As though there weren’t already enough reasons not to use Internet Explorer, Brian Krebs of the Washington Post recently took an in-depth look at browser vulnerabilities. These weren’t just little bugs he was looking at; they were large, dangerous vulnerabilities that potentially gave criminals access to sensitive information. He took a look at the number one market share holder for web browsers, Internet Explorer with 80 percent of the share, and compared it to Firefox, the next leading browser. In a nutshell, Internet Explorer had critical vulnerabilities that sat unpatched, with exploit code publicly available, for an astonishing total of 284 days last year. Compare that with Firefox’s diminutive nine days of a security hole without a patch, and that ought to tell you that if you’re using Internet Explorer, you may want to check out alternative browsers (Opera, Firefox, Flock, etc.).
When taking a look at Internet Explorer, Brian says:
“for a total 284 days in 2006 (or more than nine months out of the year), exploit code for known, unpatched critical flaws in pre-IE7 versions of the browser was publicly available on the Internet. Likewise, there were at least 98 days last year in which no software fixes from Microsoft were available to fix IE flaws that criminals were actively using to steal personal and financial data from users.”
Continuing on, when taking a look at Firefox, he says:
“Mozilla’s Firefox browser — experienced a single period lasting just nine days last year in which exploit code for a serious security hole was posted online before Mozilla shipped a patch to remedy the problem.”
Also interesting is that Brian contacted Microsoft with his results, and the people he spoke with really had no objections to what he found. In at least 10 different instances last year, there were detailed instructions published on the web on how to “leverage critical vulnerabilities” before Microsoft had a patch to fix them.
Below is a graph that gives a good visual on when the browser vulnerabilities were publicly disclosed, and when they were actively exploited.
If you’re an Internet Explorer user, I’d be skeptical about continuing to use it, especially when it appears that your browser was under attack nearly every day last year. With the Vista consumer release just around the corner, hopefully Microsoft will approach Vista vulnerabilities more aggressively than they have Internet Explorer’s. There will certainly be plenty of awful people with the intention of finding any vulnerability that they can and using it for their gain.