On browsers and bugs | Computerworld Otesanya David March 29, 2022


We’re told that one of the best ways to stay secure is to make sure our computers are patched. But we always need to be aware that, at any given time, there are probably several vulnerabilities known to and in use by attackers. The good news is that the number of days between when a bug is identified and when it’s patched is slowly going down, according to Google Project Zero. It tracks how long it’s taking vendors to patch bugs and found that “in 2021, vendors took an average of 52 days to fix security vulnerabilities reported from Project Zero. This is a significant acceleration from an average of about 80 days [three] years ago.”

As you look through the list of the bugs reported from 2019 through 2021, it’s clear no platform is immune. Apple has often been touted as being natively more secure than other platforms, but — as measured by Google Project Zero — it had a total of 84 bugs, compared to Microsoft’s 80. The average number of days to fix the bugs moved from 71 days for Apple in 2019 to 64 days in 2021. For Microsoft, the time lag dropped from an average of 85 days to 76 days.

Don’t just think about desktop OS bugs; it’s important to remember bugs on smartphone platforms, too. Under the Google Project Zero program, it took an average of 70 days to fix iOS issues (and 72 days to fix Android bugs on the Samsung platform). Where the two platforms diverge is in the number of bugs fixed. iOS had 76, versus 10 for Android on the Samsung platform and 6 on the Android Pixel platform. That discrepancy is more a reflection of how Apple builds and deploys software.

“Security updates for ‘apps’ such as iMessage, FaceTime, and Safari/WebKit are all shipped as part of the OS updates, so we include those in the analysis of the operating system,” Project Zero said. “On the other hand, security updates for standalone apps on Android happen through the Google Play Store, so they are not included here in this analysis.”

For browsers, the one with the most users also had the most bugs. Google Chrome had 40 bugs during that three-year period, and the fastest time to fix a bug, on average. But don’t get complacent if you use the Brave browser — many browsers are built on the Chromium engine and thus are just as vulnerable as Chrome. Edge, Opera, Vivaldi, Brave, Colibri, Epic, and Iron, among others, are all in the same Chromium boat. So, when Chrome gets a mandatory security fix, look for updates for alternate browsers.

Browsers are basically the new “operating system”; they need extra attention because they’re used in so many ways, and because so many products and services have moved to the cloud. You might even consider running developer versions of Chrome and Edge, as the betas often include security features that can better protect you. Or you could download Extended Support Release versions that ensure more long-term stable fixes. (Firefox, for example, has Extended Support Release (ESR) versions.) Even if you’re not an enterprise user, you can download Firefox ESR — especially if you want a secure platform without having to deal with change for change’s sake. The advantage is that changes are rolled out slowly; the disadvantage is that the changes are often drastic. So, you’ll need to know when changes will be made.

Copyright © 2022 IDG Communications, Inc.

