IE6 Was Unsafe 284 Days In 2006
An anonymous reader sends us to the Washington Post's Security Fix blog, where Brian Krebs has toted up the total vulnerability days for IE6 users in 2006. From the article: "For a total 284 days in 2006 (or more than nine months out of the year), exploit code for known, unpatched critical flaws in pre-IE7 versions of the browser was publicly available on the Internet. Likewise, there were at least 98 days last year in which no software fixes from Microsoft were available to fix IE flaws that criminals were actively using to steal personal and financial data from users... In contrast, Internet Explorer's closest competitor in terms of market share — Mozilla's Firefox browser — experienced a single period lasting just nine days last year in which exploit code for a serious security hole was posted online before Mozilla shipped a patch to remedy the problem."
Nothing like a quick Software Restriction Policy to "disallow" the use of IE :-)
I also have to admit that since Firefox 2.0, I can strictly tell my browser which sites to masquerade as IE.
Quite handy if I do say so myself...
Sarcasm is the recourse of a weak mind...
--
While normally I'd agree with you, the article is from the Washington Post, and is very well supported. Not to mention that there is little "bashing" and much more statistical support.
I am by no means a Microsoft hater. I use many of their products (specifically Windows and Office) because they are simply better than the alternatives, even the free ones. However, I am also not a Microsoft zealot, and realize the company has its flaws (not talking about business practices, just software) and IE is one of them. I have been with Firefox for several years now, and while that is not perfect either, it is far superior to IE. That isn't intended to be MS bashing, just the cold, hard truth.
Student Manager - Take control of your education!
True. Unfortunately, we've got a decade and a half worth of web pages that were built sloppily. Not all of them, but enough to be an issue, especially since many of them are effectively abandoned and don't have anyone to fix the errors. If it had been designed that way from the beginning, it would be feasible, but there's all that legacy data to deal with. Any HTML browser designed to run on the web, and not just on, say, a local set of help pages, has to do something with those pages. Dave Hyatt (of Safari fame) made some interesting comments on the issue when discussing XML error handling in browsers -- basically, learning from the consequences of that decision to tolerate HTML errors without specifying how to recover from them.
Things are a bit better with CSS, as there are explicit rules for how to handle broken code (basically, ignore it and skip to the next line). The bigger problem there is handling code that was written to older, broken implementations -- the IE5 box model, for instance -- and trying to determine whether a page was built for the spec or for the broken implementation. This gets into quirks mode, and doctype sniffing, and things get kind of hairy.
(Then there's the fact that HTML and CSS are both designed with extensibility in mind... any unfamiliar tags or attributes in HTML are supposed to be ignored, so an HTML 3.2 browser can still do something useful with an HTML 4.0 page. But that's a slightly different issue.)
Replacing Microsoft Internet Explorer 6 Service Pack 1 with Windows Internet Explorer 7 requires replacing Microsoft Windows 2000 Professional with Microsoft Windows XP Professional. Not all users of Windows 2000 want to pay for the patch. Mozilla, on the other hand, plans to continue to make its products compatible with Windows 2000 even through the 3.0 series.
The idea is you post it without the disclaimer and laugh at all the flames ;-)
it's unsafe.
Which means it was unsafe for the last 365 days of last year.
I just did another five hour spyware cleaning last night (which still isn't complete). A fifteen-year-old kid managed to bring a Dell PC to its knees over just a few days of browsing the wrong sites.
The kid was visiting the client. The kid has an Apple at home - so he didn't know what he was doing was death to Windows...:-)
Richard Steven Hack - This sig is TOO GODDAMN SHORT TO DO ANYTHING USEFUL WITH! MORONS!