Google kicks off at IBM security report

Google has got its knickers in a twist after IBM claimed that the search giant had become the vendor with the highest percentage of unpatched critical and high-risk bugs. Then Google shouted at IBM, which admitted that it was the dodgiest after all.

The company and another unnamed software provider challenged the claims by IBM, which had put Google at the top of the class for the first half of the year in its IBM X-Force 2010 Mid-Year Trend and Risk Report. IBM has had to revise the report after Google kicked off.

Adam Mein, a member of the Google Security team, wrote in a blog: “We questioned a number of surprising findings concerning Google’s vulnerability rate and response record, and after discussions with IBM, we discovered a number of errors that had important implications for the report’s conclusions. IBM worked together with us and promptly issued a correction to address the inaccuracies.”

Tom Cross, manager of X-Force Research, wrote in a blog: “As a consequence of this feedback, we have manually reassessed the CVSS scoring, remedy information, and vendor information for every vulnerability that impacted the percentages that appear in this chart.”

In the original version of the report, Google was shown with 33 percent of its critical and high-risk vulnerabilities unpatched, followed by IBM with 29 percent, and Oracle brought up the rear with 22 percent.

Now that IBM has had to revise the report, Google’s number is zero percent, and Sun went from 24 percent of unpatched bugs of all severities to eight percent, and from nine percent unpatched critical and high-risk ones to zero percent. IBM itself now shows the highest percentage of critical and high-risk bugs without a patch – talk about shooting yourself in the foot.

According to Mein, it turns out that the 33 percent figure was based on the belief that one of the three vulnerabilities affecting Google during the first half of 2010 remained unpatched. In fact, as Mein explained, that one item was mistakenly assumed to be a security flaw because of some confusion about the terminology used to describe it.