Chrome trumps all comers in reported vulnerabilities

More vulnerabilities were discovered in Google Chrome last year than in any other piece of core internet software – that's according to research that also found 2014 clocked record numbers of zero-day flaws. The Secunia Vulnerability Review 2015 report [PDF] is built on data harvested by the company's Personal Software Inspector …

  1. Anonymous Coward
    Anonymous Coward

    I wonder how they measure vulnerabilities in Gentoo and Solaris.

    Particularly Gentoo, since out of the box, Gentoo has practically no packages installed and doesn't even have the ssh daemon enabled.

    Solaris is fairly spartan when first installed too from what I remember.

    (Full disclosure: I'm a former Gentoo developer.)

    1. Anonymous Coward
      Anonymous Coward

      Re: I wonder how they measure vulnerabilities in Gentoo and Solaris.

      They can't because they are full of BS. Their web site says their PSI is for Windows only.

      1. Anonymous Coward
        Holmes

        Re: I wonder how they measure vulnerabilities in Gentoo and Solaris.

        "Gentoo OS" is vulnerability code-speak for Chrome OS. And there's probably almost nothing wrong with Gentoo - the problem is all the flash and other crap Google has shoved onto Chromebooks by default.

        Same with the Chrome browser - by itself, the underlying Chromium tends to be highly secure. But when you hard-wire flash into it and start optimizing it for gaming and media streaming, you are bound to expose a lot of vulnerabilities.

        1. This post has been deleted by its author

      2. Anonymous Coward
        Anonymous Coward

        Re: I wonder how they measure vulnerabilities in Gentoo and Solaris.

        "Their web site says their PSI is for Windows only."

        PSI is just patching software. Nothing to do with how they count or record vulnerabilities.

      3. This post has been deleted by its author

    2. thames

      Re: I wonder how they measure vulnerabilities in Gentoo and Solaris.

      I just had a look at Secunia's database, and it looks like they count vulnerabilities in all the software that can run on Gentoo against Gentoo itself. In other words, a Java vulnerability counts against Gentoo, and so do problems with Chrome, Flash, etc. I don't know how they end up with fewer vulns for Gentoo than for Chrome alone, but that might just be because Gentoo might lump several Chrome vulns into one notice.

      Secunia is counting by vendor, and since Gentoo redistributes lots of third party software then all the third party stuff which could potentially get installed gets counted against Gentoo. On the other hand, the exact same software may have the exact same vulnerabilities on MS Windows or Apple OS/X, but it won't be counted against Microsoft or Apple because they didn't distribute it.

      I think Secunia simply counts notices put out by vendors, they don't actually analyze them and apply any judgment. This means that the more conscientious and detailed a vendor (or distro) is about informing their customers (or users), the higher the vulnerability count they will have.

      It also means that you can't actually compare vulnerability counts between vendors unless they operate, distribute, and report in a similar manner. That would just be comparing apples to oranges. I'm sure though that won't discourage our favourite anonymous security commentard from ignoring the facts and stuffing both feet in his gaping pie hole. Let me save him some trouble - "Microsoft had zero vulnerabilities while Linux had seventy-bazillion and caused global warming as well". There, now where do I pick up my cheque from Microsoft?

      As to why Gentoo has loads more security vulnerabilities reported than any other distro, I suspect that is simply due to differing reporting and repo support policy. If another distro has smaller supported repos with fewer third party software packages, then they will pretty obviously have fewer vulnerabilities to report on to their users. Note though that I said supported repos. Different distros have different support policies.

      I'm not sure what the story is for Solaris. I didn't bother looking them up in the database, and I'm not sure what their distribution, support, and reporting policies are. I wouldn't be surprised though if a lot of the apparently high vulnerability count is also simply due to double counting of non-Solaris related problems combined with a long support life.

      1. Anonymous Coward
        Anonymous Coward

        Crap

        The post is required, and must contain letters.

      2. Anonymous Coward
        Anonymous Coward

        Re: I wonder how they measure vulnerabilities in Gentoo and Solaris.

        I think Secunia simply counts notices put out by vendors, they don't actually analyze them and apply any judgment. This means that the more conscientious and detailed a vendor (or distro) is about informing their customers (or users), the higher the vulnerability count they will have.

        Well, Alex Legler posted this article regarding the state of affairs in Gentoo. Alex's roles include Security.

        There he contrasts with probably our biggest competitor, Debian, which features much lower down the list. This makes me suspicious of the stats that Secunia put out, including those for Microsoft OSes. (i.e. is a vulnerability in IE6 counted for Windows XP even though XP users can move to IE8? Windows 8.1 can run Office 97, does a vulnerability in that count there too?)

        I think this suggests any stats given by Secunia on OSes other than Windows should be taken with a grain of salt.

        1. PNGuinn
          FAIL

          Re: I wonder how they measure vulnerabilities in Gentoo and Solaris.

          "I think this suggests any stats given by Secunia on OSes other than Windows should be taken with a grain of salt."

          Nah - a large bag of quicklime would be better. Roll of carpet optional.

          Re Debian - Debian don't do "firefox" etc. The icewhatsits are probably off their radar and so probably don't count.....etc.

      3. Jad

        Re: I wonder how they measure vulnerabilities in Gentoo and Solaris.

        It wouldn't surprise me if the figures were related to how much/how often the systems were patched.

        I know for myself that in general we don't patch the Solaris systems we're using, we firewall the f*ck out of them, and only start services we know are going to be used. We have Solaris systems that have been untouched for over 10 years, but they're still doing the job they were supposed to, and aren't facing the outside world.

        If a system is inherently more secure, with very low visibility and very low attack vectors, on an operating system that few use, is it not unexpected that the hackers will be going for the lower hanging fruit?

        Meh!

        Jon

    3. Anonymous Coward
      Anonymous Coward

      Re: I wonder how they measure vulnerabilities in Gentoo and Solaris.

      Chrome is on well over 1,000 vulnerabilities in total now. That's twice as many as all versions of IE!

  2. Anonymous Coward
    Anonymous Coward

    Not vulnerabilities

    Undocumented features!

  3. G2
    Megaphone

    half truth statistics coming from Secunia.

    1) Reported vulnerabilities are not the same thing as unpatched reported vulnerabilities and Google moves pretty quick to patch things.

    Their bounty rewards program helps A LOT with finding and reporting vulnerabilities - this is an incentive for people to smash, crunch and otherwise torture the browser in every imaginable way to see if it sprouts a leak, and that leak will be patched for the benefit of all the users.

    I don't see the other mentioned browser makers offering such bounties.. MS in particular is known for the secretive way in which it shoves stuff under the carpet (they have a sort of bounty rewards program.. with an NDA with stupid terms attached) when it doesn't like it shown until they release a patch for it, sometimes years later, and bragging about finally fixing x or y while some things never get fixed or get stealth "unsupported" half-fixes (*cough* POSReady fixes allowed for WinXP on purpose - they could easily nuke it.*/cough*).

    2) I'm a Secunia PSI user and I can tell you that their detection of the installed Chrome version is crappy about half of the time.

    This is because Chrome keeps the previous version around when it installs an update, just in case you need to roll back. If you have Chrome installed and if you ever applied an update to it, just take a look at C:\Program Files\Google\Chrome\Application (or wherever you installed it). You'll see there 2 folders, one for the current version and one for the previous version that you had before the latest update.

    Sometimes Secunia PSI will detect the version that was present when I started the computer and keep pestering me to update it even if I just updated it. When this happens I have to manually FORCE a full system scan in Secunia PSI just so that it can detect the updated version.
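A check for the two-folder situation described in the post above (an added example, not code from the thread or from Secunia): it lists the version folders under Chrome's Application directory and compares the newest with the version of any chrome.exe that is currently running, which is what a scanner inspecting the running process would see. The install path is assumed to be the default quoted in the post.

```powershell
# Added example: compare Chrome's on-disk version folders with the running binary.
# Assumes the default install path quoted in the post; change $ChromeDir otherwise.
$ChromeDir = 'C:\Program Files\Google\Chrome\Application'

# Chrome keeps one folder per version (e.g. 41.0.2272.101) so that it can roll back;
# right after an update there are two, and the newest is what a fresh launch uses.
$onDisk = @(Get-ChildItem -Path $ChromeDir -Directory -ErrorAction Stop |
    Where-Object { $_.Name -match '^\d+(\.\d+){3}$' } |
    ForEach-Object { [version]$_.Name } |
    Sort-Object -Descending)

if ($onDisk.Count -eq 0) {
    Write-Warning "No Chrome version folders found under $ChromeDir"
    return
}
$newest = $onDisk[0]
"Version folders on disk : $($onDisk -join ', ')"
"Newest on disk          : $newest"
if ($onDisk.Count -gt 1) {
    "Previous version kept   : $($onDisk[1]) (normal right after an update)"
}

# Version resource of the file each running chrome.exe was started from. This is
# what a scanner reports if it looks at the process rather than the install folder.
$running = @()
foreach ($p in Get-Process -Name chrome -ErrorAction SilentlyContinue) {
    try { $running += $p.MainModule.FileVersionInfo.ProductVersion }
    catch { }   # access to a process at a higher privilege level can be denied
}
$running = @($running | Sort-Object -Unique)

if ($running.Count -eq 0) {
    "Chrome is not running; the next launch will use $newest."
}
foreach ($v in $running) {
    if ([version]$v -lt $newest) {
        Write-Warning ("Running chrome.exe is $v but $newest is installed: " +
            "restart Chrome, otherwise the old version stays in memory and is reported.")
    } else {
        "Running chrome.exe is $v (matches the newest install)."
    }
}
```

Run it from a normal (non-elevated) prompt after a Chrome update to see whether the warning fires before and clears after restarting the browser.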

    1. returnmyjedi

      Re: half truth statistics coming from Secunia.

      I had no idea Google rewarded those who report vulnerabilities with a Bounty. I prefer a Twix myself, but hey, chocolate is chocolate.

      1. Anonymous Coward
        Anonymous Coward

        Re: half truth statistics coming from Secunia.

        "I prefer a Twix myself, but hey, chocolate is chocolate."

        Apparently a finger of fudge is just enough?

        1. returnmyjedi

          Re: half truth statistics coming from Secunia.

          You'll have the chaps from Operation Yewtree at your door with that sort of suggestion.

      2. Electron Shepherd
        Coat

        Re: half truth statistics coming from Secunia.

        I wonder what you get for reporting a vulnerability in Android 4.4?

      3. Anonymous Coward
        Anonymous Coward

        Re: half truth statistics coming from Secunia.

        I had no idea Google rewarded those who report vulnerabilities with a Bounty. I prefer a Twix myself, but hey, chocolate is chocolate.

        So long as they don't make the mistake of sourcing it from the US of A.

        http://www.theregister.co.uk/2014/10/26/usa_needs_to_learn_about_decent_chocolate/

    2. TeeCee Gold badge

      Re: half truth statistics coming from Secunia.

      Define "unpatched".

      What's the maximum allowable time between reporting and a patch being issued before you hang the "unpatched" label on it? You have to allow some, unless the developers have a time machine[1].

      You probably need to vary that by fix complexity to keep everyone on their toes, so that needs a definition as well.

      [1] Not the "unfair advantage to Apple" sort, the other one.

      1. Oninoshiko

        Definition of "unpatched"

        A vulnerability is "unpatched" for ANY length of time it is known. Once a patch has been released for it, it then becomes "patched." The maximum allowable time is "none": as soon as it's known, it's an unpatched flaw.

        This isn't about making developers feel warm and fuzzy, it's about assessing risk.

        1. Tom 13

          Re: Definition of "unpatched"

          Yes, except the PSI tool itself is supposed to patch vulnerabilities. Yet I find that when I explicitly open the panel, not only does it list the XML hole for which MS Update shows no applicable patch (and the Secunia-supplied link is to a worthless MS page because I still can't find the applicable patch), it also frequently lists a number of programs as "waiting" or "pending" or some other such. As I leave the PC on most of the day and shut it down each night, none of those should be pending (I'm away from the PC for the better part of 12 hours a day).

          I still find the tool useful, but I'm not so sure about the validity of their statistics. One other note. I have Cygwin installed because I keep meaning to use it to learn a bit more *nix. I've never seen it, or any of its components, show up on the Secunia patch list. On the occasion that I remember to start the process, I do patch it. But it could be 3 or even 6 months between updates. So the failure to show needed updates certainly raises questions.

    3. Whiskers

      Re: half truth statistics coming from Secunia.

      >>2) I'm a Secunia PSI user and I can tell you that their detection of the installed Chrome version is crappy about half of the time.

      [...]

      Sometimes Secunia PSI will detect the version that was present when I started the computer and keep pestering me to update it even if I just updated it. When this happens I have to manually FORCE a full system scan in Secunia PSI just so that it can detect the updated version.<<

      That's probably because your computer keeps files (including executables) in RAM until that space is needed for something with a higher priority. Installing an updated package doesn't change what's actually running. Stop the program and then start it again after the 'update' and there's a better chance that you'll now be running the completely updated package.

    4. Justin Clift

      Re: half truth statistics coming from Secunia.

      I don't see the other mentioned browser makers offering such bounties..

      As a data point, Mozilla does for Firefox (and other software):

      https://www.mozilla.org/en-US/security/client-bug-bounty/

      Note - they have more than one bug bounty program. There's a very short overview page here, with links to the individual programs in the bottom two lines.

  4. Lusty

    Chrome security

    Is there anyone running Chrome who wasn't expecting at least one massive global corp to have full access to all their data? If you want security then a data mining ad company is not your best bet for software.

  5. Velv
    FAIL

    Lies, Damned Lies and Statistics

    Not all vulnerabilities are created equal, so a raw count is meaningless.

    Even if you take the comment "1698 (11 percent) are deemed highly critical and 43 (0.3 percent) are extremely critical", where's the breakdown across browsers?

    The moral of the story is that ALL software potentially contains vulnerabilities of varying degree of severity and you've got to put as many layers of security as possible between you and the bad guys.

  6. Anonymous Coward
    Anonymous Coward

    A bit unfair

    Chrome is an advertising virtual machine that can also render web pages, you have to expect a bit of slack.

  7. eek the geek

    "The security firm says Mozilla clocked the most number of un-patched users, followed by Chrome and Internet Explorer, although this could be because installed secondary browsers were often unused."

    Isn't the point of installing Firefox or Chrome to make that the primary browser instead of IE?

    1. This post has been deleted by its author

    2. theOtherJT Silver badge

      Isn't the point of installing Firefox or Chrome to make that the primary browser instead of IE?

      In our case at least it's just so that when we have to go and look at users' computers we don't have to use the ancient version of IE that our finance software mandates as a front end. Most of our users can't handle the idea of learning how to use more than one browser, so IE for one, IE for all :(

    3. Jason 41
      Joke

      And isn't the primary use of IE for downloading Firefox?

    4. Sandtitz Silver badge
      Thumb Down

      @eek

      Isn't the point of installing Firefox or Chrome to make that the primary browser instead of IE?

      Very likely with Firefox, not necessarily so with Chrome which is often installed along with Adobe Reader or Flash. Chrome imports bookmarks from IE/FF and makes itself the default browser.

      ...and that's why Chrome is the most popular browser.

      1. James Welbes

        Re: @eek

        um, Firefox does the same thing...

        I've never seen Chrome bundled in any other packages. Chrome is the most popular browser because it's the best browser.

        Also, this junk about it being the least secure browser is BS. They just held their regular hackathon, offering tens of thousands of dollars to hackers for compromising browsers. Guess which browser performed the best?

        Chrome. Google it. (or Bing it, if you want to find your answer on page 2)

        1. Anonymous Coward
          Anonymous Coward

          Re: @eek

          "I've never seen Chrome bundled in any other packages."

          You don't use Adobe Acrobat, Flash, Shockwave, etc. then?

          "Chrome is the most popular browser because it's the best browser."

          But it isn't where there is a choice. IE still has a ~57% share on the desktop.

        2. sabroni Silver badge

          Re: Chrome is the most popular browser because it's the best browser.

          I don't think so. A lot of people use Google to search. When Chrome came out Google pushed it hard on their search pages. A lot of people clicked on the "Make the internet better" link because they thought it would make the internet better, not because they were making an informed choice about which browser to use.

          From a user perspective it's a good browser, from a developer perspective it's probably the best, from a security perspective it's dubious.

      2. P. Lee

        Re: @eek

        >Chrome imports bookmarks from IE/FF and makes itself the default browser.

        They all ask to make themselves default if they aren't already.

        Chrome is the non-MS browser which is most likely to work with corporate sites designed for IE. It provides the easiest integration by using IE's configuration. I normally use it for internal corporate sites, with FF/noscript etc for teh interwebs.

        The problems with flash are usually less with the download code and more with Adobe's player. Regardless, don't go wandering down internet dark alleys and you'll reduce your attack surface greatly.

    5. Tom 13

      I myself install Firefox and Opera, at one point I also had Chrome. IE is usually my last choice, but if I had only Firefox and Chrome installed, Chrome would be my secondary browser in deference to FF. That's actually one of the reasons I uninstalled Chrome. It kept showing up in Secunia as unpatched because I pretty much only ran it to update it.

  8. This post has been deleted by its author

  9. Mage Silver badge
    Devil

    By design in a way ...

    It's essentially Google Spyware anyway.

  10. JCitizen
    Coffee/keyboard

    Secunia PSI...

    always reports everything is A-OK! Why? Because I keep up with patches. Yes Secunia PSI will squawk if you never do maintenance, if it can't update it automatically it will tell you to manually do it. Some files just have to be deleted. If you know how to use Secunia PSI it can be very useful, but some comments here lead me to believe some don't. Yes Secunia PSI is for Windows, but the article was talking about the Chrome BROWSER! Google Chrome is just fine now, and updated not long ago for the Freak vulnerability and the last flash update, although it uses its own version of flash, as a built in HTML capability.

    I never use Secunia PSI to manually update an application, I use the target application's console, or I use File Hippo's Application Manager, or Avast's scan for outdated software. Any one of them will lead to the solution. After fixing a patch, you must scan again with Secunia PSI if you want the alert to clear, otherwise you can ignore it until Secunia notices the change eventually. I'd almost believe that if you do this religiously and run as a limited user on a Windows machine, you could almost get away with no anti-malware, or anti-virus, as this makes you almost zero day invincible. CCleaner could be the only tool you'd need for complete protection after that, as long as you run it before using a browser for banking, or log off and/or reboot.

    However - I'm paranoid, so I use a lot of different methods of building a defense in depth. IBM's free endpoint protection (formerly Trusteer) can make a big difference too. And no - I'm not a shill for IBM. I'm for free stuff that works!

    1. AJ MacLeod

      Re: Trusteer

      IBM's free endpoint protection (formerly Trusteer) can make a big difference too...

      ...mostly in ruining its responsiveness though. Not a fan of bloaty shifty software that isn't really documented - being hawked by the banks doesn't increase my confidence in it much either.

  11. DJGM
    Alert

    It looks as though . . .

    Google Chrome is fast becoming the new IE6 ... !

    1. Anonymous Coward
      Anonymous Coward

      Re: It looks as though . . .

      Indeed, but at least with Chrome it doesn't lock you in to one OS. Unlike IE6, it natively runs on MacOS X and Linux, so no need to do ritual sacrifices getting IE6 installed in WINE (been there, done that) or running a VM/dual-booting to check your site is still compatible with the great unwashed.

      It is also separate from the OS, so unless actually being used to browse, it poses a minimal risk.

      1. sabroni Silver badge

        Re: but at least with Chrome it doesn't lock you in to one OS

        No, but another big problem with IE 6 was sites that only rendered properly on IE 6 because that was all they targeted. A lot of developers these days think supporting Chrome is enough. I was on a site yesterday that had a form on it that didn't work on Firefox (cursor moved but no text appeared as I typed). It worked fine in Chrome though.

        It's a slippery slope, the more sites that are like that the more users will think that the only browser that isn't broken is Chrome....

  12. Anonymous Coward
    Anonymous Coward

    Dodgy stats???

    "vulnerabilities increased 70 percent from 728 to 1035"

    Pretty sure that's only a 42% increase...

  13. Leeroy

    Foxy pdf

    Foxit pdf is fine and in some ways better than Adobe Reader but please please please don't blame your printing issues on the printer until you have tried it with the Adobe version :/

    Don't know why but I get several calls a month relating to missing lines, missing images or long print times with the foxy version.

    If anyone can provide a fox sorry fix I am all ears. .. like a fox or something.

    1. mrweekender

      Re: Foxy pdf

      I'd rather hang my scrotum in a bear trap, than use software from the thieving scum known as Adobe.

  14. Gis Bun

    Everyone knows Google decided to sacrifice security in favor of "speed". That's all they tout Chrome for. Meanwhile I think v38 fixed 150 vulnerabilities plus another 130 non-security fixes. That's just one update.

    1. TheVogon

      "Everyone knows Google decided to sacrifice security in favor of "speed". "

      Amusing then that Microsoft Edge beats them hands down - both for speed and for lower number of vulnerabilities over time!

  15. kneedragon

    I do think this is a trifle misleading. Micro$oft used to top the vulns list 100:1, because it was the obvious target. In many ways, Chrome (or Chromium) has become that. Many people are using it, so white hats and black hats zero in on it and do pizza and caffeine and attack it. Look hard enough for flaws, and you will find them.

    1. sabroni Silver badge

      re: Micro$oft used to top the vulns list 100:1, because it was the obvious target

      Oh yeah, I remember. Everyone used to be on here commenting on how it was unfair on MS, how the number of vulnerabilities wasn't important, etc....

  16. Comunicate Manifest

    Chrome * is * the vulnerability

    It's spyware from Google, plain and simple.

  17. Gis Bun

    New link:

    http://resources.flexerasoftware.com/web/pdf/Research-SVM-Vulnerability-Review-2016.pdf
