Lunduke
News • Science & Tech
Which Operating System has the Most Vulnerabilities?
Windows? iOS? Ubuntu? Do you know... for sure?
April 02, 2024
post photo preview

The recent, high profile software vulnerabilities have raised a number of questions about the security of our software.

Three questions which have been on my mind:

  1. Is software less secure now... than it used to be?
  2. Which has more vulnerabilities... Open Source Software or Closed Source Software?
  3. Which Operating System has the most vulnerabilities... and which has the least?

These seem like fair questions to ask.  And, considering the massive amount of data available, we should be able to arrive at some definitive answers.  Yet, when we see discussions around exactly these topics, most of the statements seem to be based on feelings and preferences... rather than hard facts.

Let's fix that.

First we need to grab details on all publicly known CVEs (aka "Common Vulnerabilities and Exposures") -- the standard way of publishing details around exploits and vulnerabilities -- and drill down into that data.  Luckily CVEdetails.com makes obtaining this data incredibly simple (the data below is obtained from there).

Is software less secure now... than it used to be?

The easiest way to begin answering this question is to track the number of CVEs reported per year... and put that data into a pretty graph.

At the current rate, 2024 will have more CVEs than any previous year.

And the results are... not exactly difficult to read.  It goes up pretty much every year -- accelerating, significantly, over the last few years.

  • 2022: 25,083
  • 2023: 29,065

That's a roughly 16% increase in the total reported CVEs... in just one year.

And, at the current rate (January through March of this year), 2024 is on track to hit 35,484 by the end of the year.  Which would be a 22% increase, year on year.

There are two likely possibilities which could explain this:

  1. We are getting much better at finding the vulnerabilities in software.
  2. We are adding more vulnerabilities to software.

And, in fact, both could absolutely be true.

Considering the ever-increasing complexity of our software systems (both in terms of total Lines of Code and number of interdependent systems), it seems reasonable that at least some portion of this dramatic increase in CVEs is thanks to us simply having more vulnerabilities in software.

This is about as close to a definitive answer as we are going to get: Based on the available data, yes.  Software is less secure now than it used to be.

Which Operating System has the most vulnerabilities... and which has the least?

Now let's pull data on all known CVEs... and sort them by Operating System (again, using data gathered from CVEdetails.com).

Behold.

Hello, Debian!

Your eyes do not deceive you.  Debian Linux has had the highest number of reported vulnerabilities, clocking in at a whopping 8,751.

  • Android is in second place, with 7,008 CVEs.
  • And Ubuntu Linux was trailing in third place, with 4,058.

Windows, iOS, and macOS all had significantly lower total numbers of reported vulnerabilities.

Note: I left a variety of BSD and UNIX systems off this list as their number of total CVEs was lower than the lowest entry on the chart.  FreeBSD: 488, OpenBSD: 188, NetBSD: 167, Solaris: 532.

But... that chart above only provides part of the picture, as it includes all CVEs ever reported.

Therefore, while it is a fascinating glimpse into past (and overall) vulnerability, it does not give us a good indicator of the current security of each given OS.

To solve that, let's look at a singular recent major version of each OS.  While the versions below are not all of the same age, each was chosen as: 1) a recent release, 2) publicly available for enough time to be somewhat well tested, and 3) with sufficient data available to be worth evaluating.

Yikes, Android!

The results clearly show Android as the Operating System with the largest number of known vulnerabilities (currently).

  • iOS (for iPhone) has roughly 10% of the reported CVEs as Android.  Or, to put another way, "1,000% more secure".
  • Both Windows and macOS clock in as measurably more secure than Ubuntu (in terms of total number of vulnerabilities found).

The old narrative that "Linux is more secure" appears to be... mostly untrue.

That said, it's entirely possible that the Open Source nature of Linux (and the software ecosystem around it) has enabled a higher percentage of vulnerabilities to be found, compared to Closed Source systems.  But that is purely speculative, and we need to go on what data we have available.

No matter which way you slice it -- modern versions of major Linux Distributions have significantly more known vulnerabilities than modern versions of Windows or macOS.

The Findings

We can safely declare, based on available data, the following:

Q: Is software less secure now... than it used to be?

A: Yes.  Demonstrably so.  And it's getting worse, year on year.

Q: Which Operating System has the most vulnerabilities... and which has the least?

A: Linux based systems contain the most reported vulnerabilities, with Android (Linux-based) leading the pack by a large margin.  Windows, macOS, iOS (and most BSD / UNIX systems) all have significantly fewer known vulnerabilities.

Q: Which has more vulnerabilities... Open Source Software or Closed Source Software?

A: This is a mixed bag.  Open Source BSD systems have significantly less known vulnerabilities (both in total, and per version) than the Closed Source Microsoft Windows.  At the same time, Open Source Linux (and Android) led the pack in vulnerabilities.  One thing we can say for sure: The most vulnerable systems are Open Source (to one degree or another).

I don't like these numbers any more than you do.  Don't shoot the messenger.

community logo
Join the Lunduke Community
To read more articles like this, sign up and join my community today
33
What else you may like…
Videos
Podcasts
Posts
Articles
$20,000 Bounty Offered to Bribe FFmpeg Team to Fire Contributor

A popular YouTuber named Theo Browne offered $20k to the Open Source FFmpeg team if they remove their social media person, who Theo calls a "motherf***er".

The X Thread:
https://x.com/LundukeJournal/status/1982569289237352620

More from The Lunduke Journal:
https://lunduke.com/

00:26:32
October 24, 2025
Rust Clone of Core Utils Breaks Ubuntu Updates

Ubuntu 25.10 dropped the battle tested GNU Core Utils, in favor of the untested, incomplete "uutils". Why? Because they were programmed in Rust. And, as expected, things are breaking.

More from The Lunduke Journal:
https://lunduke.com/

00:16:47
October 24, 2025
Fedora: The First Vibe Coded Linux Distro

What does an Al developed Linux Distribution look like? We'll soon find out, as Fedora (owned by Red Hat) now has a policy specifically allowing Al contributions.

More from The Lunduke Journal:
https://lunduke.com/

00:08:49
November 22, 2023
The futility of Ad-Blockers

Ads are filling the entirety of the Web -- websites, podcasts, YouTube videos, etc. -- at an increasing rate. Prices for those ad placements are plummeting. Consumers are desperate to use ad-blockers to make the web palatable. Google (and others) are desperate to break and block ad-blockers. All of which results in... more ads and lower pay for creators.

It's a fascinatingly annoying cycle. And there's only one viable way out of it.

Looking for the Podcast RSS feed or other links? Check here:
https://lunduke.locals.com/post/4619051/lunduke-journal-link-central-tm

Give the gift of The Lunduke Journal:
https://lunduke.locals.com/post/4898317/give-the-gift-of-the-lunduke-journal

The futility of Ad-Blockers
November 21, 2023
openSUSE says "No Lunduke allowed!"

Those in power with openSUSE make it clear they will not allow me anywhere near anything related to the openSUSE project. Ever. For any reason.

Well, that settles that, then! Guess I won't be contributing to openSUSE! 🤣

Looking for the Podcast RSS feed or other links?
https://lunduke.locals.com/post/4619051/lunduke-journal-link-central-tm

Give the gift of The Lunduke Journal:
https://lunduke.locals.com/post/4898317/give-the-gift-of-the-lunduke-journal

openSUSE says "No Lunduke allowed!"
September 13, 2023
"Andreas Kling creator of Serenity OS & Ladybird Web Browser" - Lunduke’s Big Tech Show - September 13th, 2023 - Ep 044

This episode is free for all to enjoy and share.

Be sure to subscribe here at Lunduke.Locals.com to get all shows & articles (including interviews with other amazing nerds).

"Andreas Kling creator of Serenity OS & Ladybird Web Browser" - Lunduke’s Big Tech Show - September 13th, 2023 - Ep 044
7 hours ago

good news to share. a few days ago was my 1 year mark for using linux as my daily drive OS instead of windows. the irony is that i had to completely renew my windows install, what was it 2 weeks ago now, so i could play BF6 because that game has some BS requirements.

#SundaySounds is a tradition that seems to me to be slowly petering out. Time to resurrect it! I present to you a British band I have linked to in the past: Temples. This time it's their song Inner Space:

October 15, 2025
post photo preview
The Unpublished Anti-Lunduke Hit-Piece
A Tech Journalist interviewed me for a hit-piece article. But the questions made them look bad, and they shelved the story. So I'm publishing their hit-piece for them.

Back in September, shortly after the assassination of Charlie Kirk, I was contacted by a Tech Journalist writing for FossForce.com (a smaller, Open Source focused publication) who was working on an article around Open Source, Antifa, and the Lunduke Journal’s coverage of those topics.

This particular outlet had, several months prior, run an “anti-Lunduke” hit piece without first reaching out for comment — which resulted in their most popular article (at least on social media) in quite some time.

With that in mind, it seemed reasonable that they’d want to repeat that success with another “anti-Lunduke” story.

This time they were doing the responsible thing. They reached out to the subject of the hit-piece article with questions. I like encouraging Tech Journalists when they do actual journalism, so I answered each and every query with easy-to-quote responses.

But, it would appear that the answers they received were not conducive to creating the hit-piece they were hoping for — my guess is they realized their questions made them look like the villain in the story. The villain they, clearly, hoped to portray me as.

They opted to not publish the piece.

So I’m publishing their hit-piece for them.

Below is every question — and every answer (with no edits) — which I was asked, on September 19th, by a Tech Journalist by the name of Christine Hall, writing for FossForce.

Fair warning: This is very, very politically charged.

Enjoy.


September 19th

Hall:

The last time I mentioned you in an article, you castigated me for not reaching out to you beforehand. Well, I’m reaching out now. We’ll see what comes of this.

You do recognize that the vast majority of organizations using the term antifa as a descriptor are not in the least bit terrorist and pose no threat to society -- and indeed, the only threats they might pose to fascist groups are not physical or life-harming?

Lunduke:

Hello Christine! Nice to hear from you!

Many, if not most, of those proclaiming support for Antifa (within Open Source) have also made statements encouraging or supporting violence and discrimination.

Regardless of that fact -- which I have documented extensively in Lunduke Journal coverage -- when violent acts are committed (such as murder, riots, and lynchings) in the name of “Antifa”, to turn around and immediately declare yourself to be “Antifa” is a clear declaration of support of that violence.

Hall:

And why did you feel it necessary to call out Danielle Foré’s [the founder of the elementary OS Linux Distribution] trans status in such an ugly manner?

Lunduke:

There is a noteworthy overlap between “Trans activism” and support for political violence -- including in the recent murder of Charlie Kirk (the murderer’s boyfriend was “Trans”).

In the case of Daniel Fore, he, a leader of an Open Source project, regularly calls for discrimination (and violence) against people he disagrees with -- often in conjunction with his self-declaration as “Trans”.

Thus, his declaration of being “Trans” becomes a part of the overall story.

It is worth noting here that The Lunduke Journal has never -- and would never -- call for discrimination or violence against someone because of how they identify or who they may (or may not) vote for.

This is in stark contrast those, such as Mr. Fore, who consider themselves “Trans” or “Antifa” -- who actively advocate for both discrimination and violence.

Hall:

Mentioning a person’s trans status in ways that are pertinent to your argument necessates rudeness such as calling her a “dude who likes to wear dresses”?

Lunduke:

Dan Fore is, in fact, a dude who likes to wear dresses.

The only reason to view that as a negative is if you view dudes wearing dresses as a negative.

Hall:

I’ll quote you on that, which I’m pretty sure won’t bother you in the least.

Lunduke:

Absolutely! Quote anything I say here. In fact, I suggest quoting absolutely everything I’ve written to you here, today.

Hall:

You also understand, don’t you, that voicing disagreement with an assessment made by POTUS is not only legal but a healthy part of the national dialog.

Lunduke:

Absolutely! Did I say somewhere that it was illegal to disagree with a politician? It seems unlikely that I have ever said that.

Hall:

Also, how would you reply to this:

There have been very few murders linked to individuals associated with Antifa, some incidents of rioting attributed to Antifa supporters, and no credible evidence of lynchings conducted in the name of Antifa. Compared to far-right groups, violence attributed to Antifa is much less frequent and lethal, with only one suspected kill—Aaron Danielson in Portland, by an anti-fascist activist—officially confirmed in recent U.S. history.

Lunduke:

Murder is bad. I am opposed to all murder.

In the context of these discussions, bearing in mind the Kirk murder is important (as many statements were made in response to it). The murderer of Kirk appears to have been pro-Trans and pro-Antifa (based on all available information).

Hall:

Is there any evidence that the suspect was part of an antifa group? I haven’t seen any.

Lunduke:

I have seen some reporting to this effect (including statements from family and messages he wrote).

But, far more important to this story, is the response to the murder among Antifa supporters (including those within Open Source). A large portion of Antifa supporters have celebrated the murder as justified because it killed someone they considered to be a “fascist”.

Hall:

Also, no group should be held responsible for what some deranged person who identifies with the group has done.

Lunduke:

I agree that a broader group should not be held responsible for the actions of a small number of individuals.

However, and this is critically important, it is entirely appropriate to hold people responsible for their own statements and actions.

With that in mind: The overall messaging of Antifa (and Antifa supporters) tends heavily towards violence. Punching, killing, molotov cocktails, etc. are all common messaging used by Antifa (including by those I quote within the Open Source world -- many of whom have advocated violence against myself).

Advocating for violence, then celebrating when violence is committed, are not good things.

Yet we see a great deal of that among Open Source supporters of Antifa.

Read full Article
October 13, 2025
Sale ends in a few hours, Lifetime Subs set up.

Holy moly, you guys are amazing.

A few days ago I published a “50% off” sale for Lunduke Journal subscriptions… and all of you showed up. In a big way.

To everyone who grabbed a Lifetime Subscription over the last few days: All of you are set to full Lifetime access. You should have a confirmation email in your inbox. If not, email me and I’ll make sure you’re setup properly.

That “50% off” sale ends tonight at midnight. So you have a few hours to snag a discounted subscription, if you haven’t already.

A huge thank you to everyone who supports this work. Couldn’t do it without you.

-Lunduke

Read full Article
October 12, 2025
50% Off Lunduke Journal Extended Through Monday (Oct 13th)

Just a quick heads up:

The “50% off every kind of Subscription to The Lunduke Journal” sale has been extended through Monday (October 13th).

So. You know. Grab one at 50% off between now and end of the day on Monday.

To all of you amazing nerds who have picked up a Lifetime Subscription already this weekend: You are awesome. You’ll be receiving a confirmation email, with all of the Lifetime Subscription details, by tomorrow (if you haven’t already).

Oh, and remember how we hit 11 Million views last month? Yeah. We’re well on our way to blowing past those numbers in October.

Wild.

See you all on Monday!

-Lunduke

Read full Article
See More
Available on mobile and TV devices
google store google store app store app store
google store google store app tv store app tv store amazon store amazon store roku store roku store
Powered by Locals