Browser infection rate against an exploit pack

From http://www.prevx.com/blog/107/Fiesta---Monitoring-ITW-exploit.html

The overall infection rate for this exploit pack was 3137/26076, or about 12%. The data also gives breakdowns by browser used. Be careful about making comparisons though, because this will vary by the exploits used in a given exploit pack, and also because of correlations that affect security. For example, those who use IE6 may have different security habits and configurations than those who use IE7.

 

Thanks MrBrian. From the list of exploits it looks like FF wasn't targeted therefore is this why it appears to have done so well? I admit I don't know what some of the exploits are. But then again, isn't the PDF exploit universal?

 

You're welcome

Yes, I believe the reason is that Firefox wasn't targeted by this particular exploit pack, and also wasn't vulnerable to the PDF exploit(s) included, for whatever reason.

 

Thanks! It's also kinda interesting to see how many folks still run older browser versions.

 

At least in Poland and Russia...

 

It was also interesting to see that those on XP SP1 had an infection rate well below XP SP2, and that Vista had a low infection rate.

 

I missed that part.

Yikes! Windows 2003 got hammered at 47.3%.

 

Barring aside this exploit pack which was made with obvious intention to make IE8 and others look bad, there are exploits out there for FF which are yet to be patched and this article here sheds some light on the safety issue with FF in general. http://www.networkworld.com/news/2009/030909-mozilla-patches-fastest.html

 

Well, they were kind enough to provide percentage breakdowns by OS and browser version, and it appears that IE only looks bad when you're using old IE versions on old XP, with 90% of the infections attributed to IE6.

 

It's also interesting to note how they define "infection". The best I could find was: " The victims browser will then iterate through a series of exploits, to see if they are vulnerable to any of them," which isn't very helpful.

While it may be possible to get your exploit code running in the memory space of the browser process, to call just that as an "infection" is questionable at best. Chrome and IE7 / IE8, for example, have additional safeguards (sandboxing, Protected Mode) that can block payloads even if the exploit code gets successfully installed and running.

 

I feel if one keeps using old unpatched browser or OS, no matter what their origin, they deserve to get infected. Even running older unpatched Linux kernel would get you into heaps of trouble. Same goes for running older FF or Opera versions. IE8 and Chrome have set a good precedence by incorporating protected mode, something other brosers should emulate and learn from.

 

This page shows a different version of the exploit pack that has managed to achieve "loads" via Firefox. I wonder if the labels for SP1 and SP2 are transposed, because SP1 shows a much greater number of visits than SP2, which doesn't seem likely.

 

A page with different stats