That’s the gist and part of the headline from Cristian Florian from GFI, who quotes the National Vulnerability Database as proof (put your wading boots on; it’s slick and deep at NVD). It should be pointed out that GFI is in the operating system security business, so it might be a bit biased toward any news that would help it secure more customers.
The problems with GFI’s headline, and with the graphics and tables listing each offending operating system and its corresponding stats, are multiple: there’s no glossary of terms, and no questions are asked about the data.
For example, ‘What’s a vulnerability?’ And, ‘What does a vulnerability mean to me, a Mac, iPhone, and iPad user (using OS X and iOS, respectively)?’ How about, ‘Should I be worried?’ Or, ‘Are there specific apps I should avoid using?’ And, with little effort, I came up with, ‘What should I do about it?’
Neither GFI nor NVD bothers to get that granular, but it took all of about 12 seconds for me to come up with a few questions.
First, what’s a vulnerability?
In computer security, a vulnerability is a weakness which allows an attacker to reduce a system’s information assurance… Vulnerability management is the cyclical practice of identifying, classifying, remediating, and mitigating vulnerabilities.
That brings up more unanswered questions. ‘Are all vulnerabilities the same weight?’ I asked around and the answer is ‘No.’ And, ‘Are all vulnerabilities also exploited?’ Same answer: ‘No.’ Though you can’t have the latter without the former, which is worse: a vulnerability or an exploit? Easy answer. The latter.
Second, what’s an exploit?
An exploit is a piece of software, a chunk of data, or a sequence of commands that takes advantage of a bug, glitch or vulnerability in order to cause unintended or unanticipated behavior to occur on computer software, hardware, or something electronic (usually computerized). Such behavior frequently includes things like gaining control of a computer system, allowing privilege escalation, or a denial-of-service attack.
See? A vulnerability is one thing, but an exploit of a vulnerability is something else again. I’m less worried now but I still have plenty of questions for both GFI and NVD.
What comprises the NVD list of vulnerabilities? Vendors report vulnerabilities, and that includes Apple and other OS publishers. So, isn’t the list really more of a list of self-reported and reported vulnerabilities than it is an indictment against a particular operating system? Maybe Apple is just better at reporting such issues, or reports them differently than Microsoft or other OS publishers.
Also, why does the list break out versions of Windows, but not break out versions of Linux or OS X or iOS? It took all of 20 seconds to add up the various Windows versions, and the result is that Windows has far more vulnerabilities than OS X.
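The two methodology questions raised above (are all vulnerabilities the same weight, and what happens when Windows versions are added together instead of listed separately) are easy to show with a little counting code. The example below is added here and is not part of GFI’s report or NVD’s tooling; the records are constructed placeholders in the shape of NVD entries (product, version, CVSS base score), not real CVEs or real counts, and the product-to-family mapping is my own assumption. It also handles one thing the post hints at but doesn’t spell out: a single CVE that affects several Windows versions appears as several rows, so a per-row tally overcounts unless you deduplicate by CVE ID.

```python
from collections import Counter, defaultdict
from typing import NamedTuple


class Record(NamedTuple):
    cve_id: str     # placeholder IDs below, not real CVEs
    vendor: str
    product: str
    version: str
    score: float    # CVSS base score, 0.0 to 10.0


# Constructed sample data: shaped like NVD rows, but every value is made up.
SAMPLE_RECORDS = [
    Record("CVE-0000-0001", "apple", "mac_os_x", "10.8", 4.3),
    Record("CVE-0000-0002", "apple", "mac_os_x", "10.8", 6.8),
    Record("CVE-0000-0003", "apple", "mac_os_x", "10.9", 9.3),
    Record("CVE-0000-0004", "apple", "mac_os_x", "10.9", 5.0),
    Record("CVE-0000-0005", "apple", "mac_os_x", "10.9", 7.5),
    Record("CVE-0000-0006", "apple", "iphone_os", "7.0", 6.8),
    Record("CVE-0000-0007", "apple", "iphone_os", "7.1", 4.3),
    Record("CVE-0000-0008", "microsoft", "windows_7", "sp1", 9.3),
    Record("CVE-0000-0009", "microsoft", "windows_7", "sp1", 7.2),
    Record("CVE-0000-0010", "microsoft", "windows_7", "sp1", 4.3),
    # the same CVE listed again under two more affected Windows versions
    Record("CVE-0000-0008", "microsoft", "windows_8", "-", 9.3),
    Record("CVE-0000-0011", "microsoft", "windows_8", "-", 7.2),
    Record("CVE-0000-0012", "microsoft", "windows_8", "-", 5.0),
    Record("CVE-0000-0008", "microsoft", "windows_server_2008", "r2", 9.3),
    Record("CVE-0000-0013", "microsoft", "windows_server_2008", "r2", 7.2),
    Record("CVE-0000-0014", "linux", "linux_kernel", "3.10", 4.9),
    Record("CVE-0000-0015", "linux", "linux_kernel", "3.10", 7.2),
    Record("CVE-0000-0016", "linux", "linux_kernel", "3.12", 5.0),
    Record("CVE-0000-0017", "linux", "linux_kernel", "3.12", 4.7),
]

# Assumed grouping: collapse per-version product names into one OS family.
PRODUCT_FAMILY = {
    "windows_7": "Windows",
    "windows_8": "Windows",
    "windows_server_2008": "Windows",
    "mac_os_x": "OS X",
    "iphone_os": "iOS",
    "linux_kernel": "Linux",
}


def count_by_product(records):
    """Rows per product name: the view a table gets when each Windows
    version is its own line and OS X is a single line."""
    return Counter(r.product for r in records)


def count_by_family(records, min_score=0.0):
    """Unique CVE IDs per OS family. A CVE listed under several versions
    counts once, and only entries with CVSS >= min_score are counted, so
    min_score=7.0 gives a 'high severity only' tally."""
    ids_by_family = defaultdict(set)
    for r in records:
        if r.score >= min_score:
            ids_by_family[PRODUCT_FAMILY.get(r.product, r.product)].add(r.cve_id)
    return Counter({fam: len(ids) for fam, ids in ids_by_family.items()})


def top(counter):
    """Name with the highest count (the 'winner' a headline would pick)."""
    return counter.most_common(1)[0][0]


if __name__ == "__main__":
    by_product = count_by_product(SAMPLE_RECORDS)
    by_family = count_by_family(SAMPLE_RECORDS)
    high_only = count_by_family(SAMPLE_RECORDS, min_score=7.0)
    print("per product:", dict(by_product), "-> top:", top(by_product))
    print("per family (deduped):", dict(by_family), "-> top:", top(by_family))
    print("per family, CVSS >= 7.0:", dict(high_only), "-> top:", top(high_only))
```

On the constructed data the per-product table puts OS X first, while both the per-family count and the severity-filtered count put Windows first: same rows, different question, different headline. The deduplication matters in the other direction too, since naively summing the Windows rows would give 8 rather than the 6 distinct CVEs.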
Oh, one more thing. Where is Android OS on the list? GFI couldn’t find any numbers reflecting issues with Google’s Linux-based OS, or decided not to list anything about Android OS, or it was an oversight, despite the fact that over 98 percent of all mobile malware, including actual exploits, occurs on devices running Android OS.
You get the idea here, right? A company that specializes in security issues found a way to highlight security problems with major operating systems using supposedly non-biased government data without highlighting or explaining any details and completely missed the world’s most used mobile device operating system.
Yep, it’s another example of lies, damned lies, and statistics.