And the product with the most distinct vulnerabilities in 2015 is..
Rarely a day goes by without news of another vulnerability in an operating system, application, device, or web service. These reports have become part of everyone's online life, and all users can do is stay informed and close security issues as soon as vendors make patches available.
While it is sometimes possible to mitigate a vulnerability, users are often left with no other recourse than to wait for the vendor to release a patch. Sometimes that patch is never produced.
CVE Details, calling itself the "ultimate security vulnerability datasource", has published its annually updated product vulnerability listing.
The list, which ranks products by total number of distinct vulnerabilities, may come as a surprise to computer users who would expect all-time favorites such as Flash Player, Java or Windows to fight for the top spot.
In fact, it is Apple with its Mac OS X and iPhone OS that takes the top two spots of the ranking. They are followed by four Adobe products, namely Flash Player, Air SDK, Air SDK & Compiler, and AIR, in places three to six.
Then come the three browsers Internet Explorer, Chrome and Firefox in positions seven to nine, and another Microsoft product, Windows Server 2012, in tenth place.
Other Windows versions, Safari, Ubuntu Linux and Android appear in the top 20 as well. If you are looking for Java, another product that is attacked regularly, you have to scroll down to positions 29 and 30, where it is listed separately as JRE and JDK.
Other products of note in the listing include Acrobat and Acrobat Reader, Linux distributions such as Debian and openSUSE, and products such as Apple TV, MySQL and Wireshark near the end of the list.
The site also published a ranking of total vulnerabilities by vendor, which Microsoft leads ahead of Adobe and Apple.
Probably the main reason Microsoft ranks that high is that every version of the company's operating systems is listed as a separate product in the ranking. It is likely that there is at least some cross-over between different Windows versions, with the same vulnerability counted once for each version it affects. A quick check reveals that this is indeed the case. The same can probably be said for other vendors with many closely related products, e.g. Adobe or Apple.
The service takes its data from the National Vulnerability Database. The ranking counts raw CVE entries and does not weight them by severity, so a low-impact information disclosure counts exactly as much as a remotely exploitable code-execution bug.
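The following is an added example, not code from the article or from CVE Details, that shows the two counting effects described above on constructed rows shaped like NVD-derived data: a vendor total built by adding up per-product counts (the summing rule the article suspects) counts a CVE once for every product version it affects, while a distinct count does not, and a raw count carries no severity information at all. Every CVE ID, vendor, product and CVSS score below is a placeholder, not a real vulnerability.

```python
from collections import defaultdict

# Constructed sample rows in the shape of NVD-derived data:
# (cve_id, vendor, product, cvss_v2_base_score). All values are placeholders.
RECORDS = [
    ("CVE-2015-DEMO-1", "vendor_a", "os_v1", 9.3),   # one bug shared by three OS versions
    ("CVE-2015-DEMO-1", "vendor_a", "os_v2", 9.3),
    ("CVE-2015-DEMO-1", "vendor_a", "os_v3", 9.3),
    ("CVE-2015-DEMO-2", "vendor_a", "os_v3", 4.3),
    ("CVE-2015-DEMO-3", "vendor_b", "player", 10.0),  # one bug shared by two products
    ("CVE-2015-DEMO-3", "vendor_b", "sdk", 10.0),
    ("CVE-2015-DEMO-4", "vendor_b", "player", 2.1),
    ("CVE-2015-DEMO-5", "vendor_c", "browser", 7.5),
]


def distinct_per_product(records):
    """Distinct CVEs per (vendor, product): the counting rule of the per-product ranking."""
    seen = defaultdict(set)
    for cve, vendor, product, _score in records:
        seen[(vendor, product)].add(cve)
    return {key: len(cves) for key, cves in seen.items()}


def vendor_totals_summed(records):
    """Vendor total obtained by adding up per-product counts (assumed summing rule).
    A CVE that affects N products of one vendor is counted N times."""
    totals = defaultdict(int)
    for (vendor, _product), count in distinct_per_product(records).items():
        totals[vendor] += count
    return dict(totals)


def vendor_totals_distinct(records):
    """Vendor total that counts each CVE once, however many products it affects."""
    seen = defaultdict(set)
    for cve, vendor, _product, _score in records:
        seen[vendor].add(cve)
    return {vendor: len(cves) for vendor, cves in seen.items()}


def inflation(records):
    """Ratio of summed to distinct vendor totals; 1.0 means no double counting."""
    summed = vendor_totals_summed(records)
    distinct = vendor_totals_distinct(records)
    return {vendor: summed[vendor] / distinct[vendor] for vendor in distinct}


def severity_profile(records, high_at=7.0):
    """Distinct CVEs per vendor split by CVSS v2 base score (7.0 and above is 'High').
    A raw count hides this: a low-impact bug and a remote code execution bug each count as one."""
    score_of = {}
    for cve, vendor, _product, score in records:
        score_of[(vendor, cve)] = score
    profile = defaultdict(lambda: {"high": 0, "medium_or_low": 0})
    for (vendor, _cve), score in score_of.items():
        profile[vendor]["high" if score >= high_at else "medium_or_low"] += 1
    return {vendor: dict(buckets) for vendor, buckets in profile.items()}


if __name__ == "__main__":
    print("per product:        ", distinct_per_product(RECORDS))
    print("summed per vendor:  ", vendor_totals_summed(RECORDS))
    print("distinct per vendor:", vendor_totals_distinct(RECORDS))
    print("inflation:          ", inflation(RECORDS))
    print("severity:           ", severity_profile(RECORDS))
```

On these rows vendor_a shows four vulnerabilities when per-product counts are summed but only two distinct CVEs, an inflation factor of 2.0, and the severity split shows that half of each vendor's distinct CVEs are High while the raw totals look nothing alike. Running the same functions over real NVD exports, with one row per affected CPE, gives the comparison the article can only guess at.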
If you compare it to the 2014 top 50 listing, you will notice that things changed dramatically in a year. The top five products that year were Internet Explorer, Mac OS X, Linux Kernel, Chrome and iPhone OS. Java was found in positions six and seven, and Flash Player ranked 11th in the listing.
Now You: Are you surprised by the ranking?
All a bit controversial, especially for Apple fans.
Top 50 Vendors By Total Number Of “Distinct” Vulnerabilities in 2015:
If you want to do it by adding up the total number of product vulnerabilities per vendor try to figure in that MS have 14 products listed, Apple have 6.
Good point. The “By Vendor” graph is pretty much useless, Wireshark, for example, is in the same chart with Microsoft or even Apple.
Wow. Inclusion of “Ubuntu Linux” in the CVE “top-50-products” CVE list seems… inane.
Debian repositories contain 30,000+ packaged software(s); Ubuntu, with its ‘universe’ repositories list, along with PPAs, probably represents well over 50,000 software(s). Nearly all of those packaged-for-distribution products are authored externally. While they’re at it (CVE), might as well throw softpedia, sourceforge, github etc. into the list of “products”, eh?
full disclosure (or something):
I’m not an Ubuntu Linux user.
At the end of the day, simply going by the number of vulnerabilities is a misleading way of looking at things.
Not all vendors report vulnerabilities in the same way, if at all. Some even have monetary rewards for doing so, providing an incentive to report them. One vendor may have more vulnerabilities but they may also fix them quicker. And of course, not all vulnerabilities are equal.
Too many problems interpreting this list. How many items of software does each company produce? How much effort does each company make to identify vulnerabilities? How much effort do external third parties make to identify vulnerabilities in a particular product? How likely are companies to hide their products’ vulnerabilities from the public? How likely are companies to act on the vulnerabilities and prevent them from accumulating? Et cetera ad nauseam.
These questions create so much complexity that – I hate to say it – the listing by “CVE Details” is basically useless. A better approach would be to create a standardized metric, like “number of vulnerabilities discovered per month of search effort per million users of the software”. That would create its own interpretation complexities, but it would be much more meaningful than a simple table of counts.
While I agree that the list is very open to interpretation, it’s better than nothing, no?
If it is misused, then it IS worse than nothing! How severe? Impact on users? Errors per lines of code? Just like any raw data, it is how it is interpreted that matters.
If it’s misused then that’s the fault of the person misusing it, not the data itself.
If someone misused a knife to kill someone do you blame the knife or the person who misused it?
Like most security warnings, then. Shock, horror, you might get run over by a bus. Depends where you live, if you cross the road, whether you look before you do, blah, blah, blah.
This is an unfortunate consequence of the compiler having too much processing-power and time on its hands, resulting in useless (as presented) information of the the type better suited to politicians rather than to scientists.
Windows and Mac OSX each have a fraction of the number shown as the chart adds up vulnerabilities for all versions. If I recall correctly Windows 10 has about 25% of the vulnerabilities of Windows 7. Here’s a link to a chart from Neowin with the breakdown per version as much as possible: https://www.neowin.net/images/uploaded/2016/01/security-flaws-by_product_2015.jpg
Or you could just use the data broken down by versions from CVSS themselves.