Internet Explorer unsafe for 284 days in 2006 – UPDATE1

Internet Explorer was unsafe for 284 days in 2006? No way. Okay, it’s absolutely possible given the number of exploits, and if you read the chart it looks like IE was exploited for the majority of the year. Brian Krebs of the Washington Post also mentions that Mozilla was only exploited for nine days out of last year.
Still, we believe this is misleading. Why? Here are two other articles on different Firefox exploits from last year.
Want to research more Firefox exploits? Two seconds in Google with the words “firefox exploit 2006” will do it.
We’re all for Internet Explorer being bad and Firefox being better than IE, but Firefox had its share (although a lot less) of exploits last year. The WaPo analysis slightly misconstrues the facts by lowballing the Firefox exploits.
UPDATE (11:00PM): Since Mr Readthearticle actually wanted to bicker about the semantics of critical failures in Firefox in 2006, and obviously doesn’t read vulnerability reports from CERT the way we do, here are a couple of items to justify our case: Firefox vulnerabilities in 2006 that were deemed “critical” and rated “system access”. In 2006, Secunia reported 13 Firefox vulnerabilities. Of those 13, 22% were system access related.
The National Vulnerability Database from NIST, along with the CERT findings, also confirms more critical, system-access vulnerabilities in Firefox in 2006.
All in all, while Firefox is the better of the two and Mozilla’s patch turnaround times beat Microsoft’s by every measure, the Krebs study still misses crucial Firefox vulnerabilities besides the single instance he pointed out. The numbers don’t sway to Microsoft’s side by any means, but we weren’t wrong when we said there was more than one.
Slashdot < WaPo

  • Readthearticle

    Nice try.
    The first “other” exploit you link to was widely discredited as a joke by the so-called researchers who presented it, who later admitted they’d made it up. Google the name Mischa Spiegelmock if you don’t believe me.
    The second one is hardly a flaw that could be used to hijack a Firefox user’s computer remotely.
    Or perhaps you didn’t read the criteria of the Post’s study: The Post’s story looked at “critical” vulnerabilities in IE, and its comparison to Firefox was based on critical flaws in Firefox, or those that could be used to take control over the user’s machine.

  • Mr ReadtheArticle

    Thanks for the update, but I’m afraid this latest update misses the point as well. Okay, so 22 percent of Mozilla’s security updates last year were critical (according to Secunia). The comparison made between Mozilla and IE was about unpatched flaws for which exploit code was available. Care to shed some light on how many of these 13 Firefox vulnerabilities were both critical AND had exploit code available before a patch?

  • darkmoon

    Since you don’t care to read release notes, there’s the link direct from Mozilla outside of security firms that track the issues. Everything is deemed critical and remote code execution, and go figure…. there’s a lot more than “1”.
    Outside of that, I personally remember seeing these reported on Bugtraq as an advisory. Krebs’ article only mentions one where the patch took longer than a few days, but all of these can still be found to be more than 9 days’ worth of vulnerable status.
    The point is, from a logic standpoint, everyone that’s installed a patch from Mozilla between 1.501 and 2 has seen more than 1 critical exploit patched. Thus, showing one single example of the critical and remote exploit patch outside of MFSA 2006-08 proves that the “nine days” time limit was incorrect.
    If the nine days time limit was dictated to say…. Opera, I perhaps could see it seeing that exploits are rarely even reported on that browser. Even so, I would raise an eyebrow at any single digit days of “exploitable” time in a year considering in the security world that’s rather an outrageous claim for such a high profile browser.