Logically, a zero day flaw is of most danger to users if it is being actively exploited in the wild e.g. by a malicious website to infect the user. Flaws which, although known and unfixed, are not being actively exploited simply do not present the same risk to the user (although they still need to be fixed quickly to prevent future exploitation).
IE Zero Day Flaws Actively Exploited – Brian concludes that, in the past 18 months, zero day flaws in IE were actively exploited for 152 days – about 5 months, based on Microsoft’s figures. On average then, users of IE were left at risk of zero day flaws (which were known to be actively exploited) for one week in every month. The study compared the corresponding 18 month period for Google Chrome and Mozilla Firefox:
Chrome – No disclosed vulnerabilities reported to be actively exploited. “A Google spokesperson said that the company has never observed a Chrome zero-day in the wild against any of its stable versions since it first released Chrome”.
Firefox – No disclosed vulnerabilities reported to be actively exploited. “A Mozilla spokesperson said the last true zero-day that was used by attackers to install malware via a vulnerability in Firefox came in October 2010”
Why Is IE So Susceptible To Active Exploits? How can it be that IE users were left exposed to active attacks for 152 days in the last year and a half whereas Firefox and Chrome users were not exposed for a single day?
The answer must be the relative speed at which updates are issued and applied for each browser. Google and Mozilla can fix a vulnerability before it is exploited in the wild because they can update their browsers so quickly – using automatic updates.
1. IE security updates may suffer much longer delays because they have to be developed and tested on 5 different ‘live’ versions of the browser – IE6 through to IE10. However, Google only has to produce security updates for the current stable version of Chrome and Mozilla abandoned Firefox 3.6 support, leaving it free to produce security updates for the current stable version only.
With both Chrome and Firefox, if you use an old version you do not receive security updates – upgrades to the latest version are automatic and available for all versions of Windows from XP onwards (unlike IE9 which is not available to XP users).
2. IE security updates during the 18 months covered in the study were rolled out as part of the normal monthly automatic update cycle for Windows, not as emergency fixes. It should therefore be no surprise that those delays of up to 1 month (or more) left ample opportunity for flaws to be actively exploited in the wild – before they were fixed.
When faced by such a zero day vulnerability, Chrome and Firefox release an emergency update of the browser – a new version rolled out automatically to all users to protect them, even if they weren’t aware of the problem.
However, the infamous IE fix on September 21 was the first emergency update of an IE zero day flaw since January 2010. A quote from the director of security operations at nCircle Security which praises Microsoft’s reaction time is amusing: “Let’s call it five days from advisory to patch, I’d like to see anybody pull that off.”
Instead of admiring Microsoft’s ‘quick’ 5 day reaction (the first time in almost 2 years they reacted so fast) perhaps he should consider Mozilla’s reaction to a serious privacy vulnerability found October 10th in the new Firefox 16. There is no evidence that it was exploited in the wild but Mozilla still managed to release a fixed 16.0.1 version for users on October 11 – just a day later…
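The "days at risk" figure the post relies on is easy to compute for your own fleet if you record when an in-the-wild exploit was first reported and when the fix shipped. The following is an added example, not code from the post or the study it cites: it merges overlapping exploitation windows so a day covered by two unpatched flaws is counted once, and expresses the result as days per 30-day month. All dates are constructed placeholders, not the study's data.

```python
from datetime import date

# Constructed sample records: (first report of in-the-wild exploitation, fix shipped).
# These are illustrative placeholders, NOT the figures from the study quoted above.
SAMPLE_WINDOWS = {
    "IE": [
        (date(2012, 1, 10), date(2012, 2, 14)),   # patched on a monthly cycle
        (date(2012, 2, 1), date(2012, 3, 13)),    # overlaps the first window
        (date(2012, 9, 14), date(2012, 9, 21)),   # out-of-band fix, 7 days
    ],
    "Chrome": [],    # no actively exploited zero-days recorded
    "Firefox": [],
}
PERIOD_START = date(2011, 7, 1)   # an 18-month observation period (constructed)
PERIOD_END = date(2013, 1, 1)


def merge_windows(windows):
    """Merge overlapping or touching [start, end) windows so no day is double counted."""
    merged = []
    for start, end in sorted(windows):
        if merged and start <= merged[-1][1]:
            merged[-1] = (merged[-1][0], max(merged[-1][1], end))
        else:
            merged.append((start, end))
    return merged


def days_at_risk(windows, period_start, period_end):
    """Days inside [period_start, period_end) with at least one exploited, unpatched flaw."""
    total = 0
    for start, end in merge_windows(windows):
        clipped_start, clipped_end = max(start, period_start), min(end, period_end)
        if clipped_end > clipped_start:
            total += (clipped_end - clipped_start).days
    return total


def exposure_report(windows, period_start, period_end):
    """Summarise exposure as total days and the average per 30-day month."""
    days = days_at_risk(windows, period_start, period_end)
    months = (period_end - period_start).days / 30.0
    return {"days": days, "days_per_month": days / months}


if __name__ == "__main__":
    for browser, windows in SAMPLE_WINDOWS.items():
        report = exposure_report(windows, PERIOD_START, PERIOD_END)
        print(f"{browser}: {report['days']} days at risk, "
              f"{report['days_per_month']:.1f} days per month")
```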
Zero day flaws in web browsers pose the most serious risk to users when they are being actively exploited. Whereas Firefox and Chrome users have not been at risk from active zero day exploits over the last 18 months, IE users have been at risk for about 1 week in every month.
There is still almost a full month before we can expect Microsoft’s next set of security updates. Do IE users feel lucky this week?