The "Dirty Dozen" list of most-vulnerable applications for 2010 from security vendor Bit9 this week puts the Google Chrome browser at the top. Now into the resultant debate steps Marc Maiffret, security expert at eEye Digital Security, with a love song for Google Chrome.
In his blog post, "The Reality of the 'Dirty Dozen' and Why I Love Google Chrome," Maiffret, eEye's CTO and a well-known expert in application vulnerability research, cries foul about Bit9's list of most-vulnerable applications.
"To say that Google's Chrome is the most vulnerable application is to lead IT folks to a conclusion that they should be using a browser other than Chrome and therefore leading them to the wrong conclusion," Maiffret writes.
Bit9's research for the Dirty Dozen rankings for 2010 is based on information available in the National Institute of Standards and Technology's public National Vulnerability Database. Google Chrome had 76 reported vulnerabilities this year from January through mid-October, according to Bit9, which put Google Chrome in the top spot on the most-vulnerable list according to that measure. The second spot is held by Apple's Safari browser at 60 reported vulnerabilities, while Microsoft Office was third at 57.
In his blog post, Maiffret doesn't argue with Bit9's numbers. Rather, he excoriates Bit9's Dirty Dozen list as a "marketing exercise" intended to drum up headlines for Bit9's own self-aggrandizement.
The Bit9 Dirty Dozen is on the wrong track because it will cause people to think that "a software application having a large number of vulnerabilities does simply mean that software is 'dirty' and therefore should be considered more of a risk than a piece of software with less vulnerabilities," Maiffret writes.
Maiffret argues "you are more likely to experience a system compromise because of Adobe Reader (ranked fourth) or Adobe Flash (number 11) than with Chrome. This is simply because while many vulnerabilities might exist for Chrome, there are few exploits for Chrome vulnerabilities compared to Adobe. That is to say that while Chrome has more vulnerabilities than Adobe, it does not have nearly the amount of malicious code in the wild to leverage those vulnerabilities."
Maiffret says that is partly because Chrome was developed "with security in mind and is backed by Google's research team" which he says "are simply some of the best minds in the business."
"With all that being said," Maiffret concludes, "the single biggest factor is assessing the risk of a given technology comes down to your organization's ability to manage and maintain it," especially in terms of versioning and patching of an application. Vulnerabilities in technologies will always be a constant, he points out.