Internet Explorer Unsafe for 284 Days in 2006

Security Fix spent the past several weeks compiling statistics on how long it took some of the major software vendors to issue patches for security flaws in their products. Since Windows is the most-used operating system in the world, it makes sense to lead off with data on Microsoft's security updates in 2006.

[Chart: data on 2006 IE patches.]

First, a note on the methodology behind this blog post: The data presented here builds on a project I began in late 2005 looking back on three years of efforts by Microsoft to address only the most severe security holes in its software. I conducted that same research again last month, individually contacting nearly all of the security researchers who submitted reports of critical flaws in Microsoft products to learn from them not only the dates that they had submitted their findings to the company, but also any other security trends or anomalies they observed in working with the world's largest software maker.

Several weeks prior to posting this information, I shared the data I had gathered with Microsoft. The officials I dealt with helpfully concurred or quibbled slightly with some of my findings, but the company raised no objections that would materially affect the results presented in this particular study of IE flaws. In fact, if you examine the links included in the vulnerability chart that accompanies this post, you can see for yourself how the data is supported by information posted on the Web over the past year.

Patching Internet Explorer in 2006

For all its touted security improvements, the release of Microsoft's new Internet Explorer 7 browser in November came too late in the year to improve the lot of IE users, who make up roughly 80 percent of the world's online community. For a total of 284 days in 2006 (or more than nine months out of the year), exploit code for known, unpatched critical flaws in pre-IE7 versions of the browser was publicly available on the Internet. Likewise, there were at least 98 days last year in which no software fixes from Microsoft were available for IE flaws that criminals were actively using to steal personal and financial data from users.

In a total of ten cases last year, instructions detailing how to leverage "critical" vulnerabilities in IE were published online before Microsoft had a patch to fix them.

Microsoft labels software vulnerabilities "critical" -- its most severe rating -- if the flaws could be exploited to criminal advantage without any action on the part of the user, or by merely convincing an IE user to click on a link, visit a malicious Web site, or open a specially crafted e-mail or e-mail attachment.

[The chart posted here shows the overlap of threats from various IE flaws throughout the year.]

In contrast, Internet Explorer's closest competitor in terms of market share -- Mozilla's Firefox browser -- experienced a single period lasting just nine days last year in which exploit code for a serious security hole was posted online before Mozilla shipped a patch to remedy the problem.

Criminals specializing in Internet fraud continued to ply much of their trade with the aid of security flaws in the Microsoft browser last year. In 2006, the company issued patches to fix a total of four "zero-day" flaws in IE. Zero-day (or 0day) attacks are so named because software vendors have no time to develop a fix for the flaws before they are exploited by cyber crooks for financial or personal gain.
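As an added example (not code from the Security Fix post), here is the days-at-risk arithmetic that figures like "284 days" and "98 days" rest on: each flaw contributes an exposure window from the day exploit code (or an active attack) appeared until the patch day, and windows that overlap are merged rather than summed so no calendar day is counted twice. The flaw names and dates in it are constructed sample data, not the post's chart.

```python
"""Days-at-risk arithmetic behind figures like "284 days" and "98 days".

Added example, not code from the original Security Fix post. The post's
counts are calendar days on which at least one critical IE flaw was
unpatched while exploit code (or an active attack) existed; flaws whose
exposure windows overlap must be merged, not summed, or the same day is
counted twice. Flaw names and dates below are CONSTRUCTED sample data,
not the post's chart.
"""
from dataclasses import dataclass
from datetime import date
from typing import Iterable, List, Optional, Tuple

Window = Tuple[date, date]  # half-open [start, end): end is the patch day


@dataclass(frozen=True)
class Flaw:
    name: str
    exploit_public: Optional[date]  # first day exploit code was public
    in_wild: Optional[date]         # first day of confirmed attacks, if any
    patched: Optional[date]         # vendor patch day; None = still unpatched


def window(start: Optional[date], patched: Optional[date], year: int) -> Optional[Window]:
    """Exposure window [start, patch) for one flaw, clipped to `year`.

    An unpatched flaw stays exposed through 31 December; a flaw patched
    before the year began, or whose exposure never started, adds nothing.
    """
    if start is None:
        return None
    lo, hi = date(year, 1, 1), date(year + 1, 1, 1)
    end = patched if patched is not None else hi
    s, e = max(start, lo), min(end, hi)
    return (s, e) if e > s else None


def merge_windows(windows: Iterable[Window]) -> List[Window]:
    """Merge overlapping or adjacent half-open windows (sorted by start)."""
    merged: List[Window] = []
    for start, end in sorted(windows):
        if merged and start <= merged[-1][1]:
            merged[-1] = (merged[-1][0], max(merged[-1][1], end))
        else:
            merged.append((start, end))
    return merged


def _windows(flaws: Iterable[Flaw], attr: str, year: int) -> List[Window]:
    out: List[Window] = []
    for f in flaws:
        w = window(getattr(f, attr), f.patched, year)
        if w is not None:
            out.append(w)
    return out


def days_at_risk(flaws: Iterable[Flaw], year: int, attr: str = "exploit_public") -> int:
    """Calendar days in `year` with at least one flaw exposed (union of windows)."""
    return sum((e - s).days for s, e in merge_windows(_windows(flaws, attr, year)))


def naive_sum(flaws: Iterable[Flaw], year: int, attr: str = "exploit_public") -> int:
    """Per-flaw days added up without merging: overcounts overlapping periods."""
    return sum((e - s).days for s, e in _windows(flaws, attr, year))


def zero_day_count(flaws: Iterable[Flaw]) -> int:
    """Flaws attacked in the wild before (or without) a vendor patch."""
    return sum(1 for f in flaws
               if f.in_wild is not None and (f.patched is None or f.in_wild < f.patched))


# CONSTRUCTED sample data: five hypothetical critical flaws in one year.
SAMPLE_FLAWS = [
    Flaw("A", date(2005, 12, 27), date(2005, 12, 28), date(2006, 1, 5)),   # carried over from December
    Flaw("B", date(2006, 3, 22),  date(2006, 3, 24),  date(2006, 4, 11)),
    Flaw("C", date(2006, 4, 1),   None,               date(2006, 4, 11)),  # lies entirely inside B's window
    Flaw("D", date(2006, 9, 14),  date(2006, 9, 26),  date(2006, 10, 10)),
    Flaw("E", date(2006, 12, 20), None,               None),               # unpatched at year end
]


if __name__ == "__main__":
    for attr, label in (("exploit_public", "exploit code public"), ("in_wild", "attacked in the wild")):
        print(f"{label}: {days_at_risk(SAMPLE_FLAWS, 2006, attr)} days "
              f"(naive per-flaw sum {naive_sum(SAMPLE_FLAWS, 2006, attr)})")
    print(f"zero-day flaws: {zero_day_count(SAMPLE_FLAWS)}")
```

On the sample data the merged count is 62 days of public exploit code against a naive per-flaw sum of 72, which is exactly the kind of double counting a chart of overlapping unpatched periods has to avoid.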

The first major flaw in a Windows program last year was one that could be easily exploited via Internet Explorer. In late December 2005, experts tracked organized criminals hacking into sites and seeding them with code that installed password-stealing spyware on the machines of anyone who merely visited the sites with IE. Microsoft initially downplayed the severity of the attacks, until it became clear that the threat was fairly widespread and that thousands of customers had already been attacked in the span of a few days. The threat was seen as so severe that a large number of security experts urged users to download and install a patch produced by a third party until Microsoft developed an official fix.

In September, attackers would exploit an unpatched flaw in non-Microsoft Web server software to install malicious code on thousands of legitimate Web sites that could infect Windows machines when users merely browsed the sites with IE. Much like the IE flaw first detected in December 2005, this sophisticated attack by organized criminals also would prompt a series of third-party security patches in the days before Microsoft issued an official update.

Check back with Security Fix on Friday for a look at the number of vulnerabilities that Microsoft patched in its Office applications last year.

By Brian Krebs | January 4, 2007; 6:45 AM ET
Categories: Fraud, From the Bunker, Latest Warnings, New Patches, Piracy, Safety Tips

Comments

I receive your column on my work computer, because I am responsible for certain aspects of the computer environment at our satellite office here in Reno, Nevada. Without violating copyright laws (I work for the Nevada State Attorney General's Office), how may I get a copy of your article to our Information Technology Department? It may be relevant to certain issues here in Nevada. I'd appreciate your assistance. Your article is quite timely! Thank you!

PS. Are you able to get my e-mail address from the Washington Post to return an answer? I hope so. I already subscribe, so they should have it, but, because of my job, I don't want everyone to have it.

Posted by: Patricia Peterman | January 4, 2007 11:23 AM

Great report! Why do they use IE? Are they nuts?

Posted by: Sune | January 4, 2007 11:23 AM

Patricia -- Thanks. My e-mail address is linked at the bottom of the "About this Blog" page, here:

http://blog.washingtonpost.com/securityfix/2005/03/about_this_blog.html

It's brian-dot-krebs-at-washingtonpost-dot-com

Posted by: Bk | January 4, 2007 11:34 AM

The bugs in IE6 will soon pale in comparison to those that the bad guys will find and exploit in Vista. 50 million lines of new code is a generous gift from Bill to the hackers. Be afraid. Be very afraid.

Posted by: NotAVistaGuy | January 4, 2007 11:59 AM

Shows why the need exists for people to switch to either Opera [my browser] or Firefox.

Posted by: fcsanders | January 4, 2007 12:14 PM

Why should we trust Brian Krebs' report as unbiased?

Posted by: MSFanBoy | January 4, 2007 12:25 PM

@Brian

Your graph has one mistake. The setSlice() bug is most definitely in the wild, and was out well before it was even reported. If I remember correctly it was reported via an in the wild sighting.

If that's not enough, I've got a couple of in the wild samples for ya, still being used as of last week.

Thanks!

Posted by: David | January 4, 2007 12:55 PM

Looks like the September attack was predicted at the Redmond Magazine site:
http://redmondmagazine.com/features/article.asp?EditorialsID=554

Posted by: Nostrodomos | January 4, 2007 1:05 PM

Hi David,

Thanks for the pointer. Can you be more specific about what's incorrect? The graph says setslice was reported as being exploited in the wild as of Sept. 26.

Posted by: Bk | January 4, 2007 1:19 PM

@MSFanBoy

You should look at the same data he did and arrive at your own conclusions as to his bias. Seems to me he simply presented facts, but who am I to say...

Posted by: Nobody's Fan | January 4, 2007 1:23 PM

After Microsoft waited so long to issue IE 7, it still had one bug that affects me, and I am sure others. I have an HP Officejet with the usual software, and I use the scanner feature frequently. In December the scanner died. HP support immediately guessed that I had installed IE 7, and said there is something there that affects HP software. At HP's suggestion, I went back to IE 6 (I only use it for one application, and not for browsing) and the problem disappeared. So much for Microsoft compatibility.

Posted by: dfnsatty | January 4, 2007 1:27 PM

Another in a long line of painfully obvious reasons to use FireFox....

Mike
http://quicktrivia.com

Posted by: Mike | January 4, 2007 1:59 PM

I found the setSlice() bug back in June, the MoBB project posted details of the flaw in July, and I heard reports of it being used in the wild as far back as January of 2006. The eEye "Zero-Day Tracker" was updated to reflect this information.

Posted by: HD | January 4, 2007 2:04 PM

The work you have done at tracking the bugs is wonderful, but the presentation in the attached table is disturbingly bad.

Being unsafe for 284 days is bad, but unless you read the patch dates the table shows IE as being unsafe 365 days of the year.

(while that is probably true, that isn't what your data show).

It looks like from April 11th to May 31st there were no unpatched flaws, but the table has all of April and all of May blocked out as an unsafe period.

Maybe the problem is that I'm looking at it in Firefox, but as it sits the table is extremely misleading.

Posted by: Rich Gibson | January 4, 2007 2:15 PM

MSFanBoy: It doesn't matter if he is unbiased. He's stating facts, not opinions. And he discloses his methodology, so you can review it, should you choose.

Posted by: Chad | January 4, 2007 2:32 PM

Not to argue with the stats - but I think the article fails to address how MS's 2 month patch cycle affects the numbers.

The obvious way to reduce days at risk is to issue individual patches early, rather than in a bi-monthly package. But that bi-monthly cycle was adopted to a large degree as a result of complaints from sysadmins that wanted less frequent, predictable patch dates.

Posted by: john | January 4, 2007 4:00 PM

John -- I can't argue with you one bit, except on your "two month patch cycle" point. Actually, it looks like the average vulnerability takes about twice that long for Microsoft to fix (and of course Redmond issues fixes more or less on a once-a-month basis). This is something I plan to tackle in depth in an upcoming piece. Stay tuned, and thanks for your comment.

Posted by: Bk | January 4, 2007 4:09 PM

Biz Decision...

Mozilla or IE. It's a business decision. Truth is that they both have their fair share of vulnerabilities. Firefox's dev team seems to do a much better job issuing fixes for their bugs. IE has a built-in update mechanism. So do you want to work for your security? or do you want to easily not have to apply patches which don't yet exist?

I guess I'm in the first camp. I'd like to see an auto-update feature which could be used to pull the latest approved version of Firefox off a local or Internet web/ftp location. If the location is stored in a text file or a registry entry, that could be managed via GPOs, and a change in the approved version could be scheduled and executed at the will of the administrators for hundreds or thousands of workstations to update themselves with limited effort.

Posted by: Matthew Carpenter | January 4, 2007 4:28 PM

About autoupdates in Firefox - Firefox updates itself starting from version 1.5 AFAIK.

About security flaws - Firefox also has a lot of flaws (I say so even though I prefer it over IE), and probably any browser on Windows will. It's because Windows came out of the single-user MS-DOS world and still has to maintain backwards compatibility with most of it; that's why OS components are easily accessible from a broken application, i.e. most of OS security depends on the application you write for it, which is completely wrong. But when people open their wallets they rely more on advertising and marketing; that's why Windows has won everywhere.

If you use a product driven 100% by marketing, don't expect good engineering design from it.

People waste a lot of time securing every single application written for Windows, but it actually should be fixed in one place - in the OS itself, which is supposed to maintain security for the application, not vice versa. However, it's a big industry, a big cash flow for support and upgrades; if everything works perfectly that cash flow will disappear, so it probably will never get better unless the business model changes.

Posted by: alj | January 4, 2007 5:11 PM

Another interesting study would be to determine how many days Microsoft recommended deactivating ActiveX during the year due to problems with Explorer, Outlook, Office and the base system.

Posted by: John G. | January 4, 2007 5:15 PM

What does IE7's record look like so far? Even if the uptake of IE7 is low and it isn't yet available in all languages, it seems unfair to focus entirely on IE6's record. Most readers of this blog are going to choose between IE7 and other browsers, not between IE6 and other browsers.

It would also be nice to know IE7's record so far in order to predict whether 2007 will be a better year for the majority of IE users.

Posted by: Jesse Ruderman | January 4, 2007 5:27 PM

I would assert that IE6, IE7, Mozilla, and Firefox had security flaws for 365 days last year. First, IE6 is used by 90% of the people, so hackers focus their attention there, and not on the 10% or less that use Mac, Mozilla, or Firefox. If Mozilla had 90% of the usage, and the hackers focused their time on it, we would find that there are exploitable bugs. Same with Firefox, and even Mac. Because of this, as long as Mac, Mozilla, or Firefox are low in usage they will be safer than IE because IE is where the volume and money is at.

Posted by: Iamnivek | January 4, 2007 6:08 PM

It won't get any better.

IE7 has already been quite thoroughly dissected by spammers, phishers, malware authors and others who eagerly await its wide-scale deployment. Think of the climactic scene in "Force 10 from Navarone" where the first few tiny rivulets of water begin to trickle from the face of the dam. Remember what comes next.

Anyone still using IE at this point is down on their knees begging to be hacked, phished, hijacked and spammed. Given that there are all kinds of alternative browsers available for free, there's no excuse for sticking with it (including "it's our corporate policy". Find the imbecile responsible for that and fire them.)

Posted by: Rich K | January 4, 2007 6:26 PM

Funny article since Firefox has had an unpatched vulnerability since 2004:

http://secunia.com/advisories/12403/

Actually IE has had fewer vulnerabilities than Firefox in 2006:

http://poptech.blogspot.com/2006/09/internet-explorer-6x-more-secure-than.html

Get the rest of the facts on other Firefox Myths here:

http://www.FirefoxMyths.com

Posted by: Andrew | January 4, 2007 6:57 PM

Funny all these so called security experts recommend a browser with 216 vulnerabilities:

http://www.cve.mitre.org/cgi-bin/cvekey.cgi?keyword=firefox

Yet they failed to mention the most secure graphical web browser for Windows = Opera:

http://secunia.com/product/10615/

If you want to inform people, please do so honestly. The question remains: why is Opera not mentioned in this report? Because it puts the overhyped Firefox to shame. If you claim to be using a certain browser for security and are using Firefox over Opera, you are either misinformed or a hypocrite.

Posted by: Andrew | January 4, 2007 7:03 PM

The monthly patch cycle demanded by admins is an interesting topic that you should discuss in your article. By sticking to the monthly patch cycle, Microsoft is effectively trading off the security of home users for the convenience of large corporate customers.

(Firefox also has a 6-8 week update cycle, but we'll always issue an out-of-cycle update if a zero-day exploit shows up.)

Posted by: Robert O'Callahan | January 4, 2007 7:16 PM

Microsoft has released out of cycle patches when it is necessary but not simply because of a bunch of media hype.

Posted by: Andrew | January 4, 2007 7:28 PM

Jesse,

Nice to see you here again. Why do you think it's unfair to focus on IE 6? After all, this study was done based on critical patches that Microsoft issued in 2006. As far as I'm aware, they didn't issue any of those for IE7. Further, IE7 wasn't officially pushed out to users until November of last year.

Posted by: Bk | January 4, 2007 7:46 PM

It is fair to focus on IE6 and its many security flaws. But I agree that the article puts forth Firefox as the only alternative to getting hacked.

First, there are other, more secure browsers, like Opera. Second, following a small list of rules of what not to do would prevent all but a handful of dunces from running afoul of these hackers.

I have used IE6 (and now IE7) exclusively since inception. I have not been hacked once. I have not gotten a single spyware infection. Nada. How did I pull off this miracle? Simple. I don't go to obviously dodgy sites. I don't surf porn. I don't mindlessly open email attachments. (I don't use any antivirus software, either--it's worthless.)

Microsoft is hopefully improving its track record. Vista is introducing a great feature: IE locked down with fewer privileges than even a restricted user account would be.

It really only takes about 15 minutes worth of education to teach someone how to avoid security vulnerabilities on ANY browser. Less time, I would suggest, than it takes to learn to use Firefox.

Firefox, by the way, still suffers from HUGE memory leaks and is slower and less stable than IE. Just throwing that out there for the Firefox fanboys.

Posted by: Brian | January 4, 2007 8:06 PM

Let's keep something in mind. The raw number of vulnerabilities is interesting, but the nuances are important.

Are the vulnerabilities (a) remotely exploitable? (b) easily exploitable? (c) exploitable without user assistance ["social engineering"]? (d) exploitable without being easily noticed? (e) exploitable in a way that leads to data compromise? (f) exploitable in a way that leads to system compromise? (g) etc.

All web browsers have bugs, of course, and some of them have a lot of bugs. But the risk posed by hypothetical browser A with 200 bugs which don't have the properties I just enumerated is much less than the risk posed by a hypothetical browser B with 5 bugs, *all* of which have property (f). Which is why (hopefully) the people who deal with triaging those problems prioritize them appropriately.

Curious, by the way, that the domain firefoxmyths.com uses the spammer tactic of anonymized domain registration. I wonder which Microsoft shill is behind it?

Posted by: Rich K | January 4, 2007 8:15 PM

Firefox has a vulnerability that fits every category you mentioned. Rich, why are you hung up on Firefox? Why do you not mention Opera, whose security record makes FF look like the wild west? I am so sick of these excuses by Firefox fanboys as they ignore the vulnerability count that Firefox has racked up. So much so that it boasts MORE vulnerabilities in 2006 than IE. All the while completely ignoring Opera, which puts Firefox to shame.

Posted by: Andrew | January 4, 2007 8:23 PM

No matter how you add the numbers, those of us in the "anti-malware industry" know which browser gets successfully hit the most often.
It isn't FF or Opera.
When you're through playing games... dump IE.

Posted by: R. Morris | January 4, 2007 8:25 PM

Yes, that's right, Rich, we're all a bunch of shills. When you can't argue the point, argue the person, right?

Ask yourself why using a specific browser makes you feel better about yourself.

Posted by: Brian | January 4, 2007 8:28 PM

Of course IE is going to have the most known vulnerabilities since 85% or so of computer users have IE. That's what the hackers will try to exploit.

Give Firefox 85% marketshare and that will become the browser that's going to be targeted.

Notice that there are no known vulnerabilities for the web-browser for the BeOS. Is it because it's the most secure browser ever or because nobody wastes their time on something with 0.000000002% marketshare?

Posted by: JAFO | January 4, 2007 8:32 PM

Anyone in the malware industry should know that those getting "hit" are manually infecting themselves while they try to "hit the monkey". Anyone in the malware or security industry should know better than to fuel the online propaganda of malware just auto-installing on fully patched versions of IE. The reality is, ever since XP SP2, phishing-based attacks and convincing the user to click on "yes" to install are what is infecting those who get infected. Why should I dump IE when I don't have any security issues?

Posted by: Andrew | January 4, 2007 8:34 PM

Andrew -- Maybe you were asleep for the first couple of weeks of the year, when an ungodly number of Windows users were hosed by the WMF flaw? Or during the setslice episode in Sept-Oct. The whole point of this analysis is that even people who were keeping up with service packs and monthly patches from microsoft were getting pwned this year by scammers. Yes, IE can be safe for people who know what they're doing, but for the vast majority of Windows users, it's been little more than a curse.

Posted by: WhoisAndrew | January 4, 2007 9:00 PM

An ungodly number? Please, let's not overhype that. I deal with thousands of clients and not one was infected from that vulnerability. Either way, Microsoft went out of cycle with that patch and you had a third-party patch also available.

It is absolutely IMPOSSIBLE to determine if fully patched machines were being infected from manual installs or overhyped "auto-installs". When you deal with the public and customers on a regular basis you then realize they are the ones infecting themselves not some unpatched vulnerability in IE.

Posted by: Andrew | January 4, 2007 9:16 PM

Andrew - you're missing the point here, I believe. The study was based on the vulnerabilities of IE 6. It was NOT saying "you should use Firefox because it has less vulnerabilities". It was merely comparing IE6 to the next most popular browser.

Opera may SEEM more stable and secure - but so did Mozilla when it first came out. No matter what browser people are using, the most popular browser will be hammered by hackers. If Opera ever became as popular as Firefox/IE, then you'd more than likely see the same problem with vulnerabilities.

Posted by: Talin | January 4, 2007 9:19 PM

AHAHA! Do the math: how many vulnerabilities would exist for Firefox if it had IE's market share? 1000+ !!!!! HAHAHA! What a stupid argument. The fact is Opera doesn't "seem" more secure, it is! Let's not forget Firefox extension vulnerabilities:

http://secunia.com/advisories/16128/
http://secunia.com/product/11907/?task=advisories
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2006-2538

Opera is not mentioned because its security record would make all the Firefox fanboys cry at once.

Posted by: Andrew | January 4, 2007 9:25 PM

Andrew - you're still missing the point. The stats were comparing the two most common browsers.

It's not a debate about which browser out of all of them is more secure.

I don't see how I can put this in a simpler way for you to understand...

And saying that Opera is more secure is stupid. Until it's gone through the same amount of attention the other two have had from hackers, there's no way to tell.

Posted by: Talin | January 4, 2007 10:38 PM

What stats? Making assumptions on what was exploited? If one person somewhere exploited a vulnerability before it was disclosed, it was exploited. There is no way to accurately measure this. It is absolutely impossible to guess how vulnerable you were based on public disclosure dates and assumptions of exploitation. All you can measure is the number of vulnerabilities. This information and the "chart" are absolutely meaningless. The Firefox mention is for no other purpose than to try and make IE look worse.

I can damn well say Opera is more secure based on the only security data we can measure = vulnerabilities. You have absolutely no way to prove how much "attention" any browser received from "hackers". It is an irrefutable FACT that Opera is the most secure graphical web browser for Windows.

Posted by: Andrew | January 4, 2007 10:48 PM

Actually, I'm NOT hung up on Firefox: given how poor IE is, *any* browser out there is a better choice, whether Firefox, Opera, Camino, Amaya, Dillo, Safari, or whatever.

Second, arguments based on market share can be dismissed: market share is not an intrinsic indicator of software quality. To put it another way, The Bad Guys don't go after IE because it's popular; they go after it because it's one of the weakest (therefore best) points to attack.

Third, given Microsoft's long (and ongoing) history of using shills to do its dirty work, it wouldn't surprise me in the least to find that they're doing it again. Or maybe they're not. I don't really care, I'm just making the observation.

Fourth, you might want to consider taking the time (and it does take considerable time) to get yourself inside some of the discussion groups used by spammers and the like. They have a far better grasp of the impact of vulnerabilities than most, because the better their handle on it, the more money they can make. They've long since figured out that popularity means nothing; exploitability means everything. As a result, they don't pay the slightest attention to market share of anything -- browsers, mail clients, operating systems, web servers, it doesn't matter. They're interested in identifying the path to maximum profits via minimum effort, and if that path leads through software that's minimally or maximally deployed: they don't care.

Finally, sit back for a moment and consider this. Given that a web browser is one of the most-used pieces of application software, don't you think that the richest, most powerful software company, staffed by some of the smartest people they can find (and who are willing to work there), should be able to do better than THIS?

That's a rhetorical question, by the way, as I think the real answer has already been provided by the mountain of evidence and experience that says they can't. I predict IE7 will simply continue the long tradition of massive security holes and miserable failure that we've come to expect.

Posted by: Rich K | January 4, 2007 11:23 PM

And the point flies by again...

I made no comment on the validity of the stats. Whether they're correct or not is a totally separate debate.

My point was that Opera is not mentioned as it is not one of the TWO MOST POPULAR BROWSERS. Netscape was not mentioned either. Nor MSN Explorer. Nor browsers on other OS's like MAC or Linux.
Yes, you love Opera. We know. It's beside the point whether it's more secure or not. It has no relevance to a comparison of the two most popular browsers.

As for Opera's vulnerabilities, there's no such thing as an "irrefutable FACT".

There is no such thing as a "Fact". A "Fact" is something "known to be true" (or what the majority of people believe to be true). "Truth" is based on "Perception". "Perception" changes depending on the individual.

Since "Fact" is essentially based on "Perception", and "Perception" changes from person to person, "Facts" change from person to person.

i.e.: if you BELIEVE it to be true, it doesn't make it true for others.

It simply means that your mind isn't open enough to accept that your perception is limited.

Posted by: Talin | January 4, 2007 11:23 PM

My post above was directed at Andrew btw.

I agree with Rich K.
From Microsoft's perspective: why spend money/time/resources on something that does not in turn make profit for the company?

Posted by: Talin | January 4, 2007 11:26 PM

Very useful report. Thanks.

Posted by: Jamal | January 4, 2007 11:35 PM

Anyone designing a browser that was concerned about customer security more than monopolizing customer share would not have integrated the browser into the OS in the first place.
IE7 and all its children pass file extensions along and say RUN it.
Pay no attention to the .gif running as an executable, it's a feature!

Posted by: R. Morris | January 4, 2007 11:54 PM

@Andrew: Way to go spreading FUD about something.

Sure, Opera *9.x* only had two advisories in 2006 because it was only released in June 2006:
http://secunia.com/product/10615/?task=advisories

Firefox *2.0.x* likewise only had two advisories in 2006:
http://secunia.com/product/12434/?task=advisories

Apples for apples, my friend.

Posted by: Spazimoto | January 5, 2007 12:19 AM

Andrew, you just don't seem to get it. For one, all three of those extension vulnerabilities you posted were fixed. Secondly, even if Firefox does have more known bugs than IE, the most severe unpatched flaw in Firefox is rated Less Critical by Secunia. Compare that with IE, whose most severe unpatched flaw is rated moderately critical. A while ago IE's most serious unpatched flaw was given the highest "Extremely Critical" rating.

Even if a browser had 200 flaws that weren't to do with stealing information, it is still safer than a browser with 5 flaws that allow total system control.

I don't really care that you cut your wrists over your browser religion but if you really want to make a debate then at least stop it with the twisting.

Posted by: Michael | January 5, 2007 12:38 AM

1. Admins want a predictable patch update every two weeks. This is why m$ is doing so.
2. Opera is more secure and faster (not in every respect, but most) than FF and IE.
3. IE does not render CSS as standardly as FF/Opera, but it comes with tons of non-standard functions that help MOST developers finish their work quicker. That is why a lot of enterprise intranets or websites still support IE as a priority.

choose FF and ignore ALL these facts.

Otherwise, choose Opera or IE7+Maxthon

Posted by: bigBADguy | January 5, 2007 12:40 AM

Vulnerability lists from Mitre.org:

Internet Explorer, 474:
http://www.cve.mitre.org/cgi-bin/cvekey.cgi?keyword=IE

Firefox, 216:
http://www.cve.mitre.org/cgi-bin/cvekey.cgi?keyword=firefox

Opera, 58:
http://www.cve.mitre.org/cgi-bin/cvekey.cgi?keyword=opera

The latest versions of all are free.

Posted by: Futurepower® | January 5, 2007 1:04 AM

I'm posting a comment I received via e-mail from a Security Fix reader in the United Kingdom:

The article proves the point - open-source gets results, the Mozilla Foundation is open about their activities and anyone who reads over Bugzilla will know that the bugs are logged and seen to where necessity permits. This is the point of open-source software, if you want to change something about it, go ahead and do it. If you find a bug, report it on Bugzilla or if you feel adventurous, have a go at fixing it yourself.

I left IE for Firefox in 2004 and haven't looked back since, it's been more stable than IE and hasn't hung my system out to dry à la IE.

A vocal minority has made their views known about the Opera browser (which if I remember correctly was charged individually at $20) yet have failed to answer the obvious question - do you leave one proprietary software maker for another and go on blind faith that nothing untoward is going to happen to your PC/Mac or go with something that lets you know what the bugs are and have full access to the source code? Yes, Firefox does suffer from memory leaks, unlike the scale of its distant cousin Flock (so I'm told), but they will be sorted out.

Posted by: Bk | January 5, 2007 1:21 AM | Report abuse

RE: Posted by: Andrew | January 4, 2007 06:57 PM
Firefox hasn't had a vulnerability since 2004
{it is a non-critical bug in an ancient version of Firefox}

Posted by: Alan Doherty | January 5, 2007 1:23 AM | Report abuse

Interesting methodology, thank you!

I can't imagine why anyone would use IE -or- FF, Opera is simply outstanding in terms of speed, usability and security - it may take a bit of getting used to, but it is superior in every way.

It seems IE is the choice of the ignorant masses, unknowing of the fact that it is inferior, or unable to understand why. In some way, IE is like cigarette smoking - dangerous, unhealthy, irresponsible. But it is the thing to do, if not for any logical reason then just by sheer momentum: "everyone does it". Consequences take time to fester. Good luck, IE users of the world. And have fun poaching the lemmings, phishers and hijackers of the world.

Posted by: Hilarious | January 5, 2007 4:43 AM | Report abuse

To be fair, it would be interesting to have these metrics:
- How much time between Microsoft being notified about a security issue and the said issue officially (or not) published.
- Same for Firefox.

Seeing how some security issues have been sitting in bugzilla for *years* (with restricted access), and seeing how people may be more inclined to release security issues for Microsoft products in the wild, even before Microsoft itself gets notified, that would make these results much less interesting.

Firefox has this advantage that most of the security issues that each new version fixes are published the day the version fixing the issues is released.

If Firefox security bugs were getting published as Microsoft security bugs were, I doubt the gap would be so large...

Posted by: glandium | January 5, 2007 4:52 AM | Report abuse

Great report! The result is quite 'expected'. I have not dared to use IE for a long time now.
My family members often use my computer online. To discourage them from using IE, I have deleted all desktop and menu shortcuts to invoke IE. It's simply much safer to use Firefox.
Opera is safe and fast too. But the add-ons feature of Firefox provides greater power.

Posted by: Vee | January 5, 2007 5:04 AM | Report abuse

Just an observation. Even when patches are released, that doesn't mean that all the machines out there are automatically updated. So vulnerabilities exist long after the patch has been released.

The solution (or so it seems to me) is to write better code so that these issues don't arise in the first place.

Posted by: Bruce Harrison | January 5, 2007 5:28 AM | Report abuse

FirefoxMyths.com would be funny if it wasn't so sad how misleading it is. It's incredibly biased, and uses utterly worthless statistics to 'prove' points.

If Firefox has more 'security' bugs, but they are either hard to use or don't allow you to do much (many just crash the browser, or are only hypothetical or potential holes that they fix), but IE has just one bug whereby just visiting a site in IE lets people instantly hack your computer, which browser is more secure? Firefox has had almost no vulnerabilities of this severity, and IE has had MANY just last year. Heck they had three in a row where they hadn't even patched the previous one before the next one was out.

To truly get a picture of which browser is more secure, you need to take into account:

1) Start with the number of vulnerabilities (including old ones that are not fixed, so IE is probably worse here already)

2) Weight each of those on how severe they were (IE's security relative to Firefox becomes much worse here)

3) Weight each one of those depending on how long they were publicly known for (a real Mozilla strong point here, IE loses even more). For bonus points, weight differently based on time for it being manually available and being put on auto-update.

4) That gives you the theoretical level of vulnerability if none were exploited. To then get the practical level of vulnerability, you need to weight each of these by how many days they were being actively exploited.

By this much more accurate statistical measure, Firefox would definitely come out significantly better than IE (as in relatively over 100 times more not 'a little bit better').

You can 'prove' almost anything with statistics, the key is to have statistics that actually mean something.

Posted by: Ian | January 5, 2007 5:37 AM | Report abuse
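As an added example that is not part of Ian's comment or of the original post, the four-step scoring Ian outlines can be made concrete: each vulnerability record carries a severity tier, the day its details became public, its patch date and, if seen, the first day of in-the-wild exploitation; the code counts the distinct days on which at least one public unpatched flaw existed (the kind of day count behind the post's 284-day figure), the days on which an actively exploited unpatched flaw existed, and a severity-and-exploitation weighted score. The severity weights, the exploitation multiplier and the vulnerability records are constructed assumptions, not data from the page.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple

# Assumed severity weights for illustration (Secunia-style tiers); not from the page.
SEVERITY_WEIGHT = {"less_critical": 1, "moderate": 2, "high": 4, "extreme": 8}


@dataclass
class Vuln:
    name: str
    severity: str
    public: date                            # day details/exploit code became public
    patched: Optional[date]                 # None = still unpatched at year end
    exploited_from: Optional[date] = None   # first in-the-wild exploitation seen


def _clamp(start: date, end: Optional[date], ys: date, ye: date) -> Optional[Tuple[date, date]]:
    """Clip the half-open window [start, end) to the year [ys, ye); None if empty."""
    lo, hi = max(start, ys), min(end or ye, ye)
    return (lo, hi) if lo < hi else None


def union_days(intervals: List[Tuple[date, date]]) -> int:
    """Count distinct days covered by half-open [lo, hi) intervals (overlaps counted once)."""
    days = 0
    cur_lo = cur_hi = None
    for lo, hi in sorted(intervals):
        if cur_hi is None or lo > cur_hi:      # gap: flush the merged run so far
            if cur_hi is not None:
                days += (cur_hi - cur_lo).days
            cur_lo, cur_hi = lo, hi
        else:                                  # overlap or adjacency: extend the run
            cur_hi = max(cur_hi, hi)
    if cur_hi is not None:
        days += (cur_hi - cur_lo).days
    return days


def exposure(vulns: List[Vuln], year: int, exploit_multiplier: int = 3) -> Tuple[int, int, int]:
    """Return (days with any public unpatched flaw, days with any actively
    exploited unpatched flaw, severity- and exploitation-weighted score)."""
    ys, ye = date(year, 1, 1), date(year + 1, 1, 1)
    public_iv, wild_iv, score = [], [], 0
    for v in vulns:
        w = SEVERITY_WEIGHT[v.severity]               # step 2: severity weight
        iv = _clamp(v.public, v.patched, ys, ye)      # step 3: days publicly known
        if iv:
            public_iv.append(iv)
            score += w * (iv[1] - iv[0]).days
        if v.exploited_from:                          # step 4: days actively exploited
            wiv = _clamp(v.exploited_from, v.patched, ys, ye)
            if wiv:
                wild_iv.append(wiv)
                score += w * exploit_multiplier * (wiv[1] - wiv[0]).days
    return union_days(public_iv), union_days(wild_iv), score


# Constructed sample records (hypothetical; not real vulnerabilities).
SAMPLE = [
    Vuln("A", "extreme", date(2006, 1, 10), date(2006, 2, 14), date(2006, 1, 20)),
    Vuln("B", "high", date(2006, 2, 1), date(2006, 3, 14)),          # overlaps A
    Vuln("C", "moderate", date(2006, 6, 1), date(2006, 6, 8), date(2006, 6, 1)),
    Vuln("D", "less_critical", date(2006, 12, 20), None),            # unpatched at year end
]

if __name__ == "__main__":
    public_days, exploited_days, score = exposure(SAMPLE, 2006)
    print(f"public unpatched days={public_days} exploited days={exploited_days} score={score}")
```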

By the way, by this measure, Opera (probably Safari too) would come out much more secure relatively to Firefox. This is partly due to lack of market share.

I think it more shows how bad Microsoft are than anything.

Posted by: Ian | January 5, 2007 5:39 AM | Report abuse

Let the browser wars begin eh?
I see the religious zealots have come here to camp.
In perspective:
1) The author cannot name ALL of the browsers in the market. There are some browsers which have few users but might be highly secure. Opera is a third "up and coming" offering. More competition is better, because it breaks up the efforts of the hackers.
2) The stats guys stating 85% 95% etc use IE are losing sight of the actual numbers. If a hacker can gain control over 1 million PCs because those people use an obscure browser, that is far better and easier than "trying" to hit 100 million people who allow MS to do all the security for them. However, I concede and these people will also, that MS does a very poor security job for managing their client PCs. Vista will give MS the chance of controlling hundreds of millions of PCs (eventually) and then the numbers will show where the vulnerability lies.
3) Someone mentioned some sites that debunk the "Firefox is better" claim. Does that person use the CERT site at all, where they asked people to "not use IE for browsing"? This is the first time they ever did that. But facts often get in the way of religious arguments like this.
4) All software is vulnerable if the OS it rides on offers vulnerabilities. Did the author of this piece take into account that Firefox on Windows was vulnerable whereas on Linux it was not?
5) Maybe an article reviewing all browsers that had more than 500,000 downloads. This would satisfy the whiners of "they didn't include xyz browser". There is only so much space allowed in an article. Maybe statements like IE vs. all non-IE browsers? No, can't do that, then the MS zealots will say that it is a hit piece. See what I mean?
Later.

Posted by: AnonCle | January 5, 2007 9:10 AM | Report abuse

"The officials I dealt with helpfully concurred or quibbled slightly with some of my findings, but the company raised no objections that would materially affect the results presented in this particular study of IE flaws."


Could you disclose those argumentations from Microsoft?

Also, could you include Opera and Safari?

Posted by: Anonymous | January 5, 2007 9:46 AM | Report abuse

Opera IS more secure than Firefox which is far more secure than IE. Period.

For all of you ranting about market share and mixing it with security, go * yourself.

Market share affects the exposure of the application BUT it does _not_ matter whether software is more secure through its robustness or its obscurity. Try to get this into your head.

Granted, Opera may be more secure because no one bothers to make an exploit for it.
But it says only WHY Opera is secure. It does not change the fact it is.

FYI, the way security is implemented in Opera is that there are huge numbers of traps in the code that exit (crash) the application. Therefore most of the flaws found are not even patched; they are just fixed in the next version, as crashing a browser is inconvenient sometimes, however it does not compromise one's security.

One has to remember, the security of an application comes mostly from the philosophy its programmers used. From its inception Opera was focused on speed and security. It is their design goal.
Mozilla was always about functionality and security.
IE was always about market share. Security was implemented only as a bonus; it was never considered a fundamental design goal.

That kinda sums it up.

Posted by: mino | January 5, 2007 11:26 AM | Report abuse

Brian,

thanks for your hard work collecting and checking all those data. I have some notes and remarks about little things that are wrong or missing and I also have some personal thoughts regarding the subject. So here they are:

===Specific notes and remarks===

1) You write:
"Several weeks prior to posting this information, I shared the data I had gathered with Microsoft."
But you are posting this on January the 4th and you're referring to events that took place on Dec. 14 (possibly even Dec. 31). I guess you must have shared data only about the first months of the year. It really is a detail but the obvious contradiction will make some people think: "hey this man is not really careful when it comes to the details and this research is all about details - let's move on".

2) R. Gibson left a comment stating that "It looks like from April 11th to May 31st there were no unpatched flaws, but the table has all of April and all of May blocked out as an unsafe period."
I agree with him and believe that it would be important to fix the table. Otherwise some people might think that you did it on purpose. That's not just because they will mis-characterize you but because it means that they will read everything else with a filter of suspicion blocking the truth.

3) It would definitely be good to include the response you got from Microsoft regarding your research. Here is why: I just read your post and the comments. Now in order to arrive at a safe conclusion I must also check all or at least a lot of the links in the chart (so that I can be sure you are not making any mistakes or misinterpretations). If you include Microsoft's response and it's not addressing any real issue then I really need to check nothing more. If there was anything wrong they would surely be pointing it out because it's their name they are protecting.

===Personal thoughts===

I've read your post (and those on the same subject regarding previous years). I've observed the tables and the dates (I haven't yet followed the links to verify them - for now I'll take it for granted that you haven't made any major mistake) and my first thought was "What!?... that's soooo bad... Oh c'mon! it can't be true" (no disrespect here - I'm just talking about people's normal reaction to bad news). So correct me if I'm wrong but do you really mean that Microsoft is as disrespectful to its customers as can be? I mean here is the situation:

There are millions of PCs running YOUR software and you KNOW that this software has specific BUGs that render the system absolutely vulnerable to KNOWN attacks. And you also have some BILLIONS of cash in the bank. And you say to the press that you are working soooo hard. But for some years you still have the same problems... and guess what: you still have those billions of cash in the bank... Well, excuse me but I think you ought to spend A LOT OF THEM before claiming that you're really doing everything you can and that you really respect your customers.

So, is it so bad or am I missing something?

P.S. sorry about my English - it's not my native language.

Posted by: Nick Demou | January 5, 2007 12:30 PM | Report abuse

Hilarious> [Opera] may take a bit of getting used to, but it is superior in every way.

Earnest question: does Opera have the equivalent of the following Firefox extensions?

NoScript: provides control of JavaScript per web server, and Flash, Java, and other plugin control per embed.

TamperData: allows arbitrary manipulation of POST form fields and HTTP request headers during form submission.

SessionSaver: restores complete browser context, including tab histories, after restart.

Vertigo: arranges tabs vertically along left edge of browser Window instead of at the top.

Tab History: new tabs opened from links in other pages inherit history.

OpenNewWindowFromHere: clones the current tab in a new tab or window.

ReloadEvery: schedules reload of a given page at user-selected interval.

Posted by: antibozo | January 5, 2007 1:00 PM | Report abuse

Nick,

Thanks for the questions and comments. I began collecting this data back in October, and then kept adding more and more until Microsoft shipped its final round of patches on Dec. 12. After that patch rollout, they sent me a revised copy of their times for the spreadsheet I put together.

To your second point, I asked our graphics designer here to put that chart together based upon a really awful Gantt graph I'd done, with specific instructions to try as hard as possible to get the data on all one page so that the reader didn't have to scroll through several pages worth of vertical data (this was based on feedback I got from a great many readers when I did this project last year). I see your point, but if you look at the dates that accompany each vulnerability in the graph, you can draw your own conclusions. More importantly, you can even tally up the dates and compare them to the final analysis in the blog.

To your last question, I'm working on making the entire data set of Microsoft patches for 2006 presentable and available on the blog. It will be published, along with Microsoft's version, as soon as that's done. There's a chance I may hold it for a short time to go with another piece I'm working on though.

Posted by: Bk | January 5, 2007 1:14 PM | Report abuse

pretty interesting article!

Finally, I think we will never agree on which browser is really the most secure one, nor can I really judge. Basically I use Firefox because of its features, and as long as I'm using the auto-updates and some anti-virus and avoid clicking on strange links, I feel pretty good. Additionally you can incredibly increase your own security by using Firefox add-ons like "NoScript", which blocks all scripts but the ones of sites you trust - all with one click. This very site for example is totally script-blocked on my computer - bad luck for the bad guys trying their Java tricks on me. I agree I'm still vulnerable to WMF stuff, but there is no ABSOLUTE security. Okok, this problem can be easily tackled. Just modify the add-on "AdBlocker" to block everything ending in .WMF. Who needs WMF anyway?

I NEED to combine security with a browser I like and which I can adapt to my needs. This all isn't possible with Opera or IE. I don't like Firefox out-of-the-box, but I love it after installing my favourite addons. Can you say the same for Opera?

Posted by: Jurgen | January 5, 2007 6:21 PM | Report abuse

A little bit about Opera.

I would like the Opera browser to be successful in the marketplace. It'd be nice to have another viable choice; the competitive pressure would help keep the Mozilla folks (and others) on their toes; and so on.

However...Opera has a major problem. It's not open-source. Because it's not open-source, it can't be peer-reviewed. And because it can't be peer-reviewed, it can't be audited for security problems. (Nor can it be fixed in the field by third parties.)

(Let me pause here to make sure I'm clear about my point. Just because something is open-source doesn't mean it's secure -- of course not! But it's certainly true that when something is closed-source, it can't be secure *because it hasn't been subjected to the kind of peer review that's necessary to show that it's secure*. We only have "their" word for it. Not good enough.)

We've seen this so many times now that the movie is worn in the sprockets. It's become clear that we, the computing profession, do not yet know how to write secure code -- not in the context of large applications, at least. The very best algorithm we have -- so far -- is:

1. Write code.
2. Put code in front of many clueful eyeballs.
3. Pay attention.

That's not a desirable state of affairs, and people are working on changing it. But it's all we've got right now, which means that anybody who's serious about writing secure code *must* open it to peer review.

If they won't...then everyone's collective eyebrows should go up at any claim of supposed "security". After all -- to paraphrase a quote from an old ACM paper about Unix -- it's not secure until everyone knows exactly how it works and it's still secure.

Besides...if the bad guys want the source, they'll get it. And they *will* peer-review it, except the manner in which they'll "share their findings" isn't very collegial.

So. If the Opera folks want to compete with the Mozilla folks, they've got to open-source the browser. Let's see just how good that code really is.

Posted by: Rich K | January 5, 2007 6:56 PM | Report abuse

There is zero correlation between open source software and security, stability, or usability. Perhaps a negative correlation, actually.

Posted by: Brian | January 5, 2007 9:17 PM | Report abuse

Re: "there is zero correlation".

Perhaps you have not been paying attention during the last several decades while the largest, most successful project in the history of computing was built on open source.

It's called "the Internet", and you're soaking in it.

See "Information Wants to be Valuable", at

http://www.netaction.org/articles/freesoft.html

which is now a bit dated in terms of specifics, but still remains valid in terms of overall impact. (More so, in some cases: the first item notes that Apache ran half the web sites on the 'net. Now it's two-thirds.)

We are seeing the end -- I most certainly hope -- of the silly idea that computer science should for some nebulous reason(s) be exempted from the peer review that is in an integral part of other fields of endeavor: science, medicine, law, engineering, etc.

For example, we don't take the word of engineers that a bridge will stand up: we want architectural drawings, measurements, calculations, tests, review and more review. We don't take the word of a pharmaceutical company that their new drug will do what they say: we want biochemistry, lab tests, human trials, independent testing, and more review.

This is how we give ourselves a fighting chance of catching mistakes before they have widespread consequences. It usually works -- and when it doesn't, the process itself is often changed to address that.
The rise of open-source is thus just a reflection of the maturation of the field; it demonstrates a growing realization that if CS is intent on truly being a "science", that scientific methods -- including open peer review -- must be brought to bear.

People who won't produce their code are the snake-oil salesmen of the age: "oh, just trust me, this does what we say it does!". It's time -- past time -- that we gave them a ride out of town. They're obsolete.

Posted by: Rich K | January 5, 2007 10:18 PM | Report abuse

"Earnest question: does Opera have the equivalent of the following Firefox extensions?"

Top 150 Popular Firefox Extensions and Opera => http://files.myopera.com/Rijk/blog/extensions.html

Posted by: 369 | January 6, 2007 3:33 AM | Report abuse

369, that was informative. Thanks.

Posted by: antibozo | January 6, 2007 4:43 AM | Report abuse

The argument that IE6 was actually more secure than Firefox in 2006 because it had more security vulnerabilities is a misleading one: it only works if you ignore all the reports of in-the-wild malware actually using IE6 exploits to install itself. It's rather like saying bank A was more secure than bank B last year because a security audit found that bank A fixed 100 insecure locks, windows and security cameras and bank B only fixed 50, while ignoring the fact that bank B was robbed several times in the last year because the security problems weren't fixed until long after the bad guys found out about them.

Arguing that bank B was more secure requires that you ignore all those inconvenient bank robberies at bank B and concentrate on the security 'vulnerabilities' at bank A, even if they were fixed before anybody took advantage of them!

The author of Firefox Myths/Poptech blog has done just that. For one thing he pops up all over the internet under various names telling us that Firefox is insecure with x vulnerabilities.

http://talkback.zdnet.com/5208-10533-0.html?forumID=1&threadID=26584&messageID=501428&start=1

Then he tells us that any vulnerability is as bad as another because there is no way to measure the seriousness.

Of course the vulnerabilities that were exploited in IE6 during the periods they remained unpatched were noticed on malicious web sites by organisations such as Websense, Sophos, McAfee, Sunbelt, SANS - and even Microsoft reported limited attacks. Andrew, the author of Firefox Myths/Poptech, has repeatedly denied that these exploits ever occurred. He has even gone as far as to state that Microsoft reported no attacks for one exploit when the Microsoft website itself reports attacks.

http://grantlairdjr.com/wp/2006/05/18/firefox-myths/

There is a way to measure the ill effects of any security vulnerability: that is to look at how easy the vulnerability was to exploit, if an exploit emerged in the wild, if the exploit was used on malicious websites, and how long the vulnerability remained unpatched. Anybody who dismisses these factors and says all vulnerabilities are the same has no credibility.

It's game over for IE6: it simply was far less secure than Firefox. That's why it is at the top of the SANS Top-20 Internet Security Attack Targets (2006 Annual Update):

http://www.sans.org/top20/#w1

Game on for IE7, Firefox and indeed Opera.

Posted by: FreewheelinFrank | January 6, 2007 5:41 AM | Report abuse

A comment for all those people that write "IE is not secure but FF is at least as much or even a little bit more insecure because [insert any reason here]":

You live close to an abandoned airport. Your neighbour Mike is a good father and he loves his son John, who really likes racing. John is a good son also and he is careful and he respects the laws. So one day he wants to go to this one-on-one race and you see Mike thinking about it for a while and then he must be saying "OK" and he gives him something that looks like... Oh boy, these are the keys of the Ferrari! That'll be a really boring race, you think, because no other kid around here has anything even half that powerful. Still, watching the Ferrari will be fun so you go take a look from the rear window. And you take a look and you see that the competition is riding a... hah! A Yugo :-). Poor guys. You smile, take your martini and go relax on the sofa. And then the race begins and the Ferrari has left the Yugo far behind. But then the Yugo approaches a little bit more every minute and after a while you are not even sure whether John is first or not. Now you are sitting at a long distance and you don't see very well without your glasses and they seem... well, he _must_ be first... but even if he is, the Yugo is so close...
Now tell me, do you have any doubt about how good Johnny's driving was?

For those that don't see the point here I'll have to repeat something I wrote in another comment this time in this particular context:

There are millions of PCs running YOUR software and you KNOW that this software has specific BUGs that render the system absolutely vulnerable to KNOWN attacks. And you also have some BILLIONS of cash in the bank. And you say to the press that you are working soooo hard. But for some years you still have the same problems... and guess what: you still have those billions of cash in the bank... And at the same time a loosely organized and, compared to YOU, severely under-funded group of people present another product for which a debate exists regarding whether it is superior or not, both in terms of features and in terms of security.

Does anybody note a HUGE imbalance here? Billions of cash, ability to hire the best programmers in the world, 98% market share, many years in the field: and the result? Well, Internet Explorer is "maybe better", "maybe worse" depending on whom you ask. For God's sake, people, IS THIS THE BEST THEY CAN DO?!

Excuse me but I think it isn't. I think they got our money and put most of it in the bank and not into their R&D department. And I hold them responsible for that and even if their products are a little bit better or a little bit more secure I won't be the fool to give them more money. Because you know what? They're gonna send their IE team on vacation the moment they return to their 98% share and it will be as painful as it was the last time for us. You go ahead and become their next supporter just because you like this little feature over there or think they are a little bit more secure by that metric over here.

Posted by: Nick Demou | January 6, 2007 11:34 AM | Report abuse

After reading through all of the comments here and sorting out the good and bad, I thought that I would throw in my 2 cents here.

I've been using Firefox for a long time now. All of the main browsers (IE, Firefox, Opera) have had their ups and downs over recent years. IE is the 'easiest' to use because everyone makes sure that things work for it ... whether standards compliant or not! Opera has very fast rendering and is a fine piece of free software ... but with limited customization.

Which brings me to the reason I use Firefox. First, no matter what certain "stats" say, I AM safer using Firefox because IE is prone to 'drive-by' installs. I have been using Firefox since Phoenix 0.7 and have NEVER had the security problems that my IE-using counterparts did.

Second, I cannot live without the great extensions that are offered for Firefox. There can really be no argument that Firefox is "hands down" the most 'modular' browser out there. The extent of available customization and browser add-ons (especially for blocking web annoyances) is unparalleled by any other browser. If you think Firefox is leaking memory, spend $30 and stuff some more in your machine, "cheapy". I have 1 gig/memory and use a bunch of add-ons in Firefox and have never had a noticeable memory problem with it.

Because I feel there are really no blatant security flaws in Firefox that do not usually show up in IE too, I couldn't imagine giving up Firefox's addon features for ANY reason. I'll take Firefox with its minor problems over any of its competitors ... anyday!

.... rick752
(author: Easylist filters for Adblock Plus)

Posted by: rick752 | January 6, 2007 4:10 PM | Report abuse

antibozo> Earnest question: does Opera have the equivalent of the following Firefox extensions?

NoScript: no, but I personally find privoxy to be the superior choice for this.

TamperData: no, but I find Paros superb for this

SessionSaver: built-in

Vertigo: no

As for the rest of them, I don't see much use for them, although if you have such special requirements I can see why FF is nice. The big cool thing about Opera is that it is very streamlined in terms of having clever built-in hotkeys, mouse gestures and tabbed browsing that together make it extremely convenient without any modification after install.

Posted by: antibozo | January 5, 2007 01:00 PM

Posted by: Anonymous | January 6, 2007 7:37 PM | Report abuse

@antibozo:

*lol*

Most of your features have been built in to Opera for a long time.
You should definitely give the browser a try!

I'm also using it, and NOT because it's the most secure browser (Mozilla + Linux is also a quite safe combination), but because I really love its features and speed!
So.. I'm using "SessionSaver" and "OpenNewWindowFromHere" already for a couple of years ;-)

Posted by: jkhgf | January 6, 2007 8:20 PM | Report abuse

jkhgf> Most of your features have been built in to Opera for a long time.

Not according to the anonymous poster just before you, nor the link posted earlier by 369. One that seems to be in dispute is NoScript, so I guess I'll have to test it to know.

jkhgf> You should definitely give the browser a try!

Now that it's free, I may. But it's clearly lacking some key features, so I wouldn't be able to rely on it for most of my work. Tamper Data and Vertigo are sine qua non for me.

Posted by: antibozo | January 6, 2007 11:18 PM | Report abuse

Surf in a sandbox and use a bit of common sense, then you don't have to worry about which browser you use. No one is limited to using only one browser anyway.

Posted by: Al J | January 7, 2007 6:35 AM | Report abuse

Andrew, I'm sure Brian is not moderating your replies unless you are using profanity or otherwise violating the comment rules. The comment system itself sometimes designates certain comments as spam and starts refusing them. I suggest you write to Brian and to the blog maintainers and ask them to check what's up.

Posted by: antibozo | January 7, 2007 4:26 PM | Report abuse

Andrew -- antibozo is correct. To many people's amazement, I let pretty much anyone say what they want on this blog, provided they do not violate this blog's comment policies.

Our anti-blogspam technology flagged your comment as highly likely to include spam-fed links. For better or for worse, usually this happens when someone includes more than one link in their comment. I have corrected this so that hopefully this won't be a problem for you in the future.

I shall post your original blog comment in a moment. Thanks for your patience.

Posted by: Bk | January 8, 2007 2:24 AM | Report abuse

Talin: A fact is: "Knowledge or information based on real occurrences."

http://www.bartleby.com/61/63/F0006300.html

Vulnerabilities that can be proven to exist, exist. It is IMPOSSIBLE to know if something has not been exploited or when it first was. Those are GUESSES! Which makes this whole analysis irrelevant and FUD.


R. Morris: OS integration is IRRELEVANT to security. That is another Myth:
http://mywebpages.comcast.net/SupportCD/FirefoxMyths.html#Security


Opera is very customizable and has many extensions built in, plus it supports widgets! Stop spreading more Myths!

http://my.opera.com/community/customize/

http://virtuelvis.com/archives/2005/01/opera-and-firefox-extensions
http://virtuelvis.com/archives/2005/09/opera-and-firefox-extensions-ii
http://files.myopera.com/Rijk/blog/extensions.html
http://widgets.opera.com/

Posted by: Andrew | January 8, 2007 2:27 AM | Report abuse

"It is IMPOSSIBLE to know if something has not been exploited or when it first was."

Many vulnerabilities are reported to the software developer directly and fixed before they become public knowledge. This is true for all browsers, perhaps especially true for Firefox, which is open source and offers a reward for vulnerabilities found, but also true of Opera, and indeed Internet Explorer, although less so, for a reason I will mention later.

It is of course conceivable that these vulnerabilities were also discovered by the bad guys independently, but if the bad guys get hold of vulnerabilities, they use them, so wouldn't we have seen exploits and malware if they had been known? I'll come back to that point again.

Sometimes vulnerabilities are publicly disclosed before the software developer is informed, sometimes by a hacker who just wants to show off, sometimes by a legitimate researcher because a software developer has not dealt with the problem in a timely fashion- with browsers, most often this is the case with Internet Explorer, which has been slow to address security issues.

When these vulnerabilities come to light, the race is on for the bad guys to develop an exploit before the good guys develop a patch. Again, there's no way to know if the bad guys hadn't already found that exploit. The question again is, if they had, wouldn't an exploit and malware have been seen?

There are many security companies which go out and look at websites for new exploits: an automatic "browser" goes round and the company looks for any malware which manages to bypass computer security and install itself, and identifies how this is done. One good example is Sunbelt, which publishes new exploits found in the wild on its blog: I've followed the stories of emerging browser exploits over the past year on this site.

Although it's possible to speculate that any vulnerability might have been exploited or used to install malware, exploits used in the wild tend to get noticed by companies like Sunbelt, Sophos, McAfee, Websense, SANS etc.

The facts of last year are that malware exploiting different zero-day vulnerabilities was observed for days, even weeks in IE6.

http://research.eeye.com/html/alerts/zeroday/index.html

Brian's story mentions one zero-day vulnerability in Firefox. I don't know if this was ever exploited: I don't remember seeing such a report from any of the companies above, perhaps somebody could post a link if there were?

The analysis of publicly known zero-day vulnerabilities and exploits is the only possible measure of browser security. Saying that all vulnerabilities may theoretically have been exploited (even when there's no evidence that they were exploited, or even known about) so vulnerability count is the only thing that matters is extremely foolish given the many reports from last year of malware using unpatched IE6 exploits to install.

The link from Firefox Myths that supposedly proves that IE integration into the OS is not a security risk is from a Microsoft employee's blog (hardly objective) and the claim itself is hotly contested in the comments section of the blog.

Opera is indeed an excellent browser, but Andrew is being disingenuous in praising it so highly here- he's expressed strong criticism in the past and seems to be advocating Opera now simply because it suits his anti-Firefox campaign.

http://s4.invisionfree.com/Popular_Technology/index.php?showtopic=544&st=0

Posted by: FreewheelinFrank | January 8, 2007 4:47 AM | Report abuse

Brian thank you for fixing the comment system.

Frank that is not me on those forums. I don't know why you keep thinking it is.

Just because some people report vulnerabilities to the software developer before they become "public knowledge" does not mean they were not known to others before the person who reported it knew of the vulnerability.

It is simply impossible to monitor the whole internet to know if an exploit is being used. Many, many people are infected and have absolutely no idea how or where from. All you can detect in these cases is the infection but not how it was infected. Exploits simply deliver the infection, they do not deposit a document or PowerPoint presentation of how this occurred. Let's forget the fact of all the people currently infected who are still unaware.

You also forgot about the groups out there who deliberately put everyone at greater risk by releasing exploits one day after Microsoft's patch cycle to make Microsoft and IE look as bad as possible.

I already explained why it is impossible to know if an exploit does not exist.

Security companies cannot monitor the Internet, that is an impossibility. Let alone monitor it every second of every day.

You have no way to prove that exploits "tend to get noticed". Since you are not God this is an impossibility.

Those are not facts of anything. Malware could have been exploiting that for much longer.

You have no way to know if anything was never exploited. That is an impossibility. You cannot prove this unless you are God.

"The analysis of publicly known zero-day vulnerabilities and exploits is the only possible measure of browser security."

No it's not. It is fool's gold. You are putting your money on hypotheticals, guessing and assumptions.

I just showed you how you can measure browser security by counting how many known vulnerabilities there are. That can be proven irrefutably. You cannot prove when something was first exploited or if no exploits exist.

OS integration is completely irrelevant to browser security. Dave Massey fully explains each misinformed "dispute" in the comment section. OS integration is simply more FUD spread by Firefox Fanboys to bash IE. Yet these same Fanboys ignore the ridiculous security record of Firefox and COMPLETELY ignore the SUPERIOR security record of Opera. Hypocrites? No just fanboys.

Posted by: Andrew | January 8, 2007 7:27 AM | Report abuse

Questions:

1. Is Opera more secure than Firefox?
2. Is Opera the most secure graphical web browser for Windows?
3. Why do you not recommend the most secure graphical web browser for Windows?

Posted by: Andrew | January 8, 2007 7:32 AM | Report abuse

"Frank that is not me on those forums. I don't know why you keep thinking it is."

Possibly because you post pages from Poptech and Firefox Myths, both written by people called Andrew who claim to work for an OEM, Firefox Myths links to Poptech, the Poptech author links to Firefox Myths, the Poptech author has claimed to be the author of the Firefox Myths pages and the forum members at Poptech talk of the Poptech author as the author of Firefox myths?

Er... I could be wrong though (not).

http://nanobox.chipx86.com/caches/andrew_is_andrewk/

http://standards.spiralmindsinc.com/misc/Priceless/

Posted by: Anonymous | January 8, 2007 7:35 AM | Report abuse

Yes you are wrong as usual Frank. These are all me too:

http://www.google.com/search?client=opera&rls=en&q=andrew&sourceid=opera&ie=utf-8&oe=utf-8

All 183,000,000

I would hardly take some images off of some fanboy's pages as proof who have been known to manipulate images in the past. Linking is hardly proof of anything. Sorry but I don't have a blog or forums. But the popular technology site has excellent articles which is why I link to it.

Posted by: Andrew | January 8, 2007 8:03 AM | Report abuse

Frank please answer these questions:

1. Is Opera more secure than Firefox?
2. Is Opera the most secure graphical web browser for Windows?
3. Why do you not recommend the most secure graphical web browser for Windows?

Posted by: Andrew | January 8, 2007 8:05 AM | Report abuse

> Frank please answer these questions:
> Why do you not recommend [Opera] although
> it is more secure than Firefox

I don't know about Frank but both I and a lot of other insightful people will never recommend Opera for a very simple reason:

"My web browser is too critical* to be proprietary"

Now before you dismiss this as "Open source propaganda" please read another 40-60 words:

Proprietary s/w is being built by companies with a stated intent to maximize profit for their shareholders. I respect that. Still it is the reason that very often they will ignore their clients' needs if they don't see a threat of losing their profits. And because the s/w is proprietary nobody can do anything to fix it.

This is exactly what happened to Internet Explorer (nobody ignores the fact that microsoft after reaching a 98% market share made no improvement to IE for many years)

For that reason I will never go for _proprietary_ s/w in a critical position of my IT infrastructure if there exists a good-enough open source alternative.

In this case I consider FF at _least_ a good-enough alternative. _Maybe_ Opera is a little bit better but until it gets really better it's not even worth considering.

__________
* I suppose you know why a browser is a critical S/W component

Posted by: Nick Demou | January 8, 2007 9:29 AM | Report abuse

"Sorry but I don't have a blog or forums."

You lack what politicians call 'plausible deniability'.

I have personally witnessed forum members at Poptech refer to the Andrew there as the author of Firefox Myths. Even grabbed a screen shot. Which makes one of us a bare faced liar, doesn't it?

Evidence here:

http://www.webdevout.net/forums/viewtopic.php?t=37&start=112&sid=5d803fa437adb6c83e8f2ae8599bb643

Posted by: Anonymous | January 8, 2007 12:42 PM | Report abuse

Yes Frank, you. Why can you not answer the questions Frank? Why do you personally attack me once I disprove all of your BS points?

1. Is Opera more secure than Firefox?
2. Is Opera the most secure graphical web browser for Windows?
3. Why do you not recommend the most secure graphical web browser for Windows?

Not recommending a browser because it is "proprietary" is absurd. Especially when Opera is faster, more secure and more compliant (Acid2) than Firefox. Since this is a security discussion dismissing something that is more secure with excuses and rhetoric is hypocritical and proves that those recommending Firefox over Opera for security are pushing their own political agenda which is promoting the Firefox Religion:

http://poptech.blogspot.com/2005/01/firefox-new-religion.html

Anyone reading this can see how they avoid the simple question I ask because they don't like the answer and don't want anyone to know the truth.

Posted by: Andrew | January 9, 2007 12:41 AM | Report abuse

Andrew,

regarding the "Not recommending ... Religion" paragraph of your post:

I told you why I don't recommend Opera and it has nothing to do with religion or political agendas. It has everything to do with what I consider as my long term interest. You don't agree. Fine, there's nothing wrong with that. But could you please stop saying that I present absurd and rhetoric excuses that I am a hypocrite,that I am promoting political agendas or that I am religious regarding Firefox.

I've respected you and you owe me the same level of respect.

Posted by: Nick Demou | January 9, 2007 3:18 AM | Report abuse

The "personal attacks" are made because you are dishonest about the pages you post.

I do not accept you have disproved any of the points I have made.

The points I made were:

A: If no exploits were observed for Firefox vulnerabilities before they were made public and patched, then there probably weren't any.

B: There were exploits and malware using these exploits observed in the wild for periods of days or weeks levering vulnerabilities in IE6. These exploits and malware were observed by security organisations which go out and search the web for such things.

Your counter claims were:

A: All vulnerabilities are as bad because we can't know for sure if they haven't been exploited at some point before we knew about them. If I can paraphrase, you argued that we can't know what we don't know. Although impossible to prove, my claim is also impossible to disprove. Absence of evidence is not evidence of absence, but on the other hand, there is still no evidence. If these exploits existed, why weren't they levered to install malware? At the beginning of this year, the University of Washington published a report into spyware on the web. If you argue that all the vulnerabilities found and patched in Firefox might have been exploited in the past year, one might expect the report to mention self installing spyware in Firefox. In fact none was observed. Conclusion: Stalemate- there is no evidence that security vulnerabilities in Firefox were being exploited before they were made public and patched.

B: You have discounted reports of malware using unpatched zero-day exploits in IE6 to install. You have refused to acknowledge the facts. After a recent zero-day attack, you are on the record as saying:

"Microsoft nor myself saw any problems during the inbetween patch time."

The Microsoft advisory for that vulnerability states:

"Advisory updated with indication of limited attacks."

http://grantlairdjr.com/wp/2006/05/18/firefox-myths/

You have dismissed all such reports of malware exploiting zero-day vulnerabilities in more general terms in posts to this blog. Far from disproving my points, you have proved yourself wrong: always willing to put the dogma of IE6 security above the facts.

Regarding Opera, in answer to your questions:

1) Difficult to compare. Both have had security vulnerabilities in the past. Impossible to know about the future. Sorry to be vague. On the evidence, maybe yes:

http://www.webdevout.net/security_summary.php

2) Possibly, that I know of. Again, sorry to be vague.
3) I recommend Opera most highly, and use it myself. At the moment I'm using Firefox for the in-line spell checker and Adblock: Security Fix occasionally hosts the most intrusive web advert I have ever come across, a loud buzzing mosquito flying around the ad which one is invited to zap; with the best will in the world, I can't concentrate with that on the screen.

I have never recommended Firefox over Opera.

Regarding the Firefox-new-religion blog post, I'll leave the comments to two forum members at Poptech, Ducc and Karl:

"You're seriously an anti-firefox fanboy. Just as bad as the firefox-fanboys."

"Ducc is right. And the anti-Firefox anger and pettiness gets annoying. Andrew, did Firefox r*** your children?"

http://z4.invisionfree.com/Popular_Technology/index.php?showtopic=1850&view=getnewpost

No doubt the Poptech Andrew will block this page to the general public quite soon as he has done with the link to the page I posted earlier where he states that he cannot recommend Opera. Funny, that...


Posted by: FreewheelinFrank | January 9, 2007 4:57 AM | Report abuse

Google Cache:

Andrew (the Poptech incarnation) on Opera:

I love things that work and IE works. Every time I have to switch to IE to see or use a page properly is a waste of my time. I have to do it EVERY day. How can I possibly recommend this to anyone? When they could simply use IE or preferably Avant Browser and never have to switch to anything? The argument isn't there. I don't sacrifice for things that don't work. My time is my time. Why "put up" with something when you don't have to? For an idealistic dream? Get back to me when Firefox or Opera renders all of the Web correctly. Neither is ready for prime time as far as I'm concerned. :whistle:

http://209.85.135.104/search?q=cache:u7rrrEguLAgJ:s4.invisionfree.com/Popular_Technology/index.php%3Fshowtopic%3D544+popular_technology+topic+544&hl=en&gl=uk&ct=clnk&cd=2&client=firefox-a

Posted by: FreewheelinFrank | January 9, 2007 6:21 AM | Report abuse

Nick,

This is a security blog and a discussion about security. Not recommending something for proprietary reasons is not a security argument. It is a political reason. Ignoring a browser with a superior security track record is hypocritical as far as being responsible about security goes. You can not claim to care about security and then ignore the more secure products for idealistic reasons. That has nothing to do with being disrespectful but rather logical.

Frank,

The only dishonest person here is you. You apparently have a problem with the Andrew at Popular Technology. I suppose this Andrew is me too:

http://blogs.msdn.com/acoat/

He even works at Microsoft!

The rest of your comments are also BS:

"A: If no exploits were observed for Firefox vulnerabilities before they were made public and patched, then there probably weren't any."

IMPOSSIBLE to prove! Are you God? No then you cannot prove this.

You make nonsensical arguments. If exploits were observed at any time they stop being unknown. You cannot prove anything with inconclusive evidence. It is IMPOSSIBLE to know if no exploits exist or when something was first exploited. That is the cold hard reality, foolish idealists like you don't understand. Illogical people like yourself simply wish to push a political agenda. You are not concerned about security you are concerned with promoting Firefox.

I am still waiting for the link that proves a Zero Day exploit in IE. You have yet to deliver. You keep linking to stories and blog posts but no proof.

I like your non-answers to the questions. People like you are beyond hypocrites. You will do anything to defend Firefox even if it means playing down the superior security of Opera. You cannot even answer the questions I posted honestly. You and David Hammond can run around in dream land together, consistently ignoring facts while David plays with colors and statistics to make Opera look as bad as Firefox when even he cannot hide its superior security record. You know it is more secure but will never admit it and that sir makes you a fanboy.

Frank you want more proof you are full of it? Proof that I do recommend Opera:

http://mywebpages.comcast.net/SupportCD/FreewareBrowsers.html#Picks

Only more proof you need to get a day job.

Posted by: Andrew | January 9, 2007 7:49 PM | Report abuse

Since Frank cannot answer the questions honestly being the loyal fanboy that he is, I will for him:

1. Is Opera more secure than Firefox?

Frank A: "Yes"


2. Is Opera the most secure graphical web browser for Windows?

Frank A: "Yes"


3. Why do you not recommend the most secure graphical web browser for Windows?

Frank A: "Because I am a Firefox Fanboy"

Posted by: Andrew | January 9, 2007 7:53 PM | Report abuse

Andrew, your arguments are circular and all you add with each response is to become more abusive.

I have quite clearly admitted that I cannot prove that exploits for Firefox vulnerabilities did not exist before the vulnerabilities were discovered. Neither can I prove that there are not monsters under the bed. If you're suggesting there are, it's up to you to prove it.

Once again you have denied that zero-day exploits ever happened in IE. That's really putting your head on the block since eEye has now catalogued these attacks with comprehensive links to show when exploits were discovered:

http://research.eeye.com/html/alerts/zeroday/index.html

So, while asking Firefox users to believe in monsters under the bed, you are telling IE users they were never exposed to real security threats which were well documented. Since you bang on about facts so much, it's remarkable how comfortable you are in ignoring them.

Here are just two reports of malware using zero-day exploits in IE6:

http://explabs.blogspot.com/2006/09/webviewfoldericon-setslice-exploit-in_30.html
http://www.websense.com/securitylabs/blog/blog.php?BlogID=82

As you didn't like my previous answers to your question, let me answer again:

1. Yes*
2. Yes*
3. I recommend Opera most highly and use it myself.

* Anyone capable of understanding that an answer might be qualified can read my previous answers.

Posted by: FreewheelinFrank | January 10, 2007 5:17 AM | Report abuse

rad

Posted by: dave | January 10, 2007 6:50 AM | Report abuse

If you cannot prove this then any "metric" of exploitation is inaccurate and misleading.

I am simply asking for proof. I want a link to a website of one of these supposed "Zero-Day" exploits. Which you have consistently been unable to provide. You run around trying to scare people and consistently do not provide accurate security advice.

Posted by: Andrew | January 10, 2007 8:20 PM | Report abuse

The Exploit Prevention Labs link I provided has a link to the website hosting the zero-day exploit: of course it's obscured to prevent it being clickable. eEye states that IE6 users were exposed to this vulnerability for 84 days.

The Websense link I provided links to a video of auto-installing malware in which the website URL is visible. IE6 users were exposed to this vulnerability for 7 days according to eEye.

I really don't know why you prize this URL so much: why not simply trust these and other security organisations when they say exploits affecting zero-day vulnerabilities have been seen? Are McAfee, Sophos, SANS, even Microsoft lying?

Please don't repeat your usual nonsense of saying how these links don't affect your browser because I think anybody still reading will grasp that IE6 users could only be affected during the window of opportunity while the vulnerability remained unpatched.

"You run around trying to scare people."

This from the person who will pop up on any blog discussion of Firefox on the web to tell people about how insecure Firefox is with all its hundreds of vulnerabilities? The FUD Meister himself? Very funny!

Posted by: FreewheelinFrank | January 11, 2007 4:53 AM | Report abuse
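The figures traded in this thread (the 284 and 98 days in the post, eEye's 84 and 7 days per flaw) are exposure windows: days on which a flaw was public but unpatched. Two different numbers come out of the same data depending on whether you sum the windows per flaw or count each calendar day once, because windows overlap. The following is an added example, not code from Security Fix, eEye or any commenter, that computes both readings. The entries in SAMPLE are constructed placeholders (labels, dates and the in-the-wild flag are invented for illustration, not real advisories), and the cut-off rule (the patch day itself is not counted as exposed, and an unpatched flaw runs to year end) is an assumption, since the post does not state the exact convention it used.

```python
from datetime import date, timedelta

# Constructed sample data (placeholder labels, not real advisories or CVE ids).
# Each entry: (label, date the exploit became public, date of the fix or None
# if still unpatched, whether the exploit was reported as used in the wild).
SAMPLE = [
    ("vuln-A", date(2006, 3, 10), date(2006, 4, 11), True),
    ("vuln-B", date(2006, 4, 1),  date(2006, 4, 11), False),  # lies inside vuln-A's window
    ("vuln-C", date(2006, 9, 18), date(2006, 9, 26), True),
    ("vuln-D", date(2006, 12, 20), None, False),              # still unpatched at year end
    ("vuln-E", date(2005, 12, 28), date(2006, 1, 5), False),  # carried over from 2005
]


def exposure_window(public, patched, year):
    """Return (first, stop) for the part of [public, patched) inside `year`.

    `first` is inclusive and `stop` exclusive, so the patch day itself is not
    counted as exposed (assumed convention). An unpatched entry runs to the
    end of the year; an entry disclosed in an earlier year starts on 1 January.
    """
    year_start = date(year, 1, 1)
    next_year = date(year + 1, 1, 1)
    first = max(public, year_start)
    stop = min(patched or next_year, next_year)
    return first, max(stop, first)


def exposure_days(public, patched, year):
    """Calendar days in `year` during which this one flaw was public and unpatched."""
    first, stop = exposure_window(public, patched, year)
    return (stop - first).days


def per_vuln_exposure(entries, year):
    """Per-flaw window lengths, the kind of number eEye quotes per advisory."""
    return {label: exposure_days(pub, pat, year) for label, pub, pat, _ in entries}


def unpatched_days(entries, year, only_in_wild=False):
    """Distinct days in `year` with at least one (qualifying) flaw unpatched.

    Overlapping windows are counted once, so this is a union of days, not a
    sum of window lengths. With only_in_wild=True it counts only flaws whose
    exploit was reported as used in the wild, which is the narrower metric.
    """
    exposed = set()
    for _, pub, pat, in_wild in entries:
        if only_in_wild and not in_wild:
            continue
        first, stop = exposure_window(pub, pat, year)
        day = first
        while day < stop:
            exposed.add(day)
            day += timedelta(days=1)
    return len(exposed)


if __name__ == "__main__":
    windows = per_vuln_exposure(SAMPLE, 2006)
    for label, days in windows.items():
        print(f"{label}: {days} days exposed")
    print("sum of per-flaw windows:", sum(windows.values()))
    print("days with any public unpatched exploit:", unpatched_days(SAMPLE, 2006))
    print("days with an in-the-wild exploit unpatched:",
          unpatched_days(SAMPLE, 2006, only_in_wild=True))
```

On the constructed data the per-flaw windows sum to 66 days, but only 56 distinct days had any public unpatched exploit, because vuln-B's whole window sits inside vuln-A's; restricting to flaws flagged as exploited in the wild gives 40 days. Whoever compiles such a table should state which of these they are reporting, and what counts as the start and end of a window, before comparing numbers across browsers.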

> Not recommending something for proprietary reasons
> is not a security argument. It is a political reason.

Nonsense: Security, you know, has EVERYTHING to do with TRUST. I trust neither Microsoft nor Opera Software ASA. Why? Because they don't care about my long term benefit. What exactly do you find political about it? I am not in love with open source or free software. I just see a model in F/OSS that naturally protects my long term interests as a consumer of software. Why don't you want to accept that this is just a different point of view?

> Ignoring a browser with a superior security
> track record is hypocritical

Enough is enough with you calling names for everybody that doesn't look at things from your point of view mister!

The rest is for all the other readers that don't want to read every post to understand why you are just shortsighted (besides rude). No need to reply AFAIC.

I DON'T ignore the Opera browser because of WHAT IT IS but because of what IT CAN NEVER BE: TRUSTWORTHY. Don't you take any lessons from recent history Andrew? Don't you see how corporations use software that is critical for us consumers? Me, my mother and her cat know that Microsoft abandoned Internet Explorer when it had nothing more to earn from improving it (and we are talking years not months here). Microsoft also used IE to bend the web standards to its benefit and lock us all in. Why did MS do it? Is it evil? Is it under oath to the dark forces? I am not a child to believe that. They did it just because they COULD and it was in their best interest (companies are built to make a profit if you haven't heard). And do you know why they COULD: well because the code was proprietary. Now if you notice any similarities with 'Opera Software ASA' it's because they exist.

You chose to compare browsers with a very myopic view which takes into account today and a few weeks ahead. I know I'm gonna need a decent browser for more than a few weeks so I compare them with a view that includes the next 3-4 years. Viewing that far ahead it so naturally happens that I see a few things that don't appear in your limited field. And what do you do instead of looking ahead to check for yourself what I am talking about? You dismiss my description as idealistic, religious, political and hypocritical. Well mister, they are not. You are just rude and shortsighted.

Posted by: Anonymous | January 11, 2007 2:31 PM | Report abuse

To whoever wrote that last post: Bravo! (I'm not receiving a name for you on my end).

But folks, perhaps I'm being a bit obtuse. If security is the issue here, why not simply toss a Linux partition onto your machine with Firefox as your browser, and be done with it? Do all your online work there, and your offline work on your Microdoze partition.

I too value trust as a paramount element of security - and I don't trust MS! But I must admit the unavoidable truth that more polished software for games, viewers, audio and the like are written to the Windoze environment. So I watch movies, listen to music, play with graphics, and so forth using XP. But I keep my internet access restricted to Linux. It's not particularly difficult to set up. You plant a vfat partition between the two as a transfer zone, and there are a handful of other finesses that require attention on the installation. But it reads to me as the win/win situation to have the best of both worlds - sophistication with Windoze, and higher online security under Linux.

Posted by: yarro | January 12, 2007 11:59 PM | Report abuse

I'm looking for an answer. I was told by our software vendor that there was a security risk in IE 7 when you have a http tab and a https tab open at the same time. I'm doubtful but interested if anyone else has heard this. ie_tabs at gatewayreservations dot com

Posted by: Stuart | January 16, 2007 6:24 PM | Report abuse


Not welcome here: So many spammers here :(

Posted by: Crad | January 30, 2007 11:39 PM | Report abuse

"I would assert that IE6, IE7, Mozilla, and Firefox had security flaws for 365 days last year. First, IE6 is used by 90% of the people, so hackers focus their attention there, and not on the 10% or less that use Mac, Mozilla, or Firefox. If Mozilla had 90% of the usage, and the hackers focused their time on it, we would find that there are exploitable bugs. Same with Firefox, and even Mac. Because of this, as long as Mac, Mozilla, or Firefox are low in usage they will be safer than IE because IE is where the volume and money is at."

Then you would be wrong in your assertion. Sure FF has some security holes, but it's not hooked into the O/S in the same way as IE so those vulnerabilities are generally less critical.

Posted by: Zorro | January 31, 2007 9:39 AM | Report abuse

The comments to this entry are closed.


© 2010 The Washington Post Company