First, a note on the methodology behind this blog post: The data presented here builds on a project I began in late 2005 looking back on three years of efforts by Microsoft to address only the most severe security holes in its software. I conducted that same research again last month, individually contacting nearly all of the security researchers who submitted reports of critical flaws in Microsoft products to learn from them not only the dates that they had submitted their findings to the company, but also any other security trends or anomalies they observed in working with the world's largest software maker.
Several weeks prior to posting this information, I shared the data I had gathered with Microsoft. The officials I dealt with helpfully concurred or quibbled slightly with some of my findings, but the company raised no objections that would materially affect the results presented in this particular study of IE flaws. In fact, if you examine the links included in the vulnerability chart that accompanies this post, you can see for yourself how the data is supported by information posted on the Web over the past year.
Patching Internet Explorer in 2006
For all its touted security improvements, the release of Microsoft's new Internet Explorer 7 browser in November came too late in the year to improve the lot of IE users, who make up roughly 80 percent of the world's online community. For a total 284 days in 2006 (or more than nine months out of the year), exploit code for known, unpatched critical flaws in pre-IE7 versions of the browser was publicly available on the Internet. Likewise, there were at least 98 days last year in which no software fixes from Microsoft were available to fix IE flaws that criminals were actively using to steal personal and financial data from users.
In a total of ten cases last year, instructions detailing how to leverage "critical" vulnerabilities in IE were published online before Microsoft had a patch to fix them.
Microsoft labels software vulnerabilities "critical" -- its most severe rating -- if the flaws could be exploited to criminal advantage without any action on the part of the user, or by merely convincing an IE user to click on a link, visit a malicious Web site, or open a specially crafted e-mail or e-mail attachment.
[The chart posted here shows the overlap of threats from various IE flaws throughout the year.]
In contrast, Internet Explorer's closest competitor in terms of market share -- Mozilla's Firefox browser -- experienced a single period lasting just nine days last year in which exploit code for a serious security hole was posted online before Mozilla shipped a patch to remedy the problem.
Criminals specializing in Internet fraud continued to ply much of their trade with the aid of security flaws in the Microsoft browser last year. In 2006, the company issued patches to fix a total of four "zero-day" flaws in IE. Zero-day (or 0day) attacks are so named because software vendors have no time to develop a fix for the flaws before they are exploited by cyber crooks for financial or personal gain.
The first major flaw in a Windows program last year involved one that could be easily exploited via Internet Explorer. In late December 2005, experts tracked organized criminals hacking into sites and seeding them with code that installed password-stealing spyware on machines used by anyone who merely visited the sites with IE. Microsoft initially downplayed the severity of the attacks, until it became clear that the threat was fairly widespread and that thousands of customers had already been attacked in the span of a few days. The threat was seen as so severe that a large number of security experts urged users to download and install a patch produced by a third party until Microsoft developed an official fix.
In September, attackers would exploit an unpatched flaw in non-Microsoft Web server software to install malicious code on thousands of legitimate Web sites that could infect Windows machines when users merely browsed the sites with IE. Much like the IE flaw first detected in December 2005, this sophisticated attack by organized criminals also would prompt a series of third-party security patches in the days before Microsoft issued an official update.
Check back with Security Fix on Friday for a look at the number of vulnerabilities that Microsoft patched in its Office applications last year.