Android Was 2016's Most Vulnerable Product, Oracle the (bleepingcomputer.com)
An anonymous reader writes: According to CVE Details, a website that aggregates historical data on security bugs that have received a CVE identifier, during 2016, security researchers have discovered and reported 523 security bugs in Google's Android OS, winner by far of this "award." The rest of the top 10 is made up by Debian (319 bugs), Ubuntu (278 bugs), Adobe Flash Player (266 bugs), openSUSE Leap (259 bugs), openSUSE (228 bugs), Adobe Acrobat DC (227 bugs), Adobe Acrobat Reader DC (227 bugs), Adobe Acrobat (224 bugs), and the Linux Kernel (216 bugs).
When it comes to software vendors, the company for which the largest number of new CVE numbers have been assigned was Oracle, with a whopping 798 CVEs, who edged out Google (698 bugs), Adobe (548 bugs), Microsoft (492 bugs), Novell (394), IBM (382 bugs), Cisco (353 bugs), Apple (324 bugs), Debian Project (320 bugs), and Canonical (280 bugs).
When it comes to software vendors, the company for which the largest number of new CVE numbers have been assigned was Oracle, with a whopping 798 CVEs, who edged out Google (698 bugs), Adobe (548 bugs), Microsoft (492 bugs), Novell (394), IBM (382 bugs), Cisco (353 bugs), Apple (324 bugs), Debian Project (320 bugs), and Canonical (280 bugs).
I think you a word.
The number of bugs opened with a given software product says very little about how "vulnerable" the product may be. The most ubiquitous (widely-deployed) products are bound to be subject to the greatest number of "bug reports" (CVEs), by virtue of the fact that they are "under the microscope" and so broadly used. It is no coincidence that the most bug reports have been filed for the most popular software products.
Oh boy a point metrics ranking list highscore chart golf game.
Security bug 1) Erroneous password entry reveals critical details in the rejection prompt, like the confirmed existence of an account name.
Security bug 2) Throwing in a parenthesis and semicolon allows mass queries and a full DB dump of cleartext passwords.
One point each, equally vulnerable.
You know, when you read that had XXX CVEs on year 2016, you kinda expect those CVEs are about that latest stable release for in Ubuntu, Fedora, Debian, RedHat, etc.
Not so in this report. You'll ALSO get CVEs that are relevant only to older versions of the distro added to that distro's 2016 count in this report (RTFA and check it!). They didn't restrict it to the current [in 2016] stable version of the distro/product.
As far as I am concerned, this report is irrelevant, because you can't really get any real-world use of it other than deceptive marketing (either pro or contra).
You mean not all bugs carry the same weight? But I really needed a metric to prove product A is better than product B.
“Common sense is not so common.” — Voltaire
No, the "thousand eyes" gets bugs fixed. The proprietary bugs are only known by your enemies, and are not being fixed.
Ask Achilles how that works out.
A document viewer had as many vulnerabilities as AN ENTIRE OPERATING SYSTEM.
Novell? Are people still using NetWare or GroupWise? WOW
I'm currently not working, cruising on a sailboat in Mexico, but if anybody needs a CNE I could use a little $$$.
True, however Android also suffers from very long delays between serious vulnerability being found and the majority of network-connected installs being patched. The combination of that and a large number of vulnerabilities is pretty bad.
I am TheRaven on Soylent News
Larger more complex products have more bugs.
Products with larger user bases discover more bugs.
What we are measuring here is the largest most used products.
I believe that means that 2016 was the year of the Ubuntu and Debian desktop! (and to a lesser extent openSUSE)
Though I find the whole things suspect when Adobe has 904 bugs across 4 products in the top 10 but only 548 total.
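The counting problems raised in this thread (every CVE scoring one point regardless of severity, CVEs against old releases landing in the current year's count, and per-product sums for one vendor exceeding the vendor's own total) are easy to see in a small tally. The script below is an added example, not code from the article, from CVE Details or from any commenter; the records, vendor and product names, version strings and CVE identifiers are constructed placeholders, and the severity cut-offs are the CVSS v3 qualitative scale (Low <4.0, Medium 4.0-6.9, High 7.0-8.9, Critical 9.0-10.0).

```python
"""Added example: why raw CVE counts mislead (constructed data, placeholder IDs)."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class CveRecord:
    cve_id: str
    vendor: str
    product: str
    cvss: float                   # CVSS v3 base score, 0.0-10.0
    affected_versions: frozenset  # product versions the record applies to


# Constructed sample records; the IDs are placeholders, not real CVE entries.
# CVE-2016-00001 and CVE-2016-00004 are filed against two products of the
# same vendor, which is how per-product sums can exceed the vendor total.
SAMPLE = [
    CveRecord("CVE-2016-00001", "VendorA", "Reader",    9.8, frozenset({"11", "12"})),
    CveRecord("CVE-2016-00001", "VendorA", "Reader DC", 9.8, frozenset({"15"})),
    CveRecord("CVE-2016-00002", "VendorA", "Reader",    3.1, frozenset({"11"})),
    CveRecord("CVE-2016-00003", "VendorA", "Reader DC", 3.1, frozenset({"15"})),
    CveRecord("CVE-2016-00004", "VendorA", "Reader",    7.5, frozenset({"12"})),
    CveRecord("CVE-2016-00004", "VendorA", "Reader DC", 7.5, frozenset({"15"})),
    CveRecord("CVE-2016-00005", "VendorB", "DistroOS",  4.3, frozenset({"8"})),
    CveRecord("CVE-2016-00006", "VendorB", "DistroOS",  5.0, frozenset({"8"})),
    CveRecord("CVE-2016-00007", "VendorB", "DistroOS",  4.0, frozenset({"7"})),
    CveRecord("CVE-2016-00008", "VendorB", "DistroOS",  5.3, frozenset({"7", "8"})),
    CveRecord("CVE-2016-00009", "VendorB", "DistroOS",  4.6, frozenset({"8"})),
]


def count_by_product(records):
    """Naive tally: distinct CVE IDs filed against each product."""
    ids = defaultdict(set)
    for r in records:
        ids[r.product].add(r.cve_id)
    return {p: len(s) for p, s in ids.items()}


def count_by_vendor(records):
    """Vendor tally with each CVE ID counted once across all of its products."""
    ids = defaultdict(set)
    for r in records:
        ids[r.vendor].add(r.cve_id)
    return {v: len(s) for v, s in ids.items()}


def severity_buckets(records, product):
    """CVSS v3 qualitative rating per distinct CVE for one product."""
    worst = {}
    for r in records:
        if r.product == product:
            worst[r.cve_id] = max(r.cvss, worst.get(r.cve_id, 0.0))
    buckets = {"critical": 0, "high": 0, "medium": 0, "low": 0}
    for score in worst.values():
        if score >= 9.0:
            buckets["critical"] += 1
        elif score >= 7.0:
            buckets["high"] += 1
        elif score >= 4.0:
            buckets["medium"] += 1
        else:
            buckets["low"] += 1
    return buckets


def count_affecting_version(records, product, version):
    """Only CVEs whose affected-version list includes the given release."""
    return len({r.cve_id for r in records
                if r.product == product and version in r.affected_versions})


if __name__ == "__main__":
    by_product = count_by_product(SAMPLE)
    by_vendor = count_by_vendor(SAMPLE)
    print("per product:", by_product)
    print("per vendor (deduplicated):", by_vendor)
    reader_sum = by_product["Reader"] + by_product["Reader DC"]
    print(f"VendorA product sum {reader_sum} vs vendor total {by_vendor['VendorA']}")
    for product in ("Reader", "DistroOS"):
        print(product, "severity:", severity_buckets(SAMPLE, product))
    print("Reader CVEs affecting current release 12:",
          count_affecting_version(SAMPLE, "Reader", "12"))
```

With this data DistroOS has more CVEs than Reader (5 against 3) yet none rated High or Critical, the two Reader products sum to 6 while the vendor's deduplicated total is 4, and only 2 of Reader's 3 CVEs touch the release actually shipping; each of those gaps is one of the distortions the commenters describe.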
I like how statistics works, by looking at this chart i can say Apple is on the top: http://www.cvedetails.com/vend...
True, however Android also suffers from very long delays between serious vulnerability being found and the majority of network-connected installs being patched. The combination of that and a large number of vulnerabilities is pretty bad.
It's not good, certainly, but it's not as bad as that makes it appear, at least not for users who stick with the Google Play store, and even users who don't but leave "Verified Apps" turned on. The Play store is pre-vetted and Verified Apps checks sideloads and apps from other stores. Both of those mechanisms can fail because things can slip through the cracks, but it's another (large) hurdle that attackers have to jump through to get malicious code onto user devices.
In addition, the slow update issue also inflates the bug count, because people report vulnerabilities against very old versions of Android which, while they do still exist in the wild, constitute a fairly small number of devices. Often bugs still exist on newer releases but aren't exploitable on newer releases because SELinux blocks the exploit chain. By that I mean that while the reported vulnerability exists on new releases, the researchers can't find any way to use it to gain real access to anything else. So, they typically then verify that it also exists on Kit Kat (SELinux was turned on in enforcing mode in Lollipop) and submit the report, but claim it as a vulnerability on the latest version because it still exists, even if it's not usable. If Android devices were upgraded reliably they probably wouldn't even bother submitting. The Android security team is glad they do, though, since there's always the chance that some clever person could find a working exploit chain.
Anyway, as a practical matter, although Android has lots of reported vulnerabilities the ecosystem is actually quite healthy. Few devices actually get exploited, and nearly all of those only after the user went out of their way to take on extra risks.
Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
It is no coincidence that the most bug reports have been filed for the most popular software products.
Agreed. So we shouldn't interpret this article solely as an indictment of these products for being crappy.
Instead we should interpret this article as spotlighting the most popular companies and their products.
Nonetheless, the fact that Oracle stands so far above the crowd does seem to imply that they're not doing something as well as they might. In particular since most of the members of that crowd are distributing software that is more complicated than a database: entire operating systems, infrastructure that undergirds the entire web, etc. And note that MySQL, MSSQL, Postgres, and Mongodb are not on the list in TFS and none of these four databases are unheard of little toy projects.
They put the linux kernel, linux distros, Android and apps in the same list.
Android and linux distros contain the linux kernel.
There isn't much to linux distros besides testing and maintenance; they are mostly a collection of third-party software.
So, for example, is a bug in the linux kernel also a bug in Ubuntu? Is it still a bug if there is some kind of mitigation in place?
Comparing an operating system to Acrobat Reader? The real question is, why should a text rendering application have half as many bugs as an entire OS?
Mission: To provide products that consume time and energy as entertainingly as permitted by the laws of thermodynamics.
No, the "thousand eyes" gets bugs fixed. The proprietary bugs are only known by your enemies, and are not being fixed.
Yes, but for Android, it doesn't matter much if the bugs get fixed as long as the vendors stop providing OS updates/upgrades while there are still a substantial number of devices being used.
Windows 10 had fewer vulnerabilities than linux and Mac... AHAHAHAHAHAHAHA
And Microsoft has a very strict policy on what gets filed for a CVE; while open source folks file CVEs very often.
Truth is like the sun. You can shut it out for a time, but it ain't goin' away. - Elvis Presley (source: imdb.com)
+1 Pedantic
Judging by the summary, the rating is nearly worthless. E.g., Debian is a suite of about 1000 programs, so comparing it against any one other program is obviously silly. From the summary I can't decide whether they did something similar to the "Android OS", but they could well have. And anything that includes Flash will clearly have all the vulnerabilities that Flash does.
Now let's consider the difficulty of judging the seriousness of something given that we are only told it's a vulnerability...
I think we've pushed this "anyone can grow up to be president" thing too far.
Probably - if the list I saw is anything to go by, the first 3 items were specific to a single vendor/handset, yet were listed as "Android" bugs... I'll wager that the vendor had (as is their habit) been tinkering, and got it wrong...