Windows, OS X, and iOS Top 2015's List of Software With the Most Vulnerabilities

An anonymous reader writes: Which software had the most publicly disclosed vulnerabilities in 2015? According to a site called CVE Details, which organizes data provided by the National Vulnerability Database, Apple's Mac OS X was near the top, with 384 vulnerabilities. iOS followed closely, with 375 vulnerabilities. The list splits out Windows into its separate versions, so it's hard to get an accurate count — simply adding them all together yields a total of over 1,000, but there are likely many duplicates. Other top spots went to Adobe's Flash Player, with 314 vulnerabilities; Adobe's AIR SDK, with 246 vulnerabilities; and Adobe AIR itself, also with 246 vulnerabilities. The four major web browsers also ranked quite highly.

Android.

[Noah+Haders]

I find it hard to believe that iOS would be listed with 375 vulnerabilities, but android would be listed with 130 vulnerabilities. Everybody knows that android is insecure as shizz. Something is fishy here.

Re:Android.

[AmiMoJo]

Maybe because Android isn't nearly as bad as people make out. It's actually got a pretty robust security system so vulnerabilities tend to be rather useless anyway, and there is less value in looking for them. Apple is more reliant on preventing malware through the app store, while at the same time more people are looking for flaws because it's more profitable (e.g. jailbreaks).

You know you are doing badly when you have more vulnerabilities than Flash, which is a major target and extremely badly written.

Re: Android.

[Rosyna]

Because the list includes bugs found and publicly disclosed, the company that fixes the most bugs has the highest number of disclosed bugs in any list. Since Google doesn't really disclose Android bugs, many never get added to the list.

Furthermore, Apple submits self-found security bugs and gets CVEs assigned to them. Most other vendors do not report self-found bugs.

Re:Android.

[JaredOfEuropa]

Probably depends on what constitutes a "vulnerability". This ranges from the serious "SMS remotely roots your phone without you knowing about it" to the less serious "If you jailbreak your phone and install this dodgy Chinese app, an attacker who gets his hand on your phone may be able to read your last Tweet without having to enter your PIN". Nr/ of vulnerabilities in itself is a crappy measure of security.

Re: Android.

[Rosyna]

The list is not a list of vulnerabilities. It's a list of known bugs fixed in the last year. It doesn't say anything about the severity of the bugs. For example, since Microsoft never discloses or fixes bugs in Windows Phone, it's very low on the list despite sharing a lot of code with Windows for the desktop. That doesn't mean Windows Phone is somehow more secure.

Re: Android.

[Rosyna]

This is incorrect. If you look at any release notes for any Apple security update you will see numerous CVE that were discovered internally by Apple.

Re: Android.

[Rosyna]

There are two ways to get a CVE assigned to an issue. Either report the issue on your software yourself and a CVE gets reserved or have someone else report the issue in your software and a CVE gets assigned.

Neither method actually determines if the CVE is a security issue or the severity if it is a security issue.

Re:Android.

[dgatwood]

Many of the security problems with Android are design problems rather than bugs. iOS tends to let the user control app access to shared data, whereas Android tends to put control over access rights in the hands of the developers. Android is getting better at this in recent versions, but there's still a bit of a stigma because of historical problems.

And as other folks have mentioned, Android's biggest problem is that Google lets hardware developers ship custom versions of the OS in ways that make future updates dependent on the hardware vendor. Companies that make cheap commodity hardware have little incentive to provide those updates, because they are better off selling replacement hardware. As a result, last I checked, a staggering percentage of Android users were running old, unpatched versions of the OS. So Android is insecure because Android *was* insecure when the devices shipped.

Re: Android.

[matbury]

In support of @Rosyna's comment: An interesting and relevant anecdote about not thinking through what the evidence tells us: During WWII the allies were losing a lot of bombers from German anti-aircraft defences. They brought in a bunch of statisticians and analysts to work out how to bring that number of bombers shot down, down. They looked at the damaged bombers that had returned to see where they were getting hit and decided to armour those places. Big mistake... why? Well, someone pointed out that those were the bombers that weren't actually shot down and that they should do precisely the opposite and armour the areas that didn't get shot full of holes - The planes that got shot there were the ones that weren't coming back. The new policy was a big success.

So yes, the software projects that report the most vulnerabilities may be the ones that are working hardest to make their software more secure and may also be more open about it, thereby inviting more vulnerability reporting by independent 3rd parties too.

tl;dr - Lots of publicly reported bugs may be a good thing! :) (As long as they're being patched, of course).

Adding together?

[Calydor]

Why would you add different versions of Windows together if you're not adding different versions of iOS or Linux together? Bash Microsoft all you want, sure, but hold them to the SAME standard as the rest, not a far harsher one.

Re: Adding together?

[Rosyna]

All versions of Mac OS X and iOS are being added together already in the list.

Re:Adding together?

[ShanghaiBill]

Why would you add different versions of Windows together if you're not adding different versions of iOS or Linux together?

Linux, iOS, and OSX tend to improve monotonically, so few people are running older versions. With Windows, new versions are often worse than their predecessors, so older versions are still widely used.

Re:Adding together?

[darthsilun]

Why would you add different versions of Windows together if you're not adding different versions of iOS or Linux together?

They are! Did you even glance at the article?

I wonder how much overlap there is between the Debian, Ubuntu, Fedora, and OpenSuSE counts?

And nothing for RHEL or CentOS? Good to know.

Re: But... but... wasn't OS-X supposed to be secur

[guruevi]

No, Apple assigns and patches security vulnerabilities in everything from its (open source) BSD core to their web stacks running in OS X Server. Also iOS == OS X so the vulnerabilities largely overlap. They also list potential vulnerabilities such as buffer overflows and input sanitation issues even without working exploits.

So you could have stuff from MachO to OpenSSL, Samba to Apache and Tomcat all mapping as OS X bugs. On the other hand Microsoft and some others don't even fix bugs without a working exploits much less report them.