Monday, December 3, 2007

Internet Explorer Shows Amazing Security Gains in 2007

(OK, Opera finished as the safest browser, but that's nothing new.)

I have finished calculating the total number of risk-days (for those who want to know what risk-days are, read my earlier research) for browsers for the period January 2006 until now. Whew! And the surprising result is that Internet Explorer improved markedly on the security front in 2007. When compared over the entire period of the study, IE finished as the most vulnerable browser. However, when the years 2006 and 2007 are compared separately, a pleasant surprise awaited me!

Edit: I celebrated too soon. In December, one more zero-day vulnerability was announced in IE. Three more highly critical IE flaws and four more highly critical Opera flaws were also reported, but they were not associated with any increase in risk-days (updated on 01/22/2008).

In 2006, the security record of Internet Explorer was abysmal; it was nowhere near its competitors. 2007 also began inauspiciously, with a zero-day vulnerability in January. Since then, however, there has to date not been a single highly or extremely critical risk-day (see graph)! Well, neither Firefox (if you leave out the URI vulnerability, which was basically a Windows problem) nor Opera has had one either, but for Internet Explorer it is definitely a first.

Graph I: The high-criticality risk-days for the different browsers in 2006 and 2007 (up to 1 December). Note that Opera does not appear at all, and none of the browsers appear in 2007. For an explanation of the two bars for Firefox, read the last paragraph of the article.

Graph II: The risk-days for each browser in 2006 and 2007 (up to 1 December). Opera clearly has the best record. Firefox has a better record than Internet Explorer.

However, as is Microsoft's wont, the risk-days for low-risk vulnerabilities have shot through the roof, leaving it with by far the highest number of risk-days among the major browsers. I suspect there is improvement in that sphere as well, though. In fact, the tables below flatter Microsoft's 2006 record, since they do not count the unpatched vulnerabilities it carried into 2006. Low-risk weaknesses matter too, since they can be the source of cross-site scripting or similar attacks in which important user information is stolen from an unwary user. This is a problem area for Internet Explorer and, to a lesser extent, Firefox. Opera was also plagued by cross-site scripting vulnerabilities.

Tables I, II and III: The risk-days in each vulnerability category, for each browser.

The methodology of the study was the same as in the previous study. Secunia was searched for all the reported vulnerabilities, and the risk-days were computed from them. Risk-days is the sum, over all vulnerabilities in a particular application, of the number of days for which each one was publicly announced but still unpatched.

There were plenty of problems with the analysis. Secunia gives advisory totals, but the vulnerabilities within an advisory are not all of equal severity: Secunia usually gives the advisory the highest criticality rating among them, so following the Secunia advisory classifies not-so-severe vulnerabilities as critical bugs. Usually this causes no problems for a risk-days analysis, because a multiple-vulnerability advisory is mostly the vendor advisory, whose vulnerabilities are disclosed with zero risk-days. In one case, however (Firefox, 2006), a moderate-criticality bug was not properly patched, raising its risk-days to 45. Since it was part of an advisory reporting highly critical flaws, it unfairly got the 4x tag attached to it. To keep the analysis uniform, it was still kept in the highly critical group; a fairer assessment would put Firefox's risk-days for the 4x group at 7 and for the 3x group at 45.

In 2007, Secunia listed the infamous URI bug as a Firefox flaw, and only as a Firefox flaw. Since it was primarily a Windows bug and depended on IE (and is still classified as an IE bug in NVD), I have decided to remove it from the analysis. To guard against any faulty conclusion, I compared all the high-criticality flaws (4x and above) and confirmed them against the NVD database.

There was the further question of how to measure the risk-days for zero-day vulnerabilities. Because an accurate date for the emergence of the bug proved elusive, I did not give a number for the 2007 IE zero-day but replaced it with a question mark. Some mistakes may still remain, so I will try to upload the files so that they can be downloaded and scrutinized properly. These inaccuracies mean the big picture matters more than the raw vulnerability counts. Vendor-supplied ratings, where available, are often a better guide.
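The risk-days metric described above, written out as a small Python script. This is an added example, not the spreadsheet or script behind the post's tables, and the advisory entries, identifiers and dates in it are constructed for illustration (they are not real Secunia advisories). It makes the three methodological choices from the paragraphs above explicit: each vulnerability carries its own criticality rather than inheriting the advisory's highest rating; a bug with no reliable disclosure date is reported as a "?" instead of being given a number; and unpatched bugs carried in from before the study window are either clipped to the window or dropped, so the "flattered 2006 record" effect can be seen directly.

```python
"""Risk-days: for each publicly known vulnerability, the days between public
disclosure and the vendor patch, summed per product and split by criticality.
Added example, not the post's own script; all data below is constructed."""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Advisory:
    """One vulnerability entry. Rate each *vulnerability*, not the whole
    advisory, so a moderate bug bundled with critical ones does not inherit
    the 4x tag the post complains about."""
    sid: str                   # constructed identifier, not a real Secunia advisory number
    criticality: int           # Secunia-style 1 (not critical) .. 5 (extremely critical)
    disclosed: Optional[date]  # None: public, but no reliable disclosure date (the "?" case)
    patched: Optional[date]    # None: still unpatched at the end of the study window


def exposure_days(a: Advisory, start: date, end: date) -> int:
    """Days inside [start, end] on which `a` was public but unpatched.

    Disclosed and patched on the same day (the usual vendor advisory) gives 0.
    Entries disclosed before `start` are clipped to the window, so an
    unpatched bug carried in from the previous year counts from day 1.
    """
    if a.disclosed is None:
        raise ValueError(f"{a.sid}: no disclosure date, cannot count risk-days")
    first = max(a.disclosed, start)
    last = min(end if a.patched is None else a.patched, end)
    return max(0, (last - first).days)


def risk_days_by_criticality(advisories: List[Advisory], start: date, end: date,
                             include_carried_over: bool = True) -> Tuple[Dict[int, int], List[str]]:
    """Total risk-days per criticality level, plus the ids that get a "?"."""
    totals: Dict[int, int] = {c: 0 for c in range(1, 6)}
    unknown: List[str] = []
    for a in advisories:
        if a.disclosed is None:
            unknown.append(a.sid)   # report with a "?" rather than guess a number
            continue
        if not include_carried_over and a.disclosed < start:
            continue                # what the post's 2006 IE tables effectively do
        totals[a.criticality] += exposure_days(a, start, end)
    return totals, unknown


def split_high_low(totals: Dict[int, int]) -> Tuple[int, int]:
    """The post's graphs split 'high' (4x and above) from everything else."""
    high = sum(d for c, d in totals.items() if c >= 4)
    low = sum(d for c, d in totals.items() if c < 4)
    return high, low


WINDOW_2006 = (date(2006, 1, 1), date(2006, 12, 31))

# Constructed sample for one hypothetical browser; dates are illustrative only.
SAMPLE = [
    Advisory("X-1", 4, date(2005, 11, 1), date(2006, 2, 9)),   # carried into 2006, patched 9 Feb
    Advisory("X-2", 5, date(2006, 3, 20), date(2006, 3, 20)),  # vendor advisory: 0 risk-days
    Advisory("X-3", 3, date(2006, 6, 1), date(2006, 7, 16)),   # moderate bug left open 45 days
    Advisory("X-4", 2, date(2006, 9, 10), None),               # still unpatched at window end
    Advisory("X-5", 4, None, date(2007, 1, 9)),                # zero-day, no reliable disclosure date
]

if __name__ == "__main__":
    totals, unknown = risk_days_by_criticality(SAMPLE, *WINDOW_2006)
    for crit in range(5, 0, -1):
        print(f"{crit}x: {totals[crit]:4d} risk-days")
    print("high / low:", split_high_low(totals))
    print("no disclosure date (shown as ?):", unknown)
    strict, _ = risk_days_by_criticality(SAMPLE, *WINDOW_2006, include_carried_over=False)
    print("4x risk-days if carried-over bugs are ignored:", strict[4])
```

Running it on the constructed sample gives 39 risk-days at 4x (the bug carried in from November 2005, counted only from 1 January), 45 at 3x, 112 at 2x (unpatched through 31 December), and zero at 5x for the same-day vendor advisory; the zero-day with no disclosure date is listed separately as a "?". Dropping carried-over bugs zeroes the 4x figure, which is exactly the kind of flattering the post warns about for IE's 2006 numbers.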


td said...

Sir, about Linux and Windows, I still find Windows more usable because it meets many of my end-user needs. Lots to learn.