On 2014-01-17 Sean Walberg wrote:
Your statement is a bit unfair. http://wiki.wireshark.org/Security has a good explanation of why there are so many patches. I'd argue that "number of updates with the security flag" is a terrible metric of security in any product.
I apologize if I came across as harsh against the valuable and excellent wireshark project. I personally often use wireshark and in no way am trying to dissuade anyone from doing the same.
I think I was pretty clear that I only wanted to remind people to "yum update" their wireshark on a regular basis, and mentioned the probable difficulty of doing that on a non-package-managed OS like Windows.
I also made it clear that my only metric of "insecurity" in that email was the raw CVE count. I never claimed that it was a "good" or "best" metric. However, it is often the only metric we have for FOSS, and certainly the one most visible and readily available.
I will add, however, that in my viewpoint, CVEs that are remotely exploitable without authentication (most wireshark CVEs fit that bill) are the most pernicious and dangerous, and do deserve heightened scrutiny.
The fact that a (not very) out-of-date wireshark listening on (and displaying results from) an internet connection can be pwned simply by an attacker (or bots) sending malicious packets at random is precisely identical to the very XP vulnerability you mention. While running wireshark as non-root is recommended, I still would not want my personal non-root account getting pwned, as much damage could still be done (including escalation attempts).
Moral of the story we can all agree upon: update your wireshark regularly, and again right before you use it on internet-facing interfaces!
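The two pieces of advice in this thread, keep the package updated and do not capture as root, can be turned into a quick pre-capture check. The script below is an added example, not code from the thread or from the Wireshark project. It assumes a yum-based system (Fedora/RHEL style), dumpcap installed at /usr/sbin/dumpcap, and that non-root capture is done the usual way, by granting dumpcap the cap_net_raw and cap_net_admin file capabilities and restricting who may execute it. The yum and getcap output embedded below is constructed so the checks can be exercised offline; when the real tools are present, the live output is used instead.

```shell
#!/bin/sh
# Added example (not from the original thread). Assumptions: yum-based distro,
# dumpcap at /usr/sbin/dumpcap, non-root capture via file capabilities.

# Check 1: does `yum check-update` output list a wireshark package?
# Argument: the text that `yum -q check-update` printed. Lines look like
#   wireshark.x86_64   <version-release>   <repo>
# Returns 0 (true) when any wireshark* package has a pending update.
wireshark_update_pending() {
    if printf '%s\n' "$1" | grep -q '^wireshark[-.]'; then
        return 0
    fi
    return 1
}

# Check 2: is dumpcap set up for non-root capture with file capabilities?
# Argument: one line of `getcap /usr/sbin/dumpcap` output. Both libcap output
# styles ("= caps+eip" and "caps=eip") are accepted. Returns 0 when both
# cap_net_raw and cap_net_admin are present.
dumpcap_has_capture_caps() {
    case "$1" in
        *cap_net_raw*) ;;
        *) return 1 ;;
    esac
    case "$1" in
        *cap_net_admin*) return 0 ;;
        *) return 1 ;;
    esac
}

# Constructed sample output in the formats yum and getcap print. The version
# strings are placeholders and say nothing about any real release.
SAMPLE_YUM_OUTPUT='
kernel.x86_64                 0.0.0-placeholder           updates
wireshark.x86_64              0.0.0-placeholder           updates
wireshark-gnome.x86_64        0.0.0-placeholder           updates
'
SAMPLE_GETCAP_OUTPUT='/usr/sbin/dumpcap = cap_net_admin,cap_net_raw+eip'

# Run both checks, preferring live tool output over the samples, and print
# what to do before putting wireshark on an internet-facing interface.
report() {
    if command -v yum >/dev/null 2>&1; then
        # yum exits 100 when updates exist, so mask the status under set -e.
        yum_out=$(yum -q check-update 2>/dev/null || true)
    else
        yum_out=$SAMPLE_YUM_OUTPUT
    fi
    if command -v getcap >/dev/null 2>&1; then
        cap_out=$(getcap /usr/sbin/dumpcap 2>/dev/null || true)
    else
        cap_out=$SAMPLE_GETCAP_OUTPUT
    fi

    if wireshark_update_pending "$yum_out"; then
        printf 'UPDATE: a wireshark package has a pending update; run "yum update wireshark*" first.\n'
    else
        printf 'OK: no pending wireshark update reported.\n'
    fi

    if dumpcap_has_capture_caps "$cap_out"; then
        printf 'OK: dumpcap has cap_net_raw and cap_net_admin; capture as an unprivileged user.\n'
    else
        printf 'FIX: dumpcap lacks capture capabilities; as root run\n'
        printf '     setcap cap_net_raw,cap_net_admin+eip /usr/sbin/dumpcap\n'
        printf '     and limit execute permission to a dedicated capture group.\n'
    fi
}

report
```

The point of splitting the logic into two small functions is that each takes the tool's output as text, so the checks can be unit-tested against captured output and dropped into a larger pre-flight script; only `report` touches the live system.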