Security Architecture, Endpoint/Device Security, Endpoint/Device Security, Network Security, Security Strategy, Plan, Budget, Vulnerability Management, Endpoint/Device Security, Endpoint/Device Security, Endpoint/Device Security

Data: More vulnerabilities found in Google Android than any other program in 2016

Amassing 523 distinct coding flaws this past year, Google's Android mobile operating system took top spot among the 50 products with the most discovered vulnerabilities in 2016, according to the security vulnerability database website CVE Details.

Android's vulnerability totals far surpassed those of runners-up Debian Linux and Ubuntu Linux, which compiled 319 and 278 bugs respectively. Adobe's multimedia viewer Flash Player, which had the third highest number of vulnerabilities in 2015, claimed the fourth most errors this past year with 266.

Google has a bug-bounty program that rewards independent researchers monetarily for finding vulnerabilities, which could be among the reasons that Android accumulated a disproportionate number of reported flaws last year. The most common classifications for Android vulnerabilities were privilege escalation (39.8 percent) and denial-of-service (25 percent). Among the 523 bugs, 254 had a CVSS (Common Vulnerability Scoring System) score of “9” or higher, meaning the vulnerabilities were deemed severely critical in nature. SC Media contacted Google for comment.

CVE Details includes vulnerabilities in its statistics if they has been officially registered with The MITRE Corporation's Common Vulnerabilities and Exposures (CVE) database. Apple's Mac Os X operating system emerged as the program with the most vulnerabilities in 2015, with 444 total flaws, but this year dropped to 11th with only 215.

With nine of its applications making the top 50, Adobe actually had the most overall vulnerabilities of any other product vendor on the list, with 1,383, edging out Microsoft's 1,325 bugs. Adobe's Acrobat Reader DC, Acrobat DC and Acrobat and Reader had the seventh, eighth, ninth and 12th most vulnerabilities, respectively.

A total of 695 coding issues made Google the vendor with the third most vulnerabilities on the 2016 top-50 product list, followed by Apple (611) and Red Hat (596).

While the statistics are intriguing to pore over, Adam Bacchus, chief bounty officer at HackerOne, told SC Media in an email statement that the figures must be looked at in the proper context. “CVEs provide a useful unique vulnerability identifier to allow anyone to ensure their software is patched for known vulnerabilities, but counting CVEs is not a meaningful way to assess the security of any product,” Bacchus explained. That's like trying to assess your health by counting your number of visits to the doctor, instead of looking at the actual results. Not all CVEs are equal in severity, and there are many organizations that fix issues silently without assigning a CVE.”

Bradley Barth

As director of multimedia content strategy at CyberRisk Alliance, Bradley Barth develops content for online conferences, webcasts, podcasts video/multimedia projects — often serving as moderator or host. For nearly six years, he wrote and reported for SC Media as deputy editor and, before that, senior reporter. He was previously a program executive with the tech-focused PR firm Voxus. Past journalistic experience includes stints as business editor at Executive Technology, a staff writer at New York Sportscene and a freelance journalist covering travel and entertainment. In his spare time, Bradley also writes screenplays.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.