![\"half-apple-600x300\"](\"https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2016\/01\/half-apple-600x300.jpeg\")
<\/p>\n<\/p>\n
There is an old saying that is always worth remembering: “There are three kinds of lies: lies, damned lies, and statistics.”<\/p>\n
That’s the thought that\u00a0sprung to my mind in recent days as I read news stories claiming that OS X was\u00a0the most vulnerable software of the year (e.g.\u00a0Hackread<\/a>, SC Magazine<\/a>, Techworm<\/a>, Fudzilla<\/a>, and countless others…).<\/p>\n The news reports stem from a report produced by CVE Details<\/a>, a website that keeps count of security vulnerabilities based upon their CVE identifiers. According to CVE Details, more new CVE numbers were assigned to Apple during 2015 than any other company.<\/p>\n Yes, more than Adobe or Microsoft or Google or Oracle…<\/p>\n And topping CVE Details’ list, as the product with the most identified security vulnerabilities of all, is Apple’s OS X operating system.<\/p>\n According to the chart, OS X scored an impressive 384 vulnerabilities, marginally ahead of iOS at 375, and then a host of Adobe products, but clearly in front of Microsoft’s first entry \u2014 Internet Explorer \u2014 in 7th place with 231 vulnerabilities reported.<\/p>\n In all, the researchers counted<\/a> 654 publicly disclosed security flaws in Apple products, 83 more than Microsoft which came second in the corporate table at 571 vulnerabilities, and well ahead of Cisco (488), Oracle (479), Adobe (460), Google (323), IBM, (312), and Mozilla (188).\u00a0But again, these statistics can be misleading.<\/p>\n The fundamental problem with charts like this \u2014 or rather the news stories they can generate \u2014 is that the assumption that more security advisories equates to greater vulnerability is itself, if you’ll excuse the pun, fundamentally flawed.<\/p>\n Why, you ask? Because CVE Details’ chart is not telling us anything about the severity of the vulnerabilities that were\u00a0found, what the potential impact was, or whether the flaws were\u00a0ever exploited in the wild.<\/p>\n This means that if a company is doing a good job of finding less serious security holes, and patching them promptly, it could still end up finding itself high up in a chart of what the media might portray as “most vulnerable” software or technology company most plagued with security issues.<\/p>\n In reality, a single critical security hole in a piece of software (such as a remote code execution flaw) could easily outweigh the importance of one hundred less important vulnerabilities found in another.<\/p>\n Although the geek in many of us loves the idea of making lists, and ranking software and vendors in an attempt to determine who might be the least or most secure, simply counting the number of publicly disclosed vulnerabilities is not a good way to go about it.<\/p>\n And, by the way, I’m not arguing that Apple is somehow perfect or that OS X isn’t troubled with security issues. A quick look back on the Intego Mac Security Blog will find any number of articles about serious vulnerabilities that have been found in Apple’s software for OS X and iOS.<\/p>\n But trying to make a sensible conclusion about which software is “most vulnerable” is going to lead you down a path of lies, damn lies, and statistics…<\/p>\n photo credit: flickr photo<\/a> shared by Cayusa<\/a> under a Creative Commons ( BY-NC ) license<\/a><\/span><\/p>\n","protected":false},"excerpt":{"rendered":" News reports have claimed that Mac OS X is the “most vulnerable” software of 2015. But can that really be true?<\/p>\n","protected":false},"author":34,"featured_media":49039,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"spay_email":"","jetpack_publicize_message":"","jetpack_is_tweetstorm":false},"categories":[7,11],"tags":[3151,69,168,144],"yoast_head":"\n\n\n\n\n\n\n\n\n\n\n\n\n\t\n\t\n\n\n\t\n\t\n\t\n![\"Vulnerability](\"https:\/\/www.intego.com\/mac-security-blog\/wp-content\/uploads\/2016\/01\/vuln-chart.jpeg\")
<\/p>\n