Secunia Security Factsheet: Internet Explorer | 2011/Q1

Welcome to the 2011/Q1 Security Factsheet for Internet Explorer

The Security Factsheet outlines the development of advisories and vulnerabilities in the last three months on a year-on-year (YoY) basis, and presents specific data on advisories for Internet Explorer.

For a quick summary of the 2011/Q1 status, please refer to the three key indicators: Advisories, Vulnerabilities (CVEs), and the year-on-year (YoY) trend.

This 2011/Q1 Security Factsheet is part of the Security Factsheet series provided to you by Secunia, the leading provider of Vulnerability Intelligence and Management, and can be downloaded from:

http://secunia.com/factsheets/IE-2011Q1.pdf

Stay secure

secunia.com

Summary/Overview

Advisories YoY: 9 (11), −18%

Vulnerabilities YoY: 34 (54), −37%

Report date: 2011-03-31

Reporting period: 2011/Q1

                    Advisories    Vulnerabilities
YTD                 1             0
Preceding 12 mo.    11            54
Last 12 mo.         9             34
YoY Trend           −18%          −37%

[Figure: Number of Advisories, last vs. preceding 12 months. Months Apr to Apr. YoY: −18%; preceding 12 mo.: 11; last 12 mo.: 9.]

Cumulative number of Secunia Advisories of the two recent 12-month periods (YoY) as of 2011/Q1. Advisories are used as a first-order approximation for the number of security events or administrative actions required to keep software secure in a given period of time.

[Figure: Number of Vulnerabilities, last vs. preceding 12 months. Months Apr to Apr. YoY: −37%; preceding 12 mo.: 54; last 12 mo.: 34.]

Cumulative number of CVEs of the two recent 12-month periods (YoY) as of 2011/Q1. CVE counts are a viable metric for the number of distinct vulnerabilities found in software.

[Figure: Attack vector, in number of advisories. Categories: Local system, From local network, From remote.]

The attack vector describes whether an attacker can exploit the vulnerability from the Internet, from a local network, or whether he needs authenticated unprivileged access to the system.

[Figure: Criticality, in number of advisories. Categories: Not, Less, Moderate, High, Extreme.]

The criticality is based on an assessment of the vulnerability's impact on a system, the attack vector, mitigating factors, and whether it was actively exploited prior to the release of a patch.

[Figure: Impact, in number of advisories. Categories: Cross Site Scripting, Spoofing, Exposure of sensitive info, DoS, System access.]

Classification of the impact of successful exploitation on the affected system.

Legend

The data is based on vulnerabilities disclosed between 2005-01-01 and 2011-03-31. The year-on-year (YoY) analysis compares the last 12 months to the preceding 12 months. For a full explanation of the methodology and terminology see: http://secunia.com/resources/methodology.pdf

[Figure: Year-on-year 12-month periods. Timeline 2009 to 2012 marking the "preceding" and "last" periods.]

Secunia Security Factsheet | 2011/Q1 | SecFrs10

Email: [email protected]

secunia.com/factsheets


[Figure: History of advisories by calendar year, 2005 to 2011.]

Number of Secunia Advisories published in a given calendar year for the last years.

[Figure: History of vulnerabilities by calendar year, 2005 to 2011.]

Number of vulnerabilities (CVEs) published in a given calendar year for the last years.

[Figure: Solution status at the day of advisory disclosure. Categories: Vendor Patch, Partial Fix, Unpatched.]

The solution status tracks the vulnerability remediation available at the disclosure date of the advisory.

[Figure: Time to patch for advisories disclosed and patched in the last 24 months. Categories: >0 days, >30 days, >60 days, >90 days, >180 days, >360 days. Legend: Extreme, High, Moderate, Less, Not.]

Delay between vulnerability disclosure and the availability of a patch for all patches released within the last 24 months.

List of the 6 most recent Internet Explorer versions covered (out of 6 versions)

1 Microsoft Internet Explorer 9.x

2 Microsoft Internet Explorer 8.x

3 Microsoft Internet Explorer 7.x

4 Microsoft Internet Explorer 6.x

5 Microsoft Internet Explorer 5.5

6 Microsoft Internet Explorer 5.01

DISCLAIMER

The data is based on Secunia’s Vulnerability Intelligence database and analysis of Secunia Research. Secunia Advisories typically cover multiple vulnerabilities. Consequently, the number of Advisories issued for a product does not necessarily reflect the number of vulnerabilities that have been disclosed. A security comparison between products is inherently difficult and should not be based on vulnerability data only. Major factors such as type of product, market share, product and platform bundling, vendor/community research activity, and product release lifecycles must also be taken into consideration.
