Slashdot Mirror


Internet Explorer Vulnerabilities Increase 100%

An anonymous reader writes: Bromium Labs analyzed public vulnerabilities and exploits from the first six months of 2014. The research determined that Internet Explorer vulnerabilities have increased more than 100 percent since 2013, surpassing Java and Flash vulnerabilities. Web browsers have always been a favorite avenue of attack, but we are now seeing that hackers are not only getting better at attacking Internet Explorer, they are doing it more frequently.


  1. Re:Surprise! by ArcadeMan · · Score: 5, Funny

    Yeah, but no other browser can claim a 100% increase in vulnerabilities!

    Take THAT, Apple, Mozilla, Google and Opera!

  2. Re:Surprise! by sproketboy · · Score: 1

    Dude, tell us what you really think.

  3. Eh? by Sockatume · · Score: 4, Informative

    I can't see where the 100% figure comes from. The report says that IE attacks hit a record high in exploited zero-days in the first half of 2013, but they're now much lower.

    --
    No kidding!!! What do you say at this point?
    1. Re:Eh? by SQLGuru · · Score: 4, Insightful

      Yeah, even reading the PDF (http://www.bromium.com/sites/default/files/bromium-h1-2014-threat_report.pdf/) didn't show any sort of "AAAAAHHHHH!!!! The world is ending!" type of numbers. They show IE decreasing the patch time since 2007. There are charts showing that Zero days are decreasing. The Appendix shows 3 more entries in the National Vulnerability Database. Reporting statistics in percentages without referring to what the percentage is based on is just clickbait.

      All software has holes. Larger use base makes for a bigger target. Blah blah blah. These stories aren't going to change what people use because the common person isn't reading them.

    2. Re: Eh? by Chewbacon · · Score: 1

      Looks like Windows XP era browsers and now unsupported browser versions. So it's no surprise since Microsoft took their hands off of the products that all these exploits come out of the woodwork.

      --
      Chewbacon
      The Bible is like Wikipedia: written by a bunch of people and verifiable by questionable sources.
    3. Re:Eh? by BasilBrush · · Score: 2

      What are you finding unclear about this graphic?

      http://www.net-security.org/im...

    4. Re: Eh? by IamTheRealMike · · Score: 1

      Did YOU look at the graph? The bars are comparing all of 2013 against the first half of 2014 (obviously, as the second half is in the future). So the fact that IE already matched last year's record is where the 100% figure comes from - it's another way to say "doubled". Unless the second half of 2014 has a lower exploit rate then the conclusion will be correct.

    5. Re: Eh? by Sockatume · · Score: 2

      Shouldn't that be worded "vulnerabilities will have increased 100%, assuming this trend continues" and not "vulnerabilities have increased 100%"? At any rate I'm sure you're right that it's what the article author meant.

      --
      No kidding!!! What do you say at this point?
    6. Re: Eh? by Rhipf · · Score: 2

      OK I'll admit that I didn't notice the H1 in the graph right away but...

      Unless the article author has a time machine you still can't say that the vulnerabilities have increased 100% until they actually have. It would have been better if the author had compared the first half of 2013 to the first half of 2014. At least that way the comparison is grounded in facts not speculation.

    7. Re:Eh? by IRGlover · · Score: 1

      The graph compares all of 2013 with the first half of 2014. The implication being that, if so far this year there have been as many vulnerabilities as all of last year, then by the end of the year there will be twice as many. It is very poor analysis as there might be no more bugs found this year, a million bugs found this year, or something in between.

    8. Re: Eh? by crimson+tsunami · · Score: 2

      No they really have already increased 100%.
      The trend may continue in the future or it may not, but as of right now the amount of vulnerabilities per unit time is twice as much, or 100% more, than in the past.
      Eye-balling from the graph, last year averaged ~10 per month, this year is averaging ~20 per month. A 100% increase.

    9. Re: Eh? by sexconker · · Score: 1

      The number of vulnerabilities per time is not the same as the number of vulnerabilities.
      You can't say the number of vulnerabilities has increased 100% by using two measurements of vulnerabilities / time and then normalizing both with respect to time. That gets you a normalized number of vulnerabilities per time, not a normalized number of vulnerabilities.

    10. Re:Eh? by khallow · · Score: 1

      And half a year pass isn't very long compared to a year, amirite?

    11. Re: Eh? by crimson+tsunami · · Score: 1

      So how can you compare any numbers like this if you don't relate them to a timeframe? Are you trying to say that the graph gives no information whatsoever about the change in number of vulnerabilities? As that seems like nonsense to me.
      Comparing this 6 months to the previous 6 months is a clear doubling, unless you have data to show vulnerabilities only ever occur in the first half of any given year. The graph is a summary of the data, clearly the researchers who have access to the raw data would have told us about such weird distribution, and it would be fraudulent of them not to.
      Are they intentionally misleading us, or are people here simply slightly confused comparing 1 year of results to 6 months?

    12. Re: Eh? by sexconker · · Score: 1

      It's simple: You can't say an amount has increased by X when you're comparing rates.
      If they want to say the number of vulnerabilities increased in a certain period, then they have to compare that to another period of the same length.

    13. Re: Eh? by crimson+tsunami · · Score: 1

      The first 6 months of 2014 has seen a 100% increase in vulnerabilities compared to the previous 6 months.
      They already mentioned that the timeframe of interest in the first line of the summary was 6 months.
      The amount 133 is ~twice as big as 65.
      The amount has increased by more than 100%.

    14. Re: Eh? by BasilBrush · · Score: 1

      They want to say the number of vulnerabilities increased in a certain period, then they have to compare that to another period of the same length.

      Not true. You can work out the average speed of a car over 10 miles and do a straight comparison with another car over 20 miles. There is no difference here. It's simply a rate. You don't need a common divisor.

    15. Re: Eh? by BasilBrush · · Score: 2

      Unless the article author has a time machine you still can't say that the vulnerabilities have increased 100% until they actually have.

      The rate has increased precisely 104% already. There is no need for a common divisor when calculating rates.

    16. Re:Eh? by BasilBrush · · Score: 1

      The rate last year was 130 vulns per six months. The rate this year is 266 per six months.

      Now what are you quibbling about?

    17. Re: Eh? by sexconker · · Score: 1

      They want to say the number of vulnerabilities increased in a certain period, then they have to compare that to another period of the same length.

      Not true. You can work out the average speed of a car over 10 miles and do a straight comparison with another car over 20 miles. There is no difference here. It's simply a rate. You don't need a common divisor.

      If you have 10 vulnerabilities from January 1st through June 30th of 2014 and you have 10 vulnerabilities from January first through December 31st of 2013, that does not mean the number of vulnerabilities has increased by 100%.
      The number of vulnerabilities per time has, but the number has not. Both numbers are 10. 10 is 0% more than 10.

      They're making a prediction on the total number of vulnerabilities based on the rate of vulnerabilities. That's fine, and it's pretty safe to assume it will end up being fairly accurate. But you cannot say the total number of vulnerabilities has increased 100% unless you're directly comparing total numbers and not rates. The rate of vulnerabilities is 100% higher, vulnerabilities in 2014 are on track to be 100% higher, and possibly the number of vulnerabilities in the first half of 2014 IS 100% higher than the number of vulnerabilities in the first half of 2013, or second half, or last 3 days, or whatever you want to compare against.

      They're comparing rates and extrapolating predicted totals and then making a factual claim regarding the totals for 2014. That's simply wrong. 2014's totals are not yet known, we simply have a lower bound. Compare rates and make your claim based on the rates, or compare 6 months in 2014 to 6 months in 2013. Which 6 months is up to you - you could choose the first half, the second half, the even months, the odd months, the months with the most vulnerabilities, the months with the least vulnerabilities, etc.

    18. Re: Eh? by sexconker · · Score: 1

      The first 6 months of 2014 has seen a 100% increase in vulnerabilities compared to the previous 6 months.

      Neither TFS nor TFA say that. It uses the following numbers for IE.

      Year - National Vulnerability Database - Exploit-DB
      2013 - 130 - 11
      H1-2014 - 133 - 3

      They already mentioned that the timeframe of interest in the first line of the summary was 6 months.

      Of 2014. They're comparing it to all of 2013.

      The amount 133 is ~twice as big as 65.

      Where are you getting 65? It's not mentioned anywhere in the report. Here's the report. CTRL+F 65.

      The amount has increased by more than 100%.

      No, the rate has. The amount in 2014 thus far is a little more than the amount in all of 2013. You can look up all the CVEs for IE and repeat their research and specifically divide 2013 up into 1st half and 2nd half if you want to compare totals and make that claim regarding totals.

    19. Re: Eh? by BasilBrush · · Score: 1

      The number of vulnerabilities per time has, but the number has not. Both numbers are 10. 10 is 0% more than 10.

      Yeah, that's what a rate is.

      They're making a prediction on the total number of vulnerabilities based on the rate of vulnerabilities.

      No they're not. You are. There is a point at which language pedantry becomes idiocy you know.

    20. Re: Eh? by crimson+tsunami · · Score: 1

      divide 2013 up into 1st half and 2nd half if you want to compare totals and make that claim regarding totals.

      I believe I already did. 130 divided by 2 is 65.
      The amount for the first 6 months of 2014 is a 100% or more increase on the amount in the second half of 2013.
      Or, the amount for 6 months of 2014 is a 100% or more increase on the corresponding period in 2013
      Take your pick. I'm not sure why you think a 1 year time frame is somehow magical when counting amounts.

  4. No actual numbers by CastrTroy · · Score: 4, Insightful
    Even after looking at the full report, I see no actual numbers for how many vulnerabilities there were. Going from 1 vulnerability to 2 vulnerabilities would have been a 100% increase, without a huge reason for concern. They also state:

    a trend underscored by a progressively shorter time to first patch for its past two releases

    Is time to first patch really a bad thing? It really means that vulnerabilities were found, and that they were fixed quickly. As opposed to vulnerabilities found and not fixed quickly. I suppose it's worse than "no vulnerabilities found" but even if none are found, it doesn't mean they don't exist. Fixing things quickly is about the best thing you can do. It also goes on to say in the report

    Both IE exploits released in 2014 (CVE-2014-1776, CVE-2014-0322) used Flash to build the ROP chain and launch shellcode

    Which really leads me to believe that the numbers really did go from 1 to 2, and that the exploits were more due to flash than they were to specific functionality in IE. MS was able to work around the bug by stopping it at the first step, but looks like the exploit isn't possible without Flash.

    --

    Anthropic principle: We see the universe the way it is because if it were different we would not be here to see it.
    1. Re:No actual numbers by Ol+Olsoc · · Score: 3, Insightful

      Even after looking at the full report, I see no actual numbers for how many vulnerabilities there were. Going from 1 vulnerability to 2 vulnerabilities would have been a 100% increase

      and

      Is time to first patch really a bad thing? It really means that vulnerabilities were found, and that they were fixed quickly. As opposed to vulnerabilities found and not fixed quickly. I suppose it's worse than "no vulnerabilities found" but even if none are found, it doesn't mean they don't exist. Fixing things quickly is about the best thing you can do.

      You have convinced me sir. I'm switching to Internet Explorer, the safest most secure browser ever made, with possibly only 1 vulnerability. Have you considered running damage control for disgraced politicians?

      --
      The shepherds did so well protecting the flock that the sheep no longer believed that wolves existed.
    2. Re:No actual numbers by BasilBrush · · Score: 4, Informative

      Looking at the graphic the raw number looks like about 130 for all of 2013, and slightly more for the first half of 2014.

    3. Re:No actual numbers by LordLimecat · · Score: 1

      Have you considered reading the article before criticizing someone else's analysis of it?

      Apparently not.

    4. Re:No actual numbers by Ol+Olsoc · · Score: 1

      Have you considered reading the article before criticizing someone else's analysis of it?

      Apparently not.

      Have you considered WHOOSH?

      But since you didn't quite get it.....

      Do you think that IE going from 1 Vulnerability to 2 vulnerabilities is somehow, in some way, anywhere even close to the dog's breakfast that IE is? Seriously?

      Have you considered that using a quick patch as indication of the security is ever to be considered a good thing, an excellent example of just how darn secure a browser is? If they made a patch every 15 seconds from here to eternity, it would be proof of the best darn browser, most secure experience on earth?

      Sorry, m'Lord. I gave that "analysis" every bit of respect it deserved.

      --
      The shepherds did so well protecting the flock that the sheep no longer believed that wolves existed.
    5. Re:No actual numbers by LordLimecat · · Score: 1, Insightful

      There WAS no 100% increase. The article misinterprets the graph, and the report that it references contradicts its analysis. IE rose from some ~130 vulns to some 140 vulns; that's not 100%, it's like 5%.

      Like Mugato, I feel like I'm taking crazy pills here. Almost no one bothered to fact check the original report, but everyone has an opinion on it. Keep doing what you do, slashdot.

    6. Re:No actual numbers by Qzukk · · Score: 1

      The article, headline, story and comments are all bullshit.

      Assuming the graph is not also bullshit, the correct story is that in the first 6 months of 2014 (1H 2014 on the graph), IE has had more vulnerabilities than all of 2013. IF this keeps up, then by the end of 2014, IE will have had more than a 100% increase in the number of vulnerabilities over last year.

      --
      If I have been able to see further than others, it is because I bought a pair of binoculars.
    7. Re:No actual numbers by LordLimecat · · Score: 1

      Except that you can't predict the future, so you don't know how many will be reported by the end of 2014. Extrapolation only works when you have a reason to justify it; neither you, nor the article does, and the original paper does not make that (dumb) extrapolation.

  5. New Microsoft CEO by ArcadeMan · · Score: 4, Interesting

    Does anyone think there's any chance that the next IE version will simply switch to Blink or WebKit, with a fallback to Trident if the X-UA-Compatible meta is present?

    If that happens, Firefox will be the odd one out as far as rendering is concerned.

    1. Re:New Microsoft CEO by gstoddart · · Score: 3, Interesting

      Does anyone think there's any chance that the next IE version will simply switch to Blink or WebKit

      Microsoft switch IE to use components written by someone else?

      I place the likelihood of that as pretty small.

      Microsoft have always had a huge case of "Not Invented Here", and I don't see that changing.

      --
      Lost at C:>. Found at C.
    2. Re:New Microsoft CEO by jones_supa · · Score: 3, Informative

      Why? Trident is very fast and standards-compliant engine.

    3. Re:New Microsoft CEO by rescendent · · Score: 1

      That would be a terrible thing; strong independent competition is a good thing; the browser scape would be far worse for it.

    4. Re:New Microsoft CEO by bumba2014 · · Score: 1

      jeh right...

    5. Re:New Microsoft CEO by Richard_at_work · · Score: 1

      In the past Microsoft may have had an NIH approach, but over the past few years they have significantly changed from that in the developer area - switching from the Microsoft Ajax tools to jQuery, using Json.Net etc etc etc.

    6. Re:New Microsoft CEO by operagost · · Score: 1

      Well, IE was originally created using Spyglass' code...

      --

      Gamingmuseum.com: Give your 3D accelerator a rest.
    7. Re:New Microsoft CEO by l0ungeb0y · · Score: 2

      Microsoft have always had a huge case of "Not Invented Here", and I don't see that changing.

      I believe you mean, "Not copied, ripped off, or acquired and gutted here"

    8. Re:New Microsoft CEO by ArhcAngel · · Score: 1

      In the past Microsoft may have had an NIH approach, but over the past few years they have significantly changed from that in the developer area - switching from the Microsoft Ajax tools to jQuery, using Json.Net etc etc etc.

      I'm not sure either the OP or this one understand what NIH means. It's part of the EEE philosophy. Look for a hot new technology in the consumer space. Identify the leaders in that space. Purchase one of the leaders and modify the technology so that it is no longer 100% compatible with anybody else's version of the tech. Market the hell out of your version and destroy the competition. Internet Explorer was licensed from Spyglass and all versions of IE up to 6 were based on that code. In this case Microsoft was so desperate to beat Netscape they gave Internet Explorer away for free which really pissed Spyglass off because their license was based on revenue from sales of IE. In the end it worked too well and the industry was stuck with dependency on IE 6 for over a decade. If Microsoft can figure out a way to integrate Blink or Webkit and make it work I don't see why they wouldn't as long as they can monetize it in some way.

      --
      "A person is smart. People are dumb, panicky dangerous animals and you know it." - K
    9. Re:New Microsoft CEO by holostarr · · Score: 1

      I actually believe it would be beneficial if all browsers switched to webkit/blink. Having everyone switch to the same engine is not the same as having only one dominant browser. The issue in the past was that IE was the dominant browser and was only developed and maintained by Microsoft, however, with webkit/blink it's not a single entity contributing to the development, everyone who is using it is actively improving it. I think Microsoft joining the effort will improve browser compatibility.

    10. Re:New Microsoft CEO by Princeofcups · · Score: 2

      Microsoft switch IE to use components written by someone else?

      I place the likelihood of that as pretty small.

      Microsoft have always had a huge case of "Not Invented Here", and I don't see that changing.

      Considering that IE is based on Mosaic, SQLServer is based on Sybase, etc. etc., I don't think Microsoft has ever really "invented anything here."

      --
      The only thing worse than a Democrat is a Republican.
    11. Re:New Microsoft CEO by ArcadeMan · · Score: 1

      I fourth this post.

    12. Re:New Microsoft CEO by Richard_at_work · · Score: 1

      I'm not sure what the point of your post is other than a typical bitching about Microsoft's past.

  6. Odd Conclusion by bveldkamp · · Score: 5, Insightful

    That's an odd conclusion to draw from the report. What it actually says is:

    1. Number of vulnerabilities in IE remains constant from 2013 to 2014, other applications see a decrease
    2. Number of public exploits in IE decreases from 11 to 3 in that same period
    3. Number of days to patch in IE decreases from ~80 to ~5 between IE7 and IE 11

    1. Re:Odd Conclusion by BasilBrush · · Score: 5, Informative

      We seem to be having a lot of astroturf from MS today.

      IE Exploits.
      2013 = 130
      H1-2014 = 133.

      Bearing in mind the year vs half-year, that's a 104% increase. So no it's not an odd conclusion at all.

    2. Re:Odd Conclusion by Sockatume · · Score: 1, Insightful

      If by "astroturf" you mean "readers genuinely confused by a tersely written article and report", then yes. Why are Slashdotters so quick to conclude that Slashdotters are all corporate shills? You would think that Slashdotters of all people would know that Slashdotters aren't.

      --
      No kidding!!! What do you say at this point?
    3. Re:Odd Conclusion by crimson+tsunami · · Score: 1

      Staying the same numerical value is a '100% increase' if the time-frame you are discussing is 1/2 as long as before.
      Don't worry, you're not the only person to fail at reading comprehension while trying to display your mathematical prowess.

    4. Re:Odd Conclusion by BasilBrush · · Score: 1

      Don't blame it on the writing. There was a chart, and a table at the end, both perfectly clear. And terseness means they were both very easy to find. I expect slashdotters to be able to read a simple bar chart - to read the labels as well as the length of the bars. If they can't, GTFO.

  7. Sensationalist subject by Anonymous Coward · · Score: 1

    Reporting on a 'percentage increase' in vulnerabilities really doesn't give you an idea of how large of a problem there really is. I didn't read TFA after seeing the garbage headline, but it's probably not worth my time. If there were no vulnerabilities and suddenly there was one, that's an increase of an infinite percent!!! Also, does this mean the number of vulnerabilities increase, or just the ones that people were aware of? Another worthless Microsoft bashing article, nothing to see here. Head on over to Soylent News for some more interesting stories that might actually be worth reading.

  8. Re:Surprise! by bumba2014 · · Score: 1

    I also do not understand, those people still using MSIE, they even send me articles which say that MSIE is more secure than Firefox or Chrome... Well I never have had a trojan or virus from using Firefox/Mozilla the last +10 years. Have had a lot of problems until I stopped using that big piece of shit/crap MSIE. But of course like Einstein said two things are infinite, the cosmos and human stupidity. And he wasn't sure about the cosmos....

  9. Re:Surprise! by Anonymous Coward · · Score: 5, Funny

    Don't worry--those who were responsible for that browser were all just sacked.
     
    ... and those who were responsible for sacking the browser writers were all sacked.

  10. A rule of thumb.. by js3 · · Score: 3, Interesting

    if someone gives you a percentage they are trying to make it better or worse than it actually is.

    --
    did you forget to take your meds?
    1. Re:A rule of thumb.. by oodaloop · · Score: 3, Insightful

      if someone gives you a percentage they are trying to make it better or worse than it actually is.

      And contrariwise, if they give you raw numbers, it's the opposite. That's logic!

      --
      Tic-Tac-Toe, Global Thermonuclear War, and relationships all have the same winning move.
    2. Re:A rule of thumb.. by gstoddart · · Score: 1

      Well, around 80% of the time at least. ;-)

      --
      Lost at C:>. Found at C.
    3. Re:A rule of thumb.. by Andrio · · Score: 1

      If someone mods you up, your post's karma will increase by 33%

      --
      The Internet King? I wonder if he could provide faster nudity.
    4. Re:A rule of thumb.. by mark_reh · · Score: 1

      60% of the time, it works EVERY time!

      https://www.youtube.com/watch?...

  11. No privileges to install Cr or Fx by tepples · · Score: 3, Insightful

    I also do not understand, those people still using MSIE

    I gather many of them are people at work who lack privileges to install other browsers or to run executables from writable directories. This is reportedly common on government PCs that need to connect to IE-only intranet apps.

    1. Re:No privileges to install Cr or Fx by Cro+Magnon · · Score: 2

      Recently, at my job, we got an email saying that Firefox was considered "at your own risk", and only those with a business need would be allowed to use it. Luckily, IE choked on one of our sites, and I used that as my justification for FF.

      --
      Slow down, cowboy! It has been 4 hours since you last posted. You must wait another few hours.
    2. Re:No privileges to install Cr or Fx by Anonymous Coward · · Score: 1

      Posting AC just because...

      In a previous life, I was prohibited from installing FF/Chrome in any way whatsoever, as only a certain image was allowed, and everything in the image had to get vetted by a regulation compliance committee, a legal team, a license vetting team, and so on. So, it was MSIE or no browser.

      The good news is that Chrome can come as a signed MSI file, and FrontMotion has repackaged FF as a MSI for easy mass pushes.

      MSIE has a unique place. In the enterprise, FIPS 140-2 and Common Criteria certifications are a must, and even though that doesn't mean much... it does when the auditors come to town.

      Were it left to me, I'd include Chrome's MSI. Chrome with its virtual machine isn't 100%, but it does a good job at mitigating attacks. Installing EMET is another layer that is useful (although also not 100%.)

    3. Re:No privileges to install Cr or Fx by GerbilKor · · Score: 2

      Internal websites/apps that only work in one browser are understandable. I am baffled by the numerous public-facing government websites that, to this day, only work in IE. I haven't seen a non-government site do that since, I don't know, early 2000's maybe?

    4. Re:No privileges to install Cr or Fx by irrational_design · · Score: 1

      I've found that people who have always used IE are set in their ways and naturally distrust Firefox or Chrome. My father-in-law has always used IE and was having trouble with it. I got him to install Firefox and try it, but I could tell he totally didn't trust it and I have no doubt that he is still using IE.

    5. Re:No privileges to install Cr or Fx by theronb · · Score: 1

      IE was required at work but after talking with a helpdesk tech who admitted they mostly used FF or Chrome, I installed FF on my workstation. Then I got an email from network services that I'd better cut it out; they have lots of in-house stuff on intranet sites that requires active-X. Then I retired, so now all is good.

    6. Re:No privileges to install Cr or Fx by podmate · · Score: 1

      I am one of those people. We are stuck on IE 9 and won't be moving anytime soon. I work at a VERY security aware entity who have everything locked down, but they will only let us use IE 9. We are allowed to use unapproved software or hardware, but have to get the approval of the CIO which is beyond difficult to get.

    7. Re:No privileges to install Cr or Fx by LurkingSince1999 · · Score: 1

      I also do not understand, those people still using MSIE

      I gather many of them are people at work who lack privileges to install other browsers or to run executables from writable directories. This is reportedly common on government PCs that need to connect to IE-only intranet apps.

      Yup. Still at IE8 on my US Gov't workstation. At least they allow us FF now, though the helpdesk is complaining that frequency of FF updates is burdensome to them. Those poor, misguided children have never heard of FF ESR.

    8. Re:No privileges to install Cr or Fx by tepples · · Score: 1

      people at work who lack privileges [...] to run executables from writable directories.

      There are portable versions of FF & Chrome

      These people can't run a "portable version" that the IT department hasn't approved.

  12. Vulnerabilities did not increase by WD · · Score: 3, Interesting

    Just because you don't know about vulnerabilities, that doesn't mean that they're not there. The vulnerabilities are present in the code before they are discovered.

    Having said that, drawing conclusions from vulnerability counts is usually an exercise in futility. There are many factors that affect how many vulnerabilities are discovered and disclosed. Including availability of vulnerability-finding tools, discovery of novel attack techniques, or simply critical mass of interest in the security field.

  13. 100% Increase by JD-1027 · · Score: 3, Funny

    I'm betting it had more than one vulnerability...

    http://xkcd.com/1102/

  14. This is a surprise? by BCW2 · · Score: 2

    History shows that more than 80% of windows vulnerabilities are IE based. Only the gullible and foolish would use such an unsecure and worthless piece of crapware. IE has never been good. M$ couldn't even give it away when Netscape cost money. Nobody would use it when it was free. M$ had to incorporate it into the OS before they got any real market share.

    --
    Professional Politicians are not the solution, they ARE the problem.
  15. ^Microsoft^Slashdot Beta by OffTheLip · · Score: 1

    FTFY

  16. Re:Surprise! by pr0nbot · · Score: 5, Funny

    I think your post constitutes a 100% increase in the number of times I've heard Opera mentioned this year.

  17. Re:Surprise! by ArcadeMan · · Score: 2

    Mynd you, møøse bites Kan be pretti nasti...

  18. Which IE? 4, 5, 6.....10? 11? by Tomsk70 · · Score: 1

    Another 'news' article that contains almost nothing.

    Still, at least it's not another news article by someone pretending that a reseller of hardware would have no interest in pushing old tin.

  19. Re:Surprise! by lister+king+of+smeg · · Score: 1

    You think that is bad? I know someone who is still running Aol.

    --
    ---Saying gnome 3 is better than windows 8 not so much a compliment as it is damning with light praise.
  20. Re:Surprise! by LordLimecat · · Score: 3, Informative

    Neither can IE. It has a ~5-10% increase.

    The summary is absolute garbage; it implies that the number of vulnerabilities is doubled (it isn't), that IE security is worse (but public exploits are reduced from last year, and mean time to patch is vastly reduced), and that it's always been worse (last year, Chrome and Firefox had more exploits than IE).

    Unsurprisingly, everyone here took the bait.

  21. Re:Surprise! by fahrbot-bot · · Score: 1

    Don't worry--those who were responsible for that browser were all just sacked.
    ... and those who were responsible for sacking the browser writers were all sacked.

    Thankfully, my 401k is heavily invested in many and various Sack businesses ... Retirement here I come!

    --
    It must have been something you assimilated. . . .
  22. Business plan by jbmartin6 · · Score: 1

    1. Write software to sandbox $APPLICATION
    2. Release report exaggerating "increase in vulnerabilities" in $APPLICATION
    3. Profit!

    --
    This posting is provided 'AS IS' without warranty of any kind, implied or otherwise.
  23. IE dangerous, but useful for now... by LessThanObvious · · Score: 1

    I use I.E. for one reason these days. Every company I end up working for has some internal business application that only gets tested and supported on I.E. and this is particularly the case after I lock down Firefox for actual web browsing. These kinds of internal business applications often fail with even minimal security restrictions.

    I hold out little hope that apps designed to be run in controlled environments will ever work with a decently locked down browser. The issue is that the most vulnerable business users will take their corporate issued laptop with I.E. and default settings and use that as if it's sane to use that configuration on the internet.

  24. Re:Surprise! by dave562 · · Score: 2

    Good points. The first thing that I thought when I read the summary was that the only way there could be a 100% increase is if the number of previous vulnerabilities was very small. Finding two vulnerabilities in the same period of time in which one was previously found is a 100% increase. Just like finding 60 when the previous amount was 30 is also a 100% increase.

  25. US-CERT first post was right at the end :) by martiniturbide · · Score: 1

    US-CERT used to post a report some time ago advising to switch to another browser; after a few hours they changed the statement.

    http://martin.iturbide.com/2014/04/do-you-trust-us-cert.html

  26. No privileges to install Cr or Fx by jpenguin · · Score: 1

    There are portable versions of FF & Chrome

  27. Re:Surprise! by onix · · Score: 1

    Depends on how those bugs were discovered. If reported by the outside community, chances are hackers might have exploited them before they were patched. Also, the hacker community culture is important. Avoidance is prudent. If a red Honda Civic is a target for crime, then drive a blue Toyota Corolla.

  28. Bromide. by westlake · · Score: 1

    (!) This article appears to be written like an advertisement. Please help improve it by rewriting promotional content from a neutral point of view and removing any inappropriate external links.

    Bromium

  29. Microsoft is now counting Flash vulns as IE vulns by benjymouse · · Score: 2

    Microsoft patches to IE include patches to vulns in Flash - which is embedded in IE. The increase in vulnerabilities is the result of the horrible Flash code.

    --
    Reading slashdot one-liner: (irm http://rss.slashdot.org/Slashdot/slashdot).rdf.item | fl title,desc*
  30. Yes actual numbers by crimson+tsunami · · Score: 1

    Even after looking at the full report, I see no actual numbers for how many vulnerabilities there were.

    How this was modded insightful I'll never know.
    Someone must be exploiting a vulnerability in your PDF viewer/browser that is causing it to not work properly (IE maybe), because mine clearly shows them in the appendix at the bottom.
    Internet Explorer:
    2013 130 vulnerabilities
    H1-2014 133 vulnerabilities

  31. Re:Surprise! by RaceProUK · · Score: 1

    Looking at the raw figures in the report, the count is up from 130 to... 133. That's an increase of 2.3%. Even extrapolated to a full year, it's a 5.6% rise.

    --
    No colour or religion ever stopped the bullet from a gun
  32. Re:Tepples has a great point by tepples · · Score: 1

    A strength of IE is here - nothing else truly really "integrates" as well (in my professional development experience thus far) into Intranet internal to corporate environs quite as well

    Why was this moderated down, other than knee-jerk ad hominem?

  33. close by crimson+tsunami · · Score: 1

    Close, but no cigar. Last year was 65 per six months; this year it's 133 per six months.

  34. Second user? by RockDoctor · · Score: 1

    Does this mean that IE has acquired a second user? And do they use it simultaneously?

    --
    Birds are not dinosaur descendants; birds are dinosaurs, for all useful meanings of "birds", "are" and "dinosaurs"