Internet Explorer Unsafe for 284 days in 2006

Maybe I should have posted this a year ago.

A report by Brian Krebs in the Washington Post shows that Internet Explorer was unsafe, running with known but unpatched critical flaws, on 284 days in 2006. By comparison, Mozilla Firefox was exposed for just nine days in the year.

This huge gap shows that Internet Explorer still cannot be regarded as reliable, even though it holds the largest market share at 80 percent.

Krebs began collecting the data behind the report in 2005. He contacted nearly all of the researchers who had reported critical flaws in Microsoft products and examined the dates on which each flaw was found and reported. The result: Internet fraudsters were exploiting security flaws in Microsoft software for their own gain throughout the year.

Key (from the original graphic): browser vulnerability publicly disclosed / browser vulnerability actively exploited.

December 2005
Dec. 27: MS06-001 (CVE-2005-4560) – 0day in Windows Metafile Format (WMF). Patch issued Jan. 5.

January 2006
Jan. 7: MS06-004 (CVE-2006-0020) – Proof of concept for Windows Metafile Format flaw. Patch issued Feb. 14.

February 2006

March 2006
Mar. 16: MS06-013 (CVE-2006-1245) – Proof of concept exploit for Microsoft Internet Explorer 6.0.2900.2180 (mshtml.dll). Patch issued Apr. 11.
Mar. 22: MS06-013 (CVE-2006-1359) – Proof of concept exploit for Microsoft Internet Explorer 6 and 7 Beta 2. Patch issued Apr. 11.

April 2006

May 2006
May 31: MS06-043 (CVE-2006-2766) – Proof of concept exploit for MHTML Parsing Vulnerability in IE. Patch issued Aug. 8.

June 2006

July 2006
July 18: MS06-043 (CVE-2006-2766) – Proof of concept code for Microsoft Internet Explorer 6 on Windows XP SP2 (setslice).

August 2006
Aug. 27: MS06-067 (CVE-2006-4446) – Proof of concept exploit for Microsoft Internet Explorer 6.0 SP1 (DIRECT ANIMATION). Patch issued Nov. 14.

September 2006
Sept. 13: MS06-067 (CVE-2006-4777) – 0day flaw in Internet Explorer 6.0 SP1 (daxctle.ocx). Patch issued Nov. 14.
Sept. 18: MS06-057 (CVE-2006-3730) – IE 0day in the Vector Graphics Rendering engine (vgx.dll), as used in Microsoft Outlook and Internet Explorer 6.0. Patch issued Sept. 26.
Sept. 26: Exploited in the wild. Patch issued Oct. 10.

October 2006
Oct. 24: CVE-2006-5559 – ADODB.Connection 2.7 and 2.8 ActiveX control objects in Internet Explorer 6.0. Unpatched.

November 2006
Nov. 3: MS06-071 (CVE-2006-5745) – 0day: IE-related (not installed by default on Windows). Patched Dec. 14.

December 2006

Compiled by Brian Krebs, washingtonpost.com – January 4, 2007
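To make the "days unsafe" methodology concrete, here is an added Python example (it is not Krebs's code or part of the original post) that treats each timeline entry as a disclosure-to-patch window, clips the windows to calendar 2006, merges overlaps so that a day with two unpatched flaws counts once, and sums the result. The dates are transcribed from the timeline above; the ADODB.Connection entry, listed as unpatched, is treated as open through Dec. 31, and the unlabelled "Sept. 26: Exploited in the wild" row is left out because the timeline does not name its CVE. For this partial list the method yields 264 days rather than Krebs's 284, since his count drew on entries and rules not reproduced above; the point is the interval-union calculation, which is the same one a patch-management team would use to measure its own exposure.

```python
from datetime import date, timedelta

# Disclosure-to-patch windows transcribed from the timeline above (constructed
# input for this example). end=None means still listed as unpatched at year end.
# The July 18 entry repeats CVE-2006-2766 (patched Aug. 8), so it shares the
# May 31 window.
WINDOWS = [
    ("MS06-001 / CVE-2005-4560 (WMF)",             date(2005, 12, 27), date(2006, 1, 5)),
    ("MS06-004 / CVE-2006-0020 (WMF PoC)",         date(2006, 1, 7),   date(2006, 2, 14)),
    ("MS06-013 / CVE-2006-1245 (mshtml.dll)",      date(2006, 3, 16),  date(2006, 4, 11)),
    ("MS06-013 / CVE-2006-1359 (IE 6, 7 Beta 2)",  date(2006, 3, 22),  date(2006, 4, 11)),
    ("MS06-043 / CVE-2006-2766 (MHTML)",           date(2006, 5, 31),  date(2006, 8, 8)),
    ("MS06-067 / CVE-2006-4446 (Direct Animation)", date(2006, 8, 27), date(2006, 11, 14)),
    ("MS06-067 / CVE-2006-4777 (daxctle.ocx)",     date(2006, 9, 13),  date(2006, 11, 14)),
    ("MS06-057 / CVE-2006-3730 (vgx.dll)",         date(2006, 9, 18),  date(2006, 9, 26)),
    ("CVE-2006-5559 (ADODB.Connection)",           date(2006, 10, 24), None),
    ("MS06-071 / CVE-2006-5745",                   date(2006, 11, 3),  date(2006, 12, 14)),
]

YEAR_START = date(2006, 1, 1)
YEAR_END = date(2006, 12, 31)


def clip_window(start, end, year_start, year_end):
    """Return the half-open [start, end) interval clipped to the year, or None.

    A day counts as unsafe from the disclosure date up to, but not including,
    the patch date. An open window (end=None) runs through the year's last day.
    """
    limit = year_end + timedelta(days=1)
    lo = max(start, year_start)
    hi = min(end if end is not None else limit, limit)
    return (lo, hi) if lo < hi else None


def merged_windows(windows, year_start=YEAR_START, year_end=YEAR_END):
    """Sort the clipped windows and merge any that overlap or touch.

    Overlapping flaws must not be double counted: two unpatched bugs on the
    same day still make that day exactly one unsafe day.
    """
    clipped = sorted(
        w for w in (clip_window(s, e, year_start, year_end) for _, s, e in windows) if w
    )
    merged = []
    for lo, hi in clipped:
        if merged and lo <= merged[-1][1]:
            merged[-1] = (merged[-1][0], max(merged[-1][1], hi))
        else:
            merged.append((lo, hi))
    return merged


def exposure_days(windows, year_start=YEAR_START, year_end=YEAR_END):
    """Total number of distinct days in the year with at least one unpatched flaw."""
    return sum((hi - lo).days for lo, hi in merged_windows(windows, year_start, year_end))


def longest_window(windows, year_end=YEAR_END):
    """Name and length in days of the single longest disclosure-to-patch gap."""
    limit = year_end + timedelta(days=1)
    return max(
        ((n, ((e if e is not None else limit) - s).days) for n, s, e in windows),
        key=lambda item: item[1],
    )


if __name__ == "__main__":
    for lo, hi in merged_windows(WINDOWS):
        print(f"{lo} to {hi - timedelta(days=1)} inclusive: {(hi - lo).days} days")
    print("unsafe days in 2006:", exposure_days(WINDOWS))
    print("longest single gap:", longest_window(WINDOWS))
```

The merge step is what distinguishes "days unsafe" from "sum of patch delays": the autumn entries (Aug. 27 through the still-open ADODB.Connection flaw) collapse into one unbroken stretch of 127 days, so adding the individual gaps would overstate the exposure.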

The first major attack was carried out by organized criminals who broke into websites and planted code that installed password-stealing spyware on systems running Internet Explorer. Microsoft did not take the attack seriously, and within a few days thousands of customers had already been hit by the spyware. Because Microsoft held out, security experts released a third-party patch to close the hole until Microsoft finally shipped its own fix.

Again in September, hackers used an unpatched flaw in non-Microsoft web server software to plant malicious code on a huge number of legitimate websites. A site carrying this code could infect a Windows system as soon as a user opened it in the browser. Once more Microsoft was slow to take this huge threat seriously, and third-party patches were the saviour until Microsoft issued an official update many days later.

With more browsers entering the market, it is time Microsoft realized the importance of security, stayed alert, and responded more promptly than ever before.