As though there weren’t already enough reasons not to use Internet Explorer, Brian Krebs of the Washington Post recently took an in-depth look at browser vulnerabilities. These weren’t just little bugs he was looking at; these were large, dangerous vulnerabilities that potentially gave criminals access to sensitive information. He took the number one market share holder for web browsers, Internet Explorer with 80 percent of the share, and compared it to Firefox, the next leading browser. In a nutshell, Internet Explorer had significant vulnerabilities that remained unpatched for an astonishing 284 days last year. Compare that with Firefox’s diminutive nine days of a security hole without a patch, and that ought to tell you that if you’re using Internet Explorer, you may want to check out alternative browsers (Opera, Firefox, Flock, etc.).

When taking a look at Internet Explorer, Brian says:

“for a total 284 days in 2006 (or more than nine months out of the year), exploit code for known, unpatched critical flaws in pre-IE7 versions of the browser was publicly available on the Internet. Likewise, there were at least 98 days last year in which no software fixes from Microsoft were available to fix IE flaws that criminals were actively using to steal personal and financial data from users.”

Continuing on, when taking a look at Firefox, he says:

“Mozilla’s Firefox browser — experienced a single period lasting just nine days last year in which exploit code for a serious security hole was posted online before Mozilla shipped a patch to remedy the problem.”

Also interesting is that Brian contacted Microsoft with his results, and the people he spoke with really had no objections to what he found. In at least 10 different instances last year, there were detailed instructions published on the web on how to “leverage critical vulnerabilities” before Microsoft had a patch to fix them.
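The figures quoted above are a "days of exposure" metric: the number of calendar days on which at least one critical flaw had public exploit code and no patch. Two things matter when reproducing such a number: overlapping windows must be counted once (the union, not the sum), and a flaw still unpatched at year end runs through December 31. The script below is an added illustration, not Krebs's method or data; the flaw windows in it are constructed, and the function names are my own.

```python
from datetime import date

# Constructed sample data (NOT the real 2006 IE or Firefox flaws from the article).
# Each entry: (label, date exploit code became public, date a fix shipped, or None if
# no fix had shipped by year end). A day counts as exposed from the disclosure date
# (inclusive) up to, but not including, the day the patch shipped.
SAMPLE_WINDOWS = [
    ("flaw-E", date(2005, 12, 20), date(2006, 1, 5)),   # spills in from the previous year
    ("flaw-A", date(2006, 1, 10), date(2006, 2, 9)),    # 30 days
    ("flaw-B", date(2006, 2, 1), date(2006, 2, 20)),    # overlaps flaw-A
    ("flaw-C", date(2006, 6, 1), date(2006, 6, 10)),    # 9 days, isolated
    ("flaw-D", date(2006, 12, 1), None),                # still unpatched on Dec 31
]


def clamp_to_year(disclosed, fixed, year):
    """Return (start, end) with an exclusive end, trimmed to `year`, or None if empty."""
    year_start = date(year, 1, 1)
    year_end_excl = date(year + 1, 1, 1)
    start = max(disclosed, year_start)
    end = min(fixed if fixed is not None else year_end_excl, year_end_excl)
    return (start, end) if start < end else None


def per_flaw_days(windows, year):
    """Days each flaw was exposed within `year` (per-window figure, no merging)."""
    result = {}
    for label, disclosed, fixed in windows:
        iv = clamp_to_year(disclosed, fixed, year)
        result[label] = (iv[1] - iv[0]).days if iv else 0
    return result


def merged_intervals(windows, year):
    """Merge overlapping or touching exposure windows into disjoint (start, end_excl) runs."""
    ivs = sorted(iv for iv in (clamp_to_year(d, f, year) for _, d, f in windows) if iv)
    merged = []
    for start, end in ivs:
        if merged and start <= merged[-1][1]:      # overlaps or touches the open run
            merged[-1] = (merged[-1][0], max(merged[-1][1], end))
        else:
            merged.append((start, end))
    return merged


def exposure_days(windows, year):
    """Calendar days in `year` with at least one unpatched, publicly exploitable flaw."""
    return sum((end - start).days for start, end in merged_intervals(windows, year))


def longest_run_days(windows, year):
    """Longest unbroken stretch of exposure (the 'single period of nine days' figure)."""
    return max(((end - start).days for start, end in merged_intervals(windows, year)), default=0)


if __name__ == "__main__":
    print("per flaw:", per_flaw_days(SAMPLE_WINDOWS, 2006))
    print("naive sum:", sum(per_flaw_days(SAMPLE_WINDOWS, 2006).values()))
    print("days of exposure (union):", exposure_days(SAMPLE_WINDOWS, 2006))
    print("longest single run:", longest_run_days(SAMPLE_WINDOWS, 2006))
```

On the constructed data the naive sum of per-flaw days is 93 while the merged figure is 85, because flaw-A and flaw-B overlap; the merged view is the one that answers "how many days was a user of this browser exposed", which is the question the article's numbers address.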

Below is a graph that gives a good visual on when the browser vulnerabilities were publicly disclosed, and when they were actively exploited.

If you’re an Internet Explorer user, I’d be skeptical about continuing to use it, especially when it appears that your browser was under attack nearly every day last year. With the Vista consumer release just around the corner, hopefully Microsoft will approach Vista vulnerabilities more aggressively than it has Internet Explorer. There will certainly be plenty of awful people intent on finding any vulnerability they can and using it for their gain.

  1. So does pre-IE7 include browsers that Microsoft no longer supports like IE3, IE4 or IE5? If so, that is really an unfair comparison as no software company is going to supply patches for a product forever.

  2. I’m pretty confident that this comparison was with Internet Explorer 6 because IE7 was not released until late October.
    I also assume that if the comparison was made with previous versions of IE, that they’re also doing the same with previous versions of Firefox. Mozilla has stopped updating the Firefox 1.0.X line of products so any vulnerabilities found won’t be fixed as well.

    Since the vulnerabilities in those previous versions don’t get fixed, it wouldn’t make sense to compare it to those. There are always going to be vulnerabilities in previous versions, but they won’t fix them because they’ve stopped supporting them.

  3. There are so many good browsers nowadays there really isn’t any reason for someone to be using IE. If a person is a die-hard Windows user (or doesn’t know there are alternatives) they can choose from Firefox, Seamonkey, Opera, Maxthon, etc.

  4. Alas only a handful that are any good! :)

  5. I wonder if some people actually use the “unknown” ones in the list. I also wonder which one has the lowest market share. :)

  6. “for a total 284 days in 2006 (or more than nine months out of the year), exploit code for known, unpatched critical flaws in pre-IE7 versions of the browser was publicly available on the Internet. Likewise, there were at least 98 days last year in which no software fixes from Microsoft were available to fix IE flaws that criminals were actively using to steal personal and financial data from users.”

    “Mozilla’s Firefox browser — experienced a single period lasting just nine days last year in which exploit code for a serious security hole was posted online before Mozilla shipped a patch to remedy the problem.”

    These statistics are very useful. :D :D :D Now I can show them to anyone, any non-tech people at my job, and they all will agree to install Firefox over IE. :)

  7. This is the same Linux vs Windows, Open Source vs Commercial Application, Mac vs PC fecal matter we hear every day. People are not exploiting vulnerabilities in Firefox, not because they are not there but because the user base is not large enough; why exploit a flaw that only 2% of internet users have? When the market shares are equal let’s talk again.

  8. That’s very true Daryl, and it’s something that needs to be taken very seriously. This is something that has protected both Mac OS X and Linux the same, since they are able to focus on developing useful and productive features without worrying as much about the hackers who are trying to take advantage of every little nook and cranny.