Google says Apple is faster than Microsoft - at closing security holes

Jan Johannsen
15.2.2022
Translation: machine translated

In 2021, it took an average of 52 days to close a security vulnerability reported by Google's Project Zero. Three years earlier, the average was 80 days.

Since 2014, Google's Project Zero has been looking for security vulnerabilities in software and reporting them to the respective manufacturers. There were 376 vulnerabilities in the last three years, the majority of which affected Apple, Microsoft and Google.

Linux is the fastest

The average time to close a vulnerability reported by Project Zero dropped from 80 days to 67, 54 and now 52 days in 2021, but there are still big differences between manufacturers. Apple, for example, needs an average of 64 days, while Microsoft is even slower at 76 days. Google almost reaches the average with 53 days, but is far outpaced by Linux with 15 days. The manufacturers grouped under "Other" took an average of 29 days. Overall, the number of vulnerabilities found per year decreased, from 199 in 2019 to 87 in 2020 and most recently 63 in 2021.

| Manufacturer | Vulnerabilities found 2019 (average days to close) | Vulnerabilities found 2020 (average days to close) | Vulnerabilities found 2021 (average days to close) |
|---|---|---|---|
| Apple | 61 (71) | 13 (63) | 11 (64) |
| Microsoft | 46 (85) | 18 (87) | 16 (76) |
| Google | 26 (49) | 13 (22) | 17 (53) |
| Linux | 12 (32) | 8 (22) | 5 (15) |
| Other | 54 (63) | 35 (54) | 14 (29) |

The numbers only show how long it took for the update to be released. The vulnerability itself may have been fixed after just one day, but manufacturers only deviate from their usual update cycles in exceptional cases, when a vulnerability is particularly serious. A positive development is that Google is shortening this cycle from six to four weeks for the Chrome browser, for example.

For most manufacturers, Project Zero can only see and record the period between the report of the vulnerability and the release of the new version with the fix. For open source software, more detailed insights are possible, for example with the three browsers Chrome, Safari and Firefox. For them, it took between 5.3 and 16.6 days until a patch for a vulnerability was available. On average, however, it took another 37.3 days until the next version of the browser with this patch was released. If you do not install the patch yourself, you wait an average of 46.1 days until the vulnerability is closed on your computer.

| Browser | From report to patch (days / average) | From patch to release (days / average) | From report to release (days / average) |
|---|---|---|---|
| Chrome | 5.3 | 24.6 | 29.9 |
| WebKit (Safari) | 11.6 | 61.1 | 72.7 |
| Firefox | 16.6 | 21.1 | 37.8 |

A 90-day deadline

Project Zero gives developers 90 days to close a vulnerability after it is reported. Upon request, a delay of 14 days is possible. However, Project Zero makes a vulnerability public after 104 days at the latest, regardless of whether it has been fixed or not. This increases the pressure on manufacturers to fix it.

When I was but a young student, I'd sit in my friend's living room with all my classmates and play on his SuperNES. Since then I've had the opportunity to test out all the newest technology for you. I've done reviews at Curved, Computer Bild and Netzwelt, and have now arrived at Galaxus.de. 