Slashdot Mirror


Windows, OS X, and iOS Top 2015's List of Software With the Most Vulnerabilities (venturebeat.com)

An anonymous reader writes: Which software had the most publicly disclosed vulnerabilities in 2015? According to a site called CVE Details, which organizes data provided by the National Vulnerability Database, Apple's Mac OS X was near the top, with 384 vulnerabilities. iOS followed closely, with 375 vulnerabilities. The list splits out Windows into its separate versions, so it's hard to get an accurate count — simply adding them all together yields a total of over 1,000, but there are likely many duplicates. Other top spots went to Adobe's Flash Player, with 314 vulnerabilities; Adobe's AIR SDK, with 246 vulnerabilities; and Adobe AIR itself, also with 246 vulnerabilities. The four major web browsers also ranked quite highly.

111 comments

  1. Android. by Noah+Haders · · Score: 4, Insightful

    I find it hard to believe that iOS would be listed with 375 vulnerabilities, but android would be listed with 130 vulnerabilities. Everybody knows that android is insecure as shizz. Something is fishy here.

    1. Re:Android. by AmiMoJo · · Score: 4, Interesting

      Maybe because Android isn't nearly as bad as people make out. It's actually got a pretty robust security system so vulnerabilities tend to be rather useless anyway, and there is less value in looking for them. Apple is more reliant on preventing malware through the app store, while at the same time more people are looking for flaws because it's more profitable (e.g. jailbreaks).

      You know you are doing badly when you have more vulnerabilities than Flash, which is a major target and extremely badly written.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    2. Re: Android. by Rosyna · · Score: 5, Informative

      Because the list includes bugs found and publicly disclosed, the company that fixes the most bugs has the highest number of disclosed bugs in any list. Since Google doesn't really disclose Android bugs, many never get added to the list.

      Furthermore, Apple submits self-found security bugs and gets CVEs assigned to them. Most other vendors do not report self-found bugs.

    3. Re:Android. by JaredOfEuropa · · Score: 4, Insightful

      Probably depends on what constitutes a "vulnerability". This ranges from the serious "SMS remotely roots your phone without you knowing about it" to the less serious "If you jailbreak your phone and install this dodgy Chinese app, an attacker who gets his hands on your phone may be able to read your last Tweet without having to enter your PIN". Nr. of vulnerabilities in itself is a crappy measure of security.

      --
      If construction was anything like programming, an incorrectly fitted lock would bring down the entire building...
    4. Re:Android. by a_n_d_e_r_s · · Score: 0

      Publicity.

      Android is open source so it's a target for those that hunt for fame. iOS is closed source so it's harder to find the problems and thus they get less publicity since most are fixed internally.

      In reality Android is more secure since it's open source and all errors are easier to find for fame hunters.

      --
      Just saying it like it are.
    5. Re: Android. by Rosyna · · Score: 4, Informative

      The list is not a list of vulnerabilities. It's a list of known bugs fixed in the last year. It doesn't say anything about the severity of the bugs. For example, since Microsoft never discloses or fixes bugs in Windows Phone, it's very low on the list despite sharing a lot of code with Windows for the desktop. That doesn't mean Windows Phone is somehow more secure.

    6. Re: Android. by Rosyna · · Score: 4, Informative

      This is incorrect. If you look at any release notes for any Apple security update you will see numerous CVEs that were discovered internally by Apple.

    7. Re:Android. by Anonymous Coward · · Score: 0

      You find it hard to believe because you are a blind Apple fanboy.

      Reality doesn't need your belief to be true.

    8. Re: Android. by Anonymous Coward · · Score: 0

      I thought the way CVE worked is that it was a thing the US Government did to track vulnerabilities across multiple reporting sites. So there's no need for Microsoft or Google to self-submit a bug, as long as it gets reported somewhere, it ends up in CVE.

      Still doesn't make "number of bugs" a really useful metric, especially given that Apple tends to dump all their vulnerabilities into a single report. (So they're probably undercounted if anything - yeah, OS X is that insecure.)

    9. Re: Android. by Rosyna · · Score: 4, Informative

      There are two ways to get a CVE assigned to an issue. Either report the issue on your software yourself and a CVE gets reserved or have someone else report the issue in your software and a CVE gets assigned.

      Neither method actually determines if the CVE is a security issue or the severity if it is a security issue.

    10. Re:Android. by dgatwood · · Score: 4, Insightful

      Many of the security problems with Android are design problems rather than bugs. iOS tends to let the user control app access to shared data, whereas Android tends to put control over access rights in the hands of the developers. Android is getting better at this in recent versions, but there's still a bit of a stigma because of historical problems.

      And as other folks have mentioned, Android's biggest problem is that Google lets hardware developers ship custom versions of the OS in ways that make future updates dependent on the hardware vendor. Companies that make cheap commodity hardware have little incentive to provide those updates, because they are better off selling replacement hardware. As a result, last I checked, a staggering percentage of Android users were running old, unpatched versions of the OS. So Android is insecure because Android *was* insecure when the devices shipped.

      --

      Check out my sci-fi/humor trilogy at PatriotsBooks.

    11. Re:Android. by Opportunist · · Score: 1

      The reason for this is likely that there is a big difference between iOS and Android concerning what belongs to the system. It's a bit like Windows and Linux. A bug in XWindow would probably not be counted against "Linux", same for a bug in an RPC package. Both are, on the other side of the fence, part of the OS itself and thus would get counted against "Windows".

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    12. Re: Android. by matbury · · Score: 4, Interesting

      In support of @Rosyna's comment: An interesting and relevant anecdote about not thinking through what the evidence tells us: During WWII the allies were losing a lot of bombers from German anti-aircraft defences. They brought in a bunch of statisticians and analysts to work out how to bring that number of bombers shot down, down. They looked at the damaged bombers that had returned to see where they were getting hit and decided to armour those places. Big mistake... why? Well, someone pointed out that those were the bombers that weren't actually shot down and that they should do precisely the opposite and armour the areas that didn't get shot full of holes - The planes that got shot there were the ones that weren't coming back. The new policy was a big success.

      So yes, the software projects that report the most vulnerabilities may be the ones that are working hardest to make their software more secure and may also be more open about it, thereby inviting more vulnerability reporting by independent 3rd parties too.

      tl;dr - Lots of publicly reported bugs may be a good thing! :) (As long as they're being patched, of course).

    13. Re: Android. by Anonymous Coward · · Score: 0

      You're a douchebag.

    14. Re:Android. by BronsCon · · Score: 1

      I seem to recall arguing at length with someone about this on here. Good to see that actual sources (of which he provided none) agree with my position, as well as my own experience.

      --
      APK quotes people (including myself) without context and should not be trusted. Just thought you should know.
    15. Re:Android. by BronsCon · · Score: 1

      Many of the security problems with Android are design problems rather than bugs.

      Which you admit they've fixed in recent versions.

      The rest of your post, though: +1 as it applies to non-Nexus devices. Since Nexus devices *do* see updates, those tend to be much more secure.

      --
      APK quotes people (including myself) without context and should not be trusted. Just thought you should know.
    16. Re:Android. by Anonymous Coward · · Score: 0

      Except that the "actual sources" is really not sources but just a random count.

      The number of bug reports is not the same as the number of vulnerabilities.

    17. Re: Android. by Anonymous Coward · · Score: 0

      They are all security vulns. Read the FAQ:

      http://cve.mitre.org/about/faq... First up on the FAQ
      CVE is a list of information security vulnerabilities and exposures that aims to provide common names for publicly known cyber security issues. The goal of CVE is to make it easier to share data across separate vulnerability capabilities (tools, repositories, and services) with this "common enumeration."

    18. Re:Android. by BronsCon · · Score: 1

      It's not random, but you're right to say it's not the same. It's a damn good indicator, though, especially when all vulnerabilities are bugs (from an end-user perspective, that is; a purposeful backdoor might not be a bug to the developer) and most bugs can be exploited (e.g. are vulnerabilities).

      --
      APK quotes people (including myself) without context and should not be trusted. Just thought you should know.
    19. Re: Android. by Rosyna · · Score: 1

      No, they are not all security bugs in the software they were reported for. For example, some people make entries for third-party software when it is, in fact, the OS that prevents the third-party software from securing it.

      There have also been times when things like "launching malware runs arbitrary code" get assigned CVE numbers when there hasn't actually been any bug. Because the user explicitly launched the malware.

    20. Re: Android. by Anonymous Coward · · Score: 0

      The list is not a list of vulnerabilities.

      Er... bullshit. CVE - Common Vulnerabilities and Exposures. These are all meant to be security vulnerabilities. It is possible for a CVE number to get assigned and then turn out not to be an actual vulnerability, however normally when that happens the CVE will never be published. CVE numbers should only ever be published for actual vulnerabilities (or "exposures" which are also vulnerabilities).

    21. Re:Android. by xonen · · Score: 1

      Companies that make cheap commodity hardware have little incentive to provide those updates, because they are better off selling replacement hardware.

      Not in my experience. The phones they sell you here with a contract rarely get patched, despite the big mobile names from both operators and manufacturers behind it.

      The cheap c-brand Android phones I order in China not only offer more value for money, but happily receive regular firmware updates.

      At least in Europe many telecoms offer inverse service. Instead of buying extra good service, you pay to get ripped and run outdated inferior firmware.

      Their motivation may be similar to what you suggested, though; they prefer selling you a new yearly or two-yearly contract with a fresh-new-outdated-phone, instead of the customer having a perfectly fine free phone after a year and getting a cheap pre-paid plan or some.

      --
      A glitch a day keeps the bugs away.
    22. Re:Android. by pr0fessor · · Score: 1

      Are the top of the list insecure pieces of crap or are they simply the most active at patching? It doesn't say how many were released by the vendor, other sources, how many had exploits in the wild, or whether they were patched.

    23. Re: Android. by non0score · · Score: 1

      Apple releases iOS when they feel like it. Google releases Android semi-annually (until recently, which I'm sure the security updates are exactly that -- fixing vulnerabilities). The fact that the release process was such a PITA has no relation to how much Android devs were hardening their system.

    24. Re: Android. by Anonymous Coward · · Score: 0

      Most of the time when Android leaks personal data to Google and other companies it's working as designed--no exploit required.

    25. Re:Android. by Anonymous Coward · · Score: 0

      Except CDMA Galaxy Nexus, which only got patched twice: 4.1 and 4.2.2 (even GSM Galaxy Nexus was only patched to 4.3). R.I.P. Galaxy Nexus.

      --A sad Galaxy Nexus early adopter

    26. Re: Android. by Anonymous Coward · · Score: 0

      And you're a dumb little shit.

    27. Re:Android. by KGIII · · Score: 1

      An interesting, to me, aside is that we'll count a vulnerability in IE, Outlook, Windows Mail, Windows Media Player, and all that sort of stuff as a "Windows" vulnerability. Yet, if there's an exploit in SSL, GRUB, or MKUSB then we immediately say, "Linux is the kernel!"

      To be honest, Windows, the OS itself, hasn't really had a whole lot of exploits in a long time. Microsoft has really stepped up their game and have managed to harden it fairly well. Given the ubiquity, the need for backwards compatibility, and the varied versions on disparate hardware - that's rather impressive.

      That said, I still prefer Linux. I much prefer the system as a whole, at least at the moment, and can manage to keep both secure enough to suit my needs. Well, I'd probably be a little rusty at keeping a Windows box secure but it shouldn't be too hard to get back into the swing of things.

      --
      "So long and thanks for all the fish."
    28. Re: Android. by Noah+Haders · · Score: 1

      Dude your analogy makes no sense whatsoever.

    29. Re:Android. by BronsCon · · Score: 1

      Unfortunately, that has more to do with Verizon and Sprint than Google. Sprint refused to certify 4.0.4 for their network so they did not carry the phone for its initial launch, they then only certified 4.1.1 and 4.2.1 (but not 4.2.2, which Verizon certified). Verizon certified 4.0.4, 4.1.1, and 4.2.2 (but not 4.2.1, which Sprint certified). The GSM carriers can't stop you from using your own device regardless of their certification, so you generally see more updates for GSM phones where the carrier is one step removed from the certification process, at least for the Nexus line where Google doesn't have a direct relationship with the carriers that requires them to sell their phones that way.

      --
      APK quotes people (including myself) without context and should not be trusted. Just thought you should know.
    30. Re:Android. by Bert64 · · Score: 1

      Flash is much smaller than an entire OS... It stands to reason that a larger and more complex system will have more vulnerabilities.

      --
      http://spamdecoy.net - free throwaway anonymous email - avoid spam!
    31. Re:Android. by Bert64 · · Score: 1

      Often it's the opposite, linux distros come with a huge array of software and the distro will announce any bugs in the software they distribute, which results in any given linux distro having a huge number of security advisories.

      --
      http://spamdecoy.net - free throwaway anonymous email - avoid spam!
    32. Re: Android. by macs4all · · Score: 1

      I thought the way CVE worked is that it was a thing the US Government did to track vulnerabilities across multiple reporting sites. So there's no need for Microsoft or Google to self-submit a bug, as long as it gets reported somewhere, it ends up in CVE.

      Still doesn't make "number of bugs" a really useful metric, especially given that Apple tends to dump all their vulnerabilities into a single report. (So they're probably undercounted if anything - yeah, OS X is that insecure.)

      If OS X and iOS are "that insecure", why is it that we are at SIXTEEN YEARS for OS X, and EIGHT YEARS for iOS without a SINGLE actual self-replicating, self-distributing piece of Malware on either platform?

    33. Re: Android. by Anonymous Coward · · Score: 0

      CVEs are not magically assigned. While vendors can reserve blocks of CVEs and use them as they see fit (the rules are more like guidelines), someone, likely from MITRE, will request details and a convincing argument why a certain bug is actually a (potential) security problem in released software, if you ask for a CVE for a bug in open source software on the oss security list. You'll not receive a CVE if you can't convince them. You can however request CVEs for any open source software, even if you're just a user, not a developer of that software and haven't even discovered the bug. Consequently, if you see a commit in the open Android source code that fixes a security problem, you can request a CVE.

    34. Re: Android. by macs4all · · Score: 1

      Apple releases iOS when they feel like it. Google releases Android semi-annually (until recently, which I'm sure the security updates are exactly that -- fixing vulnerabilities). The fact that the release process was such a PITA has no relation to how much Android devs were hardening their system.

      In case you haven't noticed, iOS pretty much gets updated continuously, or at least several times per year, with a major new release every September, when the new iOS hardware debuts.

      So, although you can mischaracterize this as "when they feel like it"; the reality is that iOS is updated ALL THE WAY OUT TO THE USERS far more frequently than Android.

    35. Re: Android. by macs4all · · Score: 1

      And you're a dumb little shit.

      That's why I keep coming back to Slashdot: The erudite intellectual discourse.

    36. Re:Android. by Noah+Haders · · Score: 1

      I love how nothing is ever precious Google's fault.

    37. Re:Android. by Anonymous Coward · · Score: 0

      No, everyone does not know that. It's only the Jobby sheeple that mindlessly assume that.

    38. Re:Android. by BronsCon · · Score: 1

      Well, nothing that was decided, implemented, and shipped by someone else, at least. And you should love that, as the same applies to you; nothing someone else does with your work is your fault. Would you rather that changed? And, honestly, if Google's license terms didn't allow modification and required updates, do you honestly think anything would change? Samsung, et-al, would still roll the dice, figuring the cost of settling with Google after the fact would be lower than playing by the rules in the first place.

      Apple is a device manufacturer, so they get to handle the entire release cycle of the software that runs on their devices. Samsung, et-al, could do the same, but they don't have their own OS to put on the devices they ship, so they screw Android up as bad as they can to make it "their own" and, well, here we are. Google, not being a device manufacturer, needs the hardware side to be done by somebody else and, thus, is not in a position to control the entire lifecycle; once it's in the hands of a 3rd party, they can do whatever to it. They did rein things in quite well with the Nexus series, but they have only recently managed to get the manufacturers to play ball and put together decent high-end devices (starting with the 6) for that line. Now that they've broken that ground, I'm seeing more and more Nexus devices out there, which is a good thing.

      But yes, as far as the CDMA versions of Nexus phones are concerned, the carriers can simply say "nope" and the update does not get released; since a CDMA phone requires carrier intervention to use on a different network and the larger carriers tend not to activate off-network devices, there is no competition and the carriers really do play hardball, opting to let devices run obsolete software in order to force purchases of new devices. In the GSM arena, where devices (once unlocked, which is the default for a Nexus device) can be moved from provider to provider simply by inserting a new SIM, there is actual competition between providers to provide better and more up-to-date devices; it is on the manufacturers to allow that to happen and Google does a very good job of that, IMO, with the GSM Nexus line, where providers generally don't stop them from doing so. That is to say, if AT&T were to drag their feet approving a new update and T-Mobile approved it straight-away, well, that would make AT&T look bad when they're already losing marketshare, so the updates got approved.

      So yes, this is a carrier problem, at least as it relates to Nexus devices.

      --
      APK quotes people (including myself) without context and should not be trusted. Just thought you should know.
  2. Adding together? by Calydor · · Score: 3, Interesting

    Why would you add different versions of Windows together if you're not adding different versions of iOS or Linux together? Bash Microsoft all you want, sure, but hold them to the SAME standard as the rest, not a far harsher one.

    --
    -=This sig has nothing to do with my comment. Move along now=-
    1. Re: Adding together? by Rosyna · · Score: 3, Insightful

      All versions of Mac OS X and iOS are being added together already in the list.

    2. Re:Adding together? by ShanghaiBill · · Score: 3, Interesting

      Why would you add different versions of Windows together if you're not adding different versions of iOS or Linux together?

      Linux, iOS, and OSX tend to improve monotonically, so few people are running older versions. With Windows, new versions are often worse than their predecessors, so older versions are still widely used.

    3. Re:Adding together? by darthsilun · · Score: 4, Informative

      Why would you add different versions of Windows together if you're not adding different versions of iOS or Linux together?

      They are! Did you even glance at the article?

      I wonder how much overlap there is between the Debian, Ubuntu, Fedora, and OpenSuSE counts?

      And nothing for RHEL or CentOS? Good to know.

    4. Re: Adding together? by Anonymous Coward · · Score: 0

      Not in the way they are adding all the Windows versions together. A Windows bug affecting 7, 8, and 10 would count 3 times. An OSX bug affecting 10.9, 10.0, and 10.11 is counted once as it is the same bug.

    5. Re: Adding together? by Anonymous Coward · · Score: 0

      That's why the summary specifically calls out the fact that if you add the Windows count, there are likely a lot of duplicates.

    6. Re:Adding together? by Anonymous Coward · · Score: 0

      Why would you add different versions of Windows together if you're not adding different versions of iOS or Linux together?

      I don't know, why did YOU add different versions of Windows together and not the other OSes?
      You Linux fanboys are all alike, always looking for a way to unfairly bash Windows.

    7. Re:Adding together? by Anonymous Coward · · Score: 0

      They did, your comment is totally wrong, and the douche bags who modded you up to +4 didn't even bother to read the article.

    8. Re: Adding together? by bn-7bc · · Score: 0

      Don't think they include OSX 10.0 in the count, as it has been EOL a long time IIRC. As to the way they count bugs in OSX, if you are right, that only shows that they don't know how Apple numbers OSX releases. Or did I, as usual, not stop to think? Did you indeed mean 10.10, not 10.0? In that case I'm sorry.

    9. Re:Adding together? by pappaxray · · Score: 2

      The Slashdot title doesn't match the article too; it lists Windows first, whereas it doesn't appear in the Venture Beat title.

    10. Re: Adding together? by Rosyna · · Score: 1

      It only counts fixed bugs, so for Mac OS X, that'd be bugs in 10.8.x and later for 2015.

      The funny part is the AppleTV bug list. Apple lists CVE numbers for WebKit in AppleTV security updates (as all 2nd gen and later AppleTVs share code with iOS) even though the WebKit framework is inaccessible.

      That is, there's no way to trigger those bugs but they still get counted.

    11. Re: Adding together? by Anonymous Coward · · Score: 0

      Nobody added together different Windows versions. They said if they did there would be a lot of duplicates.

  3. Big deal... I got massive firewalls around my OSX. by Anonymous Coward · · Score: 0

    Impenetrable to any troll, sans U.S. and U.K. gov't.

  4. the most popular OS's... by Maestro485 · · Score: 1

    um, so the most popular OS's in the world had the most reported vulnerabilities?

    duh?

    1. Re:the most popular OS's... by Anonymous Coward · · Score: 0

      It's ok, linux desktop had the most bugs out of all of them despite being the least popular OS in the world.

  5. Ubuntu wins by penguinoid · · Score: 1

    Looks like Linux is better than Windows at something.

    --
    Don't waste your vote! Vote for whoever you want, unless you live in a swing state it won't matter anyways
    1. Re:Ubuntu wins by Anonymous Coward · · Score: 0

      It has been since about 1995.

    2. Re:Ubuntu wins by KGIII · · Score: 1

      I dunno how accurate that is. See, I work hard to be objective and unbiased. I'll see how well I can articulate this, 'tis not my strong suit.

      I use Lubuntu. I also have some Ubuntu installs. I also have some Mint installs and Mint is a derivative of Ubuntu. On top of this, I have all of those (except for server installs) set to update daily. Sometimes, out of boredom, I even will update manually in the middle of the day to see what's going on and if anything new has come down the pipe.

      That said, I also read (not always but often enough) the descriptions of those updates. I see security updates all the time. I mean, daily - some times. It has been a little slow since just before Christmas but there were a few that popped up. I see trivial security issues but security issues they are. I see them by the hundreds, throughout the life of a version. I see them impacting multiple versions, some going back to the oldest LTS build. I see them impacting this and that and, really, most of them are really trivial and not even remotely plausible but they're still security fixes as they could lead to exploits.

      I am not exaggerating when I say that I am pretty sure there has to have been at least 100 of them (perhaps more - I've not kept count) with just Lubuntu 15.10. 15.10 was released in the end of October 2015. These aren't just for Linux (the kernel) but for the whole OS and the default applications. They're borderline security issues, in my verbiage, where "a local attacker could cause ____ and get ____ and have escalated permissions" and things of that nature. In other words, they're fairly trivial and not all of them have been exploited - only that they *could* be exploited.

      I admit, I have not kept count. However, I *do* have all the various emails from the many mailing lists. I do have all the announcements. I could count them - but it's rather irrelevant. I'd not be surprised to find out there were more than 100 updates that resolved security issues. (I'd be surprised to find out that even one of them was exploited in the real world.) I've read a stack of 'em and I see them with great frequency - almost daily and probably more frequently than daily if I averaged them out.

      I don't mind seeing them. I'm glad they're fixed. I appreciate the notice and I install them all immediately. However, these numbers don't seem to be taken into account and I've no idea why they're excluded. This is not a claim that any one OS is more or less secure. Security is a process, not an application, and the greatest security weakness is the user in the chair - regardless of the operating system.

      But, and I hope this has made sense, the numbers are suspect. I see far higher numbers than what other people are claiming. I know, I know I didn't count 'em and I'm not going to. However, spend the next 30 days reading /just/ the "Ubuntu Base" updates or the likes. Read the mailing lists. There's a bunch of exploits that are quietly patched, nobody notices, and they were pretty damned trivial to begin with but to suggest that they don't count is a bit misleading. I'm not kidding about the 100 or so since just October, it was late October at that! It's probably more than 100. I'd be kind of surprised if it wasn't that many but I'm far too lazy to go count 'em all.

      Hmm... I could spin up a VM and have a look to see what downloads but that might not be accurate as some will have been depreciated by newer versions and I won't get an accurate count. In short, it's a lot of 'em. I'm glad they're fixed and they're not huge gaping holes - but they're still vulnerabilities and probably not included in these numbers.

      --
      "So long and thanks for all the fish."
  6. Not bad code, just no updates by Anonymous Coward · · Score: 2, Insightful

    Android isn't insecure because it's full of bugs, it's insecure because out of those 130 vulns discovered, approximately 0 will get patched by the vendors.

    1. Re:Not bad code, just no updates by BronsCon · · Score: 1

      That's not *Android* being insecure, that's the vendors' products being insecure. Those of us with Nexus devices get patches as they're released by Google, which happens quite quickly.

      --
      APK quotes people (including myself) without context and should not be trusted. Just thought you should know.
    2. Re:Not bad code, just no updates by saigon_from_europe · · Score: 1

      Android isn't insecure because it's full of bugs, it's insecure because out of those 130 vulns discovered, approximately 0 will get patched by the vendors.

      Actually, this is not completely true. A large part of Android is now in APKs and system-related APKs get updated silently, unlike apps that require the user to approve updates.

      --
      No sig today.
    3. Re:Not bad code, just no updates by macs4all · · Score: 1

      That's not *Android* being insecure, that's the vendors' products being insecure. Those of us with Nexus devices get patches as they're released by Google, which happens quite quickly.

      So do those of us with iOS devices.

      Jus' sayin'...

    4. Re: Not bad code, just no updates by BronsCon · · Score: 1

      No need to "just say", I never said anything about iOS and I'm fully aware my iPad gets updates direct from Apple. I thought we were past this... ;)

      --
      APK quotes people (including myself) without context and should not be trusted. Just thought you should know.
    5. Re:Not bad code, just no updates by Anonymous Coward · · Score: 0

      That's not *Android* being insecure, that's the vendors' products being insecure. Those of us with Nexus devices get patches as they're released by Google, which happens quite quickly.

      There goes the "Android has the highest marketshare" argument. Where each of several dozen manufacturers gets counted as a single OS, and the only secure version has one of the lowest shares.

    6. Re:Not bad code, just no updates by BronsCon · · Score: 1

      Good thing I never made that argument, then! ;)

      --
      APK quotes people (including myself) without context and should not be trusted. Just thought you should know.
    7. Re:Not bad code, just no updates by supremebob · · Score: 1

      Unless you have an older Nexus device, then you're just as screwed as everyone else who is stuck on Android 2.x or 4.x.

    8. Re:Not bad code, just no updates by BronsCon · · Score: 1

      Huh... What more do you want? Once it's 2 years old it's well past obsolete, and at 3 years it's unlikely current versions of many popular apps (e.g. what you can get from the market) will run on it.

      And, even before that announcement, Google's policy has been to provide updates for 3 years from date of first sale, or 18mo from date of last sale in the Google store, whichever is longer. That sure beats most of Apple's offerings (I think they had one model that had support for longer than 18mo from last sale in an Apple store), and all offerings of any other Android manufacturer.

      Of course, the same people complaining that they can't get updates from Google after 3 years are the ones who loudly proclaim that they bought a Nexus device in the first place so they could run whatever ROM they want on it, making manufacturer updates irrelevant for those complaining in the first place.

      --
      APK quotes people (including myself) without context and should not be trusted. Just thought you should know.
    9. Re:Not bad code, just no updates by BronsCon · · Score: 1

      To clarify, the newest Nexus phone that is stuck on 4.x is the Galaxy Nexus, which is over 4 years old. Is that what you're complaining about?

      If so, you need to remember that it's only "stuck" if you insist on running a factory image; there are plenty of Lollipop and Marshmallow ROMs to choose from.

      --
      APK quotes people (including myself) without context and should not be trusted. Just thought you should know.
  7. Which Windows is "Windows"? by rippeltippel · · Score: 1

    I would be interested to know what version of Windows is the one at position 39, as it looks safer to use than the other ones.

    I might even consider switching from Linux...

    1. Re:Which Windows is "Windows"? by Anonymous Coward · · Score: 0

      Most likely it is XP.

    2. Re:Which Windows is "Windows"? by Anonymous Coward · · Score: 1

      A detailed list of that Windows can be viewed here:
      http://www.cvedetails.com/vulnerability-list/vendor_id-26/product_id-3435/year-2015/Microsoft-Windows.html

      It still doesn't say precisely which version of Windows it is, but it tells what the individual fixes are. 40 out of 41 can be triggered remotely. Also the scores of most of them are well into the red area. On the other hand, OSX may have more fixes, but the percentage of local issues (non-remote) is much higher and the scores are rarely red. OSX link http://www.cvedetails.com/vulnerability-list/vendor_id-49/product_id-156/year-2015/Apple-Mac-Os-X.html

      Once again the number of bug fixes isn't the important number. It's how severe the bugs are and even more importantly: how severe are the unfixed bugs?

    3. Re:Which Windows is "Windows"? by unencode200x · · Score: 1

      My guess is Windows embedded. By default on, for example WYSE terminals, it's read only.

      --

      Chance favors the prepared mind.
      Perfect is the enemy of good.
    4. Re:Which Windows is "Windows"? by rippeltippel · · Score: 1

      Most likely it is XP.

      Bah, I'll stick to Linux.

  8. We need Rust. We need Rust NOW! by Anonymous Coward · · Score: 0

    All of these security flaws, and software bugs in general, would not be an issue if we used a better programming language than C or C++ or Objective-C.

    There's just one language out there today that can give us this, and it is called the Rust programming language.

    If you don't know what Rust is, let me refer you to what Rust's home page says: "Rust is a systems programming language that runs blazingly fast, prevents segfaults, and guarantees thread safety." It has guaranteed memory safety and threads without data races.

    We need to immediately start using Rust for all of our software, and we need to start doing this now. It will take a lot of effort, but we need to port every single application out there to Rust.

    Rust is clearly the future. It's being developed by masters of the trade like Yehuda Katz, Steve Klabnik and Patrick Walton. These fine men are visionaries and many years ahead of the rest of the industry. We need to follow their valiant lead today. We need to use Rust for all new projects, and start porting all existing software to it immediately.

    Let's put an end to software security problems. Let's put an end to software bugs. Let's use Rust. Rust is our only savior at this point.

    1. Re:We need Rust. We need Rust NOW! by Anonymous Coward · · Score: 0

      Let me guess. You're voting for Trump.

    2. Re:We need Rust. We need Rust NOW! by Anonymous Coward · · Score: 0

      Nah, he comes from the 'rust' belt!

    3. Re:We need Rust. We need Rust NOW! by techno-vampire · · Score: 1

      Either that, or he's campaigning for Ronald Rust.

      --
      Good, inexpensive web hosting
    4. Re:We need Rust. We need Rust NOW! by KGIII · · Score: 1

      If you've not seen 'em, they're a quasi-frequent troll. I think it's copypasta. I'm going to guesstimate that they've been posting that for the past six months. It's not as frequent as Goatse, Cow, APPS!, or the Republicans hate us and want us to die but it's not actually original content or anything.

      Yes, yes I do get bored and visit frequently. I've almost always got a Slashdot tab open so I meander over and read to see if someone's said something interesting. Usually the answer is in the affirmative - which is why I keep doing it. Sometimes, it's the Rust language solves all security issues guy, but that's not that often.

      --
      "So long and thanks for all the fish."
    5. Re:We need Rust. We need Rust NOW! by RoLi · · Score: 1

      Rust does not have a preprocessor thus is no worthy replacement for C.

  9. Even a passing cat can root Linux! by Anonymous Coward · · Score: 0

    Unplug your keyboards now!

    1. Re:Even a passing cat can root Linux! by KGIII · · Score: 1

      Assuming you speak of the (patched) GRUB issue, that just gets 'em past the boot loader. That doesn't actually get them into the OS, doesn't actually decrypt the /home directory, and doesn't enable them to do anything they probably couldn't already do just by using a Live USB disk.

      Yes, it was a silly bug and one that survived for a long time. However, most of us don't even use that and it doesn't actually portend to be much in the way of a security feature. Of the few places where I could see someone making legitimate use of it, say a kiosk, the GRUB menu should have been hidden and not in use in the first place. It's literally like finding a security hole in a butter knife. Yes, it's dumb and it shouldn't have lasted that long but it really didn't mean anything and the likelihood of it leading to any sort of compromise is pretty low.

      I can think of absolutely zero computers, or realistic settings, where that would be considered a security feature of any value. Truly, not one situation (that I've come up with) where one would want to use that as even a part of a layered defense comes to mind. Some of the threads here have wracked our brains trying to figure out why this feature even exists. Most of us haven't even used it. It's not much different than a BIOS password protection system except it is slightly less important than that - at least keeping the BIOS protected is a sound choice in a public system.

      And no, before you decide I'm a fanboy, I'm actually pretty good (I think) at being objective. Further up the thread, I mentioned that I felt the count for the Linux vulnerabilities was lower than it probably should be based on sheer numbers alone. I'm not some rabid fan who is unwilling to be objective or a zealot that thinks I need to get affirmation by convincing you that my choice in operating system is the right or best choice for you to make with your hardware.

      It's just that it's a really, really stupid vulnerability and rather amusing that it was in place for so long. I'm not even sure why one would have that feature enabled. It's truly pointless - or damned close to it. There are so many better ways to layer on security than to rely on something like a boot loader password that I've never even bothered to give it any consideration, look into the mechanism, and still don't see why I would.

      But yes, it's damned amusing that it managed to survive as long as it did.

      --
      "So long and thanks for all the fish."
  10. But... but... wasn't OS-X supposed to be secure? by QuietLagoon · · Score: 2, Funny
    I had always read that Apple's OS-X operating system was secure and that its users didn't have to worry about viruses and security vulnerabilities.

    .
    What happened? Did Apple mess up its development process?

  11. Kind of misleading by burtosis · · Score: 1

    It's one thing to list bug fixes as vulnerabilities but it's a bit misleading. Is it extremely minor or does it fully root the system? It would be way more informative to rate them 1-5 so at least someone could have a basic understanding of how bad the situation is even if it is somewhat subjective.

    1. Re:Kind of misleading by Anonymous Coward · · Score: 1

      Follow the link in the article. You can get a full list of fixes, including severity on a 1-10 scale, user/admin access, local/remote and a text telling what each fix does. I would rather pick OSX with scale 5 issues, half of them local than windows with mainly scale 9-10 issues, mostly remote even though OSX seems to have a higher count of fixes.

  12. Hope this article gets buried by GabeGhearing · · Score: 2

    NVD and CVE are great tools for finding if there are vulnerabilities that affect you... but they are largely self reported and lumping a bunch of bugs into one "vulnerability" only helps with BS lists like this while hurting the usefulness of the databases.

    Please don't use this data for a penis contest.

  13. flash by jmccue · · Score: 2

    Is flash's new motto "we try harder" ? Disappointed, flash has always been my favorite for # 1

    1. Re:flash by supremebob · · Score: 1

      I was kind of disappointed in Oracle. JDK is usually good for at least 100 on their own.

      Oh, that's right... they basically gave up trying to run Java applets in a browser without half a dozen security dialogs two years ago.

  14. Re: But... but... wasn't OS-X supposed to be secur by guruevi · · Score: 4, Informative

    No, Apple assigns and patches security vulnerabilities in everything from its (open source) BSD core to their web stacks running in OS X Server. Also iOS == OS X so the vulnerabilities largely overlap. They also list potential vulnerabilities such as buffer overflows and input sanitation issues even without working exploits.

    So you could have stuff from MachO to OpenSSL, Samba to Apache and Tomcat all mapping as OS X bugs. On the other hand Microsoft and some others don't even fix bugs without a working exploit, much less report them.

    --
    Custom electronics and digital signage for your business: www.evcircuits.com
  15. Errors in list by Anonymous Coward · · Score: 0

    I imagine Apple probably should top this list as they only recently came to the conclusion that they should care about this stuff and still aren't very good at getting timely patches out yet. However when you peruse the list, you see odd things like "Apple Tv" in both 34th and 38th place. You see the broken out Windows Vista, Windows 7, etc. (which makes sense, and as the summary mentions you can't add them as most are duplicated), but then you see just "Windows" in 39th place. Some of that doesn't make a lot of sense. One thing that blows me away is that a music player application (iTunes) can be in 25th with 100 exploitable vulnerabilities. It is a music player! How can it be that close to an entire OS (Android with 130)?

  16. Re:But... but... wasn't OS-X supposed to be secure by Anonymous Coward · · Score: 0

    Did you have to wipe cheetos out of your beard before or after typing that. Being smug about which computer or phone you buy is pretty lame.

  17. Re:But... but... wasn't OS-X supposed to be secure by Anonymous Coward · · Score: 0

    Apple bought into that whole Unix is so secure stuff and didn't bother to think about the stuff that they put on top of Unix. They had this mentality that they had the best, most secure coders who couldn't make mistakes. Fortunately in the last year or two they have finally started to care about this stuff more. They pretty much had an awakening moment like Microsoft did back in 2005 or so and are still working out how to patch quickly. They will get there. But yeah, it gives the lie to their old advertisements and all...

  18. Windows 10 by Anonymous Coward · · Score: 1

    records your every key-press, compresses, encrypts, and sends them all back to Microsoft. Do you think your use of Tor, VPNs, and other encrypted channels were enough to stop anyone from pin-pointing a text on the Internet to you? Yeah, I think that classifies as a vulnerability.

  19. Re:But... but... wasn't OS-X supposed to be secure by Anonymous Coward · · Score: 0

    I had always read that Apple's OS-X operating system was secure and that its users didn't have to worry about viruses and security vulnerabilities.

    .

    What happened? Did Apple mess up its development process?

    Apple are open about their security fixes, flooding their fix list with minor issues. Some do the opposite and Microsoft appears to only report severe remote exploits. This means the vast majority of Apple issues are so minor that, had they been in Windows, they wouldn't appear on the list.

    Remember the numbers are self reported issues, not actual count of issues. With that in mind, I actually prefer high number of fixes because we know the low numbers are incomplete lists. Why should I trust software if the vendor intentionally keeps security issues hidden from me?

  20. Re:But... but... wasn't OS-X supposed to be secure by Anonymous Coward · · Score: 0

    I had always read that Apple's OS-X operating system was secure and that its users didn't have to worry about viruses and security vulnerabilities.

    .

    What happened? Did Apple mess up its development process?

    Apple sells themselves as a user friendly "it just works" company. The problem is "it just works" is horrible for security: you don't want a malicious program to "just work!"

    The issue is that their solution is not to secure the OS, but rather to start locking users out. The latest version of OS X locks down /bin, /usr/bin, and certain things in /Applications so that not even root can touch them. This means that while before you could resolve iTunes issues by deleting iTunes, you no longer have that option in the latest OS X. This causes a huge issue when their versions of various UNIX-y things are out of date (which a lot of them are) - you simply can't update them because root can't touch /usr/bin.

    Their solution to malware was not to secure the OS but to simply require programs be signed by Apple before they'd allow them to run.

    So it's not surprising that they'd be the least secure OS out there. They don't get UNIX, they don't get security, and without Steve Jobs, they increasingly don't even get user friendliness.

  21. Re:But... but... wasn't OS-X supposed to be secure by thegarbz · · Score: 0

    OS-X has never been "secure" just like Linux was never "secure" as demonstrated by long standing vulnerabilities.

    That doesn't change the fact that on the whole you don't need to worry much about the viruses and vulnerabilities. The open attack surface doesn't matter much if the popularity (or lack of) makes attacking the platform economically unexciting.

    Whenever competitions are held to exploit various pieces of software they all fall regardless if it's closed source from a hated vendor, closed source from the blessed messiah himself, or openly developed under the scrutiny of many eyes.

  22. Re:But... but... wasn't OS-X supposed to be secure by Feral+Nerd · · Score: 0

    I had always read that Apple's OS-X operating system was secure and that its users didn't have to worry about viruses and security vulnerabilities.

    . What happened? Did Apple mess up its development process?

    People write all kinds of things about OS X much of which is not true and that bit about it having no vulnerabilities is at the top of the list of crap statements about OS X along with claims that OS X is closed source. Apple has in the past tried to score marketing points with the fact that there is less malware floating around for OS X which I thought was pretty stupid since they were pushing security through obscurity as a feature which is guaranteed to come back and bite you. As far as I know even Apple's marketing department has never been dumb enough to claim OS X is completely devoid of security vulnerabilities since this would be easy enough to disprove by means of Apple's own historic patch release notes. The only ones who persist in repeating this particular factoid are trolls and flame baiters. OS X is also not closed source, Aqua, the Finder and the rest of the GUI stuff layered on top of OS X are closed source. The OS X core system itself is open source and has been for years. It is also not forbidden to modify the code which is another misconception Linux enthusiasts keep sending my way in (usually) friendly Open Source vs Closed Source software debates as an example of why OS X sucks. I have downloaded OS X system software source code from the Apple source code repo and fixed bugs myself when I got tired of trying to get Apple to fix them.

  23. Re:But... but... wasn't OS-X supposed to be secure by BitZtream · · Score: 2

    Nope, Apple didn't mess up. Just idiots like you who parrot shit someone else said without actually knowing if the person saying it was anything other than a rabid fanboy like yourself.

    The only people who say stupid things like what you're claiming are people who don't know what they are talking about. If those are the people you are using for reference when it comes to computers, you're probably just as stupid as they are. It's generally a good idea to take your cues from people in the know, rather than end users and morons.

    Nothing is 100% 'secure' so just get down off your high horse, shove your head way back up your ass where it fits so nicely and ... well STFU ignorant troll.

    OSX has a good default security policy and its small marketshare doesn't make it a target. Ironically, fanboy, that's the same thing that gives Linux a good reputation. Good default policy and being almost the smallest player on the block means you don't get targeted, so the perception about you is entirely different.

    More important to note is that the only reason you're given a chance to make such an ignorant comment is because Apple self-reported the majority of those flaws found and fixed them, making it more secure.

    --
    Persistent Volume manager for Kubernetes - https://github.com/dwimsey/openshift-pvmanager
  24. OS X security by laffer1 · · Score: 1

    Many OS X security issues are related to OpenSSL, a graphics library (JPEG, PNG, etc) or WebKit. Most of these issues would affect Linux distros and other systems as well. Keep that in mind.

  25. Re: But... but... wasn't OS-X supposed to be secur by guruevi · · Score: 1

    Linux is one of the largest deployed operating systems in the world. Even very old versions like 2.2 are still prevalent in embedded devices that are never updated. If you're looking at all the consumer devices out there, Linux is running a LOT and most of them are unmanaged. For every Windows XP/2000 embedded still out there for which people are scrambling to contain them (often by using an unmanaged Linux based system) there is at least a magnitude more of the same era running Linux.

    If you want to collect people's data and maintain endless amounts of bots, Linux 2.2-2.6 is the holy grail for security holes to find. Think of all the Netgear/Asus/... SOHO routers, the Checkpoint VPN and Firewall systems that often analyze corporate SSL traffic, data center firewalls and load balancers, the entire root DNS system, most of the "cloud", many of those things "just run" and have ports open to the world on public IPs with their owners having no clue that they have a powerful bog standard computer with a standard operating system directly connected to the net. And these days it gets even worse with all those 'software defined' devices that do everything a dedicated setup does without any custom chips.

    --
    Custom electronics and digital signage for your business: www.evcircuits.com
  26. Re:But... but... wasn't OS-X supposed to be secure by radarskiy · · Score: 1

    Have you heard it from anyone who wasn't making a straw-man argument?

  27. contest Re:Hope this article gets buried by Anonymous Coward · · Score: 0

    Please don't use this data for a penis contest.

    Penises Are Like Religion.

    it's OK to have one.
    it's OK to be proud of it.
    but, don't whip it out in public,
    or try to convince me that the one I'm familiar with is somehow inferior.

    oh, and ... keep yours away from my kids!

  28. Re:But... but... by Anonymous Coward · · Score: 0

    What happened? Did Apple mess up its development process?

    Cookie enslave too much Aytchwonbee.
    All play 0sex HipsterGame.
    Ive herd, the reason.
    NSA not Mensa, foreplay Brah!
    Jobs died (yes they did!)
    Fault of Queer Tim UI, OP.

  29. Mostly, only remote exploits are interesting. by tlambert · · Score: 1

    Mostly, only remote exploits are interesting.

    If you have local access to the machine, or the machine hosts remote shell accounts, then you care about credentials changes, including privilege escalation.

    Most people have at most a few local users who aren't attacking the systems. So you really don't give a crap about local privilege escalation, since the same can be pretty much accomplished using a screwdriver or a boot into "safe mode", or whatever the OS equivalent happens to be.

    If you are a server hosting company running VMs, you also don't care, because it's one user/customer per VM, and it's still not a problem, except in cases of self-sabotage. If you are a server hosting company not running VMs, *and* you don't limit yourself to one customer per machine, then you start to care.

    The problem with most reporting -- including the reporting in this article -- is that it doesn't make the distinction.

    For example, unless it's a remote exploit, and the exploit is in the kernel, you aren't going to see a Mac OS X kernel shipped with a Mac OS X security update. If it's important enough to fix immediately, then Apple will ship a point release for Mac OS X, which is the only way it can perform a kernel update: it can't perform a kernel update without an OS update.

    So a lot of reporting is about things that don't matter, or it's about third party software vulnerabilities, or it's about providing a warning for click-monkeys who onboard malware onto their systems because they are stupid.

    Things like Shellshock are pretty rare.

    Unless and until reporting is changed to conform to at least a crude categorization of "remote exploits", "local exploits", and "PEBKAC exploits", these types of reports are all about comparing condom size, and trying to pretend that your dick is as big as the condom you are showing everyone.

    Fan boys like to compare condom size, but for almost everyone else, it just represents a bunch of comments by clueless people we can laugh at on slow news days when there was nothing else to report.

  30. Re:But... but... wasn't OS-X supposed to be secure by KGIII · · Score: 1

    Dude... I love to hate on Apple as much as the next graybeard but, really, having the most patched vulnerabilities is not necessarily a bad thing and, based on what I know and can see, the OS X operating system is, factually, quite secure by default. The greatest vulnerability that any operating system or software has is not actually in the code itself but in the seat of the user, in the minds of the maintainer, and in the implementation on the stack.

    Hate on OS X all you want but, really, it's pretty damned secure. Fixing found vulnerabilities, regardless of the number, is a good thing and it is even better when they are doing so proactively without the need for it to have reached the point where they're in-use exploits.

    Lest you think I'm a fanboy, I gave up being a participant as a Microsoft MVP award winner and community participant, much of my history is using Solaris and using Sun workstations, this post is being sent to you by means of a convoluted setup (through a connection way up in Maine) that all runs on Linux, and the only Apple device that I own is an iPod which is somewhere in my pile of stuff back in Maine.

    Hate all you want but, by default, OS X and iOS are both rather secure by default. To imply or believe otherwise is just silly. I have no desire to use Apple products, I have no financial ties with the company (as far as I know - I may own some shares but I don't know if I do), and I am certainly not a fan of their business practices.

    Also, do not tell CanadianMacFan, macs4all, or Noah Haders that I said any of this. I reserve the right to retract the above statement if a desire to go trolling should come along. If they found out that I'd admitted such (though I have before) they might not let me live it down.

    --
    "So long and thanks for all the fish."
  31. Re:But... but... wasn't OS-X supposed to be secure by KGIII · · Score: 1

    I take that back. In the effort to be accurate and honest, I made a mistake. I do, in fact, have my iPod with me. I did not recollect bringing it with me and I do not recollect having used it since I went on my wanderlust but She Who Must be Obeyed tells me that I do, in fact, have it with me - in my suitcase. How she knows this is beyond me - as not even I remember putting it there, pulling it out, or mentioning it. She was also not even known to me when I started this journey. She did, however, unpack my stuff as I was putting stuff away. I'm guessing that's how she knows - I'd ask but she's meandered off again.

    Which, alas, means I too need to meander off soon. Well, maybe... I'm not yet tired but tomorrow is a big day. Things shall go boom!

    But, in an effort to ensure that my statement is accurate - I do, in fact, have an iDevice with me. It's an iPod touch with a bunch of songs loaded onto it and I think it has bluetooth but I've never actually used that functionality. Err... I can hook it to the infotainment system in the car but I have never done so and I'm not exactly sure how I would go about doing so. At any rate, I was mistaken and wish to correct that statement. The rest of the statement is, as far as I know, accurate.

    --
    "So long and thanks for all the fish."
  32. Adobe shareholders should act now by Anonymous Coward · · Score: 1

    It is unbelievable, how Adobe manages to create so many vulnerabilities from a year to another. If a single piece of web video plugin (Flash) manages to contain almost as many vulnerabilities as whole operating systems, the Adobe really has a problem in their process. The company board should get rid of the technology management, as they clearly do not have a clue for software development.

    1. Re:Adobe shareholders should act now by MoarSauce123 · · Score: 1

      You forget about the many security flaws Microsoft and Apple do not tell us about. Can't really compare just by those numbers.

  33. Re:But... but... wasn't OS-X supposed to be secure by Bert64 · · Score: 1

    This is not only for security, but also to stop users breaking things...

    Home computers used to come with the OS in ROM which was therefore read only, and having a system which you couldn't break was in many ways beneficial as it gives users the confidence to experiment with the system and learn about it safe in the knowledge that they can't permanently damage it.
    I find that people who started out on such systems tend to be more knowledgeable than those who learned on newer more fragile systems.

    --
    http://spamdecoy.net - free throwaway anonymous email - avoid spam!
  34. Flash bashers? by MoarSauce123 · · Score: 1

    So where are all the Flash bashers who claim that every software is perfect except for Flash with its 234242424242342424324 vulnerabilities? OK, 314 vulnerabilities is nothing to party about, but it is apparently industry average...as far as we know. Who knows how many vulnerabilities are known, undisclosed, and still unfixed because cramming in yet another buggy feature is always more important than fixing bugs.

  35. Re:But... but... wasn't OS-X supposed to be secure by macs4all · · Score: 1

    Also, do not tell CanadianMacFan, macs4all, or Noah Haders that I said any of this. I reserve the right to retract the above statement if a desire to go trolling should come along. If they found out that I'd admitted such (though I have before) they might not let me live it down.

    Too late, LOL!

    I've already saved your post to disk for future bashing sessions! [j/k]

  36. Re:But... but... wasn't OS-X supposed to be secure by KGIII · · Score: 1

    Hrmf! It wasn't me, it was someone who hacked my account and said that stuff!

    Actually, no - it's pretty damned secure by default. You can make it less secure if you want. I understand that OS X has "locked" you out of a few system folders now but I presume there's a way to access them, perhaps by rebooting and using some sort of hidden administrator account? I'd not be surprised if one could set those permissions to allow the user access/control but I'm not sure what the benefit would be except maybe saying something like, "I have control!" Which, while nice, probably *isn't* actually beneficial to the vast majority of end-users and, so long as they consent, that's fine by me.

    I am a FOSS aficionado - not a zealot. Buggered if I care what you use or consent to. I am, however, a bit at a loss as to why the OP would have indicated that more repairs means an inherently less secure system. Proactive repairs are good and the greater the number the greater the attention. I dare say the numbers are off - at least from what I see? I use Linux, Lubuntu specifically, and I get security fixes pretty much every single day - sometimes quite a few of them. They've slowed down over the holiday season but I expect a whole host of 'em coming up in the next week or two.

    Hmm... Apt tells me that I've only got an upgrade to qtox in the queue. Yeah, it's been a pretty slow past week and a half - I expect to see a bunch of 'em coming down the pipe next week. I should probably catch up on the mailing lists. I have been less than attentive.

    As an aside; I had some (a total of three and two brought some family with them) Slashdotters over to help ring in the new year. We had to do it last night instead of on the correct night because of the rain. It was fantastic and I had a total of about 200 people here yesterday afternoon and most people meandered off home by about 1:00. I got four hours of sleep or so and am alive and alert again.

    I've never set off that many things that go boom in one spell before. I'll send out some emails in a while and see who got what for pictures and video. I've got a hell of a mess to clean up - I may just call LaborReady and have them send a couple of people over. In fact, I think I will. I probably have some "party favors" kicking around to help get them motivated and make it turn into a job they'll appreciate going on.

    --
    "So long and thanks for all the fish."