On 4/17/2013 2:37 PM, markspace wrote:
On 4/17/2013 10:09 AM, Eric Sosman wrote:
Time to get my eyesight checked: When I read your post it
looked like a claim that Flash is secure!
Well, you should get your eyesight checked. Java is currently exploited
far more often and far worse than Flash has been. It's been all over
the security related websites, and even some for the general public. I
see what you're saying, but Flash and Java don't really compare right
now: things are currently really bad for Java. Example:
<http://www.securityweek.com/unique-challenges-controlling-java-exploits>
In short, complaining that Flash really isn't secure is to complain about
the mote in Flash's eye while ignoring the beam in Java's.
Searching the last three months' worth of the National Vulnerability
Database turns up 33 records for "Adobe Flash":
http://web.nvd.nist.gov/view/vuln/search-results?query=adobe+flash&search_type=last3months&cves=on
At a quick look I don't see how to search for "Java" without getting
"Javascript" at the same time, but searching for each in turn and
then subtracting gives 132-16=116 reports:
http://web.nvd.nist.gov/view/vuln/search-results?query=java&search_type=last3months&cves=on
http://web.nvd.nist.gov/view/vuln/search-results?query=javascript&search_type=last3months&cves=on
Admittedly, it's not as simple as "Java is 116/33=3.5 times worse
than Flash." Some of the NVD notices cover multiple problems,
some cover only one. Some "Java" problems are actually about
associated technologies like JBoss or non-Snoracle implementations
like IBM Java. Different notices carry different CVSS severities,
and I haven't tried to categorize them.
So the "3.5 times worse" figure certainly doesn't have two significant
digits, perhaps not even one full digit. Still, "mote vs. beam" seems
to imply more difference of scale than the NVD data will support.
Let's face it: They're both bad.
side is tricky.
In theory it can be done safely.
In reality bugs tend to sneak in.
Java applets, Flash, SilverLight, JavaScript etc.
such a product with security bugs.