It's 2017: Linux and Firefox suck at security

cvedetails.com/top-50-products.php?year=2016

This is a list of the products with the most vulnerabilities in 2016.

The winner is Android, with 523, almost twice as many as Flash.

Debian is second (319) and Ubuntu is third (278). macOS is 11th (215) and Windows 10 is 13th (172). It's true that Linux distros were much more secure in the past, but that doesn't seem to be the case anymore (see also the recent gstreamer 0-day affecting up-to-date Ubuntu and Fedora).

I think we need more proactive security measures in Linux:
- Much more sandboxing, especially for media parsing, using modern methods like systemd-nspawn.
- More comprehensive AppArmor/SELinux policies by default.

It's also interesting how much more secure Chrome is than Firefox, thanks to all the mitigations and sandboxing. Chrome had just 2 code execution vulns in 2016 while Firefox had 53. Personally I just use Firefox inside a one-use instanced VM because Chrome is a privacy nightmare, but it's sad to see Mozilla neglecting it so badly while spending resources on retarded crap. I wish they concentrated 100% on a new Servo-based secure and fast browser.

Other urls found in this thread:

pdos.csail.mit.edu/archive/mbox/
nccgroup.trust/us/our-research/?research=Whitepapers
twitter.com/bleidl?lang=en
tedunangst.com/flak/post/going-full-pledge
bugzilla.mozilla.org/show_bug.cgi?id=925471
chromium.org/developers/design-documents/sandbox
chromium.org/Home/chromium-security/education/security-tips-for-ipc
nccgroup.trust/us/about-us/newsroom-and-events/blog/2016/june/project-triforce-run-afl-on-everything/
twitter.com/SFWRedditImages

Who fucking cares.

>GNLoo/Shitnux

>not using FreeBSD

do these statistics include unknown vulnerabilities?

>using modern methods like systemd-nspawn.
>like systemd-nspawn.
>systemd

Lennart pls.

>I think we need more proactive security measures in Linux
Too bad the majority of the Linux community is against this (most notably Linus Torvalds).
That grsecurity is now closed source also hasn't helped.
That the monolithic systemd arrived also hasn't helped.
SELinux is crap.

OpenBSD has always taken the opposite approach to this and most OSes from that family are much better off.

Common Vulnerabilities and Exposures (CVE®) is a dictionary of common names (i.e., CVE Identifiers) for publicly known information security vulnerabilities.

Well if you want better security you can chroot firefox and problem solved

>Study sponsored by Microsoft and Google

...

If you went through those you'd find that they're full of third party software vulnerabilities somehow listed under the OS. Just the code execution listing for Ubuntu contains dozens of Firefox vulnerabilities, multiple Flash vulnerabilities, three OpenOffice vulnerabilities from 2010 and 2011, along with 14.04-specific lockscreen bypass techniques listed as code execution vulnerabilities for some reason.

If the MacOS listing is what I remember it to be, it also lists every version of OSX going back to versions like 10.0 that are obviously not being maintained anymore.

In short: Somebody is definitely desperate for attention when they're listing vulnerabilities in application software as vulnerabilities for the underlying OS.

100 rupees deposited to your vindaloo pot

>Microsoft Office has less vulnerabilities than Debian Linux

What a fucking fantastic comparison.

since Microsoft can't code, it's probably a good comparison if you look at the total number of lines of code

FreeBSD is actually pretty bad at security. They don't even have ASLR. freebsd-update didn't check signatures until this year when a public exploit was discovered (and they didn't notify users until they were forced to).

>using holey cheese meme os
>not OpenBSD

Hardened OpenBSD with full-disk encryption is the way to go if you're paranoid.

Click on debian
Read the first line

>Through a malicious URL that contained a quote character it was possible to inject HTML code in KMail's plaintext viewer.

>KMAIL

They are counting the vulnerabilities from every software that debian has access to?

what a joke

If you're paranoid SubgraphOS is the way to go. If you want a priv/public cloud that survives any failures you want SmartOS + Zones + Solaris reliability tools (behind OpenBSD firewall).

There's also mbox/firejail to contain browsers and pdf readers on regular linux or bsd, or sandboxie on Windows.

what about qubes? it's snowden-verified.

>suse
>61
Does that mean openSUSE is the best Linux OS?

OpenBSD is good, but I can't really use it for several reasons:
- Installing anything outside the base system decreases security significantly.
- You have to trust a third-party for stable package updates.
- I can't rest easy nowadays running a non-sandboxed modern browser.

Personally, I think right now the best choices are Qubes OS for desktop and OpenBSD for servers.

I haven't used Subgraph OS, but from what I've read it's still pre-alpha and very buggy. But it's certainly among the most promising things out there, I wish their application firewall was used by other distros.

Some distros are better (by default) than others.

For example the latest Fedora desktop uses Wayland (no more X11 where everything runs as root) and SELinux sandboxes, just so you don't hang yourself with the easy 1990s levels of insecurity which is what the vast majority of regular distros are. (Talking default install here, not building your own GrSec patched hardened gentoo.)

If anybody here is using Debian the first thing you want to do is use firejail to contain your browser (or run it in KVM) or Mbox pdos.csail.mit.edu/archive/mbox/

If anybody here is using a BSD then you want to do things like create a zero priv user for PDF reading, edit your pf firewall so that user has no outside connections, chroot the pdf reader etc. Basically 90% of vulns come from the browser (and esp its addons using NDK) and pdf files. Focus all your efforts on just those two things and you have a pretty safe box regardless of what OS you run. The rest of the vulns come from old USB bugs they still haven't fixed (that were fixed with GrSec patches) and TCP/IP stack bugs that will continue to deliver as the Linux protocol stack is a pile of pure buggy trash code.

If you're interested in this shit then read whitepapers: nccgroup.trust/us/our-research/?research=Whitepapers and follow the people who develop SubgraphOS twitter.com/bleidl?lang=en

You can also get academic journal access to security journals through sci-hub of course: find a journal and paste its DOI number or link into sci-hub and presto, free paper. Just remember it's a .pdf and take the above precautions.

You're just jealous that notepad has fewer vulnerabilities than Ubuntu.

SmartOS is the best one can get when it comes to running a cloud, public or private, and if that cloud must, without compromise, function correctly in the face of even the most severe failures, hardware or software wise. Zones + ZFS + fault management architecture (fmadm(1M) / svcadm(1M)) make it possible.

You can also tune any of your VMs using DTrace (!!), which means you can run Linux binaries or whatever else with KVM (called Zones on SmartOS) and get realtime optimization feedback as you run in production.

I'm talking about running mission critical servers that serve millions of people that absolutely cannot ever go down such as concurrent erlang stacks for a financial exchange. SmartOS uses OpenBSD's pf firewall too but of course you would want to drop in OpenBSD in front of it anyway just to sanely scrub traffic going to your cloud.

Qubes is for enterprise business use, so if you're a finance dude logging into trading accounts all day and want to keep all those credentials separate in case some employee clicks on a spear phishing attempt. If you were instead a l337 hacker selling stolen credentials or something and actively being targeted by cops or nation state agencies you would want to use SubgraphOS regardless of its alpha stage.

On OpenBSD before pledge this was true (only the base system was 'secure'): tedunangst.com/flak/post/going-full-pledge

They've put pledge into most of the packages and everything is on by default, so if that package tries something out of bounds it will die. Pledge is really, really easy to use and to add to existing packages. Combine that with executive space protect by default and it's probably the most default secure OS anywhere with modern exploit mitigations. With seccomp() + grsec dicking around you have to really know what you are doing to handle that kind of complexity; it's easy to shoot yourself in the foot unless your distro already comes preconfigured with it.
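As an added example (not written by any poster in this thread), here is the Linux counterpart to the pledge behaviour described above: a seccomp-bpf allow-list that permits only read, write and exit_group, so a sandboxed child that calls socket() is killed with SIGSYS much as a pledge("stdio") process would be. It assumes a Linux x86_64 or aarch64 host with seccomp enabled; the seccomp_data.arch check a production filter also needs is left out.

```c
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <signal.h>
#include <stddef.h>
#include <stdio.h>
#include <sys/prctl.h>
#include <sys/socket.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>

/* Allow-list roughly equivalent to pledge("stdio"): read, write, exit_group.
 * Any other syscall kills the process with SIGSYS. (Arch check omitted.) */
static int install_stdio_filter(void)
{
    struct sock_filter filter[] = {
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, SYS_read, 3, 0),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, SYS_write, 2, 0),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, SYS_exit_group, 1, 0),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL),   /* no match: die */
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),  /* match: continue */
    };
    struct sock_fprog prog = { sizeof(filter) / sizeof(filter[0]), filter };
    /* NO_NEW_PRIVS lets an unprivileged process install a filter. */
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0) return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);
}

/* Run fn() in a forked child under the filter: returns the signal that
 * killed the child, 0 if it exited cleanly, -1 on a harness error. */
static int run_sandboxed(void (*fn)(void))
{
    int status;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        if (install_stdio_filter() != 0) _exit(2);
        fn();
        _exit(0);
    }
    if (waitpid(pid, &status, 0) < 0) return -1;
    if (WIFSIGNALED(status)) return WTERMSIG(status);
    return (WIFEXITED(status) && WEXITSTATUS(status) == 0) ? 0 : -1;
}

static void only_writes(void) { if (write(1, "inside sandbox\n", 15) < 0) _exit(3); }
static void opens_socket(void) { socket(AF_INET, SOCK_STREAM, 0); } /* out of bounds */

int main(void) {
    printf("write-only child: %d, socket() child: %d (SIGSYS = %d)\n",
           run_sandboxed(only_writes), run_sandboxed(opens_socket), SIGSYS);
}
```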

Debian has a firewall. But you have to install and enable it. I trust Linux a lot more than windows. And I use Windows 8. Plus I bet a lot of these "security" issues are related to their Internet browsing. People who play in the mud shouldn't be surprised when they get muddy.

ungoogled chromium + firejail = privacy + security
Use gentoo hardened for ultimate security.

>ungoogled chromium
Nice idea, but I can't trust it fully. Chromium is too big and changes fast, something could slip.

Gee I wonder if there's any correlation between how many use or how popular the so called vulnerable software is?
>Stats

...

>
Enjoy your false sense of security.
There are simply not enough eyes on OpenBSD.

Keep in mind all the money is in compromising iOS/OSX or Windows (or Chromium). There's no money in compromising Linux distros yet they still have the top amount of public security advisories.

These are also major, MAJOR security vulns like last April when it was discovered you can inject malware into any kernel.org TCP/IP stack remotely or redirect users (esp Tor users) to malicious sites and relays.

The problem is of course default kernel.org where all protections are disabled, and default distros which have zero protections because they want to push optimization/performance and "user friendliness". Windows at one time pushed this, then after the gongshow that was Windows ME they put serious money into auditing and formally verifying their kernels. The latest Windows system is much harder to break into than Ubuntu LTS, esp if said Windows user is using Sandboxie; then you need ninja or state level skills to bypass that kind of kernel protection running by default.

You can get all this on Linux too but it means building your own kernel and turning on the kernel.org mainline protections. Then it means patching with GrSec (which is no longer offered public) so you have to run a testing version, or use Gentoo/Arch distro. It also means you have to manually tune a lot of things, because you'll see all these guides where they try and get you to turn off protections just to use a browser with MPROTECT on meaning you're just insecuring your system again.

Then there's the whole world of SELinux complexity which Redhat/Fedora uses. This is why often by default you'll see it turned off by sysadmins because you can spend weeks debugging SELinux logs trying to figure out what's going on. SELinux when developed by the NSA was never supposed to be an actual solution, it was merely a proof of concept that role based security could be put into the Linux kernel which at the time was so insecure a 10yr old kid with hacktheplanet.txt could launch a blind shell.

The eyes on it matter though, such as crypto engineers who develop OpenBSD, lifelong security experts and Microsoft who reviews OpenBSD code before they (steal) it to put in their own kernel. NCC Group also fuzzed the shit out of the OpenBSD kernel last year for free and had a team audit the entire TCP/IP stack.

btw I don't even use OpenBSD so I'm not shilling it, just the whole meme of 'not enough eyes' means nothing considering all the eyes on OpenSSL

Chrome has less vulns because google pays goyim relatively large sums of money to find them. multiple times a year. firefux doesn't have God's covenant money.

People have turned to Linux and are actively reporting vulns. What's surprising you?

Chrome has less vulns because it's much better designed and has a lot of mitigations Firefox doesn't. In fact Mozilla literally plans to use Chromium's code for sandboxing in Firefox, and they're so stupid they're using two different, incompatible versions of said library (bugzilla.mozilla.org/show_bug.cgi?id=925471).

Mozilla can only dream about this:
chromium.org/developers/design-documents/sandbox
chromium.org/Home/chromium-security/education/security-tips-for-ipc

btw if anybody is interested in any of this shit simply fuzz the linux kernel yourself using TriforceAFL nccgroup.trust/us/about-us/newsroom-and-events/blog/2016/june/project-triforce-run-afl-on-everything/

Build your own kernels and then write your own unique test cases for them. If you get good at this there's a job for you somewhere. No Starch Press also has bootloader hacking books coming out this year which are really good.

>it's the year 2017 of our lord
>still using someone else's kernel
cuckish tbh