Internet Explorer Vulnerabilities in 2006
|KEY:||Browser vulnerability publicly disclosed||Browser vulnerability actively exploited|
|December 2005||Dec. 27: MS06-001 (CVE-2005-4560) - 0day in Windows Metafile Format (WMF). Patch issued Jan. 5.|
|January 2006||Jan. 7: MS06-004 (CVE-2006-0020) - Proof of concept for Windows Metafile Format flaw. Patch issued Feb. 14.|
|March 2006||Mar. 16: MS06-013 (CVE-2006-1245) - Proof of concept exploit for IE Microsoft Internet Explorer 6.0.2900.2180 (mshtml.dll). Patch issued Apr. 11.|
|Mar. 22: MS06-013 (CVE-2006-1359) - Proof of concept exploit for Microsoft Internet Explorer 6 and 7 Beta 2. Patch issued Apr. 11.|
|May 2006||May 31: MS06-043 (CVE-2006-2766) - Proof of concept exploit for MHTML Parsing Vulnerability in IE. Patch issued Aug. 8.|
|July 2006||July 18: MS06-043 (CVE-2006-2766) - Proof of concept code for Microsoft Internet Explorer 6 on Windows XP SP2 (setslice).|
|August 2006||Aug. 27: MS06-067 (CVE-2006-4446) - Proof of Concept exploit for Microsoft Internet Explorer 6.0 SP1 (DIRECT ANIMATION). Patch issued Nov. 14.|
|September 2006||Sept. 13: MS06-067 (CVE-2006-4777) - 0day flaw in Internet Explorer 6.0 SP1 (daxctle.ocx). Patch issued Nov. 14.|
|Sept. 18: MS06-057 (CVE-2006-3730) - IE 0day Vector Graphics Rendering engine (vgx.dll), as used in Microsoft Outlook and Internet Explorer 6.0. Patch issued Sept. 26.|
|Sept. 26: Exploited in the wild. Patch issued Oct. 10.|
|Oct. 24: CVE-2006-5559 - ADODB.Connection 2.7 and 2.8 ActiveX control objects in Internet Explorer 6.0 Unpatched.|
|November 2006||Nov. 3: MS06-071 (CVE-2006-5745) - 0day: IE-related (not installed by default on Windows). Patched Dec. 14.|
In a total of ten cases last year, instructions detailing how to leverage "critical" vulnerabilities in IE were published online before Microsoft had a patch to fix them.
Microsoft labels software vulnerabilities "critical" -- its most severe rating -- if the flaws could be exploited to criminal advantage without any action on the part of the user, or by merely convincing an IE user to click on a link, visit a malicious Web site, or open a specially crafted e-mail or e-mail attachment.
In contrast, Internet Explorer's closest competitor in terms of market share -- Mozilla's Firefox browser -- experienced a single period lasting just nine days last year in which exploit code for a serious security hole was posted online before Mozilla shipped a patch to remedy the problem.
Criminals specializing in Internet fraud continued to ply much of their trade with the aid of security flaws in the Microsoft browser last year. In 2006, the company issued patches to fix a total of four "zero-day" flaws in IE. Zero-day (or 0day) attacks are so named because software vendors have no time to develop a fix for the flaws before they are exploited by cyber crooks for financial or personal gain.
The first major flaw in a Windows program last year involved one that could be easily exploited via Internet Explorer. In late December 2005, experts tracked organized criminals hacking into sites and seeding them with code that installed password-stealing spyware on machines used by anyone who merely visited the sites with IE. Microsoft initially downplayed the severity of the attacks, until it became clear that the threat was fairly widespread and that thousands of customers had already been attacked in the span of a few days. The threat was seen as so severe that a large number of security experts urged users to download and install a patch produced by a third party until Microsoft developed an official fix.
In September, attackers would exploit an unpatched flaw in non-Microsoft Web server software to install malicious code on thousands of legitimate Web sites that could infect Windows machines when users merely browsed the sites with IE. Much like the IE flaw first detected in December 2005, this sophisticated attack by organized criminals also would prompt a series of third-party security patches in the days before Microsoft issued an official update.