Truth hurts? Adobe Flash and Microsoft Silverlight are common exploit paths because they have new critical exploits every few days. Here's the CVE list for Flash -- notice how many critical exploits there are? It averages to about 1 every 3 days.
https://www.cvedetails.com/vulnerability-list/vendor_id-53/p...
If you know otherwise, then please cite the specific CVEs. Otherwise, you're just spreading false information. You wrote, "Browsers and HTML5/JS also have a hell lot of CVE that can be exploited". I say: Prove it. Cite your sources.
that explains why you will never see a specific HTML and/or JS CVE, that does not mean they don't exists.
Also in term of volume, browsers have more CVE than Flash, it's all here in the numbers: Firefox 1320, Chrome 1216, but no let's ignore them and focus on Flash 713 CVE.
Just that it make your whole argument biased, the part "JavaScript itself has been pretty stable for years" is ridiculous, search for JS blackhole exploit, Rowhammer.js exploit, Heap Overflow exploit in JS, etc. you don't see them in CVE but they are here and exploitable.
that's 1 patch, it does not indicate 1 CVE every 3 days, look at the details
"These updates resolve use-after-free vulnerabilities that could lead to code execution (CVE-2015-8050, ..." that's more than 50 CVE of the same type patched
and closed at the same time
Also look the "Acknowledgments", numerous security team reported all those CVE for them to be patched, there is no indications they were exploited in the wild.
Saying such things as "oh 30 CVE discovered in 1 month, so that means there were 1 CVE per day" is totally misleading, even more misleading to assume all those CVE were exploited by default (eg. "could lead to").
At best it indicates that they (Adobe and other security team) are more serious about discovering and patching those CVE and so they close more of them more often.
"If you know otherwise, then please cite the specific CVEs. Otherwise, you're just spreading false information"
man, you are so full of it
want proof ? no problemo
1. CVE are organised by vendors and products
HTML and JS does not show as products, only browsers
see http://www.cvedetails.com/top-50-products.php
look #3 Firefox, #4 Chrome, #8 IE
that explains why you will never see a specific HTML and/or JS CVE, that does not mean they don't exists.
Also in term of volume, browsers have more CVE than Flash, it's all here in the numbers: Firefox 1320, Chrome 1216, but no let's ignore them and focus on Flash 713 CVE.
Just that it make your whole argument biased, the part "JavaScript itself has been pretty stable for years" is ridiculous, search for JS blackhole exploit, Rowhammer.js exploit, Heap Overflow exploit in JS, etc. you don't see them in CVE but they are here and exploitable.
It's better to think than JS is secure looking at that http://www.cvedetails.com/vendor/10288/Javascript.html
yeah no exploit in JS, none, we are all safe LOL
this for example http://www.cvedetails.com/cve/CVE-2015-0817/ http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0817 https://www.mozilla.org/en-US/security/advisories/mfsa2015-2...
you don't see it show up under the tag "JavaScript"
2. Number of CVE listed do no equals CVE exploited in the wild
so you say "It averages to about 1 every 3 days", that's completely false
1 vendor patch for a particular product can close numerous CVE at the same time so it's more like "we squashed 50 CVE in 1 day"
look at http://www.cvedetails.com/cve/CVE-2015-8449/
follow up on https://helpx.adobe.com/security/products/flash-player/apsb1...
that's 1 patch, it does not indicate 1 CVE every 3 days, look at the details
"These updates resolve use-after-free vulnerabilities that could lead to code execution (CVE-2015-8050, ..." that's more than 50 CVE of the same type patched and closed at the same time
Also look the "Acknowledgments", numerous security team reported all those CVE for them to be patched, there is no indications they were exploited in the wild.
Saying such things as "oh 30 CVE discovered in 1 month, so that means there were 1 CVE per day" is totally misleading, even more misleading to assume all those CVE were exploited by default (eg. "could lead to").
At best it indicates that they (Adobe and other security team) are more serious about discovering and patching those CVE and so they close more of them more often.