Slashdot Mirror


Internet Explorer Vulnerabilities Increase 100%

An anonymous reader writes: Bromium Labs analyzed public vulnerabilities and exploits from the first six months of 2014. The research determined that Internet Explorer vulnerabilities have increased more than 100 percent since 2013, surpassing Java and Flash vulnerabilities. Web browsers have always been a favorite avenue of attack, but we are now seeing that hackers are not only getting better at attacking Internet Explorer, they are doing it more frequently.

32 of 137 comments

  1. Re:Surprise! by ArcadeMan · · Score: 5, Funny

    Yeah, but no other browser can claim a 100% increase in vulnerabilities!

    Take THAT, Apple, Mozilla, Google and Opera!

  2. Eh? by Sockatume · · Score: 4, Informative

    I can't see where the 100% figure comes from. The report says that IE attacks hit a record high in exploited zero-days in the first half of 2013, but they're now much lower.

    --
    No kidding!!! What do you say at this point?
    1. Re:Eh? by SQLGuru · · Score: 4, Insightful

      Yeah, even reading the PDF (http://www.bromium.com/sites/default/files/bromium-h1-2014-threat_report.pdf/) didn't show any sort of "AAAAAHHHHH!!!! The world is ending!" type of numbers. They show IE decreasing the patch time since 2007. There are charts showing that Zero days are decreasing. The Appendix shows 3 more entries in the National Vulnerability Database. Reporting statistics in percentages without referring to what the percentage is based on is just clickbait.

      All software has holes. Larger use base makes for a bigger target. Blah blah blah. These stories aren't going to change what people use because the common person isn't reading them.

    2. Re:Eh? by BasilBrush · · Score: 2

      What are you finding unclear about this graphic?

      http://www.net-security.org/im...

    3. Re: Eh? by Sockatume · · Score: 2

      Shouldn't that be worded "vulnerabilities will have increased 100%, assuming this trend continues" and not "vulnerabilities have increased 100%"? At any rate I'm sure you're right that it's what the article author meant.

      --
      No kidding!!! What do you say at this point?
    4. Re: Eh? by Rhipf · · Score: 2

      OK I'll admit that I didn't notice the H1 in the graph right away but...

      Unless the article author has a time machine you still can't say that the vulnerabilities have increased 100% until they actually have. It would have been better if the author had compared the first half of 2013 to the first half of 2014. At least that way the comparison is grounded in facts, not speculation.

    5. Re: Eh? by crimson+tsunami · · Score: 2

      No, they really have already increased 100%.
      The trend may continue in the future or it may not, but as of right now the amount of vulnerabilities per unit time is twice as much, or 100% more, than in the past.
      Eye-balling from the graph, last year averaged ~10 per month, this year is averaging ~20 per month. A 100% increase.

    6. Re: Eh? by BasilBrush · · Score: 2

      Unless the article author has a time machine you still can't say that the vulnerabilities have increased 100% until they actually have.

      The rate has increased precisely 104% already. There is no need for a common divisor when calculating rates.

  3. No actual numbers by CastrTroy · · Score: 4, Insightful

    Even after looking at the full report, I see no actual numbers for how many vulnerabilities there were. Going from 1 vulnerability to 2 vulnerabilities would have been a 100% increase, without a huge reason for concern. They also state:

    a trend underscored by a progressively shorter time to first patch for its past two releases

    Is time to first patch really a bad thing? It really means that vulnerabilities were found, and that they were fixed quickly. As opposed to vulnerabilities found and not fixed quickly. I suppose it's worse than "no vulnerabilities found" but even if none are found, it doesn't mean they don't exist. Fixing things quickly is about the best thing you can do. It also goes on to say in the report

    Both IE exploits released in 2014 (CVE-2014-1776, CVE-2014-0322) used Flash to build the ROP chain and launch shellcode

    Which really leads me to believe that the numbers really did go from 1 to 2, and that the exploits were more due to Flash than they were to specific functionality in IE. MS was able to work around the bug by stopping it at the first step, but it looks like the exploit isn't possible without Flash.

    --

    Anthropic principle: We see the universe the way it is because if it were different we would not be here to see it.
    1. Re:No actual numbers by Ol+Olsoc · · Score: 3, Insightful

      Even after looking at the full report, I see no actual numbers for how many vulnerabilities there were. Going from 1 vulnerability to 2 vulnerabilities would have been a 100% increase

      and

      Is time to first patch really a bad thing? It really means that vulnerabilities were found, and that they were fixed quickly. As opposed to vulnerabilities found and not fixed quickly. I suppose it's worse than "no vulnerabilities found" but even if none are found, it doesn't mean they don't exist. Fixing things quickly is about the best thing you can do.

      You have convinced me, sir. I'm switching to Internet Explorer, the safest, most secure browser ever made, with possibly only 1 vulnerability. Have you considered running damage control for disgraced politicians?

      --
      The shepherds did so well protecting the flock that the sheep no longer believed that wolves existed.
    2. Re:No actual numbers by BasilBrush · · Score: 4, Informative

      Looking at the graphic the raw number looks like about 130 for all of 2013, and slightly more for the first half of 2014.

  4. New Microsoft CEO by ArcadeMan · · Score: 4, Interesting

    Does anyone think there's any chance that the next IE version will simply switch to Blink or WebKit, with a fallback to Trident if the X-UA-Compatible meta is present?

    If that happens, Firefox will be the odd one out as far as rendering is concerned.

    1. Re:New Microsoft CEO by gstoddart · · Score: 3, Interesting

      Does anyone think there's any chance that the next IE version will simply switch to Blink or WebKit

      Microsoft switch IE to use components written by someone else?

      I place the likelihood of that as pretty small.

      Microsoft have always had a huge case of "Not Invented Here", and I don't see that changing.

      --
      Lost at C:>. Found at C.
    2. Re:New Microsoft CEO by jones_supa · · Score: 3, Informative

      Why? Trident is a very fast and standards-compliant engine.

    3. Re:New Microsoft CEO by l0ungeb0y · · Score: 2

      Microsoft have always had a huge case of "Not Invented Here", and I don't see that changing.

      I believe you mean, "Not copied, ripped off, or acquired and gutted here"

    4. Re:New Microsoft CEO by Princeofcups · · Score: 2

      Microsoft switch IE to use components written by someone else?

      I place the likelihood of that as pretty small.

      Microsoft have always had a huge case of "Not Invented Here", and I don't see that changing.

      Considering that IE is based on Mosaic, SQL Server is based on Sybase, etc. etc., I don't think Microsoft has ever really "invented anything here."

      --
      The only thing worse than a Democrat is a Republican.
  5. Odd Conclusion by bveldkamp · · Score: 5, Insightful

    That's an odd conclusion to draw from the report. What it actually says is:

    1. Number of vulnerabilities in IE remains constant from 2013 to 2014, other applications see a decrease
    2. Number of public exploits in IE decreases from 11 to 3 in that same period
    3. Number of days to patch in IE decreases from ~80 to ~5 between IE7 and IE 11

    1. Re:Odd Conclusion by BasilBrush · · Score: 5, Informative

      We seem to be having a lot of astroturf from MS today.

      IE Exploits.
      2013 = 130
      H1-2014 = 133.

      Bearing in mind the year vs half-year, that's a 104% increase. So no, it's not an odd conclusion at all.

  6. Re:Surprise! by Anonymous Coward · · Score: 5, Funny

    Don't worry--those who were responsible for that browser were all just sacked.

    ... and those who were responsible for sacking the browser writers were all sacked.

  7. A rule of thumb.. by js3 · · Score: 3, Interesting

    if someone gives you a percentage they are trying to make it better or worse than it actually is.

    --
    did you forget to take your meds?
    1. Re:A rule of thumb.. by oodaloop · · Score: 3, Insightful

      if someone gives you a percentage they are trying to make it better or worse than it actually is.

      And contrariwise, if they give you raw numbers, it's the opposite. That's logic!

      --
      Tic-Tac-Toe, Global Thermonuclear War, and relationships all have the same winning move.
  8. No privileges to install Cr or Fx by tepples · · Score: 3, Insightful

    I also do not understand those people still using MSIE

    I gather many of them are people at work who lack privileges to install other browsers or to run executables from writable directories. This is reportedly common on government PCs that need to connect to IE-only intranet apps.

    1. Re:No privileges to install Cr or Fx by Cro+Magnon · · Score: 2

      Recently, at my job, we got an email saying that Firefox was considered "at your own risk", and only those with a business need would be allowed to use it. Luckily, IE choked on one of our sites, and I used that as my justification for FF.

      --
      Slow down, cowboy! It has been 4 hours since you last posted. You must wait another few hours.
    2. Re:No privileges to install Cr or Fx by GerbilKor · · Score: 2

      Internal websites/apps that only work in one browser are understandable. I am baffled by the numerous public-facing government websites that, to this day, only work in IE. I haven't seen a non-government site do that since, I don't know, the early 2000s maybe?

  9. Vulnerabilities did not increase by WD · · Score: 3, Interesting

    Just because you don't know about vulnerabilities, that doesn't mean that they're not there. The vulnerabilities are present in the code before they are discovered.

    Having said that, drawing conclusions from vulnerability counts is usually an exercise in futility. There are many factors that affect how many vulnerabilities are discovered and disclosed, including the availability of vulnerability-finding tools, the discovery of novel attack techniques, or simply a critical mass of interest in the security field.

  10. 100% Increase by JD-1027 · · Score: 3, Funny

    I'm betting it had more than one vulnerability...

    http://xkcd.com/1102/

  11. This is a surprise? by BCW2 · · Score: 2

    History shows that more than 80% of Windows vulnerabilities are IE based. Only the gullible and foolish would use such an insecure and worthless piece of crapware. IE has never been good; M$ couldn't even give it away when Netscape cost money. Nobody would use it when it was free. M$ had to incorporate it into the OS before they got any real market share.

    --
    Professional Politicians are not the solution, they ARE the problem.
  12. Re:Surprise! by pr0nbot · · Score: 5, Funny

    I think your post constitutes a 100% increase in the number of times I've heard Opera mentioned this year.

  13. Re:Surprise! by ArcadeMan · · Score: 2

    Mynd you, møøse bites Kan be pretti nasti...

  14. Re:Surprise! by LordLimecat · · Score: 3, Informative

    Neither can IE. It has a ~5-10% increase.

    The summary is absolute garbage; it implies that the number of vulnerabilities has doubled (it hasn't), that IE security is worse (but public exploits are reduced from last year, and mean time to patch is vastly reduced), and that it's always been worse (last year, Chrome and Firefox had more exploits than IE).

    Unsurprisingly, everyone here took the bait.

  15. Re:Surprise! by dave562 · · Score: 2

    Good points. The first thing that I thought when I read the summary was that the only way there could be a 100% increase is if the number of previous vulnerabilities was very small. Finding two vulnerabilities in the same period of time in which one was previously found is a 100% increase. Just like finding 60 when the previous amount was 30 is also a 100% increase.

  16. Microsoft is now counting Flash vulns as IE vulns by benjymouse · · Score: 2

    Microsoft patches to IE include patches to vulns in Flash - which is embedded in IE. The increase in vulnerabilities is the result of the horrible Flash code.

    --
    Reading slashdot one-liner: (irm http://rss.slashdot.org/Slashdot/slashdot).rdf.item | fl title,desc*