
And The Software With Most Vulnerabilities In 2016 Was… Android!

7 hours ago, LAwLz said:

Yeah.... You have absolutely no idea what you're talking about. I don't know how you think open source works, but it's not the way you think. 

 

It's not a text file that everyone can write to. 

I know how open source works. Everyone can modify the code to fit their needs, and they can submit the code to an (often small) foundation for consideration to incorporate into the official version of the software.

 

Those organizations don't have the resources to monitor every last detail of what they receive. Hell, Ubuntu is maintained by a decent sized company, and it still has a large number of vulnerabilities.

Come Bloody Angel

Break off your chains

And look what I've found in the dirt.

 

Pale battered body

Seems she was struggling

Something is wrong with this world.

 

Fierce Bloody Angel

The blood is on your hands

Why did you come to this world?

 

Everybody turns to dust.

 

Everybody turns to dust.

 

The blood is on your hands.

 

The blood is on your hands!

 

Pyo.


10 minutes ago, ForsakenLive said:

It would be very interesting how many of those vulnerabilities are still there. 

For example Ubuntu had tons of vulnerabilities in 2016, but they had a lot of them fixed:

first 10 pages https://www.ubuntu.com/usn/ are all 2016 vulnerabilities that were taken care of. 

"Taken care of."

 

At this point, most vulnerability fixes are bandaid solutions, and the arms race between benevolent and malevolent hackers just keeps going.


Ok, let's face it. Not everyone in this world is good. We all know that. But that means that people will always be trying to take advantage of something, most likely a person, through something that is common. Software is always going to have vulnerabilities because that's what allows it to be changed, updated and expanded. If you design something in 2017 with no vulnerabilities, how are you going to update it in a timely manner without introducing even the smallest vulnerability?

Main System: Phobos

AMD Ryzen 7 2700 (8C/16T), ASRock B450 Steel Legend, 16GB G.SKILL Aegis DDR4 3000MHz, AMD Radeon RX 570 4GB (XFX), 960GB Crucial M500, 2TB Seagate BarraCuda, Windows 10 Pro for Workstations/macOS Catalina

 

Secondary System: York

Intel Core i7-2600 (4C/8T), ASUS P8Z68-V/GEN3, 16GB GEIL Enhance Corsa DDR3 1600MHz, Zotac GeForce GTX 550 Ti 1GB, 240GB ADATA Ultimate SU650, Windows 10 Pro for Workstations

 

Older File Server: Yet to be named

Intel Pentium 4 HT (1C/2T), Intel D865GBF, 3GB DDR 400MHz, ATI Radeon HD 4650 1GB (HIS), 80GB WD Caviar, 320GB Hitachi Deskstar, Windows XP Pro SP3, Windows Server 2003 R2


16 minutes ago, Drak3 said:

"Taken care of."

 

At this point, most vulnerability fixes are bandaid solutions, and the arms race between benevolent and malevolent hackers just keeps going.

That's why they are called patches.

The fixed issues that I linked all have updates that correct the problem and explain it in detail. If someone tomorrow finds another way to get into the system it will get reported and patched.


14 hours ago, Drak3 said:

Also, many of the vulnerabilities in the Linux Distros come from the open source nature of the Linux OS family, and can't easily be patched out without essentially creating a completely new OS family.

That's not how it works. It's easier to FIND those vulnerabilities (hence why, in my opinion, Linux distributions top this chart), and the Linux kernel is usually patched very quickly when one is found. The same goes for most critical programs that are included in mainstream Linux based distributions. It's not generally up to Ubuntu (for example) curators to patch the kernel; all they have to do is make the update available in their repos.

Don't ask to ask, just ask... please 🤨

sudo chmod -R 000 /*


Windows 10 has more vulnerabilities than Windows 7? How does that work? 

System Specs:

CPU: Ryzen 7 5800X

GPU: Radeon RX 7900 XT 

RAM: 32GB 3600MHz

HDD: 1TB Sabrent NVMe -  WD 1TB Black - WD 2TB Green -  WD 4TB Blue

MB: Gigabyte  B550 Gaming X- RGB Disabled

PSU: Corsair RM850x 80 Plus Gold

Case: BeQuiet! Silent Base 801 Black

Cooler: Noctua NH-DH15

 

 

 


4 minutes ago, sof006 said:

Windows 10 has more vulnerabilities than Windows 7? How does that work? 

fire your test division and release a beta OS to the consumer base

One day I will be able to play Monster Hunter Frontier in French/Italian/English on my PC, it's just a matter of time... 4 5 6 7 8 9 years later: It's finally coming!!!

Phones: iPhone 4S/SE | LG V10 | Lumia 920 | Samsung S24 Ultra

Laptops: Macbook Pro 15" (mid-2012) | Compaq Presario V6000

Other: Steam Deck

<>EVs are bad, they kill the planet and remove freedoms too some/<>


This is why I recommend non-tech savvy people stick with iPhones. Stupid Android users will try and convert iOS users over to their side, but that's a horrible idea when you realize what the average user clicks, taps and downloads.

 

Android is for people who have basic technological common sense. Of course, it has drawbacks and is unfortunately not nearly as good as it should be, but we lack a better option.

In case the moderators do not ban me as requested, this is a notice that I have left and am not coming back.


2 hours ago, That Norwegian Guy said:

This is why I recommend non-tech savvy people stick with iPhones. Stupid Android users will try and convert iOS users over to their side, but that's a horrible idea when you realize what the average user clicks, taps and downloads.

 

Android is for people who have basic technological common sense. Of course, it has drawbacks and is unfortunately not nearly as good as it should be, but we lack a better option.

This comment only applies to non-Nexus/Pixel devices.

 

Nexus/Pixel devices are updated 1-2 times per month with security patches. A stock Nexus/Pixel device is just as secure as iOS due to the consistent security updates and the way Android runs its apps. It's like you think iOS is foolproof when in reality it suffers from similar attacks. The reason Android is on top of this list is because of old versions that are the fault of the MANUFACTURER and CARRIERS, not because it's actually insecure. If the carriers were not fucking lazy and approved the upgrades then this wouldn't be a problem. I guarantee if iOS was just as fractured you would see it trailing right behind it.

 

So you can call us stupid for converting iOS users to either Nexus/Pixel all you want, because in actual reality it provides a better experience and wider range of use, even for these dumb tech people you mention. It doesn't matter what OS you are on; if you click whatever the fuck you want you will run into trouble.


2 hours ago, suicidalfranco said:

fire your test division and release a beta OS to the consumer base

I suppose, but still, shouldn't Windows 10 be implementing the same level of security as Windows 7 plus added other security features that Windows 7 doesn't have... not add more? I dunno, just seems like the correct thing to do lol. Judging by this they didn't do that at all?


There is no way Windows is that low on the list; every single update note is "fixes blah blah that could allow hackers full access to the system", and with Flash being installed on its default browser.

                     ¸„»°'´¸„»°'´ Vorticalbox `'°«„¸`'°«„¸
`'°«„¸¸„»°'´¸„»°'´`'°«„¸Scientia Potentia est  ¸„»°'´`'°«„¸`'°«„¸¸„»°'´


That is actually some of the worst news. But it's not unexpected; it's so bad because if you run Debian, Windows or iOS, that can be patched across all devices provided you have internet and a device that can run the patch. Yet most Android users use out-of-date Android versions, making it very insecure for a lot of users out there who cannot get security patches.


30 minutes ago, Mike_The_B0ss said:

That is actually some of the worst news. But it's not unexpected; it's so bad because if you run Debian, Windows or iOS, that can be patched across all devices provided you have internet and a device that can run the patch. Yet most Android users use out-of-date Android versions, making it very insecure for a lot of users out there who cannot get security patches.

Google is going to do an Apple and lock it down to only their devices running "official Android".


35 minutes ago, Mike_The_B0ss said:

That is actually some of the worst news. But it's not unexpected; it's so bad because if you run Debian, Windows or iOS, that can be patched across all devices provided you have internet and a device that can run the patch. Yet most Android users use out-of-date Android versions, making it very insecure for a lot of users out there who cannot get security patches.

I would wager, however, that a lot of those security issues require the user to actually do something. Though there were some things that, due to a setting, happened automatically.

 

Security and malware these days are a lot like vampires: they can't do anything until you explicitly invite them into your home (unless modern day vampires are all "eh, screw being nice, I'll barge in and suck your blood and sparkle during the day all I want")


Just now, M.Yurizaki said:

I would wager, however, that a lot of those security issues require the user to actually do something. Though there were some things that, due to a setting, happened automatically.

 

Security and malware these days are a lot like vampires: they can't do anything until you explicitly invite them into your home (unless modern day vampires are all "eh, screw being nice, I'll barge in and suck your blood and sparkle during the day all I want")

Indeed, that is probably the only reason we aren't seeing malware take advantage of these vulnerabilities: many Android phones are not rooted, and most people are limited to the Play Store.

 

In fact, I don't think Google needs to become Apple; just make some guidelines for manufacturers, like they have to push updates for at least 2 years. Companies like Samsung would make a lot fewer devices, but that might be a good thing.


7 hours ago, Drak3 said:

-snip-

OK...

1) Why do you think that vulnerabilities "can't easily be patched without essentially creating a completely new OS family" because something is open source?

2) Why do you think it is easy for malware to get worked into an "ecosystem"?

3) Why do you think developers aren't working with "unified coordination to keep vulnerabilities and bugs from occurring"?

4) Why do you think that there isn't a "reliable structure to hunt down these vulnerabilities"?

5) Are you seriously implying that shellshock was put in place by someone with malicious intentions? You mention it right after you say "developers have experience in embedding vulnerabilities that can go undetected for years"?

6) Why are you implying that changes get accepted at random because "they don't have the resources to monitor every last detail of what they receive"? You do realize that every single thing that gets accepted into the kernel is in fact looked at by several key people before being accepted, including Linus Torvalds himself, right? From the official documentation for submitting changes to the Linux kernel:

Linus Torvalds is the final arbiter of all changes accepted into the Linux kernel. His e-mail address is <torvalds@osdl.org>. He gets a lot of e-mail, so typically you should do your best to -avoid- sending him e-mail.


 

 

 

2 hours ago, sof006 said:

I suppose, but still, shouldn't Windows 10 be implementing the same level of security as Windows 7 plus added other security features that Windows 7 doesn't have... not add more? I dunno, just seems like the correct thing to do lol. Judging by this they didn't do that at all?

More features often turn into a bigger attack surface.

Got the "bash for Windows" feature enabled in Windows 10? All of a sudden you might be affected by bash vulnerabilities.

 

 

 

48 minutes ago, vorticalbox said:

There is no way Windows is that low on the list; every single update note is "fixes blah blah that could allow hackers full access to the system", and with Flash being installed on its default browser.

These are only listing publicly known exploits. If Microsoft finds a vulnerability and patches it, without submitting the exploit to this tracker system then it will not show up in the list.

That is also a reason why the results seem more skewed towards open source software. Your closed source product might have a list of vulnerabilities that stretches from Earth to the moon and back (all of which might be exploited by hackers), but if only one is public knowledge then this list will say it has 1.

Because of the nature of open source software, almost all vulnerabilities end up on this list. Hence why Mac OS (which is partially open source), Ubuntu, Android, the Linux kernel and so on all show up on the list.

 

Because users are not kept in the dark about potential exploits as often.


Vulnerabilities are often times edge cases or corner cases. Even if the software design looks sound, there could be something wrong because you subjected it to a highly specific use case. Let me give you an example of one of my favorite experiences regarding this.

 

I worked on a system that had a detector for laser based transmissions. It would decode the laser transmission then send it wirelessly to what we'll call a master control unit (MCU). We found out that if you hammer multiple detectors, it would cause the MCU to lock up. The reason? Its message queue overran. Hammering multiple detectors isn't really a typical use case, but considering how easy it was to repeat the issue, we had to address it.

 

So you might think the easiest solution is to increase the queue size. My supervisor wouldn't do that on the notion that if the MCU cannot process the messages fast enough, creating a larger queue just delays the inevitable. Maybe the hardware wasn't up to snuff? Well, would it make sense that an OMAP processor found on the original Motorola Droid can't handle messages that aren't even half a kilobyte in size?

 

After poking around some usual suspects (the wireless transmitter for instance), we concluded those were working properly. So now it was time to figure out why the main program on the MCU wasn't working.

 

Turns out the part that handles the messages gets stuck. The message protocol requires that everyone sends acknowledgements for every message received and to retry sending the message again if an ack from the recipient doesn't come back. I forget the exact details, but hammering the MCU with messages caused either the transmitter or the receiver to stall and allow its queue to fill up with requests because sending an acknowledgement had priority and would not let those parts of the system get a turn.

 

By the way, the design docs looked fine. They had state charts, sequence diagrams, the works. You could not tell this vulnerability (which is a denial of service vulnerability) existed just by looking at the design. Maybe you could, if you were to run every scenario in your head, but you don't do that. Nobody has the time to do that.
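The failure mode described in the post above (an acknowledgement task that always wins the scheduler and starves the consumer until the queue overruns) is easy to reproduce in a toy model. The simulation below is an added example, not M.Yurizaki's code or the real MCU firmware; the one-work-unit-per-tick scheduler, the `Frame` record, the detector send rates and the queue sizes are all assumptions chosen to illustrate the point. It contrasts the original ack-first behaviour with a hardened receiver that bounds every queue, alternates fairly between acking and processing, and only acknowledges frames it actually accepted, so that unacked senders back off by retrying later. It also shows why simply enlarging the queue does not help.

```python
from collections import deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Frame:
    """One decoded detector report sent over the radio (constructed sample data)."""
    detector: int
    seq: int


class MCU:
    """Single-core receiver model: one unit of work per tick, spent on either
    sending one acknowledgement or processing one queued message."""

    def __init__(self, queue_size: int, fair: bool):
        self.queue_size = queue_size
        self.fair = fair                 # False = ack task always wins (the bug)
        self.inbox = deque()             # accepted messages awaiting processing
        self.pending_acks = deque()      # acks the MCU still owes senders
        self.processed = 0
        self.dropped = 0
        self._ack_turn = False           # round-robin state used when fair=True

    def receive(self, frame: Frame) -> bool:
        """The link layer hands a frame up. Returns True if it was queued."""
        if self.fair:
            # Hardened: every queue is bounded, and a frame is acked only if it
            # was actually accepted. An unacked frame makes the sender retry
            # later, which is the backpressure that paces the detectors.
            if (len(self.inbox) >= self.queue_size
                    or len(self.pending_acks) >= self.queue_size):
                self.dropped += 1
                return False
            self.inbox.append(frame)
            self.pending_acks.append(frame)
            return True
        # Original behaviour: acknowledge every frame received, whether or not
        # there is room for it, so the ack backlog is unbounded.
        self.pending_acks.append(frame)
        if len(self.inbox) >= self.queue_size:
            self.dropped += 1
            return False
        self.inbox.append(frame)
        return True

    def tick(self) -> str:
        """Run one scheduler slot and report what it was spent on."""
        if self.fair and self.inbox and self.pending_acks:
            do_ack = self._ack_turn      # alternate strictly when both have work
            self._ack_turn = not self._ack_turn
        else:
            do_ack = bool(self.pending_acks)  # acks take priority whenever owed
        if do_ack:
            self.pending_acks.popleft()
            return "ack"
        if self.inbox:
            self.inbox.popleft()
            self.processed += 1
            return "process"
        return "idle"


def simulate(n_detectors: int, send_every: int, queue_size: int,
             fair: bool, ticks: int = 200) -> dict:
    """Drive n detectors that each emit one frame every `send_every` ticks."""
    mcu = MCU(queue_size, fair)
    seq = 0
    for t in range(ticks):
        if t % send_every == 0:
            for d in range(n_detectors):
                mcu.receive(Frame(d, seq))
                seq += 1
        mcu.tick()
    return {"processed": mcu.processed, "dropped": mcu.dropped,
            "backlog": len(mcu.inbox), "acks_owed": len(mcu.pending_acks)}


if __name__ == "__main__":
    scenarios = [("normal load, ack-priority", (2, 4, 8, False)),
                 ("hammered, ack-priority", (4, 1, 8, False)),
                 ("hammered, bigger queue", (4, 1, 1000, False)),
                 ("hammered, fair + backpressure", (4, 1, 8, True))]
    for label, args in scenarios:
        print(f"{label:32s} {simulate(*args)}")
```

Under light load the ack-first scheduler looks fine, which is why the design review and the sequence diagrams did not flag it. Once frames arrive every tick, acks are always owed, the processing path never gets a slot, `processed` stays at zero and the inbox fills; raising `queue_size` to 1000 only moves the backlog into a bigger queue, exactly the "delays the inevitable" objection. The fair variant still drops frames under overload, but it keeps processing at a guaranteed rate and every queue stays bounded, which turns a lock-up into graceful degradation.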
