Web browser 'windows of exposure' shrink

Web browser makers are getting quicker at patching vulnerabilities, according to antivirus vendor Symantec's latest global security report.

The average time between the release of malicious code that targets Web browsers and patches, dubbed the "window of exposure", was smaller for most vendors during the first half of 2006 compared with the last half of 2005, Symantec reported on Monday.

During the window of exposure, hackers can attack a system through the Web browser. System administrators and individuals instead have to use workarounds and best practices to reduce the risk of a successful hack.

Microsoft's Internet Explorer (IE) has the longest average window of exposure at nine days, according to Symantec. This is a big drop from an average of 25 days in the last half of 2005.

IE has been beset by numerous problems over the years, including its most recent flaw in the way IE 6 handles graphics. An official patch is still not available for this problem.

Compared with its own performance last year, Apple Safari has got worse. The average window of exposure increased from 0 days from July to December 2005, to 5 days in the first six months of this year. This statistic may have been affected by the spate of vulnerabilities disclosed in OS X early this year, which included Safari flaws.

Mozilla Firefox has also performed worse, dropping from an average window of exposure of minus two days to plus one day.

Opera has been particularly successful in shrinking its window of exposure, dropping from 18 days last year to 2 days this year.

"Exploit code for enterprise-vendor vulnerabilities is still being released quickly, forcing administrators to respond rapidly despite a lack of vendor-supplied remediation," said the Symantec report.

"However, the decreasing patch development time indicates that enterprise vendors are responding more quickly to vulnerabilities. Despite this, it is critical that organizations follow up with installation of patches."