Apple had more CVEs than any single MS product in 2015, but it doesn't really matter
Meaningless league table sparks silly schadenfreude
A count of the number of CVEs (Common Vulnerabilities and Exposures) issued on different platforms in 2015 has concluded that Apple was the most-advisoried operating system of the year, leading to gloating headlines that OS X is the “most vulnerable” of the lot.
According to CVE Details, Mac OS X (all versions) apparently had 384 CVE advisories in 2015, iOS had 375, with Flash recording 314. Windows CVEs are split out by platform, filling most positions from 10th to 18th, but Redmond's worst product, Internet Explorer, only managed 231 CVEs.
However, simply guffawing at Cupertino is problematic for many reasons.
The first is that the CVE Details survey makes no distinction between severity of vulnerabilities in the list. A low-risk vulnerability (for example, something that can only be exploited by an authenticated local user with administrative privilege) is not the same as a remote code execution bug that's easily exploited.
Second – and this applies to all platforms – many security bugs are cross-platform. A good example is libpng, which is everywhere from browsers to smart-watches. It may have had only four advisories in 2015, but those will have drawn patches from a lot of other vendors.
Third: CVE Details seems arbitrary in its assignment of CVE to project. Hence, for example, a bunch of LibreOffice/OpenOffice bugs are counted as Debian CVEs, as are some Oracle MySQL bugs.
Fourth: CVEs only count reported vulnerabilities. They don't count anything that's being hoarded, whether by security agencies or by black-hats, for example. And there's nothing good to come out of turning CVEs into some kind of marketing scorecard.
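The four objections above boil down to one point: a raw CVE count treats every advisory as equal and credits one bug to every product that ships the affected code. The following Python script, added here as an illustration and not part of the original article, re-tallies a constructed set of advisories (placeholder ids and CVSS scores, not real CVEs) three ways: raw count, count restricted to high and critical severity, and count with shared-component bugs credited to the component rather than to each downstream product. The CVSS v3 qualitative bands, the product names and the shared-component list are assumptions made for the example.

```python
from collections import Counter, defaultdict

# CONSTRUCTED sample advisories: (cve_id, cvss_base_score, affected_products).
# The ids are placeholders in CVE shape, not real advisories; the products are
# invented. "libimage" stands in for a shared library such as libpng that is
# bundled by several downstream products.
SAMPLE_CVES = [
    ("CVE-0000-0001", 9.8, ["VendorX OS"]),             # remote code execution
    ("CVE-0000-0002", 2.1, ["VendorX OS"]),             # local, needs admin
    ("CVE-0000-0003", 3.3, ["VendorX OS"]),             # local, needs admin
    ("CVE-0000-0004", 2.4, ["VendorX OS"]),             # local info leak
    ("CVE-0000-0005", 9.1, ["VendorY Browser"]),        # remote code execution
    ("CVE-0000-0006", 8.8, ["VendorY Browser"]),        # remote, one click
    ("CVE-0000-0007", 7.5, ["libimage", "VendorX OS",   # shared-library bug,
                            "VendorY Browser", "Watch firmware"]),  # shipped by all
    ("CVE-0000-0008", 5.3, ["libimage", "VendorX OS", "VendorY Browser"]),
]

# Components whose bugs should be credited once, to the component itself.
SHARED_COMPONENTS = {"libimage"}


def raw_counts(records):
    """Count every CVE once per affected product: the 'league table' view."""
    counts = Counter()
    for _cve_id, _score, products in records:
        counts.update(products)
    return dict(counts)


def severity_bucket(score):
    """Map a CVSS v3 base score to its qualitative rating (assumed v3 bands)."""
    if score >= 9.0:
        return "critical"
    if score >= 7.0:
        return "high"
    if score >= 4.0:
        return "medium"
    if score > 0.0:
        return "low"
    return "none"


def severity_profile(records):
    """Per product, how many CVEs fall in each severity band."""
    profile = defaultdict(Counter)
    for _cve_id, score, products in records:
        bucket = severity_bucket(score)
        for product in products:
            profile[product][bucket] += 1
    return {product: dict(c) for product, c in profile.items()}


def serious_counts(records, threshold=7.0):
    """Count only CVEs at or above a CVSS threshold (high/critical by default)."""
    counts = Counter()
    for _cve_id, score, products in records:
        if score >= threshold:
            counts.update(products)
    return dict(counts)


def attribute_to_origin(records, shared_components):
    """Credit a CVE in a shared component to that component only, not to every
    downstream product that happens to bundle it."""
    counts = Counter()
    for _cve_id, _score, products in records:
        origin = [p for p in products if p in shared_components]
        counts.update(origin if origin else products)
    return dict(counts)


def league_table(counts):
    """Sort products by count, highest first; ties broken by name."""
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    print("raw:      ", league_table(raw_counts(SAMPLE_CVES)))
    print("serious:  ", league_table(serious_counts(SAMPLE_CVES)))
    print("by origin:", league_table(attribute_to_origin(SAMPLE_CVES, SHARED_COMPONENTS)))
    for product, bands in severity_profile(SAMPLE_CVES).items():
        print(f"{product:15s} {bands}")
```

On this constructed data the raw tally puts VendorX OS at the top with six advisories, yet once only high and critical scores are counted VendorY Browser leads, and once the shared-library bugs are credited to libimage the OS's total drops by a third. Which ranking is "right" depends on what question is being asked, which is exactly why a bare count answers none of them.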