Mac versus Windows vulnerability stats for 2007

Summary: The year 2007 has been an interesting year that brought us improved security with Windows Vista and Mac OS X Leopard (10.5).


The year 2007 has been an interesting year that brought us improved security with Windows Vista and Mac OS X Leopard (10.5).  But to get some perspective on how many publicly known holes were found in these two operating systems, I've compiled all the security flaws published in 2007 for Mac OS X and for Windows XP and Vista and placed them side by side.  The historical trend matters because it gives a rough estimate of how many flaws to expect in the coming months: the more flaws a platform has averaged per month, the more likely it is that someone will find a hole to exploit in the future.  For example, back in April of this year hackers took over a fully patched MacBook and won $10,000 plus the MacBook they hacked.

I used vulnerability statistics from Secunia, an independent third-party vulnerability tracker, and broke them down into Windows XP flaws, Vista flaws, and Mac OS X flaws.  Since Secunia doesn't offer separate numbers for Mac OS X 10.4 and 10.5, I merged the XP and Vista vulnerabilities so that we can compare XP + Vista flaws to Mac OS X on the same footing.  In case you're wondering how 19 plus 12 can equal 23: many flaws are shared between XP and Vista, and those are counted once rather than twice, just as a flaw that affects both Mac OS X 10.4 and 10.5 is counted once.  Two things to keep in mind when reading the numbers: Secunia counts by CVE identifier, and Apple's security updates bundle fixes for the open-source components that ship with Mac OS X, which is part of why a number of the Mac OS X entries in the detail table carry 2004, 2005 and 2006 CVE numbers.
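To make the counting rule concrete, here is an added example (not code from the original post or from Secunia) that parses entries in the "CVE-YYYY-NNNN S" form the detail table below uses, merges the XP and Vista lists by CVE identifier so a shared flaw is counted once, tallies the result by severity and per month, and checks a reported total against its severity rows.  The sample input is constructed from the December and October XP and Vista rows of the detail table; where exactly the XP column ends and the Vista column begins in those rows is an assumption.

```python
import re
from collections import Counter

# Severity codes as used in the detail table (Secunia's scale), ordered from
# most to least severe so that conflicting ratings can be resolved.
SEVERITY_ORDER = {"X": 4, "H": 3, "M": 2, "L": 1}
SEVERITY_NAMES = {"X": "Extremely critical", "H": "Highly critical",
                  "M": "Moderately critical", "L": "Less critical"}

# One "CVE-YYYY-NNNN S" token as the detail table lists them.
TOKEN_RE = re.compile(r"(CVE-\d{4}-\d{4,})\s+([XHML])\b")

def parse_entries(text):
    """Return {cve_id: severity} for every token in `text`.
    If the same CVE appears twice with different ratings, keep the higher one."""
    entries = {}
    for cve, sev in TOKEN_RE.findall(text):
        if cve not in entries or SEVERITY_ORDER[sev] > SEVERITY_ORDER[entries[cve]]:
            entries[cve] = sev
    return entries

def merge(*entry_maps):
    """Union several {cve: severity} maps by CVE id, so a flaw that affects
    both XP and Vista is counted once (this is why 19 + 12 can equal 23)."""
    merged = {}
    for m in entry_maps:
        for cve, sev in m.items():
            if cve not in merged or SEVERITY_ORDER[sev] > SEVERITY_ORDER[merged[cve]]:
                merged[cve] = sev
    return merged

def tally(entries, months=12):
    """Per-severity counts, total, and average flaws per month."""
    counts = Counter(entries.values())
    total = len(entries)
    return {
        "by_severity": {code: counts.get(code, 0) for code in "XHML"},
        "total": total,
        "per_month": round(total / months, 2),
    }

def unaccounted(by_severity, reported_total):
    """Difference between a reported total and the sum of its severity rows.
    Non-zero means the rows shown do not explain the total."""
    return reported_total - sum(by_severity.values())

# Constructed sample: the December and October XP and Vista entries as read
# off the detail table (the XP/Vista column split is an assumption).
XP_SAMPLE = """
DEC CVE-2007-0064 H CVE-2007-3039 L CVE-2007-3895 H CVE-2007-3901 H CVE-2007-5355 L
OCT CVE-2007-5587 L CVE-2007-2217 H CVE-2007-2228 L CVE-2007-3897 H
"""
VISTA_SAMPLE = """
DEC CVE-2007-0064 H CVE-2007-5350 L CVE-2007-3895 H CVE-2007-3901 H CVE-2007-5351 M CVE-2007-5355 L
OCT CVE-2007-2228 L CVE-2007-3897 H
"""

if __name__ == "__main__":
    xp, vista = parse_entries(XP_SAMPLE), parse_entries(VISTA_SAMPLE)
    both = merge(xp, vista)
    for name, e in (("XP", xp), ("Vista", vista), ("XP + Vista", both)):
        t = tally(e)
        print(f"{name:11} {t['by_severity']} total={t['total']} per_month={t['per_month']}")
    # The page's own XP column: severity rows 3/19/2/3 against a reported total of 34.
    print("XP rows unaccounted for:", unaccounted({"X": 3, "H": 19, "M": 2, "L": 3}, 34))
```

On the sample, XP has 9 entries and Vista 8, but the merged list has 11 because six CVEs appear in both columns; the same rule, applied to the full year, is what turns 19 + 12 highly critical flaws into 23.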

Windows XP, Vista, and Mac OS X vulnerability stats for 2007

                              XP     Vista   XP + Vista   Mac OS X
Total extremely critical       3       1          4           0
Total highly critical         19      12         23         234
Total moderately critical      2       1          3           2
Total less critical            3       1          4           7
Total flaws                   34      20         44         243
Average flaws per month     2.83    1.67       3.67       20.25

Note: the XP + Vista column counts a flaw shared by both versions once.  For Mac OS X the four severity rows add up to the total (243); for the Windows columns they do not (27 vs. 34 for XP, 15 vs. 20 for Vista, 34 vs. 44 combined).  Secunia also uses a fifth rating, "Not critical", that the table omits, which is presumably where the difference lies.

Severity key used in the detail table below:  X = Extremely critical,  H = Highly critical,  M = Moderately critical,  L = Less critical

So Apple had more than five times as many flaws per month as Windows XP and Vista combined in 2007, and most of them were rated highly critical.  This runs against the conventional wisdom that Windows is the platform with all the holes; by this measure the numbers show the opposite, and it isn't close.  Bear in mind what the measure is, though: a count of publicly disclosed flaws tells you how much was found and fixed, not how many of those flaws were ever exploited.

Also noteworthy is that while Windows Vista shows fewer flaws than Windows XP and has more mitigating factors against exploitation, two components that Windows XP lacks, Windows Defender and the Sidebar, added four highly critical flaws to Vista.  Sidebar accounted for three of those, and it's something I am glad I don't use.  The lone Defender vulnerability, in the component that was supposed to defend Windows Vista, was ironically the first critical vulnerability reported for Vista.

Windows XP, Vista, and Mac OS X vulnerability details for 2007
Each row lists the month, then the Windows XP entries, then the Windows Vista entries, then the Mac OS X entries, in that order.  Each entry is a CVE identifier followed by its Secunia severity code (X extremely critical, H highly critical, M moderately critical, L less critical).  A flaw that affects both XP and Vista appears in both columns.
Month | Windows XP | Windows Vista | Mac OS X
DEC CVE-2007-0064 H CVE-2007-3039 L CVE-2007-3895 H CVE-2007-3901 H CVE-2007-5355 L CVE-2007-0064 H CVE-2007-5350 L CVE-2007-3895 H CVE-2007-3901 H CVE-2007-5351 M CVE-2007-5355 L   CVE-2006-0024 H CVE-2007-1218 H CVE-2007-1659 H CVE-2007-1660 H CVE-2007-1661 H CVE-2007-1662 H CVE-2007-3798 H CVE-2007-3876 H CVE-2007-4131 H CVE-2007-4351 H CVE-2007-4572 H CVE-2007-4708 H CVE-2007-4709 H CVE-2007-4710 H CVE-2007-4766 H CVE-2007-4767 H CVE-2007-4768 H CVE-2007-4965 H CVE-2007-5379 H CVE-2007-5380 H CVE-2007-5398 H CVE-2007-5476 H CVE-2007-5770 H CVE-2007-5847 H CVE-2007-5848 H CVE-2007-5849 H CVE-2007-5858 H CVE-2007-5850 H CVE-2007-5851 H CVE-2007-5853 H CVE-2007-5854 H CVE-2007-5855 H CVE-2007-5856 H CVE-2007-5857 H CVE-2007-5859 H CVE-2007-5860 H CVE-2007-5861 H CVE-2007-5863 H CVE-2007-6077 H CVE-2007-6165 H CVE-2006-4339 H CVE-2006-6731 H CVE-2006-6736 H CVE-2006-6745 H CVE-2007-0243 H CVE-2007-2435 H CVE-2007-2788 H CVE-2007-2789 H CVE-2007-3004 H CVE-2007-3005 H CVE-2007-3503 H CVE-2007-3504 H CVE-2007-3655 H CVE-2007-3698 H CVE-2007-3922 H CVE-2007-4381 H CVE-2007-5232 H CVE-2007-5862 H CVE-2007-6276 M
NOV     CVE-2007-6165 H CVE-2007-4702 L CVE-2007-4703 L CVE-2007-4704 L CVE-2005-0953 H CVE-2005-1260 H CVE-2007-0464 H CVE-2007-0646 H CVE-2007-2926 H CVE-2007-3456 H CVE-2007-3749 H CVE-2007-3756 H CVE-2007-3758 H CVE-2007-3760 H CVE-2007-3999 H CVE-2007-4267 H CVE-2007-4268 H CVE-2007-4269 H CVE-2007-4671 H CVE-2007-4678 H CVE-2007-4679 H CVE-2007-4680 H CVE-2007-4681 H CVE-2007-4682 H CVE-2007-4683 H CVE-2007-4684 H CVE-2007-4685 H CVE-2007-4686 H CVE-2007-4687 H CVE-2007-4688 H CVE-2007-4689 H CVE-2007-4690 H CVE-2007-4691 H CVE-2007-4692 H CVE-2007-4693 H CVE-2007-4694 H CVE-2007-4695 H CVE-2007-4696 H CVE-2007-4697 H CVE-2007-4698 H CVE-2007-4699 H CVE-2007-4700 H CVE-2007-4701 H CVE-2007-4743 H
OCT CVE-2007-5587 L CVE-2007-2217 H CVE-2007-2228 L CVE-2007-3897 H CVE-2007-2228 L CVE-2007-3897 H  
SEPT CVE-2007-4916 M CVE-2007-3036 L  
AUG CVE-2007-1749 H CVE-2007-3034 H CVE-2007-2224 H CVE-2007-3033 H CVE-2007-3032 H CVE-2007-3891 H CVE-2007-1749 H CVE-2004-0996 H CVE-2004-2541 H CVE-2005-0758 H CVE-2005-3128 H CVE-2006-2842 H CVE-2006-3174 H CVE-2006-4019 H CVE-2006-6142 H CVE-2007-0450 H CVE-2007-0478 H CVE-2007-1001 H CVE-2007-1262 H CVE-2007-1358 H CVE-2007-1460 H CVE-2007-1461 H CVE-2007-1484 H CVE-2007-1521 H CVE-2007-1583 H CVE-2007-1711 H CVE-2007-1717 H CVE-2007-1860 H CVE-2007-2403 H CVE-2007-2404 H CVE-2007-2405 H CVE-2007-2406 H CVE-2007-2407 H CVE-2007-2408 H CVE-2007-2409 H CVE-2007-2410 H CVE-2007-2442 H CVE-2007-2443 H CVE-2007-2446 H CVE-2007-2447 H CVE-2007-2589 H CVE-2007-2798 H CVE-2007-3742 H CVE-2007-3744 H CVE-2007-3745 H CVE-2007-3746 H CVE-2007-3747 H CVE-2007-3748 H CVE-2007-3944 H  
JUL CVE-2007-3896 H CVE-2007-4041 H CVE-2007-5020 H    
JUN CVE-2007-2219 H CVE-2007-2218 H CVE-2007-1658 H CVE-2007-2225 H CVE-2007-2227 H CVE-2007-1658 H CVE-2007-2225 H CVE-2007-2227 H CVE-2007-2229 L CVE-2007-2399 H CVE-2007-2401 H CVE-2007-2242 M
MAY     CVE-2005-3011 H CVE-2006-4095 H CVE-2006-4096 H CVE-2006-4573 H CVE-2006-5467 H CVE-2006-6303 H CVE-2007-0493 H CVE-2007-0494 H CVE-2007-0740 H CVE-2007-0750 H CVE-2007-0751 H CVE-2007-0752 H CVE-2007-0753 H CVE-2007-1536 H CVE-2007-1558 H CVE-2007-2386 H CVE-2007-2390 H
APR CVE-2007-1205 H CVE-2007-1206 L CVE-2007-1973 L CVE-2007-1209 L CVE-2006-0300 H CVE-2006-5867 H CVE-2006-6143 H CVE-2006-6652 H CVE-2007-0022 H CVE-2007-0465 H CVE-2007-0646 H CVE-2007-0724 H CVE-2007-0725 H CVE-2007-0729 H CVE-2007-0732 H CVE-2007-0735 H CVE-2007-0736 H CVE-2007-0737 H CVE-2007-0738 H CVE-2007-0739 H CVE-2007-0741 H CVE-2007-0742 H CVE-2007-0743 H CVE-2007-0744 H CVE-2007-0745 H CVE-2007-0746 H CVE-2007-0747 H CVE-2007-0957 H CVE-2007-1216 H
MAR CVE-2007-0038 X CVE-2007-0038 X CVE-2005-2959 H CVE-2006-0225 H CVE-2006-0300 H CVE-2006-1516 H CVE-2006-1517 H CVE-2006-2753 H CVE-2006-3081 H CVE-2006-3469 H CVE-2006-4031 H CVE-2006-4226 H CVE-2006-4829 H CVE-2006-4924 H CVE-2006-5051 H CVE-2006-5052 H CVE-2006-5330 H CVE-2006-5679 H CVE-2006-5836 H CVE-2006-6061 H CVE-2006-6062 H CVE-2006-6097 H CVE-2006-6129 H CVE-2006-6130 H CVE-2006-6173 H CVE-2007-0229 H CVE-2007-0236 H CVE-2007-0267 H CVE-2007-0299 H CVE-2007-0318 H CVE-2007-0463 H CVE-2007-0467 H CVE-2007-0588 H CVE-2007-0719 H CVE-2007-0720 H CVE-2007-0721 H CVE-2007-0722 H CVE-2007-0723 H CVE-2007-0724 H CVE-2007-0728 H CVE-2007-0726 H CVE-2007-0730 H CVE-2007-0731 H CVE-2007-0733 H CVE-2007-1071 H
FEB CVE-2006-1311 L CVE-2007-0025 L CVE-2007-0026 M CVE-2007-0210 L CVE-2007-0211 L CVE-2006-5559 H CVE-2007-0214 H CVE-2006-5270 H CVE-2007-0021 H CVE-2007-0023 H CVE-2007-0197 H CVE-2007-0614 H CVE-2007-0710 H
JAN CVE-2007-0024 X   CVE-2007-0462 L CVE-2007-0023 L CVE-2007-0355 L CVE-2007-0236 L CVE-2007-0229 H

Topics: Operating Systems, Apple, Hardware, Microsoft, Security, Software, Windows

Talkback

407 comments
  • I'm sure...

    ...certain people would say that this can only mean one of three things:

    1. Microsoft simply isn't reporting and fixing its flaws, since Windows obviously must have more flaws than OS X.

    2. Microsoft is fixing flaws "stealthily" and not reporting them.

    3. You're a Microsoft shill and hate Apple.

    Or some combination of the above.

    Carl Rapson
    rapson
  • why does Windows OS "have to" have more vulnerabilities than a Mac?

      I don't see any need to criticize his findings... You can believe that Microsoft doesn't report their problems, but as of now, of the ones that are reported, Microsoft has far fewer.
      saint91211
      • this is FUD; who cares about vulnerabilities, what of exploits?

        If George actually correlated vulnerabilities to exploits, then this article would actually have some use to users of these systems, as they might be able to predict how much trouble they might be in in the new year, but just trotting out vulnerabilities is pretty useless...
        doctorSpoc
        • Your suggestion is useful but flawed

          It's useful, because, as you pointed out, it does predict how likely an attack will occur on your platform of choice.

          However, it says nothing about the security of that OS. Apple can have 10x the attack vectors and it still won't trump an attack on XP/Vista, because it has roughly 15x as many users.

          The guys attacking PCs are playing the same game that the telemarketing scam artists played 20 years ago: numbers numbers numbers.

          And if you can write a single attack that could potentially hit 90% of the worlds PCs or you could write one that could potentially hit no more than 6%, it's pretty obvious where you'll put your criminal resources.

          The reality is that Apple is just now getting to the point where it's worth it to some security researchers to find holes in OSX.

          My gut tells me that it's probably not much better nor much worse than Windows, but we won't really know until OS X has at least 10-20% penetration.
          notsofast
        • They are coming

          Those Mac vs PC ads have angered more hackers than you might imagine. The exploits are on the way, I surmise.
          Baer
        • really...

          George, you should really see if the ballet will have you back; we don't need your lack of knowledge here in the IT world. Nice try, you're not fooling anyone that's not already a fool. It must be a sad sight in the mirror every morning [putting your IT face on instead of your tights].

          -sincerely
          os x leopard and vista user
          user00033
      • This is an attempt at Tu Quoque

        The author is trying to say Windows doesn't suck at security because Apple is worse.
        frgough
        • LOL! yes:

          I call bullshit on his 'research'
          Mac OS X is quite simply put, superior.
          dwalk51
          • Based on what?

            Is it based on your non-research?

            It's strange how a year ago Mac fan boys always went by the metric of how many patches Windows had each month. Now that OSX has 10x as many, the metric has changed.

            If you like your Mac, then good for you. I don't think security alone is a good reason to switch from Windows to Mac or Mac to Windows.

            The reality is if you practice safe computing, you're unlikely to get attacked, regardless of the platform.

            The other reality is that most people practice unsafe computing.
            notsofast
          • you're right ....

            Most people don't use safe computing practices, because they don't understand what that means [and never will]. Why should they have a set of rules for safe computing? There is already a perfectly good solution. If you've ever used OS X you would know there is no need to worry about surfing whatever part of the web you want. It's just the web, not some gauntlet of spyware and viruses. To be honest, you have to be quite naive to believe this isn't a biased story. All the Mac haters [I use both] talk about this 'point' in the 'near future' when all Macs will become a huge target to hackers. Sounds kinda like wishful thinking to me. Do you really think the Unix/Linux foundation is new??? Or that it's only used in Macs??? If 'hackers' wanted to attack that foundation [successfully, repeatedly], why wouldn't it have been done by now? What OS do you think travelocity.com, yahoo.com, or newegg.com run on?? Microsoft Windows Server or Red Hat Linux Enterprise? There is ONLY one reason Unix/Linux has been chosen to run some of the biggest sites on the web [maybe even this one]. REAL WORLD SECURITY. So keep trying to convince yourself Windows is more secure, because no one else is convinced. Deal with it.

            ///
            user00033
        • Tu Quoque is a logical, argumental fallacy

          "Tu Quoque is a very common fallacy in which one attempts to defend oneself or
          another from criticism by turning the critique back against the accuser. This is a
          classic Red Herring since whether the accuser is guilty of the same, or a similar,
          wrong is irrelevant to the truth of the original charge. However, as a diversionary
          tactic, Tu Quoque can be very effective, since the accuser is put on the defensive, and
          frequently feels compelled to defend against the accusation."

          MS Windows' security still sucks i.o.w.
          Mikael_z
        • Rubbish...

          The author was saying nothing of the sort. He was merely pointing out that the Mac's much-ballyhooed invulnerability is a myth and that OSX is just as vulnerable as Windows (or, for that matter, any other operating system). All operating systems are vulnerable. The suggestion that Apple's is not is absurd. The suggestion that Microsoft's are more vulnerable than Apple's (which, incidentally, actually is an example of "Tu Quoque") is demonstrably false. Moreover, the notion that an Operating System would be invulnerable if the company selling it were doing their job properly is ludicrous, and precisely analogous to the suggestion that if Schlage and Yale were doing their jobs properly it would be impossible for burglars to break into houses. As long as there are burglars it will be possible for the most skilled and determined of them to get past any lock - and as long as there are hackers it will be possible for the most skilled and determined of them to get past any OS security. To believe otherwise is naive (and dangerous), and to perpetuate the myth that one's chosen OS and platform is "safe" is either terminally stupid or deliberately disingenuous.
          craig-wilson
          • Wait a minute

            Who is saying that Mac OS X is invulnerable? Not even rabid Mac fanbois are saying anything as stupid as that.

            That sort of strawman argument is just plainly idiotic on its face.

            What has been said repeatedly and accurately is that there are NO exploits in the wild.

            Where folks span the spectrum is determining WHY there are none. Security thru obscurity? Better security model? Reason X?

            And whatever the reason, there are NO exploits in the wild for Mac OS X.

            Vulnerabilities do NOT equal exploits.
            MacKeyser
          • Vulnerabilities do equal

            that someone desiring to exploit (as has happened in the lab many times over) surely can. So why you or anyone else thinks there is a mystery here is the mystery itself. Nobody is writing them. What profit is there to do so?
            Hackers are not 15 year olds playing games, they are terrorists or criminals. If you know your code can hit 95% of every computer in the world by using mailing lists readily available on the internet, why would you write one that might hit 2 or 3% of machines, and then have little chance of spreading significantly? How hard is that to understand?
            A remote exploit has been released for the Mac when there have been those with the time on their hands and any desire to do so. That is just history. Tells me nobody writes code to attack Macs, as is already obvious.
            xuniL_z
          • And this all tells the world...

            That you're about as useful as beef in a vegetarian stew.

            Miscreants all over the world are in the business of hacking servers. They do not exclude based on "market share." From Mainframes on down to "Vista Ultimate" they are all active targets.

            But far be it for me to do too much to disturb your ignorance. Feel free to live in it, and enjoy it.
            ego.sum.stig
        • That was an attempt at Misdirection

          "The author is trying to say Windows doesn't suck at security because Apple is worse."

          Sorry, no. The author is trying to say that Apple is worse because they have many more serious security vulnerabilities in their software.

          Fairly convincingly.
          confuzatron
      • Percentage of users

        You ask why MS should have more vulnerabilities; well, generally speaking it can, as MS has a much higher share of the market than Mac does. So the criminals attack where it will cause the most damage. Let's say MS has 80% share of the market and Mac has 15%: what part of the community would suffer most?
        KeithAu001
      • Win XP SP3

        So if there are so few problems with Win XP, why was the last XP SP3 update 336 MB? So has M$ even put out a service pack for Vista yet? Maybe Microsoft really doesn't care so much about the people that are using their operating systems. Oh yeah, by the way, if you really think any Microsoft OS's don't have many exploit issues, just try running them without any antivirus program. By the way, what about malware, spyware, and trojans, which are associated predominately with M$ OS's? Surely no problems exist as compared to other operating systems?
        CrazyPenguin
        • Frothing Zealot

          Interesting tone - are you an angry teenager by any chance?

          If one isn't a naive user, there's no need to have anti-virus installed. I have never used an anti-virus and never got hit by a virus. I did get hit by a SQL Server vulnerability once (caused no damage), but that isn't something a virus scanner would have prevented.

          You need to get your keyboard looked at - something's wrong with your Shift+S.
          confuzatron
    • Some truth in that....

      What is the incentive for either one of them to report bugs/vulnerabilities that they discover internally? There is none. They will take their time and patch them quietly. With an open-source product it is difficult to get away with this, since there are outside eyeballs looking at the source and you, the internal team, know they either have or may soon find the issue you've just found. The incentive there is to be open and forthcoming about it and to show that you are quick and responsive when issues arise.
      Techboy_z