Internet Explorer: The LEAST Secure Browser?
One website is reporting that a record number of security vulnerabilities were discovered in Internet Explorer during the first half of 2014, far more than in Google Chrome or Mozilla Firefox. Should alarms be sounded across the land? Should you tell Mom to switch browsers? Let's find out...
Is Internet Explorer Unsafe at Any Speed?
“We really recommend that you not use Internet Explorer,” I overheard a librarian telling a patron in the local Public Library recently. Chrome and Firefox are available on every terminal at all library branches. I wonder why they don’t simply disable IE to make it disappear, but I understand why they discourage its use: the pundits that everyone heeds miss no opportunity to make IE look bad.
Most recently, Techworld trumpeted that a disturbing number of security vulnerabilities were discovered in Internet Explorer during the first half of 2014, far more than in any other popular program. That’s according to an analysis of U.S. National Vulnerability Database (NVD) figures. Researchers found 133 NVD records of IE vulnerabilities so far in 2014, compared to 130 for all of 2013. By contrast, the competing browsers Chrome and Firefox each logged about 75 vulnerabilities during the first six months of 2014.
But wait; Chrome had 175 vulnerabilities discovered during 2013 while Firefox achieved 150. So over a full year, IE actually had the fewest vulnerabilities of the three major browsers! Confused yet? What Techworld didn't mention is that those numbers don't take into account the severity of the software bugs. Severity is measured on a scale of 0 to 10, with a higher score indicating a more serious problem. Digging a bit deeper, I found that the average severity for vulnerabilities discovered in 2014 tells a story that's a bit more illuminating:
Internet Explorer: Average severity 9.8, with 93% in the 9-10 (most severe) range
Firefox: Average severity 8.0, with 49% in the 9-10 (most severe) range
Chrome: Average severity 7.5, with under 3% in the 9-10 (most severe) range
Okay, Internet Explorer seems to look worst when it comes to both raw numbers of vulnerabilities discovered, and the seriousness of those vulnerabilities. But keep in mind that a vulnerability means only that a security researcher found a software bug that COULD POSSIBLY be exploited by hackers, crackers and other cybervillains.
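To see how a ranking by raw count can disagree with a ranking by severity, here is an added example (not from the original article) that summarizes vulnerability records per product by count, average score, and share in the 9-10 band. The CSV layout, the product names and the scores are constructed for illustration and are not real NVD records.

```python
import csv
import io
from collections import defaultdict
from statistics import mean

# Constructed sample rows (not real NVD records). A real analysis would
# export the product and its severity score from NVD for the period studied.
SAMPLE_CSV = """product,cvss_base
browser_a,9.3
browser_a,10.0
browser_a,9.3
browser_a,7.5
browser_b,7.5
browser_b,4.3
browser_b,9.3
browser_b,6.8
browser_b,5.0
browser_b,7.5
"""

HIGH_BAND = 9.0  # lower bound of the 9-10 band the article calls "most severe"


def summarize(csv_text):
    """Return {product: {"count", "avg", "pct_high"}} from product,cvss_base rows."""
    scores = defaultdict(list)
    for row in csv.DictReader(io.StringIO(csv_text)):
        score = float(row["cvss_base"])
        if not 0.0 <= score <= 10.0:  # reject rows outside the 0-10 scale
            raise ValueError(f"score out of range: {score}")
        scores[row["product"]].append(score)
    return {
        product: {
            "count": len(vals),
            "avg": round(mean(vals), 1),
            "pct_high": round(100 * sum(v >= HIGH_BAND for v in vals) / len(vals)),
        }
        for product, vals in scores.items()
    }


def rank(summary, metric):
    """Products ordered worst-first by the chosen metric."""
    return sorted(summary, key=lambda p: summary[p][metric], reverse=True)


if __name__ == "__main__":
    s = summarize(SAMPLE_CSV)
    for metric in ("count", "avg", "pct_high"):
        print(metric, rank(s, metric))
```

In this constructed data the product with more records has the lower average score, so the "worst" product depends on which metric the headline picks.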
Nobody Expects the Spanish Inquisition!
And of course, nobody expects that they'll fall prey to a security flaw in their favored browser. So how many of those vulnerabilities were actually exploited? Firefox and Chrome have had ZERO exploits since 2010. For IE, there were only 3 in the past year. That's not so bad, considering that these exploits require the user to be tricked into viewing a specially crafted web page in order to be affected. And in each case, Microsoft responded to the flaws with timely fixes.
Microsoft released version 11 of IE last October. Like all new major versions of any software, it contains numerous bugs. The company issued its first security patch for IE 11 just five days after the update hit the Web, compared to more than 80 days lag time back in 2007 to 2011.
So no, IE is not the runaway winner of the Most Dangerous Software of All Time. A deeper look at the details of the software flaws discovered, their relative severities, the number of actual exploits, and the difficulty of carrying out an exploit, reveals that IE, Firefox and Chrome are all very safe vehicles on the information superhighway. The latter two automatically update themselves, and IE will do likewise if Windows Update is run with the default (automatic) settings. And as in the physical world, the driver is the cause of more accidents than the car.
You Want Danger? I'll Show You Danger...
A lot of techies give the Most Dangerous Software title to Java, which is found in more places than IE and has a horrible history of security vulnerabilities and exploits. (See my article, Time to Boycott Java?) Apparently, a lot of people have been boycotting Java of late, encouraging bad guys to seek other victims.
In related news, Firefox 31.0 was released in July with a new anti-malware feature. The browser will now check the Google Safe Browsing reputations of individual files as they are downloaded, as well as checking Web sites’ reputations to warn users away from known phishing and malware sites.
Mozilla announced that Firefox 32.0, due in September, will add a new and more efficient file-checking feature. Before contacting the Google Safe Browsing database, Firefox will check a file for a valid digital signature that confirms the author is known and safe. Only if no signature is found will Firefox refer to the Google Safe Browsing database. If the user has added a software publisher to his/her local list of “known good guys,” Firefox will skip these tests.
The bottom line is that vulnerabilities logged in the National Vulnerability Database are down this year overall. At least temporarily, the good guys seem to be winning. But the pendulum can swing at any time, so keep your local defenses and good computing sense on the alert.
This article was posted by Bob Rankin on 28 Jul 2014
Copyright © 2005 - Bob Rankin - All Rights Reserved
Article information: AskBobRankin -- Internet Explorer: The LEAST Secure Browser? (Posted: 28 Jul 2014)