Umm, that's interesting, but at least you *have* given Gaim a code audit, unlike IE and Skype which are closed source. And that's reflected in the vulnerability disclosures: since getting up to version 1 around 16 months ago, Gaim has had 13 vulnerabilities published, of which nearly all were non-critical DoS (you could crash Gaim with malformed input, generally only if the victim would accept the malformed data from the attacker). There were, however, 3 Critical vulnerabilities, all of them patched before any known exploits and none currently outstanding. The typical time to patch a new vulnerability, by the way, was 1 day, with a few stretching to 3 or 4 days. There have been 0 vulnerabilities on the roster continuously for the last 6 months. No doubt that will change soon: the beta of version 2 has just been released. But the record of Gaim on vulnerabilities and patching really is not too bad.

In contrast, IE has had 2 non-critical and 4 Critical vulnerabilities published in just the FIRST THREE WEEKS of this month. Three of those remain unpatched; one Critical has been unpatched for weeks now (you did apply the workaround, right?)

Two of the Critical ones had the vulnerability announced to coincide with the patch being released, but were actually discovered a while back; Microsoft spent respectively 5 and 8 weeks doing those two patches, lucky the discoverers both played ball with them I guess.

Of course these aren't the only known open vulnerabilities, just the ones from last 3 weeks.

[ reply ]

Link to this comment: http://www.securityfocus.com/comments/columns/385/33151#33151