Which Software Had The Most Vulnerabilities In 2015? (Hint: It’s Not Windows)

Which Software Had The Most Vulnerabilities In 2015? (Hint: It’s Not Windows)

You’d think a Microsoft operating system or the notorious Adobe Flash would top a list of software with the most vulnerabilities last year. But according to security firm CVE Details, they didn’t nab first place on its annual software security bugs list. Apple’s Mac OS X took the top spot with 384 distinct vulnerabilities, but this doesn’t mean that Microsoft and Adobe should be cheering just yet.

Security breach image on Shutterstock

CVE Details released its list of the top 50 software with the most number of distinct vulnerabilities in 2015 and Mac OS X and iOS ended up taking first and second place. Adobe Flash Player came in third. Here’s a breakdown of the top 20 list:

Rank Destination # of vulnerabilities Rank Destination # of vulnerabilities
1 Mac OS X (Apple) 384 11 Ubuntu Linux (Canonical) 152
2 iPhone OS (Apple) 375 12 Windows 8.1 (Microsoft) 151
3 Flash Player (Adobe) 314 13 Windows Server 2008 (Microsoft) 149
4 Air SDK (Adobe) 246 14 Windows 7 (Microsoft) 147
5 AIR (Adobe) 246 15 Windows 8 (Microsoft) 146
6 Air SDK & Compiler (Adobe) 246 16 Window RT 8.1 (Microsoft) 139
7 Internet Explorer (Microsoft) 231 17 Windows RT (Microsoft) 138
8 Chrome (Google) 187 18 Windows Vista (Microsoft) 135
9 Firefox (Mozilla) 178 19 Safari (Apple) 135
10 Windows Server 2012 (Microsoft) 155 20 Android 130

As you can see here, while Mac OS X did come in at first place, bear in mind the operating system has been in existence since 2001 and Apple releases major updates regularly. Each update has not been split out by CVE Details and the same goes with iOS which is now up to version 9.

Windows operating systems, however, are broken out individually by the security firm. Collectively as a family, Windows OS blitzes Mac OS X in terms of number of vulnerabilities. As a side note, while Windows 10 appears further down on the list at 35th spot, the operating system was only released a few months ago and has already garnered 53 security bugs.

Also, considering Adobe applications dominated the list from 3rd to 6th place it actually fared quite poorly. CVE Details did consolidate the 2015 results by vendor in a separate graph:

Yes, the absolutely accuracy of these kinds of vulnerabilities lists do need to be scrutinised and questioned but they do provide an indication of what kinds of software attackers are targeting. Ubuntu Linux deserves a noteworthy mention here. You could say it’s bad that it appeared on the top 20 list but it could also be interpreted as an indication that Linux-based open source operating systems are becoming more popular; encouraging news for proponents of Linux.


  • but apple products are so secure – said every sheep ever.
    except the rare existent educated IT agnostic

  • It’s always challenging when the number of CVEs is used as some type of metric for vulnerabilities – companies each report vulnerabilities with their own differences.

    At Blackhat 2013 there was a great presentation on vulnerability stats – if you’re interested it’s a great explanation on vulnerability stats. It should be read either before authoring an article like this or to help interpret an article like this – http://blog.osvdb.org/2013/08/07/buying-into-the-bias-why-vulnerability-statistics-suck/

    • A good read. Thanks for the link Altonius.

      A few things that statistics like this don’t really take into account that would be good for users of the product to know I think would be.

      – Criticality of the CVE
      – Are any CVEs self reported? Some companies self report when they identify vulnerabilities in their own products where others don’t. Skews raw numbers like this.
      – Has the CVE been resolved/patched and what was the turn around? I’d probably want to know this mostly. I think most people would accept more CVEs that are resolved quickly rather than fewer that aren’t resolved or resolved much slower.

      • hahaha, you’ve confirmed this is an Aussie article not a US one rehashed. Good job mate! 🙂 Did you manage to find out why they split out all the Windowssses versions and not OSX or is it simply they were only going by the title of the software?

        • Not entirely sure why Mac OS X hasn’t been broken out by different versions, but probably because Microsoft, up until Win10, were big on standalone Windows releases. Either way, kudos to the CVE Details guys for providing a vendor graph though. They could have omitted that completely.

      • Rekt.

        I don’t see anything wrong with this article. Last paragraph is especially good.

  • I’m actually surprised by Apple products being first and then Flash what with all the press and tech companies like Apple blaming Flash for the issues they have with security and crashing. Interesting.

    I think one possible reason for breaking up the Windows Family is because they are actually different versions and could be different in coding, kernel etc or it could be because they still have so many versions still being supported and used. Who knows

    • the WIndows operating systems listed aren’t so significantly different at the kernel level to break them up even by minor version numbers – not when Mac OS isn’t also broken up by version number.

      • I believe the server OS’ like 2008 and 2012 ARE different enough to the everyday OS’ like 7,8, etc For instance there would be differences in the kernels. Server OS’ offer vastly more specialized software you wouldn’t find on an everyday OS. ie a Domain controller ,etc. Many of the CVE’s found were specific to these portions of the OS and I believe that is why they split them up. OSX is well OSX and there were A LOT of changes from 7 to 8/10 but they probably could of bundled those together. Still I hope this is a big wake up call to Apple and some sheep ignorance isn’t bliss, my point is you aren’t any more secure on OSX than windows it’s a false sense of security. All these operating systems have vulnerabilities and that’s never going to change.

    • Maybe it’s because the names of the software are different for Windows while Apple keeps the name of their OS and just ups the version number. “Windows 8.1” vs “Mac OS X”. Seems lazy to me for them to report it that way unless they had some kind of agenda.

  • How many versions are they counting with Mac OS? They haven’t even specified Mac OS X, if this list includes every version of Mac OS all the way to the classic then that’s amazingly small.

    • Clicking through will get you heaps more information. All statistics recorded are for 2015 only.
      Looks like it is Snow Leopard and Snow Leopard.1 (Apple Mac OS X 10.6.1)

      It also shows 86 patches during the period.

      Win7 compares with Microsoft Windows 7 x64 Service Pack 1
      Microsoft Windows 7 Professional
      Microsoft Windows 7 x64 Edition
      Microsoft Windows 7 (32-bit)
      Microsoft Windows 7
      Microsoft Windows 7 (32-bit)

      It had 92 patches in the same period.

      As mentioned above, statistics can be used to prove anything. CVE does have some ratings for the “danger” of the vulnerabilities, that would be interesting to see matched with the other graphs.

      This page has the details that we are more interested in. It gives weights to the vulns, and shows the real issues that stand out

  • They’ve picked a really odd way to tally these up, bundling some apps/os’s together while distinguishing others – and including EOL products which are no longer being supported or patched. If you want to look at the overall tally by company, Microsoft wouldn’t be nearly as high if EOL software wasn’t included – such as vista, rt, server 2008 and 2003.

    Even if the argument is that these are still being used so are being included in the list, it also begs to question how many of these vulnerabilities are actually version specific – or if repeating vulnerabilities are being counted multiple times across different versions of a product. Like Firefox and Firefox ESR – are those 94 vulnerabilities the same in both versions?

    It’s an amusing comparison, but I just think the data on the stats sheet is not consistent enough to be taken as anything more than that.

  • The statement ” Windows OS blitzes Mac OS X in terms of number of vulnerabilities.” is a very misleading as there is a lot of overlap between versions of Windows (8.1 and 8 list are almost identical). Applying the same collection of all versions of Windows as there are for Mac OS X would have produced a number a little larger then the version with the largest number of vulnerabilities.

Show more comments

Comments are closed.

Log in to comment on this story!