
Was Mac OS X really the most vulnerable in 2015?


Much has been said in the security world about the recent release of data on vulnerabilities discovered in 2015. Due to the way this data has been presented, many news outlets have been reporting that Mac OS X was the “most vulnerable” OS in 2015. But was it really?
It turns out, there are some issues with the way the data is presented and the conclusions that are being drawn from that presentation. The table shows Mac OS X at the top, with 384 vulnerabilities, and iOS in a close second with 374. Well below that are different versions of Windows, with the worst being Windows Server 2012, in 10th place with 155 vulnerabilities, a mere 40 percent of the vulnerabilities of OS X.
Therein lies the first issue with this data, however. All versions of OS X are clumped together in one group, while different versions of Windows are broken down and shown separately. This means that comparing the numbers in that table does not amount to comparing apples to apples, so to speak.
If we look into the data a little more closely, it is possible to group vulnerabilities by vendor. Doing that, we see that Apple had a total of 654 vulnerabilities in 2015, while Microsoft had 571. Adobe, thrown into the mix, takes third place at 460 vulnerabilities.
This is a slightly more useful number, as it includes all versions of each company’s systems as well as their web browsers (Safari and Internet Explorer). However, this includes the vulnerabilities for iOS, while it’s unclear to me whether any Windows mobile systems are included in the Windows vulnerability counts.
Still, even those numbers are not particularly meaningful as-is. Comparing them is like comparing the number of hits made by two different baseball teams in a season without considering how many of those hits were foul balls, grounders, home runs, etc. One team may have a higher number of hits than another, but if they hit a lot more foul balls, while the team with fewer hits had a higher proportion of home runs and RBIs (runs batted in), the higher number of hits is revealed as a misleading statistic.
Similarly, vulnerabilities come in all kinds. There are relatively minor vulnerabilities that can’t really do much harm, and then there are the ones that allow a remote attacker to fully compromise your machine. Fortunately, each vulnerability in the data set is given a severity rating between 0.0 and 10.0. With some filtering, it’s possible to see all the vulnerabilities for each platform that were very severe (higher than 9).
Doing so turns up some interesting results. Apple, it turns out, had 91 vulnerabilities of this severity in 2015, a mere 14 percent of their total vulnerabilities. Microsoft, however, had 332 very severe vulnerabilities, at 58 percent of their total. Adobe leads both with a whopping 389 very severe vulnerabilities, almost 85 percent of their total.
This tells us more clearly about the severity of the vulnerabilities in the data, which is a more important metric than just how many total vulnerabilities there are.
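An added example (not from the original post or its data source) of the two regroupings described above: counting per product versus per vendor, then taking the share of each vendor's entries that score above 9. The records, vendor names and product names are constructed, and it assumes an entry listed under several products of one vendor counts once for that vendor.

```python
from collections import defaultdict

# Constructed sample records (not real CVE data): (id, vendor, product, score).
# One ID can be listed under several products of the same vendor.
RECORDS = [
    ("EX-0001", "VendorA", "desktop_os", 4.3),
    ("EX-0001", "VendorA", "mobile_os", 4.3),
    ("EX-0002", "VendorA", "desktop_os", 6.8),
    ("EX-0002", "VendorA", "mobile_os", 6.8),
    ("EX-0003", "VendorA", "desktop_os", 9.3),
    ("EX-0004", "VendorA", "desktop_os", 5.0),
    ("EX-0005", "VendorB", "server_2012", 9.3),
    ("EX-0005", "VendorB", "desktop_8", 9.3),
    ("EX-0006", "VendorB", "server_2012", 10.0),
    ("EX-0007", "VendorB", "desktop_8", 7.2),
]

def count_by_product(records):
    """Per-product counts: the view a product ranking table gives."""
    counts = defaultdict(int)
    for _id, vendor, product, _score in records:
        counts[(vendor, product)] += 1
    return dict(counts)

def unique_by_vendor(records):
    """Map vendor -> {id: score}, so an ID shared by products counts once."""
    vendors = defaultdict(dict)
    for vuln_id, vendor, _product, score in records:
        vendors[vendor][vuln_id] = score
    return vendors

def vendor_summary(records, threshold=9.0):
    """Per vendor: (unique total, count scoring above threshold, percent)."""
    summary = {}
    for vendor, vulns in unique_by_vendor(records).items():
        severe = sum(1 for s in vulns.values() if s > threshold)
        summary[vendor] = (len(vulns), severe, round(100 * severe / len(vulns)))
    return summary

if __name__ == "__main__":
    ranked = sorted(count_by_product(RECORDS).items(), key=lambda kv: -kv[1])
    for key, n in ranked:
        print(key, n)
    for vendor, row in vendor_summary(RECORDS).items():
        print(vendor, row)
```

In this constructed set the product with the highest raw count belongs to the vendor with the lower share of high-severity entries, which is the effect the post describes.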
Now, don’t get me wrong… I’m not trying to say that Apple’s systems are the most secure systems on the planet. Although the number of highly dangerous vulnerabilities is interesting, there’s still a lot left out.
For example, how many of the vulnerabilities were actually exploited by malware in the wild? There’s no way to know, barring another source of information or a lot of research. It doesn’t matter that Apple’s counts of dangerous vulnerabilities are lower if they got exploited more frequently than the competition.
There’s also no information about existing vulnerabilities. As an example, there are no new vulnerabilities listed for Windows XP. However, there are existing, unfixed vulnerabilities in Windows XP, and many people still use that, despite the fact that Microsoft has discontinued support for it. These won’t show up, but it would still be fair to count them if we’re trying to put some kind of number on how vulnerable Windows users as a whole are.
The same is probably true of Mac OS X 10.6 (aka Snow Leopard), which is no longer supported by Apple but has known vulnerabilities. That should also count against Apple, and although I don’t know for sure (due to the way the Mac OS X data was categorized), I’m guessing there are probably no Snow Leopard vulnerabilities in the 2015 data.
Plus, there could very well be minor vulnerabilities in the systems that were listed that were found in 2014 but haven’t been fixed yet. Such things do happen, and that would be particularly interesting to examine, since it would give insight into the delay between discovery of a vulnerability and patching it for each vendor.
So, bottom line, I’d advise you to ignore any click-bait headlines about how Mac OS X is the “most vulnerable system” based on this data. As I’ve shown, if you look at the data in a different way, you could come to a very different – but still probably inaccurate – conclusion. Ultimately, based solely on vulnerability counts, there’s no valid way to say whether Apple or Microsoft wins the “most vulnerable” award, and any attempt to do so is extremely misleading.
