Slashdot Mirror


Android Was 2016's Most Vulnerable Product, Oracle the (bleepingcomputer.com)

An anonymous reader writes: According to CVE Details, a website that aggregates historical data on security bugs that have received a CVE identifier, during 2016 security researchers discovered and reported 523 security bugs in Google's Android OS, winner by far of this "award." The rest of the top 10 is made up by Debian (319 bugs), Ubuntu (278 bugs), Adobe Flash Player (266 bugs), openSUSE Leap (259 bugs), openSUSE (228 bugs), Adobe Acrobat DC (227 bugs), Adobe Acrobat Reader DC (227 bugs), Adobe Acrobat (224 bugs), and the Linux Kernel (216 bugs).

When it comes to software vendors, the company with the largest number of new CVE numbers assigned was Oracle, with a whopping 798 CVEs, edging out Google (698 bugs), Adobe (548 bugs), Microsoft (492 bugs), Novell (394), IBM (382 bugs), Cisco (353 bugs), Apple (324 bugs), Debian Project (320 bugs), and Canonical (280 bugs).

147 comments

  1. Stupid Apple by Anonymous Coward · · Score: 1, Funny

    Look how they've stagnated. They're not even at the top of the CVE list. Jeez, get rid of Tim Cook already. We want more bugs.

    1. Re:Stupid Apple by GameboyRMH · · Score: 0

      Give 'em a chance, they've held the championship three times with OSX - immediately prior to this round in 2015, and in 2008 (tied with Firefox), and 2006.

      --
      "When information is power, privacy is freedom" - Jah-Wren Ryel
    2. Re:Stupid Apple by Anonymous Coward · · Score: 0

      I'm sure they will come bouncing back.

    3. Re:Stupid Apple by kuzb · · Score: 0

      They're more interested in charging you more money for feature incomplete folding phones which is so much more brave than everyone else. They don't have time to be concerned about such things.

      --
      BeauHD. Worst editor since kdawson.
  2. Oracle the by Anonymous Coward · · Score: 5, Funny

    I think you a word.

    1. Re:Oracle the by SlickUSA · · Score: 1

      "Oracle the most vulnerable vendor"

    2. Re:Oracle the by 93+Escort+Wagon · · Score: 1

      Oracle may be unbreakable, but its headlines aren't.

      --
      #DeleteChrome
    3. Re:Oracle the by Anonymous Coward · · Score: 0

      This is the second time this has happened just today. Are they even reading headlines before they post them?

    4. Re:Oracle the by Anonymous Coward · · Score: 0

      Main Stream Media (msm)ash should be fired.

    5. Re:Oracle the by malditaenvidia · · Score: 1

      He accidentally the whole summary.

    6. Re:Oracle the by grcumb · · Score: 1

      I think you a word.

      Yes, the entire sentence should have read:

      Android Was 2016's Most Vulnerable Product, Oracle the source of most buffer overrruns

      --
      Crumb's Corollary: Never bring a knife to a bun fight.
    7. Re:Oracle the by grcumb · · Score: 1

      I think you a word.

      Yes, the entire sentence should have read:

      Android Was 2016's Most Vulnerable Product, Oracle the source of most buffer overrruns

      Sorry, not 'overrruns'. Overrrrruns.

      Wot? I'm a Scotsman!

      --
      Crumb's Corollary: Never bring a knife to a bun fight.
    8. Re:Oracle the by Yvan256 · · Score: 1

      Blue rubber fridge dirt.

    9. Re:Oracle the by Anonymous Coward · · Score: 0

      Is railing against "Crooked Hillary" and the "MSM" still all you can do? You're fighting a fight all by yourself, while the man you're fighting for has moved on.

    10. Re:Oracle the by kuzb · · Score: 1

      You're assuming they read anything. More likely the entire submission selection process is automated by this point. It's trashdot after all.

      --
      BeauHD. Worst editor since kdawson.
    11. Re:Oracle the by arglebargle_xiv · · Score: 1

      The computer fletely, mouse and all!

    12. Re:Oracle the by K.+S.+Kyosuke · · Score: 1

      Oracle the Unfinished?

      --
      Ezekiel 23:20
  3. Poor Qualty by Anonymous Coward · · Score: 0

    Most of all that is FOSS, with the exception of Adobe (of course).

    1. Re:Poor Qualty by cfalcon · · Score: 2, Informative

      No, the "thousand eyes" gets bugs fixed. The proprietary bugs are only known by your enemies, and are not being fixed.

    2. Re:Poor Qualty by beelsebob · · Score: 1

      known by your enemies, and are not being fixed

      ftfy

    3. Re:Poor Qualty by arth1 · · Score: 2

      No, the "thousand eyes" gets bugs fixed. The proprietary bugs are only known by your enemies, and are not being fixed.

      Yes, but for Android, it doesn't matter much if the bugs get fixed as long as the vendors stop providing OS updates/upgrades while there are still a substantial number of devices being used.

    4. Re:Poor Qualty by TemporalBeing · · Score: 1

      Most of all that is FOSS, with the exception of Adobe (of course).

      Exactly, and by organizations that have a well defined CVE policy so they generate a lot more CVEs than proprietary companies (like MSFT, Apple, Oracle, etc).

      Oh, and don't forget that probably all those Linux Kernel CVEs also had a Debian/Ubuntu/Red Hat CVE filed too - so multiple countings - since CVEs are a form of notification; often by the time the CVE is filed for a FOSS project it has also already been fixed; unlike non-FOSS organizations...

      --
      Truth is like the sun. You can shut it out for a time, but it ain't goin' away. - Elvis Presley (source: imdb.com)
    5. Re:Poor Qualty by Anonymous Coward · · Score: 0

      by organizations that have a well defined CVE policy so they generate a lot more CVEs than proprietary companies

      LOL.. seriously??? you cheerleaders come up with the weirdest excuses. The Linux kernel (yes, kernel, not distribution) is buggier than the NT kernel. This is a documented fact

    6. Re:Poor Qualty by HiThere · · Score: 2

      Judging by the summary, the rating is nearly worthless. E.g., Debian is a suite of about 1000 programs, so comparing it against any one other program is obviously silly. From the summary I can't decide whether they did something similar to the "Android OS", but they could well have. And anything that includes Flash will clearly have all the vulnerabilities that Flash does.

      Now let's consider the difficulty of judging the seriousness of something given that we are only told it's a vulnerability...

      --
      I think we've pushed this "anyone can grow up to be president" thing too far.
    7. Re:Poor Qualty by Goose+In+Orbit · · Score: 2

      Probably - if the list I saw is anything to go by, the first 3 items were specific to a single vendor/handset, yet were listed as "Android" bugs... I'll wager that the vendor had (as is their habit) been tinkering, and got it wrong...

    8. Re:Poor Qualty by Anonymous Coward · · Score: 0

      The Linux kernel (yes, kernel, not distribution) is buggier than the NT kernel. This is a documented fact

      Where can I look at the source of the NT kernel to find bugs?

    9. Re: Poor Qualty by Anonymous Coward · · Score: 0

      I'd like to examine the NT kernel code to verify that, please provide link to GitHub repository thanks.

  4. "Oracle the" what? by Anonymous Coward · · Score: 0

    Oracle the most secure? Oracle the worst cut and paste editor ever? WTH msmash...

    1. Re:"Oracle the" what? by __aaclcg7560 · · Score: 1

      You didn't see that one coming.

    2. Re: "Oracle the" what? by cyber-vandal · · Score: 1

      Mishmash more like.

  5. Oracle the.... by Anonymous Coward · · Score: 0

    what?

    1. Re:Oracle the.... by R3d+M3rcury · · Score: 1
  6. That's interesting by Anonymous Coward · · Score: 1

    Windows 10 had Less vulnerabilities that linux and Mac... AHAHAHAHAHAHAHA

    1. Re:That's interesting by Anonymous Coward · · Score: 2, Insightful

      Ask Achilles how that works out.

    2. Re:That's interesting by Anonymous Coward · · Score: 0

      *fewer

    3. Re:That's interesting by lgw · · Score: 0

      Windows 10 had Less vulnerabilities that linux and Mac... AHAHAHAHAHAHAHA

      I'm not surprised by Windows doing well - MS got their act together around Win7 time. (Too many Slashdotters are still stuck in the 90s.) I am surprised IE wasn't a top contender - maybe its dwindling share protects it?

      --
      Socialism: a lie told by totalitarians and believed by fools.
    4. Re:That's interesting by stooo · · Score: 1

      In Windows world, Vulnerabilities are Features, so there aren't any Vulnerabilities.

      --
      aaaaaaa
    5. Re:That's interesting by Anonymous Coward · · Score: 0

      No, it just had fewer publicly known/published bugs.

      The open source community doesn't try to hide bugs, they expose and fix them.

    6. Re:That's interesting by TemporalBeing · · Score: 2

      Windows 10 had Less vulnerabilities that linux and Mac... AHAHAHAHAHAHAHA

      And Microsoft has a very strict policy on what gets filed for a CVE; while open source folks file CVEs very often.

      --
      Truth is like the sun. You can shut it out for a time, but it ain't goin' away. - Elvis Presley (source: imdb.com)
    7. Re:That's interesting by Anonymous Coward · · Score: 0

      People misinterpret any issue on a Windows machine as being caused by MS. IMHO Microsoft has done a lot of engineering work in their OS, which doesn't exist in others, to keep the user from sawing off their own foot. If the F/OSS culture wasn't so toxic (MS is partly to blame) it would be easier to share and adopt some of their ideas.

    8. Re:That's interesting by spatley · · Score: 2

      +1 Pedantic

    9. Re:That's interesting by chipschap · · Score: 1

      Spin it any way you wish. I still feel more secure with Linux than I ever would with Windows 10.

    10. Re: That's interesting by Anonymous Coward · · Score: 0

      Could you please provide the evidence so that I can sue the pants off Microsoft for wasting my electric power and thus contributing to global warming with their enforced automatic upgrades?

    11. Re: That's interesting by Anonymous Coward · · Score: 0

      The update process is just an executable file that runs and downloads the updates. Stop it from running (dozens of ways), or stop it from downloading (dozens of ways). It's that easy. If you're commenting on here and can't do that, you're probably the kind of person who should be forced to keep their system patched anyway.

    12. Re: That's interesting by thesupraman · · Score: 1

      Hey everyone! I found the paid msoft edge shill! Is there a prize?

    13. Re: That's interesting by Anonymous Coward · · Score: 0

      +1 speaks English like someone who passed high school.

    14. Re:That's interesting by poofmeisterp · · Score: 1

      In Windows world, Vulnerabilities are Features, so there aren't any Vulnerabilities.

      You got that right, fer sher. When someone at corporation x that purchases 200,000 licenses and needs a change in the OS to serve their needs, code is changed in a library or executable (or both) by MS to accommodate without taking into account all that it can introduce a weakness or bug when combined with other changes/additions. I don't think it's Humanly possible to have a corporation that's profitable when it is taking every single change into account and monitoring every other change and testing against it with every possible combination and random introduction of circumstances with "use over time". Don't get me wrong, you can "reposit" all you want and make all comments under the sun, but that doesn't account for Human incapability.

      If you were to ask a decision maker at Microsoft if they would rather have a bug found now that makes all machines vulnerable to being compromised, after having made $2billion, versus spending $500million now to try and account for all bugs now and delaying releases/updates, which do you think they'd pick? Come on, I'm talking Human pick, not logic pick. FOSS is no different, but there tend to be more competitive finds to get one's name out as a "savior" and +1ing their popularity for a brief second. Some get found and some don't, but there's more of a drive to find them and fix them rather than making money. Enter Google - it's not easy to fix all problems, let alone all problems in all versions of something, let alone all problems in all versions of something with manufacturers making in-the-middle non-FOSS changes, let alone all problems in all versions of something, with all problems in all versions of something with manufacturers making in-the-middle non-FOSS changes with their focus forced to be on coming up with new releases of products to make more money on sales.... I digress.

    15. Re:That's interesting by david_thornley · · Score: 1

      So, you're saying all those problems and annoyances are just W10 working as designed?

      --
      "When you have eliminated the unacceptable, whatever is left, however improbable, must be the truthiness" - Holmes
    16. Re:That's interesting by cwsumner · · Score: 1

      True, it's not possible to test every combination in a huge system.

      However, some obviously do a whole hell of a lot better than certain others! 8-P

  7. most vulnerabilities != most vulnerable by Anonymous Coward · · Score: 1

    duh

    1. Re:most vulnerabilities != most vulnerable by OrangeTide · · Score: 2

      You mean not all bugs carry the same weight? But I really needed a metric to prove product A is better than product B.

      --
      “Common sense is not so common.” — Voltaire
    2. Re:most vulnerabilities != most vulnerable by TheRaven64 · · Score: 4, Informative

      True, however Android also suffers from very long delays between a serious vulnerability being found and the majority of network-connected installs being patched. The combination of that and a large number of vulnerabilities is pretty bad.

      --
      I am TheRaven on Soylent News
    3. Re:most vulnerabilities != most vulnerable by AmiMoJo · · Score: 1

      Not really, Google mitigates issues via Play very quickly and almost all network connected devices quietly roll out the fixes with no interaction from the user.

      That's why you see big botnets made of IoT devices and old Wordpress installs - people don't install the updates. Android vulnerabilities get mitigated quickly and widely.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    4. Re:most vulnerabilities != most vulnerable by swillden · · Score: 2

      True, however Android also suffers from very long delays between serious vulnerability being found and the majority of network-connected installs being patched. The combination of that and a large number of vulnerabilities is pretty bad.

      It's not good, certainly, but it's not as bad as that makes it appear, at least not for users who stick with the Google Play store, and even users who don't but leave "Verified Apps" turned on. The Play store is pre-vetted and Verified Apps checks sideloads and apps from other stores. Both of those mechanisms can fail because things can slip through the cracks, but it's another (large) hurdle that attackers have to jump through to get malicious code onto user devices.

      In addition, the slow update issue also inflates the bug count, because people report vulnerabilities against very old versions of Android which, while they do still exist in the wild, constitute a fairly small number of devices. Often bugs still exist on newer releases but aren't exploitable on newer releases because SELinux blocks the exploit chain. By that I mean that while the reported vulnerability exists on new releases, the researchers can't find any way to use it to gain real access to anything else. So, they typically then verify that it also exists on Kit Kat (SELinux was turned on in enforcing mode in Lollipop) and submit the report, but claim it as a vulnerability on the latest version because it still exists, even if it's not usable. If Android devices were upgraded reliably they probably wouldn't even bother submitting. The Android security team is glad they do, though, since there's always the chance that some clever person could find a working exploit chain.

      Anyway, as a practical matter although Android has lots of reported vulnerabilities the ecosystem is actually quite healthy. Few devices actually getting exploited and nearly all of those only after the user went out of their way to take on extra risks.

      --
      Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
    5. Re: most vulnerabilities != most vulnerable by cyber-vandal · · Score: 1

      That's why all Android devices are on the latest build of Nougat with all security fixes applied. Or not.

    6. Re: most vulnerabilities != most vulnerable by darkain · · Score: 1

      Security fixes are backported. Settings > About Device > Android Security Patch Level & Security Software Version. Plus individual APKs are patched automatically via the Play Store
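      The Settings screen check above, scripted for more than one device. This is an added example, not code from the article or from any commenter: it parses `adb shell getprop` output (the two device blobs below are constructed, and the model names are placeholders) and flags a build whose `ro.build.version.security_patch` is missing or older than an assumed 90-day threshold. Pre-Marshmallow builds do not set that property at all, so the check treats "no value" as unpatched rather than as current.

```python
# Added example (not from the article or any commenter): a fleet-style check of
# the "Android Security Patch Level" a user would otherwise read off the
# Settings screen. The getprop output below is constructed; on a real device it
# comes from `adb shell getprop`. The 90-day staleness threshold is an assumption.
import re
from datetime import date, datetime
from typing import Dict, Optional

# Constructed output of `adb shell getprop` for two hypothetical devices.
PATCHED_DEVICE = """\
[ro.build.version.release]: [7.1.1]
[ro.build.version.sdk]: [25]
[ro.build.version.security_patch]: [2017-01-05]
[ro.product.model]: [example-a]
"""

# Pre-Marshmallow builds never set ro.build.version.security_patch at all.
LEGACY_DEVICE = """\
[ro.build.version.release]: [5.0.1]
[ro.build.version.sdk]: [21]
[ro.product.model]: [example-b]
"""

_PROP_RE = re.compile(r"^\[([^\]]+)\]: \[(.*)\]$")


def parse_getprop(text: str) -> Dict[str, str]:
    """Turn `getprop` lines of the form `[key]: [value]` into a dict."""
    props: Dict[str, str] = {}
    for line in text.splitlines():
        m = _PROP_RE.match(line.strip())
        if m:
            props[m.group(1)] = m.group(2)
    return props


def patch_level(props: Dict[str, str]) -> Optional[date]:
    """The advertised patch level as a date, or None if the build has none."""
    raw = props.get("ro.build.version.security_patch", "")
    try:
        return datetime.strptime(raw, "%Y-%m-%d").date()
    except ValueError:
        return None


def assess(props: Dict[str, str], today: date, max_age_days: int = 90) -> str:
    """'no-patch-level' (treat as unpatched), 'stale', or 'current'."""
    level = patch_level(props)
    if level is None:
        return "no-patch-level"
    return "stale" if (today - level).days > max_age_days else "current"


def assess_blob(blob: str, today_iso: str, max_age_days: int = 90) -> str:
    """Convenience wrapper: raw getprop text plus an ISO date string."""
    return assess(parse_getprop(blob), date.fromisoformat(today_iso), max_age_days)


if __name__ == "__main__":
    as_of = date(2017, 1, 15)
    for blob in (PATCHED_DEVICE, LEGACY_DEVICE):
        p = parse_getprop(blob)
        print(p.get("ro.product.model"), p.get("ro.build.version.release"),
              patch_level(p), assess(p, as_of))
```

      Note that a current patch level only tells you what the vendor shipped for the OS image; apps updated through Play are tracked separately, and nothing in this property says anything about the kernel build.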

    7. Re: most vulnerabilities != most vulnerable by AmiMoJo · · Score: 1

      You know how Windows 8 still gets security patches, despite Windows 10 being the latest version? Or how LTS versions of Debian are still fairly secure and well supported with patches, despite being old?

      Not being on the latest version of the OS doesn't mean no security patches.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    8. Re: most vulnerabilities != most vulnerable by Qzukk · · Score: 1

      My HTC EVO 4g still stands by for days without recharging, and hasn't gotten a single damn update - security or otherwise - since around 2012. I only got a new phone last year because Sprint shut down the 4G WiMax signal it used in favor of 4G LTE.

      Not buying a new phone every 2 years means no security patches.

      --
      If I have been able to see further than others, it is because I bought a pair of binoculars.
    9. Re: most vulnerabilities != most vulnerable by AmiMoJo · · Score: 1

      Does your old 4g have Play? Do the apps installed from Play get updated? If so, that phone is getting updates, including to the OS.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    10. Re: most vulnerabilities != most vulnerable by cyber-vandal · · Score: 1

      Being on Android quite often does mean no security patches. That's why I stopped buying Android phones. Are the OEMs such as Samsung any better now? The iPhone 5 is still getting updates 4 years after release. Any Android phones, even the ones that cost a similar amount, getting that kind of support? I have a Galaxy Note 2 released a couple of months later that didn't go any further than KitKat and it took bloody ages for Samsung to do that.

    11. Re: most vulnerabilities != most vulnerable by AmiMoJo · · Score: 1

      The patches come via Play.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    12. Re: most vulnerabilities != most vulnerable by Anonymous Coward · · Score: 0

      Says the Android security engineer. Jesus dude, maybe if u spent more time working and less on /. then things would improve.

    13. Re: most vulnerabilities != most vulnerable by cyber-vandal · · Score: 1

      How many of these have been fixed via Play or otherwise for all Android versions still in use? http://www.techworld.com/secur...

    14. Re: most vulnerabilities != most vulnerable by swillden · · Score: 1

      Says the Android security engineer.

      So, are you arguing that anything I said is untrue? If so, what?

      --
      Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
    15. Re:most vulnerabilities != most vulnerable by poofmeisterp · · Score: 1

      You mean not all bugs carry the same weight? But I really needed a metric to prove product A is better than product B.

      That's why MS loves "{mumble}found: 12,342,472, Fixed: 12,342,101".

      Where's the metric for "fixed and released to all vulnerable machines before the next bi-weekly release scheduled date"? I want that metric!

    16. Re: most vulnerabilities != most vulnerable by Qzukk · · Score: 1

      It does, it doesn't, it's got android 2.3.5 and a kernel compiled in 2012. The webkit version on it is so old it can't use the play store's (and many other websites) encryption cipher, and the android version on it is too old to install Chrome.

      --
      If I have been able to see further than others, it is because I bought a pair of binoculars.
    17. Re: most vulnerabilities != most vulnerable by trparky · · Score: 1

      But if the exploit is in the kernel no amount of "Play" patches will fix it since the "Play" service is running on top of the kernel. You can't patch the kernel, only the vendor can.

    18. Re: most vulnerabilities != most vulnerable by trparky · · Score: 1

      For instance... QuadRooter, many devices are still vulnerable and won't be patched. The kernel itself is vulnerable, no amount of "Play" patches will fix this since it's a vulnerability much lower on the software stack than the "Play" services.

      Same goes for Stagefright. You can mitigate some of the issues with this but mitigations can only go so far, you still need to patch the underlying library and again, no amount of "Play" patches will fix this since it's controlled by the vendor.

    19. Re: most vulnerabilities != most vulnerable by AmiMoJo · · Score: 1

      Sure, but if you cut off the ability for the exploit to actually get as far as the kernel, then the problem is mitigated. These days no-one relies on just one layer of security, it's always multiple layers.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    20. Re: most vulnerabilities != most vulnerable by trparky · · Score: 1

      But like I said, you can get around the mitigations. The best and only option should be to patch the vulnerability itself and not rely on something else to stop it.

    21. Re: most vulnerabilities != most vulnerable by AmiMoJo · · Score: 1

      If you can get around the mitigation, surely you can get around the fix to the kernel too, and in fact get around any security measures. Nothing can ever be secure because you can "get around" it.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    22. Re: most vulnerabilities != most vulnerable by thejynxed · · Score: 1

      The only patches I get are to GAPPs themselves (sometimes, currently several refuse to update, my guess is because they require at least Marshmallow or Nougat now) and Webview. I've had no other security patches period from either Google nor the vendor, and this device is on 5.0.1 running kernel build 3.10.49. Google Play hasn't even updated on my device since prior to the Stagefright and Heartbleed releases, let alone much of the underlying Android system.

      --
      @Mindless Drivel: 100% of Twitter posts ever Tweeted.
    23. Re: most vulnerabilities != most vulnerable by nikkipolya · · Score: 1

      because people report vulnerabilities against very old versions of Android which, while they do still exist in the wild, constitute a fairly small number of devices...

      Android KitKat, which was released in 2013, is still being used on 22.1% of the devices out there. And 36.3% of the devices out there run KitKat or older versions of Android.

      Gingerbread 1.0%
      Ice Cream Sandwich 1.1%
      Jelly Bean 11.6%
      KitKat 22.6%

    24. Re: most vulnerabilities != most vulnerable by swillden · · Score: 1

      because people report vulnerabilities against very old versions of Android which, while they do still exist in the wild, constitute a fairly small number of devices...

      Android KitKat, which was released in 2013, is still being used on 22.1% of the devices out there. And 36.3% of the devices out there run KitKat or older versions of Android.

      Gingerbread 1.0%
      Ice Cream Sandwich 1.1%
      Jelly Bean 11.6%
      KitKat 22.6%

      Very true, and part of the reason that the Play store and Verified Apps protections are so important.

      --
      Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
  8. Fuck it, we'll just truncate the by Anonymous Coward · · Score: 0

    "Fuck it, we'll just truncate the headline"

    That's what would have been said if the editors even bothered to read the headlines - much less proof them - before posting.

    1. Re:Fuck it, we'll just truncate the by Anonymous Coward · · Score: 0

      Proofreading? You must be here.

  9. Number of bugs is hardly a valuable metric here... by Anonymous Coward · · Score: 5, Insightful

    The number of bugs opened with a given software product says very little about how "vulnerable" the product may be. The most ubiquitous (widely-deployed) products are bound to be subject to the greatest number of "bug reports" (CVEs), by virtue of the fact that they are "under the microscope" and so broadly used. It is no coincidence that the most bug reports have been filed for the most popular software products.

  10. commentsubject by Falos · · Score: 3, Insightful

    Oh boy a point metrics ranking list highscore chart golf game.

    Security bug 1) Erroneous password entry reveals critical details in the rejection prompt, like the confirmed existence of an account name.
    Security bug 2) Throwing in a parenthesis and a semicolon allows mass queries and a full DB dump of cleartext passwords.

    One point each, equally vulnerable.

    1. Re:commentsubject by thegarbz · · Score: 1

      One point each, equally vulnerable.

      Not to mention that the vast majority of vulnerabilities in Android were highly specific or mitigated by its security model. We've seen CVEs issued for things that can't actually be exploited due to its use of SELinux.

      Plus if you look at the actual CVEs you'll find that 90% or so have nothing to do with Android and everything to do with Qualcomm, Synaptics, Samsung, etc writing dodgy drivers and doing a shoddy job and bolting things into "Google Android".

    2. Re:commentsubject by Anonymous Coward · · Score: 0

      That 90% is clearly an exaggeration, since almost 40% are already accounted for in the Linux Kernel vulnerabilities (many of which will require console or at least shell access to exploit).

  11. The couting fiasco by Anonymous Coward · · Score: 4, Interesting

    You know, when you read that a distro had XXX CVEs in 2016, you kinda expect those CVEs to be about the latest stable release of Ubuntu, Fedora, Debian, RedHat, etc.

    Not so in this report. You'll ALSO get CVEs that are relevant only to older versions of the distro added to that distro's 2016 count in this report (RTFA and check it!). They didn't restrict it to the current [in 2016] stable version of the distro/product.

    As far as I am concerned, this report is irrelevant, because you can't really get any real-world use of it other than deceptive marketing (either pro or contra).

    1. Re: The couting fiasco by Anonymous Coward · · Score: 0

      Come on now, I judge windows 10 security based on bugs found in 98.

    2. Re:The couting fiasco by 93+Escort+Wagon · · Score: 1

      As far as I am concerned, this report is irrelevant, because you can't really get any real-world use of it other than deceptive marketing (either pro or contra).

      This report typifies the high level of hard-hitting analysis we've already come to expect from bleepingcomputer.com during its short existence. And, since their posts get submitted to Slashdot regularly, thankfully we can expect much much more of the same going forward.

      --
      #DeleteChrome
    3. Re:The couting fiasco by Anonymous Coward · · Score: 0

      The website itself has a lot more information on it, including rating each vulnerability from 0-10 (0 being really minor stuff, and 10 being the worst, most critical vulnerabilities), and then showing weighted averages. That ends up putting all of the adobe products at the 'top' (scores are all like 9.5 and higher - which is a *bad* thing, because 1: they have a lot of vulnerabilities and 2: they are shifted heavily towards critical vulnerabilities). Here's one of the pages as an example. Obviously there's a huge difference between Flash Player (973 vulnerabilities, 84% of which are 9+) and the Linux kernel (1,564 vulnerabilities, but only 4% are 9+).

      Maybe it's not the best metric around, but it at least shows some comparison between different products. A score of 0 would be the best, and mean you have no vulnerabilities. But even Linux, after 25+ years of work, is still only a 5.6. Most Windows versions are around an 8. Most adobe products are 9.5+. So that basically confirms how people naturally felt about those products. So you can gauge the relative safety of other products by comparing it to what you've seen come out about Linux, Windows, and Adobe vulnerabilities over the year.

      The core idea is to demystify how 'secure' different products are. Anyone can slap on a badge/sticker/whatever on their website claiming "We're super secure, we use SSL!!!!" But they won't tell you the SSL they're using is vulnerable to heartbleed.

      And considering how prevalent "Legacy" systems are, I think it's perfectly valid to roll up previous versions together with current versions. Using the site linked above, you can delve down to the year(s) that are relevant to you. They have data on hundreds of thousands of products, so there's no way they're putting that in a single chart that would fall into a news article.

    4. Re:The couting fiasco by Anonymous Coward · · Score: 0

      Maybe it's not the best metric around, but it at least shows some comparison between different products.

      It's not only not the best metric, it's completely worthless for use in any comparison.

      Vendor A Product B quietly fixes 17 critical vulnerabilities, 39 severe vulnerabilities, and 182 moderate or minor vulnerabilities in patch release 1.2.3 resulting in one high severity CVE "Multiple vulnerabilities in Vendor A Product B versions before 1.2.3"

      Vendor C Product D openly fixes 2 critical vulnerabilities, 1 severe vulnerability, and 19 moderate or minor vulnerabilities resulting in 22 CVE bulletins.

      The number of CVEs even if weighted by bulletin severity does not provide any useful comparison of Product B and Product D.

    5. Re:The couting fiasco by poofmeisterp · · Score: 1

      ...As far as I am concerned, this report is irrelevant, because you can't really get any real-world use of it other than deceptive marketing (either pro or contra).

      Statistics. Love them.
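    The counting problems raised in this thread (CVEs for retired versions rolled into a product's yearly total, a single "multiple vulnerabilities" CVE hiding hundreds of fixes, and the CVSS weighting that CVE Details offers as a corrective) can be made concrete. The script below is an added example, not code from the article, from CVE Details, or from any commenter: it takes one constructed set of CVE records (placeholder identifiers, placeholder products "Product B" and "Product D" mirroring the Vendor A / Vendor C scenario above) and scores it four ways, so you can see the ranking flip depending on which count you pick.

```python
# Added example (not from the article, CVE Details, or any commenter):
# the same set of CVE records scored four different ways, to show why a
# raw per-year CVE count is not a "most vulnerable" ranking.
# All CVE identifiers, products and versions below are constructed placeholders.
from collections import Counter, defaultdict
from dataclasses import dataclass
from statistics import mean
from typing import Dict, Iterable, List, Tuple


@dataclass(frozen=True)
class CveRecord:
    cve_id: str                # constructed placeholder, not a real identifier
    product: str
    year: int                  # year the CVE was published
    cvss: float                # CVSS base score, 0.0 to 10.0
    affected: Tuple[str, ...]  # product versions the record applies to
    fixed_bugs: int = 1        # distinct bugs the vendor rolled into this record


def build_sample() -> Tuple[CveRecord, ...]:
    """Constructed data mirroring the 'Vendor A / Vendor C' scenario above."""
    recs: List[CveRecord] = []
    # Product B: one high-severity record covering 238 silently fixed bugs.
    recs.append(CveRecord("CVE-2016-EXAMPLE-B01", "Product B", 2016, 9.8,
                          ("1.2.1", "1.2.2"), fixed_bugs=238))
    # Product D: 22 records against the current 2.0 release ...
    n = 1
    for cvss in [9.1, 9.1, 7.5] + [4.3] * 19:
        recs.append(CveRecord(f"CVE-2016-EXAMPLE-D{n:02d}", "Product D", 2016,
                              cvss, ("2.0",)))
        n += 1
    # ... plus 3 records that only affect the retired 1.x line but still
    # count toward "Product D, 2016" in a naive tally.
    for _ in range(3):
        recs.append(CveRecord(f"CVE-2016-EXAMPLE-D{n:02d}", "Product D", 2016,
                              6.5, ("1.0", "1.1")))
        n += 1
    return tuple(recs)


SAMPLE = build_sample()


def raw_counts(records: Iterable[CveRecord], year: int) -> Counter:
    """What the headline does: one point per CVE ID, any version."""
    return Counter(r.product for r in records if r.year == year)


def supported_counts(records: Iterable[CveRecord], year: int,
                     current: Dict[str, str]) -> Counter:
    """Only records that touch the version you actually run."""
    return Counter(r.product for r in records
                   if r.year == year and current.get(r.product) in r.affected)


def bug_counts(records: Iterable[CveRecord], year: int) -> Counter:
    """Underlying bugs, undoing the 'multiple vulnerabilities' roll-up."""
    tally: Counter = Counter()
    for r in records:
        if r.year == year:
            tally[r.product] += r.fixed_bugs
    return tally


def severity_profile(records: Iterable[CveRecord], year: int,
                     critical: float = 9.0) -> Dict[str, Tuple[float, float]]:
    """Per product: (mean CVSS, share of records at or above `critical`)."""
    scores: Dict[str, List[float]] = defaultdict(list)
    for r in records:
        if r.year == year:
            scores[r.product].append(r.cvss)
    return {p: (mean(s), sum(1 for x in s if x >= critical) / len(s))
            for p, s in scores.items()}


def rank(tally: Counter) -> List[str]:
    """Products ordered from most to least, ties broken by name."""
    return [p for p, _ in sorted(tally.items(), key=lambda kv: (-kv[1], kv[0]))]


if __name__ == "__main__":
    current = {"Product B": "1.2.2", "Product D": "2.0"}
    print("raw CVE count    :", rank(raw_counts(SAMPLE, 2016)))
    print("current version  :", rank(supported_counts(SAMPLE, 2016, current)))
    print("underlying bugs  :", rank(bug_counts(SAMPLE, 2016)))
    print("severity profile :", severity_profile(SAMPLE, 2016))
```

    With this data the raw count puts Product D first (25 records to 1), the per-version count trims it to 22, and the bug count puts Product B first (238 to 25); the severity profile shows Product B at a mean of 9.8 with every record critical, against Product D's mean of about 5.1 with 8% critical. Before quoting any of these as "most vulnerable," decide which question you are actually asking.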

  12. Go Linux by OrangeTide · · Score: 1

    Any press is good press!

    --
    “Common sense is not so common.” — Voltaire
  13. Candlejack by cccc828 · · Score: 1

    Good that Candlejack is no edit-

  14. When will Microsoft learn by Anonymous Coward · · Score: 0

    Android Was 2016's Most Vulnerable Product

    To be fair, I wouldn't consider Android XP as it has already reached end of life.

  15. But were the suppliers sending patches? by Anonymous Coward · · Score: 1

    But were the suppliers of these android devices sending patches? My Nexus gets more security updates than my Samsung ever did. I think the bugs are fixed, just never pushed out by manufacturers.

    1. Re:But were the suppliers sending patches? by Anonymous Coward · · Score: 1

      Which is why the manufacturer shouldn't be in charge, or even allowed, to provide the updates. It should come from Google directly.

      Of course, that will never happen with Samsung. They hate Google even more than they hate Apple, and want their own ecosystem.

    2. Re: But were the suppliers sending patches? by Miamicanes · · Score: 1

      To a certain extent, Google HAS been isolating more & more potentially-vulnerable libraries used by the OS itself into packages that can be updated through Google Play (like WebView). Kernel-level stuff still requires manufacturers to fix, but Google can fix a newly-discovered Javascript vulnerability and deploy the fix to semi-recent devices all by itself.

      I'm not totally sure where the AppCompat library/framework fits in... I think it's statically compiled into the .apk at build time, but I'd be shocked if it didn't delegate most of its actual work to a component that's updatable via Google Play.

    3. Re:But were the suppliers sending patches? by Anonymous Coward · · Score: 0

      Which is why the manufacturer shouldn't be in charge, or even allowed, to provide the updates. It should come from Google directly.

      I feel like you are wrong. When you purchase something from, say, Motorola, you expect Motorola to handle all things related to updating and securing the device.

      The problem, in my opinion, is when the carrier gets involved with updates. They are a 3rd party inserting themselves into your relationship with the manufacturer of the device you purchased for no reason other than their own benefit.

    4. Re:But were the suppliers sending patches? by farble1670 · · Score: 1

      Which is why the manufacturer shouldn't be in charge, or even allowed, to provide the updates. It should come from Google directly.

      How would that work? Thousands of unique devices with arbitrary hardware and drivers. Google is going to manage unique Android dists for all of those devices including testing? People that suggest this type of thing have a profound misunderstanding about the nature of Android. It's not Windows or anything close to it where it runs on well-defined and standardized hardware. Every device is different in ways that only the manufacturer, SoC vendor, and other hardware providers can code to.

      The only way something like this could work is if Google specified a very narrow range of supported hardware configs. And if they did that, guess what? The hardware manufacturers would bow out of Android (or would have never bought into it to begin with). What's the point? They can't compete on the software, and now, they couldn't compete on the hardware either. I take it back. Even if they specified a narrow range of hardware configs, they'd still have to test all of those devices. Absolutely impractical.

      P.S., if you really think updates should come from Google, buy a Pixel or Nexus phone. Support that model. Don't go out and buy a Samsung and then cry about it. Vote with your wallet.

    5. Re:But were the suppliers sending patches? by farble1670 · · Score: 1

      The problem, in my opinion, is when the carrier gets involved with updates. They are a 3rd party inserting themselves into your relationship with the manufacturer of the device you purchased for no reason other than their own benefit.

      You are correct in my experience. I had the pleasure of working for a company that made Android phones (one of the smaller ones). For every carrier they had unique builds with different software that needed to be QA'd separately.

      Of course, carriers get to demand that (unless you are Apple I guess). If you don't comply, they just go with a different vendor that'll abide by their rules. By "go with", I mean advertise those phones and sell them in their stores and give discounts on them and offer payment plans.

  16. Too stupid by AndyKron · · Score: 1

    Humans are too stupid to write good software

    1. Re:Too stupid by Anonymous Coward · · Score: 1

      Some of them can't even write an entire headline correctly.

  17. msmash by Anonymous Coward · · Score: 0

    This is what happens when the cron job is replaced by msmash.

  18. Re:Number of bugs is hardly a valuable metric here by Anonymous Coward · · Score: 1

    It's totally believable that Android was among the worst (it's sort of the new Windows), although Windows itself is said to still exist and be used by someone, so I kind of doubt Android really got the very top spot, but .. maybe.

    But, yeah.. when you look at what the article is counting ("CVE"s) you realize that it's an arbitrary thing, so if their list happens to match reality, that's just a coincidence.

    And you'd expect the least secure stuff to not even be on this article's radar, precisely because it doesn't have the bugs reported yet. Maybe the bugs are known (and used) but not reported.

  19. Adobe: Truly solid products by MobyDisk · · Score: 5, Interesting

    A document viewer had as many vulnerabilities as AN ENTIRE OPERATING SYSTEM.

    1. Re: Adobe: Truly solid products by Anonymous Coward · · Score: 0

      This. I mean if they stuck to the KISS rule, they wouldn't have this problem. It is exactly why I don't use Acrobat. I want my PDF software to do one thing... well, two, and that's edit and view PDF documents. Nothing else.

    2. Re:Adobe: Truly solid products by Anonymous Coward · · Score: 1

      Glad to see I wasn't the only one thinking this :-)
      Wow, just... wow.

    3. Re:Adobe: Truly solid products by Dan+East · · Score: 2

      Oh it's so much worse than that though. Adobe Reader has existed since loooooong before Android was even conceptualized. How often does the PDF format change that the reader requires lots of active development which is a vector for introducing bugs? Reader should be bullet proof by now. The one and only time I've had a machine infected was a decade ago with Adobe Reader from a website that sent me a PDF that exploited it. I knew exactly the attack vector because the Adobe Reader splash window popped up and went away after a few seconds when I visited a site pushing malware.

      --
      Better known as 318230.
    4. Re: Adobe: Truly solid products by Anonymous Coward · · Score: 0

      Sort of like how the Chrome "browser" presents itself as a full desktop environment including notification engine, app container, task switcher and my personal favorite a FUCKING CLOUD PRINT SERVICE.

    5. Re:Adobe: Truly solid products by david_thornley · · Score: 1

      According to Adobe's standards site, the last published change was in 2009. You'd think they'd have Reader pretty solid by now.

      --
      "When you have eliminated the unacceptable, whatever is left, however improbable, must be the truthiness" - Holmes
  20. Novell? by n0w0rries · · Score: 2

    Novell? Are people still using NetWare or GroupWise? WOW

    I'm currently not working, cruising on a sailboat in Mexico, but if anybody needs a CNE I could use a little $$$.

    1. Re:Novell? by Anonymous Coward · · Score: 0

      No one needs a CNE. You can float all around Mexico.

    2. Re:Novell? by henni16 · · Score: 1

      Nah, they've just assigned all the SuSE stuff to Novell.

  21. Congratulations to Android! by TheFakeTimCook · · Score: 1

    You FINALLY beat Adobe!!!

  22. could the Apple haters explain me.... by Anonymous Coward · · Score: 0

    how is the iPhone's walled garden bad? Because....?

  23. Re:Number of bugs is hardly a valuable metric here by Anonymous Coward · · Score: 3, Interesting

    Larger more complex products have more bugs.
    Products with larger user bases discover more bugs.

    What we are measuring here is the largest most used products.

    I believe that means that 2016 was the year of the Ubuntu and Debian desktop! (and to a lesser extent openSUSE)

    Though I find the whole thing suspect when Adobe has 904 bugs across 4 products in the top 10 but only 548 total.

  24. Statistics by HaaPoo · · Score: 2

    I like how statistics works, by looking at this chart I can say Apple is on the top: http://www.cvedetails.com/vend...

  25. What if you hate both? by Anonymous Coward · · Score: 0

    At this point in time, both are equally bad. iOS is a terrible bloated OS which gets slower and slower with every update. Apple forces you to update (nag screen which you can't turn off, _EVER_) meaning you pretty much have to keep buying their junk. At least with Android you have somewhat of a choice, even though the OS is just as terrible, and sends all your shit to the mothership at Google.

    1. Re:What if you hate both? by Anonymous Coward · · Score: 0

      Funny, my experience is quite the opposite: my iPad mini 2 went through three major iOS updates (8, 9, and 10) and not only never felt slower, but actually faster. And I have NEVER seen a nag screen to force me to update, are you sure you were using an Apple product? You sound like an Apple hater making up stuff.

    2. Re: What if you hate both? by cyber-vandal · · Score: 1

      iOS updates don't cost anything.

    3. Re:What if you hate both? by Anonymous Coward · · Score: 0

      And I have NEVER seen a nag screen to force me to update, are you sure you were using an Apple product?

      Are you sure *YOU* have ever used one? Jesus, it's all over the internet. https://www.google.com/search?...

      http://forums.macrumors.com/th...

      http://apple.stackexchange.com...

      You can temporarily delay the nags by deleting the update (but it redownloads it) or blocking Apple's servers on your domain, but you can never switch them off. EVER. This is how Apple has yet again decided to ream its users in the ass.

      You sound like an Apple hater making up stuff.

      You sound like someone who likes to bend over. That makes you a good Apple customer.

    4. Re: What if you hate both? by Anonymous Coward · · Score: 0

      Neither do Android ones. Oh, you mean the cost of a new phone. Where you pay money for a phone with a headphone jack. Yeh.

    5. Re: What if you hate both? by cyber-vandal · · Score: 1

      Why do you need to buy a new phone? The 5 is still getting updates and that was released in 2012.

  26. Note 7s are safe BADroids by Anonymous Coward · · Score: 0

    only good badroid is a deactivated badroid

  27. Re:Number of bugs is hardly a valuable metric here by erapert · · Score: 2

    It is no coincidence that the most bug reports have been filed for the most popular software products.

    Agreed. So we shouldn't interpret this article solely as an indictment of these products for being crappy.
    Instead we should interpret this article as spotlighting the most popular companies and their products.

    Nonetheless, the fact that Oracle stands so far above the crowd does seem to imply that they're not doing something as well as they might. In particular since most of the members of that crowd are distributing software that is more complicated than a database -- entire operating systems, infrastructure that undergirds the entire web, etc. And note that MySQL, MSSQL, Postgres, and MongoDB are not on the list in TFS and none of these four databases are unheard of little toy projects.

  28. Re:Number of bugs is hardly a valuable metric here by swillden · · Score: 1

    The most ubiquitous (widely-deployed) products are bound to be subject to the greatest number of "bug reports" (CVEs), by virtue of the fact that they are "under the microscope" and so broadly used.

    Open source products also get a boost, by dint of the simple fact that finding bugs is easier. Security researchers try to focus their time on the most-used software rather than the easiest-to-analyze software, but the time spent on easy-to-analyze software often generates more bugs. This is exacerbated when there is an entity that pays out good cash for vulnerability reports. Android's bug reports jumped significantly when Google began paying bounties, for example, but that doesn't mean the platform got less secure.

    --
    Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
  29. Re:Number of bugs is hardly a valuable metric here by Nelson · · Score: 1

    To the extent that they're not sold on the black market.

    A really good exploitable bug on very popular platforms is very valuable. The numbers of reported CVEs have been dropping industry wide, not because of better development practices...

  30. This is why I like the walled garden by Applehu+Akbar · · Score: 0

    Whenever I see an Android user running an antivirus on his smartphone, I genuflect toward Cupertino and give thanks that I don't have to go through that.

    1. Re:This is why I like the walled garden by Anonymous Coward · · Score: 0

      Too tough for some to use Android, there always was a learning curve to it. People went to Apple computers because the only option was bug-prone Windows; Apple's slogan was 'it just works'. From the complaints I'm seeing lately, Apple users are slowly coming to realize that they've been overpaying for lesser hardware, but I don't have to think so hard and learn Android if I pay the premium.

    2. Re:This is why I like the walled garden by Anonymous Coward · · Score: 0

      Just like Mac users don't think they need AV for their MBPs and then don't realise that their system secretly runs malware in the background because Macs can't get viruses because Apple told you they can't. The Apple walled garden has failed in the past numerous times. Malicious apps get through and the damage is done. The only reason you don't have AV for iOS is because the maintainer of the faulty walled garden has told you that you don't need one. If McAfee or Symantec had the ability to get past the keepers of the walled garden, there certainly would be AV for iOS.

      There's a strong argument FOR AV on iOS even if the claim that iOS can't be infected is true: At least get a mail scanner, so that if you're forwarded attachments that ARE infected, you aren't infecting other people. Otherwise your device is just a stepping stone to someone else's device.

  31. Apples and oranges by GuB-42 · · Score: 3, Insightful

    They put the Linux kernel, Linux distros, Android and apps in the same list.
    Android and Linux distros contain the Linux kernel.
    There isn't much to Linux distros besides testing and maintenance; they are mostly a collection of third-party software.

    So, for example, is a bug in the Linux kernel also a bug in Ubuntu? Is it still a bug if there is some kind of mitigation in place?

    1. Re: Apples and oranges by cyber-vandal · · Score: 1

      If it's in the default install then surely some of the onus is on the distro builder to audit the code. It's not like it's unavailable.

    2. Re: Apples and oranges by david_thornley · · Score: 1

      I assume people do pay attention to default installs. However, I've loaded distros with multiple development environments and office suites, so not only is there more code to vet, it's misleading in bugs per unit functionality.

      --
      "When you have eliminated the unacceptable, whatever is left, however improbable, must be the truthiness" - Holmes
  32. Re: Number of bugs is hardly a valuable metric her by cyber-vandal · · Score: 1

    No one uses Windows anymore, that's why Microsoft went bankrupt years ago /s

  33. Apples vs. Oranges by RealGene · · Score: 4, Insightful

    Comparing an operating system to Acrobat Reader? The real question is, why should a text rendering application have half as many bugs as an entire OS?

    --
    Mission: To provide products that consume time and energy as entertainingly as permitted by the laws of thermodynamics.
    1. Re:Apples vs. Oranges by freeze128 · · Score: 1

      It shouldn't have *ANY* bugs. But Adobe also thought that it should be able to execute scripts from web based sources. That's the kicker.

    2. Re:Apples vs. Oranges by Princeofcups · · Score: 1

      Comparing an operating system to Acrobat Reader? The real question is, why should a text rendering application have half as many bugs as an entire OS?

      Unless someone actually defines "bug," then what's the point to even discuss it.

      --
      The only thing worse than a Democrat is a Republican.
  34. Windows? by Anonymous Coward · · Score: 0

    TFA must have been written by Microsoft.

  35. Re:Number of bugs is hardly a valuable metric here by darkain · · Score: 1

    Certain bugs are the same bug in multiple products, so for a company total it is counted once but is also counted for each individual application. Think of this like a bug in a PNG decoder, using the exact same decoder in Photoshop and Illustrator. "Adobe" has 1 bug, but each application also has 1 bug each.
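
The double counting described in this comment (and the 904-versus-548 discrepancy noticed earlier in the thread) is easy to reproduce on a small data set. The following Python is an added illustration, not code from CVE Details or from anyone in this thread; the records, vendor and product names are constructed, and the `CVE-XXXX-…` identifiers are placeholders, not real CVEs.

```python
"""Added example: why per-product CVE counts do not add up to a vendor's total.

A CVE that affects a shared component is attached to every product built on
it. Counting once per product (the product table) therefore inflates the sum
relative to counting once per vendor (the vendor table), where each CVE id is
only counted a single time. Nothing here is real vulnerability data.
"""
from collections import Counter

# Constructed sample records: (cve_id, vendor, affected products).
# Placeholder ids, not real CVE numbers.
SAMPLE_RECORDS = [
    ("CVE-XXXX-0001", "VendorA", ["Photo", "Draw"]),          # shared decoder bug
    ("CVE-XXXX-0002", "VendorA", ["Photo", "Draw", "Read"]),  # shared runtime bug
    ("CVE-XXXX-0003", "VendorA", ["Read"]),
    ("CVE-XXXX-0004", "VendorA", ["Read"]),
    ("CVE-XXXX-0005", "VendorB", ["Kernel"]),
    ("CVE-XXXX-0006", "VendorB", ["Kernel", "Distro"]),       # kernel bug also listed under the distro
]


def count_per_product(records):
    """Count each CVE once per affected product (the product-table view)."""
    counts = Counter()
    for _cve, _vendor, products in records:
        for product in set(products):  # a product listed twice still counts once
            counts[product] += 1
    return counts


def count_per_vendor(records):
    """Count each CVE id once per vendor, however many products it touches."""
    seen = {}
    for cve, vendor, _products in records:
        seen.setdefault(vendor, set()).add(cve)
    return {vendor: len(cves) for vendor, cves in seen.items()}


def product_sum_per_vendor(records):
    """Naively add the per-product counts for each vendor (the inflated number)."""
    totals = Counter()
    for _cve, vendor, products in records:
        totals[vendor] += len(set(products))
    return totals


def double_counted(records, vendor):
    """CVE ids for a vendor that appear under more than one product."""
    return sorted(
        cve for cve, v, products in records
        if v == vendor and len(set(products)) > 1
    )


if __name__ == "__main__":
    print("per product:", dict(count_per_product(SAMPLE_RECORDS)))
    print("per vendor (unique):", count_per_vendor(SAMPLE_RECORDS))
    print("per vendor (sum of products):", dict(product_sum_per_vendor(SAMPLE_RECORDS)))
    print("VendorA overlap:", double_counted(SAMPLE_RECORDS, "VendorA"))
```

With the constructed records, VendorA has four distinct CVE ids but the per-product counts sum to seven, purely because two of those ids are attached to several products. The same arithmetic is what makes a vendor's total smaller than the sum of its products on the aggregated site.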

  36. This is stupid by Anonymous Coward · · Score: 0

    A bug does not mean a vulnerability and even a security bug isn't necessarily exploitable.

    The most vulnerable are the ones that get successfully attacked the easiest and the most.

    Slashdot is really plumbing the depths of stupidity.

  37. Not a single CVE against software I work on. by eddy · · Score: 1

    Guess it's pretty much perfect!

    --
    Belief is the currency of delusion.
  38. How are the BSDs? by unixisc · · Score: 1

    I didn't see the BSDs in the list - OpenBSD, FreeBSD, NetBSD. How are they compared to Android, Linux, Windows and Apple OSs?

    1. Re:How are the BSDs? by moronikos · · Score: 1

      Somebody has to use the software for someone to report a bug. :)

  39. Re:Number of bugs is hardly a valuable metric here by Anonymous Coward · · Score: 0

    The two are linked you jabroni. The total real world functional vulnerability is a function of its geometry and its bugs.

    That is obvious in real life.

  40. Re:Number of bugs is hardly a valuable metric here by Anonymous Coward · · Score: 0

    So conversely, we could work out the highest installed base by looking at the highest number of CVEs?

  41. Yeah, but... by sidnelson13 · · Score: 1

    ... which version of Android?

  42. Re:Oracle? by Anonymous Coward · · Score: 0

    I'm sure you'll be disappointed when I say not many.

    http://www.cvedetails.com/product/19117/Oracle-JRE.html?vendor_id=93

  43. Re:Number of bugs is hardly a valuable metric here by Cederic · · Score: 1

    MySQL is a fucking Oracle product.
    As is Java and three hundred enterprise grade applications and technologies.

    Including operating systems, infrastructure that undergirds the entire web, etc.

    Shit, there are plenty of things wrong with Oracle but their appearance on this list? Purely and entirely a consequence of their massive product portfolio.