Over the last month, Washington Post blogger Brian Krebs has been speaking to security researchers in order to compile data on security vulnerabilities found in Microsoft software. After analyzing the results, what Krebs found was not unexpected, but still hard to believe: for most of 2006, Internet Explorer (IE) carried known, unpatched vulnerabilities for which exploit code was publicly available.
Krebs' numbers show that for 284 days last year, exploit code was publicly available for unpatched vulnerabilities in IE6 and below. Even worse, for 98 days last year, attackers were actively exploiting unpatched flaws in the browser to get at people's personal data. All in all, there were ten cases of exploit code being published to the 'Net before Microsoft had fixed the bug.
At this point, you must be asking how Krebs came up with those figures. Here's how it was done:
First, a note on the methodology behind this blog post: The data presented here builds on a project I began in late 2005 looking back on three years of efforts by Microsoft to address only the most severe security holes in its software. I conducted that same research again last month, individually contacting nearly all of the security researchers who submitted reports of critical flaws in Microsoft products to learn from them not only the dates that they had submitted their findings to the company, but also any other security trends or anomalies they observed in working with the world's largest software maker.
Yes, there's plenty of room for error in Krebs' methodology, but he also notes that he presented his findings to Microsoft before writing the article. "The officials I dealt with helpfully concurred or quibbled slightly with some of my findings, but the company raised no objections that would materially affect the results presented in this particular study of IE flaws," he said.
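Krebs' headline figures are counts of calendar days, not sums of per-flaw windows: two flaws that were both public and unpatched on the same day count as one day at risk, so overlapping windows have to be merged rather than added up. The Python below is an added illustration of that calculation and is not Krebs' data or code; the sample windows (exploit-publication date, patch date, and an in-the-wild flag) are constructed for the example, and the choice to count both the first and last day of a window inclusively is an assumption.

```python
"""Days-at-risk calculation over constructed vulnerability windows.

Added example (not Krebs' data or code). For each flaw we have the date
exploit code became public and the date the vendor shipped a fix (None if
still unpatched at year end). We count the calendar days on which at least
one flaw was both public and unpatched, merging overlapping windows so a
day is never counted twice. The inclusive day-counting convention is an
assumption made for this example.
"""
from datetime import date, timedelta

YEAR_START = date(2006, 1, 1)
YEAR_END = date(2006, 12, 31)

# Constructed sample windows: (exploit_public, patched, exploited_in_wild).
# These are invented dates, not any real flaw's timeline.
SAMPLE_WINDOWS = [
    (date(2006, 1, 10), date(2006, 2, 14), False),  # 36 days
    (date(2006, 2, 1), date(2006, 3, 15), True),    # 43 days, overlaps the first
    (date(2006, 6, 1), date(2006, 6, 1), False),    # fixed the same day: 1 day
    (date(2006, 9, 20), None, True),                # still unpatched at year end
]


def clamp(start, end):
    """Clip a window to the study year; None if nothing of it falls inside."""
    end = YEAR_END if end is None else end
    s, e = max(start, YEAR_START), min(end, YEAR_END)
    return (s, e) if s <= e else None


def merge(intervals):
    """Merge overlapping or adjacent closed date intervals."""
    merged = []
    for s, e in sorted(intervals):
        if merged and s <= merged[-1][1] + timedelta(days=1):
            merged[-1] = (merged[-1][0], max(merged[-1][1], e))
        else:
            merged.append((s, e))
    return merged


def days_covered(intervals):
    """Number of distinct calendar days covered by the intervals."""
    return sum((e - s).days + 1 for s, e in merge(intervals))


def days_at_risk(windows, wild_only=False):
    """Distinct days with at least one public, unpatched flaw.

    With wild_only=True only windows flagged as exploited in the wild count,
    which is the kind of figure behind a '98 days of active exploitation'.
    """
    clipped = [clamp(s, e) for s, e, wild in windows if wild or not wild_only]
    return days_covered([c for c in clipped if c is not None])


def naive_sum(windows):
    """The wrong way: adding up window lengths double-counts overlaps."""
    clipped = [clamp(s, e) for s, e, _ in windows]
    return sum((e - s).days + 1 for s, e in clipped if s is not None)


def cases_before_patch(windows):
    """How many flaws had exploit code public before (or without) a patch."""
    return sum(1 for s, e, _ in windows if clamp(s, e) is not None)


if __name__ == "__main__":
    print("days at risk:", days_at_risk(SAMPLE_WINDOWS))            # 169
    print("days with in-the-wild exploitation:",
          days_at_risk(SAMPLE_WINDOWS, wild_only=True))               # 146
    print("naive sum of windows:", naive_sum(SAMPLE_WINDOWS))          # 183
    print("cases of exploit before patch:",
          cases_before_patch(SAMPLE_WINDOWS))                          # 4
```

The gap between `naive_sum` and `days_at_risk` on the sample data (183 versus 169) is the overlap between the first two windows; on a year with ten overlapping IE cases, as Krebs describes, that difference is exactly why the day count and the case count are reported separately.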
For the sake of comparison, Krebs also questioned security experts about Firefox's vulnerabilities. What he found was that on only nine days last year was exploit code circulating on the Internet for a known hole in Firefox.
Taking a high-level view of Krebs' results, I'm not surprised in the least. As he points out, IE has roughly 80 percent market share and it runs on the most widely used operating system in the world. For a hacker, publishing some new exploit code for IE and making Windows users' lives miserable is a great way to gain some anonymous notoriety. Frankly, Internet Explorer is the ultimate target for Black Hats.
What do you take away from Krebs' report? Would you attribute the numbers to the popularity of the browsers? If Firefox were as popular as IE, do you think it would suffer a similar fate?