Secunia Security Factsheet
Secunia Security Factsheet: Internet Explorer | 2011/Q4
Welcome to the 2011/Q4 Security Factsheet for Internet Explorer
The Security Factsheet outlines the development in advisories and vulnerabilities in the
last three months on a year-on-year (YoY) basis, and presents specific data
on advisories for Internet Explorer.
For a quick summary of the 2011/Q4 status, please refer to the three key indicators:
Advisories, Vulnerabilities (CVEs), and the year-on-year (YoY) trend.
This 2011/Q4 Security Factsheet is part of the Security Factsheet series provided to
you by Secunia, the leading provider of Vulnerability Intelligence and
Management, and can be downloaded from:
http://secunia.com/factsheets/IE-2011Q4.pdf
Stay secure
secunia.com
Summary/Overview
Advisories YoY: 9 (11), -18%
Vulnerabilities YoY: 38 (54), -30%
Report date: 2011-12-31
Reporting period: 2011/Q4

                   Advisories   Vulnerabilities
YTD                9            38
Preceding 12 mo.   11           54
Last 12 mo.        9            38
YoY Trend          -18%         -30%
[Figure: Number of Advisories, last vs. preceding 12 months, by month (Jan to Jan). YoY: -18%; preceding 12 mo.: 11; last 12 mo.: 9.]
Cumulative number of Secunia Advisories of the two recent 12 months periods (YoY) as of 2011/Q4. Advisories are used as a first order approximation for the number of security events or administrative actions required to keep software secure in a given period of time.

[Figure: Number of Vulnerabilities, last vs. preceding 12 months, by month (Jan to Jan). YoY: -30%; preceding 12 mo.: 54; last 12 mo.: 38.]
Cumulative number of CVEs of the two recent 12 months periods (YoY) as of 2011/Q4. CVE counts are a viable metric for the number of distinct vulnerabilities found in software.
[Figure: Attack vector, in # of advisories. Categories: Local system, From local network, From remote.]
The attack vector describes whether an attacker can exploit the vulnerability from the Internet, a local network, or if he needs authenticated unprivileged access to the system.

[Figure: Criticality, in # of advisories. Categories: Not, Less, Moderate, High, Extreme.]
The criticality is based on an assessment of the vulnerability's impact on a system, the attack vector, mitigating factors, and if actively exploited prior to the release of a patch.

[Figure: Impact, in # of advisories. Categories: Security Bypass, Cross Site Scripting, Spoofing, Exposure of sensitive info, System access.]
Classification of the impact of successful exploitation on the affected system.
Legend
The data is based on vulnerabilities disclosed between 2005-01-01 and 2011-12-31.
The year-on-year (YoY) analysis compares the last 12 months to the preceding 12 months.
For a full explanation of the methodology and terminology see:
http://secunia.com/resources/methodology.pdf
[Figure: Year-on-year 12 months periods. Timeline axis: 2010, 2011, 2012; periods labelled "preceding" and "last".]
Secunia Security Factsheet | 2011/Q4 | SecFrs10
Email: [email protected]
secunia.com/factsheets
[Figure: History of advisories by calendar year, 2005 to 2011.]
Number of Secunia Advisories published in a given calendar year for the last years.

[Figure: History of vulnerabilities by calendar year, 2005 to 2011.]
Number of vulnerabilities (CVEs) published in a given calendar year for the last years.
[Figure: Solution status at the day of advisory disclosure. Categories: Vendor Patch, Partial Fix, Un-patched.]
The solution status tracks the vulnerability remediation available at the disclosure date of the advisory.

[Figure: Time to patch for advisories disclosed and patched in the last 24 months. Categories: >0 days, >30 days, >60 days, >90 days, >180 days, >360 days. Legend (criticality): Extreme, High, Moderate, Less, Not.]
Delay between vulnerability disclosure and the availability of a patch for all patches released within the last 24 months.
List of the 6 most recent Internet Explorer versions covered (out of 6 versions)
1 Microsoft Internet Explorer 9.x
2 Microsoft Internet Explorer 8.x
3 Microsoft Internet Explorer 7.x
4 Microsoft Internet Explorer 6.x
5 Microsoft Internet Explorer 5.5
6 Microsoft Internet Explorer 5.01
DISCLAIMER
The data is based on Secunia’s Vulnerability Intelligence database and analysis of Secunia Research. Secunia Advisories typically cover multiple vulnerabilities. Consequently, the number of Advisories issued for a product does not necessarily reflect the number of vulnerabilities that have been disclosed. A security comparison between products is inherently difficult and should not be based on vulnerability data only. Major factors such as type of product, market share, product and platform bundling, vendor/community research activity, and product release lifecycles must also be taken into consideration.