Android, Debian & Ubuntu Top List Of CVE Vulnerabilities In 2016

#11
He, he, I randomly clicked on one of those for Debian and got this:

    CVE-2016-6130 : Race condition in the sclp_ctl_ioctl_sccb function in drivers/s390/char/sclp_ctl.c in the Linux kernel before 4.6 allows local users to obtain sensitive information from kernel memory by changing a certain length value, aka a "double fetch" vulnerability.

How can that be assigned to Debian 8 when Linux kernel 4.5.5 is not in Debian 8? I guess someone running a backported kernel at the time found an issue or something.
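The "double fetch" named in the CVE text above, as an added example that is not part of the original post and is not the kernel's sclp_ctl code: a constructed user-space model in C of an ioctl-style handler that reads a user-supplied length once to validate it and a second time to size its reply, beside the single-fetch version that closes the window. The struct layout, the buffer sizes, the stand-ins for copy_from_user/copy_to_user, the 'R'/'S' byte markers and the attacker's chosen length (40) are assumptions of this example; the racing thread is modelled deterministically (the rewrite always lands between the two fetches) so the run is repeatable.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Constructed model of the double-fetch pattern; not the kernel's sclp_ctl
 * code. Sizes, names and RACE_LEN are assumptions of this example. */
#define MAX_LEN    16   /* handler policy: a reply may never exceed 16 bytes */
#define ARENA_SIZE 64   /* simulated kernel memory around the reply buffer */
#define RACE_LEN   40   /* length the racing thread swaps in; kept <= ARENA_SIZE
                           so the model stays in bounds while showing the leak */

/* User-supplied control block that carries its own length. */
struct sccb_req {
    uint16_t length;
    uint8_t  payload[ARENA_SIZE];
};

/* Simulated kernel memory: bytes [0, len) become the reply ('R'), the rest is
 * unrelated kernel data ('S') that must never reach user space. */
static uint8_t kernel_arena[ARENA_SIZE];

/* Attacker model. A real exploit runs a second thread that rewrites
 * user_req->length while the ioctl executes. A thread is non-deterministic,
 * so the copy stand-in applies the rewrite right after the first fetch:
 * the attacker always wins the window. */
static struct sccb_req *racer_target = NULL;
static int fetches = 0;

static void sim_copy_from_user(void *dst, const void *user_src, size_t n)
{
    memcpy(dst, user_src, n);
    if (racer_target && ++fetches == 1)
        racer_target->length = RACE_LEN;
}

static void sim_copy_to_user(void *user_dst, const void *src, size_t n)
{
    memcpy(user_dst, src, n);
}

static void prepare_reply(uint16_t len)
{
    memset(kernel_arena, 'S', ARENA_SIZE);
    memset(kernel_arena, 'R', len);
}

/* Vulnerable: the length is validated from fetch 1 but the reply is sized by
 * the length re-read in fetch 2, which the racing thread has changed. */
int ioctl_double_fetch(struct sccb_req *user_req, uint8_t *user_out)
{
    uint16_t len;
    struct sccb_req kreq;

    sim_copy_from_user(&len, &user_req->length, sizeof len);   /* fetch 1 */
    if (len > MAX_LEN)
        return -1;
    sim_copy_from_user(&kreq, user_req, sizeof kreq);          /* fetch 2 */
    prepare_reply(len);
    sim_copy_to_user(user_out, kernel_arena, kreq.length);     /* trusts fetch 2 */
    return kreq.length;
}

/* Fixed: one fetch into kernel memory; every later decision uses that copy. */
int ioctl_single_fetch(struct sccb_req *user_req, uint8_t *user_out)
{
    struct sccb_req kreq;

    sim_copy_from_user(&kreq, user_req, sizeof kreq);          /* the only fetch */
    if (kreq.length > MAX_LEN)
        return -1;
    prepare_reply(kreq.length);
    sim_copy_to_user(user_out, kernel_arena, kreq.length);
    return kreq.length;
}

/* Runs one handler on a request claiming `claimed` bytes, with or without the
 * racing thread. Returns how many 'S' bytes (kernel data) reached user_out,
 * or -1 if the handler rejected the request. */
int leaked_bytes(int (*handler)(struct sccb_req *, uint8_t *),
                 uint16_t claimed, int with_racer)
{
    struct sccb_req req;
    uint8_t out[ARENA_SIZE];
    int n, i, leaked = 0;

    memset(&req, 0, sizeof req);
    req.length = claimed;
    memset(out, 0, sizeof out);
    racer_target = with_racer ? &req : NULL;
    fetches = 0;
    n = handler(&req, out);
    racer_target = NULL;
    if (n < 0)
        return -1;
    for (i = 0; i < n; i++)
        if (out[i] == 'S')
            leaked++;
    return leaked;
}

int main(void)
{
    printf("double fetch, no race: %d kernel bytes leaked\n", leaked_bytes(ioctl_double_fetch, 8, 0));
    printf("double fetch, raced:   %d kernel bytes leaked\n", leaked_bytes(ioctl_double_fetch, 8, 1));
    printf("single fetch, raced:   %d kernel bytes leaked\n", leaked_bytes(ioctl_single_fetch, 8, 1));
    return 0;
}
```

The vulnerable handler passes the check with 8, then copies 40 bytes back, so 32 bytes past the reply buffer leave the simulated kernel memory; the single-fetch version never consults user memory again after validation, so the rewrite has nothing to act on. The same fix applies wherever a kernel handler reads a length, count or offset from user memory more than once.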


#12
Originally posted by dungeon:
    He, he, I randomly clicked on one of those for Debian and got this:

    CVE-2016-6130 : Race condition in the sclp_ctl_ioctl_sccb function in drivers/s390/char/sclp_ctl.c in the Linux kernel before 4.6 allows local users to obtain sensitive information from kernel memory by changing a certain length value, aka a "double fetch" vulnerability.

    How can that be assigned to Debian 8 when Linux kernel 4.5.5 is not in Debian 8? I guess someone running a backported kernel at the time found an issue or something.
Or wintards in Seattle trying to make Linux look bad, remember "get the facts".


#13
Originally posted by Slartifartblast:
    Or wintards in Seattle trying to make Linux look bad, remember "get the facts".
This. The fact that Windows is split by release while Linux distros and macOS are not, and that there is a highly generic "Linux" entry, does hint at some bullshit reasoning if not outright bad faith.


#14
Originally posted by starshipeleven:
    I'm not seeing Java (the VM). What tricks did they pull to not be shown in there?
Honestly, I think they've just legitimately improved. Java does have a bad reputation, but they've not actually had many new issues in the last couple of years. And speaking as a Java developer, I can definitely confirm that they've *massively* tightened security policy since around 2014... deploying client-side code (applets, Web Start apps) has become a lot more restrictive than it used to be, to the point where the security checking is actually becoming a performance problem.

So yeah, I think it's plausible enough... it's not like they didn't have any CVEs raised in 2016, just not enough to put them in the top 50 (they had 37 raised).

Also, Java has never really been quite as bad as the reputation suggests. The bad rep comes from a few years, 2008 and 2013, where a lot of serious issues were found... the latter probably found by an audit, since there's a large number of very similar issues, almost all of them fixed in the same release.


#15
Originally posted by uid313:
    The parsing should probably be written in the Rust programming language.
What's wrong with poppler?


#16
Originally posted by Slartifartblast:
    Or wintards in Seattle trying to make Linux look bad, remember "get the facts".
Too bad moronix spreads the same FUD as usual. M. Larabel always throws some shit without doing any investigation. It's really bad journalism. I have Adobe Flash installed in my Kubuntu by default. Does it mean it counts as a Kubuntu vulnerability? The same about many codecs and the NVIDIA blob.


#17
Originally posted by starshipeleven:
    I'm not seeing Java (the VM). What tricks did they pull to not be shown in there?

    Also Acrobat fucking Reader (various flavors) trails it by only a few dozen CVEs.
I don't think the JVM is that bad. The Java browser plugin was the stuff of nightmares though. And Yahoo Messenger, since we're unearthing the dead.


#18
Originally posted by bug77:
    I don't think the JVM is that bad. The Java browser plugin was the stuff of nightmares though.
Actually, from what I see in the CVE list, most of the problems weren't in the plugin itself; the plugin was just the easiest mechanism for running arbitrary code on a user machine, allowing vulnerabilities elsewhere to be exposed. Quite a lot of them seem to be in AWT, which makes sense: that includes native bindings for UI widgets and such, and native code (i.e. C/C++) is always a good place to find buffer overflows and other such easy targets.


#19
I am wondering why Windows XP is not in the list; funny that it still has more market share than OS X and Linux combined... about 9% of desktops, that is quite big really.

Also very interestingly, Windows XP actually seems to have started growing again:

    Windows XP dropped from 10.09 percent in May 2016 to 9.78 percent the next month, before growing to 10.34 percent once again in July. Declines were recorded until November when it recorded a growth from 8.27 percent the month before to 8.63 percent. And this growth continued in December to reach 9.07 percent.

    This means that in just two months, an operating system that no longer receives updates since 2014 increased from 8.27 percent to 9.07 percent, in a time when Microsoft is pushing for everyone to adopt Windows 10.
http://news.softpedia.com/news/windo...y-511474.shtml


#20
Originally posted by dungeon:
    I am wondering why Windows XP is not in the list,
Because nobody reports CVEs for XP since it is not supported anymore.
It has joined Win2000, Win98 and Win95 in the nirvana of 0-CVE operating systems.

    Also very interestingly, Windows XP actually seems to have started growing again:
    http://news.softpedia.com/news/windo...y-511474.shtml
It may be an artifact (i.e. the number of people with XP using some of the sites doing this tracking has increased); OS market share testing has never been terribly reliable.

Still better than the Steam survey, on average, but there is a large margin for variability.
