2005 Patch Times for Firefox and Internet Explorer

On Sunday, The Washington Post published an excerpt from a blog post I wrote a week ago about how long it takes Mozilla to issue updates for critical flaws in its various products, particularly the Firefox Web browser.

In the paper version of the story, I decided to focus more on comparing how long Microsoft and Mozilla took last year to release updates for critical flaws in their respective browsers. In that piece, I wrote that over the past year, Mozilla averaged about 21 days before it issued fixes for flaws in Firefox, compared with the 135 days it took for Microsoft to address problems in Internet Explorer.

Web Browser Vulnerabilities Calendar
Click the image for a look at the length of time Firefox and IE were vulnerable to known flaws in 2005.

For at least 38 days in 2005, IE was vulnerable to unpatched critical security flaws that were being exploited actively by viruses, worms and spyware. For at least 256 days last year, Internet Explorer contained unpatched vulnerabilities where the exploit method had been publicly disclosed but was not necessarily being used.

We put together a calendar graphic to illustrate the time frames last year in which each browser was vulnerable to known exploits and publicly disclosed security flaws. You can view it either by clicking on the image in this blog post or on this link.

I sort of borrowed the idea for this graph from the folks over at, who published a similar graphic last year comparing the 2004 patch times for Firefox and IE.

Their analysis found that "a fully patched Internet Explorer installation was known to be unsafe for 98 percent of 2004. And for 200 days (that is 54 percent of the time) in 2004 there was a worm or virus in the wild exploiting one of those unpatched vulnerabilities." For Firefox, there were 56 days in 2004 (15 percent of the year) where a publicly known remote-code execution in Mozilla had not yet been thwarted with a patch, and zero days in which malware was found exploiting one of the vulnerabilities.

By Brian Krebs  |  February 15, 2006; 11:15 AM ET


...and people ask me why I mandate FIREfox over IE or install all the protection that I do (blocking scripts and locking out certain websites); an ounce of PAIN is worth it for the relief in knowing that each underling's PC is safe from harm.

Posted by: DOUGman | February 15, 2006 5:38 PM

I've been using Firefox for a couple of months now ever since you pointed out the security issues you amplified in this article. While Firefox is not perfect, just knowing that it tries to be safer, and my Ad Aware program's lesser number of identified ads attests to that, is worth being in on the beginnings of a product that is potentially outstanding. Thanks.

Posted by: Eggoman | February 15, 2006 8:11 PM

At this late stage, I have to say that anyone voluntarily running IE (as opposed to having to run it at work) has to take responsibility for their own actions. And if their company insists on IE instead of something else (Firefox or Opera) then the company will have earnt whatever happens to them as well.

Posted by: David Gerard | February 16, 2006 7:48 AM

Thanks Brian,

I really appreciate your effort in compiling this information. I'm very happy to have it all in one place now.

Keep up the good work.

Posted by: wpreader | February 16, 2006 10:16 AM


Can you help us non-Firefox users see how to use FireFox in a managed enterprise? Everything I see says you have to uninstall the previous version, and install the new one? Does FireFox not issue patches, just new versions? (Similar to Sun JVM)?

Posted by: gman | February 17, 2006 10:42 AM

Gman, Firefox version 1.5 downloads and installs security updates automatically - it was a concern in older versions and it has been addressed.

Since you're in a managed enterprise, you can easily deploy Firefox once with your remote installation tool, and make it the users' default browser. Voila! No more long hours wasted removing malware.

Posted by: Daniel Descheneaux | February 18, 2006 8:35 AM

The comments to this entry are closed.