Which software had the most publicly disclosed vulnerabilities this year? The winner is none other than Apple’s Mac OS X, with 384 vulnerabilities. The runner-up? Apple’s iOS, with 375 vulnerabilities.
Rounding out the top five are Adobe’s Flash Player, with 314 vulnerabilities; Adobe’s AIR SDK, with 246 vulnerabilities; and Adobe AIR itself, also with 246 vulnerabilities. For comparison, last year the top five (in order) were: Microsoft’s Internet Explorer, Apple’s Mac OS X, the Linux Kernel, Google’s Chrome, and Apple’s iOS.
These results come from CVE Details, which organizes data provided by the National Vulnerability Database (NVD). As its name implies, the Common Vulnerabilities and Exposures (CVE) system keeps track of publicly known information-security vulnerabilities and exposures.
Here is the 2015 list of the top 50 software products in order of total distinct vulnerabilities:
You’ll notice that Windows versions are listed separately, unlike OS X. Many of the vulnerabilities across various Windows versions are the same, so there is undoubtedly a lot of overlap. The argument for separating them is probably one of market share, though that’s hard to agree with, given that Android and iOS are not split into separate versions. This is the nature of CVEs.
It’s also worth pointing out that the Linux kernel is separate from various Linux distributions. This is likely because the Linux kernel can be upgraded independently of the rest of the operating system, and so its vulnerabilities are split off.
If we take the top 50 list of products and categorize them by company, it’s easy to see that the top three are Microsoft, Adobe, and Apple:
Keep in mind that tech companies have different disclosure policies for security holes. Again, this list paints a picture of the number of publicly known vulnerabilities, not of all vulnerabilities, nor of the overall security of a given piece of software.
If you work in IT, or are generally responsible for the security of multiple systems, there are some obvious trends to keep in mind. Based on this list, it’s clear you should always patch and update operating systems, browsers, and Adobe’s free products.