S
Steve
http://windowssecrets.com/paid/0745465284 (subscription required?)
Some remarkable statistics comparing the major Web browsers have been
developed by Scanit NV, an international security firm. The company
painstakingly researched the dates when vulnerabilities were first
discovered in various browsers, and the dates when the holes were
subsequently patched.
The firm found that IE was wide open for a total of 200 days in 2004,
or 54% of the year, to exploits that were "in the wild" on the
Internet.
The Firefox browser and its older sibling Mozilla had no periods in
2004 when a security flaw went unpatched before exploits started
circulating on the Net. With the latest 1.0.4 upgrade, Firefox has
retained its "patch-before-hackers-can-strike" record so far in 2005,
as well.
These statistics are so important to understanding the "attack
surface" of the major browsers that we should break down this study
into its individual findings:
....IE suffered from unpatched security holes for 359 days in 2004.
According to Scanit, there were only 7 days out of 366 in 2004 during
which IE had no unpatched security holes. This means IE had no
official patch available against well-publicized vulnerabilities for
98% of the year.
....Attacks on IE weaknesses circulated "in the wild" for 200 of those
days. Scanit records the first sighting of actual working hacker code
on the Internet. In this way, the firm was able to determine how many
days an IE user was exposed to possible harm. When Microsoft released
a patch for an IE problem, Scanit "stopped the clock" on the period of
vulnerability.
....Mozilla and Firefox patched all vulnerabilities before hacker code
circulated. Scanit found that the Mozilla family of browsers, which
share the same code base, went only 26 days in 2004 during which a
Windows user was using a browser with a known security hole. Another
30 days involved a weakness that was only in the Mac OS version.
Scanit reports that each vulnerability was patched before exploits
were running on the Web. This resulted in zero days when a Mozilla or
Firefox user could have been infected.
The Opera browser also experienced no days during which unpatched
holes faced actual exploits, but Scanit began keeping statistics on
Opera only since September 2004.
Another security firm that tracks security holes in IE, Firefox, and
many other applications is Secunia. As of today, Secunia reports that
there are still 19 unpatched security flaws in IE, the most severe of
which is rated "highly critical." Firefox has only 4 unpatched flaws,
all of which are rated "less critical" or "not critical," the lowest
severity rating. Opera has none.
Some remarkable statistics comparing the major Web browsers have been
developed by Scanit NV, an international security firm. The company
painstakingly researched the dates when vulnerabilities were first
discovered in various browsers, and the dates when the holes were
subsequently patched.
The firm found that IE was wide open for a total of 200 days in 2004,
or 54% of the year, to exploits that were "in the wild" on the
Internet.
The Firefox browser and its older sibling Mozilla had no periods in
2004 when a security flaw went unpatched before exploits started
circulating on the Net. With the latest 1.0.4 upgrade, Firefox has
retained its "patch-before-hackers-can-strike" record so far in 2005,
as well.
These statistics are so important to understanding the "attack
surface" of the major browsers that we should break down this study
into its individual findings:
....IE suffered from unpatched security holes for 359 days in 2004.
According to Scanit, there were only 7 days out of 366 in 2004 during
which IE had no unpatched security holes. This means IE had no
official patch available against well-publicized vulnerabilities for
98% of the year.
....Attacks on IE weaknesses circulated "in the wild" for 200 of those
days. Scanit records the first sighting of actual working hacker code
on the Internet. In this way, the firm was able to determine how many
days an IE user was exposed to possible harm. When Microsoft released
a patch for an IE problem, Scanit "stopped the clock" on the period of
vulnerability.
....Mozilla and Firefox patched all vulnerabilities before hacker code
circulated. Scanit found that the Mozilla family of browsers, which
share the same code base, went only 26 days in 2004 during which a
Windows user was using a browser with a known security hole. Another
30 days involved a weakness that was only in the Mac OS version.
Scanit reports that each vulnerability was patched before exploits
were running on the Web. This resulted in zero days when a Mozilla or
Firefox user could have been infected.
The Opera browser also experienced no days during which unpatched
holes faced actual exploits, but Scanit began keeping statistics on
Opera only since September 2004.
Another security firm that tracks security holes in IE, Firefox, and
many other applications is Secunia. As of today, Secunia reports that
there are still 19 unpatched security flaws in IE, the most severe of
which is rated "highly critical." Firefox has only 4 unpatched flaws,
all of which are rated "less critical" or "not critical," the lowest
severity rating. Opera has none.