Explorer “unsafe” for 98 percent of 2004

[whatthe]

"This means fully patched IE was known to be unsafe for an incredible 98 per cent of 2004,” ScanIT's CEO David Michaux commented. “And for 200 days in 2004 there was a worm or virus exploiting one of those un-patched vulnerabilities."

http://www.techworld.com/security/ne...fm?NewsID=3362

Not very pleasant statistics. It would be interesting to hear MS take on this, flaws were minor?

[MrCoffee]

The company gleaned this dramatic statistic from the 195,00 Internet users who tested their browsers for security holes using the company’s online security checker.

So this is based on their own stats. I would be interested in seeing comparisions from TrendMicro and others with the online scanners. My personal feeling is that if you have enough monkey typing long enough aginst any browser, you'll poke holes in it, or end up with a copy of A mid-summers Night's Dream . MS is the biggest target at the moment.

This isnt really all that hopeful for IE, but not that surprizing, if you stop to think about WHY people are going to a online scanning site...... Maybe because they think they MAY have been explioted...?

There is to much info missing from behind the stats to reach any real conclusion.

Cheers!

[zENGER]

Does this mean that there was 2% of the time when IE "was" safe, or just during that 2% of the time it was unknown whether it was safe or not.

[MrCoffee]

No, but if you read what they are saying, there was online a week in Oct when it was not expliotable... I think..

[whatthe]

Does this mean that there was 2% of the time when IE "was" safe

Yeah, I think that's what they meant.

if you stop to think about WHY people are going to a online scanning site...... Maybe because they think they MAY have been explioted...?

That's what I thought at first too but

A browser version was considered “unsafe” on a particular day if a patch fix had not been made available for a known remote execution problem.

This puts the focus on whether MS had a patch for the vulnerability not on whether the user applied it.

"This means fully patched IE was known to be unsafe for an incredible 98 per cent of 2004,” ScanIT's CEO David Michaux commented. “And for 200 days in 2004 there was a worm or virus exploiting one of those un-patched vulnerabilities."

I do agree that stats put out by only one company, especially one promoting and online scan, need to be taken with a grain of salt.

That's why we're here to play devil's advocate.

[catch]

If an exploit is made public after Dec 31 2004, that means the application was explotable 100% of the year, it just wasn't widely known.

By this logic the 2% argument is flawed and moot... and furthermore this stands true for every application or software. Just because the exploit isn't widely known doesn't mean the product is secure. Thus Windows, Linux, BSD, IE, Firefox, etc are all insecure 100% of the time.

This is why counting known exploits is such a terrible way of measuring security and by extension reports like this are terrible.

cheers,

catch

[Und3ertak3r]

There are lies dambed Lies and there are statistics..


While I dont think that IE was the most secure browser in 2004, and in its shipped state it is a whore looking for clients,, I find some of these statistical reports just crap..