With 523 distinct registered vulnerabilities in 2016, Google’s Android mobile operating system took the top spot among the 50 products with the most disclosed vulnerabilities that year, according to the security vulnerability database website CVE Details.
Android’s total far surpassed those of the runners-up, Debian Linux and Ubuntu Linux, with 319 and 278 vulnerabilities respectively. Adobe’s multimedia viewer Flash Player, which had the third-highest count in 2015, placed fourth in 2016 with 266.
Google runs a bug-bounty program that pays independent researchers for reporting vulnerabilities, which could be among the reasons Android accumulated a disproportionate number of reported flaws last year: a product that rewards disclosure tends to receive more of it. The most common CVE Details classifications for Android vulnerabilities were privilege escalation (39.8 percent) and denial of service (25 percent). Of the 523 bugs, 254 carried a CVSS (Common Vulnerability Scoring System) base score of 9.0 or higher, the range CVSS rates as critical. A CVSS score measures technical severity under the scoring model, not whether the flaw was actually exploited in the wild. SC Media contacted Google for comment.
CVE Details includes a vulnerability in its statistics only if it has been officially registered in The MITRE Corporation’s Common Vulnerabilities and Exposures (CVE) database. Apple’s Mac OS X operating system had the most vulnerabilities of any product in 2015, with 444, but in 2016 dropped to 11th with 215.
With nine of its applications in the top 50, Adobe had the most vulnerabilities of any vendor on the list, 1,383, edging out Microsoft’s 1,325. Four of them were PDF products: Acrobat Reader DC, Acrobat DC, Acrobat and Reader ranked seventh, eighth, ninth and 12th respectively.
While the statistics are intriguing to pore over, Adam Bacchus, chief bounty officer at HackerOne, told SC Media in an email statement that the figures must be looked at in the proper context. “CVEs provide a useful unique vulnerability identifier to allow anyone to ensure their software is patched for known vulnerabilities, but counting CVEs is not a meaningful way to assess the security of any product,” Bacchus explained. “That’s like trying to assess your health by counting your number of visits to the doctor, instead of looking at the actual results. Not all CVEs are equal in severity, and there are many organizations that fix issues silently without assigning a CVE.”
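The severity breakdown reported for Android above, and Bacchus’s point that a raw CVE count says little on its own, both come down to the same exercise: group a product’s CVEs by CVSS band and by vulnerability type rather than just counting them. The following Python is an added example written for this page; it is not code from SC Media, CVE Details or HackerOne. The records are constructed with placeholder identifiers (EX-0001 and so on, not real CVE IDs), the product names are hypothetical, and the bands are the CVSS v3 qualitative rating scale, under which “9.0 or higher” is Critical.

```python
"""Severity-profile tally for CVE records (added example, not from the article)."""
from __future__ import annotations

from collections import Counter
from dataclasses import dataclass
from typing import Dict, Iterable, List


def severity(score: float) -> str:
    """Map a CVSS base score to the CVSS v3 qualitative band (assumed scale)."""
    if not 0.0 <= score <= 10.0:
        raise ValueError(f"CVSS base score out of range: {score}")
    if score >= 9.0:
        return "Critical"
    if score >= 7.0:
        return "High"
    if score >= 4.0:
        return "Medium"
    if score > 0.0:
        return "Low"
    return "None"


@dataclass(frozen=True)
class CveRecord:
    cve_id: str      # identifier; placeholders below, not registered CVE IDs
    product: str     # hypothetical product name
    cvss: float      # CVSS base score
    vuln_type: str   # CVE Details-style category, e.g. "Gain privileges"


def severity_profile(records: Iterable[CveRecord]) -> Dict[str, Counter]:
    """Per-product count of records in each severity band."""
    profile: Dict[str, Counter] = {}
    for rec in records:
        profile.setdefault(rec.product, Counter())[severity(rec.cvss)] += 1
    return profile


def critical_share(records: Iterable[CveRecord], product: str) -> float:
    """Fraction of a product's records scored 9.0 or higher (0.0 if none)."""
    prod = [r for r in records if r.product == product]
    if not prod:
        return 0.0
    return sum(1 for r in prod if r.cvss >= 9.0) / len(prod)


def type_share(records: Iterable[CveRecord], product: str) -> Dict[str, float]:
    """Percentage of a product's records per vulnerability type, one decimal."""
    counts = Counter(r.vuln_type for r in records if r.product == product)
    total = sum(counts.values())
    if not total:
        return {}
    return {t: round(100.0 * n / total, 1) for t, n in counts.items()}


# Constructed sample: product-a has more CVEs, product-b has a worse profile.
SAMPLE: List[CveRecord] = [
    CveRecord("EX-0001", "product-a", 9.8, "Gain privileges"),
    CveRecord("EX-0002", "product-a", 9.3, "Gain privileges"),
    CveRecord("EX-0003", "product-a", 7.5, "Denial of service"),
    CveRecord("EX-0004", "product-a", 5.0, "Denial of service"),
    CveRecord("EX-0005", "product-a", 4.3, "Information disclosure"),
    CveRecord("EX-0006", "product-a", 2.1, "Information disclosure"),
    CveRecord("EX-0007", "product-b", 9.8, "Code execution"),
    CveRecord("EX-0008", "product-b", 9.0, "Code execution"),
    CveRecord("EX-0009", "product-b", 8.8, "Code execution"),
]


if __name__ == "__main__":
    for product, bands in severity_profile(SAMPLE).items():
        total = sum(bands.values())
        print(f"{product}: {total} CVEs, {dict(bands)}, "
              f"critical share {critical_share(SAMPLE, product):.0%}, "
              f"types {type_share(SAMPLE, product)}")
```

On the constructed sample, product-a has twice as many CVEs as product-b, yet only a third of them are Critical against two-thirds for product-b, which is the kind of distinction a headline count hides. Real NVD feeds carry the base score in the record’s impact metrics; the tally itself does not change.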