A report by internet security company Bit9 (who run endpoint security contracts for the US Air Force, US Department of Defense, United States European Command – for whatever reason they even have one of those – and the US Fleet Forces Command, to name a few clients) has come under fire in the past day from security analysts for misrepresenting information.
Their report, the 2010 iteration of their Top Vulnerable Applications for IT (registration-free link), found Google Chrome to be the most vulnerable user-facing application that IT managers need to rapidly ban from their systems. This is due to the whopping 76 discovered security vulnerabilities, and it was closely followed by Safari with 60 vulnerabilities and Office in third with 57 vulnerabilities. (For reference, Internet Explorer was in 8th with 32 vulnerabilities.) However, many IT security types have called out Bit9 on its methodology (which last year found Firefox to be the most vulnerable software), with Marc Maiffret, CTO of eEye Digital Security, writing “I would challenge that assertion and posit that you are much more likely to experience a system compromise because of Adobe Reader (Ranked #4) or Adobe Flash (Ranked #11) than you are with Google Chrome (Ranked #1). This is simply because while many vulnerabilities might exist for Chrome, there are very few exploits for Chrome vulnerabilities compared to Adobe. There is simply no comparison to the number of working code execution exploits in the wild for Adobe vs. Chrome.”
Bit9 have responded on their own blog, but they do concede “Much of the data provided to the NIST NVD is reported by the vendors themselves, and we applaud this honesty” – which makes you wonder what the table would look like were Microsoft’s bug tracker to be publicly available.