

Google Chrome tops 'Dirty Dozen' vulnerable apps list - there
http://www.networkworld.com/news/2010/111510-google-chrome-dirty-dozen.html

======
oiujhygtfyhjuk
The article bases this on that they had the greatest number of security
updates in the previous year - when the app was basically a beta.

This leaves aside the question of what is more secure - an app where you get
security fixes every day - or one where the makers deny there are any faults.

------
Legion
"Google Chrome in the No.1 spot with 76 _reported vulnerabilities_"

Reported by Google's bug tracker and security team, if the random sampling of
vulnerabilities I looked at is any indication.

Seems like the secret to "winning" this list is to just hide everything in-
house. I wonder what the list would look like if Microsoft's bug trackers were
public viewing.

~~~
qbproger
Opera didn't even make the list. Seems like <https://bugs.opera.com> is for
internal use only.

------
roder
Network World is owned by International Data Corp (aka IDC, IDG) and this[1]
blog author seems to think that they are the puppet of Microsoft. While I
certainly cannot make an argument one way or another, this raises the question
of how valid this report is.

I couldn't believe when I read this article that in related content, the top
item was "IE9 tops Chrome, Firefox in HTML5 Compatibility"[2]. That's what
made me research if there was any connection between Network World and
Microsoft.

[1] <http://techrights.org/2010/06/11/idc-idg-and-propaganda/>

[2] <http://cl.ly/3A0q1F2o44000u1O2P3l>

~~~
sudont
Not to mention that Safari and WebKit are specified as two different, ranking
products on this list.

~~~
DisposaBoy
Aren't they different?

The fact that they use roughly the same engine doesn't count for very much.
It's the implementation that matters.

~~~
InclinedPlane
Safari consumes WebKit (as does Chrome). They are not merely "roughly the same
engine", one uses the other.

~~~
sudont
And, since WebKit is a development branch, it’s extremely unfair for it to be
used as a “target” in this sense. It’s going to have tons of security fixes,
because it’s _bleeding edge code._

------
mike_esspe
I'd like to know how many of those 76 vulnerabilities were able to escape the
Chrome sandbox?

~~~
rarestblog
Also... how many of those vulnerabilities were actually found in the wild? How
many days were the flaws open?

This is a very, very weird article.

------
jamesaguilar
Wouldn't it be more appropriate to order the list by the number of distinct
successful exploits of an app's vulnerabilities? In that case, unless I am
mistaken, Chrome would be at zero.

------
netmau5
I think this list is more likely a measure of the apps with the most security
testing performed on them if it isn't an outright falsification altogether.

------
extension
Fortunately Chrome is a dynamo at updating itself. It's generally invisible to
the user.

------
cornellouis
So the most vulnerable apps are the ones everybody uses. Huh. Who'da thunk.

~~~
shubber
What do you mean, exactly? Chrome + Safari don't crest 10% of web share.

------
davidj
Oh no, articles like this are so misleading. Google Chrome tops the list as
the most security enhanced patched browser -- not the most vulnerable. This
probably has everything to do with the bounty that Google has offered and the
fact that Chrome is heavily being worked on. To say Google Chrome is the most
vulnerable browser is a huge lie; name just one exploit that you can use on
the browser right now. If I were Google I'd sue for slander!

------
SkyMarshal
I'm shocked, shocked to see open source Chrome and Firefox closer to the top,
while closed source IE and Opera are closer to bottom.

------
GrandMasterBirt
This is complete and utter crap when it comes to statistics.

Does most number of bugs reported mean anything? No. I can NOT report the bugs
because I don't have the IE source code. I can report 2 bugs a year, and never
have them resolved, so I'm secure I guess, yet I'm actually worse off. How
fast from report to release does a bug take on average to be fixed? How many
of Chrome's reported vulnerabilities reside inside the sandbox vs leaking
outside the sandbox (this is a big one, if the answer is none then Chrome is
still insanely secure)? What about the fact that many security problems in
Chrome likely are problems in Safari except without the niceties of the
sandbox?

This is all crap.

------
unwantedLetters
I'm not sure what the first paragraph in the article states. The part I'm
having trouble with is: most discovered software flaws requiring security
updates and notifications. Does that mean that Google Chrome fixed the most
bugs, or were the most bugs found in Google Chrome?

If it was the former, Google is being shown in a positive light and they don't
have any sort of "dubious distinction", and if it was the latter, then Google
has an explanation for that. Lots of bugs are found in Chrome since Google
pays developers a lot of money to find bugs in Chrome (not really sure about
the others).

From the same site:
<http://www.networkworld.com/news/2010/110110-google-offers-bounty-to-web.html>

