Slashdot Mirror


Android Was 2016's Most Vulnerable Product, Oracle the (bleepingcomputer.com)

An anonymous reader writes: According to CVE Details, a website that aggregates historical data on security bugs that have received a CVE identifier, during 2016, security researchers have discovered and reported 523 security bugs in Google's Android OS, winner by far of this "award." The rest of the top 10 is made up by Debian (319 bugs), Ubuntu (278 bugs), Adobe Flash Player (266 bugs), openSUSE Leap (259 bugs), openSUSE (228 bugs), Adobe Acrobat DC (227 bugs), Adobe Acrobat Reader DC (227 bugs), Adobe Acrobat (224 bugs), and the Linux Kernel (216 bugs).

When it comes to software vendors, the company for which the largest number of new CVE numbers have been assigned was Oracle, with a whopping 798 CVEs, who edged out Google (698 bugs), Adobe (548 bugs), Microsoft (492 bugs), Novell (394), IBM (382 bugs), Cisco (353 bugs), Apple (324 bugs), Debian Project (320 bugs), and Canonical (280 bugs).


  1. Stupid Apple by Anonymous Coward · · Score: 1, Funny

    Look how they've stagnated. They're not even at the top of the CVE list. Jeez, get rid of Tim Cook already. We want more bugs.

  2. Oracle the by Anonymous Coward · · Score: 5, Funny

    I think you a word.

    1. Re:Oracle the by SlickUSA · · Score: 1

      "Oracle the most vulnerable vendor"

    2. Re:Oracle the by 93+Escort+Wagon · · Score: 1

      Oracle may be unbreakable, but its headlines aren't.

      --
      #DeleteChrome
    3. Re:Oracle the by malditaenvidia · · Score: 1

      He accidentally the whole summary.

    4. Re:Oracle the by grcumb · · Score: 1

      I think you a word.

      Yes, the entire sentence should have read:

      Android Was 2016's Most Vulnerable Product, Oracle the source of most buffer overrruns

      --
      Crumb's Corollary: Never bring a knife to a bun fight.
    5. Re:Oracle the by grcumb · · Score: 1

      I think you a word.

      Yes, the entire sentence should have read:

      Android Was 2016's Most Vulnerable Product, Oracle the source of most buffer overrruns

      Sorry, not 'overrruns'. Overrrrruns.

      Wot? I'm a Scotsman!

      --
      Crumb's Corollary: Never bring a knife to a bun fight.
    6. Re:Oracle the by Yvan256 · · Score: 1

      Blue rubber fridge dirt.

    7. Re:Oracle the by kuzb · · Score: 1

      You're assuming they read anything. More likely the entire submission selection process is automated by this point. It's trashdot after all.

      --
      BeauHD. Worst editor since kdawson.
    8. Re:Oracle the by arglebargle_xiv · · Score: 1

      The computer fletely, mouse and all!

    9. Re:Oracle the by K.+S.+Kyosuke · · Score: 1

      Oracle the Unfinished?

      --
      Ezekiel 23:20
  3. That's interesting by Anonymous Coward · · Score: 1

    Windows 10 had less vulnerabilities than Linux and Mac... AHAHAHAHAHAHAHA

    1. Re:That's interesting by Anonymous Coward · · Score: 2, Insightful

      Ask Achilles how that works out.

    2. Re:That's interesting by stooo · · Score: 1

      In Windows world, Vulnerabilities are Features, so there aren't any Vulnerabilities.

      --
      aaaaaaa
    3. Re:That's interesting by TemporalBeing · · Score: 2

      Windows 10 had less vulnerabilities than Linux and Mac... AHAHAHAHAHAHAHA

      And Microsoft has a very strict policy on what gets filed for a CVE; while open source folks file CVEs very often.

      --
      Truth is like the sun. You can shut it out for a time, but it ain't goin' away. - Elvis Presley (source: imdb.com)
    4. Re:That's interesting by spatley · · Score: 2

      +1 Pedantic

    5. Re:That's interesting by chipschap · · Score: 1

      Spin it any way you wish. I still feel more secure with Linux than I ever would with Windows 10.

    6. Re: That's interesting by thesupraman · · Score: 1

      Hey everyone! I found the paid msoft edge shill! Is there a prize?

    7. Re:That's interesting by poofmeisterp · · Score: 1

      In Windows world, Vulnerabilities are Features, so there aren't any Vulnerabilities.

      You got that right, fer sher. When someone at corporation X purchases 200,000 licenses and needs a change in the OS to serve their needs, code is changed in a library or executable (or both) by MS to accommodate them, without taking into account that it can introduce a weakness or bug when combined with other changes/additions. I don't think it's humanly possible to have a corporation that's profitable when it is taking every single change into account and monitoring every other change and testing against it with every possible combination and random introduction of circumstances with "use over time". Don't get me wrong, you can "reposit" all you want and make all comments under the sun, but that doesn't account for human incapability.

      If you were to ask a decision maker at Microsoft if they would rather have a bug found now that makes all machines vulnerable to being compromised, after having made $2 billion, versus spending $500 million now to try and account for all bugs now and delaying releases/updates, which do you think they'd pick? Come on, I'm talking human pick, not logic pick. FOSS is no different, but there tend to be more competitive finds to get one's name out as a "savior" and +1ing their popularity for a brief second. Some get found and some don't, but there's more of a drive to find them and fix them rather than making money. Enter Google - it's not easy to fix all problems, let alone all problems in all versions of something, let alone all problems in all versions of something with manufacturers making in-the-middle non-FOSS changes, let alone all problems in all versions of something, with all problems in all versions of something with manufacturers making in-the-middle non-FOSS changes with their focus forced to be on coming up with new releases of products to make more money on sales.... I digress.

    8. Re:That's interesting by david_thornley · · Score: 1

      So, you're saying all those problems and annoyances are just W10 working as designed?

      --
      "When you have eliminated the unacceptable, whatever is left, however improbable, must be the truthiness" - Holmes
    9. Re:That's interesting by cwsumner · · Score: 1

      True, it's not possible to test every combination in a huge system.

      However, some obviously do a whole hell of a lot better than certain others! 8-P

  4. most vulnerabilities != most vulnerable by Anonymous Coward · · Score: 1

    duh

    1. Re:most vulnerabilities != most vulnerable by OrangeTide · · Score: 2

      You mean not all bugs carry the same weight? But I really needed a metric to prove product A is better than product B.

      --
      “Common sense is not so common.” — Voltaire
    2. Re:most vulnerabilities != most vulnerable by TheRaven64 · · Score: 4, Informative

      True, however Android also suffers from very long delays between serious vulnerability being found and the majority of network-connected installs being patched. The combination of that and a large number of vulnerabilities is pretty bad.

      --
      I am TheRaven on Soylent News
    3. Re:most vulnerabilities != most vulnerable by AmiMoJo · · Score: 1

      Not really, Google mitigates issues via Play very quickly and almost all network connected devices quietly roll out the fixes with no interaction from the user.

      That's why you see big botnets made of IoT devices and old Wordpress installs - people don't install the updates. Android vulnerabilities get mitigated quickly and widely.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    4. Re:most vulnerabilities != most vulnerable by swillden · · Score: 2

      True, however Android also suffers from very long delays between serious vulnerability being found and the majority of network-connected installs being patched. The combination of that and a large number of vulnerabilities is pretty bad.

      It's not good, certainly, but it's not as bad as that makes it appear, at least not for users who stick with the Google Play store, and even users who don't but leave "Verified Apps" turned on. The Play store is pre-vetted and Verified Apps checks sideloads and apps from other stores. Both of those mechanisms can fail because things can slip through the cracks, but it's another (large) hurdle that attackers have to jump through to get malicious code onto user devices.

      In addition, the slow update issue also inflates the bug count, because people report vulnerabilities against very old versions of Android which, while they do still exist in the wild, constitute a fairly small number of devices. Often bugs still exist on newer releases but aren't exploitable on newer releases because SELinux blocks the exploit chain. By that I mean that while the reported vulnerability exists on new releases, the researchers can't find any way to use it to gain real access to anything else. So, they typically then verify that it also exists on KitKat (SELinux was turned on in enforcing mode in Lollipop) and submit the report, but claim it as a vulnerability on the latest version because it still exists, even if it's not usable. If Android devices were upgraded reliably they probably wouldn't even bother submitting. The Android security team is glad they do, though, since there's always the chance that some clever person could find a working exploit chain.

      Anyway, as a practical matter although Android has lots of reported vulnerabilities the ecosystem is actually quite healthy. Few devices actually getting exploited and nearly all of those only after the user went out of their way to take on extra risks.

      --
      Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
    5. Re: most vulnerabilities != most vulnerable by cyber-vandal · · Score: 1

      That's why all Android devices are on the latest build of Nougat with all security fixes applied. Or not.

    6. Re: most vulnerabilities != most vulnerable by darkain · · Score: 1

      Security fixes are backported. Settings > About Device > Android Security Patch Level & Security Software Version. Plus individual APKs are patched automatically via the Play Store

    7. Re: most vulnerabilities != most vulnerable by AmiMoJo · · Score: 1

      You know how Windows 8 still gets security patches, despite Windows 10 being the latest version? Or how LTS versions of Debian are still fairly secure and well supported with patches, despite being old?

      Not being on the latest version of the OS doesn't mean no security patches.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    8. Re: most vulnerabilities != most vulnerable by Qzukk · · Score: 1

      My HTC EVO 4g still stands by for days without recharging, and hasn't gotten a single damn update - security or otherwise - since around 2012. I only got a new phone last year because Sprint shut down the 4G WiMax signal it used in favor of 4G LTE.

      Not buying a new phone every 2 years means no security patches.

      --
      If I have been able to see further than others, it is because I bought a pair of binoculars.
    9. Re: most vulnerabilities != most vulnerable by AmiMoJo · · Score: 1

      Does your old 4g have Play? Do the apps installed from Play get updated? If so, that phone is getting updates, including to the OS.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    10. Re: most vulnerabilities != most vulnerable by cyber-vandal · · Score: 1

      Being on Android quite often does mean no security patches. That's why I stopped buying Android phones. Are the OEMs such as Samsung any better now? The iPhone 5 is still getting updates 4 years after release. Any Android phones, even the ones that cost a similar amount, getting that kind of support? I have a Galaxy Note 2 released a couple of months later that didn't go any further than KitKat and it took bloody ages for Samsung to do that.

    11. Re: most vulnerabilities != most vulnerable by AmiMoJo · · Score: 1

      The patches come via Play.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    12. Re: most vulnerabilities != most vulnerable by cyber-vandal · · Score: 1

      How many of these have been fixed via Play or otherwise for all Android versions still in use? http://www.techworld.com/secur...

    13. Re: most vulnerabilities != most vulnerable by swillden · · Score: 1

      Says the Android security engineer.

      So, are you arguing that anything I said is untrue? If so, what?

      --
      Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
    14. Re:most vulnerabilities != most vulnerable by poofmeisterp · · Score: 1

      You mean not all bugs carry the same weight? But I really needed a metric to prove product A is better than product B.

      That's why MS loves "{mumble}found: 12,342,472, Fixed: 12,342,101".

      Where's the metric for "fixed and released to all vulnerable machines before the next bi-weekly release scheduled date"? I want that metric!

    15. Re: most vulnerabilities != most vulnerable by Qzukk · · Score: 1

      It does, it doesn't, it's got android 2.3.5 and a kernel compiled in 2012. The webkit version on it is so old it can't use the play store's (and many other websites) encryption cipher, and the android version on it is too old to install Chrome.

      --
      If I have been able to see further than others, it is because I bought a pair of binoculars.
    16. Re: most vulnerabilities != most vulnerable by trparky · · Score: 1

      But if the exploit is in the kernel no amount of "Play" patches will fix it since the "Play" service is running on top of the kernel. You can't patch the kernel, only the vendor can.

    17. Re: most vulnerabilities != most vulnerable by trparky · · Score: 1

      For instance... QuadRooter, many devices are still vulnerable and won't be patched. The kernel itself is vulnerable, no amount of "Play" patches will fix this since it's a vulnerability much lower on the software stack than the "Play" services.

      Same goes for Stagefright. You can mitigate some of the issues with this but mitigations can only go so far, you still need to patch the underlying library and again, no amount of "Play" patches will fix this since it's controlled by the vendor.

    18. Re: most vulnerabilities != most vulnerable by AmiMoJo · · Score: 1

      Sure, but if you cut off the ability for the exploit to actually get as far as the kernel, then the problem is mitigated. These days no-one relies on just one layer of security, it's always multiple layers.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    19. Re: most vulnerabilities != most vulnerable by trparky · · Score: 1

      But like I said, you can get around the mitigations. The best and only option should be to patch the vulnerability itself and not rely on something else to stop it.

    20. Re: most vulnerabilities != most vulnerable by AmiMoJo · · Score: 1

      If you can get around the mitigation, surely you can get around the fix to the kernel too, and in fact get around any security measures. Nothing can ever be secure because you can "get around" it.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    21. Re: most vulnerabilities != most vulnerable by thejynxed · · Score: 1

      The only patches I get are to GAPPs themselves (sometimes, currently several refuse to update, my guess is because they require at least Marshmallow or Nougat now) and Webview. I've had no other security patches period from either Google or the vendor, and this device is on 5.0.1 running kernel build 3.10.49. Google Play hasn't even updated on my device since prior to the Stagefright and Heartbleed releases, let alone much of the underlying Android system.

      --
      @Mindless Drivel: 100% of Twitter posts ever Tweeted.
    22. Re: most vulnerabilities != most vulnerable by nikkipolya · · Score: 1

      because people report vulnerabilities against very old versions of Android which, while they do still exist in the wild, constitute a fairly small number of devices...

      Android KitKat, which was released in 2013, is still being used on 22.1% of the devices out there. And 36.3% of the devices out there run KitKat or older versions of Android.

      Gingerbread 1.0%
      Ice Cream Sandwich 1.1%
      Jelly Bean 11.6%
      KitKat 22.6%

    23. Re: most vulnerabilities != most vulnerable by swillden · · Score: 1

      because people report vulnerabilities against very old versions of Android which, while they do still exist in the wild, constitute a fairly small number of devices...

      Android KitKat, which was released in 2013, is still being used on 22.1% of the devices out there. And 36.3% of the devices out there run KitKat or older versions of Android.

      Gingerbread 1.0%
      Ice Cream Sandwich 1.1%
      Jelly Bean 11.6%
      KitKat 22.6%

      Very true, and part of the reason that the Play store and Verified Apps protections are so important.

      --
      Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
  5. Re:"Oracle the" what? by __aaclcg7560 · · Score: 1

    You didn't see that one coming.

  6. Number of bugs is hardly a valuable metric here... by Anonymous Coward · · Score: 5, Insightful

    The number of bugs opened with a given software product says very little about how "vulnerable" the product may be. The most ubiquitous (widely-deployed) products are bound to be subject to the greatest number of "bug reports" (CVEs), by virtue of the fact that they are "under the microscope" and so broadly used. It is no coincidence that the most bug reports have been filed for the most popular software products.

  7. commentsubject by Falos · · Score: 3, Insightful

    Oh boy a point metrics ranking list highscore chart golf game.

    Security bug 1) Erroneous password entry reveals critical details in the rejection prompt, like the confirmed existence of an account name.
    Security bug 2) Throwing in a parentheses and semicolon allows mass queries and a full DB dump of cleartext passwords.

    One point each, equally vulnerable.

    1. Re:commentsubject by thegarbz · · Score: 1

      One point each, equally vulnerable.

      Not to mention that the vast majority of vulnerabilities in Android were highly specific or mitigated by its security model. We've seen CVEs issued for things that can't actually be exploited due its use of SELinux.

      Plus if you look at the actual CVEs you'll find that 90% or so have nothing to do with Android and everything to do with Qualcomm, Synaptics, Samsung, etc writing dodgy drivers and doing a shoddy job and bolting things into "Google Android".

  8. The counting fiasco by Anonymous Coward · · Score: 4, Interesting

    You know, when you read that something had XXX CVEs in 2016, you kinda expect those CVEs are about the latest stable release of Ubuntu, Fedora, Debian, RedHat, etc.

    Not so in this report. You'll ALSO get CVEs that are relevant only to older versions of the distro added to that distro's 2016 count in this report (RTFA and check it!). They didn't restrict it to the current [in 2016] stable version of the distro/product.

    As far as I am concerned, this report is irrelevant, because you can't really get any real-world use of it other than deceptive marketing (either pro or contra).

    1. Re:The counting fiasco by 93+Escort+Wagon · · Score: 1

      As far as I am concerned, this report is irrelevant, because you can't really get any real-world use of it other than deceptive marketing (either pro or contra).

      This report typifies the high level of hard-hitting analysis we've already come to expect from bleepingcomputer.com during its short existence. And, since their posts get submitted to Slashdot regularly, thankfully we can expect much much more of the same going forward.

      --
      #DeleteChrome
    2. Re:The counting fiasco by poofmeisterp · · Score: 1

      ...As far as I am concerned, this report is irrelevant, because you can't really get any real-world use of it other than deceptive marketing (either pro or contra).

      Statistics. Love them.

  9. Go Linux by OrangeTide · · Score: 1

    Any press is good press!

    --
    “Common sense is not so common.” — Voltaire
  10. Candlejack by cccc828 · · Score: 1

    Good that Candlejack is no edit-

  11. Re:Poor Quality by cfalcon · · Score: 2, Informative

    No, the "thousand eyes" gets bugs fixed. The proprietary bugs are only known by your enemies, and are not being fixed.

  12. But were the suppliers sending patches? by Anonymous Coward · · Score: 1

    But were the suppliers of these Android devices sending patches? My Nexus gets more security updates than my Samsung ever did. I think the bugs are fixed, just never pushed out by manufacturers.

    1. Re:But were the suppliers sending patches? by Anonymous Coward · · Score: 1

      Which is why the manufacturer shouldn't be in charge, or even allowed, to provide the updates. It should come from Google directly.

      Of course, that will never happen with Samsung. They hate Google even more than they hate Apple, and want their own ecosystem.

    2. Re: But were the suppliers sending patches? by Miamicanes · · Score: 1

      To a certain extent, Google HAS been isolating more & more potentially-vulnerable libraries used by the OS itself into packages that can be updated through Google Play (like WebView). Kernel-level stuff still requires manufacturers to fix, but Google can fix a newly-discovered Javascript vulnerability and deploy the fix to semi-recent devices all by itself.

      I'm not totally sure where the AppCompat library/framework fits in... I think it's statically compiled into the .apk at build time, but I'd be shocked if it didn't delegate most of its actual work to a component that's updatable via Google Play.

    3. Re:But were the suppliers sending patches? by farble1670 · · Score: 1

      Which is why the manufacturer shouldn't be in charge, or even allowed, to provide the updates. It should come from Google directly.

      How would that work? Thousands of unique devices with arbitrary hardware and drivers. Google is going to manage unique Android dists for all of those devices including testing? People that suggest this type of thing have a profound misunderstanding about the nature of Android. It's not Windows or anything close to it where it runs on well-defined and standardized hardware. Every device is different in ways that only the manufacturer, SoC vendor, and other hardware providers can code to.

      The only way something like this could work is if Google specified a very narrow range of supported hardware configs. And if they did that, guess what? The hardware manufacturers would bow out of Android (or would have never bought into it to begin with). What's the point? They can't compete on the software, and now, they couldn't compete on the hardware either. I take it back. Even if they specified a narrow range of hardware configs, they'd still have to test all of those devices. Absolutely impractical.

      P.S., if you really think updates should come from Google, buy a Pixel or Nexus phone. Support that model. Don't go out and buy a Samsung and then cry about it. Vote with your wallet.

    4. Re:But were the suppliers sending patches? by farble1670 · · Score: 1

      The problem, in my opinion, is when the carrier gets involved with updates. They are a 3rd party inserting themselves into your relationship with the manufacturer of the device you purchased for no reason other than their own benefit.

      You are correct in my experience. I had the pleasure of working for a company that made Android phones (one of the smaller ones). For every carrier they had unique builds with different software that needed to be QA'd separately.

      Of course, carriers get to demand that (unless you are Apple I guess). If you don't comply, they just go with a different vendor that'll abide by their rules. By "go with", I mean advertise those phones and sell them in their stores and give discounts on them and offer payment plans.

  13. Too stupid by AndyKron · · Score: 1

    Humans are too stupid to write good software

    1. Re:Too stupid by Anonymous Coward · · Score: 1

      Some of them can't even write an entire headline correctly.

  14. Re:Number of bugs is hardly a valuable metric here by Anonymous Coward · · Score: 1

    It's totally believable that Android was among the worst (it's sort of the new Windows), although Windows itself is said to still exist and be used by someone, so I kind of doubt Android really got the very top spot, but .. maybe.

    But, yeah.. when you look at what the article is counting ("CVE"s) you realize that it's an arbitrary thing, so if their list happens to match reality, that's just a coincidence.

    And you'd expect the least secure stuff to not even be on this article's radar, precisely because it doesn't have the bugs reported yet. Maybe the bugs are known (and used) but not reported.

  15. Adobe: Truly solid products by MobyDisk · · Score: 5, Interesting

    A document viewer had as many vulnerabilities as AN ENTIRE OPERATING SYSTEM.

    1. Re:Adobe: Truly solid products by Anonymous Coward · · Score: 1

      Glad to see I wasn't the only one thinking this :-)
      Wow, just... wow.

    2. Re:Adobe: Truly solid products by Dan+East · · Score: 2

      Oh it's so much worse than that though. Adobe Reader has existed since loooooong before Android was even conceptualized. How often does the PDF format change that the reader requires lots of active development which is a vector for introducing bugs? Reader should be bullet proof by now. The one and only time I've had a machine infected was a decade ago with Adobe Reader from a website that sent me a PDF that exploited it. I knew exactly the attack vector because the Adobe Reader splash window popped up and went away after a few seconds when I visited a site pushing malware.

      --
      Better known as 318230.
    3. Re:Adobe: Truly solid products by david_thornley · · Score: 1

      According to Adobe's standards site, the last published change was in 2009. You'd think they'd have Reader pretty solid by now.

      --
      "When you have eliminated the unacceptable, whatever is left, however improbable, must be the truthiness" - Holmes
  16. Novell? by n0w0rries · · Score: 2

    Novell? Are people still using NetWare or GroupWise? WOW

    I'm currently not working, cruising on a sailboat in Mexico, but if anybody needs a CNE I could use a little $$$.

    1. Re:Novell? by henni16 · · Score: 1

      Nah, they've just assigned all the SuSE stuff to Novell.

  17. Congratulations to Android! by TheFakeTimCook · · Score: 1

    You FINALLY beat Adobe!!!

  18. Re:Poor Quality by beelsebob · · Score: 1

    known by your enemies, and are not being fixed

    ftfy

  19. Re:Number of bugs is hardly a valuable metric here by Anonymous Coward · · Score: 3, Interesting

    Larger more complex products have more bugs.
    Products with larger user bases discover more bugs.

    What we are measuring here is the largest, most used products.

    I believe that means that 2016 was the year of the Ubuntu and Debian desktop! (and to a lesser extent openSUSE)

    Though I find the whole thing suspect when Adobe has 904 bugs across 4 products in the top 10 but only 548 total.

  20. Statistics by HaaPoo · · Score: 2

    I like how statistics works, by looking at this chart i can say Apple is on the top: http://www.cvedetails.com/vend...

  21. Re:Number of bugs is hardly a valuable metric here by erapert · · Score: 2

    It is no coincidence that the most bug reports have been filed for the most popular software products.

    Agreed. So we shouldn't interpret this article solely as an indictment of these products for being crappy.
    Instead we should interpret this article as spotlighting the most popular companies and their products.

    None the less, the fact that Oracle stands so far above the crowd does seem to imply that they're not doing something as well as they might. In particular since most of the members of that crowd are distributing software that is more complicated than a database-- entire operating systems, infrastructure that undergirds the entire web, etc.. And note that MySQL, MSSQL, Postgres, and Mongodb are not on the list in TFS and none of these four databases are unheard of little toy projects.

  22. Re:Number of bugs is hardly a valuable metric here by swillden · · Score: 1

    The most ubiquitous (widely-deployed) products are bound to be subject to the greatest number of "bug reports" (CVEs), by virtue of the fact that they are "under the microscope" and so broadly used.

    Open source products also get a boost, by dint of the simple fact that finding bugs is easier. Security researchers try to focus their time on the most-used software rather than the easiest-to-analyze software, but the time spent on easy-to-analyze software often generates more bugs. This is exacerbated when there is an entity that pays out good cash for vulnerability reports. Android's bug reports jumped significantly when Google began paying bounties, for example, but that doesn't mean the platform got less secure.

    --
    Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
  23. Re:Number of bugs is hardly a valuable metric here by Nelson · · Score: 1

    To the extent that they're not sold on the black market.

    A really good exploitable bug on very popular platforms is very valuable. The numbers of reported CVEs have been dropping industry wide, not because of better development practices...

  24. Apples and oranges by GuB-42 · · Score: 3, Insightful

    They put the Linux kernel, Linux distros, Android and apps in the same list.
    Android and Linux distros contain the Linux kernel.
    There isn't much to Linux distros besides testing and maintenance; they are mostly a collection of third-party software.

    So, for example, is a bug in the Linux kernel also a bug in Ubuntu? Is it still a bug if there is some kind of mitigation in place?

    1. Re: Apples and oranges by cyber-vandal · · Score: 1

      If it's in the default install then surely some of the onus is on the distro builder to audit the code. It's not like it's unavailable.

    2. Re: Apples and oranges by david_thornley · · Score: 1

      I assume people do pay attention to default installs. However, I've loaded distros with multiple development environments and office suites, so not only is there more code to vet, it's misleading in bugs per unit functionality.

      --
      "When you have eliminated the unacceptable, whatever is left, however improbable, must be the truthiness" - Holmes
  25. Re: "Oracle the" what? by cyber-vandal · · Score: 1

    Mishmash more like.

  26. Re: Number of bugs is hardly a valuable metric her by cyber-vandal · · Score: 1

    No one uses Windows anymore, that's why Microsoft went bankrupt years ago /s

  27. Apples vs. Oranges by RealGene · · Score: 4, Insightful

    Comparing an operating system to Acrobat Reader? The real question is, why should a text rendering application have half as many bugs as an entire OS?

    --
    Mission: To provide products that consume time and energy as entertainingly as permitted by the laws of thermodynamics.
    1. Re:Apples vs. Oranges by freeze128 · · Score: 1

      It shouldn't have *ANY* bugs. But Adobe also thought that it should be able to execute scripts from web based sources. That's the kicker.

    2. Re:Apples vs. Oranges by Princeofcups · · Score: 1

      Comparing an operating system to Acrobat Reader? The real question is, why should a text rendering application have half as many bugs as an entire OS?

      Unless someone actually defines "bug," then what's the point of even discussing it?

      --
      The only thing worse than a Democrat is a Republican.
  28. Re: What if you hate both? by cyber-vandal · · Score: 1

    iOS updates don't cost anything.

  29. Re:Poor Quality by arth1 · · Score: 2

    No, the "thousand eyes" gets bugs fixed. The proprietary bugs are only known by your enemies, and are not being fixed.

    Yes, but for Android, it doesn't matter much if the bugs get fixed as long as the vendors stop providing OS updates/upgrades while there are still a substantial number of devices being used.

  30. Re:Poor Quality by TemporalBeing · · Score: 1

    Most of all that is FOSS, with the exception of Adobe (of course).

    Exactly, and by organizations that have a well defined CVE policy so they generate a lot more CVEs than proprietary companies (like MSFT, Apple, Oracle, etc).

    Oh, and don't forget that probably all those Linux Kernel CVEs also had a Debian/Ubuntu/Red Hat CVE filed too - so multiple countings - since CVEs are a form of notification; often by the time the CVE is filed for a FOSS project it has also already been fixed; unlike non-FOSS organizations...

    --
    Truth is like the sun. You can shut it out for a time, but it ain't goin' away. - Elvis Presley (source: imdb.com)
  31. Re:Number of bugs is hardly a valuable metric here by darkain · · Score: 1

    Certain bugs are the same bug in multiple products, so for a company total it is counted once but is also counted for each individual application. Think of this like a bug in a PNG decoder, using the exact same decoder in Photoshop and Illustrator. "Adobe" has 1 bug, but each application also has 1 bug each.

  32. Not a single CVE against software I work on. by eddy · · Score: 1

    Guess it's pretty much perfect!

    --
    Belief is the currency of delusion.
  33. How are the BSDs? by unixisc · · Score: 1

    I didn't see the BSDs in the list - OpenBSD, FreeBSD, NetBSD. How are they compared to Android, Linux, Windows and Apple OSs?

    1. Re:How are the BSDs? by moronikos · · Score: 1

      Somebody has to use the software for someone to report a bug. :)

  34. Re:Oracle the.... by R3d+M3rcury · · Score: 1
  35. Re:Poor Quality by HiThere · · Score: 2

    Judging by the summary, the rating is nearly worthless. E.g., Debian is a suite of about 1000 programs, so comparing it against any one other program is obviously silly. From the summary I can't decide whether they did something similar to the "Android OS", but they could well have. And anything that includes Flash will clearly have all the vulnerabilities that Flash does.

    Now let's consider the difficulty of judging the seriousness of something given that we are only told it's a vulnerability...

    --
    I think we've pushed this "anyone can grow up to be president" thing too far.
  36. Re:Poor Quality by Goose+In+Orbit · · Score: 2

    Probably - if the list I saw is anything to go by, the first 3 items were specific to a single vendor/handset, yet were listed as "Android" bugs... I'll wager that the vendor had (as is their habit) been tinkering, and got it wrong...

  37. Yeah, but... by sidnelson13 · · Score: 1

    ... which version of Android?

  38. Re: What if you hate both? by cyber-vandal · · Score: 1

    Why do you need to buy a new phone? The 5 is still getting updates and that was released in 2012.

  39. Re:Number of bugs is hardly a valuable metric here by Cederic · · Score: 1

    MySQL is a fucking Oracle product.
    As is Java and three hundred enterprise grade applications and technologies.

    Including operating systems, infrastructure that undergirds the entire web, etc.

    Shit, there are plenty of things wrong with Oracle but their appearance on this list? Purely and entirely a consequence of their massive product portfolio.