
Don’t Believe Headlines That Claim OS X Was The “Most Vulnerable” Software of 2015

Posted on January 5th, 2016 by Graham Cluley

There is an old saying that is always worth remembering: "There are three kinds of lies: lies, damned lies, and statistics."

That's the thought that sprung to my mind in recent days as I read news stories claiming that OS X was the most vulnerable software of the year (e.g. Hackread, SC Magazine, Techworm, Fudzilla, and countless others...).

The news reports stem from a report produced by CVE Details, a website that keeps count of security vulnerabilities based upon their CVE identifiers. According to CVE Details, more new CVE numbers were assigned to Apple during 2015 than any other company.

Yes, more than Adobe or Microsoft or Google or Oracle...

And topping CVE Details' list, as the product with the most identified security vulnerabilities of all, is Apple's OS X operating system.

(Chart: CVE Details' ranking of products by number of vulnerabilities reported in 2015)

According to the chart, OS X scored an impressive 384 vulnerabilities, marginally ahead of iOS at 375, and then a host of Adobe products, but clearly in front of Microsoft's first entry — Internet Explorer — in 7th place with 231 vulnerabilities reported.

In all, the researchers counted 654 publicly disclosed security flaws in Apple products, 83 more than Microsoft, which came second in the corporate table at 571 vulnerabilities, and well ahead of Cisco (488), Oracle (479), Adobe (460), Google (323), IBM (312), and Mozilla (188). But again, these statistics can be misleading.

The fundamental problem with charts like this — or rather the news stories they can generate — is that the assumption that more security advisories equates to greater vulnerability is itself, if you'll excuse the pun, fundamentally flawed.

Why, you ask? Because CVE Details' chart is not telling us anything about the severity of the vulnerabilities that were found, what the potential impact was, or whether the flaws were ever exploited in the wild.

This means that if a company is doing a good job of finding less serious security holes, and patching them promptly, it could still end up high in a chart that the media might portray as ranking the "most vulnerable" software, or the technology company most plagued with security issues.

In reality, a single critical security hole in a piece of software (such as a remote code execution flaw) could easily outweigh the importance of one hundred less important vulnerabilities found in another.

Although the geek in many of us loves the idea of making lists, and ranking software and vendors in an attempt to determine who might be the least or most secure, simply counting the number of publicly disclosed vulnerabilities is not a good way to go about it.
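To make the point concrete, here is a small added example (not from the article or from CVE Details) that profiles advisories per vendor and ranks vendors two ways: by raw CVE count, as the chart does, and by the worst hole each vendor shipped (known exploitation, highest CVSS base score, number of critical-rated flaws). The vendor names and CVSS scores are constructed sample data, not real CVE entries; the severity bands are the standard CVSS v3 qualitative ratings.

```python
"""Raw CVE count versus severity-aware ranking of vendors.

Added illustration with constructed sample data (hypothetical vendors
"VendorA" and "VendorB"; the scores are not real CVE records).
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Vuln:
    """One advisory: vendor, CVSS base score, and whether it is known exploited."""
    vendor: str
    cvss: float
    exploited: bool


def severity(score: float) -> str:
    """Map a CVSS v3 base score to its qualitative severity band."""
    if score >= 9.0:
        return "critical"
    if score >= 7.0:
        return "high"
    if score >= 4.0:
        return "medium"
    if score > 0.0:
        return "low"
    return "none"


# Constructed sample: VendorA publishes many low/medium advisories because it
# finds and patches minor bugs diligently; VendorB publishes few, but one of
# them is a critical remote-code-execution flaw exploited in the wild.
SAMPLE = (
    [Vuln("VendorA", 3.5, False)] * 60
    + [Vuln("VendorA", 5.3, False)] * 35
    + [Vuln("VendorA", 7.5, False)] * 5
    + [Vuln("VendorB", 4.3, False)] * 9
    + [Vuln("VendorB", 9.8, True)]
)


def summarize(vulns):
    """Per-vendor profile: raw count, count per severity band, worst score,
    and number of advisories with known in-the-wild exploitation."""
    profile = {}
    for v in vulns:
        p = profile.setdefault(v.vendor, {
            "count": 0, "critical": 0, "high": 0, "medium": 0, "low": 0,
            "none": 0, "max_cvss": 0.0, "exploited": 0,
        })
        p["count"] += 1
        p[severity(v.cvss)] += 1
        p["max_cvss"] = max(p["max_cvss"], v.cvss)
        p["exploited"] += int(v.exploited)
    return profile


def rank(profile, key):
    """Vendors ordered from 'worst' to 'best' under the chosen measure."""
    ordered = sorted(profile.items(), key=lambda kv: key(kv[1]), reverse=True)
    return [vendor for vendor, _ in ordered]


def rank_by_count(profile):
    """The chart's measure: more advisories means 'more vulnerable'."""
    return rank(profile, lambda p: p["count"])


def rank_by_worst_hole(profile):
    """A severity-aware measure: exploited-in-the-wild first, then the
    highest CVSS score, then the number of critical-rated flaws."""
    return rank(profile, lambda p: (p["exploited"], p["max_cvss"], p["critical"]))


if __name__ == "__main__":
    prof = summarize(SAMPLE)
    for vendor, p in prof.items():
        print(vendor, p)
    print("ranked by raw count:  ", rank_by_count(prof))      # VendorA first
    print("ranked by worst hole: ", rank_by_worst_hole(prof)) # VendorB first
```

With this data the two rankings invert: VendorA tops the count-based table with 100 advisories and nothing rated critical, while VendorB, with a tenth as many, is the one that shipped an exploited critical flaw. Any real comparison would also need patch latency and the installed base, neither of which a CVE tally captures.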

And, by the way, I'm not arguing that Apple is somehow perfect or that OS X isn't troubled with security issues. A quick look back on the Intego Mac Security Blog will find any number of articles about serious vulnerabilities that have been found in Apple's software for OS X and iOS.

But trying to make a sensible conclusion about which software is "most vulnerable" is going to lead you down a path of lies, damn lies, and statistics...

photo credit: flickr photo shared by Cayusa under a Creative Commons ( BY-NC ) license

About Graham Cluley

Graham Cluley is an award-winning security blogger, researcher and public speaker. He has been working in the computer security industry since the early 1990s, having been employed by companies such as Sophos, McAfee and Dr Solomon's. He has given talks about computer security for some of the world's largest companies, worked with law enforcement agencies on investigations into hacking groups, and regularly appears on TV and radio explaining computer security threats. Graham Cluley was inducted into the InfoSecurity Europe Hall of Fame in 2011, and was given an honorary mention in the "10 Greatest Britons in IT History" for his contribution as a leading authority in internet security. Follow him on Twitter at @gcluley.

  • John V. Keogh

    CVE capitalized OS and renamed iOS which flags a warning they do not know whereof they speak.

  • Gen. Chang

    As much as I like to rip Apple… and Google, I completely agree that the number of discovered and reported vulns, bugs, etc. do not reflect overall security. However, it is beneficial for people to understand that ALL software has vulnerabilities.
    Now, the problem with most updates is they are not applied equally by users, and this is where Google largely fails compared to iOS. Most of Apple's hardware received these updates, and Google has more than a gaggle of devices that will NEVER see the most important security updates, let alone advanced OS versions, but yet, I still prefer it over anything Apple. Because, in the end, Google did do their job, but the OEMs and carriers are the most to blame.

  • Americium Dream Documents

    cyb/sec/mac is quite vulnerable:
    OS X is not a true microkernel;
    also, it allows usb devices,
    and yet doesn’t check for firmware modifications
    the way Chrome OS does with verified boot.

    • alex crago

      My favorite part about the article is how it refutes the claim by basically wanting an "*" thrown in and for it to say, "well, since you didn't say what kind of flaws, we are actually the most secure." As if that somehow makes it better.

  • alex crago

    I love how many Apple sheeple there are here. Y'all chill on OS X thinking you are secure. I'll be over here with CentOS, Ubuntu, and Windows for gaming. Such a biased article. Lel, Gaben would be so disappointed. Master Race ftw.

  • Robotica72

    I'll bet if Windows was #1 on the list this article wouldn't protect it as much, would it? So let's take your logic for 2014: OS X had more HIGH issues than Windows as well, or Linux. So you mention the exact fact "Why, you ask? Because CVE Details' chart is not telling us anything about the severity of the vulnerabilities that were found". Well, the 2014 list does, and reinforces that OS X is not as secure as the fans would like you to think it is… None of the OSes are, but to assume OS X is/was bulletproof is just ludicrous and is an old argument of Apple vs. others, be it Linux or Windows. Let's not forget over the years some VERY large holes that took months to patch by Apple….

  • Steve

    I think it’s telling that Flash Player had 80% as many security vulnerabilities as all of OS X — and more than twice as many as any web browser.

    Of course, a computer is hit by vulnerabilities, not vulnerabilities-per-line-of-code, but I get to choose what parts of OS X get run, to a large extent. Lots of pieces of OS X simply never get run unless I choose to use them (like the built-in database clients, for example). Dozens of the OS X CVEs that year were with the font parser, and so if I’m not using any custom fonts, I should be safe from those.

    Flash is a runtime that, by its nature, is used by untrusted programs, so potentially every part of it is exercised all the time, and I have no control over which parts.