While browsing through news sites for the latest in IT, I came across a very telling blog posted by Brian Krebs of the Washington Post. His report suggested that Internet Explorer was unsafe for 284 days in 2006. Unsafe, what do I mean by unsafe? Unsafe means that exploit code was publicly available for un-patched critical flaws. Microsoft defines a critical flaw as one being actively exploited for criminal activity without any user interaction other than visiting a malicious website or opening a crafted email. For 98 days last year there were no fixes available for flaws that were being used by criminals to harvest personal and financial data from users. In contrast to this huge amount of time on red alert, Firefox users suffered only 9 days of vulnerability to one critical flaw.
The release of IE7 included much hype over its enhanced security features (because lets face it all of the interface changes make it look and feel just like Firefox). Anti-phishing is one major feature although this won’t stop critical vulnerabilities it will only alert half asleep users that the URL being visited is not the website they are expecting to see. More useful security features include an ActiveX Opt-in that disables most ActiveX controls by default, requiring them to be enables as and when required. When combined with Windows Vista, IE7 runs in a protected mode completely isolated from the rest of the system.
It will be interesting to see if Internet Explorer 7 can put up a tougher fight in 2007 than Internet Explorer 6 has in 2006.