[FULL DISCLOSURE: In addition to being a 20-year Security Guy, I work for Microsoft. While I try hard to focus on objective data, go ahead and assume bias, if you wish, and challenge my analysis with your own comments—you'll be helping me fulfill my goal of ensuring all sides of security claims are thoroughly examined and rigorously debated in the public view.]
This is part 2 of a series—you can read part 1 for an introduction. In this article, I will take a look at when you are "at risk" as promoted by Mozilla on its security page as highlighted in the clip. At risk, as they say, is defined as publicly available exploits (including proof-of-concept) with no patch.
Before looking at more recent data, let's review what is behind the "at risk" chart from 2006, two years ago. What releases were available that year?
- IE5.01 supported for the full year
- IE6 supported for the full year
- IE7 supported from October 18 onward (75 days)
- FF1 supported until April 12 (102 days)
- FF1.5 support for the full year
- FF2 supported from October 24 onward (69 days)
For IE (Internet Explorer), a vulnerability was counted if any IE version was affected by an issue (thus, "IE users"). Practically, I believe this means issues affecting IE5.01 (which originally shipped in November 1999) and IE6 (which originally shipped with Windows XP in October 2001).
I note that the first issue in the chart only affected IE5.01, which I can't see affecting very many people. Also, the original source article says that IE7 "came too late in the year to improve the lot of IE users," but I can't quite agree. If a person had upgraded to IE7 when released on October 18, 2006, it would have reduced the "at risk" period by 75 days through the end of the year.
What about the Firefox chart? It took a little work, but here is my list of Firefox issues that had either proof-of-concept or in-the-wild exploit code available in 2006 that were confirmed by Mozilla in a Mozilla Foundation Security Advisory:
|CVE-2005-4134||Jan 1 - Feb 1||31|
|CVE-2006-1942||Apr 17 - Jun 1||45|
|CVE-2006-1993||Apr 18 - May 2||14|
|CVE-2006-2894||Jun 5 - Dec 31||209|
|CVE-2006-4253||Aug 12 - Sep 14||33|
|CVE-2006-5462||Oct 10 - Nov 7||28|
|CVE-2006-6077||Nov 12 - Dec 31||103|
So, based upon these items above, we can now come up with a new "at risk" chart for Firefox users during 2006, modeled after their chart. 31 + 45 + 209 = 285 days "at risk".
Hmm, quite a different picture based upon a little more research, keyed off of the Mozilla Foundation Security Advisories themselves and clicking through on a few links at the http://nvd.nist.gov site. What might be the explanation for why the chart above shows 285 days versus the original study showing only nine days? Basically, I have the benefit of a much longer time period to get 20/20 hindsight, whereas the original study tried to do this just as the period ended—which makes it a harder task to identify all of the issues. It is possible to identify a "waiting period" that gives a more accurate view in hindsight for this type of exposure chart, and you can read about it in more detail if you want in this IEEE paper, Estimating Software Vulnerabilities.
Of course, this is still all very old news with 2006 being two years behind us now. But since this is a metric validated by Mozilla and used in their security marketing claims, I am very curious how the latest Firefox products did in more recent time periods—after all, both IE7 and FF2 shipped in October of 2006 and didn't contribute much to the "at risk" charts in 2006.
Let's review where we are today with the releases:
So, none of the versions promoted by the chart on the Firefox security page are even supported at this point and no single Firefox version was available for all of 2008—though FF2.0 was essentially available for the full year.
Stayed tuned, as I construct more recent disclosure charts for Firefox users in a later part of this series. Before I get to that, however, I will digress a bit in the next article to discuss the issues raised by Mozilla after my Internet Explorer and Firefox Vulnerability Analysis released last year.