Incident Response, Patch/Configuration Management, TDR, Vulnerability Management

Not so fast, was OS X really the most vulnerable of 2015?

Researchers at Malwarebytes challenged published claims that Mac OS X systems contained the most vulnerabilities that year.

Although the report, the CVE Details "Top 50 Products By Total Number Of "Distinct" Vulnerabilities in 2015," used data from the National Vulnerability Database, researchers at Malwarebytes said the results were skewed. The report didn't properly categorize and prioritize the vulnerabilities, instead clumping all the OS X versions together in the same group while separately tallying different versions of Windows and other products, according a Jan. 8 Malwarebytes blog post.

The report listed Apple's Mac OS X and iPhone OS as the top two most vulnerable products with 384 and 375 vulnerabilities respectively and listed Adobe Flash Player as the third most vulnerable product with 314 vulnerabilities.  

The researchers said the report should have grouped the vulnerabilities by vendor for better “apples to apples” comparison. “Doing that, we see that Apple had a total of 654 vulnerabilities in 2015, while Microsoft had 571," researchers said in the post. Adobe landed at third place with 460 vulnerabilities.

In order to make the data more meaningful, reports should have taken into account the number of severe, higher than 9 on a scale of 1-10, vulnerabilities each vendor had and what percentage it made up of a vendor's total vulnerability count.

When the Malwarebytes researchers did this they found that Adobe led the pack with 389 very severe vulnerabilities that accounted for 85 percent of its total count while Apple had only 91 severe vulnerabilities which made up 14 percent of its total, according to the post.

Microsoft had 332 very severe vulnerabilities, or 58 percent of its total.

Even when accounting for vendors and severity levels, the researchers at Malwarebytes said that other immeasurable factors including the number of the vulnerabilities exploited in the wild and how many vulnerabilities remained unpatched should be considered as well.

Researchers at Malwarebytes admitted that Apple's products don't have the most secure operating systems in the world but warned users to “ignore any click-bait headlines about how Mac OS X is the 'most vulnerable system' based on this data.”  

Joseph Pizzo, field engineer at Norse, told via email that the integrity of the companies that self report vulnerabilities play a factor in the data as well adding that Apple could have more reported more of its bugs because its places an emphases on transparency.

“Based on this information, it appears that Apple is at the top of the list; however, this is for publicly disclosed vulnerabilities and exposures," said Pizzo. "There is no rule that says that Microsoft, Adobe or any Linux vendor has to disclose their vulnerabilities and exposures."

Wes Widner, Norse's director of threat intelligence and machine learning, told via email that "licensing plays a role in lumping all vulnerabilities for OSX into one broad category." 

"I expect this to change as threats increase and researchers become more sophisticated in identifying vulnerable subsystems," Widner said. 

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.