Agree - to that extent, while I do care about raw number of vulnerabilities, I care more about the percentage of which were resolved, and how long it took for an issue to be patched.
“Apple, it turns out, had 91 vulnerabilities of this [very severe] severity in 2015, a mere 14 percent of their total vulnerabilities. Microsoft, however, had 332 very severe vulnerabilities, at 58 percent of their total. Adobe leads both with a whopping 389 very severe vulnerabilities, almost 85 percent of their total.”
“This tells us more clearly about the severity of the vulnerabilities in the data, which is a more important metric than just how many total vulnerabilities there are.”
Another thing that would add more information to the picture is something like "percent of installbase running vulnerable version."
If, for example, researchers found 10k vulnerabilities in windows 3.1, it wouldn't make sense to ding microsoft for an insecure operating system, because no one runs that and it's not reasonable to expect support.
> because no one runs that and it's not reasonable to expect support.
I would not be overly surprised if it turned out somebody was still using Windows 3.1 - I know of at least one company still running NT 4 on at least a few select machines. (This does not invalidate your point, though.)
Secondly, we know nothing about exposure, because we don't know how the relative levels of attention or how quickly the vulnerabilities are patched.
A high discovery rate is as indicative of the attention given to the platform as it is to the underlying number of vulnerabilities. A high discovery rate plus relatively high rate of distribution of patches could means a system is less vulnerable.
I'm not saying this is the case - just that the data presented are simply useless for ranking software vulnerability levels.
I would tend to wonder if there was a connection between how many Mac users who don't buy or need malwarebytes or for that matter any 3rd party security software and them wanting to scare people into buying their product.
>I would tend to wonder if there was a connection between how many Mac users who don't buy or need malwarebytes
but this article is critcal of the FUD that is being spread from poorly drawn conclusions about CVE statistics. they're not trying to sell you anything.
Are you sure? This company sells Windows-based security software. While we can't speak definitively to their intent, it is possible to objectively observe that they stand to gain from the impression that Windows is less secure (and more in need of security software like theirs).
Mac CVE numbers are not as discretized by type of component as Microsoft or Linux are. For Windows for example it is Windows 8, Windows 8.1, Windows 7, Windows 10, Windows RT, Internet Explorer. Google is Android, Chrome etc. Adobe is a large suite of products as well.
The goal of CVEs is not to point fingers to companies and compile statistics based on ownernship. I don't see any value or helpful outcome from these these "research" security firms (and the tech blogs) treating it like such and creating FUD.
There is probably greater variation in security mechanisms among versions of Windows than OSX due to OSX's remaining close to its *nix heritage. For better or worse, Microsoft has been rolling (or not rolling) its own security architecture for several decades.
On the other hand, the Linux CVEs count each bug several times - e.g. kernel exploit will be counted against Linux Kernel AND each distribution. I assume something similar for Windows too.
There's nothing in the article that suggests a smaller OSX attack surface and that there might be unlisted vulnerabilities in Windows Phone doesn't make OSX more secure. Beyond security by obscurity, vulnerabilities are absolute.
That's not at all the intention behind CVE numbers, so people trying to "add the numbers up" are demonstrating a lack of understanding of CVE, not a problem with it.
true...just playing on words. simply adding up CVE stats silly. actually any of these "top 10" vulnerability lists are idiotic. theres a hell of a lot of layers involved in any system from dozens (perhaps hundreds) of sources that lead to errors (undefined behavior). from the hardware, all the way up through the software stack.
>Comparing them is like comparing the number of hits made by two different baseball teams in a season without considering how many of those hits were foul balls, grounders, home runs, etc. One team may have a higher number of hits than another, but if they hit a lot more foul balls, while the team with fewer hits had a higher proportion of home runs and RBIs (runs batted in), the higher number of hits is revealed as a misleading statistic.
For what it's worth, in baseball, a foul ball or grounding into an out do not count as hits; a hit means a batter successfully reached first base without a fielder's choice. Number of hits is still not very meaningful — something like slugging, on-base percentage, or OPS is more instructive — but it's not as bad as this example is making out.
The data is presented very poorly. Mac OS X is all in one where as Windows is separated into different versions and just to screw with us more there is simply just a "Windows" entry further down.
Anyway the article is just about the amount of vulnerabilitys discovered it doesn't mention how fast it was patched or how serious they were.
26 comments
[ 3.1 ms ] story [ 47.7 ms ] thread“This tells us more clearly about the severity of the vulnerabilities in the data, which is a more important metric than just how many total vulnerabilities there are.”
And if you even ignore type of product, then Adobe goes first, but this has no impact on "which OS was the most vulnerable".
If, for example, researchers found 10k vulnerabilities in windows 3.1, it wouldn't make sense to ding microsoft for an insecure operating system, because no one runs that and it's not reasonable to expect support.
I would not be overly surprised if it turned out somebody was still using Windows 3.1 - I know of at least one company still running NT 4 on at least a few select machines. (This does not invalidate your point, though.)
Firstly the data aren't usable for this kind of analysis even if you bucket them differently: https://www.cvedetails.com/how-does-it-work.php
Secondly, we know nothing about exposure, because we don't know how the relative levels of attention or how quickly the vulnerabilities are patched.
A high discovery rate is as indicative of the attention given to the platform as it is to the underlying number of vulnerabilities. A high discovery rate plus relatively high rate of distribution of patches could means a system is less vulnerable.
I'm not saying this is the case - just that the data presented are simply useless for ranking software vulnerability levels.
but this article is critcal of the FUD that is being spread from poorly drawn conclusions about CVE statistics. they're not trying to sell you anything.
The goal of CVEs is not to point fingers to companies and compile statistics based on ownernship. I don't see any value or helpful outcome from these these "research" security firms (and the tech blogs) treating it like such and creating FUD.
http://www.imore.com/os-x-and-ios-security-vulnerabilities-a...
For what it's worth, in baseball, a foul ball or grounding into an out do not count as hits; a hit means a batter successfully reached first base without a fielder's choice. Number of hits is still not very meaningful — something like slugging, on-base percentage, or OPS is more instructive — but it's not as bad as this example is making out.