IE 'Unsafe' 98% Of 2004, Says ScanIT - InformationWeek

InformationWeek is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

03:19 PM

IE 'Unsafe' 98% Of 2004, Says ScanIT

As Mozilla and Microsoft executives argue about which browser--Firefox or Internet Explorer--is more secure, fans of the former have numbers on their side, says a security firm.

As Mozilla and Microsoft executives argue about which browser -- Firefox or Internet Explorer -- is more secure, fans of the former have numbers on their side, a Belgian security consultancy said this week.

According to Brussels-based ScanIT, users of Microsoft's Internet Explorer (IE) were "unsafe" 98 percent of the time during 2004, while Mozilla users -- which would include those using Mozilla and Firefox -- were "unsafe" only 15 percent of last year.

ScanIT determined the unsafe periods by examining the life spans of vulnerabilities in IE, Mozilla, and Opera -- a Norwegian browser that has a nearly insignificant share of the U.S. market -- which could be exploited remotely by attackers. By documenting the time between the disclosure of the vulnerability and when a patch was issued, ScanIT calculated the total number of days each browser was vulnerable. It also matched those vulnerable dates against periods when out-in-the-wild exploits were making the rounds.

IE was vulnerable all but seven days of 2004, or 98 percent of the year. "There was only one period in 2004 when there were no publicly known remote code execution bugs," said ScanIT's report. "Between the 12th and the 19th of October. That means a fully patched Internet Explorer installation was known to be unsafe for 98 percent of 2004."

During 200 days (54 percent of the time), there was a worm or virus on the loose that exploited one of the unpatched IE vulnerabilities. (ScanIT's IE vulnerability timeline can be found here.)

In comparison, Firefox (and the other Mozilla browsers) was vulnerable only 56 days in 2004 (15 percent of the time) during off-and-on stretches starting in May. At no time in 2004 were worms or viruses circulating that exploited one of the unpatched Firefox vulnerabilities.

"In 2004, Mozilla was not targeted by malware writers," ScanIT's report said to explain why Firefox wasn't at risk last year. "But this might change as Mozilla software gains popularity."

Even then, however, ScanIT said Mozilla/Firefox may still have an advantage over IE. "Security researchers seem to be more inclined to report vulnerabilities privately to the Mozilla development team rather than publish them immediately," said the report. "This might be because the Mozilla project produces free open-source software, and being nice to it is considered 'A Good Thing.'" ScanIT also considered Mozilla's bug bounty, which pays $500 to users reporting critical flaws, as playing a part.

Naturally, Mozilla Foundation executives touted the ScanIT data. "Their research points out that Microsoft's IE was 'unsafe' for 98 percent of 2004, while we were 'unsafe' only 15 percent of the time," said Chris Hofmann, chief of engineering at Mozilla. "This is really the metric that makes the most sense to most users." Earlier in the week, in fact, Mitchell Baker, the president of Mozilla, claimed that her foundation's browsers were inherently more secure because they weren't tied to the Windows operating system, and rejected the idea that a boost in market share would make Firefox more vulnerable.

Her head of engineer tweaked that message a bit in an e-mail to TechWeb. "People really should be looking at the architecture of the browsers and the source of potential vulnerability," said Mozilla's Hofmann. "Browsers share many of the same architectural components, but it's been Microsoft proprietary extensions to the browser such as ActiveX, and the complex Microsoft Security Zone model, where the most severe exploits have surfaced in the past and continue to be exploited.

"Microsoft has made strides in securing these areas in [Windows XP] SP2, but in some ways they were Band-Aids on an insecure architecture."

Microsoft, of course, doesn't see it that way. In his blog, IE product manager Dave Massy first defended his browser. "As we develop IE we go through very thorough and stringent security reviews to ensure that every change is secure and does not expose the user to attack."

Next, he took issue with Baker's claim that IE would always have more bugs because it was tied so tightly to Windows. "The security of any browser is irrelevant if it is part of the operating system," Massy said. "If we are to debate security of browsers then let's bring in relevant arguments and accurate details about different possible attacks rather than rely on the irrational fear that because IE is part of the operating system it must be exposing OS functionality to the Web."

Interestingly, a third party -- Alfred Huger, the vice president of engineering for Symantec's security research group -- isn't sure which browser will be less or more secure going forward, but is sure of one thing: attackers will continue to focus on browsers.

"Everyone has a browser, so it's the biggest possible audience," he said. "Hackers will be targeting Web clients with greater effort in 2005, something that's definitely going to get a lot of attention."

We welcome your comments on this topic on our social media channels, or [contact us directly] with questions about the site.
Comment  | 
Print  | 
More Insights
2020 State of DevOps Report
2020 State of DevOps Report
Download this report today to learn more about the key tools and technologies being utilized, and how organizations deal with the cultural and process changes that DevOps brings. The report also examines the barriers organizations face, as well as the rewards from DevOps including faster application delivery, higher quality products, and quicker recovery from errors in production.
Data Science: How the Pandemic Has Affected 10 Popular Jobs
Cynthia Harvey, Freelance Journalist, InformationWeek,  9/9/2020
The Growing Security Priority for DevOps and Cloud Migration
Joao-Pierre S. Ruth, Senior Writer,  9/3/2020
Dark Side of AI: How to Make Artificial Intelligence Trustworthy
Guest Commentary, Guest Commentary,  9/15/2020
Register for InformationWeek Newsletters
Current Issue
IT Automation Transforms Network Management
In this special report we will examine the layers of automation and orchestration in IT operations, and how they can provide high availability and greater scale for modern applications and business demands.
White Papers
Twitter Feed
Sponsored Live Streaming Video
Everything You've Been Told About Mobility Is Wrong
Attend this video symposium with Sean Wisdom, Global Director of Mobility Solutions, and learn about how you can harness powerful new products to mobilize your business potential.
Sponsored Video
Flash Poll