Slashdot Mirror


Windows, OS X, and iOS Top 2015's List of Software With the Most Vulnerabilities (venturebeat.com)

An anonymous reader writes: Which software had the most publicly disclosed vulnerabilities in 2015? According to a site called CVE Details, which organizes data provided by the National Vulnerability Database, Apple's Mac OS X was near the top, with 384 vulnerabilities. iOS followed closely, with 375 vulnerabilities. The list splits out Windows into its separate versions, so it's hard to get an accurate count — simply adding them all together yields a total of over 1,000, but there are likely many duplicates. Other top spots went to Adobe's Flash Player, with 314 vulnerabilities; Adobe's AIR SDK, with 246 vulnerabilities; and Adobe AIR itself, also with 246 vulnerabilities. The four major web browsers also ranked quite highly.

6 of 111 comments

  1. Re: Android. by Rosyna · Score: 5, Informative

    Because the list includes bugs found and publicly disclosed, the company that fixes the most bugs has the highest number of disclosed bugs in any list. Since Google doesn't really disclose Android bugs, many never get added to the list.

    Furthermore, Apple submits self-found security bugs and gets CVEs assigned to them. Most other vendors do not report self-found bugs.

  2. Re: Android. by Rosyna · Score: 4, Informative

    The list is not a list of vulnerabilities. It's a list of known bugs fixed in the last year. It doesn't say anything about the severity of the bugs. For example, since Microsoft never discloses or fixes bugs in Windows Phone, it's very low on the list despite sharing a lot of code with Windows for the desktop. That doesn't mean Windows Phone is somehow more secure.

  3. Re: Android. by Rosyna · Score: 4, Informative

    This is incorrect. If you look at any release notes for any Apple security update you will see numerous CVEs that were discovered internally by Apple.

  4. Re: Adding together? by darthsilun · Score: 4, Informative

    Why would you add different versions of Windows together if you're not adding different versions of iOS or Linux together?

    They are! Did you even glance at the article?

    I wonder how much overlap there is between the Debian, Ubuntu, Fedora, and OpenSuSE counts?

    And nothing for RHEL or CentOS? Good to know.

  5. Re: Android. by Rosyna · Score: 4, Informative

    There are two ways to get a CVE assigned to an issue. Either report the issue on your software yourself and a CVE gets reserved or have someone else report the issue in your software and a CVE gets assigned.

    Neither method actually determines if the CVE is a security issue or the severity if it is a security issue.
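The summary's point that summing per-version Windows rows double counts shared CVEs, and the comments' point that a raw count says nothing about severity, can both be shown with a small aggregation. This is an added illustration, not code from the story or from CVE Details; the records, the product-to-family grouping and the "CVE-TEST-*" IDs are constructed placeholders, and the severity bands are NVD's CVSS v2 ranges.

```python
from collections import Counter

# Constructed sample rows shaped like CVE Details / NVD data (placeholder IDs, not real CVEs).
# One CVE can appear under several products, which is exactly what inflates a summed count.
SAMPLE_RECORDS = [
    {"cve": "CVE-TEST-0001", "product": "Windows 7",   "cvss": 9.3},
    {"cve": "CVE-TEST-0001", "product": "Windows 8.1", "cvss": 9.3},
    {"cve": "CVE-TEST-0001", "product": "Windows 10",  "cvss": 9.3},
    {"cve": "CVE-TEST-0002", "product": "Windows 10",  "cvss": 4.3},
    {"cve": "CVE-TEST-0003", "product": "Mac OS X",    "cvss": 7.5},
    {"cve": "CVE-TEST-0004", "product": "Mac OS X",    "cvss": 2.1},
    {"cve": "CVE-TEST-0004", "product": "iOS",         "cvss": 2.1},
]

# Assumed grouping of per-version entries into vendor families.
FAMILIES = {
    "Windows": {"Windows 7", "Windows 8.1", "Windows 10"},
    "Apple":   {"Mac OS X", "iOS"},
}


def per_product_counts(records):
    """The list-style figure: one row per (CVE, product) pair."""
    return Counter(r["product"] for r in records)


def summed_family_count(records, family):
    """What 'simply adding the versions together' yields; shared CVEs are counted once per version."""
    return sum(n for p, n in per_product_counts(records).items() if p in FAMILIES[family])


def unique_family_cves(records, family):
    """Distinct CVE IDs touching any product in the family, with their score: the deduplicated view."""
    return {r["cve"]: r["cvss"] for r in records if r["product"] in FAMILIES[family]}


def cvss2_band(score):
    """NVD CVSS v2 severity bands: Low 0.0-3.9, Medium 4.0-6.9, High 7.0-10.0."""
    if score >= 7.0:
        return "High"
    if score >= 4.0:
        return "Medium"
    return "Low"


def severity_profile(records, family):
    """Unique CVEs per severity band; the bare count hides this distribution entirely."""
    return Counter(cvss2_band(s) for s in unique_family_cves(records, family).values())


if __name__ == "__main__":
    for fam in FAMILIES:
        print(fam, "summed:", summed_family_count(SAMPLE_RECORDS, fam),
              "unique:", len(unique_family_cves(SAMPLE_RECORDS, fam)),
              "by severity:", dict(severity_profile(SAMPLE_RECORDS, fam)))
```

On the sample data the summed Windows figure is 4 while only 2 distinct CVEs exist, and the two Apple CVEs are one High and one Low, which no single count conveys.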

  6. Re: But... but... wasn't OS-X supposed to be secur by guruevi · Score: 4, Informative

    No, Apple assigns and patches security vulnerabilities in everything from its (open source) BSD core to their web stacks running in OS X Server. Also iOS == OS X, so the vulnerabilities largely overlap. They also list potential vulnerabilities such as buffer overflows and input sanitization issues even without working exploits.

    So you could have stuff from Mach-O to OpenSSL, Samba to Apache and Tomcat all mapping as OS X bugs. On the other hand, Microsoft and some others don't even fix bugs without a working exploit, much less report them.

    --
    Custom electronics and digital signage for your business: www.evcircuits.com