The Reality of “The Dirty Dozen” and why I love Google Chrome

If you have been following your security news the last couple of days you will have seen that there have been a handful of headlines about the “Dirty Dozen” most vulnerable applications with Google Chrome coming in at number one. Just from that fact alone I became quickly suspicious on the science behind the calculations backing up a claim that Google Chrome is “the most vulnerable application” given the brilliant security researchers Google employs and the general sense from my security peers that Chrome is in fact a night and day better browser than most anything out there. Before we get into the specifics on what makes an application vulnerable or not I want to enlighten you into how the security industry works. Specifically, how us security vendors hatch our plans to try to capture you IT folks as “leads” to then sell you a “solution” to the “problem” we just presented to you. Make no mistake security is a business and a very big one. Obviously all of us on the product side are here to make money. The reality is that there really are major threats out there facing businesses that if not addressed will cost businesses a lot more to clean up reactively than to have proactively invested in security. That being said, it is easy for people in the security industry, myself included, to get carried away at times presenting misleading research all for the sake of generating leads to sell some products. The process usually starts with a combination of engineering/research and marketing management getting together and brainstorming about some new lead generation ideas. This could be a free tool, white paper, research study, etc… Now this in of itself is not bad and I think most people in IT would agree they are willing to give up their contact information and receive a sales call in exchange for a useful tool or white paper Where things can go wrong is when you are going through this process purely as a marketing exercise which eventually leads to a white paper and news headlines that draws incorrect and misleading conclusions. Such is case with the recent “Dirty Dozen” top vulnerable applications “report” by Bit9. If you read the news headlines surrounding the report, which really are derived from the Bit9 press release, you will be led to believe that Google’s Chrome is the worst possible application you could have installed in your environment. The reason that Bit9 came to this conclusion is because they did a ranking of the end-user/consumer applications that had the largest number of high severity vulnerabilities. Now some folks might think a software application having a large number of vulnerabilities does simply mean that software is “dirty” and therefore should be considered more of a risk than a piece of software with less vulnerabilities. I would challenge this idea to say that simply measuring the risk level of a piece of software based on the number of vulnerabilities it has is not giving a fair portrayal to what I believe IT people really want to know: “Which software is more likely to cause my systems to become compromised?” Again, if you take the “Dirty Dozen” at face value, that will read to IT folks that using Google Chrome is a bad idea, a very bad one. I would challenge that assertion and posit that you are much more likely to experience a system compromise because of Adobe Reader (Ranked #4) or Adobe Flash (Ranked #11) than you are with Google Chrome (Ranked #1). This is simply because while many vulnerabilities might exist for Chrome, there are very few exploits for Chrome vulnerabilities compared to Adobe. That is to say that while Chrome has more vulnerabilities than Adobe, it does not have nearly the amount of malicious code in the wild to leverage those vulnerabilities. This is partially due to the fact that Chrome was developed with security in mind and is backed by Google’s research team whom simply are some of the brightest minds in the business. That is why Chrome has had various sandboxing and hardening technologies within it for a while now and companies like Adobe are just getting around to it. If you review an exploit framework tool like Metasploit you will find zero exploits for Chrome and a whole handful of exploits for both Adobe Reader/Flash. Moving beyond even just Metasploit, if one were to review www.Exploit-DB.com you will find references to “exploits” for Chrome which in reality are 90%+ Proof of Concept exploits which do not actually successfully execute code, but rather simply cause Chrome to crash. Whereas if you review the exploits for Adobe you will find many working code execution exploits. There is simply no comparison to the number of working code execution exploits in the wild for Adobe vs. Chrome. Now before some security researcher assumes I am saying that none of the Chrome exploits can be exploited for code execution, you must understand that I am sure plenty of the vulnerabilities in Chrome could be exploited. Folks working in the world of IT have thousands, if not hundreds of thousands, of vulnerabilities and threats that they are trying to manage in their environments. It is critical they know operationally what really isa problem happening in the wild vs. what could be a problem. To say that Google’s Chrome is the most vulnerable application is to lead IT folks to a conclusion that they should be using a browser other than Chrome and therefore leading them to the wrong conclusion. When striving to understand what the risk level of various applications are you cannot simply count the number of vulnerabilities as no two vulnerabilities are created equally. There are many other factors that go into properly assessing the risk of software being used within your business. The time it takes a vendor to patch a vulnerability (both zero-day and ‘responsible’), the split between vendor and third-party discovered vulnerabilities, how many vulnerabilities a vendor silently patches, etc… With all that being said, the single biggest factor in assessing the risk of a given technology comes down to your organization’s ability to manage and maintain it. It is in this area of customizing an application’s attack surface and programmatically being able to manage versioning and patching of an application that far too many technology companies continue to fall short. Vulnerabilities will always be a constant with some technologies having more or less, but your ability to understand your vulnerabilities and manage them will always be the winning formula. Signed, Marc Maiffret