IE6 Was Unsafe 284 Days In 2006
An anonymous reader sends us to the Washington Post's Security Fix blog, where Brian Krebs has toted up the total vulnerability days for IE6 users in 2006. From the article: "For a total 284 days in 2006 (or more than nine months out of the year), exploit code for known, unpatched critical flaws in pre-IE7 versions of the browser was publicly available on the Internet. Likewise, there were at least 98 days last year in which no software fixes from Microsoft were available to fix IE flaws that criminals were actively using to steal personal and financial data from users... In contrast, Internet Explorer's closest competitor in terms of market share — Mozilla's Firefox browser — experienced a single period lasting just nine days last year in which exploit code for a serious security hole was posted online before Mozilla shipped a patch to remedy the problem."
Then it might affect people who don't already know it.
"You know, you don't act like a scientist, you're more like a game show host." Dana Barrett
Consider that this would be less of an issue if IE weren't used by 70-90% (depending on where you look) of web surfers. Most-used and least-secure is a disastrous combination. This is why alternatives are important. If the space broke down at, say, 30% IE, 30% Gecko, 15% Safari, 15% Opera and 10% random, malware authors would have to go to a lot more effort to exploit the majority.
Completely different approach, though. It's not "integrated into the OS" as such, it's just a wrapper for other functionality which it calls upon as and when necessary. The effect is very similar from where the user's sitting, but underneath there's a clear separation between it and the components it provides an outlet for. Personally I think it's rather elegant.
They live in the wild for as long as the product has been shipping, of course. Unfortunately, that's not a useful number. Products ship with bugs, known and unknown to their developers. A "secure" product may eventually become "insecure" because new techniques were developed. (Yes, differing companies/groups have different methodologies/standards/reputations for producing and shipping secure products, but that's a separate discussion altogether.)
A theoretically useful number would be the number of days from when an exploit was exploited until it was patched, except we would never know this first number. Sure, we may eventually track down through legal means when a petty criminal first used an exploit. But the real worry isn't the punks skimming for CC numbers, it's the foreign powers, corporate espionage, SPECTRE agents and the like. And they get away with it without it ever being public. So you just can't get this number.
The only two possible numbers that we ("we" being "the good guys", or at least "the general public") can reasonably come up with are the number of days that publicly-known problems are unresolved, and the number of days between when a vendor is notified of a problem and when it is resolved. The latter would be hard, if possible at all, to get with any level of reliability and consistency. "When were we notified? When the message was sent? When our systems received it? When our lawyers reviewed it? When a developer reviewed it? When the CAB came out with a recommendation?"
The only date measuring the beginning-of-badness that can be developed independently, and consistently, is the date of public notification.
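An added example (not from the Krebs article or from the commenter above) of how a "days of exposure" tally like the one in the summary is actually computed once you accept the public-disclosure date as the start of each window: each flaw contributes an interval from disclosure to patch, the intervals are clipped to the calendar year, and overlapping intervals are merged so a day with two open flaws counts once. The flaw names and dates below are constructed for illustration and are not the real 2006 IE flaws; the year bounds and the `[disclosed, patched)` half-open convention are assumptions of this example.

```python
from datetime import date, timedelta

# Constructed sample data: (label, public disclosure date, patch date or None).
# These are NOT the flaws Krebs counted; they are made up to exercise the
# overlap, same-day-patch and still-unpatched-at-year-end cases.
SAMPLE_WINDOWS = [
    ("flaw-A", date(2006, 1, 10), date(2006, 2, 20)),
    ("flaw-B", date(2006, 2, 1), date(2006, 3, 15)),   # overlaps flaw-A
    ("flaw-C", date(2006, 6, 1), date(2006, 6, 1)),    # patched same day: 0 days
    ("flaw-D", date(2006, 12, 20), None),              # unpatched at year end
]

YEAR_START = date(2006, 1, 1)   # assumed reporting period
YEAR_END = date(2006, 12, 31)


def clipped_intervals(windows, year_start, year_end):
    """Turn each (label, disclosed, patched) into a half-open [start, end)
    interval clipped to the reporting year. A None patch date means the
    window stays open through the last day of the year."""
    day_after_year = year_end + timedelta(days=1)
    out = []
    for _, disclosed, patched in windows:
        start = max(disclosed, year_start)
        end = day_after_year if patched is None else min(patched, day_after_year)
        if end > start:          # drop windows entirely outside the year or zero-length
            out.append((start, end))
    return out


def naive_days(windows, year_start, year_end):
    """Sum of per-flaw window lengths. Double counts days on which more than
    one flaw was open, so it overstates exposure."""
    return sum((e - s).days for s, e in clipped_intervals(windows, year_start, year_end))


def exposure_days(windows, year_start, year_end):
    """Number of distinct days in the year on which at least one disclosed,
    unpatched flaw existed: merge overlapping intervals, then sum lengths."""
    intervals = sorted(clipped_intervals(windows, year_start, year_end))
    total = 0
    cur_start = cur_end = None
    for s, e in intervals:
        if cur_end is None or s > cur_end:
            # gap before this interval: close out the current merged run
            if cur_end is not None:
                total += (cur_end - cur_start).days
            cur_start, cur_end = s, e
        else:
            # overlaps or abuts the current run: extend it
            cur_end = max(cur_end, e)
    if cur_end is not None:
        total += (cur_end - cur_start).days
    return total


if __name__ == "__main__":
    print("naive sum of windows:", naive_days(SAMPLE_WINDOWS, YEAR_START, YEAR_END))
    print("distinct exposed days:", exposure_days(SAMPLE_WINDOWS, YEAR_START, YEAR_END))
```

On the constructed data the naive per-flaw sum is 95 days while the merged count is 76, because flaw-A and flaw-B overlap for 19 days. Whichever convention a tally uses, it should say so; "284 days" only means something if overlapping flaws are counted once, and the clipping rule for flaws still open at year end is stated.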
You mean troll?