Report Highlights Critical Importance of Non-Microsoft Patches

[HardOCP News]

I'm surprised that Chrome had the most vulnerabilities in 2014....by a long shot. Five times as many vulnerabilities than Windows 8? Yikes.

 

[schizrade]

I am not surprised at all.

Most of our patching is non-ms products. You know the shit that never get properly patched in most environments? Dell Kace FTW.

 

[pxc]

I'm surprised that Chrome had the most vulnerabilities in 2014....by a long shot. Five times as many vulnerabilities than Windows 8? Yikes.

Offering money works: http://www.google.com/about/appsecurity/chrome-rewards/

I don't think Chrome has more vulnerabilities than any other browser, especially not exploits active in the wild. Safari's security is crap and it had the lowest number of patches* made for browsers in 2014. The counting metric used doesn't really say much about security overall.

* Apple is very opaque about what's fixed in those patches. It could contain any number of fixes and may cause totals to be undercounted.

 

[Ultima99]

Chrome had over 4x the amount of JAVA?!?

You can dispute the meaningfulness of this data, but its still embarrassing.

 

[shansoft]

Chrome for me overall just unstable and having trouble rendering in some web.
The aggressive cache is really annoying too.

Overall, I prefer Firefox over Chrome for stability and convenience.

Safari on the other hand is not that it's the most vulnerable, they just happened to have some of the one that was report all over the news.

 

[Megalith]

More like the critical importance of patching Google's shitty software.

 

[webdev511]

Chrome may be #1 but look at all those IBM Apps. Eight application servers with 1415 critical bugs between them. Yeah, no wonder you never hear IBM bragging about security.

 

[Shmee]

Vulnerabilities != Exploits. Chrome may have the most, but they may be minor.

 

[xX_Jack_Carver_Xx]

Adobe not even on the list .... I call Shite.

 

[Wierdo]

Vulnerabilities != Exploits. Chrome may have the most, but they may be minor.

Exactly, there's no context to work with, no info about severity or nature. But it's always amusing to see folks try anyway.

Reminds me of when I used to pick five pennies over one dime as a kid, thinking it was more money.

 

[Jagger100]

Vulnerabilities != Exploits. Chrome may have the most, but they may be minor.

because where there's smoke, there's never fire.

 

[Old Paul]

If you add MSN's IE + Windows, you have 394 patches, which is good for Third Place, over all!

 

[Aeryx]

The only thing that this data shows is that Microsoft Windows has less availability for analysis, due to the closed source nature of the software. You may cry foul since Chrome is also closed source, but Chromium can be examined for vulnerabilities, and in theory applied to Chrome, especially older versions.

 

[Old Paul]

Think you need to rethink your User Classification System?

Just because YOU LOST MY LOGIN DATA, YOU ARE COUNTING MY USER CLASS AS STARTING ALL OVER AGAIN?

I have been using computers (Teletype Printing Terminals), since 1972, and Building PCs since 1984, so would think there ought to a better system for classifying a User's past computer knowledge, and experience?

Paul

 

[Wolf_Tech]

I'm not surprised one bit. I knew Chrome had those long time ago. The problem with chrome is the background extentions by default keep running even though chrome is closed. You can turn it off in advanced settings but by default its on. Funny thing is chrome on apple computers has that shut off and greyed out by default.

 

[dyzophoria]

I don't think it is a big issue as long as you patch bugs fast which is where Chrome is good at thanks to Google's rewarding system for finding bugs on the system.

 

[Quartz-1]

Of course, Chrome is the most open to bug reports of those and Google pays for bugs found.

 

[Wierdo]

because where there's smoke, there's never fire.

Well howbout this, you can use software A with 2 bugs that format your hard drive and I'll use software B that has 500 bugs involving color of icons.

 

[pxc]

because where there's smoke, there's never fire.

Bad analogy. Where there's frayed cord, either it can be fixed before there's worse consequences (as in bugs discovered in targeted attacks or reported for a cash bounty) or after (bugs generally exploited in the wild).

Equating a transparent number of fixes to a rank of security isn't valid. It's pretty easy to look at a list of exploits to get a better idea of what's more or less secure. Going back for the past 3 years:

Chrome https://web.nvd.nist.gov/view/vuln/search-results?query=google+chrome&search_type=last3years&cves=on
primarily denial of service, but also several types of element related bugs which could trick users. (arbitrary code execution bugs are very rare, and I didn't see one escalation bug in the several pages I sampled)

Firefox https://web.nvd.nist.gov/view/vuln/search-results?query=firefox&search_type=last3years&cves=on
lol really scary stuff which even IE doesn't allow anymore (seriously, click that link), plus lots of arbitrary code execution and denial of service

IE https://web.nvd.nist.gov/view/vuln/...ernet+explorer&search_type=last3years&cves=on
about 10-15% allow escalated privileges (and/or bypass ASLR), others mostly execute arbitrary code

Safari https://web.nvd.nist.gov/view/vuln/search-results?query=safari&search_type=last3years&cves=on
primarily flaws that allow attackers to execute arbitrary code

 

[choppedliver]

Meaningless without context.

Like saying high crime rate of one city because it has a shitload of jaywalkers, compared to a same sized city with a lower crime numbers but they are all murders. ZOMG

 

[NoTrigger]

Question is are they including Google Chrome's "bounty-like" bug reporting where they reward people for reporting bugs? If that's the case, then I'm not surprised by them being at the top of the list. Just last year one of the people were on the news for making upwards of $30,000 just for finding and reporting bugs in Chrome.

 

[Seventyfive]

I think "bugs found" is less relevant than "bugs that still exist". Mathematically they must be inversely correlated within a single release.