
OS X and iOS Vulnerabilities Top Security Vulnerability Chart, Far Ahead of Windows

Posted on February 25th, 2015 by

Security holes

Here is some news which will upset the Apple fanboy in all of us.

A new report has found that the number of high severity security vulnerabilities increased in 2014, and the Mac OS X and iOS operating systems dominate the chart, while Windows recedes.

In short: security researchers are saying that Mac OS X is the most vulnerable operating system out there.

In total, 147 vulnerabilities were reported in OS X during 2014, with 64 rated as "high severity." Those are the most serious vulnerabilities that could be exploited by an attacker remotely. Meanwhile, 67 of the vulnerabilities were given a medium severity.

A combined 127 vulnerabilities were reported for iOS, with 32 of the security flaws rated high severity, and 72 medium.

Steel yourself, and take a quick look at the chart produced by security firm GFI:

Operating system vulnerabilities

The chart doesn't seem to be entirely fair from my perspective. For instance, each version of Microsoft Windows gets its own entry—but Apple operating systems have their different versions lumped together.

Still, there's a clear message here that Apple OSes are frequently the subject of serious vulnerability discovery, which may come as a shock to those who dream that their devices "just work" perfectly.

The Good, The Bad, and The Ugly

If you wanted to try to put a positive spin on things, you might argue that it is good that so many vulnerabilities are being found in Apple operating systems, as that (hopefully) means they are getting patched promptly. And who knows how many more severe vulnerabilities there might be in, say, Windows that as yet lie undiscovered?

You might also convince yourself that it doesn't matter that much just how many vulnerabilities are found in an operating system, but how actively attackers are attempting to exploit them in order to compromise systems or infect them with malware.

It's well known, for instance, that the number of new malware variants created for Macs is tiny compared to the onslaught analysed on Windows by anti-virus labs every day.

Not that any of this means that you shouldn't take security seriously, of course, and this doesn't negate the importance of applying security updates and running Mac anti-virus software. In an ideal world, these vulnerabilities should have been found and fixed before the software ever shipped out of Cupertino.

Every vulnerability found may be good news ("it's been found!"), but it's also a failure of quality control and testing.

Interestingly, things take a less Apple-y turn when you examine the chart showing not the list of operating systems with the most vulnerabilities—but the chart of applications with the most reported vulnerabilities.

And what do we find? Microsoft Internet Explorer is riddled with so many security holes that you might as well think of it as the Swiss cheese of web browsers.

Application vulnerabilities

Bet you're glad that you can't get Internet Explorer for your Mac any more, aren't you? 🙂

And it's no surprise at all to see familiar faces like Adobe Flash and Java taking a prominent position in this list alongside the most popular browsers.

Multi-Layered Approach to Security

In a nutshell, the takeaway from studies like this is not to crow about how much better one operating system might be than another, but instead to remember that security must be taken seriously whatever flavour of OS you decide to run on your computer.

Basically, keep your security patches up to date or suffer the consequences! This highlights the fact that a multi-layered approach to security is the best method to protect your digital life from the bad guys.

That is very easy for us to say, but not always easy for the average computer user to do. There are still many people using older versions of OS X and iOS who might not be able to update their iPhones or iMacs, because their hardware no longer supports the latest and greatest (and safest) version.

Even though Apple has made some things better by making OS updates available for free, I do wish that they made more efforts to support legacy versions of their operating systems with security updates.

It's more effort for them to do, of course, but surely those users who made a purchase a few years ago deserve to be kept updated against the latest security vulnerabilities as much as those who just bought a shiny new gadget in the Apple Store last weekend?

About Graham Cluley

Graham Cluley is an award-winning security blogger, researcher and public speaker. He has been working in the computer security industry since the early 1990s, having been employed by companies such as Sophos, McAfee and Dr Solomon's. He has given talks about computer security for some of the world's largest companies, worked with law enforcement agencies on investigations into hacking groups, and regularly appears on TV and radio explaining computer security threats. Graham Cluley was inducted into the InfoSecurity Europe Hall of Fame in 2011, and was given an honorary mention in the "10 Greatest Britons in IT History" for his contribution as a leading authority in internet security. Follow him on Twitter at @gcluley.
  • Dan

    Not too much… the article is flawed! They single out versions of Windows, but put all versions of OS X and iOS into one pool along with Linux. One could argue that the updates are probably the same across the Windows versions, then why not just bundle them into one as well if that is true? You could add IE into the OS for Windows as well since it's more integrated into the OS, and again it's way over the others. Either single out OS X, iOS and Linux versions or the article is FUD!!

    • Eric

      Yep, seriously flawed. I counted 248 for MS Windows.

      • Gareth David

        And what about most of them overlapping…

    • Coyote

      If anything the chart is flawed. Big difference. Note that he didn’t create the chart (he links to another site for this, even!) as basic reading comprehension would show you. Ironically he also stated exactly what you did: that they separated Windows. It never fails to amuse me just how widespread poor reading comprehension is. Okay, fine, mistakes happen but it is quite obvious that there is poor reading comprehension or the Apple fan in you blinds you.

      As for updates being the same, that is NOT how it works. For example, the Linux kernel [Linux is a kernel, not an OS per se] has the 2.6.x tree, the 3.x.y trees, the rc 4.x.y tree and there were many more over the years. The API changes are not exactly little, as is expected by the major version. Sorry, but it isn’t that simple. Updates are never that simple! In the end – and this is what matters, at least to any worthy statistician – it is up to those who did the research; you can’t really infer something from research if they didn’t consider it, can you? In fact, if you followed the link, you’d actually see that they address this issue directly and why they grouped it in such a way. It might be good, at least if you’re technically interested, if you read it. Aside from this, they end by:

      “To conclude, the aim of the article is NOT TO BLAME ANYONE – Apple or Linux or Microsoft. The message I am trying to

      … which is the bottom line. (I uppercased the part that you also missed from this article)

      Incidentally, because of said blindness (that I suggest), you missed the point in full, something he also made clear, and something that applies to much more than computers. Particularly the point about what security consists of (layered) and that it doesn’t matter which OS you use. Reading comprehension would show this too.

      Same goes to Eric, of course.

      Edit: I have to point out something else. It is really, really, really amusing that you liken this article to being FUD. Yes, because it is spreading and abusing fear, causing uncertainty and doubt… to state that security is always an issue instead of only on Windows… If that makes you feel safer or happier, by all means. I hope you don’t maintain many networks, though.

    • Yǒuhǎo Huǒ Māo

      If you have a version of Windows, you’re stuck with it until you upgrade. So I will always have Windows 7 with its 36 vulnerabilities.

      OS X upgrades itself, you never have to buy a new version of OS X since you can just upgrade to the next. An OS X vulnerability is an OS X vulnerability.

      And Graham did point out that specific flaw in the article.

  • George Pollen

    If a vendor works harder at and does a better job of identifying (and fixing) vulnerabilities in their product, does that mean their product is less secure? Why are Windows systems compromised so much more often if they have fewer vulnerabilities?

    • Coyote

      More users (customers), for one thing. No privilege separation (last I knew…), for another. There is also more to compromising a system than known flaws (and I am not even considering social engineering, which is a big issue). There are many more. No, it isn’t that Microsoft is somehow better than the others (as some others below seem to think the article is claiming/suggesting/whatever); they actually aren’t. That was beside the point, really. The main point was that just because it has fewer issues doesn’t mean it is to be dismissed as having no issues.

    • Bruce N. Wheelock

      Microsoft has more products being used by more people than do its competitors, which translates into a greater likelihood that somebody is going to bump into an undiscovered problem more frequently. To use an analogy, a hole in a road used by 1000 cars a day is going to be hit more often than a hole in a road used by 10 cars a day.

      In addition, there are far more “hackers” actively hunting for, and often seeking to exploit, problems in Microsoft products. Not so many people with that mind bent are bothering with OSX, Linux, and the others, because even when they find them, they get no publicity. A lot of work for no acknowledgment. But find a Windows or IE vulnerability, and you may very well get your work written about by non-technical publications, handled by reporters and editors who don’t even understand half the words they type. AP, the New York Times, and CNN pay more attention to Microsoft stories than Apple stories because there are more readers or viewers who care about the former; news reporting is a business, and stories that don’t get viewers or clicks or whatever don’t boost ratings, so they don’t matter so much.

      To put it another way, Apple is a very small target that very few people throw darts at. Microsoft is a very large product that lots of people throw darts at. Just the center circle of the Microsoft target is far bigger than the entire Apple target. Everybody watches people throwing darts at the Microsoft target; hardly anybody is watching the Apple target.

  • Atlas

    Actually the reality is that OS X has fewer than Windows.

    Anyone can check the National Vulnerability and see for themselves.

    For example, Windows 8.1 has 82 vulnerabilities while Apple OS X 10.10 has 9.