Chrome update closes holes and fixes mouse wheel issues

Discussion in 'other security issues & news' started by ronjor, Jan 25, 2013.

Thread Status:
Not open for further replies.
  1. ronjor

    ronjor Global Moderator

  2. new2security

    new2security Registered Member

  3. elapsed

    elapsed Registered Member

    With the amount of holes constantly found in Chrome it would be the new IE6 if not for the patching speed.
     
  4. Trooper

    Trooper Registered Member

    While I tend to agree with you, I would still rather use Chrome than IE. Though my main browser is Firefox.
     
  5. Hungry Man

    Hungry Man Registered Member

    Not quite. Considering that the holes are found by Chrome team/ bounty program. IE6 was having people find the holes without any bounty program, big difference.
     
  6. elapsed

    elapsed Registered Member

    You think there isn't a profit to be made from selling exploits..? More so than the Chrome bounty program, as you can see from Vupen. The "bad guys" rake in the money from exploits too, hence the ton of malware made every take to take advantage of them.

    While the bounty program is a good initiative it pales in comparison to what the folks finding exploits for the most popular browser get. Add that to the fact that exploits can't go very long in the wild before being discovered (and thus patched by Microsoft) and you start to get a clearer picture.
     
  7. Hungry Man

    Hungry Man Registered Member

    No, my point is that 'lots of vulnerabilities found' is indicative of a good bounty program and review process, not of an insecure program.
     
  8. elapsed

    elapsed Registered Member

    My point is that IE is a bigger, and more profitable target for criminals. Criminals whose day job is looking for exploits vs. whitehats looking for Google money in their spare time. Yet we don't see hundreds of holes patched every other month in IE (anymore). Meanwhile Chrome's trend of holes found has continued for years, whereas it should have declined by now much like how IE declined as it became more secure/holes were patched.
     
  9. Daveski17

    Daveski17 Registered Member

    I'd rather use Chrome than IE & Chrome isn't normally my preferred browser. I still trust Chrome more for overall security.
     
  10. ronjor

    ronjor Global Moderator

    Let's keep the focus on Chrome in this thread.

    Comparing software products is useless in this day and age.

    Literally every software product out there can be at risk on any given day.
     
  11. Hungry Man

    Hungry Man Registered Member

    The comparison seems fair, as we're discussing the context of these vulnerabilities.

    Which is why we see exploits in the wild for IE, but we don't see them pushing out dozens of fixes. That's the difference.

    Chrome's patching a bunch of vulnerabilities found by researchers. IE is patching a bunch of vulnerabilities found by attackers.

    Quite frankly, I'd be happier if IE were seeing more patches issued, because it's incredibly unlikely that there are just 'less' holes.
     
  12. elapsed

    elapsed Registered Member

    While I agree that it is far better to patch vulnerabilities found by researchers vs. in the wild vulnerabilities (I never said MS shouldn't have a bounty program - totally different discussion), my point still stands as the numbers speak for themselves. I'm not sure what makes you think there aren't just less holes, IE hasn't somehow stopped being a highly profitable target.

    @Ronjor The discussion is about the high amount of holes in Chrome, not Chrome vs IE. IE is just being used as a reference as it is in a similar position (Sandboxed, high popularity browser which has gone through a lot of security focused changes) like Chrome.
     
  13. Hungry Man

    Hungry Man Registered Member

    Because both projects are massive and complicated, and I don't see why IE would have fewer holes. Comparing reported vulnerabilities doesn't make sense. It seems like using vulnerability statistics to determine how vulnerable an application is can be a bit nonsensical, as the only indication I get from this is that their bounty program is doing really well and the AddressSanitizer project is working well.

    By comparison I don't really think it's fair to say IE is 'more secure' because it has fewer vulnerabilities, this only reflects a lack of interest by white-hats, which makes sense considering the lack of bounty program.

    Further, I don't think the number of in the wild exploits is an indicator that IE has *more* bugs than Chrome, only that it attracts more interest from blackhats.

    Essentially I think vulnerability statistics are only good for providing some context, but can't ever really be used to determine how secure a program really is.
     
  14. Wild Hunter

    Wild Hunter Former Poster

    Just to clarify some info posted in this thread.

    Microsoft pays much more than Google, but in the form of contests. Microsoft is incentivizing researchers and white hats, but in a different route:

    Lots of other good points about why this approach is considered better by Microsoft can be read on the following links:
    - http://www.computerworld.com/s/article/9218845/Microsoft_kicks_off_250_000_security_contest
    - http://www.computerworld.com/s/arti...0_security_contest?taxonomyId=17&pageNumber=2
     
  15. Hungry Man

    Hungry Man Registered Member

    Yes, and that's an entirely valid, and, in my opinion, potentially superior method to a bug bounty (they have separate benefits, to be honest). The point is not to say that Chrome is more secure than IE, only that a lot of vulnerabilities only indicates that Chrome's bounty program is working well, and they're attracting a lot of whitehats who are submitting these vulns.
     
  16. elapsed

    elapsed Registered Member

    To me it makes sense that as software security improves, the amount of holes found should decrease. You yourself frequently talk about how hackers are moving to 3rd party software, which is due to the decrease in exploits discovered in Windows. In my opinion, the exact same thing should apply to browsers. It will never reach a point where there are no holes, because features are also added over time. But I don't see why the amount of holes discovered shouldn't decrease over time.

    Well I'm not using the vulnerability count to judge software security, I agree that doesn't make sense. But when there is a clear and obvious decrease in the amount of holes discovered month-after-month, it is obvious that code is improving. Yet, this doesn't seem to apply to Chrome?

    I've never called IE more secure than Chrome because Chrome's sandbox has been proven to be better. The *only* thing that might change that is Windows 8's IE10 Enhanced Protected Mode, but I'd rather wait and see the results as time goes by before suddenly calling IE more secure.

    I agree, but that follows onto the point I was making. Why has it gradually reduced over time for IE?

    I agree, but the Chrome numbers concern me personally. It gives me the impression that there is no progress, where there should be.
     
  17. Hungry Man

    Hungry Man Registered Member

    I don't think that a decrease in found vulnerabilities means that there are just so few left to find. In fact, Chrome's blog stated that there were fewer vulnerabilities found and this was a good thing/ indicative of vulnerabilities being harder to find. I explicitly stated at the time that it was far more likely due to summer vacation.

    I guess I felt the implication of your post was that, because Chrome's being patched so much, it indicates it's insecure, and if it weren't being patched we'd be seeing these bugs exploited in the wild a-la IE6.

    A lack of a bounty program. There's also a lot more media for a Chrome vulnerability than an IE one. The code is open source as well, so it looks really great when you're applying for a job and you can show the patches themselves, the vulnerable code, etc. I'd much rather hack Chrome than IE, it would look great on my resume, and I'm not willing to turn to crime so hacking IE provides 0 direct profit for me.

    There is no progress.

    Bug bounty programs aren't about finding all of the bugs, in my opinion. They're much more about viewing trends of the bugs. I can probably find some defcon videos about this tomorrow - there was one with someone from Facebook/Mozilla/Google, and another guy, and they discussed the benefits of a bounty program. I also wrote a quick blog post about them, but I usually don't bother linking to my stuff outside of my signature. If you'd like I can post that as well.

    @Wild_Hunter

    The SDL does not belong to Microsoft. Anyone can maintain their own SDL. Google has a security team that audits code, of course. And they use AddressSanitizer and other methods for finding the 'easy' ones.

    I don't think the bounty program is really there to help them find the bugs. Maybe to help find the really easy ones? But I think it's far more useful for tracking trends in the bugs themselves - what areas of code they're in, XSS vs overflow, sandbox bypass, etc.
     
  18. Wild Hunter

    Wild Hunter Former Poster

    IMO:

    Microsoft applies SDL (Security Development Lifecycle) to all its latest software (including IE) AFAIK. With that, easier to find bugs and vulnerabilities are found and fixed before the new version of the product even reaches the market (but that takes time and, with that, the release cycle gets slower).

    Google, when it comes to Chrome, may be relying on its bounty program to help mitigate what the rapid release cycle of Chrome probably doesn't allow in terms of time for Google's own devs to find and fix the easier to find holes.

    Just a weak assumption..
     
  19. Wild Hunter

    Wild Hunter Former Poster

    We don't need to guess anything. Microsoft SDL process guidance is available to the public: http://www.microsoft.com/security/sdl/default.aspx

    How to Adopt:

    SDL Process: http://www.microsoft.com/security/sdl/discover/default.aspx
    SDL Tools: http://www.microsoft.com/security/sdl/adopt/tools.aspx
    SDL for Agile: http://www.microsoft.com/security/sdl/discover/sdlagile.aspx
    Consulting Services: http://www.microsoft.com/security/sdl/adopt/consulting.aspx

    Why Adopt:

    Build More Secure Software: http://www.microsoft.com/security/sdl/learn/measurable.aspx
    SDL and Compliance: http://www.microsoft.com/security/sdl/learn/compliance.aspx
    Reduce Development Costs: http://www.microsoft.com/security/sdl/learn/costeffective.aspx
    Assess your Security Needs: http://www.microsoft.com/security/sdl/learn/assess.aspx
    Industry Talk: http://www.microsoft.com/security/sdl/industry/default.aspx

    Resources:

    Evolution of the SDL: http://www.microsoft.com/security/sdl/resources/evolution.aspx
    FAQ: http://www.microsoft.com/security/sdl/resources/faq.aspx
    Publications: http://www.microsoft.com/security/sdl/resources/publications.aspx
    Videos: http://www.microsoft.com/security/sdl/video/default.aspx
     
    Last edited: Jan 25, 2013
  20. Hungry Man

    Hungry Man Registered Member

    Not sure what you mean. I know what the SDL is.
     
  21. Wild Hunter

    Wild Hunter Former Poster

    Can you link me to a similar amount of info about Google Chrome's SDL? Just to compare some aspects.
     
  22. Hungry Man

    Hungry Man Registered Member

    Not that I can find too quickly. That's not especially surprising - as Microsoft provides information for developing secure programs so does Chrome provide information for developing secure extensions (that's much easier to find). Having seen plenty of Chrome bugs I'm quite sure they have a security team approving code, I just can't find documentation in the next few minutes of it, if that documentation exists. I may take time tomorrow to look through and find some info.

    I think I get what you were saying though - that it's a 'guess' that Chrome follows a secure development life cycle. I didn't get that.

    https://sites.google.com/a/chromium.org/dev/Home/chromium-security

    There's some quick info. Specifically https://sites.google.com/a/chromium.org/dev/Home/chromium-security/core-principles
     
  23. Wild Hunter

    Wild Hunter Former Poster

    You got it ;)

    Microsoft's SDL seems to be more robust than Chrome's, going from what I could see in the available info. That isn't surprising for me - the rapid release cycle and open source nature of Chrome would at some point ask their price, which is, affect what Google invests in the internal development.
     
  24. elapsed

    elapsed Registered Member

    I guess I just disagree with this PoV. Mainly because it A) suggests that bad guys are now preferring to be good and go after Chrome vulns instead of IE vulns B) that a bounty program would be more profitable than selling to criminals and C) That suddenly hackers have lost interest in IE due to a lack of a bounty program.

    All of which sound flawed to me. The only logical explanation for a reduction in exploits found in IE is that they are harder to find, vs. plugins which haven't had any security oriented coding focus. Cost vs Time etc. But my point is that this doesn't just apply to IE, it applies to Windows also. Heck, even Flash is starting to drop out the spotlight in favor of Java. Yet Chrome is still going.
     