Pwn2Own 2017 - Chrome unhackable whilst Firefox too easy.

a comment suggests if there were this many patches for other vendors users would be up in arms (but yes, number of bugs does not necessarily equate to prizes)

I don't understand this thinking. Surely the more patches the better? When looking at open source programs to use you want to pick projects with a very active development community otherwise you might find yourself using software that eventually ends up being unmaintained. I'd rather see a project being pro-active and patching bugs than just sitting there doing nothing.
 
(Versus FF, say) I mean, more patches (discrete bugs discovered in the code) for Chrome may be indicative of poorer quality code and architecture,
and potential for more serious bugs still awaiting discovery.
Since there may be more people looking for bugs in Chrome versus FF, using bug count as an indication of quality is difficult/tenuous.

.... but I am not up to date with s/w development theories; used to have a bath-tub/half-life type theory for bug discoveries as s/w matures

As a programmer myself I don't think the number of patches really means anything. Just look at the Linux kernel. That is patched literally all the time and lots of people trust that, and it seems to have a reasonable security history (although there have been major problems in the past, I'm not denying that). I think the thing to remember is that different projects have different ways of doing things, so you can't say this project has more commits than another project, because the project leaders might want things split up into multiple commits if it deals with different sub-systems, for instance, so one security problem might actually be more than one bug, so it might require more than one patch.
 
something more objective than pwn (unfortunately you have to buy the full nss labs report)

Edge blocked an impressive 99% of the socially engineered malware (or SEM) that was thrown at it, thanks to two key Microsoft technologies: SmartScreen URL Rep and App Rep, reputation-based defenses that protect against malicious links and downloads. Chrome followed at 85.8% and Firefox came third at 78.3%. Both Chrome and Firefox leverage Google's Safe Browsing service.

applies to the vanilla user anyway
(article satisfies the date test Nov 5, 2016 @ 10:00 AM)


Agree with what you said croumulent - patch/bug count is not everything
One of the issues with using a metric like defect density is the temptation to “game” the system; raising many similar bugs to increase the defect density OR bundling bugs together to make it seem like there are less bugs. There could even be the temptation to not report bugs if having a high defect density is seen as a bad reflection on the team. Just like with judging the quality of the tester on the amount of bugs raised (another outdated metric), the quality of the software shouldn’t be judged with the amount of bugs raised either.
The Defects Of Defect Density
