
IE6 Was Unsafe 284 Days In 2006

An anonymous reader sends us to the Washington Post's Security Fix blog, where Brian Krebs has toted up the total vulnerability days for IE6 users in 2006. From the article: "For a total 284 days in 2006 (or more than nine months out of the year), exploit code for known, unpatched critical flaws in pre-IE7 versions of the browser was publicly available on the Internet. Likewise, there were at least 98 days last year in which no software fixes from Microsoft were available to fix IE flaws that criminals were actively using to steal personal and financial data from users... In contrast, Internet Explorer's closest competitor in terms of market share — Mozilla's Firefox browser — experienced a single period lasting just nine days last year in which exploit code for a serious security hole was posted online before Mozilla shipped a patch to remedy the problem."

23 of 137 comments

  1. I hope stuff like this makes the paper by RiotXIX · · Score: 5, Insightful

    Then it might affect people who don't already know it.

    --
    "You know you don't act like a scientist, you're more like a game show host." Dana Barret
  2. Hazards of monoculture by Kelson · · Score: 4, Insightful

    Consider that this would be less of an issue if IE weren't used by 70-90% (depending on where you look) of web surfers. Most-used and least-secure is a disastrous combination. This is why alternatives are important. If the space broke down at, say, 30% IE, 30% Gecko, 15% Safari, 15% Opera and 10% random, malware authors would have to go to a lot more effort to exploit the majority.

  3. Nothing to see here... by Thansal · · Score: 4, Interesting

    You know the drill.

    My bet is that the number that COUNTS is probably larger (also larger for FF), the number of days where there was a vulnerability that was known by malicious groups, just not publicly posted.

    --
    Do Or Do Not, There Is No Spoon, There Is Only Zuul. Everything in the above post is probably opinion.
    1. Re:Nothing to see here... by T-Ranger · · Score: 3, Insightful

      They live in the wild for as long as the product has been shipping, of course. Unfortunately, that's not a useful number. Products ship with bugs, known and unknown to their developers. A "secure" product may eventually become "insecure" because new techniques were developed. (Yes, differing companies/groups have different methodologies/standards/reputations for producing and shipping secure products, but that's a separate discussion altogether.)

      A theoretically useful number would be the number of days from when an exploit was exploited until it was patched, except we would never know this first number. Sure, we may eventually track down through legal means when a petty criminal first used an exploit. But the real worry isn't the punks skimming for CC numbers, it's the foreign powers, corporate espionage, SPECTRE agents and the like. And they get away with it without it ever being public. So you just can't get this number.

      The only two possible numbers that we ("we" being "the good guys", or at least "the general public") can reasonably come up with are the number of days that publicly-known problems are unresolved, and the number of days before a vendor is notified of a problem, before it is resolved. The latter would be hard, if possible at all, to get with any level of reliability and consistency. "When were we notified? When the message was sent? When our systems received it? When our lawyers reviewed it? When a developer reviewed it? When the CAB came out with a recommendation?"

      The only date measuring the beginning-of-badness that can be developed independently, and consistently, is the date of public notification.

  4. all a matter of perspective by macadamia_harold · · Score: 5, Funny

    IE6 Was Unsafe 284 Days In 2006

    Of course the flip side of this story is that IE6 was safe for 81 days in 2006.

    Obviously, the solution is to shorten the year to 81 days.

    1. Re:all a matter of perspective by peeg · · Score: 2

      Hey now, that's almost 3 months of safety. That's like a record for IE.

  5. There are three main factors for this by Toreo+asesino · · Score: 5, Interesting

    1. IE != OpenSource - many eyes are better than few for finding & fixing defects.

    2. Desktop integration - across Windows 98, ME, 2000, XP and to a lesser extent Vista.

    3. Application integration - there are tonnes of apps written either embedded in IE, or using IE as a view-port to data, screens, etc.

    All of the above (and more) make IE6 a bitch to keep updated quickly and easily. Breaking not just a browser, but OS shell, and tied-apps with a dodgy patch isn't an option for Microsoft and they know it (despite the odd rogue update that slips through the net).

    --
    throw new NoSignatureException();
    1. Re:There are three main factors for this by HappySqurriel · · Score: 3, Interesting

      In my opinion, one of the biggest problems Microsoft faces is that web-page structure and syntax is not handled the same way a C++ program's structure and syntax are (as an example); you can make hundreds of syntax and structural mistakes in HTML, CSS and Javascript and IE will still attempt to display your page. I could be wrong, but I heard a couple of years ago that the majority of code in web browsers was not dealing with displaying correct HTML but was dealing with correcting mistakes to display a page. If IE could simply not display incorrect HTML and CSS the code base should be far smaller, which in turn should make it easier to maintain and probably more secure.

    2. Re:There are three main factors for this by dennypayne · · Score: 2, Interesting

      You can't just expect people to go and recode all their webpages so that they don't have invalid HTML in there. Why not? Why do we always reward mediocrity? Denny

      --
      Erecting the wall of separation between church and state is absolutely essential in a free society. - Thomas Jefferson
  6. That's nothing by hellfire · · Score: 2, Funny

    My truck was unsafe 365 days. I could have been in an accident on any one of those days!

    --
    "All great wisdom is contained in .signature files"

  7. This is why I used SetSAFER by reh187 · · Score: 3, Informative

    Nothing like a quick Software Restriction Policy to "disallow" the use of IE :-)

    I also have to admit, that since FireFox 2.0, I can strictly tell my browser which sites to masquerade as IE on.

    Quite handy if I do say so myself...

    --
    Sarcasm is the recourse of a weak mind...
  8. What does this mean? by __aaclcg7560 · · Score: 3, Funny

    If IE6 was unsafe for nine months out of the year, what did it give birth to? Inquiring minds want to know...

    1. Re:What does this mean? by Aqua_boy17 · · Score: 2, Funny

      So THAT's where the Zune came from.

      --
      What if the Hokey Pokey really is what it's all about?
  9. Re:Imagine that.. by ubergenius · · Score: 3, Informative

    While normally I'd agree with you, the article is from the Washington Post, and is very well supported. Not to mention that there is little "bashing" and much more statistical support.

    I am by no means a Microsoft hater. I use many of their products (specifically Windows and Office) because they are simply better than the alternatives, even the free ones. However, I am also not a Microsoft zealot, and realize the company has its flaws (not talking about business practices, just software) and IE is one of them. I have been with Firefox for several years now, and while that is not perfect either, it is far superior to IE. That isn't intended to be MS bashing, just the cold, hard truth.

    --
    Student Manager - Take control of your education!
  10. Re:I wonder by Anonymous Coward · · Score: 2, Funny

    Are you basing that on anything scientific? No. Just an uninformed opinion.

    Welcome to Slashdot. Try the ramen.

  11. Dealing with broken code by Kelson · · Score: 3, Informative

    If IE could simply not display incorrect HTML and CSS the code base should be far smaller, which in turn should make it easier to maintain and probably more secure.

    True. Unfortunately, we've got a decade and a half's worth of web pages that were built sloppily. Not all of them, but enough to be an issue, especially since many of them are effectively abandoned and don't have anyone to fix the errors. If it had been designed that way from the beginning, it would be feasible, but there's all that legacy data to deal with. Any HTML browser designed to run on the web, and not just on, say, a local set of help pages, has to do something with those pages. Dave Hyatt (of Safari fame) made some interesting comments on the issue when discussing XML error handling in browsers -- basically, learning from the consequences of that decision to tolerate HTML errors without specifying how to recover from them.

    Things are a bit better with CSS, as there are explicit rules for how to handle broken code (basically, ignore it and skip to the next line). The bigger problem there is handling code that was written to older, broken implementations -- the IE5 box model, for instance -- and trying to determine whether a page was built for the spec or for the broken implementation. This gets into quirks mode, and doctype sniffing, and things get kind of hairy.

    (Then there's the fact that HTML and CSS are both designed with extensibility in mind... any unfamiliar tags or attributes in HTML are supposed to be ignored, so an HTML 3.2 browser can still do something useful with an HTML 4.0 page. But that's a slightly different issue.)
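    The two behaviours described in the post above, modelled as an added example (not code from the thread or from any browser engine): CSS error recovery, where a malformed declaration is dropped and parsing resumes after the next semicolon, and the W3C versus IE5 "quirks" box model. The quirks/standards decision is a deliberately simplified stand-in for real doctype sniffing; its rule and the sample inputs are assumptions constructed for illustration.

```javascript
// Added example, not code from the thread or from any browser engine.
// Models CSS declaration error recovery and the W3C vs IE5 box model.

// Parse a declaration block such as "width: 200px; color red; padding: 10px".
// Only well-formed "property: value" pairs survive; anything else is ignored
// up to the next semicolon, which is the recovery rule the post refers to.
function parseDeclarations(block) {
  const out = {};
  for (const chunk of block.split(";")) {
    const m = /^\s*([a-z-]+)\s*:\s*(\S.*?)\s*$/i.exec(chunk);
    if (!m) continue;                 // malformed: skip to the next declaration
    out[m[1].toLowerCase()] = m[2];
  }
  return out;
}

// Simplified mode decision (an assumption, not the real sniffing tables):
// no doctype at all, or an HTML 4.01 Transitional doctype with no system
// URL, selects quirks mode; everything else selects standards mode.
function renderingMode(html) {
  const m = /<!DOCTYPE\s+html(\s[^>]*)?>/i.exec(html);
  if (!m) return "quirks";
  const rest = (m[1] || "").toLowerCase();
  if (/transitional/.test(rest) && !/"http:\/\//.test(rest)) return "quirks";
  return "standards";
}

function px(v) { return v === undefined ? 0 : parseFloat(v); }

// Total horizontal space a block occupies, given the surviving declarations.
function renderedWidth(mode, decls) {
  const width = px(decls.width);
  const pad = px(decls.padding);
  const border = px(decls["border-width"]);
  if (mode === "quirks") return width;   // IE5: declared width already includes padding and border
  return width + 2 * pad + 2 * border;   // W3C: declared width is content only; extras are added
}

// Constructed sample inputs (not taken from any real page).
const SAMPLE_CSS = "width: 200px; color red; padding: 10px; border-width: 2px;";
const NO_DOCTYPE = "<html><body></body></html>";
const STRICT_DOCTYPE =
  '<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"><html></html>';
const TRANSITIONAL_NO_URL =
  '<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"><html></html>';
```

    The same declared width yields 200px in quirks mode but 224px in standards mode, which is exactly the ambiguity the post says doctype sniffing exists to resolve.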

  12. Lobbyist hat on by greymond · · Score: 2, Funny

    At MS it is our commitment to better our security on all our applications. In 2006 we spent over 284 days researching and developing a series of bug fixes for our IE product line. This gave us over 98 days where IE was impenetrable to attackers and didn't require the need for any patches. Mozilla would like to claim that their product is safer than ours, yet they admit themselves that they had a period of 9 days where their browser was highly vulnerable to hackers and exploits. IE offers a web experience unsurpassed by any other browsers, compatible with every major website online today. If you choose to use an alternative browser it will still have flaws, but MS Windows allows you to choose, and having choices is what MS is all about. Would you really not want to have a choice in web browsers? Would you really want to only have Firefox and that be the end all be all to browsers? People need to have a choice, that's part of why this great country of America was founded.

  13. I'M A WINDOWS GUY by eno2001 · · Score: 3, Funny

    I use IE for everything and I've never once been hacked by these supposed security holes. I do all kinds of stuff like online banking, eTrade, eBay, online shopping, the works! And it's totally secure because it's all encrypted. Sure, I've had something like $24,000 worth of charges applied to my credit cards that weren't mine, but that wasn't because of IE. That was because I made the mistake of dealing with a few companies that use Linux or some Unix variant (heh, sounds like a disease we're talking about here instead of an OS) for their web portals and they probably got rooted. Open source software is just not safe. The hackers are all over it since it's all out in the open. Once they get a chance to look at how it works, they can easily make it do their bidding. At least Microsoft has the sense to keep stuff private. NO hackers in the entire world could figure any of that stuff out because there just isn't any single person as smart as Bill Gates and his crack team of developers. I wouldn't touch Firefox with a ten foot pole since it's open source. Although they only report the bugs they think they've found, there are probably billions more than MS has in IE because the hackers have a roadmap with open source. It says, "Here's the keys to the kingdom. Come hack me". I trust MS products because MS is all about making great, innovative software that is secure and robust and stable.

    NOTE: The above post is merely a parody of the Windows user who's "got religion". A reasonable Windows user knows better. A reasonable *nix user knows better. Let the games begin...

    --
    -"...bad old ideas look confusingly fresh when they are packaged as technology" - Jaron Lanier (Digital Maoism on Edge.o
    1. Re:I'M A WINDOWS GUY by cyber-vandal · · Score: 2, Informative

      The idea is you post it without the disclaimer and laugh at all the flames ;-)

    2. Re:I'M A WINDOWS GUY by Abcd1234 · · Score: 2, Insightful

      You mean troll?

  14. No IE 7 for Windows 2000 by tepples · · Score: 2, Informative

    Anyway, I think this is absurd. IE6 had a patch available. It was IE7

    Replacing Microsoft Internet Explorer 6 Service Pack 1 with Windows Internet Explorer 7 requires replacing Microsoft Windows 2000 Professional with Microsoft Windows XP Professional. Not all users of Windows 2000 want to pay for the patch. Mozilla, on the other hand, plans to continue to make its products compatible with Windows 2000 even through the 3.0 series.

  15. Re:This article is absurd by Bertie · · Score: 2, Insightful

    Completely different approach, though. It's not "integrated into the OS" as such, it's just a wrapper for other functionality which it calls upon as and when necessary. The effect is very similar from where the user's sitting, but underneath there's a clear separation between it and the components it provides an outlet for. Personally I think it's rather elegant.

  16. As Long As IE Runs ActiveX by Master+of+Transhuman · · Score: 2, Informative

    it's unsafe.

    Which means it was unsafe for the last 365 days of last year.

    I just did another five hour spyware cleaning last night (which still isn't complete). A fifteen-year-old kid managed to bring a Dell PC to its knees over just a few days of browsing the wrong sites.

    The kid was visiting the client. The kid has an Apple at home - so he didn't know what he was doing was death to Windows...:-)

    --
    Richard Steven Hack - This sig is TOO GODDAMN SHORT TO DO ANYTHING USEFUL WITH! MORONS!