Martin McKeay

Security Matters

Statistics don't lie, IE6 is insecure

Brian Krebs has gone beyond the usual finger pointing at Microsoft and actually gathered the statistics to show how insecure Internet Explorer 6 was in 2006. For 284 days of 2006, IE6 had substantial, unpatched flaws that were being exploited and probed. There is probably a little wiggle room in the statistics, so that number might be argued down to 250 or so, but that is still about two thirds of the year that IE6 was vulnerable. What I find disturbing is that this is only the amount of time the patches were unavailable; how long it took for the patches to actually be applied by the average business or home user is an entirely different question. Probably a more important question, but one that would be nearly impossible to ascertain.
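The "days unpatched" figure above is a union of exposure windows, not a sum: two flaws open at the same time only count once, and a flaw still open at year end is clipped to December 31. The "wiggle room" comes from choices such as whether to count flaws that were publicly known but not observed being exploited. The following added example (not Krebs' data or method, and using constructed sample windows rather than real 2006 advisories) shows how that calculation is done, including the overlap merging and the year-end clipping:

```python
"""Count the days in a year on which at least one known, unpatched flaw was open.

All windows are constructed sample data for illustration; they are not the
real 2006 Internet Explorer 6 advisories.
"""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Window:
    name: str
    disclosed: date          # first day the flaw was publicly known (or seen exploited)
    patched: Optional[date]  # day the fix shipped; None means still unpatched
    exploited: bool          # whether in-the-wild exploitation was observed


# Constructed sample windows (hypothetical names and dates).
SAMPLE_WINDOWS: List[Window] = [
    Window("bug-A", date(2006, 1, 1), date(2006, 3, 1), True),
    Window("bug-B", date(2006, 2, 15), date(2006, 4, 10), True),   # overlaps bug-A
    Window("bug-C", date(2006, 6, 1), date(2006, 7, 1), False),    # known, not exploited
    Window("bug-D", date(2006, 11, 20), None, True),               # unpatched at year end
]


def clip_and_merge(windows: List[Window], year: int) -> List[Tuple[date, date]]:
    """Clip each window to [Jan 1, Jan 1 of next year) and merge overlaps.

    Intervals are half-open: the disclosure day counts, the patch day does not.
    """
    year_start = date(year, 1, 1)
    year_end = date(year + 1, 1, 1)
    spans = []
    for w in windows:
        lo = max(w.disclosed, year_start)
        hi = min(w.patched or year_end, year_end)  # None -> still open at year end
        if lo < hi:
            spans.append((lo, hi))
    spans.sort()
    merged: List[Tuple[date, date]] = []
    for lo, hi in spans:
        if merged and lo <= merged[-1][1]:
            # Overlapping or adjacent: extend the previous span instead of double counting.
            merged[-1] = (merged[-1][0], max(merged[-1][1], hi))
        else:
            merged.append((lo, hi))
    return merged


def exposure_days(windows: List[Window], year: int, exploited_only: bool = False) -> int:
    """Days in `year` with at least one open window (optionally only exploited ones)."""
    selected = [w for w in windows if w.exploited or not exploited_only]
    return sum((hi - lo).days for lo, hi in clip_and_merge(selected, year))


def longest_open_stretch(windows: List[Window], year: int) -> int:
    """Longest continuous run of days with an unpatched flaw open."""
    return max(((hi - lo).days for lo, hi in clip_and_merge(windows, year)), default=0)


if __name__ == "__main__":
    print("all known flaws:", exposure_days(SAMPLE_WINDOWS, 2006))
    print("exploited only: ", exposure_days(SAMPLE_WINDOWS, 2006, exploited_only=True))
    print("longest stretch:", longest_open_stretch(SAMPLE_WINDOWS, 2006))
```

With the sample data, counting every known flaw gives 171 days while counting only exploited flaws gives 141; that gap is exactly the kind of definitional choice that moves a headline number by a few weeks. The longest merged stretch (99 days here) is the figure to compare against any "patched within N days" promise, since overlapping windows hide how long a user was continuously exposed.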

We all know that Internet Explorer 7 is out now (you have upgraded, haven't you?), but there are still a lot of users who continue to use IE6. IE7 only lasted a few days before the first vulnerabilities were found, and the attempts to break the browser are only intensifying, never decreasing. IE7 has more security measures in place than any version of the browser before it, but if it is going to take Microsoft a month or more to patch a vulnerability once it is found, it is still not secure enough.

I'm not a big fan of the "Month of (Pick a product) Vulnerabilities", but I've come to believe that this is sometimes the only way to get some vendors to respond. The Securosis blog has declared February to be the "Month of No Bugs" to give vendors a chance to play catch-up, but seriously, that's not going to happen. The bad guys are going to keep hacking away at software, and the good guys are going to have to keep working to patch the flaws. What I'd like to see is a "Month of Currently Exploited, Unpatched Bugs": researchers who have managed to get deep enough into the underground to find the 0-day exploits that are being used right now to attack browsers and other software. I think this would be a useful service; vendors would be educated and forced to patch, while the cries of "you're helping the hackers!" would be silenced, since the bugs came from the hacker community to begin with. I'm sure a company like Symantec with their Deepthreat service could contribute to this effort.

The bottom line is that Microsoft has made great strides in its patching over the last few years, but it still has to become much more responsive. Having a known, critical flaw unpatched for 60 days is unacceptable. At the very least, a beta patch should be made available. I know there has to be testing, and I know IE is incredibly complex, but I'm willing to have a patch break a certain percentage of sites for several weeks as long as it protects my browser from a vulnerability that's currently being exploited, at least until a fully tested patch can be developed. I think the trade-off is worth it, both to my business and personally.

What People Are Saying

On the other hand the flaws

On the other hand the flaws have been there for so long and no exploits have been developed (yet). Is it possible that it takes too much time and effort to generate an exploit that only has the potential for a small return to the bad guys? If that is the case, why worry?

I use FF almost exclusively

I use FF almost exclusively myself, but there are occasionally sites that will only work properly in IE, such as Outlook Web Access. That's the only reason I fire up IE7 myself.

Martin McKeay
martin_cw@mckeay.net
http://www.mckeay.net/
Voicemail: 916.231.9479

No, I haven't upgraded to

No, I haven't upgraded to IE7. My IE usage is virtually nil. I use Opera, and sometimes Firefox. IE gets used if everything else fails and only on pages I trust.