Navigations is looking out for our fans to join us! us today

Google Search


Tuesday, January 09, 2007

IE 6 has 284 days unsecured for 2006


Slashdot Slashdot It!

Looking back on three years of efforts by Microsoft to address only the most severe security holes in its software. In fact, if you examine the vulnerability chart that accompanies this post, you can see for yourself how the data is supported by information posted on the Web over the past year.

Internet Explorer Vulnerabilities in 2006

KEY: Browser vulnerability publicly disclosed Browser vulnerability actively exploited
December 2005 Dec. 27: MS06-001 (CVE-2005-4560) - 0day in Windows Metafile Format (WMF). Patch issued Jan. 5.
January 2006 Jan. 7: MS06-004 (CVE-2006-0020) - Proof of concept for Windows Metafile Format flaw. Patch issued Feb. 14.
February 2006
March 2006 Mar. 16: MS06-013 (CVE-2006-1245) - Proof of concept exploit for IE Microsoft Internet Explorer 6.0.2900.2180 (mshtml.dll). Patch issued Apr. 11.
Mar. 22: MS06-013 (CVE-2006-1359) - Proof of concept exploit for Microsoft Internet Explorer 6 and 7 Beta 2. Patch issued Apr. 11.
April 2006
May 2006 May 31: MS06-043 (CVE-2006-2766) - Proof of concept exploit for MHTML Parsing Vulnerability in IE. Patch issued Aug. 8.
June 2006
July 2006 July 18: MS06-043 (CVE-2006-2766) - Proof of concept code for Microsoft Internet Explorer 6 on Windows XP SP2 (setslice).
August 2006 Aug. 27: MS06-067 (CVE-2006-4446) - Proof of Concept exploit for Microsoft Internet Explorer 6.0 SP1 (DIRECT ANIMATION). Patch issued Nov. 14.
September 2006 Sept. 13: MS06-067 (CVE-2006-4777) - 0day flaw in Internet Explorer 6.0 SP1 (daxctle.ocx). Patch issued Nov. 14.
Sept. 18: MS06-057 (CVE-2006-3730) - IE 0day Vector Graphics Rendering engine (vgx.dll), as used in Microsoft Outlook and Internet Explorer 6.0. Patch issued Sept. 26.
Sept. 26: Exploited in the wild. Patch issued Oct. 10.
October 2006
Oct. 24: CVE-2006-5559 - ADODB.Connection 2.7 and 2.8 ActiveX control objects in Internet Explorer 6.0 Unpatched.
November 2006 Nov. 3: MS06-071 (CVE-2006-5745) - 0day: IE-related (not installed by default on Windows). Patched Dec. 14.
December 2006
The release of Microsoft's new Internet Explorer 7 browser in November came too late in the year to improve the lot of IE users, who make up roughly 80 percent of the world's online community. For a total 284 days in 2006 (or more than nine months out of the year), exploit code for known, unpatched critical flaws in pre-IE7 versions of the browser was publicly available on the Internet. Likewise, there were at least 98 days last year in which no software fixes from Microsoft were available to fix IE flaws that criminals were actively using to steal personal and financial data from users.

In a total of ten cases last year, instructions detailing how to leverage "critical" vulnerabilities in IE were published online before Microsoft had a patch to fix them.

Microsoft labels software vulnerabilities "critical" -- its most severe rating -- if the flaws could be exploited to criminal advantage without any action on the part of the user, or by merely convincing an IE user to click on a link, visit a malicious Web site, or open a specially crafted e-mail or e-mail attachment.

In contrast, Internet Explorer's closest competitor in terms of market share -- Mozilla's Firefox browser -- experienced a single period lasting just nine days last year in which exploit code for a serious security hole was posted online before Mozilla shipped a patch to remedy the problem.

Criminals specializing in Internet fraud continued to ply much of their trade with the aid of security flaws in the Microsoft browser last year. In 2006, the company issued patches to fix a total of four "zero-day" flaws in IE. Zero-day (or 0day) attacks are so named because software vendors have no time to develop a fix for the flaws before they are exploited by cyber crooks for financial or personal gain.

The first major flaw in a Windows program last year involved one that could be easily exploited via Internet Explorer. In late December 2005, experts tracked organized criminals hacking into sites and seeding them with code that installed password-stealing spyware on machines used by anyone who merely visited the sites with IE. Microsoft initially downplayed the severity of the attacks, until it became clear that the threat was fairly widespread and that thousands of customers had already been attacked in the span of a few days. The threat was seen as so severe that a large number of security experts urged users to download and install a patch produced by a third party until Microsoft developed an official fix.

In September, attackers would exploit an unpatched flaw in non-Microsoft Web server software to install malicious code on thousands of legitimate Web sites that could infect Windows machines when users merely browsed the sites with IE. Much like the IE flaw first detected in December 2005, this sophisticated attack by organized criminals also would prompt a series of third-party security patches in the days before Microsoft issued an official update.

No comments: