
IE flaws stats stark, but omit big picture

By Shamus McGillicuddy, News Writer
16 Jan 2007 | SearchSMB.com


Is it safe?

That's the question Laurence Olivier's sadistic Nazi dentist asked Dustin Hoffman over and over again as he plucked out Hoffman's teeth sans Novocain in the 1976 thriller Marathon Man.

Hoffman didn't know the answer to Olivier's cryptic question. But picture yourself in that same dentist's chair asked a similar simple question: Is Microsoft Explorer safe? No. It's not safe. Nothing is safe.

The Washington Post's computer security blogger, Brian Krebs, raised a few eyebrows earlier this month when he announced that Microsoft's Internet Explorer was "unsafe" for 284 days in 2006.

Krebs arrived at that number (nearly nine months of the year) by compiling the amount of time it took for Microsoft to release a patch for critical flaws in Internet Explorer for which exploit code was publicly available on the Web. He added that there were at least 98 days in 2006 in which no software fixes were available from Microsoft for Explorer flaws that "criminals were actively using to steal personal and financial data from users."

Krebs took a look at Mozilla's Firefox, Explorer's closest competitor, and found there were only nine days in 2006 when exploit code for a serious security hole was available online before Mozilla issued a patch.

Those numbers side by side seem pretty stark, but is it a fair comparison?

"Not only is it fair to the level it goes, but it doesn't take into account that most people don't actually patch software as soon as a patch is available," said Richard Steinnon, chief marketing officer at Sunnyvale, Calif.-based Fortinet Inc., an information security vendor.
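As an added illustration (not code from the article, from Krebs or from any vendor named here), the following computes the "days unsafe" metric the article describes, using a constructed list of exploit-public and patch dates: overlapping windows are merged so two concurrent flaws are not counted twice, and an optional deployment lag models Stiennon's point that organizations rarely apply a patch the day it ships.

```python
from datetime import date, timedelta

# Constructed sample timeline for one browser in one calendar year.
# Each entry is (day exploit code became public, day the vendor shipped a patch);
# a patch date of None means the flaw was still unpatched at year end.
# These dates are made up for illustration, not real advisory data.
SAMPLE_WINDOWS = [
    (date(2006, 1, 10), date(2006, 2, 14)),
    (date(2006, 2, 1), date(2006, 2, 20)),   # overlaps the first window
    (date(2006, 5, 5), date(2006, 5, 5)),    # patched the same day it went public
    (date(2006, 12, 20), None),              # still open at year end
]
YEAR_START = date(2006, 1, 1)
YEAR_END = date(2006, 12, 31)


def exposure_days(windows, year_start, year_end, deploy_lag=0):
    """Count distinct calendar days in [year_start, year_end] on which at least
    one flaw had public exploit code and no usable fix.

    A flaw is exposed from the exploit-public day through the day before the
    patch date, plus deploy_lag days to model the time it takes a shop to roll
    the patch out. Overlapping or adjacent windows are merged first."""
    intervals = []
    for start, patched in windows:
        if patched is None:
            end = year_end
        else:
            end = patched - timedelta(days=1) + timedelta(days=deploy_lag)
        start, end = max(start, year_start), min(end, year_end)
        if start <= end:                      # same-day patch with no lag -> 0 days
            intervals.append((start, end))
    intervals.sort()
    merged = []
    for start, end in intervals:
        if merged and start <= merged[-1][1] + timedelta(days=1):
            merged[-1] = (merged[-1][0], max(merged[-1][1], end))
        else:
            merged.append((start, end))
    return sum((end - start).days + 1 for start, end in merged)


if __name__ == "__main__":
    print("days exposed (patch applied day of release):",
          exposure_days(SAMPLE_WINDOWS, YEAR_START, YEAR_END))
    print("days exposed (one-week deployment lag):",
          exposure_days(SAMPLE_WINDOWS, YEAR_START, YEAR_END, deploy_lag=7))
```

Feeding a real advisory timeline into the same function lets an IT manager report the organization's own exposure figure rather than the vendor-level one, which is the number that actually drives patch-policy decisions.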

Avivah Litan, vice president and research director at Gartner Inc. in Stamford, Conn., said the 284 days of vulnerability seems accurate, but she said it's also a reflection of Explorer's 80% market share.

"If you were a thief, would you go after 80% of the market or 9%?" Litan said. "Crooks are going to go to the low-hanging fruit. They like to write attacks for a mass audience."

Natalie Lambert, an analyst at Cambridge, Mass.-based Forrester Research Inc., didn't dispute Krebs' numbers, but she also said market share was a big part of the problem for Microsoft.

"The days are the days. You can take it at face value," she said. "I just feel that people are going to target Microsoft Explorer more than Firefox because of the market share. I don't think this shows that Microsoft is less secure, but that they do have their work cut out for them. They've got people who are attacking all of their products."

Lambert said Microsoft has improved its response to vulnerabilities, but she added the company has a way to go. She said Krebs' analysis doesn't establish that Explorer is less secure than other browsers. Instead, she said, it highlights the need for all software vendors to improve their policies for patching known vulnerabilities. She also said Vista and Internet Explorer 7, which was released in November, should further improve security for Microsoft. However, she cautioned that they are no silver bullets for exploitable code.

Lambert said the entire software industry has a problem with flawed code, and all vendors need to take a more aggressive approach to dealing with active exploits.

"I think all vendors need to add additional resources to make sure they are patching software with as much timeliness as necessary," Lambert said.

She said Krebs' findings also highlight the need for IT managers to make sure they have good patch management policies in place.

Steinnon said a number like 284 days will help IT organizations highlight to management why it's so difficult to manage and update Explorer and other Microsoft products.

He said businesses and consumers should use Explorer only when absolutely necessary.

"The only reason you should use Internet Explorer is if some of the online applications you use, such as banking, don't let you log in with another browser," he said.

In a statement sent to this reporter, a Microsoft spokesperson didn't dispute Krebs' findings, but suggested his methodology doesn't tell the whole story.

"When a security issue threatens customers, the Microsoft Security Response Center quickly mobilizes several specially focused teams to investigate, fix and learn from security vulnerabilities," the spokesperson said.

She added that delays in issuing patches are usually tied to several issues. Microsoft developers might find a problem with a patch while testing it. Or they might spend time looking for other related security issues to ensure a comprehensive patch. Other delays are related to whether changes could affect compatibility with other applications. She added that some problems are at an architectural level and require significant changes that take more time to test.
