
And The Software With Most Vulnerabilities In 2016 Was… Android!

LAwLz


 

If you count the number of vulnerabilities in the CVE system (often hailed as THE source for publicly known vulnerabilities), Android was the software with the most known vulnerabilities in 2016, with a total of 523.

Before anyone loses their mind, please remember that these are just totals and do not put any weight on how severe the vulnerabilities are, or how complex they are to exploit.

 

Here is the "top 20" list:

 #   Product Name          Vendor      Product Type   Vulnerabilities
 1   Android               Google      OS             523
 2   Debian Linux          Debian      OS             319
 3   Ubuntu Linux          Canonical   OS             278
 4   Flash Player          Adobe       Application    266
 5   Leap                  Novell      OS             259
 6   Opensuse              Novell      OS             228
 7   Acrobat Reader Dc     Adobe       Application    227
 8   Acrobat Dc            Adobe       Application    227
 9   Acrobat               Adobe       Application    224
10   Linux Kernel          Linux       OS             217
11   Mac Os X              Apple       OS             215
12   Reader                Adobe       Application    204
13   Windows 10            Microsoft   OS             172
14   Chrome                Google      Application    172
15   Iphone Os             Apple       OS             161
16   Windows Server 2012   Microsoft   OS             156
17   Windows 8.1           Microsoft   OS             154
18   Windows Rt 8.1        Microsoft   OS             139
19   Edge                  Microsoft   Application    135
20   Windows 7             Microsoft   OS             134

 

Another interesting tidbit from this is that Windows 10 (172) had more vulnerabilities than Windows 8.1 (154) and Windows 7 (134). But Mac OS X had even more than those, with 215 in total. Again, this is just the number of vulnerabilities that are publicly known, without taking into consideration how serious they are or how quickly they were fixed (a big problem with Android phones).

 

Last year's "winner" was OS X with 444 vulnerabilities, followed by iOS with 387.

 

 

You can interpret this in a few ways, and there are some things to take into consideration:

1) The software on this list, especially the open source ones, might simply be better at having exploits found, and the less common something is, the fewer vulnerabilities are found and reported.

2) A lot of the software on the list shares the same vulnerabilities so they get counted twice.

3) For the third time, this list only looks at the number of vulnerabilities and nothing else. How quickly something gets patched is very important. What the vulnerabilities do is also important. Being able to read a few bytes from memory while having physical access to a computer is the same as remotely being able to gain admin/root privilege through the click of a button in this list.

 

So while the list itself doesn't really give us any useful information, it is still interesting.

 

 

EDIT: This list shows how many vulnerabilities were discovered during 2016. It is not a list of how many vulnerabilities went unfixed.


It's kind of odd to see a server OS with more vulnerabilities than a client OS that is older. You'd think that Microsoft would have worked a bit more on the Windows Server 2012 vulnerabilities, right? Especially due to how long it's been out?


there's something I don't understand from that list

 

Linux Kernel has 217 hits

when looking at Debian, for example, do I extract the Linux Kernel or are those its own vulnerabilities (OS side)

 

---

 

ps:

I find it really funny how W7 has fewer vulnerabilities than W10 ^_^


Windows 7 safer than Windows 10? so much for the Microsoft telling us to stay as up-to-date as possible to avoid vulnerabilities xD


4 minutes ago, JoaoPRSousa said:

Good to see Windows 10 under Mac OS X :P

Yeah, but it doesn't list the threat level of the vulnerabilities. Windows 10 could have the most harmful threats.


5 minutes ago, zMeul said:

do I extract the Linux Kernel or are those its own vulnerabilities (OS side)

You don't. Debian Linux would be garbled nothingness without the Kernel.

 


12 minutes ago, zMeul said:

there's something I don't understand from that list

 

Linux Kernel has 217 hits

when looking at Debian, for example, do I extract the Linux Kernel or are those its own vulnerabilities (OS side)

Not necessarily. Kernel vulnerabilities are included in the 319 Debian ones, but because Debian doesn't use all the modules included in the Linux kernel, makes modifications to parts, adds things and so on, you can't just subtract one from another. It is also possible that something that is part of the kernel is only a vulnerability in combination with Debian specific code.

 

For example this one only affects Debian, while this one affects the Linux kernel, Debian and Ubuntu (and counts towards the total amount of vulnerabilities on all three).

 

 

The same goes for Windows. Here is a Windows 7 vulnerability that does not affect Windows 10, and here is one that is Windows 10 (and Server 2016) specific. But then we also have some like this one, which affects both 7 and 10.

 

So you can't really subtract between the Windows versions either.

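The double-counting the original post's point 2 and the Debian/kernel reply above describe is easy to see on a small set of records. The following is an added example written for this thread; it is not code from the original post, from cvedetails or from MITRE. The records are constructed to mirror the shape of a CVE entry (ID, publication year, CVSS base score, attack vector, list of affected vendor/product pairs); the IDs are placeholders, not real CVEs, and the vendor/product names only imitate the CPE-style names in the table. It tallies per product the way the "top 20" list does, shows why "Debian minus kernel" does not give Debian-only bugs, and buckets one product's entries by severity, which is exactly the weighting the raw count throws away.

```python
"""Tally CVE-style records per product and show why a raw count misleads.

Added example for this thread, not code from the original post or from
cvedetails/MITRE. RECORDS below is constructed sample data: placeholder IDs,
invented scores, product names that merely resemble CPE names.
"""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Record:
    cve_id: str
    year: int             # year the entry was published
    cvss: float           # CVSS base score, 0.0-10.0
    attack_vector: str    # "network", "local" or "physical"
    products: tuple       # (vendor, product) pairs the entry is listed against


KERNEL = ("linux", "linux_kernel")
DEBIAN = ("debian", "debian_linux")
UBUNTU = ("canonical", "ubuntu_linux")
WIN7 = ("microsoft", "windows_7")
WIN10 = ("microsoft", "windows_10")

# Constructed sample data (not real CVE entries).
RECORDS = [
    Record("CVE-EXAMPLE-0001", 2016, 9.8, "network", (KERNEL, DEBIAN, UBUNTU)),
    Record("CVE-EXAMPLE-0002", 2016, 2.4, "physical", (DEBIAN,)),        # Debian-specific packaging bug
    Record("CVE-EXAMPLE-0003", 2016, 7.8, "local", (KERNEL, DEBIAN)),
    Record("CVE-EXAMPLE-0004", 2016, 5.5, "local", (UBUNTU,)),
    Record("CVE-EXAMPLE-0005", 2015, 9.8, "network", (KERNEL, DEBIAN)),  # wrong year, must be excluded
    Record("CVE-EXAMPLE-0006", 2016, 8.8, "network", (WIN7, WIN10)),
    Record("CVE-EXAMPLE-0007", 2016, 7.5, "network", (WIN10,)),
    Record("CVE-EXAMPLE-0008", 2016, 4.3, "local", (WIN7,)),
    Record("CVE-EXAMPLE-0009", 2016, 5.3, "local", (KERNEL,)),           # driver Debian does not ship
]


def raw_counts(records, year):
    """Per-product tally for one year, the way the 'top 20' list is built.

    A CVE listed against N products adds 1 to each of those N products, so
    the same entry is counted several times across the list."""
    tally = Counter()
    for rec in records:
        if rec.year != year:
            continue
        for product in rec.products:
            tally[product] += 1
    return dict(tally)


def shared(records, year, a, b):
    """Distinct CVEs of `year` listed against both product a and product b."""
    return sum(1 for r in records
               if r.year == year and a in r.products and b in r.products)


def only_in(records, year, a, b):
    """Distinct CVEs of `year` listed against a but not against b."""
    return sum(1 for r in records
               if r.year == year and a in r.products and b not in r.products)


def distinct_union(records, year, products):
    """Distinct CVEs touching any of `products`; de-duplicated by ID, so it
    is never larger than the sum of the per-product counts."""
    ids = {r.cve_id for r in records
           if r.year == year and any(p in r.products for p in products)}
    return len(ids)


def severity_profile(records, year, product):
    """Bucket one product's CVEs by CVSS v3 qualitative band (the thresholds
    9.0 / 7.0 / 4.0 are the standard critical/high/medium cut-offs)."""
    bands = {"critical": 0, "high": 0, "medium": 0, "low": 0}
    for r in records:
        if r.year != year or product not in r.products:
            continue
        if r.cvss >= 9.0:
            bands["critical"] += 1
        elif r.cvss >= 7.0:
            bands["high"] += 1
        elif r.cvss >= 4.0:
            bands["medium"] += 1
        else:
            bands["low"] += 1
    return bands


def remote_high_or_critical(records, year, product):
    """Entries that are network-reachable AND CVSS >= 7.0: a crude 'how much
    should I care' number the headline total does not give you."""
    return sum(1 for r in records
               if r.year == year and product in r.products
               and r.attack_vector == "network" and r.cvss >= 7.0)


if __name__ == "__main__":
    counts = raw_counts(RECORDS, 2016)
    print("raw 2016 counts:", counts)
    print("debian & kernel shared:", shared(RECORDS, 2016, DEBIAN, KERNEL))
    print("debian-only:", only_in(RECORDS, 2016, DEBIAN, KERNEL),
          "while debian - kernel gives", counts[DEBIAN] - counts[KERNEL])
    print("distinct across the three Linux rows:",
          distinct_union(RECORDS, 2016, (KERNEL, DEBIAN, UBUNTU)),
          "vs summed rows:", counts[KERNEL] + counts[DEBIAN] + counts[UBUNTU])
    for p in (WIN7, WIN10):
        print(p[1], severity_profile(RECORDS, 2016, p),
              "remote high/critical:", remote_high_or_critical(RECORDS, 2016, p))
```

On this constructed set Debian and the kernel both come out at 3, so "Debian minus kernel" gives 0, yet there is one Debian-only entry and one kernel-only entry; the three Linux rows sum to 8 while only 5 distinct IDs exist. Windows 7 and Windows 10 tie on the raw count but have different severity profiles. The same functions work unchanged on real NVD data once it is flattened into `Record` objects.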

8 minutes ago, zMeul said:

there's something I don't understand from that list

 

Linux Kernel has 217 hits

when looking at Debian, for example, do I extract the Linux Kernel or are those its own vulnerabilities (OS side)

 

---

 

ps:

I find it really funny how W7 has fewer vulnerabilities than W10 ^_^

Makes sense tbh. It would actually be more impressive if it was backwards, since 7 is older and has fewer features. Removing the vulnerabilities that overlap from both, the ones 10 has on its own must be from features that aren't in 7 and other releases of Windows.


19 minutes ago, zMeul said:

there's something I don't understand from that list

 

Linux Kernel has 217 hits

when looking at Debian, for example, do I extract the Linux Kernel or are those its own vulnerabilities (OS side)

 

---

 

ps:

I find it really funny how W7 has fewer vulnerabilities than W10 ^_^

The vulnerabilities in W7 are shit that has existed for like 20+ years. W7 used large parts of the same kernel as W95.


This list makes open source look bad, I can't wait for the Linux hippies to respond.:P


19 minutes ago, LAwLz said:

Not necessarily. Kernel vulnerabilities are included in the 319 Debian ones, but because Debian doesn't use all the modules included in the Linux kernel, makes modifications to parts, adds things and so on, you can't just subtract one from another. It is also possible that something that is part of the kernel is only a vulnerability in combination with Debian specific code.

 

For example this one only affects Debian, while this one affects the Linux kernel, Debian and Ubuntu (and counts towards the total amount of vulnerabilities on all three).

 

 

The same goes for Windows. Here is a Windows 7 vulnerability that does not affect Windows 10, and here is one that is Windows 10 (and Server 2016) specific. But then we also have some like this one, which affects both 7 and 10.

 

So you can't really subtract between the Windows versions either.

Known kernel vulnerabilities can be patched by the OS' devs; the people who compiled this list needed to be clearer.

Also, Debian vulnerabilities can be patched by Canonical for Ubuntu.

 

The Windows comparison is not accurate since each OS has its own kernel.

 

---

 

The source states that vulnerabilities are "distinct", so when talking about a Linux OS you should add the kernel vulnerabilities. This makes matters much worse, but you need to know the data for each kernel version used.


4 minutes ago, DELTAprime said:

This list makes open source look bad, I can't wait for the Linux hippies to respond.:P

I like Linux, but I only use it on the Raspberry Pi.


26 minutes ago, LAwLz said:

So while the list itself doesn't really give us any useful information, it is still interesting.

Am I the only one who doesn't buy the results because of the questionable legitimacy of the website? Who operates that website you cited? 


1 minute ago, peej said:

how did iPhone OS have that many vulnerabilities when it hasn't had a new version since 2009 :P 

what are you talking about?


I'm outright calling BS on Windows being 13th, 17th, 18th and 20th. Though blow it your ass MS, Windows 7 is more secure than Windows 10:P


I wonder what the ratio of vulnerabilities to active devices/active users would look like.


7 minutes ago, Dabombinable said:

I'm outright calling BS on Windows being 13th, 17th, 18th and 20th. Though blow it your ass MS, Windows 7 is more secure than Windows 10:P

And I'll steal a quote from Pirates of the Caribbean cos why not.

 

In response to your answer..... "So it would seem" .


14 minutes ago, hey_yo_ said:

Am I the only one who doesn't buy the results because of the questionable legitimacy of the website? Who operates that website you cited? 

The non-profit corporation MITRE, which is funded by the US Department of Homeland Security and the National Institute of Standards and Technology (NIST).

 

 

20 minutes ago, zMeul said:

known Kernel vulnerabilities can be patched by the OS' devs, the people who compiled this list needed to be more clear

also, Debian vulnerabilities can be patched by Canonical for Ubuntu

Yes, you are completely right.

If you look at the vulnerabilities listed you can see that a lot of them were fixed just one version after they were discovered.


10 minutes ago, LAwLz said:

The non-profit corporation MITRE, which is funded by the US Department of Homeland Security and the National Institute of Standards and Technology (NIST).

 

 

Yes, you are completely right.

If you look at the vulnerabilities listed you can see that a lot of them were fixed just one version after they were discovered.

It's more than that.

I looked at the latest Linux Kernel and it shows a much lower number of known vulnerabilities, so the numbers are inflated by adding all 2016 kernels under the same roof.

And this makes the whole list quite inaccurate and very sensationalist.

And it's doing a bad service to Linux in general, since Windows' kernels do not change.

 

for example, Ubuntu 16.10 uses Linux Kernel 4.8.x

Kernel 4.8 and subversions have, in total, 18 known vulnerabilities: https://www.cvedetails.com/version-list/33/47/1/Linux-Linux-Kernel.html

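The point above, that a product-wide yearly count and the count for one concrete kernel version are different numbers, comes down to how each entry scopes its affected versions. The following is an added example for this thread, not code from the original post, from cvedetails or from NVD. Its records are constructed to mimic how an NVD entry bounds affected versions on a CPE match ("versionStartIncluding" / "versionEndExcluding"); the IDs are placeholders and the ranges are invented, so the numbers it prints say nothing about real kernel 4.8 counts. It shows the product-wide count beside the count that actually applies to a given version string.

```python
"""Count CVE-style entries for one kernel version versus the whole product.

Added example for this thread, not code from the original post, from
cvedetails or from NVD. KERNEL_RECORDS is constructed sample data with
placeholder IDs and invented version ranges.
"""
from dataclasses import dataclass
from typing import Optional, Tuple


def parse_version(text):
    """'4.8.3' -> (4, 8, 3). Tuple comparison gives the ordering we need:
    (4, 8) < (4, 8, 3) < (4, 9), so a bare '4.8' sorts before every 4.8.x."""
    return tuple(int(part) for part in text.split("."))


@dataclass(frozen=True)
class Range:
    start_including: Optional[str]   # None = no lower bound
    end_excluding: Optional[str]     # None = no upper bound (still unfixed)

    def contains(self, version):
        v = parse_version(version)
        if self.start_including is not None and v < parse_version(self.start_including):
            return False
        if self.end_excluding is not None and v >= parse_version(self.end_excluding):
            return False
        return True


@dataclass(frozen=True)
class KernelRecord:
    cve_id: str
    year: int
    ranges: Tuple[Range, ...]   # affected if ANY range matches (NVD lists one match per branch)

    def affects(self, version):
        return any(r.contains(version) for r in self.ranges)


# Constructed sample: placeholder IDs, invented ranges.
KERNEL_RECORDS = [
    KernelRecord("CVE-EXAMPLE-1001", 2016, (Range(None, "4.8.3"),)),   # fixed in 4.8.3
    KernelRecord("CVE-EXAMPLE-1002", 2016, (Range("4.6", "4.8.1"),)),   # introduced in 4.6, fixed in 4.8.1
    KernelRecord("CVE-EXAMPLE-1003", 2016, (Range("4.8", "4.9"),)),     # lives only in the 4.8 series
    KernelRecord("CVE-EXAMPLE-1004", 2016, (Range(None, "3.19"),)),     # old bug, fixed before 3.19
    KernelRecord("CVE-EXAMPLE-1005", 2015, (Range(None, "4.9"),)),      # published 2015: excluded by year
    KernelRecord("CVE-EXAMPLE-1006", 2016, (Range("4.9", None),)),      # only in 4.9 and later
    KernelRecord("CVE-EXAMPLE-1007", 2016, (Range("3.10", "3.12"), Range("4.4", "4.4.2"))),  # two windows
]


def product_count(records, year):
    """The 'Linux Kernel: 217' style number: every entry published in `year`,
    regardless of which versions it actually touches."""
    return sum(1 for r in records if r.year == year)


def version_count(records, year, version):
    """Entries published in `year` that apply to one concrete version."""
    return sum(1 for r in records if r.year == year and r.affects(version))


def version_ids(records, year, version):
    """Same filter as version_count, but returning the IDs for inspection."""
    return sorted(r.cve_id for r in records if r.year == year and r.affects(version))


if __name__ == "__main__":
    print("product-wide 2016 count:", product_count(KERNEL_RECORDS, 2016))
    for v in ("3.16.0", "4.4.1", "4.8.0", "4.8.4"):
        print(f"kernel {v}:", version_count(KERNEL_RECORDS, 2016, v),
              version_ids(KERNEL_RECORDS, 2016, v))
```

On this sample the product-wide 2016 count is 6, while a 4.8.4 kernel is hit by only one of those entries and a 4.8.0 kernel by three. The caveat a practitioner should keep in mind when doing this against real data: distribution kernels carry backported fixes, so a Debian or Ubuntu "4.8.0-x" package is often not affected by an entry whose upstream range says it is, which is the same reason the thread's Debian-versus-kernel numbers cannot simply be subtracted.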

This doesn't make much sense.

 

So do vulnerabilities include ones found and reported as well? If so then this chart would be accurate. The fact that many Linux distros are high up would be because there are thousands of eyes on the code, and if anyone notices a hole it's reported and patched immediately, which would explain the high amount. But the more people report, the more that is patched and the more secure it is. So I hope people don't take this as Windows is more secure than any Linux distro.

 

Also, what version of Android is this based on? Is it just the number of vulnerabilities for the year between 4.4 and 7.1.1? If so I would expect to see a shit ton since so many devices are still on 4.4.

 


9 minutes ago, zMeul said:

I looked at the latest Linux Kernel and it shows only 11 known vulnerabilities - so, the numbers are inflated by adding all 2016 kernels under the same roof

That's the entire point of the list... It is not a list of how many vulnerabilities something has right now. It's a list of how many vulnerabilities were found during 2016.

 

11 minutes ago, zMeul said:

and this makes the whole list quite inaccurate and very sensationalist

It's not inaccurate because that is exactly what the list shows. It shows how many vulnerabilities were found in for example Android during 2016...

I never said in the original post that the list does not take into consideration how quickly the vulnerabilities were fixed.


1 minute ago, LAwLz said:

It's not inaccurate because that is exactly what the list shows. It shows how many vulnerabilities were found in for example Android during 2016...

I never said in the original post that the list does not take into consideration how quickly the vulnerabilities were fixed.

Android is very fragmented.

The list should've separated all Android versions, not added them all up, like they did with Ubuntu and Debian for example.
