OK, remember you asked for it: "If you know otherwise, then please cite the specific CVEs. Otherwise, you're just spreading false information"

Man, you are so full of it. Want proof? No problemo.

1. CVEs are organised by vendors and products. HTML and JS do not show as products, only browsers. See http://www.cvedetails.com/top-50-products.php and look: #3 Firefox, #4 Chrome, #8 IE. That explains why you will never see a specific HTML and/or JS CVE; that does not mean they don't exist.

Also, in terms of volume, browsers have more CVEs than Flash. It's all here in the numbers: Firefox 1320, Chrome 1216, but no, let's ignore them and focus on Flash, 713 CVEs.

Just that makes your whole argument biased. The part "JavaScript itself has been pretty stable for years" is ridiculous: search for JS blackhole exploit, Rowhammer.js exploit, Heap Overflow exploit in JS, etc. You don't see them in CVEs but they are here and exploitable.

It's better to think that JS is secure looking at that
http://www.cvedetails.com/vendor/10288/Javascript.html
yeah, no exploit in JS, none, we are all safe LOL

This, for example:
http://www.cvedetails.com/cve/CVE-2015-0817/
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0817
https://www.mozilla.org/en-US/security/advisories/mfsa2015-2...
you don't see it show up under the tag "JavaScript".

2. The number of CVEs listed does not equal CVEs exploited in the wild.

So you say "It averages to about 1 every 3 days"; that's completely false. 1 vendor patch for a particular product can close numerous CVEs at the same time, so it's more like "we squashed 50 CVEs in 1 day". Look at http://www.cvedetails.com/cve/CVE-2015-8449/ and follow up on https://helpx.adobe.com/security/products/flash-player/apsb1... That's 1 patch; it does not indicate 1 CVE every 3 days. Look at the details: "These updates resolve use-after-free vulnerabilities that could lead to code execution (CVE-2015-8050, ..." That's more than 50 CVEs of the same type patched and closed at the same time.

Also look at the "Acknowledgments": numerous security teams reported all those CVEs for them to be patched; there is no indication they were exploited in the wild.

Saying such things as "oh 30 CVE discovered in 1 month, so that means there were 1 CVE per day" is totally misleading, and it is even more misleading to assume all those CVEs were exploited by default (e.g. "could lead to"). At best it indicates that they (Adobe and other security teams) are more serious about discovering and patching those CVEs and so they close more of them more often.