Most vulnerable operating systems and applications in 2014

Cristian Florian on February 18, 2015

Looking for the 2015 version of this data? Click here

An average of 19 vulnerabilities per day were reported in 2014, according to the data from the National Vulnerability Database (NVD). The NVD provides a comprehensive list of software security vulnerabilities. In this article, I look at some of the trends and key findings for 2014 based on the NVD’s database.
[ulp id=”cbiKoDdv59CzTKSA”]

Some of the questions asked are:

– What are the latest vulnerability trends? Are we seeing an increase or a decrease in the number of vulnerabilities?

– What percentage of these vulnerabilities are rated as critical? (e.g. high security impact – like allowing remote code execution – and thus easy to exploit)

– In which areas do we see the most vulnerabilities? Are operating systems, third-party applications or network devices such as routers, switches, access points or printers most at risk?

– Which operating systems and applications are listed with most vulnerabilities? This data is important because the products which are on top get the most frequent security updates. To maintain an IT infrastructure secure, sysadmins need to continually monitor these operating systems and applications for the latest updates and ensure they are always fully patched.

7,038 new security vulnerabilities were added to the NVD database in 2014. This means an average of 19 new vulnerabilities per day. The number is significantly higher than in 2013 and continues the ascending trend over the past few years.

24% of these vulnerabilities are rated as high severity. The percentage is lower than in 2013, but the actual number of high security vulnerabilities has increased compared to last year.

Third-party applications are the most important source of vulnerabilities with over 80% of the reported vulnerabilities in third-party applications. Operating systems are only responsible for 13% of vulnerabilities and hardware devices for 4%.

Top operating systems by vulnerabilities reported in 2014

It is interesting that although Microsoft operating systems still have a considerable number of vulnerabilities, they are no longer in the top 3. Apple with OS X and iOS is at the top, followed by Linux kernel.

2014 was a tough year for Linux users from a security point of view, coupled with the fact that some of the most important security issues of the year were reported for applications that usually run on Linux systems. Heartbleed, for example, is a critical security vulnerability detected in OpenSSL while Shellshock is a vulnerability that affects GNU Bash.

Top applications by vulnerabilities reported in 2014

The applications listed here are pretty much the same as in 2013. Not surprisingly at all, web browsers continue to have the most security vulnerabilities because they are a popular gateway to access a server and to spread malware on the clients. Adobe free products and Java are the main challengers but web browsers have continuously topped the table for the last six years. Mozilla Firefox had the most vulnerabilities reported in 2009 and 2012; Google Chrome in 2010 and 2011; Internet Explorer was at the top for the last two years.

To keep systems secure, it is critical that they are fully patched. IT admins should focus on (patch them first):

Operating systems (Windows, Linux, OS X)
Web browsers
Java
Adobe free products (Flash Player, Reader, Shockwave Player, AIR).

UPDATE

The response to my post on the top vulnerabilities in 2014 has been amazing and I would like thank everyone who commented on the article. What certainly stood out in the comments and feedback is the fact that some of the statistics I reported on were not clear enough. Many comments queried why vulnerabilities were grouped in the way I did and why there’s a single entry for Apple OS X and Linux but seven entries for each Windows version.

In the following update, I’m going to try and clarify and answer most of our readers’ queries.

The operating systems are different and it is hard to group them in a way that everybody agrees with. For example, unlike Windows, the Linux Kernel can be upgraded independently of the rest of the operating system; therefore it is hard to link Linux Kernel vulnerabilities to a specific Linux distribution or Linux distribution version. This is why Linux vulnerabilities are grouped under Linux Kernel as a separate product and then there are the specific vulnerabilities for each Linux distribution. The reason why only Linux Kernel and Apple OS X are listed at the top is because the number of vulnerabilities that specifically apply to other Linux distributions (like Red Hat, Debian, etc.) is lower than the number of vulnerabilities that apply to the operating systems already listed.

For example, here are some statistics for several Linux distributions that did not make it to the top and which are not included under Linux Kernel entry:

Ubuntu

39 total vulnerabilities 7 high severity 27 medium severity 5 low severity

Red Hat Enterprise

27 total vulnerabilities 6 high severity 17 medium severity 4 low severity

openSUSE

20 total vulnerabilities 9 high severity 9 medium severity 4 low severity

Fedora

15 total vulnerabilities 3 high severity 9 medium severity 3 low severity

If we had to group the different Windows versions under one entry the statistics would look like this:

Windows

68 total vulnerabilities 47 high severity20 medium severity 1 low severity

As you can see a lot of Windows vulnerabilities apply to multiple Windows versions and because of that there is not a huge difference between the number for the entire Windows operating systems family and the numbers for different Windows versions.

Some readers have also asked where Android fits in. Here are the NVD stats:

Android

6 total vulnerabilities 4 high severity 1 medium severity 1 low severity

It is important to note that Android is based on Linux Kernel too and some of those vulnerabilities apply to Android as well. The malware on Android devices is usually spread via applications installed on the devices rather than via holes in the operating system.

Another question: where is Safari? Are Safari vulnerabilities included in OS X counts? The answer is no. Safari vulnerabilities are counted separately as is the case with the other web browsers. The reason why Safari is not listed is because it did not make it to the top of the list (it does have a large number of vulnerabilities, but only three of them are high severity):

Safari

70 total vulnerabilities 3 high severity 67 medium severity 0 low severity

To conclude, the aim of the article is not to blame anyone – Apple or Linux or Microsoft. The message I am trying to get across is that all software products have vulnerabilities. The frequency of security updates increases with the product’s popularity. At GFI we would like the people to use the information as a guide and to show which areas to pay more attention to when patching their systems. At the end of the day, however, an IT admin’s attention should be on ALL products in his network and not limited to those at the top of the vulnerability list; neither should the assumption be made that those further down the list are safer. Every software product can be exploited at some point. Patching is the answer and that is the key message.

——

Vulnerability and patch management should be priority tasks for every sysadmin. Microsoft’s updates are not enough because third-party applications are just as problematic. If you would like to discover how many vulnerabilities exist in your network or how many patches are missing, download GFI LanGuard and try free for 30 days.

——

Read Emmanuel Carabott’s take on the interpretation of the NVD data mentioned in this blog.

About the Author: Cristian Florian

Cristian Florian is product manager at GFI Software. Starting as a software developer, he developed his career step by step gaining more than 12 years of experience in network security and software development. He currently oversees GFI LanGuard, a successful network security scanning and patch management solution.

More Posts from Cristian Suggest a Topic

132 Comments

A February 24, 2015 at 7:37 am
“Mac OS X” ceased to exist a couple of versions ago (It’s simply OS X now), so I guess we’re speaking pre-10.8 versions here. Also, Apple TV is a device name, while it runs iOS, just as all other Apple’s iDevices.
1. harfox February 25, 2015 at 1:07 am
  You must be fun at parties.
  Anyway.
  Akoss-Mac-mini:~ akosszente$ sw_vers
  ProductName: Mac OS X
  ProductVersion: 10.10.2
  BuildVersion: 14C109
  Thanks for your comment.
2. Bill Gates February 27, 2015 at 1:45 am
  If you think OSX isn’t flawed, your wrong.
  Well, I’ve been able to load OSX on my HP laptop with every release.
  By using HP hardware and OSX software (which isnt soldered together; a serious flaw if hardware fails), I actually end up saving a lot of money; and learning more about Unix too..!
  The Real Bill Gates April 21, 2015 at 5:37 pm
  I think you meant “you’re” — come on Fake Bill Gates… you’re better than that.
  Irving Q Publiq April 21, 2015 at 6:56 pm
  Unfortunately the numbers provided for OSX are not based primarily on analysis of shipping OSX systems, but on analysis of the underlying open source BSD kernel. Apple ships OSX with most of the settings that make BSD vulnerable disabled by default, and a Unix user with root access would have to change these settings. So, this number is not indicative of the vulnerability of OSX for a typical user.
3. Jeffery Sikes May 4, 2015 at 7:13 pm
  Its not any one OS that is going to solve security issues with electronic data, its going to be the proliferation of many different Operating Systems and Applications, which is going to resolve security issues. The more diverse the available and use of operating systems and applications, the more difficult it is for hackers to exploit any one effectively.
  In the day when Microsoft was king (a decade or so ago) any attack upon Microsoft was devastating to many people but now that there is diversity among OS there are less and less effective attacks. Sure there are still a lot of folks stuck on Microsoft but that is changing day by day.
  Eventually the playing field will change and include multiple versions of Operating Systems and Applications all running at the same time, which will make the potential hackers job a nightmare. This article is evidence of that fact, especially the update section where at least 4 Operating Systems are indicated for Linux. The more diverse the operating systems one or a company uses the lower the probability of experiencing a successful attack (that’s just simple mathematics really).
  So rejoice in OSX and Windows and Linux (all of the distributions) as their existence and use is security.
  Case in point
  Look at your life and count the OS’s your support just at this one moment … today
  MS Windows?
  Xbox
  Unix Operating Systems?
  OSX
  iOS
  Android
  Blackberry
  Chrome OS
  Any number of Linux distributions?
  Red Hat
  Fedora
  Cent OS
  Debian
  Ubuntu
  Mint
  Sony Play Station OS
  Sony Portable OS
  Steam OS
  All of the Linux software running routers, file servers, TV boxes etc
Tamas Szelinger February 24, 2015 at 9:08 am
What version of OS X and iOS tested? There are more than 3 versions of each os supported today.
IE is safe February 24, 2015 at 1:06 pm
https://web.nvd.nist.gov/view/vuln/search-results?query=internet+explorer+11+2014
According to National Vulnerability Database (NVD), there are only 146 vulnerabilities in IE11 in 2014, not 242.
IE is perfectly safe browser and not much more vulnerable than Firefox or Chrome.
1. BubbleHead June 18, 2015 at 1:00 am
  First off, you are only looking at IE11, even though there are older versions of IE currently in use which are still supported; if you just search for Internet Explorer 2014, you return 177 results. Second, if I use your logic, and simply search by browser name and year, Chrome (all versions) only had 18 vulnerabilities reported, Firefox (all versions) had 5, and Safari (all versions) had 58, so IE is still way more insecure:
  https://web.nvd.nist.gov/view/vuln/search-results?query=internet+explorer+2014
  https://web.nvd.nist.gov/view/vuln/search-results?query=chrome+2014
  https://web.nvd.nist.gov/view/vuln/search-results?query=Firefox+2014
  https://web.nvd.nist.gov/view/vuln/search-results?query=Safari+2014
  ABGC July 20, 2015 at 2:47 pm
  IE is very old software and as such has had to cover many forms of web pages and applications to maintain support for enterprise (Who have a habit of not updating their systems… XP ring any bells) and is the reason IE is still so open to attacks. The good news is that MSFT have addressed this with the release of Edge in Windows 10 which is now a sandboxed app and has removed all the old coding and vulnerabilities. In the future we should see class leading security with MSFT’s new browser.
Laurent February 24, 2015 at 2:11 pm
There are two flaws in this argument:
1.) It is easier to find vulnerabilities in Open Source software because you can look directly at the source. That doesn’t mean there actually are more vulnerabilities than in closed-source software. It’s actually a good thing for white hats to find more vulnerabilities (instead of waiting for a zero-day exploit from a malicious hacker).
Which leads to the second point:
2.) How many of these vulnerabilities were actually exploited in the real world? And how many were patched successfully before there were exploited on a large scale?
So the statistics here are simply meaningless. You can very well imagine that we are simply finding more vulnerabilities and patching them in Linux before they are exploited (which is a good thing) compared to the more serious zero-day exploits that are found in Windows by the wrong people.
1. SteelCrysis March 15, 2015 at 6:26 pm
  “1.) It is easier to find vulnerabilities in Open Source software because you can look directly at the source. That doesn’t mean there actually are more vulnerabilities than in closed-source software. It’s actually a good thing for white hats to find more vulnerabilities (instead of waiting for a zero-day exploit from a malicious hacker).”
  Heartbleed, Shellshock, and GHOST beg to differ.
  Irving Q Publiq April 21, 2015 at 6:50 pm
  Those were, in fact, all discovered by White Hats, and there is no evidence they were ever exploited for malicious purposes. So, doesn’t that support his point?
Ch February 24, 2015 at 3:57 pm
Well let me tell you something ABOUT FACTS when you do such benchmarking you should normalize compared componentes you cant just come count and say who is better !!, (FACTS) such as release / patch cycles should be considered no software is free of bugs ( specially security bugs since 80% of programmers have understand of security by ( having a login screen ) and they take it as a non-functional requirement, to make it worse they have never even heard what SSDLC is !!!! ( DID YOU ? ). Microshit & its ugly technology such as .NET !! has bugs unpatched since the 90s, internet explorer has been the worse product in history well defeated only by VISTA & let me tell you more integrity checks in OSs components only started after XP….ETC & i can tell you million of remote code execution stories !!! but just to give you a simple point of view ( microsoft 8 has 24 / but with what OSX or kernel version you are comparing !! don’t understamte the 0.0.0.0 tag in this study !! ) so as conclusion this study does not mean nothing !!
1. Dennis March 3, 2015 at 11:39 am
  Slow down or else you’ll suffer from a hearth attack. Microsoft has significantly improved its security over the years, but the problem often is the user ..
  yedis June 7, 2015 at 4:55 pm
  Developers can’t seem to accept responsibility for their crappy applications so they ultimately blame the user. Of course!! The user must want to purposely get infected with a virus so its their fault. Get your heads out of your asses.
  Nelson June 12, 2015 at 3:20 am
  There are a lot of inevitabilities in computing, the tradeoff between security and usability being one of them. There are a lot of situations in which apps simply can’t be 100% secure because doing so would mean being essentially useless to all but a very specific set of use cases. There needs to be user input. There needs to be extensibility. You could argue that the most secure app in the world is one which runs, plays a fart noise, and closes – what’s the point in that? We live in a world of mass interactivity, and it’s simply not possible to stress test applications for every single possible use case which could potentially break them. Vulnerabilities are a fact of programming. That said, the vast majority of time spent by tech support is in training users to use applications correctly (since they generally don’t RTFM or have any semblance of common sense), not nailing down “real issues”. Spend some time in a call center or an entry-level IT job and you’ll realize that most problems can be drilled down to user error.
2. BubbleHead June 18, 2015 at 1:57 am
  I can tell by your post that anyone who writes anything which even hints that Windows may in any way be superior to OSX, regardless of how factual it may be, will ultimately be met with lewd and heated remarks by you – as is typical of the Apple-worshiping troll. The author never stated one OS was better than the other – he just provided the figures and allowed the readers to come to their own conclusions. Obviously you didn’t like the conclusion you arrived at, because it didn’t agree with your preconceived notions of Apple which you got from drinking their Kool-Aid – so instead of reanalyzing your previous beliefs, you do what the typical Apple fanboy does, and take your frustrations out on the author. As such, I fully expect you to respond in a likewise manner to my post.
  I will simply say this: for years, Apple has misled the public and their customer base into a false sense of security by implying that the apparent absence of Mac viruses (which has since been debunked) was a function of secure programming, rather than (more accurately) their small market share and the fact that most malware coders are more interested in targeting the most prolific OS (Windows, at 91% market share) than one which only has a 7% market share. Because of this continual campaign of lies, most Mac users have assumed they were immune to malware and would rarely install any A/V software whatsoever. Most Windows users run some sort of A/V software, since Microsoft isn’t stupid enough to lie about the fact that it’s operating system (or any OS, for that matter) may be subject to malware attacks.
  Now that the Linux kernel is becoming a more popular attack vector for hackers (as Linux servers are often used in corporate environments), OSX is inheriting many of those vulnerabilities. Many more Linux exploits require only minor modifications to make them usable against OSX.
  Further, considering how much more scrutiny there is on the Windows OS by the industry which uses it (it has 13 times the market share as OSX), you would expect there to be proportionately more vulnerabilities reported on an operating system which is so widely used, yet that is not the case. The statistics show that, while Microsoft may have had issues with vulnerabilities in the past, the large level of scrutiny their market share has given them, and the time spent improving their product, has allowed them to design a very secure operating system.
  The fact that Windows (or any OS) has had vulnerabilities does not mean no effort was made to make it secure, as every OS (if it has any functional value) has vulnerabilities. Further, the more functionality you add to an operating system, the more potential vulnerabilities you invite. Windows has a great deal of functionality – more so than Mac, which is one of the reasons it is so popular. Even today, I get to listen to new Mac users frustrated my the fact that they can’t find Mac equivalents of software they took for granted on Windows.
Tom February 24, 2015 at 8:02 pm
This article insults my intelligence at the highest level! What versions of Linux and OS X are you referring to, and why is Windows broken out by version. Last I checked, there is a ton of Windows XP running wild with virtually no support. Please retract this article and some granularity.
Frantisek February 24, 2015 at 8:16 pm
For such miserable journalism or work should be people spanked.
Daniel February 24, 2015 at 11:59 pm
NVD publishes fixed cve’s. Please correct me if i am wrong.
So when we look at the stats, we see x amount of cve’s that were fixed,
This tells me that the people at apple work working a little harder then most.
If lets say, IOS has 100 cve,s issues and android has 1000.
apple fixes 20 of them and android fixes 2.
this would mean to me that androids os is infact worse and not better.
In your OS list, you list Mac as the worst. Ok thats fair enough, Microsoft does not publish all the issues it has, half of them they do not even know they have. and putting my theory above there into practice, as much a fan of windows as i am, I do not think windows is safer them Mac.
Daniel February 25, 2015 at 12:11 am
Also again, If I am right, NVD does publish fixed CVEs, this means that apple has fixed the most meaning its that much safer.
As alot of people have mentioned in the comments you “the publisher” did not specify exactly what version of osx or ios. I have this on going argument with a friend of mine, its an apple ios versus android. When you look at androids bug list there is “oh my god” so many bugs listed, 20k + and he keeps on going on about how tragic android is but if you really look at that massive list of open issues, 80 percent of them are stupid bugs. where as apple does not really list its issues. This again teaches us a lesson, A google is not afraid to publish publicly its bugs, this is a positive thing. nothing to hide. I have not managed to find an open list of apple bugs for ios. tons to hide.
Whats the worst android mass exploit that has happened in 2014, and whats apples worst. I cant think of an android one. but sure did enjoy reading about nude celebs.
Id recommend instead of researching the top of the pond, you need to re research way way deeper and pull up some credible info
1. Brian Martin February 28, 2015 at 1:11 am
  CVE/NVD do not only publish for ‘fixed’ issues. There are plenty of identifiers that represents vulnerabilities that have no vendor solution.
Rob Walch February 25, 2015 at 6:11 am
How come there is no mention of Android? Did your spread sheet not go that high when looking at vulnerabilities? You can’t mention iOS and not Mention Android – even if the number was 2 or 10 or 100 orders of magnitude greater for Android.
Ma February 25, 2015 at 8:08 am
All windows vulnerabilities are 68? 7 *~30 items !!!!!
Jarth February 25, 2015 at 9:27 am
This is a great wiki page to validate what arguments fly and which not. It also shows relatively Microsoft is delivering piss poor security. Given almost ALL versions in this article run on NT 6.x and the minor numbers indicate a patch-level but also tweaks to the specific function.
http://en.wikipedia.org/wiki/Comparison_of_operating_system_kernels
Paolo February 25, 2015 at 10:36 am
If you sum all Windows versions you get 248 vulnerabilities. I see why it makes sense to keep them splitted (you either use Win7 or Win8, some of them could be duplicated among versions, etc) but for a fair comparison you should split the OS X and Linux versions too.
1. ilya February 26, 2015 at 6:04 am
  vista, 7, 8 and 8.1 are all the same thing; windows NT 6.X. it probably means that they all share the SAME vulnerabilities because it’s not a “windows release” issue, it’s an NT kernel issue.
2. Jack Rowley February 26, 2015 at 2:08 pm
  No, you are assuming that vulnerabilities are unique which isn’t the case. The total number of unique vulnerabilities across the windows platforms they tested is 68.
Gizmo February 25, 2015 at 11:30 am
Article is very biased and misleading, i mean, having iOS in comparison but not android nor windows phone os, and putting windows by versions but linux as grouped. That’s some really bad journalism, together with all news portals that shared this article. It says P.R. all over it. Sad to see that it’s getting harder and harder to get proper information on internet, and knowing web space is polluted with misleading and bad informations such as this article.
1. VARELA April 4, 2015 at 7:39 pm
  I AGREE
theresnosecurity February 25, 2015 at 4:21 pm
Note that the comparison based on these databases is not accurate without properly working the numbers. For example, only the Linux kernel is included in this article, but the worst vulnerabilities in Linux OS are not counted there! Heartbleed only shows up under OpenSSL, but it’s included in all Linux distributions. ShellShock (and actually 6 similar vulnerabilities) in bash is also not counted against Linux, but it affected almost all distributions. This would make the various Linux OS much more vulnerable than they appear to be. I verified this using cvedetails.com, where the CVE numbers for Ubuntu or Red Hat don’t include the kernel ones and vice-versa.
Another example, of the 36 listed vulnerabilities under Windows 7, two of them can only be exploited through specially crafted Office documents, so is it a Windows or Office vulnerability? should we also include LibreOffice in the Linux count? It comes pre-installed in the most popular distributions. Another one is related to font management. Should we include the Freetype vulnerabilities in the Linux count too?
This is a “kernel” vs. complete OS question, which seems to favor Linux in all statistics because its vulnerabilities are spread across various aplication names and not picked up in the database searches.
Kevin Wortman February 25, 2015 at 5:16 pm
Agree with others on here. There are some very important columns missing here. How many of the vulnerabiliites are being used in active exploitations? How many flaws (Vulnerabilities) remain unpatched. While I get the importance of reporting on things like this it seems to me that there maybe an agenda. There are many users of apple products (hence the reason they set a record for the amount of money made recently) and since this is the case, why dont we hear about these products being exploited? Too Hard? Too expensive? something else? Yes Apple should probably do more to secure their OS’s and devices with so many flaws as youve pointed out here, but with so many and no news of cybercrime or cyber warfare being conducted against these systems are we trying to scare people without all the facts behind the numbers?
1. Kevin Wortman February 25, 2015 at 5:40 pm
  Something I forgot to add. This is one of those posts/articles that leaves me saying “So What?” since there is a lack of other information.
Gwyneth Llewelyn February 25, 2015 at 8:35 pm
How journalists love to bash Apple! Searching for vulnerabilities on the NVD statistics database, for Mac OS X 10.10.0 and 10.10.1 (that would be the latest version) gives a result of NONE (for either of them). Of course, one would have expected that. Earlier versions probably have more vulnerabilities, I didn’t search for them all, but one would expect that one of the reasons for releasing new versions is to fix/patch vulnerabilities…
nobody February 25, 2015 at 8:38 pm
How is it possible that an OS has vulnerabilities of every rating scale except the lowest? Is it because Microsoft’s development process emphasizes security? If so, why are the high-rated vulnerabilities of Windows roughly as many as linux’s?
What does each vulnerability scale mean for each vendor?
Diegoz February 25, 2015 at 10:41 pm
PC friendly? After 30 years of deep Mac and PC use, I can tell you this statistic is a crap! Every windows user can tell you it’s a collection of vulnerabilities… why show OS X all in one version and Windows separating all versions?!?! Ad what a hell?!?! Apple TV is an application for you?!?!?!?! It’s a device with iOS on board!!
Please Cristian, back to school….
Michael Horton February 25, 2015 at 11:56 pm
ahem….
23% of all Windows users are using XP, couldn’t see that in the scores?
Dubious research if you missed you many millions of PCs, a whole whopping 23% just not counted.
Macuser February 26, 2015 at 7:40 am
The excuses that you’ve added are ridiculous.
Learn to make additions, and if you make the total by Apple you have to do even for Microsoft. If you want to separate the vulnerability for the different versions you can do it, but “after” and apart.
Because instead separates iOS and OS X when the kernel is the same? So you double a dose of vulnerability that instead are identical … you seem serious?
In conclusion, when it suits you separate and when it does not, then you differentiate … but pay you to act like this?
Android off the charts? Very convenient …
Ronald February 26, 2015 at 11:30 am
Completely useless list. It is a biased list. If you split up Windows you should also split up Mac OS X. If you add iOS to the list, why not add android to the list.
GFI is a big troll
Mr P February 27, 2015 at 7:17 pm
Christian Florian your broad “knowledge & skills” has taken you far in your career. You landed you a job as a “journalist blogger” for a shitty biased website. Keep up the great work lol.
What is even more sad than this poor journalistic input is people reading/believing this… sad.
Michel Tr February 28, 2015 at 3:16 am
I am wondering where is Windows XP, granted it’s no longer supported but the install base is still pretty high on the list ( >30% ).
Loving this February 28, 2015 at 2:34 pm
Got to love all the nix and apple fan boys you really annoyed from this article. A little bit defensive and sensitive over minor details such as not breaking down the flavores of Linux and using a kernel based grouping approach is kind of sad. I was hoping Linux and Mac users would have more valid arguments. Me? I use Linux and windows, your article was fine to those of us who are not biased.
pANKJ March 1, 2015 at 10:43 pm
Nice work
Scott March 3, 2015 at 2:49 pm
Looks to me like GFI is trying to increase sales of their products to Mac and Linux users.
Michael Richardson March 7, 2015 at 8:06 pm
Why did you group OSX into a single entry, also Apple iOS into a single entry, and Linux as a single entry (rather than by distro) but then you split off the Microsoft distributions in seperate category? Is that 38 unique attacks on win 8.0
and 38 different attacks on 8.1? Or was one attack present all the back to win95 and so gets counted into each category?
When I fix a bug in an “application” like tcpdump, that ships for OSX, Redhat, Debian, FreeBSD, and Windows, how do you count that?
Donald@guardcard March 21, 2015 at 1:46 pm
Operating System is only a interface between user and system so it is very important that the latest versions of the windows or OS includes an Automatic Updates feature.
Donald@Trackforce March 25, 2015 at 1:13 pm
Microsoft operating systems still have a considerable number of vulnerabilities and threats Security and software development helps you dealing with all kinds of vulnerabilities. I have a security software for my operating system the results are very good now my system is performing at an amazing speed without any problems.
Sirko April 24, 2015 at 1:26 pm
Hi,
can you please shortly describe how did you get those figures? On the NVD-Homepage in the Statistics-Section I typed i.e. “Mac OS X” in Keyword / Textsearch and choose as Severity (Base Score Range) “Low” and got a totally different result from yours. And I find out, that for “Mac OS X” and “Mac OS 10” the database delivers results. Totally different results. It seems that it ist important what you type in and this is the reason why I ask you how you got those figures.
Thank you for an answer
Sirko
1. Melanie Hart April 28, 2015 at 10:01 am
  Hi Sirko,
  The NVD vulnerability definitions are available for download in XML format on the NVD website: https://nvd.nist.gov/download.cfm
luca April 25, 2015 at 7:10 pm
Linux and Apple na single antry, and microsoft don’t?
Please!
Jeffery Sikes May 4, 2015 at 6:54 pm
The battle to defeat hackers is not bound up in which OS is the most vulnerable, its bound up in the public and business using different OS’s sitting on different kernels and with different distributions. Even multiple OS within one organization, make it far more difficult for an attack to be successful. Variety is far more difficult for hackers to contend with than Consistency under one supposedly secure OS.
Rejoice therefore in all types of Operating Systems as its the mass variation and its implementation which will stop the success of hackers not any one version.
Lee Creel May 8, 2015 at 5:38 pm
How about including other operating systems, such as z/OS, z/VM, and z/Linux. One list I saw seemed to indicate that these were over 100 times more secure than Windows based on the percentage of reported hacks.
1. sysdef May 8, 2015 at 5:49 pm
  Lee Creel, right. os/2, amigaOS, ReactOS and Haiku-OS are way more secure since that stats. Thank you for pointing that out.
  Even OpenBSD can now smile again! 🙂
Zhora May 11, 2015 at 1:51 pm
MS vs Apple vs Google vs …; IE vs Firefox vs Chrome vs Safari vs …; Emacs vs vi vs TextMate vs …; Speaking of OS wars, since that seems to be the focus at this time and place, perhaps one of the security issues that doesn’t show up on the list is the amount of time spent in non-constructive criticism that could be put into more constructive discussion or to provide tangible information or anything that might help us all to increase system security for themselves or others. In today’s world, achieving such a goal might require either limiting any article to only one emotive OS or if speaking of more than one, folding all the facts together into some sort of interwoven mush that jumps from pro to con and system to system in a way that makes it too difficult to know which, if any, of them has the advantage. Discussing only one would probably provide more, but not all, of what might be useful to say than creating confusion that would end up confusing everyone or being ignored. But the comments that this article has generated seem mostly to be attacks that don’t help correct the problem brought up nor encourage others to add to the discussion in a positive manner. Not all, but most.
The author did add to the article to attempt to clarify his intention as illustrating that all systems and software have security issues to which we must all pay more attention. That’s a valid statement, I believe, but a bit too general and often causes a reaction such as “right! those systems really need to do better with their security issues,” while adding the disclaimer, “at least my system is secure enough,” though generally unspoken. But though I believe the author does hold the need to consider security more seriously, it doesn’t feel that that was the point intended to be made. The article is still basically an aggregated list of security vulnerabilities where an attempt has been made to partition them between the various more mainstream OS types, thus focusing our attention on the comparison of various systems rather than the overall problem of security vulnerabilities that affect computer based products as is the stated clarified intention. Various significant operating systems are missing, seemingly justified due to not having been defined consistently (one category may contain all versions of that OS, a subset of versions of an OS but having no indication of which, or another OS not appearing at all). The casual division of system vulnerabilities invalidates any justification of dropping a category with lower severity counts from the list and even if the it is a valid omission, the perception it gives to the reader is one of doubt of credibility rather than being of any valid use at all. Then, in the original fourth point made in the article’s introduction is poorly written and is (or seems to imply) that the reasoning is circular: we should determine the most vulnerable particular operating systems so we can focus on fixing them but we determine the vulnerability of a system by the count of the major vulnerabilities that have been found (and fixed or may be fixed or may not be); but really we shouldn’t ignore the need to fix the vulnerabilities of any OS we support…but it’s important to know those that have the most problems…and on. That’s my impression of what is being said and it may not even be close to what was intended but I’m left with that impression after reading it and I really don’t want to have to read it again to see if that’s right or wrong.
I think that the main point I can get from the article is that security vulnerabilities are increasing over time (or perhaps are being found more often). Also I think I see that the worst vulnerabilities aren’t confined to one particular OS (or version) and any of the players may end up as better or worse than another or others at different times. That’s still a guess as the methodology used to produce the results appears to be poorly done (or is poorly described) but “it seems right to me” [which is one of my favorite justifications from someone’s blog who is speaking of a website that provided the information being used to support either increased alien abductions, the world’s end or perhaps achievement of perfection when the Mayan calendar “ends” or some mass conspiracy subject boding our ultimate doom]. So based on that I guess I need to revise my conclusions to the conclusive feeling that “rising vulnerabilities are important and require our attention” and that conclusion feels possible enough to at least search for similar conclusions that have a more rigorous base of support.
And two suggestions:
1) If the available data can’t be partitioned into a defensible set of categories that can be validly compared to produce statistics that support your argument then either fix that problem by further investigation and clarification of the underlying facts before attempting to state justifiable conclusions (and especially when they are to be published publicly).
2) If you find yourself creating a ranked list of some sort, especially if it contains items that have become “devisive” or “emotively charged,” but that list isn’t strongly supported or is more of an offshoot to the point you actually want to make (but, hey, people love lists and they make things look so organized and well thought out!; or, I spent too much time making this list not to include it!) then don’t put it in and think it will make things better (for obvious reasons, I think.)
I personally don’t think that a list comparing vulnerabilities of major operating systems could be constructed that would be defensible enough to use for comparison. So if you want your information considered and not trashed, don’t compare the problems and systems (in poorly designated categories). Reframe the information so that the various problems and issues can be considered in their own right and actively avoid whatever is not absolutely necessary to the discussion that might inflame people’s emotions.
[Too long…and I put in my own list, too. But it’s not ranked! I hope what I’ve said is understood as constructive.]
1. Melanie Hart May 12, 2015 at 12:14 pm
  Hey Zhora, thank you so much for your reply. I think you might find this blogpost which talks about the pitfalls of interpreting vulnerability data very interesting – http://www.techtalk.gfi.com/interpreting-data/
  Zhora May 14, 2015 at 1:12 am
  Thanks Melanie, I liked the balance of his post, how he could talk about specific vulnerabilities of a system and make his point without casting unnecessary blame on the vendor to do so. (There are times when criticizing the vendor would be appropriate but an undeserved attack isn’t the best way to get a vendor, or others, to hear what you’re saying, much less act on it.) Also, I liked what he said about the role that context plays in assessing vulnerability. Thanks again his post out.
vikram@cloudsecurity July 22, 2015 at 1:34 pm
As we know that in digital world you can’t say that very thing is secured but to be secured each and every one have to take some steps so that there should not be any gap to breach your security.
Lee July 29, 2015 at 1:15 am
I just took a Statistics class for a master’s degree and a funny thing about statistics is the process or analysis can be shown to prove almost anything but maybe not the right thing. In other words depending on how the tests were conducted the results can be misleading. I have both Imac 27′ with 5K Retina display, and I have Windows 8.1 on HP laptop. All of the updates I have gotten for my iMacs have been free, I have paid God only knows how much for Windows’ Operating System updates and antivirus and antimalware programs for windows and haven’t had a problem with my iMac in 8 years on the web. I don’t download third party applications like OSX warns you not to, and I have my system backed up with time machine so I can go to any past date I want and reload without loosing my data. OSX and Linux are a lot more secure than microsoft will ever be so to Bill Gates and Fake Bill Gates I say Baloney. But that’s just me.
1. BubbleHead July 29, 2015 at 4:15 pm
  @Lee. Microsoft has never charged for OS updates for its supported operating systems, and the support cycle for different Windows OS versions is relatively generous (Windows XP was released in 2001, and Microsoft was still releasing free security updates up until 2014), so if you were paying for OS updates, it likely means you were running an outdated OS version, rather than updating to a current, more secure version like the rest of us. @Lee, 2001 called, it wants its operating system back. Windows 8.1 updates are free, so if you are trying to claim that you had to pay for them, its because someone conned you into thinking you had to, which means you are an idiot and not qualified to provide meaningful input to this forum. Judging by the fact you don’t run any 3rd party applications on your machines, I must deduce you only use your computers for simple tasks with applications supplied by Apple and Microsoft (respectively), like word processing and media editing, which means you are a relative novice at computers in general, since the true functionality of computers is only unlocked through the use of 3rd party applications (though in the case of Macs, their choices are a bit sparse in comparison to Windows machines). By the way, Windows 8.1 (like OSX) has anti-virus software built in, so you don’t NEED to spend any extra money on that either if you are just trying to protect your personal computer.
the bsd guy August 1, 2015 at 10:11 pm
why not freebsd

Comments are closed.

If you have used this form and would like a copy of the information held about you on this website, or would like the information deleted, please email privacy@gfisoftware.com from the email address you used when submitting this form.