Android Was 2016's Most Vulnerable Product, Oracle the

An anonymous reader writes: According to CVE Details, a website that aggregates historical data on security bugs that have received a CVE identifier, during 2016, security researchers have discovered and reported 523 security bugs in Google's Android OS, winner by far of this "award." The rest of the top 10 is made up by Debian (319 bugs), Ubuntu (278 bugs), Adobe Flash Player (266 bugs), openSUSE Leap (259 bugs), openSUSE (228 bugs), Adobe Acrobat DC (227 bugs), Adobe Acrobat Reader DC (227 bugs), Adobe Acrobat (224 bugs), and the Linux Kernel (216 bugs).

When it comes to software vendors, the company for which the largest number of new CVE numbers have been assigned was Oracle, with a whopping 798 CVEs, who edged out Google (698 bugs), Adobe (548 bugs), Microsoft (492 bugs), Novell (394), IBM (382 bugs), Cisco (353 bugs), Apple (324 bugs), Debian Project (320 bugs), and Canonical (280 bugs).

Oracle the

I think you a word.

Number of bugs is hardly a valuable metric here...

The number of bugs opened with a given software product says very little about how "vulnerable" the product may be. The most ubiquitous (widely-deployed) products are bound to be subject to the greatest number of "bug reports" (CVEs), by virtue of the fact that they are "under the microscope" and so broadly used. It is no coincidence that the most bug reports have been filed for the most popular software products.

The couting fiasco

You know, when you read that had XXX CVEs on year 2016, you kinda expect those CVEs are about that latest stable release for in Ubuntu, Fedora, Debian, RedHat, etc.

Not so in this report. You'll ALSO get CVEs that are relevant only to older versions of the distro added to that distro's 2016 count in this report (RTFA and check it!). They didn't restrict it to the current [in 2016] stable version of the distro/product.

As far as I am concerned, this report is irrelevant, because you can't really get any real-world use of it other than deceptive marketing (either pro or contra).

Adobe: Truly solid products

[MobyDisk]

A document viewer had as many vulnerabilities as AN ENTIRE OPERATING SYSTEM.

Re:most vulnerabilities != most vulnerable

[TheRaven64]

True, however Android also suffers from very long delays between serious vulnerability being found and the majority of network-connected installs being patched. The combination of that and a large number of vulnerabilities is pretty bad.

Apples vs. Oranges

[RealGene]

Comparing an operating system to Acrobat Reader? The real question is, why should a text rendering application have half as many bugs as an entire OS?