Windows, OS X, and iOS Top 2015's List of Software With the Most Vulnerabilities (venturebeat.com)

An anonymous reader writes: Which software had the most publicly disclosed vulnerabilities in 2015? According to a site called CVE Details, which organizes data provided by the National Vulnerability Database, Apple's Mac OS X was near the top, with 384 vulnerabilities. iOS followed closely, with 375 vulnerabilities. The list splits out Windows into its separate versions, so it's hard to get an accurate count — simply adding them all together yields a total of over 1,000, but there are likely many duplicates. Other top spots went to Adobe's Flash Player, with 314 vulnerabilities; Adobe's AIR SDK, with 246 vulnerabilities; and Adobe AIR itself, also with 246 vulnerabilities. The four major web browsers also ranked quite highly.
  • Android. (Score:4, Insightful)

    by Noah Haders ( 3621429 ) on Friday January 01, 2016 @10:24AM (#51221279)

    I find it hard to believe that iOS would be listed with 375 vulnerabilities, but Android would be listed with 130 vulnerabilities. Everybody knows that Android is insecure as shizz. Something is fishy here.

    • Re:Android. (Score:5, Interesting)

      by AmiMoJo ( 196126 ) <mojo AT world3 DOT net> on Friday January 01, 2016 @10:31AM (#51221301) Homepage

      Maybe because Android isn't nearly as bad as people make out. It's actually got a pretty robust security system so vulnerabilities tend to be rather useless anyway, and there is less value in looking for them. Apple is more reliant on preventing malware through the app store, while at the same time more people are looking for flaws because it's more profitable (e.g. jailbreaks).

      You know you are doing badly when you have more vulnerabilities than Flash, which is a major target and extremely badly written.

      • Re: Android. (Score:5, Informative)

        by Rosyna ( 80334 ) on Friday January 01, 2016 @10:37AM (#51221321) Homepage

        The list is not a list of vulnerabilities. It's a list of known bugs fixed in the last year. It doesn't say anything about the severity of the bugs. For example, since Microsoft never discloses or fixes bugs in Windows Phone, it's very low on the list despite sharing a lot of code with Windows for the desktop. That doesn't mean Windows Phone is somehow more secure.

      • by Bert64 ( 520050 )

        Flash is much smaller than an entire OS... It stands to reason that a larger and more complex system will have more vulnerabilities.

    • Re: Android. (Score:5, Informative)

      by Rosyna ( 80334 ) on Friday January 01, 2016 @10:32AM (#51221303) Homepage

      Because the list includes bugs found and publicly disclosed, the company that fixes the most bugs has the highest number of disclosed bugs in any list. Since Google doesn't really disclose Android bugs, many never get added to the list.

      Furthermore, Apple submits self-found security bugs and gets CVEs assigned to them. Most other vendors do not report self-found bugs.

      • Re: Android. (Score:5, Interesting)

        by matbury ( 3458347 ) on Friday January 01, 2016 @01:03PM (#51221759) Homepage

        In support of @Rosyna's comment: An interesting and relevant anecdote about not thinking through what the evidence tells us: During WWII the allies were losing a lot of bombers from German anti-aircraft defences. They brought in a bunch of statisticians and analysts to work out how to bring that number of bombers shot down, down. They looked at the damaged bombers that had returned to see where they were getting hit and decided to armour those places. Big mistake... why? Well, someone pointed out that those were the bombers that weren't actually shot down and that they should do precisely the opposite and armour the areas that didn't get shot full of holes - The planes that got shot there were the ones that weren't coming back. The new policy was a big success.

        So yes, the software projects that report the most vulnerabilities may be the ones that are working hardest to make their software more secure and may also be more open about it, thereby inviting more vulnerability reporting by independent 3rd parties too.

        tl;dr - Lots of publicly reported bugs may be a good thing! :) (As long as they're being patched, of course).

    • Re:Android. (Score:5, Insightful)

      by JaredOfEuropa ( 526365 ) on Friday January 01, 2016 @10:33AM (#51221309) Journal

      Probably depends on what constitutes a "vulnerability". This ranges from the serious "SMS remotely roots your phone without you knowing about it" to the less serious "If you jailbreak your phone and install this dodgy Chinese app, an attacker who gets his hands on your phone may be able to read your last Tweet without having to enter your PIN". The number of vulnerabilities in itself is a crappy measure of security.
    • Publicity.

      Android is open source so it's a target for those that hunt for fame. iOS is closed source so it's harder to find the problems and thus they get less publicity since most are fixed internally.

      In reality Android is more secure since it's open source and all errors are easier to find for fame hunters.

      • Re: Android. (Score:5, Informative)

        by Rosyna ( 80334 ) on Friday January 01, 2016 @10:40AM (#51221329) Homepage

        This is incorrect. If you look at any release notes [apple.com] for any Apple security update you will see numerous CVE that were discovered internally by Apple.

        • Apple releases iOS when they feel like it. Google releases Android semi-annually (until recently, which I'm sure the security updates are exactly that -- fixing vulnerabilities). The fact that the release process was such a PITA has no relation to how much Android devs were hardening their system.
          • Apple releases iOS when they feel like it. Google releases Android semi-annually (until recently, which I'm sure the security updates are exactly that -- fixing vulnerabilities). The fact that the release process was such a PITA has no relation to how much Android devs were hardening their system.

            In case you haven't noticed, iOS pretty much gets updated continuously, or at least several times per year, with a major new release every September, when the new iOS hardware debuts.

            So, although you can mischaracterize this as "when they feel like it"; the reality is that iOS is updated ALL THE WAY OUT TO THE USERS far more frequently than Android.

    • by Anonymous Coward

      Android isn't insecure because it's full of bugs, it's insecure because out of those 130 vulns discovered, approximately 0 will get patched by the vendors.

      • That's not *Android* being insecure, that's the vendors' products being insecure. Those of us with Nexus devices get patches as they're released by Google, which happens quite quickly.
        • That's not *Android* being insecure, that's the vendors' products being insecure. Those of us with Nexus devices get patches as they're released by Google, which happens quite quickly.

          So do those of us with iOS devices.

          Jus' sayin'...

        • Unless you have an older Nexus device, then you're just as screwed as everyone else who is stuck on Android 2.x or 4.x.

          • Huh... [androidpolice.com] What more do you want? Once it's 2 years old it's well past obsolete, and at 3 years it's unlikely current versions of many popular apps (e.g. what you can get from the market) will run on it.

            And, even before that announcement, Google's policy [google.com] has been to provide updates for 3 years from date of first sale, or 18mo from date of last sale in the Google store, whichever is longer. That sure beats most of Apple's offerings (I think they had one model that had support for longer than 18mo from last sal
            • To clarify, the newest Nexus phone that is stuck on 4.x is the Galaxy nexus, which is over 4 years old. Is that what you're complaining about?

              If so, you need to remember that it's only "stuck" if you insist on running a factory image; there are plenty of Lollipop and Marshmallow ROMs [xda-developers.com] to choose from.
      • Android isn't insecure because it's full of bugs, it's insecure because out of those 130 vulns discovered, approximately 0 will get patched by the vendors.

        Actually, this is not completely true. A large part of Android is now in APKs and system-related APKs get updated silently, unlike apps that require the user to approve updates.

    • Re:Android. (Score:5, Insightful)

      by dgatwood ( 11270 ) on Friday January 01, 2016 @11:24AM (#51221453) Homepage Journal

      Many of the security problems with Android are design problems rather than bugs. iOS tends to let the user control app access to shared data, whereas Android tends to put control over access rights in the hands of the developers. Android is getting better at this in recent versions, but there's still a bit of a stigma because of historical problems.

      And as other folks have mentioned, Android's biggest problem is that Google lets hardware developers ship custom versions of the OS in ways that make future updates dependent on the hardware vendor. Companies that make cheap commodity hardware have little incentive to provide those updates, because they are better off selling replacement hardware. As a result, last I checked, a staggering percentage of Android users were running old, unpatched versions of the OS. So Android is insecure because Android *was* insecure when the devices shipped.

      • Many of the security problems with Android are design problems rather than bugs.

        Which you admit they've fixed in recent versions.

        The rest of your post, though: +1 as it applies to non-Nexus devices. Since Nexus devices *do* see updates, those tend to be much more secure.

      • by xonen ( 774419 )

        Companies that make cheap commodity hardware have little incentive to provide those updates, because they are better off selling replacement hardware.

        Not in my experience. The phones they sell you here with a contract rarely get patched, despite the big mobile names from both operators and manufacturers behind it.

        The cheap C-brand Android phones I order in China not only offer more value for money, but happily receive regular firmware updates.

        At least in Europe many telecoms offer the inverse service. Instead of buying extra good service, you pay to get ripped off and run outdated inferior firmware.

        Their motivation may be similar to what you suggested though; they pref

    • The reason for this is likely that there is a big difference between iOS and Android concerning what belongs to the system. It's a bit like Windows and Linux. A bug in XWindow would probably not be counted against "Linux", same for a bug in an RPC package. Both are, on the other side of the fence, part of the OS itself and thus would get counted against "Windows".

      • by KGIII ( 973947 )

        An interesting, to me, aside is that we'll count a vulnerability in IE, Outlook, Windows Mail, Windows Media Player, and all that sort of stuff as a "Windows" vulnerability. Yet, if there's an exploit in SSL, GRUB, or MKUSB then we immediately say, "Linux is the kernel!"

        To be honest, Windows, the OS itself, hasn't really had a whole lot of exploits in a long time. Microsoft has really stepped up their game and have managed to harden it fairly well. Given the ubiquity, the need for backwards compatibility, a

      • by Bert64 ( 520050 )

        Often it's the opposite: Linux distros come with a huge array of software and the distro will announce any bugs in the software they distribute, which results in any given Linux distro having a huge number of security advisories.

    • I seem to recall arguing at length with someone about this on here. Good to see that actual sources (of which he provided none) agree with my position, as well as my own experience.
    • Are the top of the list insecure pieces of crap or are they simply the most active at patching? It doesn't say how many were released by the vendor, how many by other sources, how many had exploits in the wild, or whether they were patched.

  • Adding together? (Score:4, Interesting)

    by Calydor ( 739835 ) on Friday January 01, 2016 @10:25AM (#51221283)

    Why would you add different versions of Windows together if you're not adding different versions of iOS or Linux together? Bash Microsoft all you want, sure, but hold them to the SAME standard as the rest, not a far harsher one.

    • by Rosyna ( 80334 ) on Friday January 01, 2016 @10:33AM (#51221313) Homepage

      All versions of Mac OS X and iOS are being added together already in the list.

    • Re:Adding together? (Score:4, Interesting)

      by ShanghaiBill ( 739463 ) on Friday January 01, 2016 @10:41AM (#51221339)

      Why would you add different versions of Windows together if you're not adding different versions of iOS or Linux together?

      Linux, iOS, and OSX tend to improve monotonically, so few people are running older versions. With Windows, new versions are often worse than their predecessors, so older versions are still widely used.

    • Re:Adding together? (Score:4, Informative)

      by darthsilun ( 3993753 ) on Friday January 01, 2016 @10:43AM (#51221343)

      Why would you add different versions of Windows together if you're not adding different versions of iOS or Linux together?

      They are! Did you even glance at the article?

      I wonder how much overlap there is between the Debian, Ubuntu, Fedora, and OpenSuSE counts?

      And nothing for RHEL or CentOS? Good to know.

    • The Slashdot title doesn't match the article either: it lists Windows first, whereas it doesn't appear in the Venture Beat title.
  • Um, so the most popular OSes in the world had the most reported vulnerabilities?

    duh?

  • Looks like Linux is better than Windows at something.

    • by KGIII ( 973947 )

      I dunno how accurate that is. See, I work hard to be objective and unbiased. I'll see how well I can articulate this, 'tis not my strong suit.

      I use Lubuntu. I also have some Ubuntu installs. I also have some Mint installs and Mint is a derivative of Ubuntu. On top of this, I have all of those (except for server installs) set to update daily. Sometimes, out of boredom, I even will update manually in the middle of the day to see what's going on and if anything new has come down the pipe.

      That said, I also read

  • I would be interested to know what version of Windows is the one at position 39, as it looks safer to use than the other ones.

    I might even consider switching from Linux...

    • by Anonymous Coward

      A detailed list for that Windows entry can be viewed here:
      http://www.cvedetails.com/vulnerability-list/vendor_id-26/product_id-3435/year-2015/Microsoft-Windows.html

      It still doesn't say precisely which version of Windows it is, but it tells what the individual fixes are. 40 out of 41 can be triggered remotely. Also the scores of most of them are well into the red area. On the other hand, OSX may have more fixes, but the percentage of local issues (non-remote) is much higher and the scores are rarely red. OSX lin

  • by QuietLagoon ( 813062 ) on Friday January 01, 2016 @11:48AM (#51221537)
    I had always read that Apple's OS-X operating system was secure and that its users didn't have to worry about viruses and security vulnerabilities.

    .
    What happened? Did Apple mess up its development process?

    • No, Apple assigns and patches security vulnerabilities in everything from its (open source) BSD core to their web stacks running in OS X Server. Also iOS == OS X so the vulnerabilities largely overlap. They also list potential vulnerabilities such as buffer overflows and input sanitization issues even without working exploits.

      So you could have stuff from Mach-O to OpenSSL, Samba to Apache and Tomcat all mapping as OS X bugs. On the other hand Microsoft and some others don't even fix bugs without a working exploit, much less report them.

    • OS-X has never been "secure" just like Linux was never "secure" as demonstrated by long standing vulnerabilities.

      That doesn't change the fact that on the whole you don't need to worry much about the viruses and vulnerabilities. The open attack surface doesn't matter much if the popularity (or lack of) makes attacking the platform economically unexciting.

      Whenever competitions are held to exploit various pieces of software they all fall regardless if it's closed source from a hated vendor, closed source from

    • I had always read that Apple's OS-X operating system was secure and that its users didn't have to worry about viruses and security vulnerabilities.

      . What happened? Did Apple mess up its development process?

      People write all kinds of things about OS X much of which is not true and that bit about it having no vulnerabilities is at the top of the list of crap statements about OS X along with claims that OS X is closed source. Apple has in the past tried to score marketing points with the fact that there is less malware floating around for OS X which I thought was pretty stupid since they were pushing security through obscurity as a feature which is guaranteed to come back and bite you. As far as I know even Apple

    • Nope, Apple didn't mess up. Just idiots like you who parrot shit someone else said without actually knowing if the person saying it was anything other than a rabid fanboy like yourself.

      The only people who say stupid things like what you're claiming are people who don't know what they are talking about. If those are the people you are using for reference when it comes to computers, you're probably just as stupid as they are. It's generally a good idea to take your cues from people in the know, rather than

      • Linux is one of the largest deployed operating systems in the world. Even very old versions like 2.2 are still prevalent in embedded devices that are never updated. If you're looking at all the consumer devices out there, Linux is running a LOT and most of them are unmanaged. For every Windows XP/2000 embedded still out there for which people are scrambling to contain them (often by using an unmanaged Linux based system) there is at least a magnitude more of the same era running Linux.

        If you want to collect

    • Have you heard it from anyone who wasn't making a straw-man argument?

  • It's one thing to list bug fixes as vulnerabilities but it's a bit misleading. Is it extremely minor or does it fully root the system? It would be way more informative to rate them 1-5 so at least someone could have a basic understanding of how bad the situation is even if it is somewhat subjective.
    • by Anonymous Coward

      Follow the link in the article. You can get a full list of fixes, including severity on a 1-10 scale, user/admin access, local/remote and a text telling what each fix does. I would rather pick OSX with scale 5 issues, half of them local, than Windows with mainly scale 9-10 issues, mostly remote, even though OSX seems to have a higher count of fixes.
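      The point made in this comment and in the 1-to-5 rating suggestion above, that severity band and local/remote vector say more than a raw count, as an added example (not from the thread, CVE Details or NVD): two constructed product datasets with placeholder ids are summarised by CVSS v2 band and access vector, and the ranking flips depending on which field you sort by.

```python
"""Added example: why a raw CVE count is a poor yardstick. The records below
are constructed samples with placeholder ids, not real CVE entries; the field
names (cvss, vector) are assumptions modelled loosely on NVD's CVSS v2 data."""
from collections import Counter

# CVSS v2 qualitative bands as NVD labels them: Low 0.0-3.9, Medium 4.0-6.9, High 7.0-10.0
def severity_band(score):
    if not 0.0 <= score <= 10.0:
        raise ValueError(f"CVSS score out of range: {score}")
    if score >= 7.0:
        return "High"
    if score >= 4.0:
        return "Medium"
    return "Low"

def summarize(records):
    """Count entries per band and per access vector, and single out remote High ones."""
    bands = Counter(severity_band(r["cvss"]) for r in records)
    vectors = Counter(r["vector"] for r in records)
    remote_high = sum(1 for r in records
                      if r["vector"] == "NETWORK" and severity_band(r["cvss"]) == "High")
    n = len(records)
    return {
        "total": n,
        "bands": dict(bands),
        "vectors": dict(vectors),
        "remote_high": remote_high,
        "remote_high_share": remote_high / n if n else 0.0,
        "mean_score": sum(r["cvss"] for r in records) / n if n else 0.0,
    }

def rank_by(products, field):
    """Order product names by one summary field, highest first."""
    return sorted(products, key=lambda name: summarize(products[name])[field], reverse=True)

# Constructed sample data; ids are placeholders, not CVE identifiers.
PRODUCTS = {
    "product-A": [  # more entries, mostly local and moderate
        {"id": "EXAMPLE-A1", "cvss": 4.3, "vector": "LOCAL"},
        {"id": "EXAMPLE-A2", "cvss": 2.1, "vector": "LOCAL"},
        {"id": "EXAMPLE-A3", "cvss": 6.8, "vector": "NETWORK"},
        {"id": "EXAMPLE-A4", "cvss": 5.0, "vector": "LOCAL"},
        {"id": "EXAMPLE-A5", "cvss": 4.6, "vector": "LOCAL"},
        {"id": "EXAMPLE-A6", "cvss": 9.3, "vector": "NETWORK"},
    ],
    "product-B": [  # fewer entries, mostly remote and severe
        {"id": "EXAMPLE-B1", "cvss": 9.3, "vector": "NETWORK"},
        {"id": "EXAMPLE-B2", "cvss": 10.0, "vector": "NETWORK"},
        {"id": "EXAMPLE-B3", "cvss": 7.5, "vector": "NETWORK"},
        {"id": "EXAMPLE-B4", "cvss": 3.3, "vector": "ADJACENT_NETWORK"},
    ],
}

if __name__ == "__main__":
    # Sorting by total puts product-A first; sorting by remote High entries puts product-B first.
    for field in ("total", "remote_high"):
        print(field, rank_by(PRODUCTS, field))
    for name, recs in PRODUCTS.items():
        print(name, summarize(recs))
```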

  • NVD [nist.gov] and CVE are great tools for finding out if there are vulnerabilities that affect you... but they are largely self-reported and lumping a bunch of bugs into one "vulnerability" only helps with BS lists like this while hurting the usefulness of the databases.

    Please don't use this data for a penis contest.
  • Is Flash's new motto "we try harder"? Disappointed, Flash has always been my favorite for #1.

    • I was kind of disappointed in Oracle. JDK is usually good for at least 100 on their own.

      Oh, that's right... they basically gave up trying to run Java applets in a browser without half a dozen security dialogs two years ago.

  • by Anonymous Coward

    records your every key-press, compresses, encrypts, and sends them all back to Microsoft. Do you think your use of Tor, VPNs, and other encrypted channels were enough to stop anyone from pin-pointing a text on the Internet to you? Yeah, I think that classifies as a vulnerability.

  • Many OS X security issues are related to OpenSSL, a graphics library (JPEG, PNG, etc.) or WebKit. Most of these issues would affect Linux distros and other systems as well. Keep that in mind.

  • Mostly, only remote exploits are interesting.

    If you have local access to the machine, or the machine hosts remote shell accounts, then you care about credentials changes, including privilege escalation.

    Most people have at most a few local users who aren't attacking the systems. So you really don't give a crap about local privilege escalation, since the same can be pretty much accomplished using a screwdriver or a boot into "safe mode", or whatever the OS equivalent happens to be.

    If you are a server hosting

  • by Anonymous Coward

    It is unbelievable how Adobe manages to create so many vulnerabilities from one year to the next. If a single web video plugin (Flash) manages to contain almost as many vulnerabilities as whole operating systems, then Adobe really has a problem in their process. The company board should get rid of the technology management, as they clearly do not have a clue about software development.

    • You forget about the many security flaws Microsoft and Apple do not tell us about. Can't really compare just by those numbers.
  • So where are all the Flash bashers who claim that every software is perfect except for Flash with its 234242424242342424324 vulnerabilities? OK, 314 vulnerabilities is nothing to party about, but it is apparently industry average...as far as we know. Who knows how many vulnerabilities are known, undisclosed, and still unfixed because cramming in yet another buggy feature is always more important than fixing bugs.
