Slashdot Mirror


Internet Explorer Vulnerabilities Increase 100%

An anonymous reader writes Bromium Labs analyzed public vulnerabilities and exploits from the first six months of 2014. The research determined that Internet Explorer vulnerabilities have increased more than 100 percent since 2013, surpassing Java and Flash vulnerabilities. Web browsers have always been a favorite avenue of attack, but we are now seeing that hackers are not only getting better at attacking Internet Explorer, they are doing it more frequently.

137 comments

  1. Re:Surprise! by ArcadeMan · · Score: 5, Funny

    Yeah, but no other browser can claim a 100% increase in vulnerabilities!

    Take THAT, Apple, Mozilla, Google and Opera!

  2. Re:Surprise! by sproketboy · · Score: 1

    Dude, tell us what you really think.

  3. Eh? by Sockatume · · Score: 4, Informative

    I can't see where the 100% figure comes from. The report says that IE attacks hit a record high in exploited zero-days in the first half of 2013, but they're now much lower.

    --
    No kidding!!! What do you say at this point?
    1. Re:Eh? by SQLGuru · · Score: 4, Insightful

      Yeah, even reading the PDF (http://www.bromium.com/sites/default/files/bromium-h1-2014-threat_report.pdf/) didn't show any sort of "AAAAAHHHHH!!!! The world is ending!" type of numbers. They show IE decreasing the patch time since 2007. There are charts showing that Zero days are decreasing. The Appendix shows 3 more entries in the National Vulnerability Database. Reporting statistics in percentages without referring to what the percentage is based on is just clickbait.

      All software has holes. Larger use base makes for a bigger target. Blah blah blah. These stories aren't going to change what people use because the common person isn't reading them.

    2. Re: Eh? by Chewbacon · · Score: 1

      Looks like Windows XP era browsers and now unsupported browser versions. So it's no surprise since Microsoft took their hands off of the products that all these exploits come out of the woodwork.

      --
      Chewbacon
      The Bible is like Wikipedia: written by a bunch of people and verifiable by questionable sources.
    3. Re:Eh? by BasilBrush · · Score: 2

      What are you finding unclear about this graphic?

      http://www.net-security.org/im...

    4. Re:Eh? by Rhipf · · Score: 0

      Did you even look at that graph?
      It does show a slight increase for IE but definitely not 100%.
      At best this shows an increase from ~125 vulnerabilities to ~135. That's ~10% not 100%.

    5. Re: Eh? by IamTheRealMike · · Score: 1

      Did YOU look at the graph? The bars are comparing all of 2013 against the first half of 2014 (obviously, as the second half is in the future). So the fact that IE already matched last year's record is where the 100% figure comes from - it's another way to say "doubled". Unless the second half of 2014 has a lower exploit rate then the conclusion will be correct.

    6. Re: Eh? by Sockatume · · Score: 2

      Shouldn't that be worded "vulnerabilities will have increased 100%, assuming this trend continues" and not "vulnerabilities have increased 100%"? At any rate I'm sure you're right that it's what the article author meant.

      --
      No kidding!!! What do you say at this point?
    7. Re: Eh? by Rhipf · · Score: 2

      OK I'll admit that I didn't notice the H1 in the graph right away but...

      Unless the article author has a time machine you still can't say that the vulnerabilities have increased 100% until they actually have. It would have been better if the author had compared the first half of 2013 to the first half of 2014. At least that way the comparison is grounded in facts not speculation.

    8. Re:Eh? by IRGlover · · Score: 1

      the graph compares all of 2013 with the first half of 2014. The implication being that, if so far this year there have been as many vulnerabilities as all of last year, then by the end of the year there will be twice as many. It is very poor analysis as there might be no more bugs found this year, a million bugs found this year, or something in between.

    9. Re: Eh? by crimson+tsunami · · Score: 2

      No they really have already increased 100%.
      The trend may continue in the future or it may not, but as of right now the amount of vulnerabilities per unit time is twice as much, or 100% more, than in the past.
      Eye-balling from the graph, last year averaged ~10 per month, this year is averaging ~20 per month. A 100% increase.

    10. Re: Eh? by sexconker · · Score: 1

      The number of vulnerabilities per time is not the same as the number of vulnerabilities.
      You can't say the number of vulnerabilities has increased 100% by using two measurements of vulnerabilities / time and then normalizing both with respect to time. That gets you a normalized number of vulnerabilities per time, not a normalized number of vulnerabilities.

    11. Re:Eh? by khallow · · Score: 1

      And half a year pass isn't very long compared to a year, amirite?

    12. Re: Eh? by crimson+tsunami · · Score: 1

      So how can you compare any numbers like this if you don't relate them to a timeframe? Are you trying to say that the graph gives no information whatsoever about the change in number of vulnerabilities? As that seems like nonsense to me.
      Comparing these 6 months to the previous 6 months is a clear doubling, unless you have data to show vulnerabilities only ever occur in the first half of any given year. The graph is a summary of the data; clearly the researchers who have access to the raw data would have told us about such a weird distribution, and it would be fraudulent of them not to.
      Are they intentionally misleading us, or are people here simply slightly confused comparing 1 year of results to 6 months?

    13. Re: Eh? by sexconker · · Score: 1

      It's simple: You can't say an amount has increased by X when you're comparing rates.
      If they want to say the number of vulnerabilities increased in a certain period, then they have to compare that to another period of the same length.

    14. Re: Eh? by crimson+tsunami · · Score: 1

      The first 6 months of 2014 has seen a 100% increase in vulnerabilities compared to the previous 6 months.
      They already mentioned that the timeframe of interest in the first line of the summary was 6 months.
      The amount 133 is ~twice as big as 65.
      The amount has increased by more than 100%.

    15. Re: Eh? by BasilBrush · · Score: 1

      They want to say the number of vulnerabilities increased in a certain period, then they have to compare that to another period of the same length.

      Not true. You can work out the average speed of a car over 10 miles and do a straight comparison with another car over 20 miles. There is no difference here. It's simply a rate. You don't need a common divisor.

    16. Re: Eh? by BasilBrush · · Score: 2

      Unless the article author has a time machine you still can't say that the vulnerabilities have increased 100% until they actually have.

      The rate has increased precisely 104% already. There is no need for a common divisor when calculating rates.

    17. Re:Eh? by BasilBrush · · Score: 1

      The rate last year was 130 vulns per six months. The rate this year is 266 per six months.

      Now what are you quibbling about?

    18. Re: Eh? by sexconker · · Score: 1

      They want to say the number of vulnerabilities increased in a certain period, then they have to compare that to another period of the same length.

      Not true. You can work out the average speed of a car over 10 miles and do a straight comparison with another car over 20 miles. There is no difference here. It's simply a rate. You don't need a common divisor.

      If you have 10 vulnerabilities from January 1st through June 30th of 2014 and you have 10 vulnerabilities from January first through December 31st of 2013, that does not mean the number of vulnerabilities has increased by 100%.
      The number of vulnerabilities per time has, but the number has not. Both numbers are 10. 10 is 0% more than 10.

      They're making a prediction on the total number of vulnerabilities based on the rate of vulnerabilities. That's fine, and it's pretty safe to assume it will end up being fairly accurate. But you cannot say the total number of vulnerabilities has increased 100% unless you're directly comparing total numbers and not rates. The rate of vulnerabilities is 100% higher, vulnerabilities in 2014 are on track to be 100% higher, and possibly the number of vulnerabilities in the first half of 2014 IS 100% higher than the number of vulnerabilities in the first half of 2013, or second half, or last 3 days, or whatever you want to compare against.

      They're comparing rates and extrapolating predicted totals and then making a factual claim regarding the totals for 2014. That's simply wrong. 2014's totals are not yet known, we simply have a lower bound. Compare rates and make your claim based on the rates, or compare 6 months in 2014 to 6 months in 2013. Which 6 months is up to you - you could choose the first half, the second half, the even months, the odd months, the months with the most vulnerabilities, the months with the least vulnerabilities, etc.

    19. Re: Eh? by sexconker · · Score: 1

      The first 6 months of 2014 has seen a 100% increase in vulnerabilities compared to the previous 6 months.

      Neither TFS nor TFA say that. It uses the following numbers for IE.

      Year - National Vulnerability Database - Exploit-DB
      2013 - 130 - 11
      H1-2014 - 133 - 3

      They already mentioned that the timeframe of interest in the first line of the summary was 6 months.

      Of 2014. They're comparing it to all of 2013.

      The amount 133 is ~twice as big as 65.

      Where are you getting 65? It's not mentioned anywhere in the report. Here's the report. CTRL+F 65.

      The amount has increased by more than 100%.

      No, the rate has. The amount in 2014 thus far is a little more than the amount in all of 2013. You can look up all the CVEs for IE and repeat their research and specifically divide 2013 up into 1st half and 2nd half if you want to compare totals and make that claim regarding totals.

    20. Re: Eh? by BasilBrush · · Score: 1

      The number of vulnerabilities per time has, but the number has not. Both numbers are 10. 10 is 0% more than 10.

      Yeah, that's what a rate is.

      They're making a prediction on the total number of vulnerabilities based on the rate of vulnerabilities.

      No they're not. You are. There is a point at which language pedantry becomes idiocy you know.

    21. Re: Eh? by crimson+tsunami · · Score: 1

      divide 2013 up into 1st half and 2nd half if you want to compare totals and make that claim regarding totals.

      I believe I already did. 130 divided by 2 is 65.
      The amount for the first 6 months of 2014 is a 100% or more increase on the amount in the second half of 2013.
      Or, the amount for 6 months of 2014 is a 100% or more increase on the corresponding period in 2013.
      Take your pick. I'm not sure why you think a 1 year time frame is somehow magical when counting amounts.

    22. Re: Eh? by Anonymous Coward · · Score: 0

      If you have 10 vulnerabilities from January 1st through June 30th of 2014

      If you have a number per a unit of time, that's already a rate.

      They're making a prediction on the total number of vulnerabilities

      There is no prediction, they are just choosing a different time period to you.

      The number/amount/size/scalar 133 is ~100% more than the number/amount/size/scalar 65.

    23. Re: Eh? by Anonymous Coward · · Score: 0

      If you have 10 vulnerabilities from January 1st through June 30th of 2014 and you have 10 vulnerabilities from January first through December 31st of 2013, that does not mean the number of vulnerabilities has increased by 100%.

      Yea it does. You had 10 at the end of 2013 and now you have 20.
      If you want to reset the number to 0 then you are artificially forcing them to use rates instead of the raw amount that you seem so fond of.
      If you want to be really pedantic and count from zero in 2014 the amount went from 0 to 1 to 2 to 3 etc up to 133.
      1 to 2 is a 100% increase
      2 to 4 is also a 100% increase
      4 to 8 is another 100% increase
      8 to 16 again and so on.
      And then the headline is a massive understatement.

  4. No actual numbers by CastrTroy · · Score: 4, Insightful

    Even after looking at the full report, I see no actual numbers for how many vulnerabilities there were. Going from 1 vulnerability to 2 vulnerabilities would have been a 100% increase, without a huge reason for concern. They also state:

    a trend underscored by a progressively shorter time to first patch for its past two releases

    Is time to first patch really a bad thing? It really means that vulnerabilities were found, and that they were fixed quickly. As opposed to vulnerabilities found and not fixed quickly. I suppose it's worse than "no vulnerabilities found" but even if none are found, it doesn't mean they don't exist. Fixing things quickly is about the best thing you can do. It also goes on to say in the report

    Both IE exploits released in 2014 (CVE -2014-1776, CVE-2014-0322) used Flash to build the ROP chain and launch shellcode

    Which really leads me to believe that the numbers really did go from 1 to 2, and that the exploits were more due to Flash than they were to specific functionality in IE. MS was able to work around the bug by stopping it at the first step, but it looks like the exploit isn't possible without Flash.

    --

    Anthropic principle: We see the universe the way it is because if it were different we would not be here to see it.
    1. Re:No actual numbers by Ol+Olsoc · · Score: 3, Insightful

      Even after looking at the full report, I see no actual numbers for how many vulnerabilities there were. Going from 1 vulnerability to 2 vulnerabilities would have been a 100% increase

      and

      Is time to first patch really a bad thing? It really means that vulnerabilities were found, and that they were fixed quickly. As opposed to vulnerabilities found and not fixed quickly. I suppose it's worse than "no vulnerabilities found" but even if none are found, it doesn't mean they don't exist. Fixing things quickly is about the best thing you can do.

      You have convinced me, sir. I'm switching to Internet Explorer, the safest, most secure browser ever made, with possibly only 1 vulnerability. Have you considered running damage control for disgraced politicians?

      --
      The shepherds did so well protecting the flock that the sheep no longer believed that wolves existed.
    2. Re:No actual numbers by BasilBrush · · Score: 4, Informative

      Looking at the graphic the raw number looks like about 130 for all of 2013, and slightly more for the first half of 2014.

    3. Re:No actual numbers by LordLimecat · · Score: 1

      Have you considered reading the article before criticizing someone else's analysis of it?

      Apparently not.

    4. Re:No actual numbers by Anonymous Coward · · Score: 0

      Maybe next time you could comprehend the article, rather than just read it.
      Unless you do understand a 100% increase when you already have the most vulnerabilities is a bad thing and you're just a MS shill doing damage control.

    5. Re:No actual numbers by Ol+Olsoc · · Score: 1

      Have you considered reading the article before criticizing someone else's analysis of it?

      Apparently not.

      Have you considered WHOOSH?

      But since you didn't quite get it.....

      Do you think that IE going from 1 vulnerability to 2 vulnerabilities is somehow, in some way, anywhere even close to the dog's breakfast that IE is? Seriously?

      Have you considered that using a quick patch as an indication of the security is ever to be considered a good thing, an excellent example of just how darn secure a browser is? If they made a patch every 15 seconds from here to eternity, it would be proof of the best darn browser, most secure experience on earth?

      Sorry, m'Lord. I gave that "analysis" every bit of respect it deserved.

      --
      The shepherds did so well protecting the flock that the sheep no longer believed that wolves existed.
    6. Re:No actual numbers by LordLimecat · · Score: 0

      IE had fewer vulnerabilities last year than Chrome or Firefox. This year it has more. That's not a slam dunk, or an indication that IE is a dog's breakfast.

      IE has been substantially rewritten since the IE6 days, and is a sort-of-decent browser these days. These days it's Firefox that's the dog's breakfast; the only saving grace it has is its low userbase and its strong extension support that can plug some of the glaring holes (like its crappy 1-process architecture, its lack of sandboxing for anything, etc).

    7. Re:No actual numbers by LordLimecat · · Score: 1, Insightful

      There WAS no 100% increase. The article misinterprets the graph, and the report that it references contradicts its analysis. IE rose from some ~130 vulns to some 140 vulns; that's not 100%, it's like 5%.

      Like Mugatu, I feel like I'm taking crazy pills here. Almost no one bothered to fact check the original report, but everyone has an opinion on it. Keep doing what you do, Slashdot.

    8. Re:No actual numbers by Qzukk · · Score: 1

      The article, headline, story and comments are all bullshit.

      Assuming the graph is not also bullshit, the correct story is that in the first 6 months of 2014 (1H 2014 on the graph), IE has had more vulnerabilities than all of 2013. IF this keeps up, then by the end of 2014, IE will have had more than a 100% increase in the number of vulnerabilities over last year.

      --
      If I have been able to see further than others, it is because I bought a pair of binoculars.
    9. Re:No actual numbers by Anonymous Coward · · Score: 0

      Wow, doubling down on stupid instead of having a closer look at the information, that's like a 100% increase in stupidity.

      The article clearly states in 2013 there were 130 vulnerabilities in IE and in the first 6 months of 2014 there have already been 133 vulnerabilities.

      You misinterpreted the graph, clearly didn't read the article. Now you have the audacity to complain about fact-checking? Lay off the crazy pills for a bit, or at least ask Microsoft to lower the dosage for you.

    10. Re:No actual numbers by LordLimecat · · Score: 1

      Except that you can't predict the future, so you don't know how many will be reported by the end of 2014. Extrapolation only works when you have a reason to justify it; neither you nor the article does, and the original paper does not make that (dumb) extrapolation.

    11. Re:No actual numbers by Anonymous Coward · · Score: 0

      But I can predict the past.

      Anyone who knows how many months there are in a year (12 btw), like the headline writer for example, can tell that the amount has doubled when comparing 6 month periods.
      Either
      1) The amount has increased 100% (or more) compared to the previous 6 months
      or
      2) The amount has increased 100% (or more) compared to the corresponding 6 month period the previous year
      or
      3) Both

      No prediction or extrapolation needed. Just knowledge of the number of months in a year and some simple logic.

  5. New Microsoft CEO by ArcadeMan · · Score: 4, Interesting

    Does anyone think there's any chance that the next IE version will simply switch to Blink or WebKit, with a fallback to Trident if the X-UA-Compatible meta is present?

    If that happens, Firefox will be the odd one out as far as rendering is concerned.

    1. Re:New Microsoft CEO by gstoddart · · Score: 3, Interesting

      Does anyone think there's any chance that the next IE version will simply switch to Blink or WebKit

      Microsoft switch IE to use components written by someone else?

      I place the likelihood of that as pretty small.

      Microsoft have always had a huge case of "Not Invented Here", and I don't see that changing.

      --
      Lost at C:>. Found at C.
    2. Re:New Microsoft CEO by jones_supa · · Score: 3, Informative

      Why? Trident is a very fast and standards-compliant engine.

    3. Re:New Microsoft CEO by rescendent · · Score: 1

      That would be a terrible thing; strong independent competition is a good thing; the browser scape would be far worse for it.

    4. Re:New Microsoft CEO by bumba2014 · · Score: 1

      jeh right...

    5. Re:New Microsoft CEO by Richard_at_work · · Score: 1

      In the past Microsoft may have had an NIH approach, but over the past few years they have significantly changed from that in the developer area - switching from the Microsoft Ajax tools to jQuery, using Json.Net etc etc etc.

    6. Re:New Microsoft CEO by operagost · · Score: 1

      Well, IE was originally created using Spyglass' code...

      --

      Gamingmuseum.com: Give your 3D accelerator a rest.
    7. Re:New Microsoft CEO by Anonymous Coward · · Score: 0

      Does anyone think there's any chance that the next IE version will simply switch to Blink or WebKit, with a fallback to Trident if the X-UA-Compatible meta is present?

      If that happens, Firefox will be the odd one out as far as rendering is concerned.

      Gosh I hope not. Have you any idea how many bugs there are in Blink/Webkit?

      More seriously, the web desperately needs to maintain the current situation of there being multiple rendering engines on the market; it's a large part of why we've managed to get to a relatively stable position now with decent standards compliance and new features going through the standards process rather than just being added arbitrarily by the market leader.

      We are in a much weaker position in this regard since Opera threw in the towel.

      We've been in a monoculture environment with web browsers before. I really don't want to be in that position again. Sure it made life easier for web developers only having to care about one browser, but the downsides far outweighed that.

    8. Re:New Microsoft CEO by Anonymous Coward · · Score: 0

      Nope, MS suffers from Not Invented Here syndrome, despite the fact that nothing they ever made was actually invented there.

    9. Re:New Microsoft CEO by Anonymous Coward · · Score: 0

      I sure hope not.
      Didn't we suffer enough with the IE monopoly? You want a new monopoly now?

    10. Re:New Microsoft CEO by Anonymous Coward · · Score: 0

      "Not Invented Here"

      They are the Knights Who Say NIH.

    11. Re:New Microsoft CEO by l0ungeb0y · · Score: 2

      Microsoft have always had a huge case of "Not Invented Here", and I don't see that changing.

      I believe you mean, "Not copied, ripped off, or acquired and gutted here"

    12. Re:New Microsoft CEO by ArhcAngel · · Score: 1

      In the past Microsoft may have had an NIH approach, but over the past few years they have significantly changed from that in the developer area - switching from the Microsoft Ajax tools to jQuery, using Json.Net etc etc etc.

      I'm not sure either the OP or this one understands what NIH means. It's part of the EEE philosophy. Look for a hot new technology in the consumer space. Identify the leaders in that space. Purchase one of the leaders and modify the technology so that it is no longer 100% compatible with anybody else's version of the tech. Market the hell out of your version and destroy the competition. Internet Explorer was licensed from Spyglass and all versions of IE up to 6 were based on that code. In this case Microsoft was so desperate to beat Netscape they gave Internet Explorer away for free, which really pissed Spyglass off because their license was based on revenue from sales of IE. In the end it worked too well and the industry was stuck with dependency on IE 6 for over a decade. If Microsoft can figure out a way to integrate Blink or WebKit and make it work I don't see why they wouldn't, as long as they can monetize it in some way.

      --
      "A person is smart. People are dumb, panicky dangerous animals and you know it." - K
    13. Re:New Microsoft CEO by holostarr · · Score: 1

      I actually believe it would be beneficial if all browsers switched to WebKit/Blink. Having everyone switch to the same engine is not the same as having only one dominant browser. The issue in the past was that IE was the dominant browser and was only developed and maintained by Microsoft; however, with WebKit/Blink it's not a single entity contributing to the development, everyone who is using it is actively improving it. I think Microsoft joining the effort will improve browser compatibility.

    14. Re:New Microsoft CEO by Princeofcups · · Score: 2

      Microsoft switch IE to use components written by someone else?

      I place the likelihood of that as pretty small.

      Microsoft have always had a huge case of "Not Invented Here", and I don't see that changing.

      Considering that IE is based on Mosaic, SQLServer is based on Sybase, etc. etc., I don't think Microsoft has ever really "invented anything here."

      --
      The only thing worse than a Democrat is a Republican.
    15. Re:New Microsoft CEO by Anonymous Coward · · Score: 0

      I second this post.

    16. Re:New Microsoft CEO by ArcadeMan · · Score: 1

      I fourth this post.

    17. Re:New Microsoft CEO by Anonymous Coward · · Score: 0

      What you're describing is completely EEE.

      NIH has nothing to do with buying another company or licensing their tech. It means we will build everything from scratch inhouse even if there's a product already out there that we could use (or that we could EEE). We will not use Sun JVM, we will create our own JVM. We will not use Java, we will create C#. Etc etc you knobbler.

    18. Re:New Microsoft CEO by Richard_at_work · · Score: 1

      I'm not sure what the point of your post is other than typical bitching about Microsoft's past.

  6. Odd Conclusion by bveldkamp · · Score: 5, Insightful

    That's an odd conclusion to draw from the report. What it actually says is:

    1. Number of vulnerabilities in IE remains constant from 2013 to 2014, other applications see a decrease
    2. Number of public exploits in IE decreases from 11 to 3 in that same period
    3. Number of days to patch in IE decreases from ~80 to ~5 between IE7 and IE 11

    1. Re:Odd Conclusion by BasilBrush · · Score: 5, Informative

      We seem to be having a lot of astroturf from MS today.

      IE Exploits.
      2013 = 130
      H1-2014 = 133.

      Bearing in mind the year vs half-year, that's a 104% increase. So no it's not an odd conclusion at all.

    2. Re:Odd Conclusion by simplypeachy · · Score: 0

      Pfft, as if any Windoze users have IE11 installed. Poppycock! Your figure of "80 days to 5" between "dinosaur" and "current" versions of Internet Explorer is of no relevance. You're clearly in the pay of Micro$haft.

    3. Re:Odd Conclusion by Sockatume · · Score: 1, Insightful

      If by "astroturf" you mean "readers genuinely confused by a tersely written article and report", then yes. Why are Slashdotters so quick to conclude that Slashdotters are all corporate shills? You would think that Slashdotters of all people would know that Slashdotters aren't.

      --
      No kidding!!! What do you say at this point?
    4. Re:Odd Conclusion by Anonymous Coward · · Score: 0

      Actually, that's 104% of the previous value, which would be a 4% increase. Or are you seriously trying to argue that staying the same is a "100% increase", and cutting by half is a "50% increase"?

    5. Re:Odd Conclusion by Anonymous Coward · · Score: 0

      Because Slashdotters are fucking idiots.

      They've chased away anyone with a reasonable opinion by labeling them astroturfers and shills, and they wonder why the community is dying.

    6. Re:Odd Conclusion by crimson+tsunami · · Score: 1

      Staying the same numerical value is a '100% increase' if the time-frame you are discussing is 1/2 as long as before.
      Don't worry, you're not the only person to fail at reading comprehension while trying to display your mathematical prowess.

    7. Re:Odd Conclusion by Anonymous Coward · · Score: 0

      Not only that, but assuming the same time-frame, 133 is 102% of the previous value, not 104%. So math-fail in addition to reading-fail.

    8. Re:Odd Conclusion by BasilBrush · · Score: 1

      Don't blame it on the writing. There was a chart, and a table at the end, both perfectly clear. And terseness means they were both very easy to find. I expect slashdotters to be able to read a simple bar chart - to read the labels as well as the length of the bars. If they can't, GTFO.

  7. Sensationalist subject by Anonymous Coward · · Score: 1

    Reporting on a 'percentage increase' in vulnerabilities really doesn't give you an idea of how large of a problem there really is. I didn't read TFA after seeing the garbage headline, but it's probably not worth my time. If there were no vulnerabilities and suddenly there was one, that's an increase of an infinite percent!!! Also, does this mean the number of vulnerabilities increased, or just the ones that people were aware of? Another worthless Microsoft bashing article, nothing to see here. Head on over to Soylent News for some more interesting stories that might actually be worth reading.

  8. Default Browser FTW by Anonymous Coward · · Score: 0

    It's pretty obvious that regardless of security measures it will always be the largest target because the demographic is people who aren't tech savvy and don't install a different browser on their store-bought Windows machine. These are the same people who make up the majority of that 10% that fall for phishing attempts noted from the phishing article from earlier this morning. ...running an expired Norton 2009 that hasn't been working since the 6 month trial ran out.

  9. A Ligh by Anonymous Coward · · Score: 0

    A ligh perpetrated by the man to keep the browser down.

  10. Re:Surprise! by bumba2014 · · Score: 1

    I also do not understand those people still using MSIE; they even send me articles which say that MSIE is more secure than Firefox or Chrome... Well, I have never had a trojan or virus from using Firefox/Mozilla in the last 10+ years. I had a lot of problems until I stopped using that big piece of shit/crap MSIE. But of course, like Einstein said, two things are infinite, the cosmos and human stupidity. And he wasn't sure about the cosmos....

  11. Re:Surprise! by plover · · Score: 0

    Samzenpus has always been a crappy, insecure editor who doesn't adhere to journalistic standards of integrity.

    Color me unsurprised.

    He's always been shit, and most of us keep reading as the site of last resort for nerd stuff which survived a long list of crappy, untrained editors who don't adhere to standards.

    Piece of crap.

    Slashdot has long since demonstrated they couldn't write a decent article if Rob Malda's life depended on it.

    In fact, some day I hope Anonymous Coward's life does depend on /..

    See what I did there?

    Go read The Fine Article before spouting your nonsense.

    --
    John
  12. Surprise! by Anonymous Coward · · Score: 0

    And we all thought that with complexity and bloat comes security?
    This is why JavaScript, Adobe and Explorer are perfect together.
    They really are "the" doorways to the Internet.

  13. Re:Surprise! by Anonymous Coward · · Score: 5, Funny

    Don't worry--those who were responsible for that browser were all just sacked.
    ... and those who were responsible for sacking the browser writers were all sacked.

  14. A rule of thumb.. by js3 · · Score: 3, Interesting

    if someone gives you a percentage they are trying to make it better or worse than it actually is.

    --
    did you forget to take your meds?
    1. Re:A rule of thumb.. by oodaloop · · Score: 3, Insightful

      if someone gives you a percentage they are trying to make it better or worse than it actually is.

      And contrariwise, if they give you raw numbers, it's the opposite. That's logic!

      --
      Tic-Tac-Toe, Global Thermonuclear War, and relationships all have the same winning move.
    2. Re:A rule of thumb.. by gstoddart · · Score: 1

      Well, around 80% of the time at least. ;-)

      --
      Lost at C:>. Found at C.
    3. Re:A rule of thumb.. by Anonymous Coward · · Score: 0

      Actually, this can be better formulated as: "If someone gives you numbers without any sort of reference, he is full of shit".

    4. Re:A rule of thumb.. by Andrio · · Score: 1

      If someone mods you up, your post's karma will increase by 33%

      --
      The Internet King? I wonder if he could provide faster nudity.
    5. Re:A rule of thumb.. by Anonymous Coward · · Score: 0

      if someone gives you a percentage they are trying to make it better or worse than it actually is.

      Heads I win, Tails you lose

    6. Re:A rule of thumb.. by mark_reh · · Score: 1

      60% of the time, it works EVERY time!

      https://www.youtube.com/watch?...

  15. Obligatory Colbert GIF by Anonymous Coward · · Score: 0
  16. No privileges to install Cr or Fx by tepples · · Score: 3, Insightful

    I also do not understand, those people still using MSIE

    I gather many of them are people at work who lack privileges to install other browsers or to run executables from writable directories. This is reportedly common on government PCs that need to connect to IE-only intranet apps.

    1. Re:No privileges to install Cr or Fx by Cro+Magnon · · Score: 2

      Recently, at my job, we got an email saying that Firefox was considered "at your own risk", and only those with a business need would be allowed to use it. Luckily, IE choked on one of our sites, and I used that as my justification for FF.

      --
      Slow down, cowboy! It has been 4 hours since you last posted. You must wait another few hours.
    2. Re:No privileges to install Cr or Fx by Anonymous Coward · · Score: 1

      Posting AC just because...

      In a previous life, I was prohibited from installing FF/Chrome in any way whatsoever, as only a certain image was allowed, and everything in the image had to get vetted by a regulation compliance committee, a legal team, a license vetting team, and so on. So, it was MSIE or no browser.

      The good news is that Chrome can come as a signed MSI file, and FrontMotion has repackaged FF as an MSI for easy mass pushes.

      MSIE has a unique place. In the enterprise, FIPS 140-2 and Common Criteria certifications are a must, and even though that doesn't mean much... it does when the auditors come to town.

      Were it left to me, I'd include Chrome's MSI. Chrome with its virtual machine isn't 100%, but it does a good job at mitigating attacks. Installing EMET is another layer that is useful (although also not 100%.)

    3. Re:No privileges to install Cr or Fx by GerbilKor · · Score: 2

      Internal websites/apps that only work in one browser are understandable. I am baffled by the numerous public-facing government websites that, to this day, only work in IE. I haven't seen a non-government site do that since, I don't know, early 2000's maybe?

    4. Re:No privileges to install Cr or Fx by Anonymous Coward · · Score: 0

      I would have hated to be the IT person that was forced to write that.

    5. Re:No privileges to install Cr or Fx by Anonymous Coward · · Score: 0

      So those browsing porn sites will still use IE

    6. Re:No privileges to install Cr or Fx by irrational_design · · Score: 1

      I've found that people who have always used IE are set in their ways and naturally distrust Firefox or Chrome. My father-in-law has always used IE and was having trouble with it. I got him to install Firefox and try it, but I could tell he totally didn't trust it and I have no doubt that he is still using IE.

    7. Re:No privileges to install Cr or Fx by theronb · · Score: 1

      IE was required at work, but after talking with a helpdesk tech who admitted they mostly used FF or Chrome, I installed FF on my workstation. Then I got an email from network services that I'd better cut it out; they have lots of in-house stuff on intranet sites that requires ActiveX. Then I retired, so now all is good.

    8. Re:No privileges to install Cr or Fx by podmate · · Score: 1

      I am one of those people. We are stuck on IE 9 and won't be moving anytime soon. I work at a VERY security aware entity who have everything locked down, but they will only let us use IE 9. We are allowed to use unapproved software or hardware, but have to get the approval of the CIO which is beyond difficult to get.

    9. Re:No privileges to install Cr or Fx by LurkingSince1999 · · Score: 1

      I also do not understand, those people still using MSIE

      I gather many of them are people at work who lack privileges to install other browsers or to run executables from writable directories. This is reportedly common on government PCs that need to connect to IE-only intranet apps.

      Yup. Still at IE8 on my US Gov't workstation. At least they allow us FF now, though the helpdesk is complaining that the frequency of FF updates is burdensome to them. Those poor, misguided children have never heard of FF ESR.

    10. Re:No privileges to install Cr or Fx by tepples · · Score: 1

      people at work who lack privileges [...] to run executables from writable directories.

      There are portable versions of FF & Chrome

      These people can't run a "portable version" that the IT department hasn't approved.

    11. Re:No privileges to install Cr or Fx by Anonymous Coward · · Score: 0
  17. Vulnerabilities did not increase by WD · · Score: 3, Interesting

    Just because you don't know about vulnerabilities, that doesn't mean that they're not there. The vulnerabilities are present in the code before they are discovered.

    Having said that, drawing conclusions from vulnerability counts is usually an exercise in futility. There are many factors that affect how many vulnerabilities are discovered and disclosed. Including availability of vulnerability-finding tools, discovery of novel attack techniques, or simply critical mass of interest in the security field.

  18. So by Anonymous Coward · · Score: 0

    Web browsers have always been a favorite avenue of attack, but we are now seeing that hackers are not only getting better at attacking Internet Explorer, they are doing it more frequently.

    Are the hackers getting that much better, or is MS just writing that much poorer code? Plus Microsoft has a habit of refusing to patch known exploits as an extortion technique to get people to "upgrade".

  19. 100% Increase by JD-1027 · · Score: 3, Funny

    I'm betting it had more than one vulnerability...

    http://xkcd.com/1102/

  20. This is a surprise? by BCW2 · · Score: 2

    History shows that more than 80% of Windows vulnerabilities are IE based. Only the gullible and foolish would use such an insecure and worthless piece of crapware. IE has never been good; M$ couldn't even give it away when Netscape cost money. Nobody would use it when it was free. M$ had to incorporate it into the OS before they got any real market share.

    --
    Professional Politicians are not the solution, they ARE the problem.
    1. Re:This is a surprise? by Anonymous Coward · · Score: 0

      M$ couldn't even give it away when Netscape cost money
      Yeah they got to 98% market penetration. *NO* one at all used it /sarc

      MS's browser was better, faster, and cheaper than Netscape. Netscape would crash if you looked at it funny. It was not until about v20 that they finally got rid of that irritating quirk where it would stall out the whole browser if it could not authenticate a name, and I use Firefox and Chrome every day now.

      M$ had to incorporate it into the OS before they got any real market share.
      It was well on its way to 50% of the market before that happened. Netscape sucked balls past about v2. Even then we only used Netscape because it was better than Mosaic. Pretty much everyone demanded MS put it in. Then pretty much everyone got mad when it happened. We begged them to do it. It was one less thing to mess around with on a desktop install, as it was already there.

      The real pity was MS decided to call v6 good enough and called it a day. They took a strong lead in the market and had the engineering chops to back it up and squandered it.

      I remember the browser wars. MSIE6 was the awesome when it came out. No other browser touched it for features or speed. Compare it to Chrome or even Firefox now, though, and it's garbage.

      The only reason I ditched it was I like my browser to not infect my computer if I look at it funny. That is the reason everyone else ditched it. I would still use it, as its 'jankiness' is less than the other two out there...

      The only reason all the quirks became a big deal and a major pain is because MS dropped the ball, then handed it over to Mozilla and then said "here, score a goal while you're at it, we are on the piss".

  21. ^Microsoft^Slashdot Beta by OffTheLip · · Score: 1

    FTFY

  22. Re:Surprise! by pr0nbot · · Score: 5, Funny

    I think your post constitutes a 100% increase in the number of times I've heard Opera mentioned this year.

  23. Re:Surprise! by ArcadeMan · · Score: 2

    Mynd you, møøse bites Kan be pretti nasti...

  24. Which IE? 4, 5, 6.....10? 11? by Tomsk70 · · Score: 1

    Another 'news' article that contains almost nothing.

    Still, at least it's not another news article by someone pretending that a reseller of hardware would have no interest in pushing old tin.

  25. Re:Surprise! by lister+king+of+smeg · · Score: 1

    You think that is bad? I know someone who is still running AOL.

    --
    ---Saying gnome 3 is better than windows 8 not so much a compliment as it is damning with light praise.
  26. XP still has 20% market? Maybe that helps. by Anonymous Coward · · Score: 0

    Given the fact that XP still holds a big percentage of Windows users, I think you could draw the conclusion that many are still using IE8. That's an attractive statistic in itself. I have to wonder, though, given the rise in Chrome usage, when the focus won't turn away from IE and towards Chrome. You know it's going to happen and you know some attacks will be successful. Chrome has been hacked in contests just as much as IE or Firefox. A better option to stay safer online is to use a less popular browser like Maxthon or Slimbrowser or even Opera, as they are in the single digit user percentage and tend to be unattractive to hackers.
    I think it's a broken record to keep busting on IE because we all know that because of its ties to the Windows OS it has more issues with security. Microsoft has made strides with things like Protected Mode and sandboxing. But it's never going to fix the problems unless IE breaks its connection with Windows.

  27. Re: Surprise! by Anonymous Coward · · Score: 0

    Do they ever load up a punter and boot someone offline like it's 1997!?

  28. Re:Surprise! by LordLimecat · · Score: 3, Informative

    Neither can IE. It has a ~5-10% increase.

    The summary is absolute garbage; it implies that the number of vulnerabilities has doubled (it hasn't), that IE security is worse (but public exploits are reduced from last year, and mean time to patch is vastly reduced), and that it's always been worse (last year, Chrome and Firefox had more exploits than IE).

    Unsurprisingly, everyone here took the bait.

  29. Re:Surprise! by LordLimecat · · Score: 0

    Firefox was "more vulnerable" in 2013, and actually for several years post IE9, I believe it was generally considered LESS secure than MSIE due to its lack of common protections (like reduced privilege, sandboxing, etc).

    The real surprise here is that people on a tech site continue to use awful metrics for judging things ("works for me", "everyone else hates it, must be bad").

  30. Re:Surprise! by Anonymous Coward · · Score: 0

    I know this might be tagged as -1 redundant / flamebait / trolling; but I honestly never expected the US to know that the word sacked == fired

  31. Re:Surprise! by fahrbot-bot · · Score: 1

    Don't worry--those who were responsible for that browser were all just sacked.
    ... and those who were responsible for sacking the browser writers were all sacked.

    Thankfully, my 401k is heavily invested in many and various Sack businesses ... Retirement here I come!

    --
    It must have been something you assimilated. . . .
  32. Re:Surprise! by Anonymous Coward · · Score: 0

    Neither can IE. It has a ~5-10% increase.

    Just depends on how you look at the data and interpret the words. I say that there was a 0% increase...that is, the vulnerabilities were already there, the users just didn't know about them.

  33. Business plan by jbmartin6 · · Score: 1

    1. Write software to sandbox $APPLICATION
    2. Release report exaggerating "increase in vulnerabilities" in $APPLICATION
    3. Profit!

    --
    This posting is provided 'AS IS' without warranty of any kind, implied or otherwise.
  34. Re:Surprise! by Anonymous Coward · · Score: 0

    That's very likely not true that 0% are new... sometimes the vulnerabilities are not there from a previous point in time, and get introduced via patches to other vulnerabilities.

  35. IE dangerous, but useful for now... by LessThanObvious · · Score: 1

    I use I.E. for one reason these days. Every company I end up working for has some internal business application that only gets tested and supported on I.E., and this is particularly the case after I lock down Firefox for actual web browsing. These kinds of internal business applications often fail with even minimal security restrictions.

    I hold out little hope that apps designed to be run in controlled environments will ever work with a decently locked down browser. The issue is that the most vulnerable business users will take their corporate issued laptop with I.E. and default settings and use that as if it's sane to use that configuration on the internet.

  36. Re:Surprise! by Anonymous Coward · · Score: 0

    Come on! La traviata still kicks ass.

  37. Re:Surprise! by dave562 · · Score: 2

    Good points. The first thing that I thought when I read the summary was that the only way there could be a 100% increase is if the number of previous vulnerabilities was very small. Finding two vulnerabilities in the same period of time in which one was previously found is a 100% increase. Just like finding 60 when the previous amount was 30 is also a 100% increase.

  38. US-CERT first post was right at the end :) by martiniturbide · · Score: 1

    US-CERT posted a report some time ago advising to switch to another browser; after a few hours they changed the statement.

    http://martin.iturbide.com/2014/04/do-you-trust-us-cert.html

  39. No privileges to install Cr or Fx by jpenguin · · Score: 1

    There are portable versions of FF & Chrome

  40. Re:Surprise! by Anonymous Coward · · Score: 0

    Brilliant comeback!

  41. Re:Surprise! by Anonymous Coward · · Score: 0

    Wouldn't it be nice if there was an xkcd to explain your math!

  42. Re:Surprise! by onix · · Score: 1

    Depends on how those bugs were discovered. If reported by the outside community, chances are hackers might have exploited them before they were patched. Also, the hacker community culture is important. Avoidance is prudent. If a red Honda Civic is a target for crime, then drive a blue Toyota Corolla.

  43. Re:Surprise! by Anonymous Coward · · Score: 0

    Take a closer look at the article. They're comparing the total exploits in 2013 with the exploits in the first half of 2014. Seeing slightly more in half the time does come out to more than 100 percent.

  44. Bromide. by westlake · · Score: 1

    (!) This article appears to be written like an advertisement. Please help improve it by rewriting promotional content from a neutral point of view and removing any inappropriate external links.

    Bromium

  45. Microsoft is now counting Flash vulns as IE vulns by benjymouse · · Score: 2

    Microsoft patches to IE include patches to vulns in Flash - which is embedded in IE. The increase in vulnerabilities is the result of the horrible Flash code.

    --
    Reading slashdot one-liner: (irm http://rss.slashdot.org/Slashdot/slashdot).rdf.item | fl title,desc*
  46. Yes actual numbers by crimson+tsunami · · Score: 1

    Even after looking at the full report, I see no actual numbers for how many vulnerabilities there were.

    How this was modded insightful I'll never know.
    Someone must be exploiting a vulnerability in your pdf viewer/browser that is causing it to not work properly (IE maybe), because mine clearly shows it in the appendix at the bottom.
    Internet Explorer:
    2013: 130 vulnerabilities
    H1-2014: 133 vulnerabilities

  47. Re:Surprise! by RaceProUK · · Score: 1

    Looking at the raw figures in the report, the count is up from 130 to... 133. That's an increase of 2.3%. Even extrapolated to a full year, it's a 5.6% rise.

    --
    No colour or religion ever stopped the bullet from a gun
  48. awesome news! by Anonymous Coward · · Score: 0

    I am sure there are plenty of people here that rely on Windows, and Microsoft products in general, being the Swiss cheese of software in order to make a living.

  49. Tepples has a great point... apk by Anonymous Coward · · Score: 0

    I'd also like to add to it (having done ASP.NET & ASP coding in industrial/business environs): A strength of IE is here - nothing else truly really "integrates" as well (in my professional development experience thus far) into Intranets internal to corporate environs quite as well, including group policies/volume network-wide management & with as much easily done database connectivity (via many methods to many disparate db engines), & this is by "way of comparison" to other web browsers - correct me if/where I am 'wrong/off', but that's been MY experience on all those grounds noted (2).

    So, that all "said & aside" - now, do I *espouse* the use of IE online on the PUBLIC internet? Sadly, no. Why?? The premise behind this very article - security.

    Yes - It's got potential & MS is truly *trying* to standardize it as well as secure it (every patch Tuesday almost has IE patches for most all versions over time as an example thereof for instance) - however, it has a lot of security "holes" even now still!

    (Sorry for 3rd repost - some demented little prick keeps downmodding my post, so just to show him "what's-what", in that I have NO posting limits like most ac's? To spite him, "here tis'" again...)

    APK

    P.S.=> Good point tepples, I agree, & merely wanted to "2nd your motion" & add on to it as a developer who's been exposed to some IE strengths in the business world since 1995 or so, onwards - what I noted IS one of them! apk

  50. Re:Tepples has a great point by tepples · · Score: 1

      A strength of IE is here - nothing else truly really "integrates" as well (in my professional development experience thus far) into Intranets internal to corporate environs quite as well

    Why was this moderated down, other than knee-jerk ad hominem?

  51. Tepples - you KNOW why! apk by Anonymous Coward · · Score: 0

    It's a troll that has a grudge against me for *trying* me in technical debate & failing badly or my "spanking him" totally for his spouting falsehoods. He now "gets his revenge" by downmodding my posts (rampantly) via his registered user account &/or sockpuppets they use also, wherever they are (mostly on my posts on hosts files though) + then trolling me by ac posts afterwards (usually, or if they are dry of modpoints). They downmodded it here also -> http://it.slashdot.org/comment... when I reposted it, but apparently 'ran dry' of their effete modpoints when I posted it yet again here (not downmodded, yet @ least) -> http://it.slashdot.org/comment...

    APK

    P.S.=> The person doing it is *truly*, imo @ least, pitiful... apk

  52. Re:Tepples has a great point by Anonymous Coward · · Score: 0

    It's obviously the "posting ac just because" here http://it.slashdot.org/comment... who doesn't want his minus moderation of apk removed by posting using his registered user account.

  53. close by crimson+tsunami · · Score: 1

    Close, but no cigar. Last year was 65 per six months, this year it's 133 per six months.

  54. Second user? by RockDoctor · · Score: 1

    Does this mean that IE has acquired a second user? And do they use it simultaneously?

    --
    Birds are not dinosaur descendants; birds are dinosaurs, for all useful meanings of "birds", "are" and "dinosaurs"