Thursday, May 11, 2006

A year of bugs

This interesting little survey of browser bugs doesn't tell me anything I wasn't aware of just from reading bugtraq now and again, but it's always nice to have actual numbers to go with the general sense of malaise I have about browser security:

It looks at the span of time between a vulnerability becoming publicly known and a patch being released, for three browsers: IE, Mozilla (apparently they sort of look at the whole family), and Opera.

They define a browser as "safe" on a given day when no publicly known, unpatched remote code execution bug exists for it.

Here's the rundown:

IE: 2% safe. There was a grand total of 7 days in 2004 when no known unpatched bug existed. For more than half the year, there was a worm or virus in the wild exploiting one of these bugs.

Mozilla: 85% safe. There were 56 days where there was a publicly known vulnerability and no patch. Many bugs were reported privately to the Mozilla team. It is worth noting that Mozilla-type browsers were not being targeted in 2004 by malware writers due to lack of popularity. The more it grows, the bigger the target it becomes.

Opera: 83% safe. 65 days unpatched. The unpatched windows for the Opera bugs happened to overlap, which could have made the patch take longer, or maybe made the total time shorter because both bugs could be fixed in one patch. Opera was also not targeted by malware writers.

All in all, somewhat interesting to put some firm numbers on the gap between discovery of a vulnerability and availability of a patch. And this doesn't even count the days people spend before they have time to patch! (With IE, that sort of gap could completely cover the few safe days they've got!)
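To make the "days unpatched" arithmetic concrete, here is an added example (not from the survey or the original post) that computes the metric described above: merge each browser's [disclosure, patch) windows into disjoint intervals, so that two bugs open at the same time, as with the overlapping Opera bugs, count once rather than twice, then express the remainder as a percentage of the year. An optional deployment lag extends each window to model the time users spend before patching. The bug list is constructed for illustration and is not the survey's data.

```python
"""Days-of-risk calculator for a browser in a given year.

Added example, not the survey's code. The bug intervals below are
constructed sample data, not the survey's numbers.
"""
from datetime import date, timedelta


def days_in_year(year):
    """Number of days in the calendar year (2004 was a leap year: 366)."""
    return (date(year + 1, 1, 1) - date(year, 1, 1)).days


def unpatched_windows(bugs, year, deploy_lag_days=0):
    """Merge [disclosed, patched) windows into disjoint intervals clipped to the year.

    bugs: list of (disclosed_date, patched_date_or_None).
    A bug still unpatched at year end runs through the last day of the year.
    deploy_lag_days extends each patched window to model users who take
    that many days to install the fix after it ships.
    Overlapping windows are merged so concurrent bugs are counted once.
    """
    year_start, year_end = date(year, 1, 1), date(year + 1, 1, 1)
    intervals = []
    for disclosed, patched in bugs:
        lo = max(disclosed, year_start)
        hi = year_end if patched is None else patched + timedelta(days=deploy_lag_days)
        hi = min(hi, year_end)
        if lo < hi:  # drop windows entirely outside the year
            intervals.append((lo, hi))
    intervals.sort()
    merged = []
    for lo, hi in intervals:
        if merged and lo <= merged[-1][1]:
            # overlaps or touches the previous window: extend it
            merged[-1] = (merged[-1][0], max(merged[-1][1], hi))
        else:
            merged.append((lo, hi))
    return merged


def unsafe_days(bugs, year, deploy_lag_days=0):
    """Days on which at least one known remote code execution bug was unpatched."""
    return sum((hi - lo).days for lo, hi in unpatched_windows(bugs, year, deploy_lag_days))


def percent_safe(bugs, year, deploy_lag_days=0):
    """Percentage of the year with no known unpatched bug, per the survey's definition."""
    total = days_in_year(year)
    return 100.0 * (total - unsafe_days(bugs, year, deploy_lag_days)) / total


# Constructed sample data for a hypothetical browser in 2004 (not survey data):
# two bugs whose unpatched windows overlap, and one still open at year end.
SAMPLE_BUGS = [
    (date(2004, 2, 1), date(2004, 2, 11)),   # 10 days on its own
    (date(2004, 2, 8), date(2004, 2, 20)),   # overlaps the first; merged: Feb 1 to Feb 20
    (date(2004, 11, 1), None),               # never patched in 2004: Nov 1 to year end
]

if __name__ == "__main__":
    for lo, hi in unpatched_windows(SAMPLE_BUGS, 2004):
        print(f"unpatched {lo} to {hi}: {(hi - lo).days} days")
    print(f"unsafe days: {unsafe_days(SAMPLE_BUGS, 2004)}")
    print(f"percent safe: {percent_safe(SAMPLE_BUGS, 2004):.1f}%")
    print(f"with a 7-day deployment lag: {percent_safe(SAMPLE_BUGS, 2004, 7):.1f}%")
```

With the sample data the two February bugs merge into one 19-day window instead of 10 + 12 = 22, and the unpatched November bug contributes 61 days through year end, for 80 unsafe days out of 366. Adding a 7-day deployment lag widens the merged February window to 26 days, which is the effect the last paragraph alludes to: for a browser with only a handful of safe days, that lag can erase them entirely.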
