IE flaws stats stark, but omit big picture

According to a Washington Post blogger, there were 284 days in 2006 when unpatched flaws in Internet Explorer were vulnerable to exploit code. Should you never let your organisation use the browser again?

Is it safe?

That's the question Laurence Olivier's sadistic Nazi dentist asked Dustin Hoffman over and over again as he plucked out Hoffman's teeth sans Novocain in the 1976 thriller Marathon Man.

Hoffman didn't know the answer to Olivier's cryptic question. But picture yourself in that same dentist's chair, asked a similarly simple question: Is Microsoft Explorer safe? No. It's not safe. Nothing is safe.

The Washington Post's computer security blogger, Brian Krebs, raised a few eyebrows earlier this month when he announced that Microsoft's Internet Explorer was "unsafe" for 284 days in 2006.

Krebs arrived at that number (nearly nine months of the year) by compiling the amount of time it took for Microsoft to release a patch for critical flaws in Internet Explorer for which exploit code was publicly available on the Web. He added that there were at least 98 days in 2006 in which no software fixes were available from Microsoft for Explorer flaws that "criminals were actively using to steal personal and financial data from users."
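The metric described above is a "days at risk" count: for each flaw, the window between the day exploit code became public and the day a patch shipped, with days that fall in more than one window counted once, not once per flaw. The following is an added example, not Krebs' own script or data; the flaw records are constructed, and the date fields, the `in_the_wild` flag and the year boundaries are assumptions used to illustrate the arithmetic. It also computes the second figure from the paragraph (days with no fix for flaws under active attack) by filtering on that flag, and shows how a naive per-flaw sum overstates the union.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple

# Assumed reporting period: calendar 2006, end date exclusive.
YEAR_START = date(2006, 1, 1)
YEAR_END = date(2007, 1, 1)


@dataclass
class Flaw:
    name: str
    exploit_public: date          # day working exploit code was available online
    patched: Optional[date]       # day the vendor shipped a fix; None = still unpatched
    in_the_wild: bool = False     # assumed flag: criminals were actively exploiting it


# Constructed sample records (hypothetical names and dates, not real advisories).
SAMPLE: List[Flaw] = [
    Flaw("flaw-D", date(2005, 12, 25), date(2006, 1, 5)),                    # spans the year boundary
    Flaw("flaw-A", date(2006, 1, 10), date(2006, 2, 9)),
    Flaw("flaw-B", date(2006, 2, 1), date(2006, 3, 3), in_the_wild=True),    # overlaps flaw-A
    Flaw("flaw-C", date(2006, 12, 20), None, in_the_wild=True),              # unpatched at year end
]


def exposure_windows(flaws: List[Flaw],
                     start: date = YEAR_START,
                     end: date = YEAR_END) -> List[Tuple[date, date]]:
    """Half-open [exploit_public, patched) windows, clipped to the reporting period."""
    windows = []
    for f in flaws:
        lo = max(f.exploit_public, start)
        hi = min(f.patched or end, end)   # unpatched flaws stay open until period end
        if lo < hi:
            windows.append((lo, hi))
    return windows


def merge_windows(windows: List[Tuple[date, date]]) -> List[Tuple[date, date]]:
    """Union of intervals: sort by start, then fold overlapping/adjacent ones together."""
    merged: List[Tuple[date, date]] = []
    for lo, hi in sorted(windows):
        if merged and lo <= merged[-1][1]:
            merged[-1] = (merged[-1][0], max(merged[-1][1], hi))
        else:
            merged.append((lo, hi))
    return merged


def days_at_risk(flaws: List[Flaw], only_in_the_wild: bool = False,
                 start: date = YEAR_START, end: date = YEAR_END) -> int:
    """Days in the period on which at least one selected flaw had public exploit code and no patch."""
    chosen = [f for f in flaws if f.in_the_wild or not only_in_the_wild]
    return sum((hi - lo).days for lo, hi in merge_windows(exposure_windows(chosen, start, end)))


def naive_days(flaws: List[Flaw], start: date = YEAR_START, end: date = YEAR_END) -> int:
    """Per-flaw sum without merging; double-counts days covered by several flaws."""
    return sum((hi - lo).days for lo, hi in exposure_windows(flaws, start, end))


if __name__ == "__main__":
    print("days at risk (any flaw):      ", days_at_risk(SAMPLE))             # 68
    print("days at risk (in the wild):   ", days_at_risk(SAMPLE, True))       # 42
    print("naive per-flaw sum:           ", naive_days(SAMPLE))               # 76
```

The difference between the merged and naive figures is why the counting rule matters when comparing vendors: two browsers with the same number of flaw-days can have very different numbers of calendar days on which a user was actually exposed, depending on how much the windows overlap.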

Krebs took a look at Mozilla's Firefox, Explorer's closest competitor, and found there were only nine days in 2006 when exploit code for a serious security hole was available online before Mozilla issued a patch.

Those numbers side by side seem pretty stark, but is it a fair comparison?

"Not only is it fair to the level it goes, but it doesn't take into account that most people don't actually patch software as soon as a patch is available," said Richard Steinnon, chief marketing officer at Sunnyvale, Calif.-based Fortinet Inc., an information security vendor.

Avivah Litan, vice president and research director at Gartner Inc. in Stamford, Conn., said the 284 days of vulnerability seems accurate, but she said it's also a reflection of Explorer's 80% market share.

"If you were a thief, would you go after 80% of the market or 9%?" Litan said. "Crooks are going to go to the low-hanging fruit. They like to write attacks for a mass audience."

Analyst Natalie Lambert at Cambridge, Mass.-based Forrester Research Inc. didn't dispute Krebs' numbers, but she also said market share was a big part of the problem for Microsoft.

"The days are the days. You can take it at face value," she said. "I just feel that people are going to target Microsoft Explorer more than Firefox because of the market share. I don't think this shows that Microsoft is less secure, but that they do have their work cut out for them. They've got people who are attacking all of their products."

Lambert said Microsoft has improved its response to vulnerabilities, but she added the company has a way to go. She said Krebs' analysis doesn't establish that Explorer is less secure than other browsers. Instead, she said, it highlights the need for all software vendors to improve their policies for patching known vulnerabilities. She also said Vista and Internet Explorer 7, which was released in November, should further improve security for Microsoft. However, she cautioned that they are no silver bullets for exploitable code.

Lambert said the entire software industry has a problem with flawed code, and all vendors need to take a more aggressive approach to dealing with active exploits.

"I think all vendors need to add additional resources to make sure they are patching software with as much timeliness as necessary," Lambert said.

She said Krebs' findings also highlight the need for IT managers to make sure they have good patch management policies in place.

Steinnon said a number like 284 days will help IT organizations highlight to management why it's so difficult to manage and update Explorer and other Microsoft products.

He said businesses and consumers should use Explorer only when absolutely necessary.

"The only reason you should use Internet Explorer is if some of the online applications you use, such as banking, don't let you log in with another browser," he said.

In a statement sent to this reporter, a Microsoft spokesperson didn't dispute Krebs' findings, but suggested his methodology doesn't tell the whole story.

"When a security issue threatens customers, the Microsoft Security Response Center quickly mobilizes several specially focused teams to investigate, fix and learn from security vulnerabilities," the spokesperson said.

She added that delays in issuing patches are usually tied to several issues. Microsoft developers might find a problem with a patch while testing it. Or they might spend time looking for other related security issues to ensure a comprehensive patch. Other delays are related to whether changes could affect compatibility with other applications. She added that some problems are at an architectural level and require significant changes that take more time to test.

Let us know what you think about the story; email: Shamus McGillicuddy, News Writer
