{"id":18606,"date":"2022-03-28T10:30:04","date_gmt":"2022-03-28T18:30:04","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2022\/03\/28\/news-12339\/"},"modified":"2022-03-28T10:30:04","modified_gmt":"2022-03-28T18:30:04","slug":"news-12339","status":"publish","type":"post","link":"https:\/\/www.palada.net\/index.php\/2022\/03\/28\/news-12339\/","title":{"rendered":"On browsers and bugs"},"content":{"rendered":"<p><img decoding=\"async\" src=\"https:\/\/images.idgesg.net\/images\/article\/2019\/11\/cso_browser_security_by_thinkstock_497418668_1200x800-100817200-large.3x2.jpg?auto=webp&amp;quality=85,70\"\/><\/p>\n<p><strong>Credit to Author: Susan Bradley| Date: Mon, 28 Mar 2022 09:27:00 -0700<\/strong><\/p>\n<p style=\"font-weight: 400;\">We\u2019re told that one of the best ways to stay secure is to keep our computers patched. But at any given time there are also vulnerabilities that attackers already know about, and are probably exploiting, for which no patch yet exists. The good news is that the gap between when a bug is reported and when it\u2019s patched is slowly shrinking, according to <a href=\"https:\/\/googleprojectzero.blogspot.com\/2022\/02\/\" rel=\"noopener nofollow\" target=\"_blank\">Google Project Zero<\/a>. Project Zero tracks how long vendors take to fix the bugs it reports and found that \u201cin 2021, vendors took an average of 52 days to fix security vulnerabilities reported from Project Zero. This is a significant acceleration from an average of about 80 days [three] years ago.\u201d<\/p>\n<p style=\"font-weight: 400;\">Looking through the list of bugs reported from 2019 through 2021, it\u2019s clear no platform is immune. Apple has often been touted as natively more secure than other platforms, but \u2014 as measured by Google Project Zero \u2014 it had a total of 84 bugs, compared to Microsoft\u2019s 80. Apple\u2019s average time to fix moved from 71 days in 2019 to 64 days in 2021. 
For Microsoft, the average dropped from 85 days to 76 days.<\/p>\n<p style=\"font-weight: 400;\">Don\u2019t just think about desktop OS bugs; smartphone platforms matter too. Under the Google Project Zero program, it took an average of 70 days to fix iOS issues (and 72 days to fix Android bugs on the Samsung platform). Where the two platforms diverge is in the number of bugs fixed: iOS had 76, versus 10 for Android on the Samsung platform and 6 on the Pixel platform. That discrepancy mostly reflects how Apple packages and ships software, as Project Zero explains.<\/p>\n<p style=\"font-weight: 400;\">\u201cSecurity updates for \u2018apps\u2019 such as iMessage, FaceTime, and Safari\/WebKit are all shipped as part of the OS updates, so we include those in the analysis of the operating system,\u201d Project Zero said. \u201cOn the other hand, security updates for standalone apps on Android happen through the Google Play Store, so they are not included here in this analysis.\u201d<\/p>\n<p style=\"font-weight: 400;\">For browsers, the one with the most users also had the most bugs. Google Chrome had 40 bugs during that three-year period, and also the fastest average time to fix. But don\u2019t get complacent if you use the Brave browser \u2014 many browsers are built on the Chromium engine, sharing its Blink renderer, V8 JavaScript engine and sandbox, so a bug fixed in Chrome is almost always present in them until their own vendor ships the corresponding Chromium update. Edge, Opera, Vivaldi, Brave, Colibri, Epic, and Iron, among others, are all in the same Chromium boat. So when Chrome gets a security fix, check that your alternate browser has picked it up: derivatives often lag Chrome by days, and their own version numbers differ from Chrome\u2019s, so the vendor\u2019s release notes are the place to confirm which Chromium release they include.<\/p>\n<p style=\"font-weight: 400;\">Browsers are basically the new \u201coperating system\u201d; they need extra attention because they\u2019re used in so many ways, and because so many products and services have moved to the cloud. You might even consider running the Beta or Dev channels of Chrome and Edge, since new security features often land there first, though pre-release channels also carry more non-security bugs. 
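The "same Chromium boat" point above is easy to act on only if you know which Chromium-based browsers are actually installed and how stale each one is. The following is an added example, not code from the article: a PowerShell inventory that walks the Windows App Paths registry keys (where installed browsers register their executable) and reports version and binary timestamp for each Chromium-based browser it finds. The list of executable names is an assumption; add any derivative you run. Note that the version reported is the vendor's own number, not Chromium's, so the final comparison is against that vendor's release notes.

```powershell
# Added example (not from the article): inventory Chromium-based browsers
# registered on this Windows machine so you can check that each one has
# picked up the latest Chromium security release. Assumes the browsers
# register under the standard App Paths keys, which the major ones do.

# Executable names of Chromium derivatives the article mentions, plus Chrome
# itself as the reference. This list is an assumption; extend it as needed.
$ChromiumExes = @('chrome.exe', 'msedge.exe', 'brave.exe', 'vivaldi.exe',
                  'opera.exe', 'iron.exe', 'epic.exe')

function Get-ChromiumBrowserInventory {
    $roots = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\App Paths',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths'
    )
    foreach ($root in $roots) {
        if (-not (Test-Path $root)) { continue }
        foreach ($key in Get-ChildItem $root) {
            $exe = Split-Path $key.PSChildName -Leaf
            if ($ChromiumExes -notcontains $exe.ToLower()) { continue }
            # The key's default value is the full path to the executable.
            $path = (Get-ItemProperty $key.PSPath).'(default)'
            if (-not $path) { continue }
            $path = $path.Trim('"')
            if (-not (Test-Path $path)) { continue }
            $file = Get-Item $path
            [pscustomobject]@{
                Product   = $file.VersionInfo.ProductName
                Exe       = $exe
                Version   = $file.VersionInfo.ProductVersion  # vendor's number, not Chromium's
                Installed = $file.LastWriteTime               # when the binary last changed
                Scope     = if ($root -like 'HKCU:*') { 'user' } else { 'machine' }
                Path      = $path
            }
        }
    }
}

# Oldest binary first: a browser whose executable has not changed in weeks,
# while Chrome has shipped security fixes, is the one to chase.
Get-ChromiumBrowserInventory |
    Sort-Object Installed |
    Format-Table Product, Version, Installed, Scope, Path -AutoSize
```

Run it in an ordinary (non-elevated) PowerShell session; per-user installs such as Opera or Vivaldi only show up under HKCU for the user who installed them, so on a shared machine run it as each user or extend it to enumerate the loaded user hives.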
Or you could go the other way and run an extended support release, which still gets security fixes on the normal schedule but takes feature changes far less often. (Firefox, for example, has <a href=\"https:\/\/www.mozilla.org\/en-US\/firefox\/enterprise\/\" rel=\"noopener nofollow\" target=\"_blank\">Extended Support Release (ESR) versions<\/a>.) Even if you\u2019re not an enterprise user, you can download <a href=\"https:\/\/www.mozilla.org\/en-US\/firefox\/91.7.1\/releasenotes\/?utm_source=firefox-browser&amp;utm_medium=firefox-desktop&amp;utm_campaign=about-dialog\" rel=\"noopener nofollow\" target=\"_blank\">Firefox ESR<\/a> \u2014 especially if you want a secure platform without having to deal with change for change\u2019s sake. The advantage is that feature changes arrive rarely; the disadvantage is that when the ESR moves to a new base version, roughly once a year, the accumulated changes are large. So you\u2019ll <a href=\"https:\/\/wiki.mozilla.org\/Release_Management\/Calendar\" rel=\"noopener nofollow\" target=\"_blank\">need to know when changes will be made<\/a>.<\/p>\n<p style=\"font-weight: 400;\">Another tactic is to be sure your browsers are set to automatically update and install patches immediately. In general on Askwoody.com, I urge users to hold off on patching Windows until we get an all-clear on any known issues. But for browsers, I highly recommend that you install updates immediately; if you do suffer any side effects, you can easily switch to another browser until the bug is fixed. One caveat: Chrome and Edge download updates in the background but keep running the old code until you relaunch, so a browser window that has been open for a week is still running unpatched code whatever the updater says. Relaunch when the browser prompts you to.<\/p>\n<p style=\"font-weight: 400;\">While speeding up security updates is generally a good thing, dealing with vendor side effects is not. Last year, Chrome moved from <a href=\"https:\/\/blog.chromium.org\/2021\/03\/speeding-up-release-cycle.html\" rel=\"noopener nofollow\" target=\"_blank\">shipping a new milestone every six weeks<\/a> to every four weeks; security fixes still ship between milestones. 
(Chrome\u2019s Extended Stable channel gets feature releases every eight weeks, but still receives important security fixes in between.)<\/p>\n<p style=\"font-weight: 400;\">For Edge, you can use Intune or a Group Policy to move a machine to the Extended Stable channel. Open the local Group Policy Editor, go to Computer Configuration, then Administrative Templates, then Microsoft Edge Update&gt;Applications&gt;Microsoft Edge. Select Target Channel override and select Enabled. Under Options, pick \u201cExtended Stable\u201d from the Policy dropdown list. (The Microsoft Edge Update templates are not part of Windows; if that folder is missing, download the Edge policy files from Microsoft and copy the ADMX and ADML files into PolicyDefinitions first.) Group Policy writes the setting under HKLM\\SOFTWARE\\Policies\\Microsoft\\EdgeUpdate, which is where to look if it doesn\u2019t seem to take, and the switch only happens at Edge Update\u2019s next check.<\/p>\n<p style=\"font-weight: 400;\">Bottom line: for all of the vulnerabilities that get patched every month, there are many more still under investigation and not yet fixed, and some of those are already being used by attackers. Whenever you use your computer, be cautious and click carefully. You are always at risk.<\/p>\n<p><a href=\"https:\/\/www.computerworld.com\/article\/3654954\/on-browsers-and-bugs.html#tk.rss_security\" target=\"bwo\" >http:\/\/www.computerworld.com\/category\/security\/index.rss<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p><img decoding=\"async\" src=\"https:\/\/images.idgesg.net\/images\/article\/2019\/11\/cso_browser_security_by_thinkstock_497418668_1200x800-100817200-large.3x2.jpg?auto=webp&amp;quality=85,70\"\/><\/p>\n<p><strong>Credit to Author: Susan Bradley| Date: Mon, 28 Mar 2022 09:27:00 -0700<\/strong><\/p>\n<article>\n<section class=\"page\">\n<p style=\"font-weight: 400;\">We\u2019re told that one of the best ways to stay secure is to make sure our computers are patched. But we need to always be aware that at any given time, there are several vulnerabilities probably known and in use by attackers. The good news is that the number of days between when a bug is identified and when it\u2019s patched is slowly going down, according to the <a href=\"https:\/\/googleprojectzero.blogspot.com\/2022\/02\/\" rel=\"noopener nofollow\" target=\"_blank\">Google Project Zero<\/a>. 
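The Group Policy steps for Edge, and the earlier advice to keep browsers set to update automatically, both come down to a handful of Edge Update policy values. The following is an added example, not code from the article or from Microsoft: a PowerShell script that writes the same registry values Group Policy writes for "Target Channel override" and "Update policy override", then reads them back alongside the currently installed Edge version so you can confirm the change took. It is meant for a standalone machine or a test box; on managed fleets keep using Intune or Group Policy so the setting is not overwritten at the next policy refresh. The policy key path, the Edge Stable application GUID, the value names and the channel string "extended" are taken from Microsoft's Edge Update policy documentation but are assumptions here; check them against your own msedgeupdate.admx before relying on them. Run it elevated.

```powershell
# Added example (not from the article): set Edge to the Extended Stable channel
# and force updates to stay enabled, by writing the registry values that the
# Microsoft Edge Update Group Policy settings map to. Run from an elevated
# PowerShell prompt. Key path, app GUID, value names and channel strings are
# assumptions to verify against Microsoft's Edge Update policy reference.

$EdgeUpdatePolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\EdgeUpdate'
$EdgeStableAppId     = '{56EB18F8-B008-4CBD-B6D2-8C97FE7E9062}'   # Microsoft Edge (Stable)

function Set-EdgeUpdateChannelPolicy {
    param(
        # Channel strings as documented for "Target Channel override" (assumption).
        [ValidateSet('stable', 'extended', 'beta', 'dev', 'canary')]
        [string] $Channel = 'extended'
    )
    if (-not (Test-Path $EdgeUpdatePolicyKey)) {
        New-Item -Path $EdgeUpdatePolicyKey -Force | Out-Null
    }
    # "Target Channel override" -> TargetChannel{AppId} (REG_SZ)
    Set-ItemProperty -Path $EdgeUpdatePolicyKey -Name "TargetChannel$EdgeStableAppId" `
        -Value $Channel -Type String
    # "Update policy override" -> Update{AppId} (REG_DWORD); 1 = always allow updates.
    # Set explicitly so a slower feature cadence never turns into no updates at all.
    Set-ItemProperty -Path $EdgeUpdatePolicyKey -Name "Update$EdgeStableAppId" `
        -Value 1 -Type DWord
}

function Get-EdgeUpdateChannelPolicy {
    # Read back what is configured plus the Edge build currently on disk, so the
    # result can be checked. The channel switch only takes effect after Edge
    # Update's next check, and the running browser stays on the old build until
    # it is relaunched, so expect CurrentEdge to change later, not immediately.
    $policy = if (Test-Path $EdgeUpdatePolicyKey) {
        Get-ItemProperty -Path $EdgeUpdatePolicyKey
    }
    $edgeExe = (Get-ItemProperty `
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\msedge.exe' `
        -ErrorAction SilentlyContinue).'(default)'
    $current = if ($edgeExe -and (Test-Path $edgeExe)) {
        (Get-Item $edgeExe).VersionInfo.ProductVersion
    } else { 'not found' }
    [pscustomobject]@{
        TargetChannel = $policy."TargetChannel$EdgeStableAppId"
        UpdatePolicy  = $policy."Update$EdgeStableAppId"
        CurrentEdge   = $current
    }
}

Set-EdgeUpdateChannelPolicy -Channel 'extended'
Get-EdgeUpdateChannelPolicy
```

To undo, delete the two values with Remove-ItemProperty and Edge Update will fall back to the stable channel defaults. If the machine is domain-joined, confirm with gpresult that no domain policy already sets these values, since a domain GPO will silently overwrite local changes.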
It tracks how long it\u2019s taking vendors to patch bugs and found that \u201cin 2021, vendors took an average of 52 days to fix security vulnerabilities reported from Project Zero. This is a significant acceleration from an average of about 80 days [three] years ago.\u201d<\/p>\n<p class=\"jumpTag\"><a href=\"\/article\/3654954\/on-browsers-and-bugs.html#jump\">To read this article in full, please click here<\/a><\/p>\n<\/section>\n<\/article>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[11062,10643],"tags":[12014,714],"class_list":["post-18606","post","type-post","status-publish","format-standard","hentry","category-computerworld","category-independent","tag-browsers","tag-security"],"_links":{"self":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/18606","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=18606"}],"version-history":[{"count":0,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/18606\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=18606"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=18606"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=18606"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","temp
lated":true}]}}