Vulnerability statistics for Mac and Windows

Summary: The data is clear, and Apple has a lot more vulnerabilities of every kind ranging from moderately critical to extremely critical.

In yesterday's article "Is Mac OS as safe as ever", Joris Evers poses the age-old question of whether Mac OS security is myth or reality. I decided to settle this once and for all with some hard numbers from the independent security research group Secunia along with the number of CVE issues for Microsoft Windows XP and Mac OS X within the last two years.

Before I post the data, I want to make a few things clear since I keep getting the same questions and accusations every single time I post data on vulnerability statistics.

  • When visiting the Secunia links I provide in this blog, please DO NOT quote me on the number of advisories for a particular OS and blast me for getting the numbers wrong.  I am NOT counting advisories; I'm counting the actual number of vulnerabilities.  There are many advisories that contain multiple vulnerabilities and CVE IDs.  Sorry for the shouting, but I get about 10 of these "I don't count the same number of issues" every time.
  • No matter what some people may say, vulnerability ratings from Secunia are a valid measurement of security risk.  If we can't count the number of actual security vulnerabilities (with severity and patch status in mind), what can we count?
  • There seems to be a cavalier attitude that a vulnerability is not a problem if it hasn't been widely hacked yet.  The truth is that professional hackers don't want notoriety because it's bad for business.  Before Microsoft's infamous WMF vulnerability was infamous because of all the press coverage, it sold on the black market for $4000.  Nothing kills a money maker in the digital underworld faster than public exposure.
  • There will always be those who say vulnerabilities are only "theoretical".  Anyone who feels this way should leave their computers unpatched for all "theoretical" problems and post their email and IP address in the talkback section and I'll be sure to forward a copy to the hacker forums.  I'm sure it probably won't be a problem since the problem is only "theoretical".
  • I make no claims on which operating system is better.  You look at the data and you be the judge.

Data gathered from Secunia:

How to read the chart:

  • The three most severe levels of vulnerabilities from Secunia are analyzed in this chart.
  • The two less critical categories from Secunia were left out so the significant data will fit better on the screen.
  • The grayed out section represents the vendor with the worst security of the month.
  • Red font text represents unpatched vulnerabilities correlating to the degree of vulnerability.  For example in the month of February 2006, Apple's Meta data shell script execution flaw hasn't been fixed yet so it gets a red 1 in the extremely vulnerable column.
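
The counting rule described above (vulnerabilities rather than advisories, top three severity levels only, unpatched issues tracked separately), sketched as an added example; this is not the author's or Secunia's code. The advisory records, vendor labels and CVE names are constructed placeholders, and counting a CVE once under its most severe rating is an assumption.

```python
from collections import defaultdict

# The three severity levels the chart keeps, most severe first.
CHARTED = ("extremely critical", "highly critical", "moderately critical")

# Constructed sample advisories; ids, months and CVE names are placeholders.
ADVISORIES = [
    {"id": "ADV-1", "vendor": "A", "month": "2005-08", "patched": True,
     "severity": "highly critical", "cves": ["CVE-X-0001", "CVE-X-0002", "CVE-X-0003"]},
    {"id": "ADV-2", "vendor": "A", "month": "2005-08", "patched": True,
     "severity": "moderately critical", "cves": ["CVE-X-0003", "CVE-X-0004"]},
    {"id": "ADV-3", "vendor": "A", "month": "2006-02", "patched": False,
     "severity": "extremely critical", "cves": ["CVE-X-0005"]},
    {"id": "ADV-4", "vendor": "B", "month": "2005-08", "patched": True,
     "severity": "highly critical", "cves": ["CVE-X-0101"]},
    {"id": "ADV-5", "vendor": "B", "month": "2005-08", "patched": False,
     "severity": "less critical", "cves": ["CVE-X-0102"]},  # below the chart's cut-off
]

def tally(advisories):
    """Return {(vendor, month): {severity: [total, unpatched]}}, counted per CVE."""
    seen = {}  # (vendor, cve) -> (rank, month, severity, patched); lower rank is worse
    for adv in advisories:
        if adv["severity"] not in CHARTED:
            continue  # the two lower categories are left out of the chart
        rank = CHARTED.index(adv["severity"])
        for cve in adv["cves"]:
            key = (adv["vendor"], cve)
            # Assumption: a CVE listed in several advisories counts once,
            # under the most severe rating it received.
            if key not in seen or rank < seen[key][0]:
                seen[key] = (rank, adv["month"], adv["severity"], adv["patched"])
    table = defaultdict(lambda: {s: [0, 0] for s in CHARTED})
    for (vendor, _cve), (_rank, month, severity, patched) in seen.items():
        cell = table[(vendor, month)][severity]
        cell[0] += 1                     # every distinct vulnerability
        cell[1] += 0 if patched else 1   # the chart's "red" unpatched count
    return dict(table)

def advisory_count(advisories, vendor):
    """Number of advisories, the figure the article says it is not counting."""
    return sum(1 for a in advisories if a["vendor"] == vendor)

def vulnerability_count(advisories, vendor):
    """Distinct charted vulnerabilities for one vendor, across all months."""
    rows = [row for (v, _m), row in tally(advisories).items() if v == vendor]
    return sum(total for row in rows for total, _unpatched in row.values())
```

With this sample, vendor A has three advisories but five charted vulnerabilities, which is the gap between advisory counts and vulnerability counts that the first bullet warns about.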

The data is clear, and Apple has a lot more vulnerabilities of every kind ranging from moderately critical to extremely critical.  While Windows had some months with more security disclosures, they are more spread out while Apple tends to release mega-advisories with dozens of vulnerabilities at a time.  There were seven months where Apple disclosed a dozen or more highly critical vulnerabilities and August 2005 saw nearly three dozen of them.  One of the most severe zero day exploits for Mac OS X disclosed this month with a working proof-of-concept has yet to be patched so we'll have to wait and see how long it takes Apple to release a patch.

Microsoft on the other hand seems to let some moderately critical and even one highly critical vulnerability go unpatched for more than a year.  I've hammered Microsoft for this issue in the past and Microsoft has responded to me that they are clarifying some of these issues with Secunia because some of the unpatched vulnerabilities may be moot.  I'm still waiting for Microsoft's detailed explanation on these unpatched vulnerabilities.

  • Sigh

    George, really why do you bother?

    Sure you may argue that "some people" say we shouldn't count vulnerabilities but your methodology is superior to theirs.

    Well considering the "some people" are the very people you are gathering statistics from then maybe you should bother listening to them. I'd like to think the people at Secunia are a touch smarter about this topic than you are. Maybe I'm being biased but considering that your bio talks about network security not OS security then how about we listen to the experts instead of continually trying to invent metrics.
    Robert Crocker
    • Sigh

      Sigh, does this guy have a reputation for crap?
    • You are being biased and your conclusion is wrong!

      George didn't invent a metric; he counted vulnerabilities and arranged them by criticality. You may argue about what it means but George invented nothing here.
      • Robert trust me Shade knows WRONG!!!

        heh heh heh...

        Pagan jim
        • Good one, Laff.

          Judas I.
        • I have raed a lot of your opinions so ...

          ... I do know wrong when I see it! Touche!
          • If raeding my comments makes you think you know

            my opinions or what I'm thinking you could not be more wrong...:)

            Pagan jim
          • You took the first shot and then come back ...

            ... with this weak retort? What are you trying to say that you don't mean what you post or you just don't have a clue?
          • I like playing and you are a game to me....:)

            Plus as a matter of personal strategy I NEVER reveal too much of myself to anyone.

            Pagan jim
          • I think...

            he's trying to point out that you don't know how to spell read, or you just don't do it before you post (spell checker not built into your browser? Use FireFox instead).
      • Really

        My point was that the source of his "metric" specifically says "do not use this information in this way as it will not provide useful information". But hey, since this isn't George's area of expertise he's free to ignore the experts and provide his analysis.
        Robert Crocker
        • If you can't refute the data then refute the ....

          ... method or the person presenting the data. Is it your contention that the software with more unpatched vulnerabilities and more critical ones at that is somehow more secure? You don't have to be an expert to see the holes in that logic!
          • more unpatched?....

            .... r u sure about that?
          • Shadetree, which OS has more unpatched...


            Did I read it wrong, or do they have one each? How old is the MS one and how old is the Apple one?
          • Who Cares, the point is made, like it or not.

            I'm going to assume here that nobody is going to claim XP is invulnerable, right? I'm not going to have to argue that if you don't run XP with updates, antivirus and such you're just looking for trouble, right? We all agree on that ... right? Well guess what. Apples are not invulnerable either. Once you have an XP box set up, updates are automatic and if it's set up right, no problems for almost anyone. I hope the same goes for Apple computers. If it does, no more security arguments, right? Both have their issues; if you take care, neither amounts to much. End of story. If you want to pay for an Apple do so, but don't do it for its superior security over XP. That's a bit of fantasy in the real world.
          • You did read it wrong...

            Windows has THREE unpatched, one has been unpatched for over two years, and one for more than a year.

            Mac OS X has one unpatched from last month. (Which I suspect Apple will have patched in much less than two years!)

            BTW George, Feb-04 to Feb-06 is NOT two years, it is 25 months, or two years and one month. I hope the counting of the vulnerabilities was more accurate than the counting of the months!
    • You're being more than just a little disingenuous.

      The exact advisory is;

      "Please Note. The statistics below should not be used for a direct comparison of how secure two different products are. This is partly due to the fact that a Secunia advisory often cover multiple vulnerabilities. Also certain operating systems bundle a very large number of software packages and are therefore affected by many vulnerabilities that would be counted as a vulnerability in stand alone products for other operating systems / platforms. Other factors such as vendor response times and ability to properly fix vulnerabilities is also important."

      In other words don't use it unless you take into account multiple vulnerabilities per advisory, software bundles and length of time to patch. All of which George took into account. Now who is misleading who?
      • This is Easy . . .

        How many active infestations have there been on the Mac OS X?

        How many active infestations have there been on the PC/XP? I'll
        let you answer that one.

        A test of your honesty and integrity. Not how well you can spin
        BS . . . .

        • No, that's being simple...

          The article is about security holes and flaws, not attacks. Take a breath and look at this objectively, not as a fan, but as a pure exercise in numbers. And the numbers say there are more holes in OSX. Period.
          Since every other time we get in to one of these discussions we hear endless spouting about the one true OS being the one sold by Steve Jobs, and how it is much better code and much cleaner and a much better design, how does that rhetoric stand up in light of these holes reported by Secunia?

          You are right, no one has exploited almost any of the Mac problems, but the fact is they exist, and that is all that is being argued here. Does that affect the real world security of the machines that run the OS and the data on the machine? No, the Mac is far safer in the real world internet we all deal with daily. But is the OS actually more secure? Doesn't look like it. In other words, Mac OS is safer not because of better design, but simply because of lack of attacks. Which is what we PC fanatics have been saying for years. Sounds like the data backs up that claim IMHO. I may be reading it wrong, but it sounds like a lot of us are reading it that way.
          • Yes, but...

            Yes, that set of numbers does show that OSX has more flaws... but you are missing some things that are important.
            1. the time it takes for the maker to get it fixed.
            2. the percentage of users it affects.
            3. the amount of flaws that go unfixed.
            4. the ease of infection.

            there are more variables to this than what is presented...