2005 Patch Times for Firefox and Internet Explorer
On Sunday, The Washington Post published an excerpt from a blog post I wrote a week ago about how long it takes Mozilla to issue updates for critical flaws in its various products, particularly the Firefox Web browser.
In the paper version of the story, I decided to focus in more on comparing how long Microsoft and Mozilla took last year to release updates for critical flaws in their respective browsers. In that piece, I wrote that over the past year, Mozilla averaged about 21 days before it issued fixes for flaws in Firefox, compared with the 135 days it took for Microsoft to address problems in Internet Explorer.
For at least 38 days in 2005, IE was vulnerable to unpatched critical security flaws that were being exploited actively by viruses, worms and spyware. For at least 256 days last year, Internet Explorer contained unpatched vulnerabilities where the exploit method had been publicly disclosed but was not necessarily being used.
We put together a calendar graphic to illustrate the time frames last year in which each browser was vulnerable to known exploits and publicly disclosed security flaws. You can view it either by clicking on the image in this blog post or on this link.
Their analysis found that that "a fully patched Internet Explorer installation was known to be unsafe for 98 percent of 2004. And for 200 days (that is 54 percent of the time) in 2004 there was a worm or virus in the wild exploiting one of those unpatched vulnerabilities." For Firefox, there were 56 days in 2004 (15 percent of the year) where a publicly known remote-code execution in Mozilla had not yet been thwarted with a patch, and zero days in which malware was found exploiting one of the vulnerabilities.
Posted by: DOUGman | February 15, 2006 5:38 PM | Report abuse
Posted by: Eggoman | February 15, 2006 8:11 PM | Report abuse
Posted by: David Gerard | February 16, 2006 7:48 AM | Report abuse
Posted by: wpreader | February 16, 2006 10:16 AM | Report abuse
Posted by: gman | February 17, 2006 10:42 AM | Report abuse
Posted by: Daniel Descheneaux | February 18, 2006 8:35 AM | Report abuse
Posted by: Watkin | March 2, 2006 7:41 PM | Report abuse
The comments to this entry are closed.