Mac OS X is the most vulnerable OS, claims security firm; Debate ensues

UPDATED: According to a report by security firm GFI, Apple's Mac OS X is the most vulnerable operating system, with the iOS platform coming in second. A debate over reporting nuances and merits of the report quickly followed.
Written by Adrian Kingsley-Hughes, Senior Contributing Editor

Updated Feb. 25 12:40pm ET: According to a report by security firm GFI, Apple's Mac OS X is the most vulnerable operating system, with the iOS platform coming in second. But the report quickly sparked a debate over its merits.

During 2014, a total of 147 vulnerabilities were reported for OS X, with 64 of those being rated as high (these include vulnerabilities that can be exploited remotely), and 67 rated medium, claims the report. For iOS the total was 127, with 32 rated high, and another 72 rated medium.

In third place was the Linux kernel.

By comparison, Microsoft's operating systems fared well, with the now-defunct Windows RT platform being the most secure on the list.

Update: The GFI report apparently doesn't account for the various disclosure policies among companies. As a result, Apple would argue that the GFI report only reflects disclosed and fixed issues, not the overall security of the OS. Apple reports every fixed security issue and assigns each one a CVE. The company also noted that iOS and OS X vulnerabilities may be double counted since they are often the same ones. Apple's other beef is that Windows as a platform isn't being aggregated.

Update 2: GFI responded to complaints that its report is full of holes. The company said:

The operating systems are different and it is hard to group them in a way that everybody agrees with. For example, unlike Windows, the Linux Kernel can be upgraded independently of the rest of the operating system; therefore it is hard to link Linux Kernel vulnerabilities to a specific Linux distribution or Linux distribution version. This is why Linux vulnerabilities are grouped under Linux Kernel as a separate product and then there are the specific vulnerabilities for each Linux distribution. The reason why only Linux Kernel and Apple OS X are listed at the top is because the number of vulnerabilities that specifically apply to other Linux distributions (like Red Hat, Debian, etc.) is lower than the number of vulnerabilities that apply to the operating systems already listed...
To conclude, the aim of the article is not to blame anyone - Apple or Linux or Microsoft. The message I am trying to get across is that all software products have vulnerabilities. The frequency of security updates increases with the product's popularity. At GFI we would like the people to use the information as a guide and to show which areas to pay more attention to when patching their systems.

When it comes to applications, it is little wonder that web browsers topped the list, with Microsoft's Internet Explorer up at the top with a total of 242 reported vulnerabilities, 220 of those rated high, and another 22 rated medium. For what it's worth, Safari wasn't counted in OS X or iOS vulnerabilities.


"To maintain an IT infrastructure secure, sysadmins need to continually monitor these operating systems and applications for the latest updates and ensure they are always fully patched," says GFI.

According to the report, IT admins should focus on patching the following as soon as updates become available:

  • Operating systems
  • Web browsers
  • Java
  • Adobe free products (Flash Player, Reader, Shockwave Player, AIR)
