Most software that's as complex as Flash is probably similarly full of bugs. Most of those vulnerabilities reek of huge development teams toiling over a codebase whose foundation was written in the late 90s and had features and fixes duct taped ever since.
No they don't. Chrome is designed from the ground up for security. It has the same number of bugs as other software of its size but the types of bugs are much less severe.
Compare FF, Safari, IE, Chrome. Same number of bugs per year but Chrome has 10x fewer code execution bugs (i.e., 10x less likely for your machine to be owned by unknown bugs).
The chart you just linked (which doesn't show a timescale) shows Chrome with over 300 exploitable bugs. I doubt the denial of service label; that just usually means that a bug wasn't fully investigated. So, again, how is this different from Flash? Chrome is riddled with vulnerabilities (and Safari is too).
Flash runs in a low-priv environment in nearly every major browser, includes application-specific exploit mitigations, and it silently auto-updates, just like Chrome. It's all a matter of the Flash install base: it's in 90%+ of browsers and it's running the same-ish codebase in all of them, making it a relatively stable platform to develop exploits for. That's it! It's more a factor of market share and not "security."
Every document reader, HTML renderer, JavaScript engine, browser, media player, etc. that you use is the same -- a house of cards built on poor memory management :-/.
Your statement about Chrome is clearly way off, and that's what your parent was addressing. He never said Chrome was bug-free. And he was right to say that Chrome is way ahead of the other browsers (according to these stats, at least).
Edit: those stats show Chrome is better in terms of CVE severity, not number of annual CVEs.
I don't think the classification of most of those DoS bugs is correct. I also don't think there's a big difference between 100 vulns per year and 300 vulns per year. You go fishing and you find some each time.
No, maybe not as bad, but JIT can be played pretty hard. I think the difference is that they are better structured and more transparent. I would definitely NOT put my hands on Flash code, must be a mess!
"Probably"? Complex as Flash? Whether it has a big or small team, was started in the late 90s or whatever, it causes problems now. So use whatever excuses you like, Flash is still a security concern with opportunity for more 0-day exploits (just one firm has two in the drawer; how many more are there?).