
For a long time, the industry has debated whether Linux is more secure than Windows or macOS. A recent metrics report from Google's Project Zero adds a data point on one aspect of that question, patch responsiveness: over the period it covers, Linux developers fixed the security bugs reported to them faster than any other vendor.

Google Project Zero is a team of Google security researchers that finds zero-day vulnerabilities in widely used software, reports them to the vendor, and tracks them against a standard 90-day disclosure deadline.

Looking at bugs reported between January 2019 and December 2021, the Project Zero team found that Linux developers fixed issues much faster than Apple, Microsoft, and Google (including Google's own teams working on Chrome, Chrome OS, and Android).

The report breaks the fixed bugs down by vendor: 84 for Apple, 80 for Microsoft, 56 for Google, and only 25 for Linux. The bug counts mostly reflect where Project Zero chose to look, though; the interesting figure is the speed of resolution, and there Linux developers fixed bugs faster than anyone else.

Apple fixed 87% of reported vulnerabilities within the 90-day window, while Microsoft managed only 76%. Google fixed 95% of its vulnerabilities within the 90-day window, a strong showing, but Linux developers fixed 96%, the best of the four.

The report's data shows that among the four vendors (Apple, Google, Linux, and Microsoft), Microsoft was the slowest to fix issues, taking an average of 83 days; Apple came second at 69 days. Google's fixes took 44 days on average, but issues reported to Linux were resolved much faster: 25 days on average.

The report also states that between 2019 and 2021 the Project Zero team reported a total of 376 issues to vendors under the standard 90-day deadline. Of these, 351 (93.4%) were fixed and 14 (3.7%) were marked WontFix by the vendor; the remaining 11 (2.9%) were still unfixed at the time of writing, 8 of them past the deadline and 3 still within it. Most of the issues went to a few large vendors: 96 (26%) to Microsoft, 85 (23%) to Apple, and 60 (16%) to Google.

The report shows that the average time to fix "has been declining overall," with the drop most pronounced during 2019-20. Microsoft, Apple, and Linux all reduced their time to fix over the period, while Google slowed down in 2020 before speeding up again in 2021. The other vendors, grouped together in the chart (including Facebook, Git, Canonical, Intel, Kubernetes, Node.js, Qualcomm, Red Hat, and Zoom), collectively cut their time to fix by more than half, although the report cautions that "this finding may represent a change in research targets rather than a change in any particular vendor's practices," since the set of vendors in that group changes from year to year.

On mobile, the report notes that iOS issues were fixed faster than Android issues, even though iOS had far more reported bugs (72) than Android (10).

For browsers, Chrome had 40 bugs and took about 30 days on average from report to a fix shipping to users, while Firefox had only 8 bugs but took 37.8 days on average.

The report also points out that for most software it is not yet possible to break the timeline down further. The question it wants to answer is: once a vendor receives a report, how much of the "fix time" is spent between the bug report and the fix being written, and how much between the fix and the release of a build that contains it? One window where this split is visible is open source software, and for the kind of vulnerability research Project Zero does that means open source browsers, where the fix commit is public long before the release that carries it.

The report also presents the same data as histograms; in particular, the histogram of the time between a fix being committed publicly and that fix being released to users makes the differences between browsers clearly visible. This matters for defenders because a publicly committed fix that has not yet shipped gives attackers a head start: the patch reveals the bug while users remain exposed.

Finally, the report concludes: "We want greater visibility into our vendors' processes and timelines. We encourage all vendors to consider publishing aggregate data on their time to fix and time to patch for externally reported vulnerabilities. By increasing industry transparency, sharing and collaborating on information, we trust that we can learn best practices from each other, better understand the difficulties that exist, and hopefully make the internet a safer place for all."

The full report is available here: https://googleprojectzero.blogspot.com/2022/02/a-walk-through-project-zero-metrics.html

As malware continues to proliferate, security vulnerabilities in operating systems and other widely used software have become a real concern for users. In particular, targeted attacks pose a threat to government agencies, politicians, journalists, and activists, and ordinary users are routinely targeted by cybercriminals as well.

It is therefore necessary for Apple, Microsoft, Google, and other major software vendors to treat rapid patching of security vulnerabilities in their products as a priority. If you have any views on this topic, you are welcome to share them in the comments.


MissD