Why Counting Flaws is Flawed — Krebs on Security.
Krebs calls into question Bit9’s “Dirty Dozen” list of the most vulnerable applications, which placed Google’s Chrome at number one. The key issue is that ranking applications simply by the number of high-severity vulnerabilities reported against them creates a misleading picture.
Certainly severity is an important criterion, but it does not equal risk. Krebs highlights several additional factors that affect the actual risk level:
- Was the vulnerability discovered in-house — or was the vendor first alerted to the flaw by external researchers (or attackers)?
- How long after being initially notified or discovering the flaw did it take each vendor to fix the problem?
- Which products had the broadest window of vulnerability, from notification to patch?
- How many of the vulnerabilities were exploitable using code that was publicly available at the time the vendor patched the problem?
- How many of the vulnerabilities were being actively exploited at the time the vendor issued a patch?
- Which vendors make use of auto-update capabilities? For those vendors that include auto-update capabilities, how long does it take “n” percentage of customers to be updated to the latest, patched version?
When these factors are taken into consideration, Krebs opines that Adobe comes in first, second, and third!
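To make the argument concrete, here is an added example (not code from Krebs or Bit9) that scores the same set of flaws two ways: by raw count of high-severity flaws, and by an exposure score built from the factors listed above (external discovery, days to patch, public exploit code, active exploitation, and auto-update rollout time). The three vendors, their flaws, the rollout times and the weighting multipliers are all constructed and illustrative; they do not describe any real product, and the weights are assumptions, not values Krebs proposes.

```python
from dataclasses import dataclass


@dataclass
class Flaw:
    """One reported vulnerability in a vendor's product (constructed sample data)."""
    vendor: str
    severity: float            # CVSS-style base score, 0.0 to 10.0
    external_report: bool      # vendor first heard of it from outsiders (researcher or attacker)
    days_to_patch: int         # notification (or discovery) to patch release
    public_exploit: bool       # exploit code was public when the patch shipped
    exploited_in_wild: bool    # flaw was being actively exploited when the patch shipped


# Constructed sample data for three fictional vendors; none of it describes a real product.
FLAWS = [
    *[Flaw("VendorA", 9.0, False, 7, False, False) for _ in range(5)],
    Flaw("VendorB", 8.0, True, 30, False, False),
    Flaw("VendorB", 8.0, True, 30, False, False),
    Flaw("VendorB", 8.0, True, 30, True, False),
    Flaw("VendorC", 9.0, True, 60, True, True),
    Flaw("VendorC", 9.0, True, 60, True, True),
]

# Days until roughly 90% of the installed base is on the patched version (assumed values).
# None means no auto-update: users patch by hand, assumed to take MANUAL_ROLLOUT_DAYS.
ROLLOUT_DAYS = {"VendorA": 3, "VendorB": 30, "VendorC": None}
MANUAL_ROLLOUT_DAYS = 90

# Assumed multipliers for the factors Krebs lists; the values are illustrative, not his.
WEIGHT_EXTERNAL = 1.5
WEIGHT_PUBLIC_EXPLOIT = 2.0
WEIGHT_IN_THE_WILD = 3.0


def count_ranking(flaws, min_severity=7.0):
    """The 'Dirty Dozen' approach: rank vendors by how many high-severity flaws they had."""
    counts = {}
    for f in flaws:
        if f.severity >= min_severity:
            counts[f.vendor] = counts.get(f.vendor, 0) + 1
    return sorted(counts.items(), key=lambda kv: kv[1], reverse=True)


def exposure_score(flaw, rollout_days):
    """Severity scaled by the window of vulnerability and by the exploitation context."""
    if rollout_days is None:
        rollout_days = MANUAL_ROLLOUT_DAYS
    window = flaw.days_to_patch + rollout_days   # days from notification until most users are safe
    weight = 1.0
    if flaw.external_report:
        weight *= WEIGHT_EXTERNAL
    if flaw.public_exploit:
        weight *= WEIGHT_PUBLIC_EXPLOIT
    if flaw.exploited_in_wild:
        weight *= WEIGHT_IN_THE_WILD
    return flaw.severity * window * weight / 10.0


def risk_ranking(flaws, rollout=ROLLOUT_DAYS):
    """Rank vendors by total exposure rather than by raw flaw count."""
    totals = {}
    for f in flaws:
        totals[f.vendor] = totals.get(f.vendor, 0.0) + exposure_score(f, rollout.get(f.vendor))
    return sorted(totals.items(), key=lambda kv: kv[1], reverse=True)


if __name__ == "__main__":
    print("By count:   ", count_ranking(FLAWS))
    print("By exposure:", risk_ranking(FLAWS))
```

With this data VendorA tops the count-based list (five high-severity flaws) but lands last on exposure, because its flaws were found in-house, patched in a week, and pushed to users by auto-update within days. VendorC, with only two flaws, ranks first on exposure: both were reported from outside, took two months to patch, had public exploit code, were being used in attacks, and depend on users updating by hand. The multipliers are the part you would tune to your own environment; the point is that the ordering flips once the window of vulnerability and exploitation status enter the calculation.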