Critical Microsoft & Mozilla Patches for 2006
A couple of weeks ago, Security Fix published some data showing how risky it was for the average Windows user to browse the Web with Microsoft's Internet Explorer in 2006.
That analysis found that for 284 days in 2006, bad guys were either exploiting critical, unpatched security holes in IE or blueprints for said instructions were published online for any criminals to use. In contrast, the data showed that there just nine days in 2006 in which exploit code was available for similarly serious, unpatched security holes in Mozilla's Firefox browser.
A great number of people who commented on that story and sent e-mail about it have been asking to see the raw data that I used to compile that information. So, here it is:
When reviewing this data, it's important to keep in mind that I only looked at the patches that were labeled "critical" by Microsoft or Mozilla themselves. Also, I don't think it's particularly useful to compare all of Microsoft's critical vulnerabilities to every critical Mozilla patch and draw conclusions about browser safety, which is why my earlier analysis only compared the patch and vulnerability times for Internet Explorer and Firefox flaws for which there was exploit code available before a patch was shipped to fix the problem.
Overall, I found that it took an average of about 113 days for Microsoft to issue critical updates in 2006. If you just look at all critical IE flaws that Microsoft patched in 2006 (not just the bolded ones, which indicate either the availability of pre-patch exploit code or evidence of active, pre-patch exploitation), Microsoft took about 90 days to push out an update. However, when it came to the most serious IE flaws (the ones in bold), Microsoft shipped a fix in about 40 days.
This post wasn't meant to stir up the virtual hornet's nest that is the eternal IE vs. Firefox security and usability debate. I merely wanted to publish the data sets (which took a great deal of time to compile) because they could be useful for other researchers (plus, I already promised I'd publish them).
I roll with Firefox for most of my browsing needs, but still rely on IE7 for a handful of trusted sites. Surf with whatever browser makes you happy. But please, if you're still using IE6 and haven't upgraded to IE7 yet, stop fiddling around. If you're using an older version of Windows (IE7 doesn't work on anything older than XP), I would run -- not walk -- away from IE in favor of just about any other browser.
One final note: I have tried very hard to be as accurate as possible with these tables. But if you find a discrepancy or something that doesn't seem to add up, please leave a comment below or drop me a line. If I can verify an error or discrepancy in the data, I will fix it and note that I have done so.
Posted by: No Tellin | January 19, 2007 4:10 PM | Report abuse
Posted by: No Tellin | January 19, 2007 4:38 PM | Report abuse
Posted by: Michael | January 22, 2007 12:33 PM | Report abuse
Posted by: No Tellin | January 22, 2007 1:17 PM | Report abuse
Posted by: K.P. | January 23, 2007 10:50 AM | Report abuse
Posted by: DT | January 23, 2007 11:09 AM | Report abuse
Posted by: Bk | January 23, 2007 11:57 AM | Report abuse
Posted by: Melissa | February 1, 2007 5:30 AM | Report abuse
The comments to this entry are closed.