Android Was 2016's Most Vulnerable Product, Oracle the (bleepingcomputer.com) 147
An anonymous reader writes: According to CVE Details, a website that aggregates historical data on security bugs that have received a CVE identifier, during 2016, security researchers have discovered and reported 523 security bugs in Google's Android OS, winner by far of this "award." The rest of the top 10 is made up by Debian (319 bugs), Ubuntu (278 bugs), Adobe Flash Player (266 bugs), openSUSE Leap (259 bugs), openSUSE (228 bugs), Adobe Acrobat DC (227 bugs), Adobe Acrobat Reader DC (227 bugs), Adobe Acrobat (224 bugs), and the Linux Kernel (216 bugs).
When it comes to software vendors, the company for which the largest number of new CVE numbers have been assigned was Oracle, with a whopping 798 CVEs, who edged out Google (698 bugs), Adobe (548 bugs), Microsoft (492 bugs), Novell (394), IBM (382 bugs), Cisco (353 bugs), Apple (324 bugs), Debian Project (320 bugs), and Canonical (280 bugs).
Stupid Apple (Score:1, Funny)
Look how they've stagnated. They're not even at the top of the CVE list. Jeez, get rid of Tim Cook already. We want more bugs.
Re: (Score:1)
Give 'em a chance, they've held the championship three times with OSX - immediately prior to this round in 2015, and in 2008 (tied with Firefox), and 2006.
Re: (Score:1)
Oracle the (Score:5, Funny)
I think you a word.
Re: (Score:1)
Re: (Score:2)
Oracle may be unbreakable, but its headlines aren't.
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
I think you a word.
Yes, the entire sentence should have read:
Android Was 2016's Most Vulnerable Product, Oracle the source of most buffer overrruns
Re: (Score:2)
I think you a word.
Yes, the entire sentence should have read:
Android Was 2016's Most Vulnerable Product, Oracle the source of most buffer overrruns
Sorry, not 'overrruns'. Overrrrruns.
Wot? I'm a Scotsman!
Re: (Score:2)
Re: (Score:2)
Blue rubber fridge dirt.
Re: (Score:2)
That's interesting (Score:1)
Windows 10 had fewer vulnerabilities than Linux and Mac... AHAHAHAHAHAHAHA
Re: (Score:2, Insightful)
Re: (Score:1)
Windows 10 had fewer vulnerabilities than Linux and Mac... AHAHAHAHAHAHAHA
I'm not surprised by Windows doing well - MS got their act together around Win7 time. (Too many Slashdotters are still stuck in the 90s.) I am surprised IE wasn't a top contender - maybe its dwindling share protects it?
Re: That's interesting (Score:2)
Hey everyone! I found the paid msoft edge shill! Is there a prize?
Re: (Score:2)
In Windows world, Vulnerabilities are Features, so there aren't any Vulnerabilities.
Re: (Score:2)
In Windows world, Vulnerabilities are Features, so there aren't any Vulnerabilities.
You got that right, fer sher. When someone at corporation X, which purchases 200,000 licenses, needs a change in the OS to serve their needs, code is changed in a library or executable (or both) by MS to accommodate them without taking into account that it can introduce a weakness or bug when combined with other changes/additions. I don't think it's humanly possible to have a corporation that's profitable when it is taking every single change into account and monitoring every other change and testing agai
Re: (Score:1)
True, it's not possible to test every combination in a huge system.
However, some obviously do a whole hell of a lot better than certain others! 8-P
Re: (Score:3)
Windows 10 had fewer vulnerabilities than Linux and Mac... AHAHAHAHAHAHAHA
And Microsoft has a very strict policy on what gets filed for a CVE; while open source folks file CVEs very often.
Re: (Score:2)
Spin it any way you wish. I still feel more secure with Linux than I ever would with Windows 10.
Re: (Score:2)
So, you're saying all those problems and annoyances are just W10 working as designed?
Re: (Score:3)
+1 Pedantic
most vulnerabilities != most vulnerable (Score:1)
duh
Re: (Score:3)
You mean not all bugs carry the same weight? But I really needed a metric to prove product A is better than product B.
Re: (Score:2)
You mean not all bugs carry the same weight? But I really needed a metric to prove product A is better than product B.
That's why MS loves "{mumble}found: 12,342,472, Fixed: 12,342,101".
Where's the metric for "fixed and released to all vulnerable machines before the next bi-weekly release scheduled date"? I want that metric!
Re:most vulnerabilities != most vulnerable (Score:5, Informative)
Re: (Score:2)
Not really, Google mitigates issues via Play very quickly and almost all network connected devices quietly roll out the fixes with no interaction from the user.
That's why you see big botnets made of IoT devices and old Wordpress installs - people don't install the updates. Android vulnerabilities get mitigated quickly and widely.
Re: most vulnerabilities != most vulnerable (Score:2)
That's why all Android devices are on the latest build of Nougat with all security fixes applied. Or not.
Re: (Score:2)
Security fixes are backported. Settings > About Device > Android Security Patch Level & Security Software Version. Plus individual APKs are patched automatically via the Play Store
Re: (Score:2)
You know how Windows 8 still gets security patches, despite Windows 10 being the latest version? Or how LTS versions of Debian are still fairly secure and well supported with patches, despite being old?
Not being on the latest version of the OS doesn't mean no security patches.
Re: (Score:2)
My HTC EVO 4g still stands by for days without recharging, and hasn't gotten a single damn update - security or otherwise - since around 2012. I only got a new phone last year because Sprint shut down the 4G WiMax signal [rcrwireless.com] it used in favor of 4G LTE.
Not buying a new phone every 2 years means no security patches.
Re: (Score:2)
Does your old 4g have Play? Do the apps installed from Play get updated? If so, that phone is getting updates, including to the OS.
Re: (Score:2)
It does, it doesn't, it's got android 2.3.5 and a kernel compiled in 2012. The webkit version on it is so old it can't use the play store's (and many other websites) encryption cipher, and the android version on it is too old to install Chrome.
Re: most vulnerabilities != most vulnerable (Score:2)
Being on Android quite often does mean no security patches. That's why I stopped buying Android phones. Are the OEMs such as Samsung any better now? The iPhone 5 is still getting updates 4 years after release. Any Android phones, even the ones that cost a similar amount, getting that kind of support? I have a Galaxy Note 2 released a couple of months later that didn't go any further than KitKat, and it took bloody ages for Samsung to do that.
Re: (Score:2)
The patches come via Play.
Re: most vulnerabilities != most vulnerable (Score:2)
How many of these have been fixed via Play or otherwise for all Android versions still in use? http://www.techworld.com/secur... [techworld.com]
Re: (Score:2)
Re: (Score:2)
Same goes for Stagefright. You can mitigate some of the issues with this but mitigations can only go so far, you still need to patch the underlying library and again, no amount of "Play" patches will fix this since it's controlled by the vendor.
Re: (Score:2)
Sure, but if you cut off the ability for the exploit to actually get as far as the kernel, then the problem is mitigated. These days no-one relies on just one layer of security, it's always multiple layers.
Re: (Score:2)
Re: (Score:2)
If you can get around the mitigation, surely you can get around the fix to the kernel too, and in fact get around any security measures. Nothing can ever be secure because you can "get around" it.
Re: (Score:3)
True, however Android also suffers from very long delays between serious vulnerability being found and the majority of network-connected installs being patched. The combination of that and a large number of vulnerabilities is pretty bad.
It's not good, certainly, but it's not as bad as that makes it appear, at least not for users who stick with the Google Play store, and even users who don't but leave "Verified Apps" turned on. The Play store is pre-vetted and Verified Apps checks sideloads and apps from other stores. Both of those mechanisms can fail because things can slip through the cracks, but it's another (large) hurdle that attackers have to jump through to get malicious code onto user devices.
In addition, the slow update issue
Re: (Score:2)
Says the Android security engineer.
So, are you arguing that anything I said is untrue? If so, what?
Re: (Score:2)
because people report vulnerabilities against very old versions of Android which, while they do still exist in the wild, constitute a fairly small number of devices...
Android KitKat, which was released in 2013, is still being used on 22.1% of the devices out there. And 36.3% of the devices out there run KitKat or older versions of Android.
Gingerbread 1.0%
Ice Cream Sandwich 1.1%
Jelly Bean 11.6%
KitKat 22.6%
Re: (Score:2)
because people report vulnerabilities against very old versions of Android which, while they do still exist in the wild, constitute a fairly small number of devices...
Android KitKat, which was released in 2013, is still being used on 22.1% of the devices out there. And 36.3% of the devices out there run KitKat or older versions of Android.
Gingerbread 1.0%
Ice Cream Sandwich 1.1%
Jelly Bean 11.6%
KitKat 22.6%
Very true, and part of the reason that the Play store and Verified Apps protections are so important.
Number of bugs is hardly a valuable metric here... (Score:5, Insightful)
The number of bugs opened with a given software product says very little about how "vulnerable" the product may be. The most ubiquitous (widely-deployed) products are bound to be subject to the greatest number of "bug reports" (CVEs), by virtue of the fact that they are "under the microscope" and so broadly used. It is no coincidence that the most bug reports have been filed for the most popular software products.
Re: (Score:1)
It's totally believable that Android was among the worst (it's sort of the new Windows), although Windows itself is said to still exist and be used by someone, so I kind of doubt Android really got the very top spot, but .. maybe.
But, yeah.. when you look at what the article is counting ("CVE"s) you realize that it's an arbitrary thing, so if their list happens to match reality, that's just a coincidence.
And you'd expect the least secure stuff to not even be on this article's radar, precisely because it d
Re: Number of bugs is hardly a valuable metric her (Score:2)
No one uses Windows anymore, that's why Microsoft went bankrupt years ago /s
Re: (Score:3, Interesting)
Larger more complex products have more bugs.
Products with larger user bases discover more bugs.
What we are measuring here is the largest, most used products.
I believe that means that 2016 was the year of the Ubuntu and Debian desktop! (and to a lesser extent openSUSE)
Though I find the whole things suspect when Adobe has 904 bugs across 4 products in the top 10 but only 548 total.
Re: (Score:2)
Certain bugs are the same bug in multiple products, so for a company total it is counted once but is also counted for each individual application. Think of this like a bug in a PNG decoder, using the exact same decoder in Photoshop and Illustrator. "Adobe" has 1 bug, but each application also has 1 bug each.
Re: (Score:3)
It is no coincidence that the most bug reports have been filed for the most popular software products.
Agreed. So we shouldn't interpret this article solely as an indictment of these products for being crappy.
Instead we should interpret this article as spotlighting the most popular companies and their products.
None the less, the fact that Oracle stands so far above the crowd does seem to imply that they're not doing something as well as they might. In particular since most of the members of that crowd are distributing software that is more complicated than a database-- entire operating systems, infrastruc
Re: (Score:2)
MySQL is a fucking Oracle product.
As is Java and three hundred enterprise grade applications and technologies.
Including operating systems, infrastructure that undergirds the entire web, etc.
Shit, there are plenty of things wrong with Oracle but their appearance on this list? Purely and entirely a consequence of their massive product portfolio.
Re: (Score:2)
The most ubiquitous (widely-deployed) products are bound to be subject to the greatest number of "bug reports" (CVEs), by virtue of the fact that they are "under the microscope" and so broadly used.
Open source products also get a boost, by dint of the simple fact that finding bugs is easier. Security researchers try to focus their time on the most-used software rather than the easiest-to-analyze software, but the time spent on easy-to-analyze software often generates more bugs. This is exacerbated when there is an entity that pays out good cash for vulnerability reports. Android's bug reports jumped significantly when Google began paying bounties, for example, but that doesn't mean the platform got le
Re: (Score:2)
To the extent that they're not sold on the black market.
A really good exploitable bug on very popular platforms is very valuable. The numbers of reported CVEs have been dropping industry wide, not because of better development practices...
commentsubject (Score:4, Insightful)
Security bug 1) Erroneous password entry reveals critical details in the rejection prompt, like the confirmed existence of an account name.
Security bug 2) Throwing in a parentheses and semicolon allows mass queries and a full DB dump of cleartext passwords.
One point each, equally vulnerable.
Re: (Score:2)
One point each, equally vulnerable.
Not to mention that the vast majority of vulnerabilities in Android were highly specific or mitigated by its security model. We've seen CVEs issued for things that can't actually be exploited due its use of SELinux.
Plus if you look at the actual CVEs you'll find that 90% or so have nothing to do with Android and everything to do with Qualcomm, Synaptics, Samsung, etc writing dodgy drivers and doing a shoddy job and bolting things into "Google Android".
The counting fiasco (Score:4, Interesting)
You know, when you read that a distro had XXX CVEs in 2016, you kinda expect those CVEs are about the latest stable release of Ubuntu, Fedora, Debian, RedHat, etc.
Not so in this report. You'll ALSO get CVEs that are relevant only to older versions of the distro added to that distro's 2016 count in this report (RTFA and check it!). They didn't restrict it to the current [in 2016] stable version of the distro/product.
As far as I am concerned, this report is irrelevant, because you can't really get any real-world use of it other than deceptive marketing (either pro or contra).
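Added example, not from the article or any commenter: a recount over constructed CVE records that reproduces the two counting effects raised in this thread, a bug shared by several products of one vendor (counted once for the vendor but once per product, which is how per-product totals can exceed the vendor total) and CVEs that only touch superseded releases still landing in a product's yearly count. All IDs, vendor names, product names and versions are placeholders.

```python
"""Recount constructed CVE records the way a vulnerability-stats site might."""
from collections import defaultdict
from typing import Dict, NamedTuple, Tuple


class Affected(NamedTuple):
    vendor: str
    product: str
    versions: Tuple[str, ...]   # versions the advisory lists as affected


class CveRecord(NamedTuple):
    cve_id: str
    affected: Tuple[Affected, ...]


# Constructed sample data: IDs, vendors, products and versions are placeholders.
SAMPLE = (
    # one shared decoder bug listed against two products of the same vendor
    CveRecord("CVE-0000-0001", (Affected("ExampleVendor", "Reader", ("1.0", "2.0")),
                                Affected("ExampleVendor", "Acrobat", ("1.0", "2.0")))),
    # a bug that only affects an old Reader release, not the current one
    CveRecord("CVE-0000-0002", (Affected("ExampleVendor", "Reader", ("1.0",)),)),
    CveRecord("CVE-0000-0003", (Affected("ExampleVendor", "Flash", ("9.0",)),)),
    CveRecord("CVE-0000-0004", (Affected("ExampleVendor", "Reader", ("2.0",)),
                                Affected("ExampleVendor", "Acrobat", ("2.0",)),
                                Affected("ExampleVendor", "Flash", ("10.0",)))),
    # one kernel bug counted again by the distribution that ships that kernel
    CveRecord("CVE-0000-0005", (Affected("OtherVendor", "Kernel", ("4.4", "4.8")),
                                Affected("DistroVendor", "Distro", ("16.04",)))),
)

# Constructed "current stable release" of each product at counting time.
CURRENT_RELEASE = {"Reader": "2.0", "Acrobat": "2.0", "Flash": "10.0",
                   "Kernel": "4.8", "Distro": "16.04"}


def count_per_product(records) -> Dict[str, int]:
    """Distinct CVE IDs per product, any version (the headline per-product figure)."""
    seen = defaultdict(set)
    for rec in records:
        for aff in rec.affected:
            seen[aff.product].add(rec.cve_id)
    return {p: len(ids) for p, ids in seen.items()}


def count_per_vendor(records) -> Dict[str, int]:
    """Distinct CVE IDs per vendor: a bug shared by several products counts once."""
    seen = defaultdict(set)
    for rec in records:
        for aff in rec.affected:
            seen[aff.vendor].add(rec.cve_id)
    return {v: len(ids) for v, ids in seen.items()}


def count_per_product_current(records, current=CURRENT_RELEASE) -> Dict[str, int]:
    """Distinct CVE IDs per product, keeping only those that hit the current release."""
    seen = defaultdict(set)
    for rec in records:
        for aff in rec.affected:
            if current.get(aff.product) in aff.versions:
                seen[aff.product].add(rec.cve_id)
    return {p: len(ids) for p, ids in seen.items()}


if __name__ == "__main__":
    print("per product  :", count_per_product(SAMPLE))
    print("per vendor   :", count_per_vendor(SAMPLE))
    print("current only :", count_per_product_current(SAMPLE))
```

With this data the three ExampleVendor products sum to 7 CVEs while the vendor itself has only 4, and restricting to current releases drops Reader from 3 to 2 and Flash from 2 to 1.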
Re: (Score:2)
As far as I am concerned, this report is irrelevant, because you can't really get any real-world use of it other than deceptive marketing (either pro or contra).
This report typifies the high level of hard-hitting analysis we've already come to expect from bleepingcomputer.com during its short existence. And, since their posts get submitted to Slashdot regularly, thankfully we can expect much, much more of the same going forward.
Re: (Score:2)
...As far as I am concerned, this report is irrelevant, because you can't really get any real-world use of it other than deceptive marketing (either pro or contra).
Statistics. Love them.
Go Linux (Score:2)
Any press is good press!
Candlejack (Score:1)
But were the suppliers sending patches? (Score:1)
But were the suppliers of these android devices sending patches? My Nexus gets more security updates than my Samsung ever did. I think the bugs are fixed, just never pushed out by manufacturers.
Re: (Score:1)
Which is why the manufacturer shouldn't be in charge, or even allowed, to provide the updates. It should come from Google directly.
Of course, that will never happen with Samsung. They hate Google even more than they hate Apple, and want their own ecosystem.
Re: But were the suppliers sending patches? (Score:2)
To a certain extent, Google HAS been isolating more & more potentially-vulnerable libraries used by the OS itself into packages that can be updated through Google Play (like WebView). Kernel-level stuff still requires manufacturers to fix, but Google can fix a newly-discovered JavaScript vulnerability and deploy the fix to semi-recent devices all by itself.
I'm not totally sure where the AppCompat library/framework fits in... I think it's statically compiled into the .apk at build time, but I'd be shocke
Re: (Score:2)
Which is why the manufacturer shouldn't be in charge, or even allowed, to provide the updates. It should come from Google directly.
How would that work? Thousands of unique devices with arbitrary hardware and drivers. Google is going to manage unique Android dists for all of those devices, including testing? People that suggest this type of thing have a profound misunderstanding about the nature of Android. It's not Windows or anything close to it, where it runs on well-defined and standardized hardware. Every device is different in ways that only the manufacturer, SoC vendor, and other hardware providers can code to.
The only way something l
Re: (Score:2)
The problem, in my opinion, is when the carrier gets involved with updates. They are a 3rd party inserting themselves into your relationship with the manufacturer of the device you purchased for no reason other than their own benefit.
You are correct in my experience. I had the pleasure of working for a company that made Android phones (one of the smaller ones). For every carrier they had unique builds with different software that needed to be QA'd separately.
Of course, carriers get to demand that (unless you are Apple I guess). If you don't comply, they just go with a different vendor that'll abide by their rules. By "go with", I mean advertise those phones and sell them in their stores and give discounts on them and offer payments plan
Too stupid (Score:2)
Re: (Score:1)
Some of them can't even write an entire headline correctly.
Adobe: Truly solid products (Score:5, Interesting)
A document viewer had as many vulnerabilities as AN ENTIRE OPERATING SYSTEM.
Re: (Score:1)
Glad to see I wasn't the only one thinking this :-)
Wow, just... wow.
Re: (Score:3)
Oh it's so much worse than that though. Adobe Reader has existed since loooooong before Android was even conceptualized. How often does the PDF format change that the reader requires lots of active development which is a vector for introducing bugs? Reader should be bullet proof by now. The one and only time I've had a machine infected was a decade ago with Adobe Reader from a website that sent me a PDF that exploited it. I knew exactly the attack vector because the Adobe Reader splash window popped up
Re: (Score:2)
According to Adobe's standards site [adobe.com], the last published change was in 2009. You'd think they'd have Reader pretty solid by now.
Novell? (Score:2)
Novell? Are people still using NetWare or GroupWise? WOW
I'm currently not working, cruising on a sailboat in Mexico, but if anybody needs a CNE I could use a little $$$.
Re: (Score:2)
Nah, they've just assigned all the SuSE stuff to Novell.
Congratulations to Android! (Score:1)
Statistics (Score:2)
This is why I like the walled garden (Score:1)
Whenever I see an Android user running an antivirus on his smartphone, I genuflect toward Cupertino and give thanks that I don't have to go through that.
Apples and oranges (Score:4, Insightful)
They put the Linux kernel, Linux distros, Android and apps in the same list.
Android and Linux distros contain the Linux kernel.
There isn't much to Linux distros besides testing and maintenance; they are mostly a collection of third-party software.
So, for example, is a bug in the Linux kernel also a bug in Ubuntu? Is it still a bug if there is some kind of mitigation in place?
Re: Apples and oranges (Score:2)
If it's in the default install then surely some of the onus is on the distro builder to audit the code. It's not like it's unavailable.
Re: (Score:2)
I assume people do pay attention to default installs. However, I've loaded distros with multiple development environments and office suites, so not only is there more code to vet, it's misleading in bugs per unit functionality.
Apples vs. Oranges (Score:5, Insightful)
Re: (Score:2)
Re: (Score:2)
Comparing an operating system to Acrobat Reader? The real question is, why should a text rendering application have half as many bugs as an entire OS?
Unless someone actually defines "bug," then what's the point of even discussing it?
Not a single CVE against software I work on. (Score:1)
Guess it's pretty much perfect!
How are the BSDs? (Score:2)
Re: (Score:1)
Somebody has to use the software for someone to report a bug. :)
Yeah, but... (Score:1)
... which version of Android?
Re: (Score:2)
Re: "Oracle the" what? (Score:2)
Mishmash more like.
Re: (Score:2)
Most of all that is FOSS, with the exception of Adobe (of course).
Exactly, and by organizations that have a well defined CVE policy so they generate a lot more CVEs than proprietary companies (like MSFT, Apple, Oracle, etc).
Oh, and don't forget that probably all those Linux Kernel CVEs also had a Debian/Ubuntu/Red Hat CVE filed too - so multiple countings - since CVEs are a form of notification; often by the time the CVE is filed for a FOSS project it has also already been fixed; unlike non-FOSS organizations...
Re: (Score:3)
Judging by the summary, the rating is nearly worthless. E.g., Debian is a suite of about 1000 programs, so comparing it against any one other program is obviously silly. From the summary I can't decide whether they did something similar to the "Android OS", but they could well have. And anything that includes Flash will clearly have all the vulnerabilities that Flash does.
Now let's consider the difficulty of judging the seriousness of something given that we are only told it's a vulnerability...
Re: (Score:3)
Probably - if the list I saw is anything to go by, the first 3 items were specific to a single vendor/handset, yet were listed as "Android" bugs... I'll wager that the vendor had (as is their habit) been tinkering, and got it wrong...
Re: (Score:3, Informative)
No, the "thousand eyes" gets bugs fixed. The proprietary bugs are only known by your enemies, and are not being fixed.
Re: (Score:3)
No, the "thousand eyes" gets bugs fixed. The proprietary bugs are only known by your enemies, and are not being fixed.
Yes, but for Android, it doesn't matter much if the bugs get fixed as long as the vendors stop providing OS updates/upgrades while there are still a substantial number of devices being used.
Re: (Score:2)
known by your enemies, and are not being fixed
ftfy
Re: What if you hate both? (Score:2)
iOS updates don't cost anything.
Re: What if you hate both? (Score:2)
Why do you need to buy a new phone? The 5 is still getting updates and that was released in 2012.
Re: (Score:2)
I'll tell you later. [damnlol.com]