IE was the most vulnerable web browser in the first half of 2014

The browser market is a fiercely competitive arena dominated by three big players: Microsoft, Google and Mozilla. Yes, there are other browsers out there like Safari and Opera, but for the most part, Internet Explorer, Chrome and Firefox are the household names that most consumers know.

While the browsers are free, there is a lot of money on the line too. Why? Well, when a user installs a browser, the default search engine on that browser is the path to revenue for these companies. For example, Firefox sells Google the rights to be its default search engine for around $300 million a year. Google does this because it will earn all of that back, and likely a lot more, as Firefox users search through Google, allowing the company to serve its advertisements to a wider audience.

According to a new security report from Bromium, Internet Explorer was the most vulnerable web browser in the first half of 2014. The firm states that IE was the most patched and most exploited product in the first half of 2014, surpassing Java and Flash.

The chart above shows the trend in vulnerabilities: the blue bars represent vulnerabilities in 2013 and the red bars those in 2014. As you can see, Internet Explorer's vulnerabilities increased in 2014 compared to 2013, and the number is quite high compared to the other products that were reviewed. More importantly, the blue bars cover all vulnerabilities in the whole of 2013, so more vulnerabilities were reported in IE in the first half of 2014 alone than during the entire previous year.

The report focused on widely used consumer products, which explains why non-browser applications appear in it. It is worth pointing out that Office remains a secure application, which will likely reassure enterprises that use this product heavily.

Why is Internet Explorer at the top of the list? The answer likely lies in the fact that IE still holds a significant chunk of the browser market share, and that legacy versions of Internet Explorer, such as IE6, are still prevalent enough on the remaining unpatched Windows XP machines that targeting them is a lucrative opportunity.

No matter the product that you use to browse the web, common sense is still the best security mechanism. If a website asks you to install a new add-on or download a file, unless you specifically clicked a link to download an application, leave that webpage and do not install the files.

Source: Bromium Security Report (PDF)


55 Comments


As soon as you find out the report includes IE6 on XP, as well as successful exploits in the wild after patches have been released, in determining the IE data, you can be sure the study has an agenda and is useless for making actual decisions, other than fuel to the "please stop using IE6" fire to be presented to upper-management somewhere.

Another reason to not worry about not being able to upgrade from IE10 to IE11. MS still seems to have a lot of installation problems with that version. Anyway, FireFox is still a very viable substitute, at least on 32-bit machines.

And in other news, Android users have made the most calls of all smartphone users; we therefore conclude that Android is the best smartphone for calling.

Ronnet said,
And in other news, Android users have made the most calls of all smartphone users; we therefore conclude that Android is the best smartphone for calling.

No no, you're supposed to twist it around and say they make the most calls because the apps are too horrible to use instead and it's all they have left.

Jeez, learn to spin.

Joshie said,

No no, you're supposed to twist it around and say they make the most calls because the apps are too horrible to use instead and it's all they have left.

Lol

Joshie said,

No no, you're supposed to twist it around and say they make the most calls because the apps are too horrible to use instead and it's all they have left.

Jeez, learn to spin.

I already put a spin into it, but you just didn't see it because you accepted my premise. So thank you for the compliment ;)

This is terrible journalism. You shouldn't be publishing reports based on shoddy statistics. How on earth does this show anything meaningful if it includes unsupported IE versions? Brad, you should actually take this down. It's that bad.

Are they also counting the vulnerabilities in Firefox 1.0 and earlier and Chrome 1.0? That would make it fair, at least for Firefox.

adrynalyne said,
Nor 7, nor 8 (for the most part).

Windows 7 SP1 is still in mainstream support until 2015, and gets security patches until 2020. Windows 8 (no updates) gets axed in 2015 as well; you need the updates to stay in support. 8 (with updates) is supported until 2023.

Max Norris said,

Windows 7 SP1 is still in mainstream support until 2015, and gets security patches until 2020. Windows 8 (no updates) gets axed in 2015 as well; you need the updates to stay in support. 8 (with updates) is supported until 2023.

Erm...I wasn't talking Windows. I was replying to an article on IE.

adrynalyne said,
Erm...I wasn't talking Windows. I was replying to an article on IE.

Ah. You replied to a guy who mentioned IE and Windows. I'm comfortable enough to admit a derp when I earn one.

That said... isn't IE 8's "primary OS" considered to be Windows 7? IE tends to follow their "main" OS support cycles: 6 being XP, 7 being Vista, 8 being 7. (Yeah, that's not confusing.) If that's the case, 8's supported... ish.

Max Norris said,

Ah. You replied to a guy who mentioned IE and Windows. I'm comfortable enough to admit a derp when I earn one.

That said... isn't IE 8's "primary OS" considered to be Windows 7? IE tends to follow their "main" OS support cycles: 6 being XP, 7 being Vista, 8 being 7. (Yeah, that's not confusing.) If that's the case, 8's supported... ish.

Yeah, my "for the most part" comment was to support the "ish" part :D

Partly too because that would be Windows 7 prior to SP1, and I'm not sure if that falls under supported anymore (too lazy to look).

EXTREMELY misleading article. Including old versions of IE and not breaking down vulnerabilities by version is the worst kind of statistical cherry picking.

No doubt it won't be long before the tech media pick this up and run with it.

Agreed... if you look at the actual CVE database, the version numbers are all over the place, and a good number only apply to a specific version or two, not all; that alone paints a very skewed picture. But if you want to pull in old versions that go that far back (IE6 was released 12 years ago), you may as well be consistent about it, because when you do that IE doesn't have the most vulnerabilities. There are people running outdated versions of other stuff too. Going across the same time span across the board, the top five offenders are the Linux kernel, Firefox, Chrome, OS X, and then XP. IE's at #8, Windows 7 is at #23, and Windows 8 is barely on the list at all, relatively speaking.

Forjo said,
EXTREMELY misleading article. Including old versions of IE and not breaking down vulnerabilities by version is the worst kind of statistical cherry picking.

No doubt it won't be long before the tech media pick this up and run with it.

They do this all the time when it relates to Android and the different versions of their OS. And people eat it up. Bigger numbers get views/ratings; small numbers, not so much. It makes the assumption that all versions are affected, creating a bigger shock value.

It's interesting to see that the bigger security steps Java has taken after last year seem to be having an impact. So that's good.

And while Google's deal with Mozilla will net them search result revenue, it's not uncommon for companies like Google or Microsoft to pay Open Source companies money to keep them operating. For example, Google and Microsoft both pay money to a group that funds stuff like OpenSSL, etc. Thankfully OpenSSL will finally start getting a bigger piece of that pie after Heartbleed.

How about they break down the stats instead of these reductionist quick one-line stats? Give us stats on which versions of IE are being targeted, whether IE11 is less secure than other browsers... This is such a joke for an article. If you read the actual PDF with the Bromium report, they are writing a load of nonsense. Graphs don't make sense, stats are used in the wrong context and WIKIPEDIA is cited as a reference! What the hell?

B0mberman said,
How about they break down the stats instead of these reductionist quick one-line stats? Give us stats on which versions of IE are being targeted, whether IE11 is less secure than other browsers... This is such a joke for an article. If you read the actual PDF with the Bromium report, they are writing a load of nonsense. Graphs don't make sense, stats are used in the wrong context and WIKIPEDIA is cited as a reference! What the hell?

This report is complete nonsense.

In 2014, there was only one 0day flaw that could have affected IE11, and it was patched in 5 days, before being widely exploited; furthermore, it WAS NOT able to bypass the sandbox.

Which means there was actually no working 0day exploit targeted at IE11 users this year.

This report goes as far as counting flaws that were exploited in the wild AFTER the patch was released. WTF?!?

I like how they include ie6 and XP in their calculations. No ######ing ###### that a browser that's 10 years old and hasn't received updates in years would be vulnerable.

Why not just use IE10 and 11?

elenarie said,
Jeez, I wonder how many vulnerabilities other browsers have when you include their 10+ year old versions.

Will literally shoot thru the roof :)

Crimson Rain said,

Will literally shoot thru the roof :)

Especially that Chrome crap! :)

I'll use IE any day over any other browser although I have been using Firefox lately.

To be including all versions of IE like this is absolutely stupid in a comparison like this. :x

I was like wtf till I read about IE6 & XP. That made sense. Too bad Microsoft doesn't understand that users want to use addons. Well, they are always late to the game (mobile, having an actual good browser, etc.), and if they ever support addons, it will be after so many years.

Diehard Firefox user (Nightly), and I can say that IE11 rocks!

Konstantine said,
I was like wtf till I read about IE6 & XP. That made sense. Too bad Microsoft doesn't understand that users want to use addons. Well, they are always late to the game (mobile, having an actual good browser, etc.), and if they ever support addons, it will be after so many years.

Diehard Firefox user (Nightly), and I can say that IE11 rocks!

Actually IE does support plugins, but strangely enough nobody is making anything worthwhile for it, just some stupid toolbars and such. There was just one great plugin called IE7Pro, but development stopped when they tried to adapt it for IE8 and apparently gave up.

Konstantine said,
I was like wtf till I read about IE6 & XP. That made sense. Too bad Microsoft doesn't understand that users want to use addons. Well, they are always late to the game (mobile, having an actual good browser, etc.), and if they ever support addons, it will be after so many years.

Diehard Firefox user (Nightly), and I can say that IE11 rocks!

Addons are a double edged sword.

Konstantine said,
I was like wtf till I read about IE6 & XP. That made sense. Too bad Microsoft doesn't understand that users want to use addons. Well, they are always late to the game (mobile, having an actual good browser, etc.), and if they ever support addons, it will be after so many years.

Diehard Firefox user (Nightly), and I can say that IE11 rocks!

Internet Explorer was the first major browser to support add-ons.

Yes, kind of a deceptive headline and article. Yes, if you roll all IE versions together, this is true. If you are a consumer deciding which browser to use, it's irrelevant, since only current versions should be looked at.

How vulnerable millions of pirated copies of XP are shouldn't really be a factor in this kind of analysis.

Grunt said,
In other news: water is wet, grass is green.

Who was it that said, "if you repeat it enough times, it becomes true"? Anyway, IE is usually the one with the lowest number of vulnerabilities. I think MS released an unusual patch which plugged like 50 holes this year, probably some amped-up security effort at MS. But it tells us nothing really, because any other browser under that kind of scrutiny probably would've had a similar amount. IE is the most attacked, and most of the time has the lowest number of vulns, though, and ironically when this is true, the IE haters tell us it is because open source allows them to find and patch more bugs, which means there are fewer bugs in the software, blah blah blah. How anyone takes a group that continually attacks from both sides seriously is beyond me.

Grunt said,
In other news: water is wet, grass is green.

A few months ago, Microsoft started paying security researchers $1100 per memory corruption bug reported to the company.

On the other hand, Google pays only $500 for that kind of minor bug when no working exploit is provided.

That alone explains why, compared to last year, there is a huge increase in reported flaws. And it's actually a good thing that these flaws are reported and then fixed, rather than being kept for private use.