According to a study compiled by the Washington Post’s Brian Krebs, Internet Explorer 6 was vulnerable for 284 out of 365 days in 2006. That amounts to over 77% of the year. What does that mean? It means that for 3/4 of the year there were known vulnerabilities affecting Internet Explorer 6 for which no patch existed.
Some were fairly serious zero-day exploits that were being actively exploited in the wild while users waited for an update from Microsoft. Others were less serious, but still left users exposed, mostly due to the nature of the monthly Security Bulletin and patch release schedule that Microsoft uses. A flaw that is discovered the day after “Patch Tuesday” will most likely remain unpatched for an entire month until the next “Patch Tuesday”. By contrast, Krebs found that the Firefox browser was only vulnerable for 9 days, and IE7 was too new to have any substantial data for this year’s survey.
The pro-Firefox, Microsoft-bashing crowd will jump all over this. You can see it in the comments on Krebs’ article. I fall into the camp that believes that IE is targeted because of its market share as much as the quality of the code. Firefox or Opera may, in fact, be superior from a security standpoint, but neither is impervious and if they had 85% of the web browser market share we wouldn’t be so hyper-focused on the weaknesses of Internet Explorer (and neither would the malware authors). Still, it doesn’t paint a pretty picture and Microsoft should take notice and seek to rectify the issue for IE7 and for 2007. You can read Krebs’ complete article here: Internet Explorer Unsafe for 284 Days in 2006