Monday, February 23, 2015

Most vulnerable operating systems and applications in 2014


An average of 19 vulnerabilities per day were reported in 2014, according to data from the National Vulnerability Database (NVD). The NVD provides a comprehensive list of software security vulnerabilities. In this article, I look at some of the trends and key findings for 2014 based on NVD data.

Some of the questions asked are:

- What are the latest vulnerability trends? Are we seeing an increase or a decrease in the number of vulnerabilities?

- What percentage of these vulnerabilities are rated as critical? (That is, vulnerabilities with a high security impact, such as allowing remote code execution, which are therefore easy to exploit.)

- In which areas do we see the most vulnerabilities? Are operating systems, third-party applications or network devices such as routers, switches, access points or printers most at risk?

- Which operating systems and applications are listed with the most vulnerabilities? This data is important because the products at the top of the list get the most frequent security updates. To keep an IT infrastructure secure, sysadmins need to continually monitor these operating systems and applications for the latest updates and ensure they are always fully patched.

7,038 new security vulnerabilities were added to the NVD database in 2014. This means an average of 19 new vulnerabilities per day. The number is significantly higher than in 2013 and continues the ascending trend over the past few years.

24% of these vulnerabilities are rated as high severity. The percentage is lower than in 2013, but the actual number of high-severity vulnerabilities has increased compared to last year.

Third-party applications are the largest source of vulnerabilities, accounting for over 80% of those reported. Operating systems are responsible for only 13% of vulnerabilities and hardware devices for 4%.
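To make the three headline figures above reproducible (total and per-day count, share rated High, and the application / operating system / hardware split), here is an added example of my own, not code from the article or from the NVD, that computes them over constructed NVD-style records. The record layout, the `SAMPLE` data and the rule that a CVE whose CPEs span several part codes counts once under each are assumptions; the CVSS v2 severity bands and the CPE 2.3 a/o/h part codes are the real NVD and CPE definitions.

```python
from collections import Counter
from datetime import date

# Severity bands are the NVD's CVSS v2 mapping; a/o/h are the CPE 2.3 part
# codes. The record shape is a simplified, constructed stand-in for an NVD entry.
PART_NAMES = {"a": "application", "o": "operating system", "h": "hardware"}

# Constructed sample records (not real NVD data).
SAMPLE = [
    {"id": "CVE-2014-0001", "cvss_v2": 7.5,
     "cpes": ["cpe:2.3:a:example:webapp:1.0:*:*:*:*:*:*:*"]},
    {"id": "CVE-2014-0002", "cvss_v2": 4.3,
     "cpes": ["cpe:2.3:a:example:browser:30:*:*:*:*:*:*:*"]},
    {"id": "CVE-2014-0003", "cvss_v2": 10.0,
     "cpes": ["cpe:2.3:o:example:kernel:3.14:*:*:*:*:*:*:*",
              "cpe:2.3:a:example:ssl_lib:1.0.1:*:*:*:*:*:*:*"]},
    {"id": "CVE-2014-0004", "cvss_v2": 2.1,
     "cpes": ["cpe:2.3:h:example:router:-:*:*:*:*:*:*:*"]},
]

def severity_v2(score):
    """Map a CVSS v2 base score to the NVD's Low/Medium/High bands."""
    if not 0.0 <= score <= 10.0:
        raise ValueError(f"CVSS v2 score out of range: {score}")
    if score >= 7.0:
        return "HIGH"
    return "MEDIUM" if score >= 4.0 else "LOW"

def cpe_part(uri):
    """Return the part field (a/o/h) of a cpe:2.3:<part>:<vendor>:... URI."""
    fields = uri.split(":")
    if len(fields) < 3 or fields[0] != "cpe" or fields[1] != "2.3":
        raise ValueError(f"not a CPE 2.3 URI: {uri}")
    return fields[2]

def summarise(records, year):
    """Total, average per day, share rated High, and the a/o/h split (in %).
    Assumption: a CVE spanning several parts is counted once under each."""
    days = (date(year, 12, 31) - date(year, 1, 1)).days + 1
    total = len(records)
    severities = Counter(severity_v2(r["cvss_v2"]) for r in records)
    parts = Counter()
    for r in records:
        for part in {cpe_part(c) for c in r["cpes"]}:
            parts[PART_NAMES.get(part, "unknown")] += 1

    def pct(n):
        return round(100.0 * n / total, 1) if total else 0.0

    return {"total": total, "per_day": round(total / days, 2),
            "high_pct": pct(severities["HIGH"]),
            "by_part_pct": {k: pct(v) for k, v in sorted(parts.items())}}
```

Pointing `SAMPLE` at the real 2014 NVD feed, after mapping each entry onto this record shape, reproduces the article's methodology; the shares per part can sum to more than 100% because of the counting assumption.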

It is interesting that although Microsoft operating systems still have a considerable number of vulnerabilities, they are no longer in the top 3. Apple, with OS X and iOS, is at the top, followed by the Linux kernel.

From a security point of view, 2014 was a tough year for Linux users, especially since some of the most important security issues of the year were reported in applications that usually run on Linux systems. Heartbleed, for example, is a critical vulnerability in OpenSSL, while Shellshock is a vulnerability that affects GNU Bash.

The applications listed here are much the same as in 2013. Not surprisingly, web browsers continue to have the most security vulnerabilities because they are a popular gateway for accessing a server and for spreading malware to clients. Adobe's free products and Java are the main challengers, but web browsers have continuously topped the table for the last six years. Mozilla Firefox had the most vulnerabilities reported in 2009 and 2012, Google Chrome in 2010 and 2011, and Internet Explorer has been at the top for the last two years.

To keep systems secure, it is critical that they are fully patched. IT admins should focus on patching the following first:


  1. An excellent example of how statistics can be distorted to support any desired conclusion.

    I especially like how Windows is broken out into its numerous versions while all OS X versions are lumped together as one line item in order to increase the vulnerability tally.

    Conspicuous in its absence is Android, the real winner (or loser), which suffers from over 90% of known mobile exploits.

    Elsewhere on the web you can find a more thorough list of criticisms of this report.

  2. Aww. Did someone upset the Apple fanboy? Take your buggy OS and overpriced hardware and go make your own blog. Unless you're a coward and want to hide behind anonymity by posting unsubstantiated claims in a comment section of a real blog. Put your money where your mouth is. Of course, if what you're saying is all lies and fluff, you'll do nothing.

  3. Hah. Didn't think so, Brett. Your silence speaks volumes!


    1. My original comment was sufficient.

      Why was there no statistic reported for Android vulnerability? Were they too ashamed to list it? Why weren't the OS vulnerability counts split among legacy versions as they were for Windows (XP, 7, 8, 8.1, Vista)?

      I don't know if the report was intended to mislead or just incompetently prepared, but it is not a full and accurate accounting.

      Dave's response added nothing of substance worth refuting.

      You can both take your "hah", "aww", "upset", "fanboy" taunts back to elementary school.

  4. Windows total exploits = 210
    Mac OS X = 147
    Who is the loser here?
    Very telling that Android, the most popular mobile OS, is left off. Very biased report.
    Also, check out the browser vulnerabilities in same report. IE = 242, Chrome = 124.

  5. Posting as Anonymous... really brave of you. Another butt-hurt Apple coward.

    1. And you're the guy who started commenting on this site using the user name I'd established rather than coming up with a unique name of your own.

      Did you learn how to slavishly copy from Samsung?

    2. Seriously. Why don't you use your Google account? That way you'll be completely unique. Unless you are too afraid.

  6. So I suppose there is only one Brett in the world now? Did you learn your backwards logic from Apple?

  7. It's really just showing that Apple is vulnerable like everything else. Apple isn't any better and, if you think about it, because they cost more they are actually worse. I've never had a virus and I've known Mac owners that have had many.