We’re told that one of the best ways to stay safe is to make sure our computers are patched. But we should always be aware that at any time there are several vulnerabilities that are likely known and used by attackers. The good news is that the number of days between when a bug is reported and when it’s fixed is slowly decreasing, according to Google’s Project Zero. It tracks how long it takes vendors to fix bugs and found that “in 2021, vendors took an average of 52 days to fix security vulnerabilities reported by Project Zero. This is a significant acceleration from an average of around 80 days [three] years ago.”
Going through the list of reported bugs from 2019 to 2021, it’s clear that no platform is immune. Apple has often been touted as natively more secure than other platforms, but – as measured by Google Project Zero – it had a total of 84 bugs, compared to Microsoft’s 80. The average days to fix bugs dropped from 71 days for Apple in 2019 to 64 days in 2021. For Microsoft, the time lag dropped from an average of 85 days to 76 days.
Don’t just think about bugs in the desktop operating system; it’s also important to remember bugs on smartphone platforms. Under the Google Project Zero program, it took an average of 70 days to fix iOS issues (and 72 days to fix Android bugs on the Samsung platform). Where the two platforms diverge is in the number of bugs fixed: iOS had 76, against 10 for Android on the Samsung platform and 6 on the Android Pixel platform. This discrepancy is more a reflection of how Apple builds and deploys software.
“Security updates for ‘apps’ such as iMessage, FaceTime and Safari/WebKit all ship as part of OS updates, so we include them in the OS scan,” said Project Zero. “On the other hand, security updates for standalone apps on Android occur through the Google Play Store, so they are not included here in this analysis.”
For browsers, the one with the most users also had the most bugs. Google Chrome had 40 bugs over that three-year period, and the fastest time to fix a bug, on average. But don’t be complacent if you’re using the Brave browser – many browsers are built on the Chromium engine and are therefore just as vulnerable as Chrome. Edge, Opera, Vivaldi, Brave, Colibri, Epic, and Iron, among others, are all in the same Chromium boat. So when Chrome receives a mandatory security patch, check for updates for other browsers.
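One practical way to act on the “same Chromium boat” point is to inventory every Chromium-based browser installed on a Windows machine and compare their major versions, since a browser whose major lags the others is the one most likely still waiting for the patch Chrome already shipped. The script below is an added example, not code from the article; the install paths are the typical default locations (an assumption), and for browsers whose own version numbering differs from Chromium’s, the major read from the executable should be confirmed against the browser’s about page.

```powershell
# Added example (not from the article): list Chromium-based browsers found in their
# usual install locations and flag any whose major version lags the newest one
# installed on this machine. Paths are assumed default install locations.
$candidates = @(
    @{ Name = 'Google Chrome';  Exe = 'Google\Chrome\Application\chrome.exe' },
    @{ Name = 'Microsoft Edge'; Exe = 'Microsoft\Edge\Application\msedge.exe' },
    @{ Name = 'Brave';          Exe = 'BraveSoftware\Brave-Browser\Application\brave.exe' },
    @{ Name = 'Vivaldi';        Exe = 'Vivaldi\Application\vivaldi.exe' }
)
# Per-machine (Program Files, Program Files (x86)) and per-user (LOCALAPPDATA) roots.
$roots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}, $env:LOCALAPPDATA) | Where-Object { $_ }

$found = foreach ($c in $candidates) {
    foreach ($root in $roots) {
        $path = Join-Path $root $c.Exe
        if (Test-Path $path) {
            # ProductVersion is read from the executable's version resource.
            $ver = (Get-Item $path).VersionInfo.ProductVersion
            [pscustomobject]@{
                Browser = $c.Name
                Path    = $path
                Version = $ver
                Major   = [int]($ver.Split('.')[0])
            }
            break   # first copy found per browser is enough
        }
    }
}

if (-not $found) {
    Write-Host 'No Chromium-based browsers found in the probed locations.'
    return
}

# For Chrome and Edge the first component is the Chromium major; for other
# browsers confirm the Chromium version in the browser's about page.
$newest = ($found | Measure-Object -Property Major -Maximum).Maximum
$found | Sort-Object Major -Descending | ForEach-Object {
    $status = if ($_.Major -lt $newest) {
        "LAGS (newest installed major is $newest) - check for updates"
    } else {
        'current relative to the others installed'
    }
    '{0,-15} {1,-18} {2}' -f $_.Browser, $_.Version, $status
}
```

Run it after Chrome announces a security release; any browser reported as lagging is the one to open and check for updates by hand, since its own updater may be on a slower cadence.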
Browsers are essentially the new “operating system”; they need special attention because they are used in many ways and because many products and services have migrated to the cloud. You might even consider running developer versions of Chrome and Edge, as beta versions often include security features that can better protect you. Or you can download extended support releases that guarantee longer-term stable fixes. (Firefox, for example, has Extended Support Releases (ESR).) Even if you are not a professional user, you can download Firefox ESR — especially if you want a secure platform without having to deal with change for change’s sake. The advantage is that changes are rolled out slowly; the downside is that when they do arrive, the changes are often drastic. So you need to know when changes will be made.
Another tactic is to make sure your browsers are set to automatically update and install patches immediately. In general, at Askwoody.com, I urge users to delay Windows updates until we give a green light on all known issues. But for browsers, I strongly recommend that you install updates immediately; if you suffer from side effects, you can easily switch to another browser until any bugs are fixed.
While speeding up security updates is generally a good thing, managing the side effects of faster vendor releases is not. Last year, Chrome went from shipping updates every six weeks to shipping them every four weeks. (The Extended Security Release receives feature releases every 8 weeks.)
For Edge, you can use Intune or Group Policy to change the extended release cadence. Open the Local Group Policy Editor, navigate to Computer Configuration, then Administrative Templates, then Microsoft Edge Update > Applications > Microsoft Edge. Select Target Channel Override and select Enabled. Under Options, choose “Extended Stable” from the Policy drop-down list.
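The Group Policy steps above write a registry-backed Edge Update policy, so the same change can be audited and applied from an elevated PowerShell prompt, which is convenient on machines that are not domain-joined. The script below is an added example, not the article’s or Microsoft’s code; it assumes the policy lives under HKLM:\SOFTWARE\Policies\Microsoft\EdgeUpdate and that the Edge Stable app GUID is {56EB18F8-B008-4CBD-B6D2-8C97FE7E9062}, as recalled from Microsoft’s Edge Update policy documentation, so verify both values against the current documentation before using it.

```powershell
# Added example (not from the article): audit and, with -Apply, set the Edge Update
# "Target Channel override" policy for the Stable app so Edge follows the Extended
# Stable cadence. Assumed (verify against current Microsoft docs): registry key path
# and the Stable app GUID used in the value name. Writing to HKLM requires an
# elevated prompt.
param([switch]$Apply)

$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\EdgeUpdate'
$valueName = 'TargetChannel{56EB18F8-B008-4CBD-B6D2-8C97FE7E9062}'   # assumed GUID
$wanted    = 'extended'                                             # Extended Stable

# Read the current setting without failing if the key or value does not exist.
$current = (Get-ItemProperty -Path $policyKey -Name $valueName -ErrorAction SilentlyContinue).$valueName

if ($current -eq $wanted) {
    Write-Host "Edge target channel is already '$wanted'."
} elseif (-not $Apply) {
    $shown = if ($current) { $current } else { '<not set: default Stable channel>' }
    Write-Host "Edge target channel is $shown; re-run with -Apply to set '$wanted'."
} else {
    if (-not (Test-Path $policyKey)) {
        New-Item -Path $policyKey -Force | Out-Null
    }
    Set-ItemProperty -Path $policyKey -Name $valueName -Value $wanted -Type String
    Write-Host "Set $valueName = '$wanted' under $policyKey."
    Write-Host 'Edge Update will move Edge to the Extended Stable channel on its next update check.'
}
```

Run it without arguments first to see what is currently configured; the value name is the same one Group Policy or Intune would write, so either tool can later override it.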
In summary: be aware that for all the vulnerabilities that are fixed every month, there are many more that are still being investigated and not yet fixed. Some of them are even used by attackers. Whenever you use your computer, always be careful and click carefully. You are always at risk.
Copyright © 2022 IDG Communications, Inc.