Slashdot is powered by your submissions, so send in your scoop

 



Forgot your password?
typodupeerror
×
Google Android Security

Android Was 2016's Most Vulnerable Product, Oracle the (bleepingcomputer.com) 147

An anonymous reader writes: According to CVE Details, a website that aggregates historical data on security bugs that have received a CVE identifier, during 2016, security researchers have discovered and reported 523 security bugs in Google's Android OS, winner by far of this "award." The rest of the top 10 is made up by Debian (319 bugs), Ubuntu (278 bugs), Adobe Flash Player (266 bugs), openSUSE Leap (259 bugs), openSUSE (228 bugs), Adobe Acrobat DC (227 bugs), Adobe Acrobat Reader DC (227 bugs), Adobe Acrobat (224 bugs), and the Linux Kernel (216 bugs).

When it comes to software vendors, the company for which the largest number of new CVE numbers have been assigned was Oracle, with a whopping 798 CVEs, who edged out Google (698 bugs), Adobe (548 bugs), Microsoft (492 bugs), Novell (394), IBM (382 bugs), Cisco (353 bugs), Apple (324 bugs), Debian Project (320 bugs), and Canonical (280 bugs).

This discussion has been archived. No new comments can be posted.

Android Was 2016's Most Vulnerable Product, Oracle the

Comments Filter:
  • by Anonymous Coward

    Look how they've stagnated. They're not even at the top of the CVE list. Jeez, get rid of Tim Cook already. We want more bugs.

    • Give 'em a chance, they've held the championship three times with OSX - immediately prior to this round in 2015, and in 2008 (tied with Firefox), and 2006.

    • by kuzb ( 724081 )
      They're more interested in charging you more money for feature incomplete folding phones which is so much more brave than everyone else. They don't have time to be concerned about such things.
  • Oracle the (Score:5, Funny)

    by Anonymous Coward on Wednesday January 04, 2017 @12:26PM (#53604833)

    I think you a word.

  • by Anonymous Coward

    Windows 10 had Less vulnerabilities that linux and Mac... AHAHAHAHAHAHAHA

    • Re: (Score:2, Insightful)

      by Anonymous Coward
      Ask Achilles how that works out.
    • by lgw ( 121541 )

      Windows 10 had Less vulnerabilities that linux and Mac... AHAHAHAHAHAHAHA

      I'm not surprised by Windows doing well - MS go their act together around WIn7 time. (Too many Slashdotters are still stuck in the 90s.) I am surprised IE wasn't a top contender - maybe it's dwindling share protects it?

    • by stooo ( 2202012 )

      In Windows world, Vulnerabilities are Features, so there aren't any Vulnerabilities.

      • In Windows world, Vulnerabilities are Features, so there aren't any Vulnerabilities.

        You got that right, fer sher. When someone at corporation x that purchases 200,000 licenses and needs a change in the OS to serve their needs, code is changed in a library or executable (or both) by MS to accommodate without taking into account all that it can introduce a weakness or bug when combined with other changes/additions. I don't think it's Humanly possible to have a corporation that's profitable when it is taking every single change into account and monitoring every other change and testing agai

        • True, it's not possible to test every combination in a huge system.

          However, some obviously do a whole hell of a lot better than certain others! 8-P

    • Windows 10 had Less vulnerabilities that linux and Mac... AHAHAHAHAHAHAHA

      And Microsoft has a very strict policy on what gets filed for a CVE; while open source folks file CVEs very often.

    • Spin it any way you wish. I still feel more secure with Linux than I ever would with Windows 10.

    • So, you're saying all those problems and annoyances are just W10 working as designed?

  • by Anonymous Coward

    duh

    • You mean not all bugs carry the same weight? But I really needed a metric to prove product A is better than product B.

      • You mean not all bugs carry the same weight? But I really needed a metric to prove product A is better than product B.

        That's why MS loves "{mumble}found: 12,342,472, Fixed: 12,342,101".

        Where the metric for "fixed and released to all vulnerable machines before the next bi-weekly release scheduled date"? I want that metric!

    • by TheRaven64 ( 641858 ) on Wednesday January 04, 2017 @12:56PM (#53605091) Journal
      True, however Android also suffers from very long delays between serious vulnerability being found and the majority of network-connected installs being patched. The combination of that and a large number of vulnerabilities is pretty bad.
      • by AmiMoJo ( 196126 )

        Not really, Google mitigates issues via Play very quickly and almost all network connected devices quietly roll out the fixes with no interaction from the user.

        That's why you see big botnets made of IoT devices and old Wordpress installs - people don't install the updates. Android vulnerabilities get mitigated quickly and widely.

        • That's why all Android devices are on the latest build of Nougat with all security fixes applied. Or not.

          • by darkain ( 749283 )

            Security fixes are backported. Settings > About Device > Android Security Patch Level & Security Software Version. Plus individual APKs are patched automatically via the Play Store

          • by AmiMoJo ( 196126 )

            You know how Windows 8 still gets security patches, despite Windows 10 being the latest version? Or how LTS versions of Debian are still fairly secure and well supported with patches, despite being old?

            Not being on the latest version of the OS doesn't mean no security patches.

            • by Qzukk ( 229616 )

              My HTC EVO 4g still stands by for days without recharging, and hasn't gotten a single damn update - security or otherwise - since around 2012. I only got a new phone last year because Sprint shut down the 4G WiMax signal [rcrwireless.com] it used in favor of 4G LTE.

              Not buying a new phone every 2 years means no security patches.

              • by AmiMoJo ( 196126 )

                Does your old 4g have Play? Do the apps installed from Play get updated? If so, that phone is getting updates, including to the OS.

                • by Qzukk ( 229616 )

                  It does, it doesn't, it's got android 2.3.5 and a kernel compiled in 2012. The webkit version on it is so old it can't use the play store's (and many other websites) encryption cipher, and the android version on it is too old to install Chrome.

            • Being on Android quite often does mean no security patches. That's why I stopped buying Android phones. Are the OEMs such as Samsung any better now? The iPhone 5 is still getting updates 4 years after release. Any Android phones, even the ones that cost a similar account, getting that kind of support? I have a Galaxy Note 2 released a couple of months later that didn't go any further than KitKat and it took bloody ages for Samsung to do that.

              • by AmiMoJo ( 196126 )

                The patches come via Play.

                • How many of these have been fixed via Play or otherwise for all Android versions still in use? http://www.techworld.com/secur... [techworld.com]

                • by trparky ( 846769 )
                  But if the exploit is in the kernel no amount of "Play" patches will fix it since the "Play" service is running on top of the kernel. You can't patch the kernel, only the vendor can.
                  • by trparky ( 846769 )
                    For instance... QuadRooter, many devices are still vulnerable and won't be patched. The kernel itself is vulnerable, no amount of "Play" patches will fix this since it's a vulnerability much lower on the software stack than the "Play" services.

                    Same goes for Stagefright. You can mitigate some of the issues with this but mitigations can only go so far, you still need to patch the underlying library and again, no amount of "Play" patches will fix this since it's controlled by the vendor.
                  • by AmiMoJo ( 196126 )

                    Sure, but if you cut off the ability for the exploit to actually get as far as the kernel, then the problem is mitigated. These days no-one relies on just one layer of security, it's always multiple layers.

                    • by trparky ( 846769 )
                      But like I said, you can get around the mitigations. The best and only option should be to patch the vulnerability itself and not rely on something else to stop it.
                    • by AmiMoJo ( 196126 )

                      If you have get around the mitigation, surely you can get around the fix to the kernel too, and in fact get around any security measures. Nothing can ever be secure because you can "get around" it.

      • True, however Android also suffers from very long delays between serious vulnerability being found and the majority of network-connected installs being patched. The combination of that and a large number of vulnerabilities is pretty bad.

        It's not good, certainly, but it's not as bad as that makes it appear, at least not for users who stick with the Google Play store, and even users who don't but leave "Verified Apps" turned on. The Play store is pre-vetted and Verified Apps checks sideloads and apps from other stores. Both of those mechanisms can fail because things can slip through the cracks, but it's an another (large) hurdle that attackers have to jump through to get malicious code onto user devices.

        In addition, the slow update issue

  • by Anonymous Coward on Wednesday January 04, 2017 @12:35PM (#53604907)

    The number of bugs opened with a given software product says very little about how "vulnerable" the product may be. The most ubiquitous (widely-deployed) products are bound to be subject to the greatest number of "bug reports" (CVEs), by virtue of the fact that they are "under the microscope" and so broadly used. It is no coincidence that the most bug reports have been filed for the most popular software products.

    • by Anonymous Coward

      It's totally believable that Android was among the worst (it's sort of the new Windows), although Windows itself is said to still exist and be used by someone, so I kind of doubt Android really got the very top spot, but .. maybe.

      But, yeah.. when you look at what the article is counting ("CVE"s) you realize that it's an arbitrary thing, so if their list happens to match reality, that's just a coincidence.

      And you'd expect the least secure stuff to not even be on this article's radar, precisely because it d

    • Re: (Score:3, Interesting)

      by Anonymous Coward

      Larger more complex products have more bugs.
      Products with larger user bases discover more bugs.

      What we are measuring hear is the largest most used products.

      I believe that means that 2016 was the year of the Ubuntu and Debian desktop! (and to a lesser extent openSUSE)

      Though I find the whole things suspect when Adobe has 904 bugs across 4 products in the top 10 but only 548 total.

      • by darkain ( 749283 )

        Certain bugs are the same bug in multiple products, so for a company total it is counted once but is also counted for each individual application. Think of this like a bug in a PNG decoder, using the exact same decoder in Photoshop and Illustrator. "Adobe" has 1 bug, but each application also has 1 bug each.

    • by e r ( 2847683 )

      It is no coincidence that the most bug reports have been filed for the most popular software products.

      Agreed. So we shouldn't interpret this article solely as an indictment of these products for being crappy.
      Instead we should interpret this article as spotlighting the most popular companies and their products.

      None the less, the fact that Oracle stands so far above the crowd does seem to imply that they're not doing something as well as they might. In particular since most of the members of that crowd are distributing software that is more complicated than a database-- entire operating systems, infrastruc

      • by Cederic ( 9623 )

        MySQL is a fucking Oracle product.
        As is Java and three hundred enterprise grade applications and technologies.

        Including operating systems, infrastructure that undergirds the entire web, etc.

        Shit, there are plenty of things wrong with Oracle but their appearance on this list? Purely and entirely a consequence of their massive product portfolio.

    • The most ubiquitous (widely-deployed) products are bound to be subject to the greatest number of "bug reports" (CVEs), by virtue of the fact that they are "under the microscope" and so broadly used.

      Open source products also get a boost, by dint of the simple fact that finding bugs is easier. Security researchers try to focus their time on the most-used software rather than the easiest-to-analyze software, but the time spent on easy-to-analyze software often generates more bugs. This is exacerbated when there is an entity that pays out good cash for vulnerability reports. Android's bug reports jumped significantly when Google began paying bounties, for example, but that doesn't mean the platform got le

    • by Nelson ( 1275 )

      To the extent that they're not sold on the black market.

      A really good exploitable bug on very popular platforms is very valuable. The numbers of reported CVEs have been dropping industry wide, not because of better development practices...

  • commentsubject (Score:4, Insightful)

    by Falos ( 2905315 ) on Wednesday January 04, 2017 @12:35PM (#53604913)
    Oh boy a point metrics ranking list highscore chart golf game.

    Security bug 1) Erroneous password entry reveals critical details in the rejection prompt, like the confirmed existence of an account name.
    Security bug 2) Throwing in a parentheses and semicolon allows mass queries and a full DB dump of cleartext passwords.

    One point each, equally vulnerable.
    • One point each, equally vulnerable.

      Not to mention that the vast majority of vulnerabilities in Android were highly specific or mitigated by its security model. We've seen CVEs issued for things that can't actually be exploited due its use of SELinux.

      Plus if you look at the actual CVEs you'll find that 90% or so have nothing to do with Android and everything to do with Qualcomm, Synaptics, Samsung, etc writing dodgy drivers and doing a shoddy job and bolting things into "Google Android".

  • The couting fiasco (Score:4, Interesting)

    by Anonymous Coward on Wednesday January 04, 2017 @12:36PM (#53604919)

    You know, when you read that had XXX CVEs on year 2016, you kinda expect those CVEs are about that latest stable release for in Ubuntu, Fedora, Debian, RedHat, etc.

    Not so in this report. You'll ALSO get CVEs that are relevant only to older versions of the distro added to that distro's 2016 count in this report (RTFA and check it!). They didn't restrict it to the current [in 2016] stable version of the distro/product.

    As far as I am concerned, this report is irrelevant, because you can't really get any real-world use of it other than deceptive marketing (either pro or contra).

    • As far as I am concerned, this report is irrelevant, because you can't really get any real-world use of it other than deceptive marketing (either pro or contra).

      This report typifies the high level of hard-hitting analysis we've already come to expect from bleepingcomputer.com during its short existence. And, since their posts gets submitted to Slashdot regularly, thankfully we can expect much much more of the same going forward.

    • ...As far as I am concerned, this report is irrelevant, because you can't really get any real-world use of it other than deceptive marketing (either pro or contra).

      Statistics. Love them.

  • Any press is good press!

  • Good that Candlejack is no edit-
  • by Anonymous Coward

    But were the suppliers of these android devices sending patches? My Nexus gets more security updates than my Samsung ever did. I think the bugs are fixed, just never pushed out by manufacturers.

    • by Anonymous Coward

      Which is why the manufacturer shouldn't be in charge, or even allowed, to provide the updates. It should come from Google directly.

      Of course, that will never happen with Samsung. They hate Google even more than they hate Apple, and want their own ecosystem.

      • To a certain extent, Google HAS been isolating more & more potentially-vulnerable libraries used by the OS itself into packages that can be updated through Google Play (like WebView). Kernel-level stuff still requires manufacturers to fix, but Google can fix a newly-discovered Javascript vulnerability and deploy the fix to semi-recent devices all by itself.

        I'm not totally sure where the AppCompat library/framework fits in... I think it's statically compiled into the .apk at build time, but I'd be shocke

      • Which is why the manufacturer shouldn't be in charge, or even allowed, to provide the updates. It should come from Google directly.

        How would that work? Thousands of unique devices with arbitrary hardware and drivers. Google is going to manage unique Android dists for all of those devices including testing? People that suggest this type of thing have a profound misunderstand about the nature of Android. It's not Windows or anything close to it where it runs on well-defined and standardized hardware. Every device is different in ways that only the manufacturer, SoC vendor, and other hardware providers can code to.

        The only way something l

  • Humans are too stupid to write good software
    • by Anonymous Coward

      Some of them can't even write an entire headline correctly.

  • by MobyDisk ( 75490 ) on Wednesday January 04, 2017 @12:48PM (#53605021) Homepage

    A document viewer had as many vulnerabilities as AN ENTIRE OPERATING SYSTEM.

    • by Anonymous Coward

      Glad to see I wasn't the only one thinking this :-)
      Wow, just... wow.

    • Oh it's so much worse than that though. Adobe Reader has existed since loooooong before Android was even conceptualized. How often does the PDF format change that the reader requires lots of active development which is a vector for introducing bugs? Reader should be bullet proof by now. The one and only time I've had a machine infected was a decade ago with Adobe Reader from a website that sent me a PDF that exploited it. I knew exactly the attack vector because the Adobe Reader splash window popped up

  • Novell? Are people still using NetWare or GroupWise? WOW

    I'm currently not working, cruising on a sailboat in Mexico, but if anybody needs a CNE I could use a little $$$.

  • You FINALLY beat Adobe!!!
  • I like how statistics works, by looking at this chart i can say Apple is on the top: http://www.cvedetails.com/vend... [cvedetails.com]
  • Whenever I see an Android user running an antivirus on his smartphone, I genuflect toward Cupertino and give thanks that I don't have to go through that.

  • Apples and oranges (Score:4, Insightful)

    by GuB-42 ( 2483988 ) on Wednesday January 04, 2017 @01:36PM (#53605413)

    They put the linux kernel, linux distos, Android and apps in the same list.
    Android and linux distros contain the linux kernel
    There isn't much to linux distros besides testing and maintenance, there are mostly a collection of third-party software.

    So, for example, is a bug in the linux kernel also a bug in Ubuntu? Is is still a but if there is some kind of mitigation in place?

    • If it's in the default install then surely some of the onus is on the distro builder to audit the code. It's not like it's unavailable.

      • I assume people do pay attention to default installs. However, I've loaded distros with multiple development environments and office suites, so not only is there more code to vet, it's misleading in bugs per unit functionality.

  • Apples vs. Oranges (Score:5, Insightful)

    by RealGene ( 1025017 ) on Wednesday January 04, 2017 @01:43PM (#53605457)
    Comparing an operating system to Acrobat Reader? The real question is, why should a text rendering application have half as many bugs as an entire OS?
    • It shouldn't have *ANY* bugs. But adobe also thought that it should be able to execute scripts from web based sources. That's the kicker.
    • Comparing an operating system to Acrobat Reader? The real question is, why should a text rendering application have half as many bugs as an entire OS?

      Unless someone actually defines "bug," then what't the point to even discuss it.

  • Guess it's pretty much perfect!

  • I didn't see the BSDs in the list - OpenBSD, FreeBSD, NetBSD. How are they compared to Android, Linux, Windows and Apple OSs?
  • ... which version of Android?

Genius is ten percent inspiration and fifty percent capital gains.

Working...