Report Highlights Critical Importance of Non-Microsoft Patches

schizrade

Supreme [H]ardness
Joined
Feb 15, 2003
Messages
4,885
I am not surprised at all.

Most of our patching is non-MS products. You know the shit that never gets properly patched in most environments? Dell Kace FTW.
 

pxc

Extremely [H]
Joined
Oct 22, 2000
Messages
33,064
I'm surprised that Chrome had the most vulnerabilities in 2014... by a long shot. Five times as many vulnerabilities as Windows 8? Yikes. :eek:
Offering money works: http://www.google.com/about/appsecurity/chrome-rewards/

I don't think Chrome has more vulnerabilities than any other browser, especially not exploits active in the wild. Safari's security is crap and it had the lowest number of patches* made for browsers in 2014. The counting metric used doesn't really say much about security overall.

* Apple is very opaque about what's fixed in those patches. It could contain any number of fixes and may cause totals to be undercounted.
 

Ultima99

Supreme [H]ardness
Joined
Jul 31, 2004
Messages
4,905
Chrome had over 4x the amount of JAVA?!? :eek:

You can dispute the meaningfulness of this data, but it's still embarrassing. :eek:
 

shansoft

Supreme [H]ardness
Joined
Oct 20, 2008
Messages
5,076
Chrome for me overall is just unstable and has trouble rendering some web pages.
The aggressive cache is really annoying too.

Overall, I prefer Firefox over Chrome for stability and convenience.

With Safari, on the other hand, it's not that it's the most vulnerable; they just happened to have some of the ones that were reported all over the news.
 

Megalith

24-bit/48kHz
Staff member
Joined
Aug 20, 2006
Messages
13,003
More like the critical importance of patching Google's shitty software.
 

webdev511

Limp Gawd
Joined
Dec 1, 2004
Messages
312
Chrome may be #1 but look at all those IBM Apps. Eight application servers with 1415 critical bugs between them. Yeah, no wonder you never hear IBM bragging about security.
 

Shmee

[H]ard|Gawd
Joined
Sep 12, 2014
Messages
1,148
Vulnerabilities != Exploits. Chrome may have the most, but they may be minor.
 

Wierdo

[H]ard|Gawd
Joined
Jul 2, 2011
Messages
1,817
Vulnerabilities != Exploits. Chrome may have the most, but they may be minor.

Exactly, there's no context to work with, no info about severity or nature. But it's always amusing to see folks try anyway.

Reminds me of when I used to pick five pennies over one dime as a kid, thinking it was more money.
 

Old Paul

Weaksauce
Joined
Mar 21, 2015
Messages
64
If you add MSN's IE + Windows, you have 394 patches, which is good for Third Place, overall!
 

Aeryx

n00b
Joined
Sep 19, 2011
Messages
3
The only thing that this data shows is that Microsoft Windows has less availability for analysis, due to the closed source nature of the software. You may cry foul since Chrome is also closed source, but Chromium can be examined for vulnerabilities, and in theory applied to Chrome, especially older versions.
 

Old Paul

Weaksauce
Joined
Mar 21, 2015
Messages
64
Think you need to rethink your User Classification System?

Just because YOU LOST MY LOGIN DATA, YOU ARE COUNTING MY USER CLASS AS STARTING ALL OVER AGAIN?

I have been using computers (Teletype Printing Terminals) since 1972, and Building PCs since 1984, so would think there ought to be a better system for classifying a User's past computer knowledge and experience?

Paul
 

Wolf_Tech

Limp Gawd
Joined
Sep 19, 2010
Messages
230
I'm not surprised one bit. I knew Chrome had those a long time ago. The problem with Chrome is the background extensions by default keep running even though Chrome is closed. You can turn it off in advanced settings but by default it's on. Funny thing is Chrome on Apple computers has that shut off and greyed out by default.
 

dyzophoria

Gawd
Joined
Jan 17, 2006
Messages
946
I don't think it is a big issue as long as you patch bugs fast, which is what Chrome is good at thanks to Google's rewarding system for finding bugs on the system.
 

Quartz-1

Supreme [H]ardness
Joined
May 20, 2011
Messages
4,257
Of course, Chrome is the most open to bug reports of those and Google pays for bugs found.
 

Wierdo

[H]ard|Gawd
Joined
Jul 2, 2011
Messages
1,817
because where there's smoke, there's never fire.

Well how about this, you can use software A with 2 bugs that format your hard drive and I'll use software B that has 500 bugs involving color of icons.
 

pxc

Extremely [H]
Joined
Oct 22, 2000
Messages
33,064
because where there's smoke, there's never fire.
Bad analogy. Where there's frayed cord, either it can be fixed before there are worse consequences (as in bugs discovered in targeted attacks or reported for a cash bounty) or after (bugs generally exploited in the wild).

Equating a transparent number of fixes to a rank of security isn't valid. It's pretty easy to look at a list of exploits to get a better idea of what's more or less secure. Going back for the past 3 years:

Chrome https://web.nvd.nist.gov/view/vuln/search-results?query=google+chrome&search_type=last3years&cves=on
primarily denial of service, but also several types of element related bugs which could trick users. (arbitrary code execution bugs are very rare, and I didn't see one escalation bug in the several pages I sampled)

Firefox https://web.nvd.nist.gov/view/vuln/search-results?query=firefox&search_type=last3years&cves=on
lol really scary stuff which even IE doesn't allow anymore (seriously, click that link), plus lots of arbitrary code execution and denial of service

IE https://web.nvd.nist.gov/view/vuln/...ernet+explorer&search_type=last3years&cves=on
about 10-15% allow escalated privileges (and/or bypass ASLR), others mostly execute arbitrary code

Safari https://web.nvd.nist.gov/view/vuln/search-results?query=safari&search_type=last3years&cves=on
primarily flaws that allow attackers to execute arbitrary code
 

choppedliver

Limp Gawd
Joined
Jan 3, 2005
Messages
479
Meaningless without context.

Like saying high crime rate of one city because it has a shitload of jaywalkers, compared to a same-sized city with lower crime numbers but they are all murders. ZOMG
 

NoTrigger

Limp Gawd
Joined
Feb 18, 2011
Messages
148
Question is, are they including Google Chrome's "bounty-like" bug reporting where they reward people for reporting bugs? If that's the case, then I'm not surprised by them being at the top of the list. Just last year one of the people was on the news for making upwards of $30,000 just for finding and reporting bugs in Chrome.
 

Seventyfive

[H]ard|Gawd
Joined
Jul 14, 2004
Messages
1,347
I think "bugs found" is less relevant than "bugs that still exist". Mathematically they must be inversely correlated within a single release.
 