Chrome leads with most Windows vulnerabilities - Secunia

[nsane.forums]

A new study from security firm Secunia claims 86 percent of all software vulnerabilities in Windows come from programs not made by Microsoft, with Google's Chrome browser leading the list.



When you download any software program on your desktop or laptop PC, there's always a risk that there will be a flaw in the program that will be exploited by hackers. This week, a new study from the security firm Secunia claims that the number of software programs that are not made by Microsoft that have some kind of vulnerability is actually increasing.

The study results show that 86 percent of programs that the firm said has security issues came from non-Microsoft applications, an increase compared to 78 percent from the year before. The actual report, based on data recorded by Secunia's Personal Software Inspector program, showed there were 9,776 software vulnerabilities in 2,503 applications released by 421 different companies in 2012.

Google's Chrome web browser topped the list with 291 vulnerabilities in 2012, followed by Mozilla's Firefox browser with 257, Apple's iTunes with 243, Adobe's Flash Player with 67, and Oracle's Java with 66. Secunia says the study shows that Microsoft is doing a better job in making sure its own programs are more secure from exploits.

That's the good news. The bad news is that the study seems to show that large businesses need to do a better job in making sure that their third party programs don't leave their PC systems open to attack. Morten R. Stengaard, Secunia’s Director of Product Management, states:

The number of vulnerabilities is on the increase, but many organizations continue to turn a blind eye, thereby jeopardizing their entire IT infrastructure: It only takes one vulnerability to expose a company, and no amount of processes and technology that supports operating systems and Microsoft programs will suffice in providing the required level of protection.

View: Original Article

[wdm]

:lol:

[irefay]

Well, hopefully google will awake and work on fixing this. I have noticed a huge spike the last few months with sites attempting to execute code when using Chrome.

[stylemessiah]

I block my users from installing Chrome for this reason, and many others, among them the sheer number of bugs in it. Its the Adobe Reader/Flash or Java of the browser world.

http://social.technet.microsoft.com/Forums/eu/winserverGP/thread/a7abcfea-8819-4680-9010-d2604a59c9bd

[Marik]

damn, I naturally assumed that since it was google, their sh*t was safe...guess I was wrong :hehe:

[DKT27]

Normally I would take these finding with a pinch of salt, but it's from Secunia so. :dunno:

[Ambrocious]

Secunia almost always fails to run on computers which I test it on. Maybe they are right but Im not really worried anyways, I use Firefox.

[DKT27]

Secunia almost always fails to run on computers which I test it on. Maybe they are right but Im not really worried anyways, I use Firefox.

You mean PSI? Try v2. v3 is not working on my PC either.

[ck_kent]

So, what about those Pwn2Own that has been going yearly/regularly, don't the participants suppose to find these sort of things?

[R0H1T]

I'll call this article total B$ cause Google patches these vulnerabilities regularly & this is the reason chrome is the undisputed leader at Pwn2Own ! But as always folks who don't regularly update their system/software will have to bear these consequences & they are the ones that usually end up whining as always ! Guess what the core Windows OS still has more vulnerabilities & yearly patches issued than chrome, bear in mind that chrome is cross platform so whilst some of these security holes are common across all four major platforms however alot of these are due to the underlying nature of the Windows NT kernel, which from all accounts is second rate as compared to Linux ! So my advice ~ take these reports with a huge grain of salt & try to dig deeper if you're still unsure what they're all about !

[ffi]

Strange result, are all these vulnerabilities able to break chrome's sandbox? And why if chrome is so insecure have people been unable to hack it at pown2own (or pownium)? (btw i am an opera user, not a chrome user)

@Ambrocious, firefox is 2nd with only a few vulnerabilities less than chrome

[exodius]

chrome use much of RAM.

very bad, and it slow load. :(

[stylemessiah]

I'll call this article total B$ cause Google patches these vulnerabilities regularly & this is the reason chrome is the undisputed leader at Pwn2Own ! But as always folks who don't regularly update their system/software will have to bear these consequences & they are the ones that usually end up whining as always ! Guess what the core Windows OS still has more vulnerabilities & yearly patches issued than chrome, bear in mind that chrome is cross platform so whilst some of these security holes are common across all four major platforms however alot of these are due to the underlying nature of the Windows NT kernel, which from all accounts is second rate as compared to Linux ! So my advice ~ take these reports with a huge grain of salt & try to dig deeper if you're still unsure what they're all about !

Chrome is so full of bugs its not funny, and if it has that many bugs, then theres plenty of people who are out there trying to exploit them.

Its not safe, simple as that.

I enforce using Firefox which i also have locked down with addons like Public Fox (locks settings/addons etc), and use filtering with antimalware and ad lists via squidguard on squid proxy.

Not in a million years would i let my users use Chrome, or to a lesser extent, IE.

Look at how its downloaded and installed, right into a users profile...which bypasses a fair amount of security, so dont be surprised its a huge security risk.

Would you let users install any other bit of software to run from their user profile? i think not.....

Any program that bypasses needing admin rights to install is in my opinion malware, which is what i class Chrome as, it behaves like it.

So i'll take your BS and raise you some reality.

p.s. Completely separate is the fact that Chrome is just one big data mining tool anyways

[ffi]

Chrome is so full of bugs its not funny, and if it has that many bugs, then theres plenty of people who are out there trying to exploit them.

Its not safe, simple as that.

Lol chrome 291 exploits vs firefox 257 and you believe firefox is safer :doh: chrome was designed with the idea in mind that it will have vulnerabilities but to exploit them you also need to break chrome's sandbox. Chrome is much safer than firefox

Any program that bypasses needing admin rights to install is in my opinion malware, which is what i class Chrome as, it behaves like it.

you really don't seem to understand security, when a program installs as a regular user it can only escalate to a regular user, it is therefor much safer than installing it needing admin rights....

[stylemessiah]

Chrome is so full of bugs its not funny, and if it has that many bugs, then theres plenty of people who are out there trying to exploit them.

Its not safe, simple as that.

Lol chrome 291 exploits vs firefox 257 and you believe firefox is safer :doh: chrome was designed with the idea in mind that it will have vulnerabilities but to exploit them you also need to break chrome's sandbox. Chrome is much safer than firefox

Yup, its still much safer.

Oh no ones ever broken a sandbox before *cough*

Okay you put all your faith in the mythical sandbox....why people are so conned by the word "sandbox" (in any security product currently) is beyond me....perhaps in time i will trust one, but not at the moment. Putting the word "sandbox" in your product just attracts people who are dead set on bypassing it in some way for some perceived web cred. Its like painting a target on your product. Its quite silly really.

Oh noes, there seems to be a new breed of fanboy, the Chrome (head in the sandbox) kind, and here i was hoping i wouldnt meet anyone worse than the Win8 fanboys at Neowin....

Oh, and yes, if theres software out there that has 30 odd LESS vulnerabilities, i will use it. If you didnt youre nucking futs :)

Honestly, try and have a rational argument next time :)

[Gabben]

This is bullshit. If product "A" has more bugs than product "B" that does not means that product "B" is safer.

2 things that Secunia fails to mention.

1. The fastest bugfixing is done by Google Chrome and Mozilla Firefox developers.

2. Both Chromium and Firefox are open source programs. Evryone can search for vulnerabilities and they will be awarded by Google with a huge amount of money. GOD knows what kind of bugs has IE or other Microsoft products. That is only known by IE devs(and hackers).

[ffi]

Oh no ones ever broken a sandbox before *cough*

Oh the chrome sandbox has been broken before but you fail to understand that with the sandbox you need at least 2 vulnerabilites to be able to exploit a chrome install.

Oh, and yes, if theres software out there that has 30 odd LESS vulnerabilities, i will use it. If you didnt youre nucking futs :)

Google pays people who report vulnerabilites to them in chrome, so chrome is sure to attract lots of people looking for vulnerabilities in its open source code whereas in closed source projects this is impossible

[R0H1T]

Chrome is so full of bugs its not funny, and if it has that many bugs, then theres plenty of people who are out there trying to exploit them.

Umm what ! Either you're trolling for fun or simply trolling, the number of vulnerabilites has got nothing to do with how secure a browser is, so the only thing to consider here is the number of unpatched security holes which AFAIK is zero till the last stable version & btw can you count the number of bugs in say Windows 8 ?

Its not safe, simple as that.

As I said ~ only for those who don't update their stuff, just like installing Windows updates for instance !

I enforce using Firefox which i also have locked down with addons like Public Fox (locks settings/addons etc), and use filtering with antimalware and ad lists via squidguard on squid proxy.

Unless I missed something addons don't patch security holes you know !

Not in a million years would i let my users use Chrome, or to a lesser extent, IE.

Say that again ? A billion+ users of chromium based browsers on 4 major platforms beg to differ !

Look at how its downloaded and installed, right into a users profile...which bypasses a fair amount of security, so dont be surprised its a huge security risk.

You do realize that chrome runs with limited rights or not ? FYI you can't update chrome, nor access google update with admin rights, so I'd say your knowledge of chrome is severely lacking !

Would you let users install any other bit of software to run from their user profile? i think not.....

The regular/stable version of chrome installs in the "program files" folder, since version 20.x or something last I checked ! Besides what has the install folder got to do anything at how you perceive a piece of software but more importanatly how secure it is ?

Any program that bypasses needing admin rights to install is in my opinion malware, which is what i class Chrome as, it behaves like it.

Again total B$ so do your homework man !

So i'll take your BS and raise you some reality.

Were you involved in M$ erstwhile scroogle campaign by any chance ?

[stylemessiah]

Chrome is so full of bugs its not funny, and if it has that many bugs, then theres plenty of people who are out there trying to exploit them.

Umm what ! Either you're trolling for fun or simply trolling, the number of vulnerabilites has got nothing to do with how secure a browser is, so the only thing to consider here is the number of unpatched security holes which AFAIK is zero till the last stable version & btw can you count the number of bugs in say Windows 8 ?

>>>>>Its not safe, simple as that.

As I said ~ only for those who don't update their stuff, just like installing Windows updates for instance !

I enforce using Firefox which i also have locked down with addons like Public Fox (locks settings/addons etc), and use filtering with antimalware and ad lists via squidguard on squid proxy.

Unless I missed something addons don't patch security holes you know !

Not in a million years would i let my users use Chrome, or to a lesser extent, IE.

Say that again ? A billion+ users of chromium based browsers on 4 major platforms beg to differ !

Look at how its downloaded and installed, right into a users profile...which bypasses a fair amount of security, so dont be surprised its a huge security risk.

You do realize that chrome runs with limited rights or not ? FYI you can't update chrome, nor access google update with admin rights, so I'd say your knowledge of chrome is severely lacking !

Would you let users install any other bit of software to run from their user profile? i think not.....

The regular/stable version of chrome installs in the "program files" folder, since version 20.x or something last I checked ! Besides what has the install folder got to do anything at how you perceive a piece of software but more importanatly how secure it is ?

Any program that bypasses needing admin rights to install is in my opinion malware, which is what i class Chrome as, it behaves like it.

Again total B$ so do your homework man !

So i'll take your BS and raise you some reality.

Were you involved in M$ erstwhile scroogle campaign by any chance ?

Oooh fanboy, im out

Oooh a billion plus users cant be wrong...umm yes they can...

Even your responses contradict themselves

I'd suggest you actually chekc your facts, but i know thats not going to happen, so....

Try administering a large network and then see which browser causes the most issues and has the most bugs.

Find me an educational institution that allows users to have chrome, that isnt run by a fool....

Reality has ceased to exist in this thread

Sheesh

[R0H1T]

Oooh fanboy, im out

Hardly, I'm using firefox for tying this response !

Oooh a billion plus users cant be wrong...umm yes they can...

Nope but pretty sure a few million of'em know what they're talking about unless you're implying pretty much all of'em are umm let's just say ~ technically deficient !

Even your responses contradict themselves

Not really, you need local user rights to access google update however to complete the installation one needs admin rights for any version of chrome ! Unless you meant something else I don't see how this can be a contradiction ?

I'd suggest you actually chekc your facts, but i know thats not going to happen, so....

Sure, whatever that means !

Try administering a large network and then see which browser causes the most issues and has the most bugs.

IE is tailor made for Windows, the one reason corporates stay with it, but outside of the wintel nexus firefox/chrome are the only real alternatives across all major platforms which is the reason lots of sites the world over are increasingly being optimized for chrome & chrome only !

Find me an educational institution that allows users to have chrome, that isnt run by a fool....

You'd be surprised to see the number of institutions run by fools, heck major corporations aren't that much better !

Reality has ceased to exist in this thread

Sheesh

I'll be eagerly waiting for you to leave that dreamland of yours as well :rolleyes:

[ffi]

I'd suggest you actually chekc your facts, but i know thats not going to happen, so....

We seemed to have done that, you just look at a number (of vulnerabilities) and then conclude chrome must be the most vulnerable application and then also concluding firefox is safe but ignoring the fact it had only a few reported vulnerabilities less than chrome...

[stylemessiah]

I'd suggest you actually chekc your facts, but i know thats not going to happen, so....

We seemed to have done that, you just look at a number (of vulnerabilities) and then conclude chrome must be the most vulnerable application and then also concluding firefox is safe but ignoring the fact it had only a few reported vulnerabilities less than chrome...

Seriously, more than 30 is now "a few"

You lot really are as deluded as you seem....

Fanboyism really has spread here as well.....

[ffi]

Seriously, more than 30 is now "a few"

You lot really are as deluded as you seem....

Fanboyism really has spread here as well.....

Instead of calling us deluded fanboys why don't you give us a list of in the wild malware targeting chrome? Btw it's 291 vs 257 vulnerabilities for chrome and firefox respectively, that's 24 vulnerabilities more for for chrome, less than 10% more than firefox

[dcs18]

Without any intention of intruding into the discussion - am really taken aback that IE has been spared from the top honors of the vulnerability blame. :mellow:

[pweeseonichan]

http://krebsonsecurity.com/2010/11/why-counting-flaws-is-flawed/

http://krebsonsecurity.com/2012/10/in-a-zero-day-world-its-active-attacks-that-matter/

don't need to thank me for bringing the truth to you lost sheeps.

seriously make this post sticky lol