Fuzzy Logic said:
So these sites know everything that's happening on the Internet? Obviously
a certain 'critical mass' of machines needs to be attacked before these
sites are aware that the vulnerability is being exploited.
A few years ago I read a post from a self proclaimed hacker
who claimed to have discovered and been exploiting a then recently
reported flaw in IE for over a year, of course he may well
have been spouting hot air.
The risk of falling victim to a flaw while it hasn't reached your 'critical
mass' must be miniscule.
So you are saying that I am not exposed becuase there is a known (by a few
people) vulnerability but becuase hardly anyone knows about it I am not at
risk?
Isn't that just security by obscurity?
I would say it is, however by keeping the vulnerability secret you
are placed at no additional risk than you were when using the browser
before the vulnerability was discovered.
Publishing details about a flaw before it is fixed and users
have had sufficient opportunity to update would expose the users
to an unnecessary risk. The recent firefox work around
mitigated the most serious vulnerability, but it did not eliminate
all risk, neither did it guarantee that a hacker couldn't find
a similar flaw to get the exploit working again. It would
have been better it hadn't been leaked.
Unless you use a browser that only renders text with no support
for scripting or images, then your browser is highly likely to contain
a number of as yet undiscovered bugs, all complex software inevitably
does. A few of these bugs will be exploitable, although the severity
can be minimalised by good design. So you can be fairly confident
that even after you apply the latest patch to whatever browser you
use, your browser is still vulnerable.
It's not the number of flaws in IE that make it arguably less safe
than other browsers, it is that they have often been made public
before Microsoft have had sufficient time to patch them and
the sometimes prolonged amount of time it has taken to produce
a fix.