January 4, 2007

the real story on browser vulnerabilities

As we've been saying for quite some time, browser vulnerability is not just a bug counting exercise. What matters is the real risk to users and when you start talking about user risk, the best possible metric is "how many days is a user vulnerable to real attacks on the web."

Security expert at the Washington Post, Brian Krebs, explains:

For a total 284 days in 2006 (or more than nine months out of the year), exploit code for known, unpatched critical flaws in pre-IE7 versions of the browser was publicly available on the Internet. Likewise, there were at least 98 days last year in which no software fixes from Microsoft were available to fix IE flaws that criminals were actively using to steal personal and financial data from users.

He even provides a nice chart demonstrating how, through out the year, IE users were under nearly constant attack on the web.

Brian goes on to describe Firefox:

In contrast, Internet Explorer's closest competitor in terms of market share -- Mozilla's Firefox browser -- experienced a single period lasting just nine days last year in which exploit code for a serious security hole was posted online before Mozilla shipped a patch to remedy the problem.

Security is a process that includes among other things careful design, intense code review, heavy testing, and quick response when flaws are discovered. While all software as complex as web browsers will have flaws, including security and privacy vulnerabilities, it is clear that some organizations have processes in place that are better equipped to manage and mitigate the risk. This article leaves little doubt that the process we have at Mozilla has been orders of magnitude more effective at protecting users from online threats than what Microsoft customers have been offered.

Posted by asa at 2:02 PM