Internet Explorer Vulnerabilities Increase 100%

samzenpus posted about 3 months ago | from the protect-ya-neck dept.

Security 137

An anonymous reader writes "Bromium Labs analyzed public vulnerabilities and exploits from the first six months of 2014. The research determined that Internet Explorer vulnerabilities have increased more than 100 percent since 2013, surpassing Java and Flash vulnerabilities. Web browsers have always been a favorite avenue of attack, but we are now seeing that hackers are not only getting better at attacking Internet Explorer, they are doing it more frequently."

137 comments

Surprise! (-1, Troll)

Anonymous Coward | about 3 months ago | (#47521655)

IE has always been a crappy, insecure browser which doesn't adhere to standards.

Color me unsurprised.

It's always been shit, and most of us keep it as the browser of last resort for work stuff which required a crappy, insecure browser which doesn't adhere to standards.

Piece of crap.

Microsoft have long since demonstrated they couldn't write a decent browser if Ballmer's life depended on it.

In fact, some day I hope Ballmer's life does depend on IE.

Re:Surprise! (5, Funny)

ArcadeMan (2766669) | about 3 months ago | (#47521679)

Yeah, but no other browser can claim a 100% increase in vulnerabilities!

Take THAT, Apple, Mozilla, Google and Opera!

Re:Surprise! (5, Funny)

Anonymous Coward | about 3 months ago | (#47521795)

Don't worry--those who were responsible for that browser were all just sacked.
 
... and those who were responsible for sacking the browser writers were all sacked.

Re:Surprise! (2)

ArcadeMan (2766669) | about 3 months ago | (#47522561)

Mynd you, møøse bites Kan be pretti nasti...

Re:Surprise! (-1)

Anonymous Coward | about 3 months ago | (#47523223)

Shut the fuck up

Re:Surprise! (0)

Anonymous Coward | about 3 months ago | (#47524363)

Brilliant comeback!

Re:Surprise! (0)

Anonymous Coward | about 3 months ago | (#47523481)

I know this might be tagged as -1 redundant / flamebait / trolling; but I honestly never expected the US to know that the word sacked == fired

Re:Surprise! (1)

fahrbot-bot (874524) | about 3 months ago | (#47523601)

Don't worry--those who were responsible for that browser were all just sacked.
... and those who were responsible for sacking the browser writers were all sacked.

Thankfully, my 401k is heavily invested in many and various Sack businesses ... Retirement here I come!

Re:Surprise! (5, Funny)

pr0nbot (313417) | about 3 months ago | (#47522405)

I think your post constitutes a 100% increase in the number of times I've heard Opera mentioned this year.

Re:Surprise! (0)

Anonymous Coward | about 3 months ago | (#47523921)

Come on! La traviata still kicks ass.

Re:Surprise! (3, Informative)

LordLimecat (1103839) | about 3 months ago | (#47523357)

Neither can IE. It has a ~5-10% increase.

The summary is absolute garbage; it implies that the number of vulnerabilities is doubled (it isn't), that IE security is worse (but public exploits are reduced from last year, and mean time to patch is vastly reduced), and that it's always been worse (last year, Chrome and Firefox had more exploits than IE).

Unsurprisingly, everyone here took the bait.

Re:Surprise! (0)

Anonymous Coward | about 3 months ago | (#47523611)

Neither can IE. It has a ~5-10% increase.

Just depends on how you look at the data and interpret the words. I say that there was a 0% increase...that is, the vulnerabilities were already there, the users just didn't know about them.

Re:Surprise! (0)

Anonymous Coward | about 3 months ago | (#47523829)

That's very likely not true at 0% are new...sometimes the vulnerabilities are not there from a previous point in time, and get introduced via patches to other vulnerabilities.

Re:Surprise! (2)

dave562 (969951) | about 3 months ago | (#47523949)

Good points. The first thing that I thought when I read the summary was that the only way there could be a 100% increase is if the number of previous vulnerabilities was very small. Finding two vulnerabilities in the same period of time in which one was previously found is a 100% increase. Just like finding 60 when the previous amount was 30 is also a 100% increase.

Re:Surprise! (0)

Anonymous Coward | about 3 months ago | (#47524815)

Wouldn't it be nice if there was an xkcd to explain your math!

Re:Surprise! (1)

sproketboy (608031) | about 3 months ago | (#47521681)

Dude, tell us what you really think.

Re:Surprise! (1)

bumba2014 (3564161) | about 3 months ago | (#47521767)

I also do not understand, those people still using MSIE, they even send me articles which say that MSIE is more secure than Firefox or Chrome... Well I never have had a trojan or virus from using Firefox/Mozilla the last +10 years. Have had a lot of problems until I stopped using that big piece of shit/crap MSIE. But of course like Einstein said two things are infinite, the cosmos and human stupidity. And he wasn't sure about the cosmos....

No privileges to install Cr or Fx (3, Insightful)

tepples (727027) | about 3 months ago | (#47521895)

I also do not understand, those people still using MSIE

I gather many of them are people at work who lack privileges to install other browsers or to run executables from writable directories. This is reportedly common on government PCs that need to connect to IE-only intranet apps.

Re:No privileges to install Cr or Fx (2)

Cro Magnon (467622) | about 3 months ago | (#47522071)

Recently, at my job, we got an email saying that Firefox was considered "at your own risk", and only those with a business need would be allowed to use it. Luckily, IE choked on one of our sites, and I used that as my justification for FF.

Re:No privileges to install Cr or Fx (0)

Anonymous Coward | about 3 months ago | (#47523037)

I would have hated to be the IT person that was forced to write that.

Re:No privileges to install Cr or Fx (0)

Anonymous Coward | about 3 months ago | (#47523055)

So those browsing porn sites will still use IE

Tepples has a great point (-1)

Anonymous Coward | about 3 months ago | (#47522249)

I'd also like to add to it (having done ASP.NET & ASP coding in industrial/business environs): A strength of IE is here - nothing else truly really "integrates" as well (in my professional development experience thus far) into Intranet internal to corporate environs quite as well including group policies/volume network-wide management & with as much easily done database connectivity (via many methods to many disparate db engines) & this is by "way of comparison" to other webbrowsers - correct me if/where I am 'wrong/off', but that's been MY experience on all those grounds noted (2).

So, that all "said & aside" - now, do I *espouse* the use of IE online on the PUBLIC internet? Sadly, no. Why?? The premise behind this very article - security.

Yes - It's got potential & MS is truly *trying* to standardize it as well as secure it (every patch Tuesday almost has IE patches for most all versions over time as an example thereof for instance)... but, it has a lot of security "holes" even now still.

APK

P.S.=> Good point tepples, I agree, & merely wanted to "2nd your motion" & add on to it as a developer who's been exposed to some IE strengths in the business world since 1995 or so, onwards - what I noted IS one of them! apk

Re:No privileges to install Cr or Fx (1)

Anonymous Coward | about 3 months ago | (#47522497)

Posting AC just because...

In a previous life, I was prohibited from installing FF/Chrome in any way whatsoever, as only a certain image was allowed, and everything in the image had to get vetted by a regulation compliance committee, a legal team, a license vetting team, and so on. So, it was MSIE or no browser.

The good news is that Chrome can come as a signed MSI file, and FrontMotion has repackaged FF as a MSI for easy mass pushes.

MSIE has a unique place. In the enterprise, FIPS 140-2 and Common Criteria certifications are a must, and even though that doesn't mean much... it does when the auditors come to town.

Were it left to me, I'd include Chrome's MSI. Chrome with its virtual machine isn't 100%, but it does a good job at mitigating attacks. Installing EMET is another layer that is useful (although also not 100%.)

Re:No privileges to install Cr or Fx (2)

GerbilKor (2926575) | about 3 months ago | (#47522697)

Internal websites/apps that only work in one browser are understandable. I am baffled by the numerous public-facing government websites that, to this day, only work in IE. I haven't seen a non-government site do that since, I don't know, early 2000's maybe?

Re:No privileges to install Cr or Fx (1)

irrational_design (1895848) | about 3 months ago | (#47523177)

I've found that people who have always used IE are set in their ways and naturally distrust Firefox or Chrome. My father-in-law has always used IE and was having trouble with it. I got him to install Firefox and try it, but I could tell he totally didn't trust it and I have no doubt that he is still using IE.

Re:No privileges to install Cr or Fx (1)

theronb (1170573) | about 3 months ago | (#47523263)

IE was required at work but after talking with a helpdesk tech who admitted they mostly used FF or Chrome, I installed FF on my workstation. Then I got an email from network services that I'd better cut it out; they have lots of in-house stuff on intranet sites that requires active-X. Then I retired, so now all is good.

No privileges to install Cr or Fx (1)

jpenguin (1503021) | about 3 months ago | (#47524309)

There are portable versions of FF & Chrome

Re:No privileges to install Cr or Fx (1)

podmate (1115907) | about 3 months ago | (#47524523)

I am one of those people. We are stuck on IE 9 and won't be moving anytime soon. I work at a VERY security aware entity who have everything locked down, but they will only let us use IE 9. We are allowed to use unapproved software or hardware, but have to get the approval of the CIO which is beyond difficult to get.

Tepples has a great point... apk (-1)

Anonymous Coward | about 3 months ago | (#47524915)

I'd also like to add to it (having done ASP.NET & ASP coding in industrial/business environs): A strength of IE is here - nothing else truly really "integrates" as well (in my professional development experience thus far) into Intranet internal to corporate environs quite as well including group policies/volume network-wide management & with as much easily done database connectivity (via many methods to many disparate db engines) & this is by "way of comparison" to other webbrowsers - correct me if/where I am 'wrong/off', but that's been MY experience on all those grounds noted (2).

So, that all "said & aside" - now, do I *espouse* the use of IE online on the PUBLIC internet? Sadly, no. Why?? The premise behind this very article - security.

Yes - It's got potential & MS is truly *trying* to standardize it as well as secure it (every patch Tuesday almost has IE patches for most all versions over time as an example thereof for instance) - however, it has a lot of security "holes" even now still.

APK

P.S.=> Good point tepples, I agree, & merely wanted to "2nd your motion" & add on to it as a developer who's been exposed to some IE strengths in the business world since 1995 or so, onwards - what I noted IS one of them! apk

Re:Surprise! (1)

lister king of smeg (2481612) | about 3 months ago | (#47523087)

You think that is bad? I know someone who is still running AOL.

Re: Surprise! (0)

Anonymous Coward | about 3 months ago | (#47523293)

Do they ever load up a punter and boot someone offline like it's 1997!?

Re:Surprise! (0)

LordLimecat (1103839) | about 3 months ago | (#47523373)

Firefox was "more vulnerable" in 2013, and actually for several years post IE9, I believe it was generally considered LESS secure than MSIE due to its lack of common protections (like reduced privilege, sandboxing, etc).

The real surprise here is that people on a tech site continue to use awful metrics for judging things ("works for me", "everyone else hates it, must be bad").

Re:Surprise! (0)

plover (150551) | about 3 months ago | (#47521775)

Samzenpus has always been a crappy, insecure editor who doesn't adhere to journalistic standards of integrity.

Color me unsurprised.

He's always been shit, and most of us keep reading as the site of last resort for nerd stuff which survived a long list of crappy, untrained editors who don't adhere to standards.

Piece of crap.

Slashdot has long since demonstrated they couldn't write a decent article if Rob Malda's life depended on it.

In fact, some day I hope Anonymous Coward's life does depend on /..

See what I did there?

Go read The Fine Article before spouting your nonsense.

^Microsoft^Slashdot Beta (1)

OffTheLip (636691) | about 3 months ago | (#47522299)

FTFY

Eh? (4, Informative)

Sockatume (732728) | about 3 months ago | (#47521689)

I can't see where the 100% figure comes from. The report says that IE attacks hit a record high in exploited zero-days in the first half of 2013, but they're now much lower.

Re:Eh? (4, Insightful)

SQLGuru (980662) | about 3 months ago | (#47521747)

Yeah, even reading the PDF (http://www.bromium.com/sites/default/files/bromium-h1-2014-threat_report.pdf/ [bromium.com] ) didn't show any sort of "AAAAAHHHHH!!!! The world is ending!" type of numbers. They show IE decreasing the patch time since 2007. There are charts showing that Zero days are decreasing. The Appendix shows 3 more entries in the National Vulnerability Database. Reporting statistics in percentages without referring to what the percentage is based on is just clickbait.

All software has holes. Larger use base makes for a bigger target. Blah blah blah. These stories aren't going to change what people use because the common person isn't reading them.

Re:Eh? (2)

BasilBrush (643681) | about 3 months ago | (#47522191)

What are you finding unclear about this graphic?

http://www.net-security.org/im... [net-security.org]

Re:Eh? (0)

Rhipf (525263) | about 3 months ago | (#47522401)

Did you even look at that graph?
It does show a slight increase for IE but definitely not 100%.
At best this shows an increase from ~125 vulnerabilities to ~135. That's ~10% not 100%.

Re: Eh? (1)

IamTheRealMike (537420) | about 3 months ago | (#47522441)

Did YOU look at the graph? The bars are comparing all of 2013 against the first half of 2014 (obviously, as the second half is in the future). So the fact that IE already matched last year's record is where the 100% figure comes from - it's another way to say "doubled". Unless the second half of 2014 has a lower exploit rate then the conclusion will be correct.

Re: Eh? (2)

Sockatume (732728) | about 3 months ago | (#47522475)

Shouldn't that be worded "vulnerabilities will have increased 100%, assuming this trend continues" and not "vulnerabilities have increased 100%"? At any rate I'm sure you're right that it's what the article author meant.

Re: Eh? (2)

crimson tsunami (3395179) | about 3 months ago | (#47523455)

No they really have already increased 100%.
The trend may continue in the future or it may not, but as of right now the amount of vulnerabilities per unit time is twice as much, or 100% more, than in the past.
Eye-balling from the graph, last year averaged ~10 per month, this year is averaging ~20 per month. A 100% increase.

Re: Eh? (1)

sexconker (1179573) | about 3 months ago | (#47524855)

The number of vulnerabilities per time is not the same as the number of vulnerabilities.
You can't say the number of vulnerabilities has increased 100% by using two measurements of vulnerabilities / time and then normalizing both with respect to time. That gets you a normalized number of vulnerabilities per time, not a normalized number of vulnerabilities.

Re: Eh? (2)

Rhipf (525263) | about 3 months ago | (#47522527)

OK I'll admit that I didn't notice the H1 in the graph right away but...

Unless the article author has a time machine you still can't say that the vulnerabilities have increased 100% until they actually have. It would have been better if the author had compared the first half of 2013 to the first half of 2014. At least that way the comparison is grounded in facts not speculation.

Re:Eh? (1)

IRGlover (1096317) | about 3 months ago | (#47522645)

The graph compares all of 2013 with the first half of 2014. The implication being that, if so far this year there have been as many vulnerabilities as all of last year, then by the end of the year there will be twice as many. It is very poor analysis as there might be no more bugs found this year, a million bugs found this year, or something in between.

Re: Eh? (1)

Chewbacon (797801) | about 3 months ago | (#47521879)

Looks like Windows XP era browsers and now unsupported browser versions. So it's no surprise since Microsoft took their hands off of the products that all these exploits come out of the woodwork.

No actual numbers (4, Insightful)

CastrTroy (595695) | about 3 months ago | (#47521699)

Even after looking at the full report, I see no actual numbers for how many vulnerabilities there were. Going from 1 vulnerability to 2 vulnerabilities would have been a 100% increase, without a huge reason for concern. They also state:

a trend underscored by a progressively shorter time to first patch for its past two releases

Is time to first patch really a bad thing? It really means that vulnerabilities were found, and that they were fixed quickly. As opposed to vulnerabilities found and not fixed quickly. I suppose it's worse than "no vulnerabilities found" but even if none are found, it doesn't mean they don't exist. Fixing things quickly is about the best thing you can do. It also goes on to say in the report

Both IE exploits released in 2014 (CVE-2014-1776, CVE-2014-0322) used Flash to build the ROP chain and launch shellcode

Which really leads me to believe that the numbers really did go from 1 to 2, and that the exploits were more due to Flash than they were to specific functionality in IE. MS was able to work around the bug by stopping it at the first step, but looks like the exploit isn't possible without Flash.

Re:No actual numbers (3, Insightful)

Ol Olsoc (1175323) | about 3 months ago | (#47521751)

Even after looking at the full report, I see no actual numbers for how many vulnerabilities there were. Going from 1 vulnerability to 2 vulnerabilities would have been a 100% increase

and

Is time to first patch really a bad thing? It really means that vulnerabilities were found, and that they were fixed quickly. As opposed to vulnerabilities found and not fixed quickly. I suppose it's worse than "no vulnerabilities found" but even if none are found, it doesn't mean they don't exist. Fixing things quickly is about the best thing you can do.

You have convinced me sir. I'm switching to Internet Explorer, the safest most secure browser ever made, with possibly only 1 vulnerability. Have you considered running damage control for disgraced politicians?

Re:No actual numbers (-1)

Anonymous Coward | about 3 months ago | (#47521787)

Have you considered killing yourself because you're a pathetic waste of oxygen and meat? If not, you should. Correct the error your mom made by not aborting you.

Re:No actual numbers (1)

LordLimecat (1103839) | about 3 months ago | (#47523419)

Have you considered reading the article before criticizing someone else's analysis of it?

Apparently not.

Re:No actual numbers (0)

Anonymous Coward | about 3 months ago | (#47523607)

Maybe next time you could comprehend the article, rather than just read it.
Unless you do understand a 100% increase when you already have the most vulnerabilities is a bad thing and you're just a MS shill doing damage control.

Re:No actual numbers (1, Insightful)

LordLimecat (1103839) | about 3 months ago | (#47524213)

There WAS no 100% increase. The article misinterprets the graph, and the report that it references contradicts its analysis. IE rose from some ~130 vulns to some 140 vulns; that's not 100%, it's like 5%.

Like Mugato, I feel like I'm taking crazy pills here. Almost no one bothered to fact check the original report, but everyone has an opinion on it. Keep doing what you do, slashdot.

Re:No actual numbers (1)

Qzukk (229616) | about 3 months ago | (#47524889)

The article, headline, story and comments are all bullshit.

Assuming the graph is not also bullshit, the correct story is that in the first 6 months of 2014 (1H 2014 on the graph), IE has had more vulnerabilities than all of 2013. IF this keeps up, then by the end of 2014, IE will have had more than a 100% increase in the number of vulnerabilities over last year.

Re:No actual numbers (1)

Ol Olsoc (1175323) | about 3 months ago | (#47523775)

Have you considered reading the article before criticizing someone else's analysis of it?

Apparently not.

Have you considered WHOOSH?

But since you didn't quite get it.....

Do you think that IE going from 1 Vulnerability to 2 vulnerabilities is somehow, in some way, anywhere even close to the dog's breakfast that IE is? Seriously?

Have you considered that using a quick patch as indication of the security is ever to be considered a good thing, an excellent example of just how darn secure a browser is? If they made a patch every 15 seconds from here to eternity, it would be proof of the best darn browser, most secure experience on earth?

Sorry, m'Lord. I gave that "analysis" every bit of respect it deserved.

Re:No actual numbers (0)

LordLimecat (1103839) | about 3 months ago | (#47524195)

IE had fewer vulnerabilities last year than Chrome, or Firefox. This year it has more. That's not a slam dunk, or an indication that IE is a dog's breakfast.

IE has been substantially rewritten since the IE6 days, and is a sort-of-decent browser these days. These days it's Firefox that's the dog's breakfast; the only saving grace it has is its low userbase and its strong extension support that can plug some of the glaring holes (like its crappy 1-process architecture, its lack of sandboxing for anything, etc).

Re:No actual numbers (4, Informative)

BasilBrush (643681) | about 3 months ago | (#47522199)

Looking at the graphic the raw number looks like about 130 for all of 2013, and slightly more for the first half of 2014.

New Microsoft CEO (4, Interesting)

ArcadeMan (2766669) | about 3 months ago | (#47521705)

Does anyone think there's any chance that the next IE version will simply switch to Blink or WebKit, with a fallback to Trident if the X-UA-Compatible meta is present?

If that happens, Firefox will be the odd one out as far as rendering is concerned.

Re:New Microsoft CEO (3, Interesting)

gstoddart (321705) | about 3 months ago | (#47521803)

Does anyone think there's any chance that the next IE version will simply switch to Blink or WebKit

Microsoft switch IE to use components written by someone else?

I place the likelihood of that as pretty small.

Microsoft have always had a huge case of "Not Invented Here", and I don't see that changing.

Re:New Microsoft CEO (1)

Richard_at_work (517087) | about 3 months ago | (#47521883)

In the past Microsoft may have had an NIH approach, but over the past few years they have significantly changed from that in the developer area - switching from the Microsoft Ajax tools to jQuery, using Json.Net etc etc etc.

Re:New Microsoft CEO (1)

ArhcAngel (247594) | about 3 months ago | (#47522881)

In the past Microsoft may have had an NIH approach, but over the past few years they have significantly changed from that in the developer area - switching from the Microsoft Ajax tools to jQuery, using Json.Net etc etc etc.

I'm not sure either the OP or this one understand what NIH means. It's part of the EEE [wikipedia.org] philosophy. Look for a hot new technology in the consumer space. Identify the leaders in that space. Purchase one of the leaders and modify the technology so that it is no longer 100% compatible with anybody else's version of the tech. Market the hell out of your version and destroy the competition. Internet Explorer [wikipedia.org] was licensed from Spyglass [wikipedia.org] and all versions of IE up to 6 were based on that code. In this case Microsoft was so desperate to beat Netscape they gave Internet Explorer away for free which really pissed Spyglass off because their license was based on revenue from sales of IE. In the end it worked too well and the industry was stuck with dependency on IE 6 for over a decade. If Microsoft can figure out a way to integrate Blink or Webkit and make it work I don't see why they wouldn't as long as they can monetize it in some way.

Re:New Microsoft CEO (1)

operagost (62405) | about 3 months ago | (#47521995)

Well, IE was originally created using Spyglass' code...

Re:New Microsoft CEO (0)

Anonymous Coward | about 3 months ago | (#47522739)

"Not Invented Here"

They are the Knights Who Say NIH.

Re:New Microsoft CEO (0)

Anonymous Coward | about 3 months ago | (#47524959)

I second this post.

Re:New Microsoft CEO (2)

l0ungeb0y (442022) | about 3 months ago | (#47522837)

Microsoft have always had a huge case of "Not Invented Here", and I don't see that changing.

I believe you mean, "Not copied, ripped off, or acquired and gutted here"

Re:New Microsoft CEO (2)

Princeofcups (150855) | about 3 months ago | (#47523669)

Microsoft switch IE to use components written by someone else?

I place the likelihood of that as pretty small.

Microsoft have always had a huge case of "Not Invented Here", and I don't see that changing.

Considering that IE is based on Mosaic, SQLServer is based on Sybase, etc. etc., I don't think Microsoft has ever really "invented anything here."

Re:New Microsoft CEO (3, Informative)

jones_supa (887896) | about 3 months ago | (#47521809)

Why? Trident is very fast and standards-compliant engine.

Re:New Microsoft CEO (1)

bumba2014 (3564161) | about 3 months ago | (#47521875)

jeh right...

Re:New Microsoft CEO (1)

rescendent (870007) | about 3 months ago | (#47521813)

That would be a terrible thing; strong independent competition is a good thing; the browser scape would be far worse for it.

Re:New Microsoft CEO (0)

Anonymous Coward | about 3 months ago | (#47522053)

Does anyone think there's any chance that the next IE version will simply switch to Blink or WebKit, with a fallback to Trident if the X-UA-Compatible meta is present?

If that happens, Firefox will be the odd one out as far as rendering is concerned.

Gosh I hope not. Have you any idea how many bugs there are in Blink/Webkit?

More seriously, the web desperately needs to maintain the current situation of there being multiple rendering engines on the market; it's a large part of why we've managed to get to a relatively stable position now with decent standards compliance and new features going through the standards process rather than just being added arbitrarily by the market leader.

We are in a much weaker position in this regard since Opera threw in the towel.

We've been in a monoculture environment with web browsers before. I really don't want to be in that position again. Sure it made life easier for web developers only having to care about one browser, but the downsides far outweighed that.

Re:New Microsoft CEO (1)

holostarr (2709675) | about 3 months ago | (#47523465)

I actually believe it would be beneficial if all browsers switched to webkit/blink. Having everyone switch to the same engine is not the same as having only one dominant browser. The issue in the past was that IE was the dominant browser and was only developed and maintained by Microsoft, however, with webkit/blink it's not a single entity contributing to the development, everyone who is using it is actively improving it. I think Microsoft joining the effort will improve browser compatibility.

Re:New Microsoft CEO (0)

Anonymous Coward | about 3 months ago | (#47522311)

Nope, MS suffers from Not Invented Here syndrome, despite the fact that nothing they ever made was actually invented there.

Re:New Microsoft CEO (0)

Anonymous Coward | about 3 months ago | (#47522727)

I sure hope not.
Didn't we suffer enough with the IE monopoly? You want a new monopoly now?

Odd Conclusion (5, Insightful)

bveldkamp (1838948) | about 3 months ago | (#47521707)

That's an odd conclusion to draw from the report. What it actually says is:

1. Number of vulnerabilities in IE remains constant from 2013 to 2014, other applications see a decrease
2. Number of public exploits in IE decreases from 11 to 3 in that same period
3. Number of days to patch in IE decreases from ~80 to ~5 between IE7 and IE 11

Re:Odd Conclusion (5, Informative)

BasilBrush (643681) | about 3 months ago | (#47522245)

We seem to be having a lot of astroturf from MS today.

IE Exploits.
2013 = 130
H1-2014 = 133.

Bearing in mind the year vs half-year, that's a 104% increase. So no it's not an odd conclusion at all.

Re:Odd Conclusion (1, Insightful)

Sockatume (732728) | about 3 months ago | (#47522485)

If by "astroturf" you mean "readers genuinely confused by a tersely written article and report", then yes. Why are Slashdotters so quick to conclude that Slashdotters are all corporate shills? You would think that Slashdotters of all people would know that Slashdotters aren't.

Re:Odd Conclusion (0)

Anonymous Coward | about 3 months ago | (#47522897)

Because Slashdotters are fucking idiots.

They've chased away anyone with a reasonable opinion by labeling them astroturfers and shills, and they wonder why the community is dying.

Re:Odd Conclusion (0)

Anonymous Coward | about 3 months ago | (#47522827)

Actually, that's 104% of the previous value, which would be a 4% increase. Or are you seriously trying to argue that staying the same is a "100% increase", and cutting by half is a "50% increase"?

Re:Odd Conclusion (1)

crimson tsunami (3395179) | about 3 months ago | (#47523531)

Staying the same numerical value is a '100% increase' if the time-frame you are discussing is 1/2 as long as before.
Don't worry, you're not the only person to fail at reading comprehension while trying to display your mathematical prowess.

Re:Odd Conclusion (0)

simplypeachy (706253) | about 3 months ago | (#47522429)

Pfft, as if any Windoze users have IE11 installed. Poppycock! Your figure of "80 days to 5" between "dinosaur" and "current" versions of Internet Explorer are of no relevance. You're clearly in the pay of Micro$haft.

Sensationalist subject (1)

Anonymous Coward | about 3 months ago | (#47521711)

Reporting on a 'percentage increase' in vulnerabilities really doesn't give you an idea of how large of a problem there really is. I didn't read TFA after seeing the garbage headline, but it's probably not worth my time. If there were no vulnerabilities and suddenly there was one, that's an increase of an infinite percent!!! Also, does this mean the number of vulnerabilities increase, or just the ones that people were aware of? Another worthless Microsoft bashing article, nothing to see here. Head on over to Soylent News [soylentnews.org] for some more interesting stories that might actually be worth reading.

Default Browser FTW (0)

Anonymous Coward | about 3 months ago | (#47521741)

It's pretty obvious that regardless of security measures it will always be the largest target because the demographic is people who aren't tech savvy and don't install a different browser on their store-bought windows machine. These are the same people who make up the majority of that 10% that fall for phishing attempts noted from the phishing article from earlier this morning. ...running an expired Norton 2009 that hasn't been working since the 6 month trial ran out.

A Ligh (0)

Anonymous Coward | about 3 months ago | (#47521765)

A ligh perpetrated by the man to keep the browser down.

Surprise! (0)

Anonymous Coward | about 3 months ago | (#47521781)

And we all thought that with complexity and bloat comes security?
This is why JavaScript, Adobe and Explorer are perfect together.
They really are "the" doorways to the Internet.

A rule of thumb.. (3, Interesting)

js3 (319268) | about 3 months ago | (#47521807)

if someone gives you a percentage they are trying to make it better or worse than it actually is.

Re:A rule of thumb.. (3, Insightful)

oodaloop (1229816) | about 3 months ago | (#47521845)

if someone gives you a percentage they are trying to make it better or worse than it actually is.

And contrariwise, if they give you raw numbers, it's the opposite. That's logic!

Re:A rule of thumb.. (1)

gstoddart (321705) | about 3 months ago | (#47521907)

Well, around 80% of the time at least. ;-)

Re:A rule of thumb.. (0)

Anonymous Coward | about 3 months ago | (#47522077)

Actually, this can be better formulated as: "If someone gives you numbers without any sort of reference, he is full of shit".

Re:A rule of thumb.. (1)

Andrio (2580551) | about 3 months ago | (#47522463)

If someone mods you up, your post's karma will increase by 33%

Re:A rule of thumb.. (0)

Anonymous Coward | about 3 months ago | (#47523443)

if someone gives you a percentage they are trying to make it better or worse than it actually is.

Heads I win, Tails you lose

Obligatory Colbert GIF (0)

Anonymous Coward | about 3 months ago | (#47521857)

Vulnerabilities did not increase (3, Interesting)

WD (96061) | about 3 months ago | (#47521903)

Just because you don't know about vulnerabilities, that doesn't mean that they're not there. The vulnerabilities are present in the code before they are discovered.

Having said that, drawing conclusions from vulnerability counts is usually an exercise in futility. There are many factors that affect how many vulnerabilities are discovered and disclosed, including availability of vulnerability-finding tools, discovery of novel attack techniques, or simply critical mass of interest in the security field.

So (0)

Anonymous Coward | about 3 months ago | (#47522015)

Web browsers have always been a favorite avenue of attack, but we are now seeing that hackers are not only getting better at attacking Internet Explorer, they are doing it more frequently.

Are the hackers getting that much better, or is MS just writing that much poorer code? Plus Microsoft has a habit of refusing to patch known exploits as an extortion technique to get people to "upgrade".

100% Increase (3, Funny)

JD-1027 (726234) | about 3 months ago | (#47522033)

I'm betting it had more than one vulnerability...

http://xkcd.com/1102/ [xkcd.com]

This is a surprise? (2)

BCW2 (168187) | about 3 months ago | (#47522227)

History shows that more than 80% of Windows vulnerabilities are IE based. Only the gullible and foolish would use such an unsecure and worthless piece of crapware. IE has never been good. M$ couldn't even give it away when Netscape cost money. Nobody would use it when it was free. M$ had to incorporate it into the OS before they got any real market share.

Re:This is a surprise? (0)

Anonymous Coward | about 3 months ago | (#47523763)

M$ couldn't even give it away when Netscape cost money
Yeah they got to 98% market penetration. *NO* one at all used it /sarc

MS's browser was better, faster, and cheaper than Netscape. Netscape would crash if you looked at it funny. It was not until about v20 that they finally got rid of that irritating quirk where it would stall out the whole browser if it could not authenticate a name and I use Firefox and Chrome every day now.

M$ had to incorporate it into the OS before they got any real market share.
It was well on its way to 50% of the market before that happened. Netscape sucked balls past about v2. Even then we only used Netscape because it was better than Mosaic. Pretty much everyone demanded MS put it in. Then pretty much everyone got mad when it happened. We begged them to do it. It was one less thing to mess around with on a desktop install, as it was already there.

The real pity was MS decided to call v6 good enough and called it a day. They took a strong lead in the market and had the engineering chops to back it up and squandered it.

I remember the browser wars. MSIE6 was the awesome when it came out. No other browser touched it for features or speed. Compare it to Chrome or even Firefox now though and it's garbage.

The only reason I ditched was I like my browser to not infect my computer if I look at it funny. That is the reason everyone else ditched. I would still use it as its 'jankyness' is less than the other two out there...

The only reason all the quirks became a big deal and a major pain is because MS dropped the ball then handed it over to Mozilla and then said here score a goal while you're at it we are on the piss.

Which IE? 4, 5, 6.....10? 11? (1)

Tomsk70 (984457) | about 3 months ago | (#47522607)

Another 'news' article that contains almost nothing.

Still, at least it's not another news article by someone pretending that a reseller of hardware would have no interest in pushing old tin.

XP still has 20% market? Maybe that helps. (0)

Anonymous Coward | about 3 months ago | (#47523111)

Given the fact that XP still holds a big percentage of Windows users, I think you could draw on a conclusion that many are still using IE8. That's an attractive statistic in itself. I have to wonder though given the rise in Chrome usage when the focus won't turn away from IE and towards Chrome. You know it's going to happen and you know some attacks will be successful. Chrome has been hacked in contests just as much as IE or Firefox. A better option to stay safer online is use a less popular browser like Maxthon or Slimbrowser or even Opera as they are in the single digit user percentage and tend to be unattractive to hackers.
I think it's a broken record to keep busting on IE because we all know because of its ties to Windows OS that it has more issues with security. Microsoft has made strides with things like Protected Mode and sandboxing. But it's never going to fix the problems unless IE breaks its connection with Windows.

Business plan (1)

jbmartin6 (1232050) | about 3 months ago | (#47523819)

1. Write software to sandbox $APPLICATION [bromium.com]
2. Release report exaggerating "increase in vulnerabilities" in $APPLICATION
3. Profit!

IE dangerous, but useful for now... (1)

LessThanObvious (3671949) | about 3 months ago | (#47523897)

I use I.E. for one reason these days. Every company I end up working for has some internal business application that only gets tested and supported on I.E. and this is particularly the case after I lock down Firefox for actual web browsing. These kinds of internal business applications often fail with even minimal security restrictions.

I hold out little hope that apps designed to be run in controlled environments will ever work with a decently locked down browser. The issue is that the most vulnerable business users will take their corporate issued laptop with I.E. and default settings and use that as if it's sane to use that configuration on the internet.

US-CERT first post was right at the end :) (1)

martiniturbide (1203660) | about 3 months ago | (#47524229)

US-CERT used to post a report some time ago advising to switch to another browser, after a few hours they changed the statement.

http://martin.iturbide.com/2014/04/do-you-trust-us-cert.html