On browsers and bugs

Credit to Author: Susan Bradley | Date: Mon, 28 Mar 2022 09:27:00 -0700

We’re told that one of the best ways to stay secure is to keep our computers patched. But at any given time there are almost certainly vulnerabilities that are already known to attackers, already in use, and not yet fixed. The good news is that the time between when a bug is reported to a vendor and when it’s fixed is slowly going down, according to Google Project Zero. It tracks how long vendors take to fix the bugs it reports and found that “in 2021, vendors took an average of 52 days to fix security vulnerabilities reported from Project Zero. This is a significant acceleration from an average of about 80 days [three] years ago.”

As you look through the list of bugs reported from 2019 through 2021, it’s clear no platform is immune. Apple has often been touted as being natively more secure than other platforms, but — as measured by Google Project Zero — it had a total of 84 bugs, compared to Microsoft’s 80. (Keep in mind that these are counts of bugs Project Zero itself found and reported, so they say as much about where its researchers looked as about the platforms.) The average number of days to fix the bugs moved from 71 days for Apple in 2019 to 64 days in 2021. For Microsoft, the time lag dropped from an average of 85 days to 76 days.

Don’t just think about desktop OS bugs; remember bugs on smartphone platforms, too. Under the Google Project Zero program, it took an average of 70 days to fix iOS issues (and 72 days to fix Android bugs on the Samsung platform). Where the two platforms diverge is in the number of bugs fixed: iOS had 76, versus 10 for Android on the Samsung platform and 6 on the Android Pixel platform. That discrepancy is more a reflection of how Apple packages and ships software than of how many bugs each platform has.

“Security updates for ‘apps’ such as iMessage, FaceTime, and Safari/WebKit are all shipped as part of the OS updates, so we include those in the analysis of the operating system,” Project Zero said. “On the other hand, security updates for standalone apps on Android happen through the Google Play Store, so they are not included here in this analysis.”

For browsers, the one with the most users also had the most bugs. Google Chrome had 40 bugs during that three-year period, and the fastest average time to fix a bug. But don’t get complacent if you use the Brave browser — many browsers are built on the Chromium engine and inherit Chromium’s bugs, so they are just as vulnerable as Chrome until their own vendor ships the same fix. Edge, Opera, Vivaldi, Brave, Colibri, Epic, and Iron, among others, are all in the same Chromium boat. So, when Chrome gets a mandatory security fix, look for updates for alternate browsers, and check that the Chromium version your browser is built on (shown on its about/version page, such as chrome://version or edge://version) has caught up to the fixed Chrome build.
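The check described above can be automated across a fleet. The following Python script is an added example, not code from the article or from any browser vendor. It assumes, from the vendors’ published User-Agent formats, that Chromium-based browsers keep the upstream “Chrome/major.minor.build.patch” token in their User-Agent even when they append their own token (Edg/, OPR/, and so on), and that Chrome 101 and later freeze the minor.build.patch part to 0.0.0 in the “reduced” User-Agent. The host names, User-Agent strings and “fixed” version numbers in it are constructed for illustration; the real fixed builds come from the Chrome stable release note for the fix you care about.

```python
"""Check whether Chromium-based browsers carry a given Chrome security fix.

Added example (not from the article or from any browser vendor). Chromium-based
browsers keep the upstream "Chrome/<major>.<minor>.<build>.<patch>" token in
their User-Agent even when they add their own token (Edg/, OPR/, Vivaldi/ ...),
so that token tells you which Chromium base the browser was built from. All
version numbers and User-Agent strings below are constructed for illustration;
take real ones from the Chrome stable release note announcing the fix.
"""
import re
from typing import Dict, Optional, Tuple

Version = Tuple[int, int, int, int]

_CHROMIUM_TOKEN = re.compile(r"\bChrome/(\d+)\.(\d+)\.(\d+)\.(\d+)\b")

# Constructed: first build on each supported release line that carries the fix.
# Chrome ships a fix on the current Stable milestone and backports it to the
# Extended Stable milestone, so a single "fixed version" is not enough.
FIXED_BY_MAJOR: Dict[int, Version] = {
    99: (99, 0, 4844, 84),    # Stable line (hypothetical numbers)
    98: (98, 0, 4758, 140),   # Extended Stable line, backport (hypothetical)
}

# Constructed inventory: hostname -> User-Agent string reported by the browser.
SAMPLE_UAS: Dict[str, str] = {
    "ws01-edge": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
                 "(KHTML, like Gecko) Chrome/99.0.4844.51 Safari/537.36 Edg/99.0.1150.39",
    "ws02-brave": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
                  "(KHTML, like Gecko) Chrome/99.0.4844.84 Safari/537.36",
    "ws03-chrome-extended": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
                            "(KHTML, like Gecko) Chrome/98.0.4758.140 Safari/537.36",
    "ws04-chrome-reduced": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
                           "(KHTML, like Gecko) Chrome/101.0.0.0 Safari/537.36",
    "ws05-firefox": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:98.0) Gecko/20100101 Firefox/98.0",
}


def parse_version(text: str) -> Version:
    """Turn 'M.m.b.p' (as shown on chrome://version) into a comparable tuple."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a four-part Chromium version: {text!r}")
    major, minor, build, patch = (int(p) for p in parts)
    return (major, minor, build, patch)


def chromium_version_from_ua(ua: str) -> Optional[Version]:
    """Return the Chromium base version embedded in a User-Agent, or None if absent."""
    m = _CHROMIUM_TOKEN.search(ua)
    if m is None:
        return None
    major, minor, build, patch = (int(g) for g in m.groups())
    return (major, minor, build, patch)


def is_reduced(v: Version) -> bool:
    """Chrome 101+ freezes minor.build.patch to 0.0.0 in the UA ("reduced UA"),
    so the UA no longer reveals the patch level; ask the browser directly instead
    (chrome://version, edge://version, or navigator.userAgentData)."""
    return v[1:] == (0, 0, 0)


def has_fix(installed: Version, fixed_by_major: Dict[int, Version]) -> bool:
    """True if `installed` includes the fix first shipped at `fixed_by_major`.

    Compare within the installed release line when the fix was shipped on it;
    any later milestone branched after the fix and so contains it; an older
    line with no listed backport is out of support and treated as unfixed.
    """
    major = installed[0]
    if major in fixed_by_major:
        return installed >= fixed_by_major[major]
    return major > max(fixed_by_major)


def check_fleet(ua_by_host: Dict[str, str],
                fixed_by_major: Dict[int, Version]) -> Dict[str, str]:
    """Classify each host as fixed / vulnerable / unknown / not-chromium."""
    report: Dict[str, str] = {}
    for host, ua in ua_by_host.items():
        v = chromium_version_from_ua(ua)
        if v is None:
            report[host] = "not-chromium"
        elif is_reduced(v):
            report[host] = "unknown"      # reduced UA: needs an about:version check
        elif has_fix(v, fixed_by_major):
            report[host] = "fixed"
        else:
            report[host] = "vulnerable"
    return report


if __name__ == "__main__":
    for host, status in check_fleet(SAMPLE_UAS, FIXED_BY_MAJOR).items():
        print(f"{host:22} {status}")
```

The per-line comparison matters for exactly the situation discussed further down: an Extended Stable machine on milestone 98 can carry the backported fix while a Stable machine on milestone 99 does not yet, and a naive “installed version >= fixed version” check would get both wrong. Hosts reported as “unknown” are the ones whose browser has moved to the reduced User-Agent; for those you need the full version from the browser itself, not from proxy or web-server logs.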

Browsers are basically the new “operating system;” they need extra attention because they’re used in so many ways, and because so many products and services have moved to the cloud. You might even consider running the beta or developer channels of Chrome and Edge, as they often get security features before the stable channel does (at the cost of running less-tested code). Or you could go the other way and run an extended support release that favors long-term stability over new features. Firefox, for example, has an Extended Support Release (ESR). Even if you’re not an enterprise user, you can download Firefox ESR — especially if you want a secure platform without having to deal with change for change’s sake. ESR still gets security fixes on the normal schedule; what it holds back are feature changes, which wait until the next ESR base version. The advantage is that changes arrive slowly; the disadvantage is that when they do arrive they land all at once and are often drastic. So you’ll need to know when the next ESR transition is scheduled.

Another tactic is to be sure your browsers are set to automatically update and install patches immediately. In general on Askwoody.com, I urge users to delay patching Windows immediately and wait until we get an all-clear for any known issues. But for browsers, I highly recommend that you install updates immediately; if you do suffer any side effects, you can easily switch to another browser until any bug is fixed.

While speeding up security updates is generally a good thing, dealing with vendor side effects is not. Last year, Chrome moved from shipping a new milestone every six weeks to every four weeks. (The Extended Stable channel gets feature releases every eight weeks instead, while still receiving security fixes in between.)

For Edge, you can use Intune or Group Policy to move the browser to the Extended Stable channel. Open the local Group Policy Editor and go to Computer Configuration > Administrative Templates > Microsoft Edge Update > Applications > Microsoft Edge. (If the Microsoft Edge Update node isn’t there, first import the Edge Update administrative templates from Microsoft’s Edge for Business download page; they are not part of Windows.) Double-click Target Channel override, select Enabled, and under Options pick “Extended Stable” from the Policy dropdown list. The setting is applied by Edge Update, not by the browser itself, so there is nothing further to change inside Edge.

Bottom line: for all of the vulnerabilities that get patched every month, there are many more still under investigation and not yet fixed, and some of them are already being used by attackers. Whenever you use your computer, be cautious and click carefully. You are always at risk.

http://www.computerworld.com/category/security/index.rss