Microsoft PR blunder over Internet Explorer security
Once again, Microsoft's security evangelist Jeff Jones has tried to substantiate his proposition that Internet Explorer is at least as secure as Firefox. However, the Washington Post's Brian Krebs has clarified that the figures Jones used for the comparison are misleading.
For his current PR campaign, Jeff Jones released a whole series of articles on the website of CIO magazine, which is produced by US publishers IDG. In the first few parts of the series he discussed a study by Brian Krebs, according to which the users of Internet Explorer were acutely threatened by security holes on a total of 284 days in 2006.
In his statistics, Jones demonstrated that Firefox users had to live with unpatched security holes for 285 days. However, Krebs clarified in his response that Jones had once again compared apples and oranges. While Krebs counted only critical holes that allowed malformed web pages to infect visitors' computers, Jones added up all the vulnerabilities. These included three holes with a low rating and one with a medium rating, which together accounted for the major proportion of the 285 days stated; without them, Jones would have arrived at a total of only 9 days.
In his conclusion, Krebs also points out that Jones completely disregarded another aspect. During 98 days of that year, internet fraudsters exploited vulnerabilities in Internet Explorer for which there was no protection, because Microsoft hadn't yet released a patch. Conversely, Krebs found no indication that any such zero-day holes were actively exploited in Firefox. Taking into account the zero-day hole in IE at the end of 2008, this PR campaign has turned out to be quite an own goal.