Symantec Global internet Security threat report
previous versions of the Symantec Global Internet Security Threat Report have discussed vulnerabilities according to whether they were vendor confirmed or non-vendor confirmed, because vulnerabilities that were not confirmed were also included in the data. this differentiation was important, especially given the disparity in patch times between vendors. However, starting with Volume X of the Symantec Internet Security Threat Report, this convention is no longer followed and no differentiation is made between vendor-confirmed vulnerabilities and non-vendor-confirmed vulnerabilities when calculating the total number of vulnerabilities.
individual browser vulnerabilities are difficult to precisely identify. A reported attack may be a combination of several conditions, each of which could be considered a vulnerability in its own right, which may distort the total vulnerability count. Some browser issues have also been improperly identified as operating system vulnerabilities or vice versa. this is partly due to increased operating system integration that makes it difficult to correctly identify the affected component in many cases. Additionally, some browsers are available for mobile and desktop platforms. therefore, the following caveats exist for this metric:
Many vulnerabilities in shared operating system components can be exposed to attacks through the browser. this report enumerates only those vulnerabilities that are known to affect the browser itself where sufficient information is available to make the distinction.
Vulnerabilities in mobile versions of a browser are only counted if they also affect the desktop version of the browser application. this metric is mainly concerned with evaluating vulnerabilities in desktop Web browsers and not their mobile equivalents.
Window of exposure for Web browsers
the window of exposure is calculated for vulnerabilities associated with the following Web browsers:
Microsoft internet Explorer
Symantec records the window of time between the publication of an initial vulnerability report and the appearance of third-party exploit code; this is known as the exploit code development time. the time between the disclosure date of a vulnerability and the release date of an associated patch is known as the patch development time. the time lapse between the public release of exploit code and the time that the affected vendor releases a patch for the affected vulnerability is known as the window of exposure. the average window of exposure is calculated as the difference in days between the average patch development time and the average exploit code development time. During this time, the computer or system on which the affected application is deployed may be susceptible to attack, as administrators may have no official recourse against a vulnerability and must resort to best practices and workarounds to reduce the risk of attacks.