Android Was 2016's Most Vulnerable Product, Oracle the (bleepingcomputer.com)
An anonymous reader writes: According to CVE Details, a website that aggregates historical data on security bugs that have received a CVE identifier, during 2016 security researchers discovered and reported 523 security bugs in Google's Android OS, winner by far of this "award." The rest of the top 10 is made up of Debian (319 bugs), Ubuntu (278 bugs), Adobe Flash Player (266 bugs), openSUSE Leap (259 bugs), openSUSE (228 bugs), Adobe Acrobat DC (227 bugs), Adobe Acrobat Reader DC (227 bugs), Adobe Acrobat (224 bugs), and the Linux Kernel (216 bugs).
When it comes to software vendors, the company to which the largest number of new CVE numbers were assigned was Oracle, with a whopping 798 CVEs, edging out Google (698 bugs), Adobe (548 bugs), Microsoft (492 bugs), Novell (394 bugs), IBM (382 bugs), Cisco (353 bugs), Apple (324 bugs), Debian Project (320 bugs), and Canonical (280 bugs).
Re:Poor Quality (Score:4, Informative)
No, the "thousand eyes" gets bugs fixed. The proprietary bugs are only known by your enemies, and are not being fixed.
known by your enemies, and are not being fixed
Mishmash more like.
Windows 10 had fewer vulnerabilities than Linux and Mac... AHAHAHAHAHAHAHA
I'm not surprised by Windows doing well - MS got their act together around Win7 time. (Too many Slashdotters are still stuck in the 90s.) I am surprised IE wasn't a top contender - maybe its dwindling share protects it?
In Windows world, Vulnerabilities are Features, so there aren't any Vulnerabilities.
You mean not all bugs carry the same weight? But I really needed a metric to prove product A is better than product B.
Re:most vulnerabilities != most vulnerable (Score:4, Informative)
Not really, Google mitigates issues via Play very quickly and almost all network connected devices quietly roll out the fixes with no interaction from the user.
That's why you see big botnets made of IoT devices and old Wordpress installs - people don't install the updates. Android vulnerabilities get mitigated quickly and widely.
True, however Android also suffers from very long delays between a serious vulnerability being found and the majority of network-connected installs being patched. The combination of that and a large number of vulnerabilities is pretty bad.
It's not good, certainly, but it's not as bad as that makes it appear, at least not for users who stick with the Google Play store, and even users who don't but leave "Verified Apps" turned on. The Play store is pre-vetted and Verified Apps checks sideloads and apps from other stores. Both of those mechanisms can fail because things can slip through the cracks, but it's another (large) hurdle that attackers have to jump through to get malicious code onto user devices.
In addition, the slow update issue
Number of bugs is hardly a valuable metric here... (Score:4, Insightful)
The number of bugs opened with a given software product says very little about how "vulnerable" the product may be. The most ubiquitous (widely-deployed) products are bound to be subject to the greatest number of "bug reports" (CVEs), by virtue of the fact that they are "under the microscope" and so broadly used. It is no coincidence that the most bug reports have been filed for the most popular software products.
It's totally believable that Android was among the worst (it's sort of the new Windows), although Windows itself is said to still exist and be used by someone, so I kind of doubt Android really got the very top spot, but
But, yeah.. when you look at what the article is counting ("CVE"s) you realize that it's an arbitrary thing, so if their list happens to match reality, that's just a coincidence.
And you'd expect the least secure stuff to not even be on this article's radar, precisely because it d
Larger more complex products have more bugs.
Products with larger user bases discover more bugs.
What we are measuring here is the largest, most used products.
I believe that means that 2016 was the year of the Ubuntu and Debian desktop! (and to a lesser extent openSUSE)
Though I find the whole things suspect when Adobe has 904 bugs across 4 products in the top 10 but only 548 total.
It is no coincidence that the most bug reports have been filed for the most popular software products.
Agreed. So we shouldn't interpret this article solely as an indictment of these products for being crappy.
Instead we should interpret this article as spotlighting the most popular companies and their products.
Nonetheless, the fact that Oracle stands so far above the crowd does seem to imply that they're not doing something as well as they might. In particular since most of the members of that crowd are distributing software that is more complicated than a database-- entire operating systems, infrastruc
The most ubiquitous (widely-deployed) products are bound to be subject to the greatest number of "bug reports" (CVEs), by virtue of the fact that they are "under the microscope" and so broadly used.
Open source products also get a boost, by dint of the simple fact that finding bugs is easier. Security researchers try to focus their time on the most-used software rather than the easiest-to-analyze software, but the time spent on easy-to-analyze software often generates more bugs. This is exacerbated when there is an entity that pays out good cash for vulnerability reports. Android's bug reports jumped significantly when Google began paying bounties, for example, but that doesn't mean the platform got le
To the extent that they're not sold on the black market.
A really good exploitable bug on very popular platforms is very valuable. The numbers of reported CVEs have been dropping industry wide, not because of better development practices...
Security bug 1) Erroneous password entry reveals critical details in the rejection prompt, like the confirmed existence of an account name.
Security bug 2) Throwing in a parenthesis and semicolon allows mass queries and a full DB dump of cleartext passwords.
One point each, equally vulnerable.
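The two bugs the comment above describes, side by side with their fixes, as an added example that is not part of the thread or of the CVE Details report. It assumes a constructed in-memory sqlite3 table of two users with cleartext passwords (kept cleartext only so the dump is visible; real systems store salted hashes), and uses the payload ' OR '1'='1 instead of the comment's parenthesis-and-semicolon payload, because Python's sqlite3 refuses more than one statement per execute() call.

```python
import hmac
import sqlite3


def make_db():
    """Constructed sample data: two accounts with cleartext passwords (demo only)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT PRIMARY KEY, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "hunter2"), ("bob", "s3cret")])
    conn.commit()
    return conn


# --- Bug 2: the lookup builds SQL by string concatenation, so the user-supplied
# name can rewrite the WHERE clause and return every row, passwords included.
def find_user_vulnerable(conn, name):
    sql = "SELECT name, password FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


# --- Bug 1: the rejection message differs depending on whether the account
# exists, so a failed login confirms valid usernames to the attacker.
def login_vulnerable(conn, name, password):
    rows = find_user_vulnerable(conn, name)
    if not rows:
        return (False, "no such account")      # leaks: account does not exist
    if rows[0][1] != password:
        return (False, "wrong password")       # leaks: account does exist
    return (True, "ok")


# --- Fix for bug 2: a parameterised query; the name is bound as data, never
# spliced into the SQL text, so ' OR '1'='1 is just a (nonexistent) username.
def find_user_safe(conn, name):
    return conn.execute(
        "SELECT name, password FROM users WHERE name = ?", (name,)
    ).fetchall()


# --- Fix for bug 1: one generic message for both failure cases, and a
# constant-time comparison run on both paths so timing does not leak either.
def login_safe(conn, name, password):
    rows = find_user_safe(conn, name)
    stored = rows[0][1] if rows else ""        # dummy value keeps the code path uniform
    matched = hmac.compare_digest(stored.encode(), password.encode())
    if rows and matched:
        return (True, "ok")
    return (False, "invalid username or password")


if __name__ == "__main__":
    db = make_db()
    payload = "' OR '1'='1"
    print("vulnerable lookup with payload:", find_user_vulnerable(db, payload))
    print("vulnerable login, unknown user:", login_vulnerable(db, "carol", "x"))
    print("vulnerable login, known user:  ", login_vulnerable(db, "alice", "x"))
    print("safe lookup with payload:      ", find_user_safe(db, payload))
    print("safe login, unknown user:      ", login_safe(db, "carol", "x"))
    print("safe login, known user:        ", login_safe(db, "alice", "x"))
```

Run stand-alone, the vulnerable lookup returns both rows with their passwords for the injected name while the parameterised one returns nothing, and the two vulnerable rejection messages differ where the hardened login returns the same text for both. That asymmetry in impact is the commenter's point: both are one CVE each.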
You know, when you read that X had XXX CVEs in the year 2016, you kinda expect those CVEs are about the latest stable release of Ubuntu, Fedora, Debian, RedHat, etc.
Not so in this report. You'll ALSO get CVEs that are relevant only to older versions of the distro added to that distro's 2016 count in this report (RTFA and check it!). They didn't restrict it to the current [in 2016] stable version of the distro/product.
As far as I am concerned, this report is irrelevant, because you can't really get any re
Any press is good press!
But were the suppliers sending patches? (Score:1)
But were the suppliers of these android devices sending patches? My Nexus gets more security updates than my Samsung ever did. I think the bugs are fixed, just never pushed out by manufacturers.
Which is why the manufacturer shouldn't be in charge of, or even allowed to provide, the updates. It should come from Google directly.
Of course, that will never happen with Samsung. They hate Google even more than they hate Apple, and want their own ecosystem.
Re: But were the suppliers sending patches? (Score:2)
To a certain extent, Google HAS been isolating more & more potentially-vulnerable libraries used by the OS itself into packages that can be updated through Google Play (like WebView). Kernel-level stuff still requires manufacturers to fix, but Google can fix a newly-discovered Javascript vulnerability and deploy the fix to semi-recent devices all by itself.
I'm not totally sure where the AppCompat library/framework fits in... I think it's statically compiled into the .apk at build time, but I'd be shocke
Adobe: Truly solid products (Score:5, Interesting)
A document viewer had as many vulnerabilities as AN ENTIRE OPERATING SYSTEM.
Glad to see I wasn't the only one thinking this
Wow, just... wow.
Oh it's so much worse than that though. Adobe Reader has existed since loooooong before Android was even conceptualized. How often does the PDF format change that the reader requires lots of active development which is a vector for introducing bugs? Reader should be bullet proof by now. The one and only time I've had a machine infected was a decade ago with Adobe Reader from a website that sent me a PDF that exploited it. I knew exactly the attack vector because the Adobe Reader splash window popped up
Novell? Are people still using NetWare or GroupWise? WOW
I'm currently not working, cruising on a sailboat in Mexico, but if anybody needs a CNE I could use a little $$$.
Nah, they've just assigned all the SuSE stuff to Novell.
This is why I like the walled garden (Score:2)
Whenever I see an Android user running an antivirus on his smartphone, I genuflect toward Cupertino and give thanks that I don't have to go through that.
Apples and oranges (Score:2)
They put the Linux kernel, Linux distros, Android and apps in the same list.
Android and linux distros contain the linux kernel
There isn't much to Linux distros besides testing and maintenance; they are mostly a collection of third-party software.
So, for example, is a bug in the Linux kernel also a bug in Ubuntu? Is it still a bug if there is some kind of mitigation in place?