A Lower Number of Vulnerabilities Doesn't Make Internet Explorer Safer


tipo


A report from a company called Bit9, which counted the number of high-risk vulnerabilities reported in popular software, was misinterpreted by many to show that some applications, like Internet Explorer, are more secure than competing products.

Bit9 claims that its "Dirty Dozen" apps list is meant to raise awareness that popular programs are also the most vulnerable ones, a reason for which they require constant monitoring and patching.

The fact that widespread applications have the highest number of publicly reported vulnerabilities is nothing new and is actually to be expected.

Hackers want to compromise as many systems as possible and will therefore target those programs with the largest user base. In consequence, security researchers will focus their vulnerability finding efforts on such software in order to make it more secure.

Bit9's 2010 "Dirty Dozen" list reads: Google Chrome (76 vulnerabilities), Apple Safari (60), Microsoft Office (57), Adobe Reader and Acrobat (54), Mozilla Firefox (51), Sun Java Development Kit (36), Adobe Shockwave Player (35), Microsoft Internet Explorer (32), RealNetworks RealPlayer (14), Apple WebKit (9), Adobe Flash Player (8), Apple QuickTime (6) and Opera (6).

The company's methodology for this report involved counting vulnerabilities listed in the U.S. National Institute of Standards and Technology's (NIST) vulnerability database that had a high severity rating (between 7.0 and 10.0 CVSS base score).

Unfortunately, what some people, including journalists, understood from this list was that applications ranking lower were more secure than those at the top.

However, the number of publicly disclosed vulnerabilities is far from an indication of a program's state of security and this is even admitted by Bit9's Chief Technology Officer Harry Sverdlove.

"You can’t really compare who is #1 on our list to #10, for example, without further context," Sverdlove writes on the company's blog.

"[…] The products toward the top of our list may in fact be more secure or present less risk – IF you are keeping your applications up to date," he explains.

This is because a lot of crucial factors were not taken into account. From a security perspective the speed with which vulnerabilities get fixed is much more important than their number.
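The contrast the article draws can be made concrete by computing both metrics over the same records. The following is an added example, not code from Bit9 or from the article: it tallies high-severity entries per product the way the report's methodology describes (CVSS base score 7.0 to 10.0) and then computes, for the same entries, how many days each one stayed public without a fix. The records, product names and CVE-style identifiers are constructed placeholders, not real NVD data.

```python
"""Rank products two ways: by raw count of high-severity entries (the
counting method the article describes) and by how quickly those entries
were fixed. All records below are constructed; the ids are placeholders."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date
from statistics import median
from typing import Optional

HIGH_SEVERITY_MIN = 7.0   # cut-off used by the report: CVSS base 7.0 .. 10.0
HIGH_SEVERITY_MAX = 10.0
AS_OF = date(2010, 12, 31)  # reporting date used for still-unpatched entries


@dataclass(frozen=True)
class VulnRecord:
    cve_id: str              # placeholder id, not a real CVE
    product: str
    cvss_base: float
    published: date          # date the entry became public
    patched: Optional[date]  # None means no fix was available as of AS_OF


# Constructed sample (hypothetical products): "BrowserX" has more
# high-severity entries but fixes each within days; "BrowserY" has fewer
# but leaves them open for weeks, one of them still unpatched.
SAMPLE_RECORDS = [
    VulnRecord("CVE-0000-0001", "BrowserX", 9.3, date(2010, 3, 1), date(2010, 3, 3)),
    VulnRecord("CVE-0000-0002", "BrowserX", 7.5, date(2010, 4, 10), date(2010, 4, 12)),
    VulnRecord("CVE-0000-0003", "BrowserX", 8.8, date(2010, 6, 2), date(2010, 6, 5)),
    VulnRecord("CVE-0000-0004", "BrowserX", 10.0, date(2010, 8, 20), date(2010, 8, 24)),
    VulnRecord("CVE-0000-0005", "BrowserX", 4.3, date(2010, 9, 1), date(2010, 9, 2)),  # below cut-off
    VulnRecord("CVE-0000-0006", "BrowserY", 9.3, date(2010, 2, 15), date(2010, 3, 27)),
    VulnRecord("CVE-0000-0007", "BrowserY", 7.2, date(2010, 10, 1), None),
]


def is_high_severity(rec: VulnRecord) -> bool:
    return HIGH_SEVERITY_MIN <= rec.cvss_base <= HIGH_SEVERITY_MAX


def high_severity_counts(records) -> dict:
    """Count-based tally: number of high-severity entries per product."""
    counts = defaultdict(int)
    for rec in records:
        if is_high_severity(rec):
            counts[rec.product] += 1
    return dict(counts)


def days_exposed(rec: VulnRecord, as_of: date) -> int:
    """Days an entry was public without a fix; unpatched entries run to as_of."""
    end = rec.patched if rec.patched is not None else as_of
    return max((end - rec.published).days, 0)


def median_days_to_patch(records, as_of: date) -> dict:
    """Per product, the median exposure window of its high-severity entries."""
    per_product = defaultdict(list)
    for rec in records:
        if is_high_severity(rec):
            per_product[rec.product].append(days_exposed(rec, as_of))
    return {product: median(days) for product, days in per_product.items()}


def unpatched_high_severity(records, as_of: date) -> dict:
    """Per product, how many high-severity entries still had no fix at as_of."""
    open_count = defaultdict(int)
    for rec in records:
        if is_high_severity(rec) and (rec.patched is None or rec.patched > as_of):
            open_count[rec.product] += 1
    return dict(open_count)


def rank_descending(metric: dict) -> list:
    """Product names ordered from highest to lowest metric value."""
    return sorted(metric, key=metric.get, reverse=True)


if __name__ == "__main__":
    counts = high_severity_counts(SAMPLE_RECORDS)
    windows = median_days_to_patch(SAMPLE_RECORDS, AS_OF)
    print("by count (most first):      ", rank_descending(counts), counts)
    print("by median days to patch:    ", rank_descending(windows), windows)
    print("still unpatched at", AS_OF, unpatched_high_severity(SAMPLE_RECORDS, AS_OF))
```

On the constructed data the count-based ranking puts BrowserX first, while the exposure-window ranking puts BrowserY first, which is the point of the article: a product with fewer disclosed high-severity entries can leave its users exposed for longer.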
