software) and IE is one of them. I have been with Firefox for several years now, and while that is not perfect either, it is far superior to IE. That isn't intended to be MS bashing, just the cold, hard truth.
I'd just like to see the piece of code that made a year last more than 265 days :)
Were there only 284 days in 2006? http://developers.slashdot.org/article.pl?sid=06/12/21/1836240/
Unless you count that whole password theft bug as serious. Wasn't that shown to still exist in 2.01?
> I wonder what Windows would add up to
IE and windows are really one big insecurity mash-up that is hard to see individually. Remember the Netscrape lawsuit over bundling IE? When M$ was arguing in court that taking something as insecure as a web browser and tightly integrating it into something that is supposed to be secure like an OS was required for their continued innovation.
Anyway, I think this is absurd. IE6 had a patch available. It was IE7. M$ released IE7 as a "high priority security update" via their built in update process. In the same way that the patch for Firefox was distributed as a later version of the browser through their built in update process. I fail to see the difference. I can see this ending up on slashdot, but the Washington Post really should know better.
> The Washington Post should know better.
Out of how many? Uh?
Rome taught me patience and assiduous application to detail. Virtues which temper the boldness of great, general views.
according to that page, that vulnerability was never patched...
> But how long were vulnerabilities actually LIVE (as in some one was trying to exploit them) in the wild? That is much more interesting to me, everything else is just sorta old hat.
Most likely 365 days out of the year.
This was based on published exploit data only, not private exploits. The people that use those like to keep them quiet so that they remain useful for a longer period of time.
NCSA is the one who wrote IE's core. Specifically, blame Marc Andreessen. But of course Slashdot will Ignore The Truth (tm), as always.
True. Unfortunately, we've got a decade and a half worth of web pages that were built sloppily. Not all of them, but enough to be an issue, especially since many of them are effectively abandoned and don't have anyone to fix the errors. If it had been designed that way from the beginning, it would be feasible, but there's all that legacy data to deal with. Any HTML browser designed to run on the web, and not just on, say a local set of help pages, has to do something with those pages. Dave Hyatt (of Safari fame) made some interesting comments on the issue when discussing XML error handling in browsers -- basically, learning from the consequences of that decision to tolerate HTML errors without specifying how to recover from them.
Things are a bit better with CSS, as there are explicit rules for how to handle broken code (basically, ignore it and skip to the next line). The bigger problem there is handling code that was written to older, broken implementations -- the IE5 box model, for instance -- and trying to determine whether a page was built for the spec or for the broken implementation. This gets into quirks mode, and doctype sniffing, and things get kind of hairy.
(Then there's the fact that HTML and CSS are both designed with extensibility in mind... any unfamiliar tags or attributes in HTML are supposed to be ignored, so an HTML 3.2 browser can still do something useful with an HTML 4.0 page. But that's a slightly different issue.)
At MS it is our commitment to better our security on all our applications. In 2006 we spent over 284 days researching and developing a series of bug fixes for our IE product line. This gave us over 98 days where IE was impenetrable to attackers and didn't require the need for any patches. Mozilla would like to claim that their product is safer than ours, yet they admit themselves that they had a period of 9 days where their browser was highly vulnerable to hackers and exploits. IE offers a web experience unsurpassed by any other browsers, compatible with every major website online today. If you choose to use an alternative browser it will still have flaws, but MS Windows allows you to choose, and having choices is what MS is all about. Would you really not want to have a choice in web browsers? Would you really want to only have Firefox and that be the end all be all to browsers? People need to have a choice, that's part of why this great country of America was founded.
Ave Molech Setting
I use IE for everything and I've never once been hacked by these supposed security holes. I do all kinds of stuff like online banking, eTrade, eBay, online shopping, the works! And it's totally secure because it's all encrypted. Sure, I've had something like $24,000 worth of charges applied to my credit cards that weren't mine, but that wasn't because of IE. That was because I made the mistake of dealing with a few companies that use Linux or some Unix variant (heh, sounds like a disease we're talking about here instead of an OS) for their web portals and they probably got rooted. Open source software is just not safe. The hackers are all over it since it's all out in the open. Once they get a chance to look at how it works, they can easily make it do their bidding. At least Microsoft has the sense to keep stuff private. NO hackers in the entire world could figure any of that stuff out because there just isn't any single person as smart as Bill Gates and his crack team of developers. I wouldn't touch Firefox with a ten foot pole since it's open source. Although they only report the bugs they think they've found, there are probably billions more than MS has in IE because the hackers have a roadmap with open source. It says, "Here's the keys to the kingdom. Come hack me". I Trust MS products because MS is all about making great, innovative software that is secure and robust and stable.
NOTE: The above post is merely a parody of the Windows user who's "got religion". A reasonable Windows user knows better. A reasonable *nix user knows better. Let the games begin...
-"...bad old ideas look confusingly fresh when they are packaged as technology" - Jaron Lanier (Digital Maoism on Edge.o
Replacing Microsoft Internet Explorer 6 Service Pack 1 with Windows Internet Explorer 7 requires replacing Microsoft Windows 2000 Professional with Microsoft Windows XP Professional. Not all users of Windows 2000 want to pay for the patch. Mozilla, on the other hand, plans to continue to make its products compatible with Windows 2000 even through the 3.0 series.
Hmm... all hail the Washington Post for very neutral reporting on this one. Although I am BY NO MEANS a defender of Microsoft I feel we have to put this in perspective. How much market share does Microsoft hold vs. Mozilla? I would imagine that the people trying to find security exploits are for the most part looking at Internet Explorer... not only does it still hugely command market share, but it's also the choice for less savvy users. A little like a virus comparison between say Macs and PCs... it's all a matter of statistics.
This is just more FUD. You can slice and dice statistics to prove almost any point.
That TFA can only document "safe" status regarding known vulnerabilities for IE or real browsers.
Someone needs to report that IE (6 and 7) has had craptastic standards support for 2195 days of this century (as of 4 Jan 2007).
IE has been unsafe every day it has existed. There were no "safe" days, ever.
Funny that you say that as I am here reading Slashdot in IE7 for Windows XP Pro SP2 and it is currently consuming 94MB VM and 79MB RAM with just two tabs open for Slashdot. While whenever I use Firefox 1.5.0.9 at home (yeah, I'm at work) it only consumes 80MB VM and 50MB RAM with 22 tabs open (I read a lot of linear algebra and various other informative resources about OpenGL, along with a Slashdot tab, GarageGames, and of course TorrentFlux going too ;).
So, I have to say that IE7 definitely consumes more memory or it never frees anything, and I've had IE7 process running for only 20 minutes with two tabs right now (slashdot.org and this article) and I leave Firefox 1.5 running 24/7 cause I hate waiting for it to load every morning with so many tabs.
I made thousands of dollars -- more than half my company's gross revenue -- cleaning up spyware in 2006. A lot of it, probably 30% or 40%, was on fully patched machines with current anti-virus software. Almost every time I read about exploit code becoming available for a zero-day vulnerability, my phone starts to ring.
I have one customer who gets hit three or four times a year. Each time, I get $75 to $150 for booting his system to Windows PE and cleaning off the pests. He's running McAfee Enterprise 8.0i (from his job) with all the "Unwanted Programs Policy" settings maxed out, and he still gets hit, and I still get paid. (I think it may be due to his Web surfing habits, but I don't ask and he doesn't tell).
If Microsoft ever delivers a really secure OS and browser, I may need to go get a job... after all the XP machines die off, that is. Since I still see Windows 98 and ME boxes running (some plugged directly into Comcast cable modems), I suspect that will be a few years yet.
I thought it was in the 360 range.
IE6 sucked 365 days out of the year.
sig has been sent away for a few small repairs...
it's unsafe.
Which means it was unsafe for the last 365 days of last year.
I just did another five hour spyware cleaning last night (which still isn't complete). A fifteen-year-old kid managed to bring a Dell PC to its knees over just a few days of browsing the wrong sites.
The kid was visiting the client. The kid has an Apple at home - so he didn't know what he was doing was death to Windows...:-)
Richard Steven Hack - This sig is TOO GODDAMN SHORT TO DO ANYTHING USEFUL WITH! MORONS!
Assuming firefox (2.0.0.1) is open, you are reading this post.
Check memory consumption (windows XP, currently FF consuming 37Mb)
Ctrl-click on "reply to this" 21 times (giving 22 open tabs, 57Mb)
Open each tab, scroll on page.
Close each of 21 tabs (leaving 2, 45mb)
repeat (52mb)
repeat (58mb)
repeat (60mb)
Now I couldn't claim this as somehow exploitable, but it does highlight that behavior during browsing has an effect on the memory usage. Especially when even a quality product has a memory leak.
If the market was free, there would be no monoculture and IE share would be close to 0%. A market for lemons would assure some people would always use IE, but most people would choose the obviously superior offerings. That IE continues to enjoy significant market share is a good indicator of continued anti-competitive practices: threats to vendors, abuse of data formats, hostility to user preference and other abuse.
The real sting is that Microsoft continues to enjoy an OS majority share. They won't for long.
DMCA, Hollings, Palladium. What might have sounded like paranoia is now common sense.
The real surprise was that there were actually days when the browser was safe. I would like to see what the stats on IE7 will be at the end of 2007 http://www.cybertopcops.com/
> My truck was unsafe 365 days. I could have been in an accident on any one of those days!
True, but most people don't. Your truck has a better than four minute half life on any road and far fewer than 90% of all trucks are actually owned by malware that takes them for spins and bank robberies while you are not looking.
Microsoft may not kill as many people as trucks do, but that's not a matter of reliability. The power required to use a computer is not as high as motor vehicles, yet.
http://www.ie7.com/
The author must have forgotten that 2006 was 365 days long, not 284.
It's not my system, Anonymous Coward, it's his. I didn't build it, sell it to him, or install it. He does what he wants with it; I am paid only to fix it and make recommendations.
You must be an idiot, if you don't understand that.
Man, the glass is always half empty for some people. How 'bout "IE6 was risk free for double-digit days in '06!"
> Mozilla's Firefox browser -- experienced a single period lasting just nine days last year in which exploit code for a serious security hole was posted online before Mozilla shipped a patch to remedy the problem.
;)
It's worth noting that I'm betting that nine days was only how long it took for Mozilla to ship the "official" patch to "official" places...I'll bet a number of distros had downstream patches available (at least for submission) within 24 hours.
For anyone doubting ESR's written claim about FOSS's superior ability to squash bugs, you only need to take note of examples like this to know that he was right. Given enough eyeballs, all bugs are indeed shallow.
*Dodges tomatoes headed in my direction with cries of "slavish, unquestioning fanboy!"*
You're making the assumption that the memory usage SHOULD be the same. There could be all sorts of dirty data structures that don't get cleaned up immediately even when they're invalidated. What you should do is to repeat those steps until 1) the memory usage stays the same, or 2) the program crashes
If 1) occurs, then it isn't leaking.
If 2) occurs, then you can factor in time, and see if memory usage and behavior varies by that. If time isn't a factor, then I would look at the number of times it takes to crash firefox, make a value judgement about whether or not a user is likely to reproduce it, and rank the importance of the leak in that context.
I know that people like to imagine that complicated pieces of software should be bulletproof to the point of perfection, but I think it's better to think of it as an evolving organism. You're always going to have your quirky vestigial/legacy features, your annoying design flaws, and some outright fatal viruses. To stay on that analogy and bring it back around to the point of this story, Firefox is developing resistances to diseases quicker than IE.
It's called a "cache".
Get the "CacheStatus" extension, and you can manage how much cache you want FF to use.
Guess what folks! Connecting your computer to the internet was unsafe 365 days last year!
Firefox - far superior? Get real. This is a simple to understand reason why Firefox isn't even a complete browser: It doesn't support ActiveX or ASP technology. It's easier to say you have a more secure browser if you just don't include certain features of a browser. I can say I have the most secure browser but in fine print I'll write except we don't support Java, JavaScript, ASP, JSP, ActiveX, ASP, XML, or any other language I missed but HTML.
Check this out: http://news.com.com/Hackers+claim+zero-day+flaw+in+Firefox/2100-1002_3-6121608.html
I love this quote too:
"The hackers claim they know of about 30 unpatched Firefox flaws. They don't plan to disclose them, instead holding onto the bugs."
Flamebait? Predictable. Pfftph. LMAO @ koh for making me his virtual foe.
Thank god it wasn't a leap year!