Symantec Global Internet Security Threat Report
The average window of exposure for Internet Explorer in 2009 was less than one day, based on a sample set of 28 patched vulnerabilities. Eighteen days was the maximum amount of time to release a patch for Internet Explorer in 2009. Internet Explorer had an average window of exposure of seven days in 2008, based on a sample set of 31 patched vulnerabilities. The maximum amount of time to release a patch in 2008 was 147 days.
It took an average of one day for Microsoft to release a patch for Internet Explorer, while on average public exploits emerged two days after vulnerability publication. Usually, Microsoft has kept the window of exposure to a minimum; however, its monthly patch cycle can introduce important exceptions in cases where vulnerabilities are disclosed publicly before the scheduled release. In November 2009, exploit code was released for a new vulnerability in Internet Explorer.[93] A patch was released for the vulnerability (18 days after the release of the exploit code) as part of the monthly Microsoft patch release for December. While, in general, Microsoft was able to release patches before exploit code was publicly available, the longest patch turnaround time for the year was for a vulnerability with working public exploit code.
Chrome had a window of exposure of two days in 2009, from a sample set of 29 patched vulnerabilities. In 2009, the maximum amount of time for a patch to become available for Chrome was 16 days. In 2008, Symantec documented an average window of exposure of three days for Chrome, based on a sample set of six patched vulnerabilities.[94] The maximum patch time for a vulnerability was 11 days.
In 2009, the window of exposure for Opera was less than one day, based on a sample set of 16 patched vulnerabilities; the maximum patch time was three days. The window of exposure for Opera in 2008 was one day, based on a sample set of 33 patched vulnerabilities. In 2008, the maximum time to patch a vulnerability was 29 days.
In 2009, Firefox had a window of exposure of less than one day for a sample set of 151 vulnerabilities, and the maximum patch time was 75 days. Firefox had a window of exposure of less than one day in 2008, based on a sample set of 83 patched vulnerabilities, and the maximum patch time was 30 days.
Mozilla continues to maintain a narrow window of exposure despite the challenge of patching the largest number of vulnerabilities of any browser vendor. This is due to factors such as aggressive auditing by the security and development community, in addition to Mozilla's security bug bounty program, which compensates security researchers for responsibly disclosing vulnerabilities in Mozilla products.[95]
The browsers analyzed in 2009 all had an average window of exposure of less than one day, except for Chrome and Safari. Additionally, all browsers except Safari either held their window of exposure steady or improved it. This demonstrates an increased effort by vendors to minimize the amount of time that users are exposed to exploits. While Internet Explorer remains the most targeted of the browsers and the most likely to be associated with zero-day and malicious code attacks, other browser vendors enjoying an increase in market share seem to be anticipating the risks posed by such attacks.
93. http://www.securityfocus.com/bid/37085
94. It should be noted for comparison that Google Chrome data for the previous year begins in September 2008 because that is when Chrome was officially released to the public.
95. http://www.mozilla.org/security/bug-bounty.html