The Reality of “The Dirty Dozen” and why I love Google Chrome

November 17, 2010

If you have been following your security news the last couple of days, you will have seen a handful of headlines about the “Dirty Dozen” most vulnerable applications, with Google Chrome coming in at number one. From that fact alone I quickly became suspicious of the science behind the calculations backing up a claim that Google Chrome is “the most vulnerable application,” given the brilliant security researchers Google employs and the general sense from my security peers that Chrome is in fact a night and day better browser than most anything out there.

Before we get into the specifics of what makes an application vulnerable or not, I want to enlighten you on how the security industry works. Specifically, how we security vendors hatch our plans to capture you IT folks as “leads” and then sell you a “solution” to the “problem” we just presented to you. Make no mistake: security is a business, and a very big one. Obviously all of us on the product side are here to make money. The reality is that there really are major threats facing businesses that, if not addressed, will cost a lot more to clean up reactively than to have proactively invested in security. That being said, it is easy for people in the security industry, myself included, to get carried away at times presenting misleading research, all for the sake of generating leads to sell some products.

The process usually starts with engineering/research and marketing management getting together and brainstorming new lead generation ideas. This could be a free tool, white paper, research study, etc. Now this in and of itself is not bad, and I think most people in IT would agree they are willing to give up their contact information and receive a sales call in exchange for a useful tool or white paper. Where things can go wrong is when you go through this process purely as a marketing exercise, which eventually leads to a white paper and news headlines that draw incorrect and misleading conclusions.

Such is the case with the recent “Dirty Dozen” top vulnerable applications “report” by Bit9. If you read the news headlines surrounding the report, which really are derived from the Bit9 press release, you will be led to believe that Google’s Chrome is the worst possible application you could have installed in your environment. The reason Bit9 came to this conclusion is that they ranked end-user/consumer applications by the number of high severity vulnerabilities each had. Now some folks might think that a software application having a large number of vulnerabilities simply means that software is “dirty” and therefore should be considered more of a risk than a piece of software with fewer vulnerabilities. I would challenge this idea: simply measuring the risk level of a piece of software by the number of vulnerabilities it has does not give a fair portrayal of what I believe IT people really want to know: “Which software is more likely to cause my systems to become compromised?”

Again, if you take the “Dirty Dozen” at face value, it reads to IT folks that using Google Chrome is a bad idea, a very bad one. I would challenge that assertion and posit that you are much more likely to experience a system compromise because of Adobe Reader (ranked #4) or Adobe Flash (ranked #11) than because of Google Chrome (ranked #1). This is simply because, while many vulnerabilities might exist for Chrome, there are very few exploits for Chrome vulnerabilities compared to Adobe. That is to say, while Chrome has more vulnerabilities than Adobe, it does not have nearly the amount of malicious code in the wild to leverage those vulnerabilities. This is partially because Chrome was developed with security in mind and is backed by Google’s research team, who are simply some of the brightest minds in the business. That is why Chrome has had various sandboxing and hardening technologies in it for a while now, while companies like Adobe are just getting around to it.

If you review an exploit framework like Metasploit, you will find zero exploits for Chrome and a whole handful of exploits for both Adobe Reader and Flash. Moving beyond Metasploit, if you review www.Exploit-DB.com you will find references to “exploits” for Chrome which in reality are 90%+ proof-of-concept exploits that do not actually execute code but simply cause Chrome to crash. Whereas if you review the exploits for Adobe, you will find many working code execution exploits. There is simply no comparison between the number of working code execution exploits in the wild for Adobe vs. Chrome. Now, before some security researcher assumes I am saying that none of the Chrome vulnerabilities can be exploited for code execution, understand that I am sure plenty of the vulnerabilities in Chrome could be exploited. Folks working in IT have thousands, if not hundreds of thousands, of vulnerabilities and threats that they are trying to manage in their environments. It is critical they know operationally what really is a problem happening in the wild vs. what could be a problem. To say that Google’s Chrome is the most vulnerable application leads IT folks to conclude that they should be using a browser other than Chrome, which is the wrong conclusion.

When striving to understand the risk level of various applications, you cannot simply count the number of vulnerabilities, as no two vulnerabilities are created equal. Many other factors go into properly assessing the risk of software used within your business: the time it takes a vendor to patch a vulnerability (both zero-day and ‘responsibly’ disclosed), the split between vendor- and third-party-discovered vulnerabilities, how many vulnerabilities a vendor silently patches, etc. With all that being said, the single biggest factor in assessing the risk of a given technology comes down to your organization’s ability to manage and maintain it. It is in this area of customizing an application’s attack surface and programmatically managing the versioning and patching of an application that far too many technology companies continue to fall short. Vulnerabilities will always be a constant, with some technologies having more or fewer, but your ability to understand your vulnerabilities and manage them will always be the winning formula.

Signed,
Marc Maiffret
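As an added illustration, not part of the original post, the Python below ranks a constructed vulnerability inventory two ways: by raw count of high-severity findings, as the report does, and by a score that weights each finding by whether working exploit code exists, whether it only crashes the application, and how long the vendor took to patch. The application names, weights and counts are assumptions constructed for the example and are not figures from the Bit9 report.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import List, Tuple

# Weights are assumptions chosen for illustration, not values from the report.
SEVERITY = {"high": 3.0, "medium": 2.0, "low": 1.0}
# A working in-the-wild exploit counts fully; a crash-only PoC a little; none barely.
EXPLOIT = {"working": 1.0, "poc_crash": 0.3, "none": 0.1}


@dataclass
class Vuln:
    app: str
    severity: str        # "high", "medium" or "low"
    exploit: str         # "working", "poc_crash" or "none"
    days_to_patch: int   # days from disclosure to vendor fix


# Constructed sample inventory with hypothetical application names.
SAMPLE: List[Vuln] = (
    [Vuln("browser-a", "high", "poc_crash", 7) for _ in range(8)]
    + [Vuln("browser-a", "high", "none", 5) for _ in range(4)]
    + [Vuln("pdf-reader-b", "high", "working", 45) for _ in range(3)]
    + [Vuln("pdf-reader-b", "medium", "none", 30) for _ in range(2)]
    + [Vuln("plugin-c", "high", "working", 60) for _ in range(2)]
)


def count_ranking(vulns: List[Vuln], severity: str = "high") -> List[Tuple[str, int]]:
    """Rank applications by the raw number of findings at one severity (the report's method)."""
    counts = Counter(v.app for v in vulns if v.severity == severity)
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


def risk_score(v: Vuln) -> float:
    """Severity scaled by exploit availability and by patch latency (per 30 days)."""
    return SEVERITY[v.severity] * EXPLOIT[v.exploit] * (1 + v.days_to_patch / 30)


def exploit_weighted_ranking(vulns: List[Vuln]) -> List[Tuple[str, float]]:
    """Rank applications by the sum of their per-finding risk scores."""
    totals = defaultdict(float)
    for v in vulns:
        totals[v.app] += risk_score(v)
    return sorted(totals.items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    print("by count of high-severity findings:", count_ranking(SAMPLE))
    print("by exploit-weighted score:",
          [(a, round(s, 1)) for a, s in exploit_weighted_ranking(SAMPLE)])
```

With this data the application with the most high-severity findings drops to last once exploit availability and patch latency are taken into account, which is the inversion the post argues for.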
Scott Lang, Sr. Director, Product Marketing at BeyondTrust

Scott Lang has nearly 20 years of experience in technology product marketing, currently guiding the product marketing strategy for BeyondTrust’s privileged account management solutions and vulnerability management solutions. Prior to joining BeyondTrust, Scott was director of security solution marketing at Dell, formerly Quest Software, where he was responsible for global security campaigns, product marketing for identity and access management and Windows server management.
