Skip to main content

Was Mac OS X really the most vulnerable in 2015?


Much has been said in the security world about the recent release of data on vulnerabilities discovered in 2015. Due to the way this data has been presented, many news outlets have been reporting that Mac OS X was the “most vulnerable” OS in 2015. But was it really?
It turns out, there are some issues with the way the data is presented and the conclusions that are being drawn from that presentation. The table shows Mac OS X at the top, with 384 vulnerabilities, and iOS in a close second with 374. Well below that are different versions of Windows, with the worst being Windows Server 2012, in 10th place with 155 vulnerabilities, a mere 40 percent of the vulnerabilities of OS X.
Therein lies the first issue with this data, however. All versions of OS X are clumped together in one group, while different versions of Windows are broken down and shown separately. This means that comparing the numbers in that table does not amount to comparing apples to apples, so to speak.
If we look into the data a little more closely, it is possible to group vulnerabilities by vendor. Doing that, we see that Apple had a total of 654 vulnerabilities in 2015, while Microsoft had 571. Throwing Adobe into the mix, it achieves third place at 460 vulnerabilities.
This is a slightly more useful number, as it includes all versions of each company’s systems as well as their web browsers (Safari and Internet Explorer). However, this includes the vulnerabilities for iOS, while it’s unclear to me whether any Windows mobile systems are included in the Windows vulnerability counts.
Still, even those numbers are not particularly meaningful as-is. Comparing them is like comparing the number of hits made by two different baseball teams in a season without considering how many of those hits were foul balls, grounders, home runs, etc. One team may have a higher number of hits than another, but if they hit a lot more foul balls, while the team with fewer hits had a higher proportion of home runs and RBIs (runs batted in), the higher number of hits is revealed as a misleading statistic.
Similarly, vulnerabilities come in all kinds. There are relatively minor vulnerabilities that can’t really do much harm, and then there are the ones that allow a remote attacker to fully compromise your machine. Fortunately, each vulnerability in the data set is given a severity rating between 0.0 and 10.0. With some filtering, it’s possible to see all the vulnerabilities for each platform that were very severe (higher than 9).
Doing so turns up some interesting results. Apple, it turns out, had 91 vulnerabilities of this severity in 2015, a mere 14 percent of their total vulnerabilities. Microsoft, however, had 332 very severe vulnerabilities, at 58 percent of their total. Adobe leads both with a whopping 389 very severe vulnerabilities, almost 85 percent of their total.
This tells us more clearly about the severity of the vulnerabilities in the data, which is a more important metric than just how many total vulnerabilities there are.
Now, don’t get me wrong… I’m not trying to say that Apple’s systems are the most secure systems on the planet. Although the number of highly dangerous vulnerabilities is interesting, there’s still a lot left out.apple-iphone-smartphone-desk
For example, how many of the vulnerabilities were actually exploited by malware in the wild? There’s no way to know, barring another source of information or a lot of research. It doesn’t matter that Apple’s counts of dangerous vulnerabilities are lower if they got exploited more frequently than the competition.
There’s also no information about existing vulnerabilities. As an example, there are no new vulnerabilities listed for Windows XP. However, there are existing, unfixed vulnerabilities in Windows XP, and many people still use that, despite the fact that Microsoft has discontinued support for it. These won’t show up, but it would still be fair to count them if we’re trying to put some kind of number on how vulnerable Windows users as a whole are.
The same is probably true of Mac OS X 10.6 (aka Snow Leopard), which is no longer supported by Apple but has known vulnerabilities. That should also count against Apple, and although I don’t know for sure (due to the way the Mac OS X data was categorized), I’m guessing there are probably no Snow Leopard vulnerabilities in the 2015 data.
Plus, there could very well be minor vulnerabilities in the systems that were listed that were found in 2014 but haven’t been fixed yet. Such things do happen, and that would be particularly interesting to examine, since it would give insight into the delay between discovery of a vulnerability and patching it for each vendor.
So, bottom line, I’d advise you to ignore any click-bait headlines about how Mac OS X is the “most vulnerable system” based on this data. As I’ve shown, if you look at the data in a different way, you could come to a very different – but still probably inaccurate – conclusion. Ultimately, based solely on vulnerability counts, there’s no valid way to say whether Apple or Microsoft win the “most vulnerable” award, and any attempt to do so is extremely misleading.

Comments

Popular posts from this blog

SoftBank Lands $236M From Alibaba And Foxconn To Bring Its Pepper Robot To The World

Remember Pepper,  the intelligent robot that SoftBank unveiled last year ? Pepper goes on sale in Japan this coming weekend, but in advance of that launch  SoftBank has revealed  that Alibaba and manufacturer Foxconn have invested $118 million each in its robotics division. That deal will give Alibaba and Foxconn 20 percent shares in SoftBank Robotics Holdings (known as SBRH), with SoftBank retaining a dominant 60 percent stake. “SoftBank, Alibaba and Foxconn will build a structure to bring Pepper and other robotics businesses to global markets, and cooperate with the aim of spreading and developing the robotics industry on a worldwide scale,” SoftBank said in its announcement. SoftBank isn’t short on money, of course — it is building up quite a portfolio of e-commerce investments across Asia — but its two partners bring know-how, strategy and global networks to the table. So, it looks like Pepper has eventual world domination plans. Or, at least, ...

Five budget-friendly open source storage servers

Storage is essential for the enterprise: Data must be stored. Data must be retrieved. Data must be shared. Data must be secured. At the same time, storage must not consume the entirety of your IT budget. Fortunately, you can find effective solutions in the world of open source. Outside of cost effectiveness, one of the biggest benefits of these solutions is the ability to modify them to perfectly fit your needs. You can make minor changes or even roll your own storage solution based on one of these tools. If you want enterprise support and a "solution in a can" that will meet just about any enterprise storage need, you should turn to Red Hat or SUSE. Both Linux-based companies offer some of the most powerful enterprise-ready tools on the market. But if you'd rather get your hands dirty and craft something of your own—something that won't demolish your budget—these five open source tools are a great place to start. 1: ownCloud ownCloud ( Figure ...

Visa confirms Coinbase wasn’t at fault for overcharging users

Yesterday, we wrote that Coinbase customers were being charged multiple times for past transactions. While some speculated that the erroneous withdraws were down to a Coinbase engineering issue, Coinbase issued a statement saying it wasn’t liable for the duplicate charges. The blame, instead, rested with Visa for the way it handled a migration of merchant categories for cryptocurrencies, Coinbase said. While you can read my post yesterday for an in-depth description of what happened, the basic gist is that Visa refunded and recharged (under a different merchant category) a month of old transactions. Many users saw the recharge come through before the refund processed, making it look like they were double charged. Honestly, the issue was likely exacerbated by existing payment rails — it’s normal for refunds to take multiple days to show up on credit and debit statements. But here’s where it gets weird — this morning Visa issued a statement to some publications shifting the blam...

Apple Releases First Battery Case To Eat Third-Party Accessory Makers’ Lunch

In a surprise move, Apple just announced an external battery case for the iPhone 6s. Named the  iPhone 6s Smart Battery Case , the battery extends the battery life of your iPhone 6s by up to 25 hours. The new accessory is available in black and white for $99 starting today. Let’s start with the design. Apple is using silicone as the main material like on its other cases. The company doesn’t disclose the capacity of the battery except that you’re supposed to get 18 to 25 hours of extra battery. Like third-party battery cases, Apple uses a Lightning male port at the bottom to plug your iPhone. You can charge the case using a traditional Lightning cable — most third-party batteries rely on a microUSB cable. Apple’s accessory also works with the iPhone 6 and it looks like there isn’t a 6 Plus and 6s Plus version. The Smart Battery Case features an unfortunate hump at the back. Mophie’s  Juice Pack  design is a bit sleeker compared to Apple’s official accessory. Apple...