IE6 Was Unsafe 284 Days In 2006
An anonymous reader sends us to the Washington Post's Security Fix blog, where Brian Krebs has toted up the total vulnerability days for IE6 users in 2006. From the article: "For a total 284 days in 2006 (or more than nine months out of the year), exploit code for known, unpatched critical flaws in pre-IE7 versions of the browser was publicly available on the Internet. Likewise, there were at least 98 days last year in which no software fixes from Microsoft were available to fix IE flaws that criminals were actively using to steal personal and financial data from users... In contrast, Internet Explorer's closest competitor in terms of market share — Mozilla's Firefox browser — experienced a single period lasting just nine days last year in which exploit code for a serious security hole was posted online before Mozilla shipped a patch to remedy the problem."
you know the drill.
My bet is that the number that COUNTS is probably larger (also larger for FF), the number of days where there was a vulnerability that was known by malicious groups, just not publicly posted.
Do Or Do Not, There Is No Spoon, There Is Only Zuul. Everything in the above post is probably opinion.
1. IE != OpenSource - many eyes are better than few for finding & fixing defects.
2. Desktop integration - across Windows 98, ME, 2000, XP and to a lesser extent Vista.
3. Application integration - there are tonnes of apps written either embedded in IE, or using IE as a view-port to data, screens, etc.
All of the above (and more) make IE6 a bitch to keep updated quickly and easily. Breaking not just a browser, but OS shell, and tied-apps with a dodgy patch isn't an option for Microsoft and they know it (despite the odd rogue update that slips through the net).
throw new NoSignatureException();
I wonder what Windows would add up to.
IE and Windows are really one big insecurity mash-up that is hard to see individually. Remember the Netscrape lawsuit over bundling IE? When M$ was arguing in court that taking something as insecure as a web browser and tightly integrating it into something that is supposed to be secure like an OS was required for their continued innovation.
Anyway, I think this is absurd. IE6 had a patch available. It was IE7. M$ released IE7 as a "high priority security update" via their built in update process. In the same way that the patch for Firefox was distributed as a later version of the browser through their built in update process. I fail to see the difference. I can see this ending up on slashdot, but the Washington Post really should know better.
> But how long were vulnerabilities actually LIVE (as in some one was trying to exploit them) in the wild? That is much more interesting to me, everything else is just sorta old hat.
Most likely 365 days out of the year.
This was based on published exploit data only, not private exploits. The people that use those like to keep them quiet so that they remain useful for a longer period of time.