Windows, OS X, and iOS Top 2015's List of Software With the Most Vulnerabilities (venturebeat.com)
An anonymous reader writes: Which software had the most publicly disclosed vulnerabilities in 2015? According to a site called CVE Details, which organizes data provided by the National Vulnerability Database, Apple's Mac OS X was near the top, with 384 vulnerabilities. iOS followed closely, with 375 vulnerabilities. The list splits out Windows into its separate versions, so it's hard to get an accurate count — simply adding them all together yields a total of over 1,000, but there are likely many duplicates. Other top spots went to Adobe's Flash Player, with 314 vulnerabilities; Adobe's AIR SDK, with 246 vulnerabilities; and Adobe AIR itself, also with 246 vulnerabilities. The four major web browsers also ranked quite highly.
Android. (Score:4, Insightful)
I find it hard to believe that iOS would be listed with 375 vulnerabilities, but Android would be listed with 130 vulnerabilities. Everybody knows that Android is insecure as shizz. Something is fishy here.
Re:Android. (Score:5, Interesting)
Maybe because Android isn't nearly as bad as people make out. It's actually got a pretty robust security system so vulnerabilities tend to be rather useless anyway, and there is less value in looking for them. Apple is more reliant on preventing malware through the app store, while at the same time more people are looking for flaws because it's more profitable (e.g. jailbreaks).
You know you are doing badly when you have more vulnerabilities than Flash, which is a major target and extremely badly written.
Re: Android. (Score:5, Informative)
The list is not a list of vulnerabilities. It's a list of known bugs fixed in the last year. It doesn't say anything about the severity of the bugs. For example, since Microsoft never discloses or fixes bugs in Windows Phone, it's very low on the list despite sharing a lot of code with Windows for the desktop. That doesn't mean Windows Phone is somehow more secure.
Re: (Score:2)
Flash is much smaller than an entire OS... It stands to reason that a larger and more complex system will have more vulnerabilities.
Re: Android. (Score:5, Informative)
Because the list includes bugs found and publicly disclosed, the company that fixes the most bugs has the highest number of disclosed bugs in any list. Since Google doesn't really disclose Android bugs, many never get added to the list.
Furthermore, Apple submits self-found security bugs and gets CVEs assigned to them. Most other vendors do not report self-found bugs.
Re: Android. (Score:5, Informative)
There are two ways to get a CVE assigned to an issue. Either report the issue on your software yourself and a CVE gets reserved or have someone else report the issue in your software and a CVE gets assigned.
Neither method actually determines if the CVE is a security issue or the severity if it is a security issue.
Re: Android. (Score:2)
No, they are not all security bugs in the software they were reported for. For example, some people make entries for third-party software when it is, in fact, the OS that prevents the third-party software from securing it.
There have also been times when things like "launching malware runs arbitrary code" get assigned CVE numbers when there hasn't actually been any bug. Because the user explicitly launched the malware.
Re: (Score:1)
I thought the way CVE worked is that it was a thing the US Government did to track vulnerabilities across multiple reporting sites. So there's no need for Microsoft or Google to self-submit a bug; as long as it gets reported somewhere, it ends up in CVE.
Still doesn't make "number of bugs" a really useful metric, especially given that Apple tends to dump all their vulnerabilities into a single report. (So they're probably undercounted if anything - yeah, OS X is that insecure.)
If OS X and iOS are "that insecure", why is it that we are at SIXTEEN YEARS for OS X, and EIGHT YEARS for iOS without a SINGLE actual self-replicating, self-distributing piece of Malware on either platform?
Re: Android. (Score:2)
Dude your analogy makes no sense whatsoever.
Re: (Score:1)
Publicity.
Android is open source, so it's a target for those that hunt for fame. iOS is closed source, so it's harder to find the problems, and thus they get less publicity since most are fixed internally.
In reality Android is more secure since it's open source and all errors are easier to find for fame hunters.
Re: Android. (Score:5, Informative)
This is incorrect. If you look at any release notes [apple.com] for any Apple security update you will see numerous CVEs that were discovered internally by Apple.
Re: (Score:1)
Apple releases iOS when they feel like it. Google releases Android semi-annually (until recently, which I'm sure the security updates are exactly that -- fixing vulnerabilities). The fact that the release process was such a PITA has no relation to how much Android devs were hardening their system.
In case you haven't noticed, iOS pretty much gets updated continuously, or at least several times per year, with a major new release every September, when the new iOS hardware debuts.
So, although you can mischaracterize this as "when they feel like it"; the reality is that iOS is updated ALL THE WAY OUT TO THE USERS far more frequently than Android.
Not bad code, just no updates (Score:2, Insightful)
Android isn't insecure because it's full of bugs, it's insecure because out of those 130 vulns discovered, approximately 0 will get patched by the vendors.
Re: (Score:1)
That's not *Android* being insecure, that's the vendors' products being insecure. Those of us with Nexus devices get patches as they're released by Google, which happens quite quickly.
So do those of us with iOS devices.
Jus' sayin'...
Re: (Score:2)
Unless you have an older Nexus device, then you're just as screwed as everyone else who is stuck on Android 2.x or 4.x.
Re: (Score:2)
And, even before that announcement, Google's policy [google.com] has been to provide updates for 3 years from date of first sale, or 18mo from date of last sale in the Google store, whichever is longer. That sure beats most of Apple's offerings (I think they had one model that had support for longer than 18mo from last sal
Re: (Score:2)
If so, you need to remember that it's only "stuck" if you insist on running a factory image; there are plenty of Lollipop and Marshmallow ROMs [xda-developers.com] to choose from.
Re: (Score:2)
Android isn't insecure because it's full of bugs, it's insecure because out of those 130 vulns discovered, approximately 0 will get patched by the vendors.
Actually, this is not completely true. A large part of Android is now in APKs, and system-related APKs get updated silently, unlike apps that require the user to approve updates.
Re: (Score:1)
And you're a dumb little shit.
That's why I keep coming back to Slashdot: The erudite intellectual discourse.
Re:Android. (Score:5, Insightful)
Many of the security problems with Android are design problems rather than bugs. iOS tends to let the user control app access to shared data, whereas Android tends to put control over access rights in the hands of the developers. Android is getting better at this in recent versions, but there's still a bit of a stigma because of historical problems.
And as other folks have mentioned, Android's biggest problem is that Google lets hardware developers ship custom versions of the OS in ways that make future updates dependent on the hardware vendor. Companies that make cheap commodity hardware have little incentive to provide those updates, because they are better off selling replacement hardware. As a result, last I checked, a staggering percentage of Android users were running old, unpatched versions of the OS. So Android is insecure because Android *was* insecure when the devices shipped.
Re: (Score:2)
Many of the security problems with Android are design problems rather than bugs.
Which you admit they've fixed in recent versions.
The rest of your post, though: +1 as it applies to non-Nexus devices. Since Nexus devices *do* see updates, those tend to be much more secure.
Re: (Score:2)
I love how nothing is ever precious Google's fault.
Re: (Score:2)
Companies that make cheap commodity hardware have little incentive to provide those updates, because they are better off selling replacement hardware.
Not in my experience. The phones they sell you here with a contract rarely get patched, despite the big mobile names from both operators and manufacturers behind it.
The cheap C-brand Android phones I order in China not only offer more value for money, but happily receive regular firmware updates.
At least in Europe many telecoms offer the inverse service. Instead of buying extra good service, you pay to get ripped off and run outdated inferior firmware.
Their motivation may be similar to what you suggested though, they pref
Re: (Score:2)
The reason for this is likely that there is a big difference between iOS and Android concerning what belongs to the system. It's a bit like Windows and Linux. A bug in X Window would probably not be counted against "Linux", same for a bug in an RPC package. Both are, on the other side of the fence, part of the OS itself and thus would get counted against "Windows".
Re: (Score:1)
An interesting, to me, aside is that we'll count a vulnerability in IE, Outlook, Windows Mail, Windows Media Player, and all that sort of stuff as a "Windows" vulnerability. Yet, if there's an exploit in SSL, GRUB, or MKUSB then we immediately say, "Linux is the kernel!"
To be honest, Windows, the OS itself, hasn't really had a whole lot of exploits in a long time. Microsoft has really stepped up their game and have managed to harden it fairly well. Given the ubiquity, the need for backwards compatibility, a
Re: (Score:2)
Often it's the opposite: Linux distros come with a huge array of software, and the distro will announce any bugs in the software they distribute, which results in any given Linux distro having a huge number of security advisories.
Re: (Score:2)
Are the top of the list insecure pieces of crap, or are they simply the most active at patching? It doesn't say how many were released by the vendor or other sources, how many had exploits in the wild, or whether they were patched.
Adding together? (Score:4, Interesting)
Why would you add different versions of Windows together if you're not adding different versions of iOS or Linux together? Bash Microsoft all you want, sure, but hold them to the SAME standard as the rest, not a far harsher one.
Re: Adding together? (Score:4, Insightful)
All versions of Mac OS X and iOS are being added together already in the list.
Re: Adding together? (Score:2)
It only counts fixed bugs, so for Mac OS X, that'd be bugs in 10.8.x and later for 2015.
The funny part is the AppleTV bug list. Apple lists CVE numbers for WebKit in AppleTV security updates (as all 2nd gen and later AppleTVs share code with iOS) even though the WebKit framework is inaccessible.
That is, there's no way to trigger those bugs but they still get counted.
Re:Adding together? (Score:4, Interesting)
Why would you add different versions of Windows together if you're not adding different versions of iOS or Linux together?
Linux, iOS, and OSX tend to improve monotonically, so few people are running older versions. With Windows, new versions are often worse than their predecessors, so older versions are still widely used.
Re:Adding together? (Score:4, Informative)
Why would you add different versions of Windows together if you're not adding different versions of iOS or Linux together?
They are! Did you even glance at the article?
I wonder how much overlap there is between the Debian, Ubuntu, Fedora, and OpenSuSE counts?
And nothing for RHEL or CentOS? Good to know.
the most popular OSes... (Score:2)
um, so the most popular OSes in the world had the most reported vulnerabilities?
duh?
Ubuntu wins (Score:2)
Looks like Linux is better than Windows at something.
Re: (Score:1)
I dunno how accurate that is. See, I work hard to be objective and unbiased. I'll see how well I can articulate this, 'tis not my strong suit.
I use Lubuntu. I also have some Ubuntu installs. I also have some Mint installs and Mint is a derivative of Ubuntu. On top of this, I have all of those (except for server installs) set to update daily. Sometimes, out of boredom, I even will update manually in the middle of the day to see what's going on and if anything new has come down the pipe.
That said, I also read
Which Windows is "Windows"? (Score:2)
I would be interested to know what version of Windows is the one at position 39, as it looks safer to use than the other ones.
I might even consider switching from Linux...
Re: (Score:2)
Most likely it is XP.
Bah, I'll stick to Linux.
Re: (Score:1)
A detailed list of that windows can be viewed here:
http://www.cvedetails.com/vulnerability-list/vendor_id-26/product_id-3435/year-2015/Microsoft-Windows.html
It still doesn't say precisely which version of Windows it is, but it tells what the individual fixes are. 40 out of 41 can be triggered remotely. Also the scores of most of them are well into the red area. On the other hand, OSX may have more fixes, but the percentage of local issues (non-remote) is much higher and the scores are rarely red. OSX lin
Re: (Score:1)
If you've not seen 'em, they're a quasi-frequent troll. I think it's copypasta. I'm going to guesstimate that they've been posting that for the past six months. It's not as frequent as Goatse, Cow, APPS!, or the Republicans hate us and want us to die but it's not actually original content or anything.
Yes, yes I do get bored and visit frequently. I've almost always got a Slashdot tab open so I meander over and read to see if someone's said something interesting. Usually the answer is in the affirmative - whi
Re: (Score:2)
Rust does not have a preprocessor thus is no worthy replacement for C.
Re: (Score:1)
Assuming you speak of the (patched) GRUB issue, that just gets 'em past the boot loader. That doesn't actually get them into the OS, doesn't actually decrypt the /home directory, and doesn't enable them to do anything they probably couldn't already do just by using a Live USB disk.
Yes, it was a silly bug and one that survived for a long time. However, most of us don't even use that and it doesn't actually purport to be much in the way of a security feature. Of the few places where I could see someone making l
But... but... wasn't OS-X supposed to be secure? (Score:3, Funny)
What happened? Did Apple mess up its development process?
Re: But... but... wasn't OS-X supposed to be secur (Score:5, Informative)
No, Apple assigns and patches security vulnerabilities in everything from its (open source) BSD core to their web stacks running in OS X Server. Also iOS == OS X, so the vulnerabilities largely overlap. They also list potential vulnerabilities such as buffer overflows and input sanitization issues even without working exploits.
So you could have stuff from Mach-O to OpenSSL, Samba to Apache and Tomcat all mapping as OS X bugs. On the other hand Microsoft and some others don't even fix bugs without a working exploit, much less report them.
Re: (Score:1)
Dude... I love to hate on Apple as much as the next graybeard but, really, having the most patched vulnerabilities is not necessarily a bad thing and, based on what I know and can see, the OS X operating system is, factually, quite secure by default. The greatest vulnerability that any operating system or software has is not actually in the code itself but in the seat of the user, in the minds of the maintainer, and in the implementation on the stack.
Hate on OS X all you want but, really, it's pretty damned
Re: (Score:1)
I take that back. In the effort to be accurate and honest, I made a mistake. I do, in fact, have my iPod with me. I did not recollect bringing it with me and I do not recollect having used it since I went on my wanderlust but She Who Must be Obeyed tells me that I do, in fact, have it with me - in my suitcase. How she knows this is beyond me - as not even I remember putting it there, pulling it out, or mentioning it. She was also not even known to me when I started this journey. She did, however, unpack my
Re: (Score:1)
Also, do not tell CanadianMacFan, macs4all, or Noah Haders that I said any of this. I reserve the right to retract the above statement if a desire to go trolling should come along. If they found out that I'd admitted such (though I have before) they might not let me live it down.
Too late, LOL!
I've already saved your post to disk for future bashing sessions! [j/k]
Re: (Score:1)
Hrmf! It wasn't me, it was someone who hacked my account and said that stuff!
Actually, no - it's pretty damned secure by default. You can make it less secure if you want. I understand that OS X has "locked" you out of a few system folders now but I presume there's a way to access them, perhaps by rebooting and using some sort of hidden administrator account? I'd not be surprised if one could set those permissions to allow the user access/control but I'm not sure what the benefit would be except maybe saying
Re: (Score:2)
This is not only for security, but also to stop users breaking things...
Home computers used to come with the OS in ROM which was therefore read only, and having a system which you couldn't break was in many ways beneficial as it gives users the confidence to experiment with the system and learn about it safe in the knowledge that they can't permanently damage it.
I find that people who started out on such systems tend to be more knowledgeable than those who learned on newer more fragile systems.
Re: (Score:1)
OS-X has never been "secure" just like Linux was never "secure" as demonstrated by long standing vulnerabilities.
That doesn't change the fact that on the whole you don't need to worry much about the viruses and vulnerabilities. The open attack surface doesn't matter much if the popularity (or lack of) makes attacking the platform economically unexciting.
Whenever competitions are held to exploit various pieces of software they all fall, regardless of whether it's closed source from a hated vendor, closed source from
Re: (Score:1)
I had always read that Apple's OS-X operating system was secure and that its users didn't have to worry about viruses and security vulnerabilities.
What happened? Did Apple mess up its development process?
People write all kinds of things about OS X, much of which is not true, and that bit about it having no vulnerabilities is at the top of the list of crap statements about OS X, along with claims that OS X is closed source. Apple has in the past tried to score marketing points with the fact that there is less malware floating around for OS X, which I thought was pretty stupid since they were pushing security through obscurity as a feature, which is guaranteed to come back and bite you. As far as I know even Apple
Re: (Score:3)
Nope, Apple didn't mess up. Just idiots like you who parrot shit someone else said without actually knowing if the person saying it was anything other than a rabid fanboy like yourself.
The only people who say stupid things like what you're claiming are people who don't know what they are talking about. If those are the people you are using for reference when it comes to computers, you're probably just as stupid as they are. It's generally a good idea to take your cues from people in the know, rather than
Re: But... but... wasn't OS-X supposed to be secur (Score:2)
Linux is one of the largest deployed operating systems in the world. Even very old versions like 2.2 are still prevalent in embedded devices that are never updated. If you're looking at all the consumer devices out there, Linux is running a LOT and most of them are unmanaged. For every Windows XP/2000 embedded still out there for which people are scrambling to contain them (often by using an unmanaged Linux based system) there is at least a magnitude more of the same era running Linux.
If you want to collect
Re: (Score:2)
Have you heard it from anyone who wasn't making a straw-man argument?
Kind of misleading (Score:2)
Re: (Score:1)
Follow the link in the article. You can get a full list of fixes, including severity on a 1-10 scale, user/admin access, local/remote and a text telling what each fix does. I would rather pick OSX with scale 5 issues, half of them local than windows with mainly scale 9-10 issues, mostly remote even though OSX seems to have a higher count of fixes.
Hope this article gets buried (Score:2)
Please don't use this data for a penis contest.
flash (Score:2)
Is Flash's new motto "we try harder"? Disappointed, Flash has always been my favorite for #1.
Re: (Score:2)
I was kind of disappointed in Oracle. JDK is usually good for at least 100 on their own.
Oh, that's right... they basically gave up trying to run Java applets in a browser without half a dozen security dialogs two years ago.
Windows 10 (Score:1)
records your every key-press, compresses, encrypts, and sends them all back to Microsoft. Do you think your use of Tor, VPNs, and other encrypted channels was enough to stop anyone from pin-pointing a text on the Internet to you? Yeah, I think that classifies as a vulnerability.
OS X security (Score:2)
Many OS X security issues are related to OpenSSL, a graphics library (JPEG, PNG, etc.) or WebKit. Most of these issues would affect Linux distros and other systems as well. Keep that in mind.
Mostly, only remote exploits are interesting. (Score:2)
Mostly, only remote exploits are interesting.
If you have local access to the machine, or the machine hosts remote shell accounts, then you care about credential changes, including privilege escalation.
Most people have at most a few local users who aren't attacking the systems. So you really don't give a crap about local privilege escalation, since the same can be pretty much accomplished using a screwdriver or a boot into "safe mode", or whatever the OS equivalent happens to be.
If you are a server hosting
Adobe shareholders should act now (Score:1)
It is unbelievable how Adobe manages to create so many vulnerabilities from one year to the next. If a single web video plugin (Flash) manages to contain almost as many vulnerabilities as whole operating systems, then Adobe really has a problem in their process. The company board should get rid of the technology management, as they clearly do not have a clue about software development.
Flash bashers? (Score:1)