Skip to main content

Was Mac OS X really the most vulnerable in 2015?

Image
By

Much has been said in the security world about the recent release of data on vulnerabilities discovered in 2015. Due to the way this data has been presented, many news outlets have been reporting that Mac OS X was the “most vulnerable” OS in 2015. But was it really?
It turns out, there are some issues with the way the data is presented and the conclusions that are being drawn from that presentation. The table shows Mac OS X at the top, with 384 vulnerabilities, and iOS in a close second with 374. Well below that are different versions of Windows, with the worst being Windows Server 2012, in 10th place with 155 vulnerabilities, a mere 40 percent of the vulnerabilities of OS X.
Therein lies the first issue with this data, however. All versions of OS X are clumped together in one group, while different versions of Windows are broken down and shown separately. This means that comparing the numbers in that table does not amount to comparing apples to apples, so to speak.
If we look into the data a little more closely, it is possible to group vulnerabilities by vendor. Doing that, we see that Apple had a total of 654 vulnerabilities in 2015, while Microsoft had 571. Throwing Adobe into the mix, it achieves third place at 460 vulnerabilities.
This is a slightly more useful number, as it includes all versions of each company’s systems as well as their web browsers (Safari and Internet Explorer). However, this includes the vulnerabilities for iOS, while it’s unclear to me whether any Windows mobile systems are included in the Windows vulnerability counts.
Still, even those numbers are not particularly meaningful as-is. Comparing them is like comparing the number of hits made by two different baseball teams in a season without considering how many of those hits were foul balls, grounders, home runs, etc. One team may have a higher number of hits than another, but if they hit a lot more foul balls, while the team with fewer hits had a higher proportion of home runs and RBIs (runs batted in), the higher number of hits is revealed as a misleading statistic.
Similarly, vulnerabilities come in all kinds. There are relatively minor vulnerabilities that can’t really do much harm, and then there are the ones that allow a remote attacker to fully compromise your machine. Fortunately, each vulnerability in the data set is given a severity rating between 0.0 and 10.0. With some filtering, it’s possible to see all the vulnerabilities for each platform that were very severe (higher than 9).
Doing so turns up some interesting results. Apple, it turns out, had 91 vulnerabilities of this severity in 2015, a mere 14 percent of their total vulnerabilities. Microsoft, however, had 332 very severe vulnerabilities, at 58 percent of their total. Adobe leads both with a whopping 389 very severe vulnerabilities, almost 85 percent of their total.
This tells us more clearly about the severity of the vulnerabilities in the data, which is a more important metric than just how many total vulnerabilities there are.
Now, don’t get me wrong… I’m not trying to say that Apple’s systems are the most secure systems on the planet. Although the number of highly dangerous vulnerabilities is interesting, there’s still a lot left out.apple-iphone-smartphone-desk
For example, how many of the vulnerabilities were actually exploited by malware in the wild? There’s no way to know, barring another source of information or a lot of research. It doesn’t matter that Apple’s counts of dangerous vulnerabilities are lower if they got exploited more frequently than the competition.
There’s also no information about existing vulnerabilities. As an example, there are no new vulnerabilities listed for Windows XP. However, there are existing, unfixed vulnerabilities in Windows XP, and many people still use that, despite the fact that Microsoft has discontinued support for it. These won’t show up, but it would still be fair to count them if we’re trying to put some kind of number on how vulnerable Windows users as a whole are.
The same is probably true of Mac OS X 10.6 (aka Snow Leopard), which is no longer supported by Apple but has known vulnerabilities. That should also count against Apple, and although I don’t know for sure (due to the way the Mac OS X data was categorized), I’m guessing there are probably no Snow Leopard vulnerabilities in the 2015 data.
Plus, there could very well be minor vulnerabilities in the systems that were listed that were found in 2014 but haven’t been fixed yet. Such things do happen, and that would be particularly interesting to examine, since it would give insight into the delay between discovery of a vulnerability and patching it for each vendor.
So, bottom line, I’d advise you to ignore any click-bait headlines about how Mac OS X is the “most vulnerable system” based on this data. As I’ve shown, if you look at the data in a different way, you could come to a very different – but still probably inaccurate – conclusion. Ultimately, based solely on vulnerability counts, there’s no valid way to say whether Apple or Microsoft win the “most vulnerable” award, and any attempt to do so is extremely misleading.

Comments

Post a Comment

Popular posts from this blog

How ad-free subscriptions could solve Facebook

By
At the core of Facebook’s “well-being” problem is that its business is directly coupled with total time spent on its apps. The more hours you pass on the social network, the more ads you see and click, the more money it earns. That puts its plan to make using Facebook healthier at odds with its finances, restricting how far it’s willing to go to protect us from the harms of over use. The advertising-supported model comes with some big benefits, though. Facebook CEO Mark Zuckerberg has repeatedly said that “We will always keep Facebook a free service for everyone.” Ads lets Facebook remain free for those who don’t want to pay, and more importantly, for those around the world who couldn’t afford to. Ads pay for Facebook to keep the lights on, research and develop new technologies, and profit handsomely in a way that attracts top talent and further investment. More affluent users with more buying power in markets like the US, UK, and Canada command higher ad prices, effectively...
1 comment
Read more

Anyline Raises €1.5M To Let You Add Optical Character Recognition To Your App

By
Anyline , the Austrian startup that provides mobile OCR tech to enable developers to add text recognition to their own apps, has raised €1.5 million in funding. The list of investors is interesting, too. It includes angel investor Johann ‘Hansi’ Hansmann, busuu co-founder Bernhard Niesner, Lukas Püspök, and the U.S.-based VC-fund iSeed Ventures. However, most notable is that the round was led by Gernot Langes-Swarovski Group. As one investor put it to me, “the fact that the Swarovski family led the round shows that finally ‘old’ money is moving into Austrian startups”. Offering its own mobile Optical Character Recognition (OCR) technology — which uses a smartphone’s camera to accurately scan and recognise any kind of text, code or number — Anyline co-founder and CEO Lukas Kinigadner tells me the startup is built on the premise that “people screw up a lot”. “Mistakes happen easily when you’re writing down a 10-digit-number and then have to type it in again a few moments later...
Post a Comment
Read more

Windows 7 and 8.1 Update to Windows 10 automatically

By
Windows 10 downloader While it might be a bit too early to start getting excited over the  Windows 10 update , which isn't expected to arrive until summer, Microsoft seems to already be warming up people's computers just the same. A recommended, and therefore purely optional, update for Windows 7 Service Pack 1 and Windows 8.1 has been discovered to be laying the groundwork for those machines' eventual upgrade to Windows 10. Although the  Windows 10 release date  was not announced officially, the details of this update also reveal how Microsoft might try to convince users to update to the latest Windows 10 version.  The  KB3035583  update "enables additional capabilities for Windows Update notifications when new updates are available to the user", which sounds pretty common. That is, until you dig into the update files and see a certain  GWXUXWorker.exe which, upon further inspection, would actually "Download Windows 10". So this rather ...
Post a Comment
Read more

Three Reasons Why You Need Better Personal Cyber security

By
From the infamous Sony hack to the recent WannaCry virtual catastrophe that affected over 300,000 computers, the need for reliable personal cyber security has never been more apparent. Rubica's skilled team of experts want to remind every one of the importance of cyber security and the three reasons why it is becoming a more pressing issue every day. With top-notch personal cyber security, most attacks are preventable. 1. Larger Number Of Attacks Americans have heard of the most notable attacks on major corporations or government entities over the past several years. However, most people who are not in the information security field do not learn just how much the attack frequency is growing. The number of cyber attacks carried out worldwide in 2015 was quadruple a number of attacks recorded in 2013. Although the cost associated with the number of annual recorded attacks is in the $500 billion range right now, experts say that it will grow well into the trillions by ...
Post a Comment
Read more

Insure Your Family by Controlling Devices Through an App

By
AIR: YOUR SMART HOME Have you ever rushed to your house suspecting that you may have accidently kept the iron turned on?  How do you deter a burglar  from breaking into your house? You probably would rush to your house and manually turn off the switch in the first instance, and get a burglar alarm for the next. But what if there were a single solution for both? Humans are delegating a lot of menial and repetitive tasks to machines. And as far as errands in your house and offices are concerned, the good news is – you can control appliances through your smart phone. INTRODUCING AIR: YOUR SMART HOME Air app, which is available on both Android and Apple platforms, interacts with your devices and switches them off with a single tap. AIR MOBILE APP The app is complemented with a package that consists of a pentagonal-shaped unit and switchboard module. Once you install air unit; your smartphone can interact with it using the Air App. Thereafter, the unit instructs the...
Post a Comment
Read more