And the Buggiest Software Award Goes to...Chrome!

15 Comments

monkey nuts

Has anyone actually checked the source, http://nvd.nist.gov/? If you do actually check the source you will find out that all but very few are actually for the new version 7.0.517.44. Some people just take others' words for it and don't do the homework themselves. Sad to say that this editor only was trying to get another article out for his name. I only counted 11 vulnerabilities for the new version 7.0.517.44, not the stated 76 vulnerabilities. I sure do hope that this editor can redeem himself from falsely claiming these vulnerabilities. I think the only thing with the most bugs is the editor's thought process. These searches can be done by you as well by going to http://web.nvd.nist.gov/view/vuln/search. I typed in as listed below. Chrome is definitely not the biggest loser here. Although it did come in second browser wise.

Chrome 7.0.517.44            Count: 11

Firefox 3.6.12                  Count: 0

Safari 5.0.2                     Count: 4

Internet Explorer 8            Count: 229

Slugbait

7.0.517.44 is not a new version. It's a point release that has been available for less than two weeks. In fact, this point release only addresses previous, known security vulnerabilities, otherwise there is nothing "new" about it.

If you search NVD for the last three months, it comes up with a total of 60 for Chrome...the majority of which are severity=high. Funny...if you read the summary, it says "Google Chrome before 7.0.517.44" for your findings, then the rest are "Google Chrome before 7.0.517.41". What, those other vulnerabilities don't count anymore?

Do a three-month search on Internet Explorer 8, and there are a total of 10. A three-year search yields 152, so I'm curious how you got 229.

At least you dishonestly included as many vulnerabilities since IE8 was released as you could to compare with a two-week old build of Chrome in order to make your misguided point that the editor made false claims. I doubt you will take the same measure to redeem yourself as you ask others to do.

Slugbait

OK, I figured it out...you did a Search All instead of three-month or three-year searches in order to saddle IE8 with 229 in order to compare to a two-week old release of Chrome. Applause for you.

monkey nuts

I did a search on all issues, not just the past three months, though I only counted the ones relevant to the current version, sorry, patched version of 7.x, not full release, because it doesn't state fixes. If you go to http://googlechromereleases.blogspot.com/search/label/Stable%20updates you can see a list of fixes that Chrome has been working on and fixed.

Internet Explorer Search isn't the easiest to do upon this NVD website I will say. I have tried to find a bug update for Internet Explorer 8 and can't seem to locate one, nor can I find any list of patched flaws with IE8. Forgive my prejudice against IE; it has always given me nothing but problems.

If you want a list of security flaws try searching Secunia for security flaws with different browsers. http://secunia.com/advisories/search/ or is Secunia not a reputable source to use?

Try running Secunia PSI http://secunia.com/vulnerability_scanning/personal/ on your system and see where you rank up with Internet Explorer X.X. I assure you that you will find issues with Internet Explorer 8, whereas with Chrome it is still a risk but not enough to send up an alarm. I cannot comment on Firefox, Opera, Safari because I use Chrome. However if you are wanting to lock up even tighter I would suggest SRWare Iron http://www.srware.net/en/software_srware_iron.php

Slugbait

Secunia is not a source at all, much less a reputable source. When you search vulnerabilities at their site, you get links to CVE MITRE, which is simply a dictionary of publicly known information security vulnerabilities and exposures.

But I digress. When you do a search on Chrome at Secunia, you get a page of the more recent security advisories, a little more than a year's worth. And the majority of which are listed as "multiple vulnerabilities", seventeen (17) in all. Half of those each have 10 or more vulnerabilities listed. Only seven are individual incidents.

The first 25 returns for IE8 go back well over two years. But for the sake of apples-to-apples, for the same time period, IE8 has just eight listed with "multiple vulnerabilities", with seven individual incidents. And only one "multiple" lists more than 10...most list around 5.

I'm currently on my primary machine at home, which I haven't even booted in almost a week...thanks for reminding about running PSI, it did find one browser with a Category 5 threat.

It was Firefox...

But let's get back to the fact that you pissed on the integrity of a journalist, shall we?

monkey nuts

I was curious; the link shows an article, http://www.maximumpc.com/article/maximum_it/study_windows_users_patch_their_os_every_5_days, by the same journalist referring to Secunia PSI. There are also other articles by other writers about Secunia PSI, as well, from Maximum PC. It is the nature of journalism to be criticized as well as freedom of speech; to make it about integrity. I was merely stating a loss of belief in the research.

As for bug fixes, can you show me where I can find a list of patch updates and bug fixes for IE at all? So also assuming then that Bit9 is a reputable source and Secunia is not is what I am gathering from your subject; as his article states from Bit9 as a source. I will understand your argument much better if you could provide a source that says IE has fixed the bugs and security flaws that were from the over two years ago that you have stated, as I found one for Chrome but can't find one for IE. This leads me to believe that these holes are still un-patched. My apologies if I am incorrect that these holes are actually fixed; I simply can't find evidence, as I can with Chrome.

Slugbait

Oh, for Christ's sake. You haven't heard of Patch Tuesday? What do you think MS is patching every month, Notepad?

Look at it from this point of view: you own 90% of both the OS market and browser market in the year 2000. You publicly tell people what each security vulnerability is. What do you think crackers are going to do with this info? Keep it generic, and crackers have to do actual work.

If those holes were still unpatched, MS would get far more harsh criticism than Apple gets.

monkey nuts

My apologies. I suppose after reading the article a few times I am taking the understanding that the article is not the editor's actual research as it is Bit9's. The editor was simply relaying the info. As for debate I suppose Bit9 is who needs to be looked at, not the editor, though he should check for integrity in others' work as I am merely doing myself.

jordinyc

.. should I be, like, worried or something? Coz I use Chrome constantly to order things online and visit lots of sites with my passwords, and I just shit my pants reading that.

Slugbait

In the past, criminals spent most of their time working flaws in IE because it was such a target-rich environment of dumb people who didn't regularly (or never) patch their systems.

But the introduction of Automatic Updates in XP slowed them down. Plus, IE no longer owns 95% of the browser market...with tens (or hundreds) of millions of people using an "alternative" browser now, there is a new target-rich environment for organized crime. Those browsers don't get updated via Windows Update or Microsoft Update, but I believe most have mechanisms in place for automatic upgrades as they become available.

Chrome WoV averages two days, so you should be OK for the most part. With a WoV of about two weeks, Safari users are the only ones who should panic.

spoonard

So... are they saying IE has the FEWEST exploitable vulnerabilities? Less than Chrome, Firefox, and Safari?

Slugbait

In fact, IE has been either the best or second-best in regard to security flaws since 1997. But it depends on who is crunching the numbers and how much press that company gets.

For example, for the year 2009 Symantec stated Chrome was the LEAST vulnerable, with just 41 flaws for the year, followed by IE with 45, Safari had 94, and Firefox with 169. Around the same period, NVD on the other hand had a three-month stat window that put IE in front with 17 flaws, Firefox with 20, they hammered Chrome with 40, and Safari brought up the rear with 51. The telling difference: NVD sez Chrome had 40 for a three-month period, while Symantec claimed 41 for a 12 month period. I would go with NVD numbers before a company's numbers, tho'.

The more important statistic is the Window of Vulnerability: if your security flaws are patched quickly, and before anybody figures out how to exploit them, it doesn't matter that much if your browser has more flaws than the next guy. During their war with Netscape, MS instituted a 24-hour turnaround time on security flaws (later replaced by Patch Tuesday, with only super-criticals getting out-of-band releases). In 2009, average WoV for IE was still 24 hours (Firefox also averaged a day). Chrome was a bit worse at 2 days, and those Apple boys continued to air funny television commercials stating how the Mac was more secure than Windows while averaging a two-week WoV on their extraordinarily large number of security flaws.

kamikaji

Chrome has only crashed on me twice, and I have been using it for a LONG time.  I have never had any issues with malicious attacks/malware either.  Plus, Chrome is blazing fast and is really low on system resources.  I like it a lot better than Firefox.

noobstix

...and then switched back to Firefox.  I found it funny that the "Grid view" for Google Image Search kept crashing Chrome while it worked flawlessly on IE and FF.

I Jedi

It is not too late to repent for your sins, Chrome users. Firefox welcomes back all those who would return to her.
