More vulnerabilities were discovered in Google Chrome last year than any other piece of core internet software – that's according to research that also found 2014 clocked record numbers of zero-day flaws.

The Secunia Vulnerability Review 2015 report [PDF] is built on data harvested by the company's Personal Software Inspector tool residing on "millions" of customer end points, each with an average of 76 installed applications.

It said the Chocolate Factory's web surfer had more reported vulnerabilities than Oracle Solaris, Gentoo Linux, and Microsoft Internet Explorer which rounded out the top four among the analysed core products.

(Obviously, it's in Secunia's interests, as a security tool maker, to talk up holes in applications; Google's engineers would like you to know that the reported bugs are patched, or not even exploitable in the first place, and counting vulnerabilities is misleading.)

Chrome leads the browser pack with 504 reported vulnerabilities followed by Internet Explorer with 289 and Firefox with 171. Some 1035 flaws were reported across all browsers including Opera and Safari, up from 728 in 2013.

Secunia says Mozilla clocked the most number of un-patched users, followed by Chrome and Internet Explorer, although this could be because installed secondary browsers were often unused.

The report further reveals vulnerabilities increased 49 percent from 728 to 1035 by the end of 2014, with un-patched zero day flaws rising from 14 to 25.

Total vulnerabilities reached 15,435 relating to 3870 applications from 500 vendors. That is an increase of 18 percent over the reporting period and 55 percent since 2009. Of those, 1698 (11 percent) are deemed highly critical and 43 (0.3 percent) are extremely critical.

More than half of Foxit PDF users did not apply patches, compared to 32 percent of users of the utterly dominant Adobe Reader. The Flash factory produced 43 vulnerabilities that year compared to a mere two for Foxit.

Some 83 percent of vendors patched their wares before vulnerabilities were publicly disclosed compared to half in 2009.

The report finds remote network attacks are more common (60 percent) than local vectors (33.4 percent). ®