Report: OS X, iOS, Linux were the most vulnerable OSes in 2014

The Lenovo-Superfish fiasco might have some contemplating an OS switch, but the grass isn’t greener on the other side—at least not according to GFI. The security firm has published a report ranking last year’s most vulnerable OSes and applications, and guess what? OS X, iOS, and Linux made the top of the list. Take a look:

Windows 7 is a distant fifth, with roughly a quarter as many total vulnerabilities as OS X. Windows 8.1 is neck and neck with Windows 7 in total vulnerabilities, but it had fewer "high" vulnerabilities, which knocks it down to eighth place. Not bad.

Why did Linux do so badly? GFI explains:

2014 was a tough year for Linux users from a security point of view, coupled with the fact that some of the most important security issues of the year were reported for applications that usually run on Linux systems. Heartbleed, for example, is a critical security vulnerability detected in OpenSSL while Shellshock is a vulnerability that affects GNU Bash.

Windows users shouldn’t gloat too much, though. GFI’s rankings also list last year’s most vulnerable applications, and Internet Explorer is number one there. (Thanks to Neowin for the link.)
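Tables like GFI's are built by pulling NVD records, attributing each one to a product, bucketing it by CVSS score, and counting. The attribution step decides the ranking, which is why the Heartbleed and Shellshock remark matters: an OpenSSL or Bash record can be counted under "Linux" or under its own product. The following Python script is an added illustration, not GFI's tooling or NVD's data format. Its records are real 2014 CVE IDs with the CVSS v2 base scores NVD assigned them, but the CPE lists are abbreviated by hand, and the "lumped" rule that folds GNU and OpenSSL userland into Linux is an assumption made to show how that choice moves the totals; the de-duplication rule (one CVE counted once per product, however many versions it lists) is how the same bug in Windows 7 and 8.1 avoids being counted twice within one version.

```python
"""Count NVD-style records per product the way a "most vulnerable OS"
table is built, and show how the attribution rule moves the totals.

Added example; not GFI's tooling and not NVD's own data format."""
from collections import defaultdict

# Constructed sample: real 2014 CVE IDs with the CVSS v2 base scores NVD
# assigned them. The CPE lists are abbreviated by hand (the real records
# list many more versions and products); treat them as an assumption.
SAMPLE_RECORDS = [
    {"id": "CVE-2014-0160", "cvss": 5.0,    # Heartbleed (OpenSSL)
     "cpes": ["cpe:/a:openssl:openssl:1.0.1f"]},
    {"id": "CVE-2014-6271", "cvss": 10.0,   # Shellshock (GNU Bash)
     "cpes": ["cpe:/a:gnu:bash:4.3"]},
    {"id": "CVE-2014-3153", "cvss": 7.2,    # futex bug in the Linux kernel
     "cpes": ["cpe:/o:linux:linux_kernel"]},
    {"id": "CVE-2014-6321", "cvss": 10.0,   # Schannel ("WinShock")
     "cpes": ["cpe:/o:microsoft:windows_7", "cpe:/o:microsoft:windows_7:-:sp1",
              "cpe:/o:microsoft:windows_8.1"]},
    {"id": "CVE-2014-4114", "cvss": 9.3,    # OLE packager ("Sandworm")
     "cpes": ["cpe:/o:microsoft:windows_7", "cpe:/o:microsoft:windows_8.1"]},
]


def severity(cvss):
    """NVD's CVSS v2 buckets: Low 0.0-3.9, Medium 4.0-6.9, High 7.0-10.0."""
    if cvss >= 7.0:
        return "high"
    if cvss >= 4.0:
        return "medium"
    return "low"


def product_strict(cpe):
    """Attribute a CPE to its own vendor:product, e.g. 'openssl:openssl'."""
    parts = cpe.split(":")          # ['cpe', '/a', 'openssl', 'openssl', ...]
    return parts[2] + ":" + parts[3]


# Assumed lumping rule: count the kernel plus common GNU/OpenSSL userland
# under one "Linux" label, the way the report's prose seems to.
LINUX_USERLAND = {"gnu:bash", "gnu:glibc", "openssl:openssl"}


def product_lumped(cpe):
    """Attribute kernel and the userland packages above to 'Linux'."""
    p = product_strict(cpe)
    if p == "linux:linux_kernel" or p in LINUX_USERLAND:
        return "Linux"
    return p


def count_by_product(records, attribute=product_strict):
    """Tally high/medium/low/total per product label.

    A CVE is counted once per label no matter how many versions of that
    product it lists, so Windows 7 SP0 and SP1 do not double count."""
    counts = defaultdict(lambda: {"high": 0, "medium": 0, "low": 0, "total": 0})
    seen = set()
    for rec in records:
        sev = severity(rec["cvss"])
        for cpe in rec["cpes"]:
            label = attribute(cpe)
            if (label, rec["id"]) in seen:
                continue
            seen.add((label, rec["id"]))
            counts[label][sev] += 1
            counts[label]["total"] += 1
    return dict(counts)


def ranking(records, attribute=product_strict):
    """Products ordered most-vulnerable first: by total, then by highs."""
    counts = count_by_product(records, attribute)
    return sorted(counts, key=lambda k: (-counts[k]["total"], -counts[k]["high"], k))


if __name__ == "__main__":
    for name, rule in (("strict", product_strict), ("lumped", product_lumped)):
        print(f"--- {name} attribution ---")
        table = count_by_product(SAMPLE_RECORDS, rule)
        for label in ranking(SAMPLE_RECORDS, rule):
            c = table[label]
            print(f"{label:<28} total={c['total']} high={c['high']} "
                  f"medium={c['medium']} low={c['low']}")
```

With the strict rule, Windows 7 tops this toy table; with the lumped rule, "Linux" does, on the same five records. Nothing about the software changed, only the label a record is filed under, which is the point the comment thread below circles around.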

Comments closed
    • ronch
    • 5 years ago

    Windows 7 FTW.

      • colinstu12
      • 5 years ago

      And 8.1!

    • Pholostan
    • 5 years ago

    Tables like this are soo stupid on so many levels. Someone else wrote a nice post on the subject:

    https://plus.google.com/u/0/+JustinSchuh/posts/CNEgtJWYTb5

    "tl;dr: Vendor provided vulnerability information covers a very broad spectrum, where the quantity of vulnerabilities listed and the details included within vary wildly, are heavily influenced by the approach of the vendor itself, and can change regularly over the lifetime of a given product. Simply put, it’s just not possible to use that information to make qualitative statements about the relative security of a single product, much less for comparing different products or different vendors. In the end, it’s going to be an apples-to-bowling-balls comparison at best and an apples-to-interstellar-warcraft comparison at worst. In closing... Please, in the name of everyone’s sanity, just don’t play the vulnerability counting game. It doesn't do anyone any good."

    • VincentHanna
    • 5 years ago

    Vista beats Windows 7 & 8 in every category.

    who knew?

    • Angst
    • 5 years ago

    Am I the only one who chuckled from reading the headline? (Not for the linux part but for all the others)

    • UnfriendlyFire
    • 5 years ago

    Long story short: Every OS is vulnerable. Don’t click on every link, be suspicious of “free” downloads, and know the common social engineering practices.

    If you’re up against the NSA, good luck. You wouldn’t know if your router, HDD’s firmware or your ISP have been compromised.

    EDIT: A friend came across a malware that infects OpenSUSE, OSX and Windows 8 through USB flash drives. It’s most likely a backdoor or keylogger.

      • Deanjo
      • 5 years ago

      "EDIT: A friend came across a malware that infects OpenSUSE, OSX and Windows 8 through USB flash drives. It's most likely a backdoor or key logger." Proof?

        • UnfriendlyFire
        • 5 years ago

        Would you like me to dig up the infected USB stick from the landfill and upload it on a website for you to download?

          • l33t-g4m3r
          • 5 years ago

          I like this idea. Sounds like there would be interesting results.

    • danny e.
    • 5 years ago

    http://www.dannyde.com/betterChart.jpg

    • AdamDZ
    • 5 years ago

    I smell bullshit. I support around 400 Macs and maybe 50 PCs. I still cleanup more PCs than Macs. The only thing that Macs have been getting recently is adware that is trivial to remove. Working with PCs is like working in a sewer. I feel like I have to wear rubber gloves.

    Every single personal Windows 7 laptop that came through was infected. Managed PCs do better.

      • brucethemoose
      • 5 years ago

      OSX tends to discourage people from running those trashy, malware-infested applications they just love to download, where Windows doesn’t. There’s also more trash to choose from on Windows.

      There are other factors too (browser choice and usage habits being big ones), but my point is that OS security vulnerabilities aren’t the only reason people get malware.

      • EV42TMAN
      • 5 years ago

      Well that’s because the only things you can do on a Mac are what Apple allows you to do not what you want to do. Also if you have an 8:1 ratio on Mac vs Windows and Windows is the problem you’re doing something wrong.

        • Deanjo
        • 5 years ago

        "Well that's because the only things you can do on a Mac are what Apple allows you to do not what you want to do." Oh that is so much BS that I can tell that you have zero experience with OS X or familiarity with its workings.

          • danny e.
          • 5 years ago

          Typing what Apple wants you to type just makes his case.

            • Deanjo
            • 5 years ago

            Any day you would like to put your money where your mouth is to back up those claims you just let me know.

      • Deanjo
      • 5 years ago

      Bang on the money.

      • Zizy
      • 5 years ago

      Obviously PCs have way more junk on them. Because more people bother writing crap for them due to market share, plus easier to propagate – again due to market share.
      “Oh, there is UAC popping out asking whether I want to install some virus from untrustworthy source? Why does it bother me, sure I do, whatever that means.”
      ALL non-sandboxed OSes are equally vulnerable to this shit, the only protection is a good enough user. Even antivirus doesn’t help much here, as some people do want toolbars, some want screen capture tools and so on.

      Don’t worry, most of that crap is going multiplatform now 🙂

    • blastdoor
    • 5 years ago

    “Vulnerable” to what? Real world threats, or hypothetical threats?

    For example, I need a better explanation of how iOS is number two, given the lack of a command shell or user-installable software from any source other than the app store (unless you jailbreak, but if they are including vulnerabilities that only exist after jailbreaking, then they should break out iOS and jailbroken iOS as two separate things).

      • trackerben
      • 5 years ago

      Mostly minor threats involving social engineering stuff and rogue apps, but there was that tandem exploit involving OSX-iOS USB infection which was big to Mac users. Regular iOS and WinPhone mobiles, whose default system and common apps are back-ended and updated OTA, are still the best hardened consumer computers available.

      • albundy
      • 5 years ago

      they were vulnerable because they ate my sandwich. nobody eats my sandwich but me, dammmit!

        • trackerben
        • 5 years ago

        Were you hypothesizing about something?

      • brucethemoose
      • 5 years ago

      Most “jailbreaks” are actually a hardware/software vulnerability cocktail. Those same exploits could be used by hackers… You don’t have to jailbreak the device to be vulnerable, the very existence of a jailbreak proves that your iDevice is vulnerable.

        • blastdoor
        • 5 years ago

        How many jailbreaks are possible without being in possession of the device?

          • brucethemoose
          • 5 years ago

          Some older jailbreaks were purely browser based. Otherwise, iDevices could easily be infected if/when they’re plugged into another computer.

          But those are just the exploits that a small group of devs know about and use. The larger implication is more important: Apple’s hardware/software is NOT airtight, despite their reputation.

        • trackerben
        • 5 years ago

        Unless you’re some person of interest the same physical exploit is far more useful to robbers who’d just reset and reactivate if possible. This is by far the more common scenario for iOS devices ending up in unauthorized hands. Apple’s defaulting of Activation Lock has drastically cut down opportunistic thefts for newer versions, though.

        The problem remains on the Mac side as a result of BadUSB-like schemes proliferating across all OSes. Still, users who operate their mobiles in tandem with their Macs only have to avoid “…third-party app stores, keep operating system software up to date, don’t pair iOS devices with untrusted desktop systems and don’t accept an unknown enterprise provisioning profile unless an authorized, trusted party explicitly instructs you to do so…”
        http://www.zdnet.com/article/os-x-malware-infecting-connected-iphones-ipads. Mitigation practices for other mobile OSes (except maybe WinPhone) are nowhere near as easy to follow for ordinary users.

      • VincentHanna
      • 5 years ago

      https://web.nvd.nist.gov/view/vuln/search-results?query=apple+ios&search_type=last3months&cves=on

    • DragonDaddyBear
    • 5 years ago

    A lot of this has to do with the number of installations of Linux and the size of the target. POSIX OS’s are widely popular, a lot of people just don’t know it.

    Linux is the most popular kernel in the world. Just because people don’t install it at home and use it to surf the internet does not mean it’s not out there. Home routers, Android, network appliances, web servers, etc are all running Linux. OSX and iOS are FreeBSD based. It’s out there people.

    So when a big bug hits a popular component of a popular OS (OpenSSL and the BASH shell) it’s a BIG deal. That’s not to say Windows didn’t have an almost 20-year-old bug get discovered that allows remote code execution, it’s just not as big of a deal because the (internet facing) footprint is just not there. It’s not as valuable of an initial target.

    • WasabiVengeance
    • 5 years ago

    I do wonder what ‘linux kernel’ covers. If that category is including Shellshock, then it’s clearly not actually just kernel vulnerabilities as Shellshock wasn’t a kernel problem. Also, there is a *huge* difference in attack surface between, say, Android and Ubuntu 14.04 server. It’d be nice to see a good comparison between server OS’s only, mobile OS’s only, etc.

    • anotherengineer
    • 5 years ago

    FreeBSD not on that list, must be 0 😉

    • ludi
    • 5 years ago

    Windows XP: We all know what this links to (http://i.ytimg.com/vi/LqSg9yVfzV0/maxresdefault.jpg)

      • NeelyCam
      • 5 years ago

      That actually made me laugh.

    • omf
    • 5 years ago

    Hard to take this seriously with ZERO low vulnerabilities across all Windows versions.

    • Wirko
    • 5 years ago

    Adobe Reader.

    The small utility that displays formatted pages according to long established standards has more vulnerabilities than several complete operating systems with loads of innovation built in.

    This world has a half-life, it’s just been confirmed, and it’s getting shorter by the day.

      • LostCat
      • 5 years ago

      I just use the Windows Runtime version. Not really comfortable with the desktop one, and I don’t use it often enough that I want to care about whether or not it’s updated.

    • slowriot
    • 5 years ago

    I would like to know the method they used to pull and sort from NVD. I’m concerned that the snippet you copied from GFI indicates they haven’t properly sorted these results. Neither Heartbleed nor Shellshock is a vulnerability in the Linux kernel. OpenSSL and Bash are not part of the kernel; they’re separate software packages and should be grouped like Internet Explorer, Firefox, Java, etc.

    The comment on Heartbleed/Shellshock also highlights how useless raw numbers like these can be and how you can’t trust mainstream reporting on these issues. Frankly, both of these issues were not near the security risk the news would lead you to believe. On the other hand, there’s GHOST which isn’t getting anywhere close to the same press but is a far larger concern out in the real world.

      • atari030
      • 5 years ago

      I have to assume that the report chart labeling is simply branding all Linux OS distributions as ‘Linux Kernel’ (i.e. any OS running the Linux kernel, per the column title of ‘Operating system’). They could have avoided all confusion and improper association by simply using ‘Linux’ as the label. ‘Linux Kernel’ is not an operating system.

        • Deanjo
        • 5 years ago

        Sure but the fact still remains that they are lumping programs that are their own separate entity and associating them with some of the OS’s and not evenly across all operating systems that have the same programs available for it. If we applied the same criteria to Windows and say included IE vulnerabilities to their total the results drastically change.

          • atari030
          • 5 years ago

          Agreed! An interesting question arises though. Whereas the bash shell, openssl libs, and glibc are truly core OS components to a Linux distro, can the same be said for IE as it pertains to Windows? I’m not a Windows server admin (by choice) so I don’t know from a Windows Server 20xx perspective….is IE a core component that will always be installed by default in a deployment? My assumption is yes.

          Then again, we’re not just talking server versions of the OS either are we?…it includes all desktop versions…..so…..

            • Deanjo
            • 5 years ago

            "Whereas the bash shell, openssl libs are truly core OS components to a Linux distro" Not really, they are optional installations and not part of the core OS and alternatives are commonly used such as NSS, csh, ash, etc.

            • atari030
            • 5 years ago

            True enough….but I’m again taking the Linux server mindset, not the desktop Linux mindset. Any standard Linux server will use bash and, until recently, SSH always had an OpenSSL dependency, so I always have considered them core components.

            Are there any stats out there as to Linux server vs Linux desktop usage? I would be curious to know numbers or percentages, not that there’s anything out there that could possibly report that information with any accuracy.

            Cue smart-alecky comments re: Linux on the desktop……

            • brucethemoose
            • 5 years ago

            Last I checked, trying to remove IE basically breaks Windows. IMHO it’s safe to call it a core component of the OS.

          • bjm
          • 5 years ago

          Well, where do you draw the line then between an OS and its applications? With Windows, there is a clear distinction between Windows and the third party applications. With Linux distributions, there is no such clear distinction. Do you draw it at what most operating systems include in their “base” install? Is there a certain dependency depth that you consider before it’s not part of the “OS”? Do you draw it at the unsupported/supported repositories Ubuntu uses?

          And therein lies the problem with these issues and blanket claims about “Linux/Windows is more secure than that!”. They are ridiculous benchmarks that don’t really compare much of anything and end up as ammo for fanboys. I know it’s cliche, but it definitely applies here: Security is a process, not a product.

      • dragontamer5788
      • 5 years ago

      GFI is being honest about their reporting.

      It’s the next level of sites that need to make this clear. There’s some benefit to testing the kernels specifically for software bugs (indeed, the kernels provide the basis for all code run on an OS). But as you’ve noted, Ghost, Heartbeat, and Shellshock are all *missing* from this report (being vulnerabilities in GLibC, OpenSSL, and GNU Bash... none of which are "Linux Kernel" proper). Strangely enough, this makes Windows much safer in comparison. Windows surely includes the "WinShock" SSL buffer-overflow for example... since "Windows" code covers a larger breadth. People need to read between the lines and understand the real message here. It’s more nuanced than what a lot of people are reporting.

        • slowriot
        • 5 years ago

        Err what? First, I’m not suggesting they’re being dishonest. What I’m pointing out is they’ve provided zero insight into how they’ve performed the analysis. Which is incredible given that they’re just pulling data from the NVD. But, GFI decided to use their own way of dividing up the categories. And then the author made it even more confusing by writing the paragraph about Heartbleed and Shellshock under the OS section as an example of Linux’s vulnerabilities.

        So, how do you know those were not counted under Linux Kernel? I don’t see where in the article this was made clear.

        Even just basic stuff like a link to which dataset they’re using instead of a generic top level one to the NVD site would have been nice. A general description of each label… basic stuff is all I’m asking.

        This doesn’t even begin to touch on the issues with the NVD system.

    • sweatshopking
    • 5 years ago

    DEANJO.

      • Deanjo
      • 5 years ago

      "2014 was a tough year for Linux users from a security point of view, coupled with the fact that some of the most important security issues of the year were reported for applications that usually run on Linux systems. Heartbleed, for example, is a critical security vulnerability detected in OpenSSL while Shellshock is a vulnerability that affects GNU Bash." This is why they look the way that they do. Both examples that they list not only affect Linux or OS X but anything that those programs were installed to. Both also are available on Windows as well and carried the same vulnerabilities but were not included in the Windows totals so they are not exactly comparing the same items.

        • anotherengineer
        • 5 years ago

        Well there goes my

        In before Deanjo tries to brush it off………………….

        😉

      • flip-mode
      • 5 years ago

      This is your funniest comment in a long, long time. DEANJO….. I did in fact audibly snort. You’re still batting a .005 or something like that, though.

        • sweatshopking
        • 5 years ago

        WE USED TO BE SUCH BROS. WHAT HAPPENED, FLIP, WHAT HAPPENED?

          • flip-mode
          • 5 years ago

          Don’t think we are not still bros! I don’t come around much anymore, though.

            • sweatshopking
            • 5 years ago

            I noticed. been missing you
            <3 forever

    • nico1982
    • 5 years ago

    As someone pointed out on another forum, why are OSX and Linux vulnerabilities accumulated under a unique entry while Windows ones are per OS version? I get that OSX versions are more of a service pack since Leopard, and the Linux kernel is more or less the same across the different distributions, while Windows versions are more self contained, but still…

      • derFunkenstein
      • 5 years ago

      Since Apple supports the previous 2 releases for security updates, it could be that many of those are counted triple, but maybe they accounted for that. OS X releases aren’t really service packs, because outside of XP SP2, service packs are not feature releases. 10.6 was advertised as such, but it wouldn’t be included. It’d be 10.7, 10.8, and 10.9 for most of the year, and then 10.8 and 10.9 after mid-October.

      • Kretschmer
      • 5 years ago

      OSX install base is too small for anyone to care about breaking it down further?

      • qasdfdsaq
      • 5 years ago

      Absolutely this.

      Particularly since several of the Windows versions listed share substantially the same kernel, if not identical, as well as pretty much the same userspace. And why would they bundle Server 2012 and 2012 R2 together but not Windows 8.0 and 8.1? Same goes for Vista/7 and Server 2008/R2.

    • ioconnor
    • 5 years ago

    The mac has always been super hackable since the 80s. Linux has always flown under the radar but probably just as unsafe. And windows only reports a small subset of their bugs so any comparison to the others is flawed. What we really need is a third party that has access to all the problems. Which probably will never exist because neither Apple or Microsoft will ever open up. So these stories will always be the same as comparing apples to oranges to bananas. The story can be shaped as pleased.

      • Variable
      • 5 years ago

      NM…Totally read that wrong…

    • NeelyCam
    • 5 years ago

    I always knew Android has zero vulnerabilities.

      • sweatshopking
      • 5 years ago

      lolirl. The funny thing is that i’m sure some people actually took that away from the article.

      • l33t-g4m3r
      • 5 years ago

      Android had heartbleed, I know that much. Also, a high percentage of android devices do not get security updates at all, making them throwaway devices if you actually care about security.

      • Wirko
      • 5 years ago

      I, however, didn’t know that Windows XP has none.

        • sweatshopking
        • 5 years ago

        THEY DIDN’T BOTHER TO INCLUDE IT BECAUSE IT HAS ALL THE VULNERABILITIES EVER. THAT’S WHY YOUR BANK AND UTILITY COMPANIES STILL USE IT.

    • flip-mode
    • 5 years ago

    Brace yourselves for all kinds of nerd rage up in this mutha.

      • NeelyCam
      • 5 years ago

      On the article comments, people are already whining about Windows being split to multiple versions to make it look better

        • sweatshopking
        • 5 years ago

        Yeah, but they addressed that by stating that so many of the bugs were shared across versions. They can’t count it twice because the same bug exists in 7 and 8.

        • dragontamer5788
        • 5 years ago

        Yeah, but “Linux Kernel” doesn’t include SSL or GNU Bash. Which means the “big ones” of 2014 aren’t even counted on the list.

        Frankly, looking at the kernels specifically is kind of… useless. The main vulnerabilities seem to be in application code: MS Word, Adobe Reader, Flash, Web Browsers, etc. etc.

      • tootercomputer
      • 5 years ago

      Yep. This should be interesting.

      • anotherengineer
      • 5 years ago

      Is mutha pronounced mootha?

      And what is that exactly?? My slang/movie/American language needs some brushing up 🙂

      • danny e.
      • 5 years ago

      Linux nerds I’d expect better of since they should know something about all software having issues. Apple cultists .. yeah.

    • odizzido
    • 5 years ago

    I imagine linux/OSX are still safer….not because they actually are but because you can fly under the radar with them. I also bet if linux/OSX were suddenly the popular choice there would have been more security issues discovered.

      • LoneWolf15
      • 5 years ago

      They don’t fly under the radar for people who do massive exploits. The kind that are used for botnets, identity theft, or fraud that actually makes money, and are exploited by people with experience.

      Linux and OS X are only safer in the eyes of the general public. Any security expert would tell you different. And this has nothing to do with my preference of operating system, it’s just the real world.

        • Thrashdog
        • 5 years ago

        OS X still benefits from its 5% market share. Even though some really glaring vulnerabilities have been found, it’s still not a high-value target because of its low installed base. Linux, on the other hand, is a really juicy target now, since it’s the OS of choice for the legions of (for example) absentee WordPress admins running three years out of date on OS and software. Easy to compromise, and easy to turn into an infector or C&C system for other malware once you’ve pwned it.

      • DarkMikaru
      • 5 years ago

      Security through obscurity is no safe bet my friend.

        • cheesyking
        • 5 years ago

        which is why you should always choose open source software 😉

          • sweatshopking
          • 5 years ago

          Why? So you can be obscure and vulnerable? See the story above.

            • cheesyking
            • 5 years ago

            Nope, so you can be popular with the opposite (or same, if that’s your bag) sex.

        • Zizy
        • 5 years ago

        Safer than you think 😉
        You can’t rely only on that obviously, but there is a tremendous benefit from having quirks in your hardware/software.
        Not to mention most of the crap is “install this free program and get virus gratis”. Targeting 95% vs 100% doesn’t make much difference and having secure OS does not help here.
        Plus, why bother targeting OS when flash+IE have plenty of vulnerabilities?
