Firefox named most vulnerable Windows application

In a list published by security firm Bit9 of the 12 most vulnerable applications for the Windows platform, Firefox finished at the top.

The browser earned that ranking because Mozilla patched 10 vulnerabilities that could be used to gain control of or access to a system, or to execute code, via buffer overflows, malformed URI links, JavaScript, documents and third-party tools.

The browser is well respected throughout its open source community. Users can download add-ons, themes and many other tweaks to adjust, modify and customize their browser for maximum performance and appearance.

Bit9 posted a list of the top 12 vulnerable applications:

  1. Mozilla Firefox
  2. Adobe Flash and Adobe Acrobat
  3. EMC VMware Player, Workstation and other products
  4. Sun Java JDK and JRE, Sun Java Runtime Environment (JRE)
  5. Apple QuickTime, Safari and iTunes
  6. Symantec Norton products (all flavors 2006 to 2008)
  7. Trend Micro OfficeScan
  8. Citrix Products
  9. Aurigma Image Uploader, Lycos FileUploader
  10. Skype
  11. Yahoo Assistant
  12. Microsoft Windows Live (MSN) Messenger


88 Comments


I believe Max Pain is indeed hitting the nail on the head. At the end of the day the study is intended to lead the concerned IT professional to evaluate the Bit9 software. Just a marketing strategy that is quite frequently used.

The bottom line is about NOBODY knew who Bit9 was yesterday. Now A LOT of people know who the hell Bit9 is ...

I think they are happy today ;)

I have to agree with Max Pain's comment, especially the first paragraph. SMS and WSUS are MS technology. The world doesn't end with MS, and not including 3rd party technology in the study is really unprofessional. Commercial patch management systems come with a cost, but they exist and should be taken into consideration.

1) The criteria for making into the list is that it cannot be updated by SMS or WSUS, ignoring other commercial patching solutions that updates non-Microsoft applications. So naturally, most of the applications on the list are not from Microsoft. The fact that there is a Microsoft application on the list speaks volumes about relying on SMS or WSUS only.

2) The list is sorted by popularity of the applications, not by number of vulnerabilities or seriousness of the vulnerabilities. Therefore Firefox is number one because it is most popular, not the one with most vulnerabilities. But no matter how I look at it, I don't understand how Firefox ended up as most popular over Adobe Flash. Whether you are talking about IE or Firefox, Adobe Flash will almost definitely be installed.

3) In an enterprise environment that is properly locked down, you will not be able to install Firefox yourself. If you have permission to install Firefox, then you have permission to update Firefox, which is enabled by default, downloads in the background when you use the browser and takes effect with the restart of the browser. Unlike most IE patches, which are scheduled to update and would not take effect unless you restart the computer. I have seen computers in companies which are never patched because they are never turned on during the scheduled patching time, or haven't been rebooted in months because the users persistently refuse to reboot.

This report is clearly skewed to misinform about Firefox.

Max Pain said,
The list is sorted by popularity of the applications, not by number of vulnerabilities or seriousness of the vulnerabilities.

That's what has me scratching my head.

It has been impossible to logon with MSN Messenger 4.x or 5.0 for years now (unless you have a specific v5.0 build distributed exclusively for 95/NT4). And there has never been a v5.1 of MSN Messenger released.

So I did a search on the CVE, and found the info from Bit9 was incorrect. The vulnerabilities have nothing to do with MSN Messenger at all. They are exclusive to Windows Messenger.

Hardly anyone uses Windows Messenger any more. Before development ceased almost exactly four years ago, Windows Messenger had been re-tooled to be a more corporate-focused IM client, while MSN Messenger (later re-branded Windows Live) was the consumer IM client.

So with very few people using it, how did Windows Messenger crack the top 18 vulnerable apps with Bit9?

There must be some other criteria Bit9 used besides popularity. That would explain why Windows Messenger made the list, and Firefox beat Flash.

It doesn't stop there. VMware is more popular than Java? Java is free and required on a lot of financial websites, while VMware is commercial (yes, Player is free, but you can't create VMs with it, so there must be at least a copy of Workstation).

What is "Aurigma Image Uploader, Lycos FileUploader" doing on a list of popular software for the enterprise?

Where are they getting the sample population from? Their (probably limited) customer base?

supernova_00 said,
Because one actually discloses its vulnerabilities it makes it the most vulnerable? Interesting.

Just like people say Windows is very vulnerable, but if you keep applying the updates, which comes every patch tuesday (first tuesday of the month) or check web sites like Neowin for emergency patches, you'll stay on top of the issues, and have a very limited chance of being infected.

Mozilla does a great job of releasing updates for issues, just like Windows. Yet both Windows and Firefox are considered vulnerable to hackers, for the people who do not update their product.

lylesback2 said,
Just like people say Windows is very vulnerable, but if you keep applying the updates, which comes every patch tuesday (first tuesday of the month) or check web sites like Neowin for emergency patches, you'll stay on top of the issues, and have a very limited chance of being infected.

Mozilla does a great job of releasing updates for issues, just like Windows. Yet both Windows and Firefox are considered vulnerable to hackers, for the people who do not update their product.

The funny thing is Windows is the most popular OS, while Firefox isn't the most popular browser.

This reminds me of how all the Apple fan boys said "Mac never get any viruses, blah blah".....then Macs got viruses and Apple recommended antivirus software for Macs.

Firefox fan boys always talk about how secure it is.......

Does the Mozilla staff do a good job patching and keeping it updated? Sure.....that's because it has a lot of flaws and they have to. I'm not saying other software doesn't......I just always like when fan boys get shot down, because they always think the product they are backing is perfect.

Glendi said,
You just ignored all the comments made above, if you would like a counter-argument of that, read.


I don't believe that they are valid.....that's why I made my own comment.....because I'm not a sheep that believes everything someone tells me. I just think the article is funny, that is all.

Peter Griffin said,
This reminds me of how all the Apple fan boys said "Mac never get any viruses, blah blah".....then Macs got viruses and Apple recommended antivirus software for Macs.

Firefox fan boys always talk about how secure it is.......

Does the Mozilla staff do a good job patching and keeping it updated? Sure.....that's because it has a lot of flaws and they have to. I'm not saying other software doesn't......I just always like when fan boys get shot down, because they always think the product they are backing is perfect.

FF is more secure in the sense that there are MANY addons that help make it secure and it has a good popup blocker. Mozilla's staff does a good/fast job patching their software because they are a good company dedicated to fixing their software and producing a good product. A lot of companies are fast to patch their software...doesn't mean it's crap or has a lot of issues. No software is perfect.

And who is shooting down FF fanboys? The study by Bit9 must have been done by a bunch of morons, because if FF was the least secure Windows app, the news would be all over the net.

Besides, most people use FF because its easy to skin and has a ton of addons and ways to customize the browser.

techbeck said,
And who is shooting down FF fanboys? The study by Bit9 must have been done by a bunch of morons, because if FF was the least secure Windows app, the news would be all over the net.


Not trying to be a smart@ss, but I think this is news.....that's why it's being reported on neowin.

Aren't you acting like a Windows fanboy?
Hey, I'm not defending Firefox. Although I believe that it is one of the best browsers and one of the most secure.
Why? Open Source...
Anyone can exploit Firefox's source code... And you ask, is that good? Yeah, 'cause the hackers that exploit FF tell Mozilla about the issues.
I believe that hackers are no criminals. Of course some of them are, but there are lots of great security researchers that work in "freelance".

Did anyone else read the about bit9 ?

Bit9 is the pioneer and leader in Enterprise Application Whitelisting. The company's patented solutions ensure only trusted and authorized applications are allowed to run on Windows computers, eliminating the risk caused by malicious, illegal and unauthorized software.

http://www.bit9.com/about/index.php


That is so funny. It doesn't seem as if they tested Opera yet. Opera is not on their whitelist, so by using their service it won't let you install it.

To quote them again (in this one they actually applaud Firefox):
http://www.bit9.com/resources/newsletters/2007-07-25.php
3 Critical Vulnerabilities Fixed in Latest Firefox Update

Mozilla.org recently released the latest security update to Firefox 2. Version 2.0.0.5 fixes a number of problems with the browser, including 3 critical vulnerabilities that, according to Mozilla, "can be used to run attacker code and install software, requiring no user interaction beyond normal browsing." One of these latest vulnerabilities enabled an attacker to escalate their privileges, while another allowed for remote code execution.
While Mozilla is to be applauded for their quick turnaround for security issues, IT professionals worry that profoundly weak links remain in the chain for application-level security:

* Not all software publishers are as diligent and responsive when it comes to security vulnerabilities.
* Users do not necessarily apply the patches they ought to be applying in a consistent or a timely fashion.
* Many companies do not have a way of centrally enforcing appropriate security policies at the application level.
--

Most of the malware found on a computer is from people running as administrators... If you ran as a limited user, most of this software could not find a route into the system.

I think though to me at least a company that is actively issuing fixes some before an exploit can be found is better than none. Some are Steady as she goes with a push for the next update.

That and if you read the PDF it says all can be stopped with their service. And a phone number to purchase it.


I would not trust a source that says with us all will be fixed and all will be secure.

Would this be different if IE was standalone?

I've seen people get more bad stuff using IE/Outlook, and no one getting bad stuff using Firefox/Thunderbird - says it all.

People here are MISSING the point...

It is NOT just about how many vulnerabilities that were patched, it is the fact they cannot be easily patched in the workplace, making them a LARGE risk because they are running un-patched...

FTA:

* Is well-known in the consumer space and frequently downloaded by individuals.
* Is not classified as malicious by enterprise IT organizations or security vendors.
* Contains at least one critical vulnerability that was:
  o first reported in January 2008 or after,
  o registered in the U.S. National Institute of Standards and Technology's (NIST) official vulnerability database at http://nvd.nist.gov, and given a severity rating of high (between 7.0-10.0) on the Common Vulnerability Scoring System (CVSS).
* Relies on the end user, rather than a central IT administrator, to manually patch or upgrade the software to eliminate the vulnerability, if such a patch exists.
* The application cannot be automatically and centrally updated via free Enterprise tools such as Microsoft SMS & WSUS.


There are possibly programs that have had more vulnerabilities fixed, but without a central way for an Admin to update these applications, if they are deployed on company computers they are often left unpatched, and even if the users try to patch them, many users don't have the security level to do so.

This makes them a big problem and a big target...

(Microsoft has always done one thing better, and that is understanding client/server roles and centralized management and making things easy and secure for businesses. So even with IE6, which had a lot of bugs, at least the administrators could issue the updates or have them applied automatically. Try doing this on a network of 1,000 desktops with Firefox or Skype.)

Glendi said,
So your point is this list is only for big workplaces?


Not exactly...

It is problematic for businesses more than home users, and the majority of computing is STILL done in workplace environments. This alone makes it a 'big' issue.

However, there are some things of serious side notes to consider:

Home users are also bad about updating software, and these applications don't always force updates on the users.

Code Quality is something else that everyone here is overlooking. When MS was pushing out TONS of updates a month for XP several years ago, there was a problem, there was a serious problem that there were as many security flaws being continually addressed.

Move forward to 2008, and now MS is pushing out a few updates a month.

Does this mean MS stopped caring about security in 2008 or they took time and redesigned not only their code, but their entire development and debugging processes. (The Windows 2003 Server delay timeframe) And XP SP2 was a result of this. They invested in new ways of testing software, adding new memory protection to compiled code (new compilers to check for things that were virtually unknown to be exploitable 10-20 years ago) and additional resources in literally hiring some of the best hacker minded security coders in the world.

So in 2008, MS having less patches is a result of less buggy and more solid code and more solid security throughout their OSes and products.


Now let's look at FireFox, instead of investing in more rigorous security trapping and better security coding guidelines, they have used the 'geek' popularity and obscurity to remain somewhat safe. This does not mean their code is better, but they are not MS and by proxy, less likely to be targeted.

So in 2008 if you look at Firefox or even OSes like OS X where each month there are massive security updates to the products, there is SOMETHING WRONG, just like there was something wrong with the massive updates that XP needed prior to SP2.

This is the result of lower quality code, buggy code, or less concern about security, and will continue to result in more and more security updates and 'fixed' exploits until the products take security and re-evaluate every bit of code from the ground up.


Think of it like this... Vista has been released for two years, OS X 10.5 has been out for one year. OS X 10.5 has had nearly 20x (times) the security updates to it in just one year than Vista has had in two years.

So the questions become:
-Which do you think has better code and probably has less 'unknown' exploits still open?
-Which would you think has a better model for security and the potential to expose less exploits in the future?
- Which OS code base is less buggy and has more security protections in the writing and compiling processes?


History does predict the future, and when you have 'consistent' high quantities of 'high risk' flaws, there is a problem.

In non-computer sense:
If your 6mo old car has been in the shop every month for numerous recall fixes or has been broke down, what do you think the next 6mo will be like? Chances are it is a lemon and that is why there are Auto Lemon laws.


If MS didn't do a complete development 'restart' for XP SP2 and Windows 2003 Server, the updates and bugs coming out of those products would still be huge. And Vista would have added a whole new set of millions of lines of code to exploit.

-Instead XP SP2 is fairly secure and Vista is highly secure.

You fail to take into account that Mozilla (maybe Google with Chrome now too) is the only one who does full disclosure on their security issues. If you take a look at all the Firefox vulnerabilities you'll notice that over 50% of them are actually found by Mozilla staff. Microsoft & co only disclose security issues that were found by 3rd party researchers. This is why comparing security by just summing up the fixed vulnerabilities is completely bogus.

I wouldn't put Mozilla Firefox on top of that list.

The real most vulnerable Windows application is in fact not an application, but the end-user.

m-p{3} said,
I wouldn't put Mozilla Firefox on top of that list.

The real most vulnerable Windows application is in fact not an application, but the end-user.

Amen!

This is very true. People that fight over browsers need to re-evaluate their priorities. The most vulnerable thing on a computer, the end user. The second most vulnerable, the browser. It doesn't matter which one you use, it is in fact the most vulnerable application on the computer. End of story.

IE and Fox' both have their strengths and weaknesses. What it really comes down to is your own personal preferences. Get over it.

Also their whole patch-based logic is ridiculous. Just because something is patched more does not necessarily mean it is more vulnerable than any other application. It just means that bugs and flaws have been found and fixed. What's to say that 'App B' is more secure than 'App A' simply because App A has patched more vulnerabilities? This makes no sense. What is to say that 'App B' has more un-patched vulnerabilities? See, you really can't make any logical decision at all based on the data at hand.

Sorry if this post came off negatively to any one. I was not trying to single any one out or flame any one. Just giving my 2 cents. Have a good day every one.

GEIST said,
The fact that IE is not on that list is a safe sign it's BS.


1) IE7 had a lot less vulnerabilities; it wasn't until the one in the news now that people have even found a way in via IE7, and technically it's a flaw in a semi-external to IE7 data binding DLL.
2) IE is self updating or can be updated centrally by Administrators.

I use some of these applications on a daily basis including Firefox and Live Messenger. Both look very secure to me.

Firefox does have a lot of security holes in it. Look at their bug tracker. The reason you don't hear about it is because all the fanboys want to keep it quiet. Now is it #1? I doubt it. I have issues with that list except Flash Player. But saying it's more secure than IE is no longer true. IE has only had a couple of critical patches this year. Pretty soon you will be seeing more and more Firefox exploits in the wild. And if/when Chrome gets popular, the same will happen with that.

BrewNinja said,
Firefox does have a lot of security holes in it. Look at their bug tracker. The reason you don't hear about it is because all the fanboys want to keep it quiet. Now is it #1? I doubt it. I have issues with that list except Flash Player. But saying it's more secure than IE is no longer true. IE has only had a couple of critical patches this year. Pretty soon you will be seeing more and more Firefox exploits in the wild. And if/when Chrome gets popular, the same will happen with that.

Well that's a no brainer: when things get more popular, they will get attacked more. And fanboys cannot get the news/media quiet about these kinds of things. Companies do this kind of research all the time, not only Bit9. If fanboys could keep things quiet, we would never hear anything about MS or Apple.

I am going to call shenanigans on all 12 software items listed. For one, if Firefox was the least secure, we would hear about it all over the net. It would be published in article after article and Apple, maybe MS, would take advantage of this via advertising of IE/Safari. Same goes for all the 12 software items. Most of the software listed is very popular not only for regular consumers, but in the corp world as well.

Of course it looks like it is the most vulnerable, but that is because it is open source, and when it is open source everyone can get the source code and find any problems, meaning more problems are found.

But in proprietary software they haven't got everyone looking at the source code except for the developers, meaning fewer problems are found, and that is why people think it is less vulnerable.

I don't see how a patched security bug makes something less secure than something else. The amount of known unpatched security bugs is the problem; otherwise you are comparing the length of strings. What a pointless report.

6) The application cannot be automatically
and centrally updated via free Enterprise
tools such as Microsoft SMS & WSUS.
WSUS is free.... SMS isn't, is it?!

u2_storm said,
6) The application cannot be automatically
and centrally updated via free Enterprise
tools such as Microsoft SMS & WSUS.
WSUS is free.... SMS isn't, is it?!

Firefox doesn't need any external updater; it updates on its own.

See, that all works fine and dandy until you sling it on a secured-down network. Example: user A may need Firefox for whatever reason and can't install it, so the user asks an IT tech. The IT tech installs it locally and the user runs it on a network account.
Consider this: the user has a limited account, able to install programs but not able to have them then modify files inside Program Files or update etc., or there's a firewall blocking the updater etc.

The sooner these browsers get added to WSUS the better sanity us IT techs will have!

Glendi said,

Compared to other browsers yes. And I mean YES.

Err, you seem to have forgotten Opera. "Compared to other browsers no. And I mean NO."

lol look at all the Firefox fanbois coming out of their holes cos their browser's being attacked....... LOL All because the browser which they claim to be so secure then turns out to have exploits, dun dun daaaaa. Now be good and take your medicine.
And before you ask, I am a user of Safari, Opera, IE and Firefox (depending on my location etc).

And those of you shouting oh but IE has this massive security flaw.... Well see if you run vista and leave UAC on and IE in protected mode then everything is near enough fine

tunafish said,
And those of you shouting oh but IE has this massive security flaw.... Well see if you run vista and leave UAC on and IE in protected mode then everything is near enough fine

So still IE has this unpatched bug while Firefox doesn't (read the article, bugs are patched). Firefox wins lol

WOW so mature ain't we..... No one wins. Only some child would make an answer like that, so stuck up over a bloody browser!

If you leave UAC on then you are safe. Also, if I was to pick out the list of bugs that are patched in IE, I bet it would be more than Firefox, and the fact that IE can be updated via Windows Server is the reason why IE was not included in the findings.
Have you ever been able to update Firefox over a network? NO, because it's a major pain! That's why companies stick with and USE IE. Because of the fact you can deploy updates by pressing like 2 buttons.

tunafish said,
WOW so mature ain't we..... No one wins. Only some child would make an answer like that, so stuck up over a bloody browser!

Like, like, you are like, the one that is immature. Glendi had a perfectly mature and logical point.

You need to lay off the MTV usage. It's bad enough when people use the word 'like' every other word but to type it is even more stupid. Just further proves who the immature one is.

"And those of you shouting oh but IE has this massive security flaw.... Well see if you run vista and leave UAC on and IE in protected mode then everything is near enough fine"

That's all well and good, but XP users are still SOL.

tunafish said,
WOW so mature ain't we..... No one wins. Only some child would make an answer like that, so stuck up over a bloody browser!

The default browser is IE. I made the change to Firefox. In terms of being stuck, you're the one who's got stuck to a browser who has been bloody in all aspects.

Another one who can't read!
And before you ask, I am a user of Safari, Opera, IE and Firefox (depending on my location etc). Since when did I state I use just IE?

I believe for it to count as every other word you would have to at least use it more than ONCE. So alas we have another troll who can't learn to read posts.

tunafish said,
Another one who can't read!
And before you ask, I am a user of Safari, Opera, IE and Firefox (depending on my location etc). Since when did I state I use just IE?

I believe for it to count as every other word you would have to at least use it more than ONCE. So alas we have another troll who can't learn to read posts.

You said I'm stuck with Firefox in the first reply.

SINCE WHEN DID I STATE I JUST USE FIREFOX? I said "Firefox wins over IE". What part of that means I use Firefox?

Learn to read well before telling others about reading. That's just hypocritical.

Yet another guy with a weak attempt to prove me wrong while you did the same thing before.

FrozenEclipse said,
LOL @ you being an idiot.


LOL @ the firefox fanboys for calling the rationals idiots cause they are too fanboyish to admit mistakes.

I don't believe that about Firefox, i think its one of the more secure browsers, its better than IE, and if you're worried about security in the browser there are addon's like WOT that warns you about a lot of bad sites before you browse them, which i find quite effective.

What an utterly rubbish article. Seriously Neowin, what's going on these days? You guys used to have better standards than to post utter tripe like this.... amazing how things change over time.

Where did I state you guys sucked? I stated that the standards have slipped somewhat from when I first started reading this site. Please creamhackered, don't try putting words into my mouth; I wasn't flaming anyone, just stating my opinion on the standards of the site, that's all. I am allowed to criticise, aren't I?

bob_c_b said,
Translation, apps I use are on that list and I am too smart to use insecure apps to the list is rubbish.

Yes, for your information I do use Firefox. What, does that not make me entitled to an opinion that the article is still utter tripe without being called a fanboy? Whatever mate, I don't really care, but you obviously do not have a clue, so I won't even bother wasting my time to try and explain to you why I think that this article is utter tripe.

Fubar said,
Where did I state you guys sucked? I stated that the standards have slipped somewhat from when I first started reading this site. Please creamhackered, don't try putting words into my mouth; I wasn't flaming anyone, just stating my opinion on the standards of the site, that's all. I am allowed to criticise, aren't I?

All you said was this is "utter tripe". Maybe if you had some constructive criticism then everyone wouldn't be jumping down your throat.

Fubar said,
Where did I state you guys sucked? I stated that the standards have slipped somewhat from when I first started reading this site. Please creamhackered, don't try putting words into my mouth; I wasn't flaming anyone, just stating my opinion on the standards of the site, that's all. I am allowed to criticise, aren't I?

So reporting news is now 'slipping'?

This study mainly says: if "x" program can't be controlled and updated using a central or unified panel, then it's insecure.

There is no Microsoft program on there other than Live Messenger. I'm sure IE has been patched more than 11 times. What dates are they talking about?

Ok. This is not talking about home use. It's biased.

The applications on this list meet the
following criteria.
1) Runs on Microsoft Windows.
2) Is well-known in the consumer space and
frequently downloaded by individuals.
3) Is not classified as malicious by enterprise
IT organizations or security vendors.
4) Contains at least one critical vulnerability
that was:
a. first reported in January 2008 or after,
b. registered in the U.S. National Institute
of Standards and Technology's (NIST)
official vulnerability database at
http://nvd.nist.gov, and
c. given a severity rating of high
(between 7.0-10.0) on the Common
Vulnerability Scoring System (CVSS).
5) Relies on the end user, rather than a
central administrator, to manually patch
or upgrade the software to eliminate the
vulnerability, if such a patch exists.
6) The application cannot be automatically
and centrally updated via free Enterprise
tools such as Microsoft SMS & WSUS.
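The six inclusion criteria quoted above are, in effect, a triage rule: an application is listed only if it carries a recent, NVD-registered high-severity flaw and no central patching path. The filter below is an added example written for this page, not Bit9's own tooling or data; every application and vulnerability record in it is constructed sample data, and the CVE identifiers are placeholders, not real entries. It also reports which criterion an application fails, which shows why a centrally updatable browser drops off the list regardless of how many flaws it has patched.

```python
"""Triage filter modelled on the six Bit9 inclusion criteria quoted above.

All records here are constructed sample data (not real NVD entries); the
CVE identifiers are placeholders.  Added example, not code from Bit9 or Neowin.
"""
from dataclasses import dataclass, field
from datetime import date

CUTOFF = date(2008, 1, 1)    # criterion 4a: first reported January 2008 or after
HIGH_RANGE = (7.0, 10.0)     # criterion 4c: CVSS "high" band used by the report


@dataclass
class Vuln:
    cve_id: str      # placeholder identifier (constructed)
    reported: date   # date the flaw was first reported
    cvss: float      # CVSS base score
    in_nvd: bool     # criterion 4b: registered in the NVD


@dataclass
class App:
    name: str
    runs_on_windows: bool      # criterion 1
    consumer_popular: bool     # criterion 2
    flagged_malicious: bool    # criterion 3 (must be False to qualify)
    user_must_patch: bool      # criterion 5: end user, not an admin, applies fixes
    central_update: bool       # criterion 6: updatable via SMS/WSUS-style free tooling
    vulns: list = field(default_factory=list)


def is_critical(v: Vuln) -> bool:
    """Criterion 4: recent, in the NVD, and CVSS inside the high band (inclusive)."""
    lo, hi = HIGH_RANGE
    return v.in_nvd and v.reported >= CUTOFF and lo <= v.cvss <= hi


def failed_criteria(app: App) -> list:
    """Return the numbers of the criteria the application fails; empty means listed."""
    failures = []
    if not app.runs_on_windows:
        failures.append(1)
    if not app.consumer_popular:
        failures.append(2)
    if app.flagged_malicious:
        failures.append(3)
    if not any(is_critical(v) for v in app.vulns):
        failures.append(4)
    if not app.user_must_patch:
        failures.append(5)
    if app.central_update:
        failures.append(6)
    return failures


def select_listed(apps) -> list:
    """Names of the applications that satisfy all six criteria."""
    return [a.name for a in apps if not failed_criteria(a)]


# Constructed sample population (hypothetical applications, placeholder CVE ids).
SAMPLE_APPS = [
    # Self-updating consumer browser with one recent high-severity NVD entry: listed.
    App("Browser A", True, True, False, True, False,
        [Vuln("CVE-0000-0001", date(2008, 3, 15), 9.3, True)]),
    # Same flaw profile, but patched centrally through WSUS: fails criterion 6.
    App("Browser B", True, True, False, True, True,
        [Vuln("CVE-0000-0002", date(2008, 3, 15), 9.3, True)]),
    # Only a medium-severity flaw (6.8): fails criterion 4.
    App("Plugin C", True, True, False, True, False,
        [Vuln("CVE-0000-0003", date(2008, 5, 2), 6.8, True)]),
    # High-severity flaw, but reported before the January 2008 cutoff: fails criterion 4.
    App("Tool D", True, True, False, True, False,
        [Vuln("CVE-0000-0004", date(2007, 11, 2), 9.3, True)]),
]


if __name__ == "__main__":
    for app in SAMPLE_APPS:
        print(f"{app.name}: fails {failed_criteria(app) or 'nothing'}")
    print("listed:", select_listed(SAMPLE_APPS))
```

Note that the number of patches an application has shipped never enters the filter; only the existence of one qualifying flaw and the lack of a central update path do, which is the point several commenters make about IE's absence from the list.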

There is no Microsoft program on there other than Live Messenger. I'm sure IE has been patched more than 11 times. What dates are they talking about?

Ok. This is not talking about home use. It's biased.

The applications on this list meet the
following criteria.
...

It is one of the reasons I dropped off the domain and turned back to a workgroup.

A domain in theory is awesome, but in the real world it is impracticable, mainly because many (if not all) programs are not following the strict Microsoft rules. A domain just adds a new level of bureaucracy in the organization, and bureaucracy costs money.

I don't like Norton stuff, but I can't understand how it can be a vulnerable Windows app.

As for Skype and WLM, I use them almost every day; I don't know of any security problem related to these 2 apps, I mean for this year.

P1R4T3 said,
As for Skype and WLM, I use them almost every day; I don't know of any security problem related to these 2 apps, I mean for this year.

WLM always has those files being sent about from people who are stupid enough to accept and execute them.

hotdog963al said,
WLM always has those files being sent about from people who are stupid enough to accept and execute them.

Yep... Since I don't need any of the special features of WLM, I just use a free multi-protocol app like Pidgin.

Pidgin FTW! ^_^

rpgfan said,
Yep... Since I don't need any of the special features of WLM, I just use a free multi-protocol app like Pidgin.

Pidgin FTW! ^_^


Miranda IM FTW! ^_^_^_^

From *patching* vulnerabilities? Isn't it software with *unpatched* vulnerabilities that's bad? In my book, patching stuff before exploits are in the wild, is a good thing. I'd rather visit e.g. Secunia and check their lists of unpatched vulnerabilities and the severity of them. Wouldn't you be more worried about a known security hole in a browser without a patch available, than one that was patched a month ago?

And I'm not just defending Firefox here, they generally seem to apply this sort of thinking in their list -- disregarding the number of open bugs, which may look completely different...

Finally, the number of patches is no special indication of worse security. If a developer doesn't follow up on reported security holes well, and thus releases less patches than they should -- do this product now have better security?

Yes, they go with the reasoning that a product with more patches "obviously" had more bugs to begin with, which isn't true.
Not false either, just not true. Like, you cannot extract any conclusion out of that (other than maybe evaluating the developers response).

ichi said,
Yes, they go with the reasoning that a product with more patches "obviously" had more bugs to begin with, which isn't true.
Not false either, just not true. Like, you cannot extract any conclusion out of that (other than maybe evaluating the developers response).

Saying that it isn't false, but isn't true sounds fanboyish to me.

Anyway, more patched vulnerabilities means there were lots of vulnerabilities, which in turn mean that there could, or should, be even more unknown ones.

ichi said,
Yes, they go with the reasoning that a product with more patches "obviously" had more bugs to begin with, which isn't true.
Not false either, just not true. Like, you cannot extract any conclusion out of that (other than maybe evaluating the developers response).

Saying that it isn't false, but isn't true sounds fanboyish to me.

Anyway, more patched vulnerabilities means there were lots of vulnerabilities, which in turn mean that there could, or should, be even more unknown ones.

Cidinho said,
Saying that it isn't false, but isn't true sounds fanboyish to me.

Is it "fanboyist" saying that a study based on incomplete data means squat?

Cidinho said,
Anyway, more patched vulnerabilities means there were lots of vulnerabilities, which in turn mean that there could, or should, be even more unknown ones.

On the other hand, fewer patched vulnerabilities doesn't necessarily mean that there were fewer vulnerabilities.
Just a hypothetical situation that debunks any study based only on released patches:
- Take 2 programs with an equal number of vulnerabilities.
- Patch all of them only in program 1.
- Apply the patch-based rating and see the crap you've come up with.

Cidinho said,
Saying that it isn't false, but isn't true sounds fanboyish to me.

I would describe it as "being realistic". It's neither true nor false, but partially both.