Chrome leads with most Windows vulnerabilities in 2012.

Interesting to see that Chrome's reputation for security may not actually be backed up in reality according to Secunia. The study says that 86% of security vulnerabilities on Windows come from non-Microsoft software & programs in 2012. The remaining vulnerabilities were led by Chrome with 291 vulnerabilities in 2012, followed by Mozilla's Firefox browser with 257, Apple's iTunes with 243, Adobe's Flash Player with 67, and Oracle's Java with 66.

Surprising to see the supposedly most secure browser look as if it has the highest number of vulnerabilities across the year, with Flash and Java much lower than I would have expected.

Do people just take the "Google Chrome is the most secure browser" thing at face value and could it actually be somewhat misguided? Has Chrome's popularity actually led to it being more of a target than when it was relatively little used and its reputation forged? Was there previously a degree of "security through obscurity"? Or is the study just plain wrong or misguiding?

http://www.neowin.net/news/study-googles-chrome-leads-with-most-windows-vulnerabilities
 
So what?

Google offers cash incentives in return for vulnerability reports.

How many Chrome vulnerabilities were being actively exploited by the bad guys in 2012? Zero.

You can't say the same thing for IE and Java.
 
Do people just take the "Google Chrome is the most secure browser" thing at face value and could it actually be somewhat misguided? Has Chrome's popularity actually led to it being more of a target than when it was relatively little used and its reputation forged? Was there previously a degree of "security through obscurity"? Or is the study just plain wrong or misguiding?

As I've mentioned a few times on here, Chrome isn't as secure as people think it is and it has many underlying potential exploits from WebKit, much of its security very much was through obscurity. While, as mentioned above, it's generally becoming more secure over time, for a long time I wouldn't consider it that much safer than IE due to the ways that 3rd party software could install itself even if you cancelled the popup prompt (not sure if it's still the case as I've not used it in ages, but the only safe way to work around that was to use task manager to kill the whole process once you got the popup).

I used to swear by Firefox with NoScript for security, but with the churn of new versions and features lately I'm wary that they could be exposing new potential exploits.
 
So what?

Google offers cash incentives in return for vulnerability reports.

How many Chrome vulnerabilities were being actively exploited by the bad guys in 2012? Zero.

You can't say the same thing for IE and Java.

Erm, you can't say the same thing about Chrome.
 
It's long been true that Windows gets 'blamed' for what actually are third party software vulnerabilities.

As for Chrome, it's not necessarily about the number of bugs discovered. I'd rather they were known than unknown, and Chrome is updated very regularly. That's what's most important. It also has some nice features out of the box for click-to-run, no script and integrated Flash player and PDF reader.

It really is a secure choice. If anything, it's IE getting unfairly ripped on that contributes just as much to the security perception of alternative browsers.
 
Erm, you can't say the same thing about Chrome.

Which Chrome vulns were being exploited in the wild in 2012?

As I've mentioned a few times on here, Chrome isn't as secure as people think it is and it has many underlying potential exploits from WebKit, much of its security very much was through obscurity.

Hardly.

It was one of the first browsers to have automatic background updates, out-of-date plug-in blocking, click-to-play plug-ins, built-in PDF reader and flash bundled & sand-boxed.
 
How often vulnerabilities are exploited isn't really pertinent. You could say exactly the same about Safari but it doesn't even come close to Chrome security.
 
As for Chrome, it's not necessarily about the number of bugs discovered. I'd rather they were known than unknown, and Chrome is updated very regularly.

Exactly. I'd rather have multiple vulnerabilities which are patched before the bad guys start exploiting them for harm, than one glaring vulnerability which takes the best part of a month to patch!
 
Who cares tbh, they're all the same, good points and bad, weaknesses and strengths, just pick one you like the look of, same as AV tbh, as long as it works for you. And welcome to Windows, it keeps getting better, if you're old enough you remember the really bad times.
 
But the rate of exploitation doesn't say anything meaningful about the quality of the browser itself. The holes are there regardless.
 
But the rate of exploitation doesn't say anything meaningful about the quality of the browser itself. The holes are there regardless.

Not having a financial reward for reporting bugs doesn't help.

Let's say I discover a vulnerability in IE and create a working exploit. Am I going to give it to Microsoft free of charge or make thousands of dollars by selling it on the black market?

Historically, IE users have always been at more risk.
 