Mac versus Windows vulnerability stats for 2007

Summary: The year 2007 has been an interesting year that brought us improved security with Windows Vista and Mac OS X Leopard (10.5).

By George Ou for Zero Day | December 18, 2007 -- 07:14 GMT (23:14 PST)

The year 2007 has been an interesting year that brought us improved security with Windows Vista and Mac OS X Leopard (10.5). But to get some perspective of how many publicly known holes found in these two operating systems, I've compiled all the security flaws in Mac OS X and Windows XP and Vista and placed them side by side. This is significant because it shows a trend that can give us a good estimate for how many flaws we can expect to find in the coming months. The more monthly flaws there are in the historical trend, the more likely it is that someone will find a hole to exploit in the future. For example back in April of this year, hackers took over a fully patched Macbook and won $10,000 plus the Macbook they hacked.

I used vulnerability statistics from an impartial third party vendor Secunia and I broke them down by Windows XP flaws, Vista flaws, and Mac OS X flaws. Since Secunia doesn't offer individual numbers for Mac OS X 10.5 and 10.4, I merged the XP and Vista vulnerabilities so that we can compare Vista + XP flaws to Mac OS X. In case you're wondering how 19 plus 12 could equal 23, this is because there are many overlapping flaws that is shared between XP and Vista so those don't get counted twice just as I don't count something that affects Mac OS X 10.4 and 10.5 twice.

Windows XP, Vista, and Mac OS X vulnerability stats for 2007
	XP	Vista	XP + Vista	Mac OS X
Total extremely critical	3	1	4	0
Total highly critical	19	12	23	234
Total moderately critical	2	1	3	2
Total less critical	3	1	4	7
Total flaws	34	20	44	243
Average flaws per month	2.83	1.67	3.67	20.25

X Extremely critical H Highly critical M Moderately critical L Less critical

So this shows that Apple had more than 5 times the number of flaws per month than Windows XP and Vista in 2007, and most of these flaws are serious. Clearly this goes against conventional wisdom because the numbers show just the opposite and it isn't even close.

Also noteworthy is that while Windows Vista shows fewer flaws than Windows XP and has more mitigating factors against exploitation, the addition of Windows Defender and Sidebar added 4 highly critical flaws to Vista that weren't present in Windows XP. Sidebar accounted for three of those additional vulnerabilities and it's something I am glad I don't use. The lone Defender critical vulnerability that was supposed to defend Windows Vista was ironically the first critical vulnerability for Windows Vista.

Windows XP, Vista, and Mac OS X vulnerability details for 2007
Month	Windows XP	Windows Vista	Mac OS X
DEC	CVE-2007-0064 H CVE-2007-3039 L CVE-2007-3895 H CVE-2007-3901 H CVE-2007-5355 L	CVE-2007-0064 H CVE-2007-5350 L CVE-2007-3895 H CVE-2007-3901 H CVE-2007-5351 M CVE-2007-5355 L	CVE-2006-0024 H CVE-2007-1218 H CVE-2007-1659 H CVE-2007-1660 H CVE-2007-1661 H CVE-2007-1662 H CVE-2007-3798 H CVE-2007-3876 H CVE-2007-4131 H CVE-2007-4351 H CVE-2007-4572 H CVE-2007-4708 H CVE-2007-4709 H CVE-2007-4710 H CVE-2007-4766 H CVE-2007-4767 H CVE-2007-4768 H CVE-2007-4965 H CVE-2007-5379 H CVE-2007-5380 H CVE-2007-5398 H CVE-2007-5476 H CVE-2007-5770 H CVE-2007-5847 H CVE-2007-5848 H CVE-2007-5849 H CVE-2007-5858 H CVE-2007-5850 H CVE-2007-5851 H CVE-2007-5853 H CVE-2007-5854 H CVE-2007-5855 H CVE-2007-5856 H CVE-2007-5857 H CVE-2007-5859 H CVE-2007-5860 H CVE-2007-5861 H CVE-2007-5863 H CVE-2007-6077 H CVE-2007-6165 H CVE-2006-4339 H CVE-2006-6731 H CVE-2006-6736 H CVE-2006-6745 H CVE-2007-0243 H CVE-2007-2435 H CVE-2007-2788 H CVE-2007-2789 H CVE-2007-3004 H CVE-2007-3005 H CVE-2007-3503 H CVE-2007-3504 H CVE-2007-3655 H CVE-2007-3698 H CVE-2007-3922 H CVE-2007-4381 H CVE-2007-5232 H CVE-2007-5862 H CVE-2007-6276 M
NOV			CVE-2007-6165 H CVE-2007-4702 L CVE-2007-4703 L CVE-2007-4704 L CVE-2005-0953 H CVE-2005-1260 H CVE-2007-0464 H CVE-2007-0646 H CVE-2007-2926 H CVE-2007-3456 H CVE-2007-3749 H CVE-2007-3756 H CVE-2007-3758 H CVE-2007-3760 H CVE-2007-3999 H CVE-2007-4267 H CVE-2007-4268 H CVE-2007-4269 H CVE-2007-4671 H CVE-2007-4678 H CVE-2007-4679 H CVE-2007-4680 H CVE-2007-4681 H CVE-2007-4682 H CVE-2007-4683 H CVE-2007-4684 H CVE-2007-4685 H CVE-2007-4686 H CVE-2007-4687 H CVE-2007-4688 H CVE-2007-4689 H CVE-2007-4690 H CVE-2007-4691 H CVE-2007-4692 H CVE-2007-4693 H CVE-2007-4694 H CVE-2007-4695 H CVE-2007-4696 H CVE-2007-4697 H CVE-2007-4698 H CVE-2007-4699 H CVE-2007-4700 H CVE-2007-4701 H CVE-2007-4743 H
OCT	CVE-2007-5587 L CVE-2007-2217 H CVE-2007-2228 L CVE-2007-3897 H	CVE-2007-2228 L CVE-2007-3897 H
SEPT	CVE-2007-4916 M	CVE-2007-3036 L
AUG	CVE-2007-1749 H CVE-2007-3034 H CVE-2007-2224 H	CVE-2007-3033 H CVE-2007-3032 H CVE-2007-3891 H CVE-2007-1749 H	CVE-2004-0996 H CVE-2004-2541 H CVE-2005-0758 H CVE-2005-3128 H CVE-2006-2842 H CVE-2006-3174 H CVE-2006-4019 H CVE-2006-6142 H CVE-2007-0450 H CVE-2007-0478 H CVE-2007-1001 H CVE-2007-1262 H CVE-2007-1358 H CVE-2007-1460 H CVE-2007-1461 H CVE-2007-1484 H CVE-2007-1521 H CVE-2007-1583 H CVE-2007-1711 H CVE-2007-1717 H CVE-2007-1860 H CVE-2007-2403 H CVE-2007-2404 H CVE-2007-2405 H CVE-2007-2406 H CVE-2007-2407 H CVE-2007-2408 H CVE-2007-2409 H CVE-2007-2410 H CVE-2007-2442 H CVE-2007-2443 H CVE-2007-2446 H CVE-2007-2447 H CVE-2007-2589 H CVE-2007-2798 H CVE-2007-3742 H CVE-2007-3744 H CVE-2007-3745 H CVE-2007-3746 H CVE-2007-3747 H CVE-2007-3748 H CVE-2007-3944 H
JUL	CVE-2007-3896 H CVE-2007-4041 H CVE-2007-5020 H
JUN	CVE-2007-2219 H CVE-2007-2218 H CVE-2007-1658 H CVE-2007-2225 H CVE-2007-2227 H	CVE-2007-1658 H CVE-2007-2225 H CVE-2007-2227 H CVE-2007-2229 L	CVE-2007-2399 H CVE-2007-2401 H CVE-2007-2242 M
MAY			CVE-2005-3011 H CVE-2006-4095 H CVE-2006-4096 H CVE-2006-4573 H CVE-2006-5467 H CVE-2006-6303 H CVE-2007-0493 H CVE-2007-0494 H CVE-2007-0740 H CVE-2007-0750 H CVE-2007-0751 H CVE-2007-0752 H CVE-2007-0753 H CVE-2007-1536 H CVE-2007-1558 H CVE-2007-2386 H CVE-2007-2390 H
APR	CVE-2007-1205 H CVE-2007-1206 L CVE-2007-1973 L	CVE-2007-1209 L	CVE-2006-0300 H CVE-2006-5867 H CVE-2006-6143 H CVE-2006-6652 H CVE-2007-0022 H CVE-2007-0465 H CVE-2007-0646 H CVE-2007-0724 H CVE-2007-0725 H CVE-2007-0729 H CVE-2007-0732 H CVE-2007-0735 H CVE-2007-0736 H CVE-2007-0737 H CVE-2007-0738 H CVE-2007-0739 H CVE-2007-0741 H CVE-2007-0742 H CVE-2007-0743 H CVE-2007-0744 H CVE-2007-0745 H CVE-2007-0746 H CVE-2007-0747 H CVE-2007-0957 H CVE-2007-1216 H
MAR	CVE-2007-0038 X	CVE-2007-0038 X	CVE-2005-2959 H CVE-2006-0225 H CVE-2006-0300 H CVE-2006-1516 H CVE-2006-1517 H CVE-2006-2753 H CVE-2006-3081 H CVE-2006-3469 H CVE-2006-4031 H CVE-2006-4226 H CVE-2006-4829 H CVE-2006-4924 H CVE-2006-5051 H CVE-2006-5052 H CVE-2006-5330 H CVE-2006-5679 H CVE-2006-5836 H CVE-2006-6061 H CVE-2006-6062 H CVE-2006-6097 H CVE-2006-6129 H CVE-2006-6130 H CVE-2006-6173 H CVE-2007-0229 H CVE-2007-0236 H CVE-2007-0267 H CVE-2007-0299 H CVE-2007-0318 H CVE-2007-0463 H CVE-2007-0467 H CVE-2007-0588 H CVE-2007-0719 H CVE-2007-0720 H CVE-2007-0721 H CVE-2007-0722 H CVE-2007-0723 H CVE-2007-0724 H CVE-2007-0728 H CVE-2007-0726 H CVE-2007-0730 H CVE-2007-0731 H CVE-2007-0733 H CVE-2007-1071 H
FEB	CVE-2006-1311 L CVE-2007-0025 L CVE-2007-0026 M CVE-2007-0210 L CVE-2007-0211 L CVE-2006-5559 H CVE-2007-0214 H	CVE-2006-5270 H	CVE-2007-0021 H CVE-2007-0023 H CVE-2007-0197 H CVE-2007-0614 H CVE-2007-0710 H
JAN	CVE-2007-0024 X		CVE-2007-0462 L CVE-2007-0023 L CVE-2007-0355 L CVE-2007-0236 L CVE-2007-0229 H

Topics: Operating Systems, Apple, Hardware, Microsoft, Security, Software, Windows

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Talkback

407 comments

Log in or register to join the discussion

I'm sure...

...certain people would say that this can only mean one of three things:

1. Microsoft simply isn't reporting and fixing its flaws, since Windows obviously must have more flaws than OS X.

2. Microsoft is fixing flaws "stealthily" and not reporting them.

3. You're a Microsoft shill and hate Apple.

Or some combination of the above.

Carl Rapson

rapson
18 December, 2007 07:37

Reply Vote
- why does windows OS "have to" have more vulnorabilities than a mac?
  
  I don't see any need to criticize his findings...You can believe that microsoft doesnt report their problems but as of now the ones that are reported, microsft has far less.
  
  saint9121@...
  18 December, 2007 08:01
  
  Reply Vote
  - this is FUD who cares about vulenrabilities what of exploits?
    
    if George actually correlated vulnerabilities to exploits then this article would actually have some use to users of these systems.. as they might be able to predict how much trouble they might be in in the new year, but just trotting out vulnerabilities is pretty useless...
    
    doctorSpoc
    18 December, 2007 09:36
    
    Reply Vote
    - Your suggestion is useful but flawed
      
      It's useful, because, as you pointed out, it does predict how likely an attack will occur on your platform of choice.
      
      However, it says nothing about the security of that OS. Apple can have 10x the attack vectors and it still won't trump an attack on XP/Vista, because has roughly 15x as many users.
      
      The guys attacking PCs are playing the same game that the telemarketing scam artists played 20 years ago: numbers numbers numbers.
      
      And if you can write a single attack that could potentially hit 90% of the worlds PCs or you could write one that could potentially hit no more than 6%, it's pretty obvious where you'll put your criminal resources.
      
      The reality is that Apple is just now getting to the point where it's worth it to some security researches to find holes in OSX.
      
      My gut tells me that it's probably not much better nor much worse than Windows, but we won't really know until the OS X has at least 10-20% penetration.
      
      notsofast
      19 December, 2007 18:32
      
      Reply Vote
    - They are comming
      
      Those mac vs PC ads have angered more hackers than you might imagine. THe exploits are on the way I surmise.
      
      Baer
      20 December, 2007 14:50
      
      Reply Vote
    - really...
      
      george, you should really see if the ballet will have you back, we don't need your lack
      of knowledge here in the IT world. Nice try, your not fooling anyone that's not already
      a fool. it must be a sad sight in the mirror every morning [putting your IT face on
      instead of your tights].
      
      -sincerely
      os x leopard and vista user
      
      user00033
      21 December, 2007 08:44
      
      Reply Vote
  - This is an attempt at Tu Quoque
    
    The author is trying to say Windows doesn't suck at security because Apple is worse.
    
    frgough
    19 December, 2007 06:19
    
    Reply Vote
    - LOL! yes:
      
      I call bullshit on his 'research'
      Mac OS X is quite simply put, superior.
      
      dwalk51@...
      19 December, 2007 08:34
      
      Reply Vote
      - Based on what?
        
        Is it based on your non-research?
        
        It's strange how a year ago Mac fan boys always went by the metric of how many patches Windows had each month. Now that OSX has 10x as many, the metric has changed.
        
        If you like your Mac, then good for you. I don't think security alone is a good reason to switch from Windows to Mac or Mac to Windows.
        
        The reality is if you practice safe computing, you're unlikely to get attacked, regardless of the platform.
        
        The other reality is that most people practice unsafe computing.
        
        notsofast
        19 December, 2007 18:35
        
        Reply Vote
      - you're right ....
        
        most people don't use safe computing practices, because they don't understand
        what that means [and never will]. why should they have set of rules for safe
        computing. there is already a perfectly good solution. if you've ever used os x you
        would know there is no need to worry about surfing whatever part of the web you
        want. it just the web, not some gauntlet of spyware and viruses. to be honest you
        have to be quite naive to believe this isn't a biased story. all the mac haters [i use
        both] talk about this 'point' in the 'near future' when all macs will become a huge
        target to hackers. sounds kinda like wishful thinking to me. do really think the
        unix/linux foundation is new ??? or that it's only used in macs??? if 'hackers'
        wanted to attack that foundation [successfully, repeatedly] why wouldn't it have
        been done by now. what os do you think travelocity.com, yahoo.com. or
        newegg.com run on?? Microsoft Windows Server or Red Hat Linux Enterprise.
        There is ONLY one reason unix/linux has been chosen to run some of the biggest
        sites on the web [maybe even this one]. REAL WORLD SECURITY. so keep trying to
        convince yourself windows is more secure, because no one else is convinced. deal
        with it.
        
        ///
        
        user00033
        21 December, 2007 09:03
        
        Reply Vote
    - Tu Quoque is a logical, argumental fallacy
      
      "Tu Quoque is a very common fallacy in which one attempts to defend oneself or
      another from criticism by turning the critique back against the accuser. This is a
      classic Red Herring since whether the accuser is guilty of the same, or a similar,
      wrong is irrelevant to the truth of the original charge. However, as a diversionary
      tactic, Tu Quoque can be very effective, since the accuser is put on the defensive, and
      frequently feels compelled to defend against the accusation."
      
      MS Windows' security still sucks i.o.w.
      
      Mikael_z
      19 December, 2007 08:40
      
      Reply Vote
    - Rubbish...
      
      The author was saying nothing of the sort. He was merely pointing out that the Mac's much-ballyhooed invulnerability is a myth and that OSX is just as vulnerable as Windows (or, for that matter, any other operating system). [i]All[-i] operating systems are vulnerable. The suggestion that Apple's is not is absurd. The suggestion that Microsoft's are [i]more[-i] vulnerable than Apple's (which, incidentally, actually is an example of "Tu Quoque") is demonstrably false. Moreover, the notion that an Operating System [i]would[-i] be invulnerable if the company selling it were doing their job properly is ludicrous, and precisely analogous to the suggestion that if Schlage and Yale were doing their jobs properly it would be impossible for burglars to break into houses. As long as their are burglars it will be possible for the most skilled and determined of them to get past [i]any[-i] lock - and as long as their are hackers it will be possible for the most skilled and determined of them to get past [i]any[-i] OS security. To believe otherwise is naive (and dangerous), and to perpetuate the myth that one's chosen OS and platform is "safe" is either terminally stupid or deliberately disingenuous.
      
      craig-wilson@...
      19 December, 2007 12:33
      
      Reply Vote
      - Wait a minute
        
        Who is saying that Mac OS X is invulnerable? Not even rabid Mac fanbois are saying
        anything as stupid as that.
        
        That sort of strawman argument is just plainly idiotic on its face.
        
        What has been said repeatedly and accurately is that there are NO exploits in the
        wild.
        
        Where folks span the spectrum is determining WHY there are none. Security thru
        obscurity? Better security model? Reason X?
        
        And whatever the reason, there are NO exploits in the wild for Mac OS X.
        
        Vulnerabilities do NOT equal exploits.
        
        MacKeyser
        19 December, 2007 20:08
        
        Reply Vote
      - Vulnerabilities do equal
        
        that someone desiring to exploit (as has happened in the lab many times over) they surely can. So why you or anyone else things there is a mystery here is the mystery itself. Nobody is writing them. What profit is there to do so? <br>
        Hackers are not 15 year olds playing games, they are terrorists or criminals. If you know your code can hit 95% of every computer in the world by using mailing lists readily available on the internet, why would you write one that might hit 2 or 3% of machines, and then have little chance of spreading significantly? How hard is that to understand. <br>
        A remote exploit has been released for the Mac when there have been those with the time on their hands and any desire to do so. That is just history. Tells me nobody writes code to attack macs as is already obvious.
        
        xuniL_z
        20 December, 2007 06:22
        
        Reply Vote
      - And this all tells the world...
        
        That you're about as useful as beef in a vegetarian stew.
        
        Miscreants all over the world are in the business of hacking servers. They do not exclude based on "market share." From Mainframes on down to "Vista Ultimate" they are all active targets.
        
        But far be it for me to do too much to disturb your ignorance. Feel free to live in it, and enjoy it.
        
        ego.sum.stig
        20 December, 2007 11:31
        
        Reply Vote
    - That was an attempt at Misdirection
      
      "The author is trying to say Windows doesn't suck at security because Apple is worse."
      
      Sorry, no. The author is trying to say that Apple is worse because they have many more serious security vulnerabilities in their software.
      
      Fairly convincingly.
      
      confuzatron
      5 April, 2008 18:54
      
      Reply Vote
  - Percentage of users
    
    You ask why MS should have more vulnerabilities, well generally speaking it can have as MS has a much higher share of the market than Mac does. So the Criminals attack where it will cause the most damage. lets say MS has 80% share of the market, and Mac has 15% what part of the community would suffer most?
    
    KeithAu001
    19 December, 2007 18:56
    
    Reply Vote
  - Win XP SP3
    
    So if there as so few problems with Win XP why was the last XP SP3 update 336 MB? So has M$ even put out a service pack for Vista yet? Maybe Microsoft really doesn't care so much about the people that are using their operating systems. Oh yea, by the way if you really think any Microsoft OS's don't have many exploit issues just try running them without any antivirus program. By the way what about malware, spyware, and trojans which are associated predominately with M$ OS's, surely no problems exist as compared to other operating systems?
    
    CrazyPenguin
    21 December, 2007 00:58
    
    Reply Vote
    - Frothing Zealot
      
      Interesting tone - are you an angry teenager by any chance?
      
      If one isn't a naive user, there's no need to have anti-virus installed. I have never used an anti-virus and never got hit by a virus. I did get hit by a SQL Server vulnerability once (caused no damage), but that isn't something a virus scanner would have prevented.
      
      You need to get your keyboard looked at - something's wrong with your Shift+S.
      
      confuzatron
      5 April, 2008 18:49
      
      Reply Vote
- Some truth in that....
  
  What is the incentive for either one of them to report bugs/vulnerabilities that they discover internally? There is none. They will take their time and patch them quietly. With an open-source product it is difficult to get away with this, since there are outside eyeballs looking at the source and you, the internal team, know they either have or may soon find the issue you've just found. The incentive there is to be open and forthcoming about it and to show that you are quick and responsive when issues arise.
  
  techboy_z
  18 December, 2007 08:02
  
  Reply Vote