This week we looked at patterns in the deployment of the recent Internet Explorer patch MS09-002. Our main interest was to see whether its deployment speed had changed compared to previous IE patches. Considering that an exploit became available roughly a week after the release of the patch, we thought that companies would accelerate deployment, given that the existence of an exploit makes the threat concrete. We normalized the detection data from MS09-002 and from MS08-073, Microsoft's last cumulative patch for Internet Explorer, to put them on the same scale and overlaid them on the same graph. To our surprise, we found that nothing changed: there was no acceleration of patching, and the curves follow a remarkably similar pattern.
However, we noticed one anomaly: the absolute values (the numbers found for each vulnerability) varied by a power of 10. MS09-002, which is only applicable to Internet Explorer 7, had much lower numbers, and plotting them on a common scale we found the difference to be between 80 and 90%. This means that Internet Explorer 6 continues to be the more prominent browser in the enterprise.
Unfortunately, this is bad news! IE7 is a much better browser than IE6: it has improved performance and compliance with standards, and it contains additional security features. Although the public trend on the Internet shows that IE7 surpassed IE6 in mid-2008, according to our live data enterprises persist in using what is tried and true. This not only slows the adoption of new technologies, but also affects the overall security of these companies and makes them more susceptible to attacks. In my experience working with enterprise customers, this behavior still exists as IT teams try to control what version of the software end-users are allowed to use. This is a disservice to them and to all of us in this industry.
- Migrate away from Internet Explorer 6 – your most viable options at this point in time are IE7 and Firefox 3.
- Evaluate the potential impact of patching browsers at a faster rhythm – this would be a side benefit when the choice is Firefox but could also be implemented using Internet Explorer.
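
The normalize-and-overlay comparison of MS09-002 and MS08-073 described in this post can be reproduced on any pair of detection series. The following is an added example, not code or data from the original analysis: the daily counts are constructed, and the function names and the "days to reach half of peak" metric are assumptions chosen to make the comparison measurable.

```python
# Added example. Daily counts of hosts still detected as missing each patch,
# starting at patch release. Values are constructed for illustration only.
MS08_073 = [50000, 47000, 43500, 39000, 35500, 32000, 29000, 26500, 24000, 22000]
MS09_002 = [6000, 5650, 5200, 4700, 4250, 3850, 3500, 3150, 2900, 2650]


def normalize(counts):
    """Scale a series to its own peak so curves of different size overlay."""
    peak = max(counts)
    if peak <= 0:
        raise ValueError("series contains no detections")
    return [c / peak for c in counts]


def max_gap(a, b):
    """Largest day-by-day distance between the two normalized curves."""
    return max(abs(x - y) for x, y in zip(normalize(a), normalize(b)))


def days_to_fraction(counts, fraction=0.5):
    """First day, at or after the peak, with detections <= fraction of peak."""
    norm = normalize(counts)
    start = norm.index(1.0)  # skip any ramp-up before the peak
    for day in range(start, len(norm)):
        if norm[day] <= fraction:
            return day
    return None  # threshold not reached inside the observation window


def volume_difference(smaller, larger):
    """How far the smaller series' peak sits below the larger one (0..1)."""
    return 1 - max(smaller) / max(larger)


if __name__ == "__main__":
    print("max gap between normalized curves:", max_gap(MS08_073, MS09_002))
    print("days to 50% of peak:",
          days_to_fraction(MS08_073), days_to_fraction(MS09_002))
    print("difference in absolute volume:",
          volume_difference(MS09_002, MS08_073))
```

A small gap and equal days-to-half indicate the same deployment speed, while the volume difference reflects how many fewer hosts the second patch applies to.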