A count of the number of CVEs (Common Vulnerabilities and Exposures) issued on different platforms in 2015 has concluded that Apple was the most-advisoried operating system of the year, leading to gloating headlines that OS X is the “most vulnerable” of the lot.
According to CVE Details, Mac OS X (all versions) apparently had 384 CVE advisories in 2015, iOS had 375, with Flash recording 314. Windows CVEs are split out by platform, filling most positions from 10th to 18th, but Redmond's worst product, Internet Explorer, only managed 231 CVEs.
However, simply guffawing at Cupertino is problematic for many reasons.
The first is that the CVE Details survey makes no distinction between severity of vulnerabilities in the list. A low-risk vulnerability (for example, something that can only be exploited by an authenticated local user with administrative privilege) is not the same as a remote code execution bug that's easily exploited.
Second – and this applies to all platforms – many security bugs are cross-platform. A good example is libpng, which is everywhere from browsers to smart-watches. It may have had only had four advisories in 2015, but that will have drawn patches from a lot of other vendors.
Third: CVE Details seems arbitrary in its assignment of CVE to project. Hence, for example, a bunch of LibreOffice/OpenOffice bugs are counted as Debian CVEs, as are some Oracle MySQL bugs.
Fourth: CVEs only count reported vulnerabilities. They don't count anything that's being hoarded, whether by security agencies or by black-hats, for example. And there's nothing good to come out of turning CVEs into some kind of marketing scorecard.
As everyone's favourite infosec account put it:
Repeat after me: CVE counting is not helpful in gauging security of big players. But people love numbers, no matter how meaningless.— SecuriTay (@SwiftOnSecurity) January 2, 2016
As this chart (rather than the list favoured by most outlets) shows, Microsoft and Adobe both out-CVEd Apple for vulnerabilities “by vendor” across CVE Details' Top 50.
Even that's a problematic count. For example, by restricting the summary to CVEs in the Top 50 list, the summary is very kind to Cisco. Its IOS only racked up 84 vulnerabilities, but across all products, The Borg had a very busy 2015, recording 488 CVEs.
Cisco's to be commended for this, not held up as “less secure than Apple”. It, like most of the majors, is working hard to discover and fix its bugs, and to respond to bugs reported to it. ®