Which software had the most publicly disclosed vulnerabilities this year? The winner is none other than Apple’s Mac OS X, with 384 vulnerabilities. The runner-up? Apple’s iOS, with 375 vulnerabilities.
Rounding out the top five are Adobe’s Flash Player, with 314 vulnerabilities; Adobe’s AIR SDK, with 246 vulnerabilities; and Adobe AIR itself, also with 246 vulnerabilities. For comparison, last year the top five (in order) were: Microsoft’s Internet Explorer, Apple’s Mac OS X, the Linux Kernel, Google’s Chrome, and Apple’s iOS.
These results come from CVE Details, which organizes data provided by the National Vulnerability Database (NVD). As its name implies, the Common Vulnerabilities and Exposures (CVE) system keeps track of publicly known information-security vulnerabilities and exposures.
You’ll notice that Windows versions are listed separately, unlike OS X. Many of the vulnerabilities across the various Windows versions are the same, so there is undoubtedly a lot of overlap. The argument for separating them is probably one of market share, though that’s a hard one to agree with, given that Android and iOS are not split into separate versions. This is the nature of CVEs.
It’s also worth pointing out that the Linux kernel is separate from various Linux distributions. This is likely because the Linux kernel can be upgraded independently of the rest of the operating system, and so its vulnerabilities are split off.
If we take the top 50 list of products and categorize them by company, it’s easy to see that the top three are Microsoft, Adobe, and Apple: