What operating system has the most vulnerabilities?

US-CERT has the answers, and it's not Windows.
Written by Suzi Turner, Contributor


Cyber Security Bulletin 2005 Summary

2005 Year-End Index
Information in the US-CERT Cyber Security Bulletin is a compilation and includes information published by outside sources, so the information should not be considered the result of US-CERT analysis. Software vulnerabilities are categorized in the appropriate section reflecting the operating system on which the vulnerability was reported; however, this does not mean that the vulnerability only affects the operating system reported since this information is obtained from open-source information.

This bulletin provides a year-end summary of software vulnerabilities that were identified between January 2005 and December 2005. The information is presented only as an index with links to the US-CERT Cyber Security Bulletin the information was published in. There were 5198 reported vulnerabilities: 812 Windows operating system vulnerabilities; 2328 Unix/Linux operating vulnerabilities; and 2058 Multiple operating system vulnerabilities.

Emphasis mine. The bulletin lists all of the vulnerabilities by operating system.  Note they have Apple/Mac included in the Unix/Linux category.

I was looking for stats on market share for operating systems and found this. I can't vouch for the accuracy of these stats, but here's the rundown.

Windows XP    77.92%
Windows 2000    9.82%
Windows 98    4.78%
Mac OS    4.11%
Windows ME    1.99%
Windows NT    0.86%
Linux    0.30%
Windows 95    0.12%
Web TV    0.03%
Windows CE    0.02% 
SunOS sun4u    0.01% 
PSP    0.01% 
Hiptop    0.01% 
Unknown    0.00% 
FreeBSD i386    0.00%

What if Mac OS and Linux were at the top of the list?  Would those 2328 'nix vulnerabilities (which include Apple/Mac) result in massive exploits putting malware/spyware on those machines?  I don't know, but I think it's food for thought.  If Mac and 'nix had top market share, my guess is the malware pushers would be all over them. Comments?

US-CERT link via Security Fix.
