Chrome was the application with the most number of high-severity vulnerabilities that impacted end users this year, followed by Safari, Microsoft Office, Adobe Reader and Acrobat, and Firefox, according to a list to be released today.
Chrome had 76 reported serious vulnerabilities, Safari had 60, Office had 57, Acrobat and Reader had 54, and Firefox had 51, according to Bit9's annual "Dirty Dozen" list.
The fact that Chrome is at the top of the list does not necessarily mean it is less secure than other applications, said Harry Sverdlove, chief technology officer at Bit9.
"Chrome is the youngest of the browsers out there and is going through the most changes," he said. "It doesn't mean it's a risky browser."
Rounding out the list were: Sun Java Development Kit (36 reported holes), Adobe Shockwave Player (35), Microsoft Internet Explorer (32), RealNetworks RealPlayer (14), Apple Webkit (9), Adobe Flash Player (8), while Apple QuickTime and Opera were tied in last place with 6 vulnerabilities each.
Apple appears on the list three times, "which dispels the myth that Apple is safer" than Windows, Sverdlove said. "They are as vulnerable, if not more so, as Microsoft Windows."
The applications were pulled from the U.S. National Institute of Standards and Technology's official vulnerability database. They all had a severity rating of high.
The method of just focusing on the number of reported vulnerabilities is not without controversy. As Mozilla pointed out two years ago, the Bit9 study ignores issues like how quickly the bugs are fixed, and it punishes companies like Google and Mozilla that publicly disclose all vulnerabilities while other companies disclose only publicly discovered holes and not those found internally. It also fails to recognize that some companies lump multiple vulnerabilities into one report in the vulnerability database. In addition, there have been concerns about the quality and presentation of data in the vulnerability databases themselves, as mentioned by Google earlier this year.
Updated at 10:15 a.m. PT with information on complaints about studies based solely on numbers of reported vulnerabilities.