Lunduke
Which Operating System has the Most Vulnerabilities?
Windows? iOS? Ubuntu? Do you know... for sure?
April 02, 2024

The recent high-profile software vulnerabilities have raised a number of questions about the security of our software.

Three questions which have been on my mind:

  1. Is software less secure now... than it used to be?
  2. Which has more vulnerabilities... Open Source Software or Closed Source Software?
  3. Which Operating System has the most vulnerabilities... and which has the least?

These seem like fair questions to ask.  And, considering the massive amount of data available, we should be able to arrive at some definitive answers.  Yet, when we see discussions around exactly these topics, most of the statements seem to be based on feelings and preferences... rather than hard facts.

Let's fix that.

First we need to grab details on all publicly known CVEs (aka "Common Vulnerabilities and Exposures") -- the standard way of publishing details around exploits and vulnerabilities -- and drill down into that data.  Luckily CVEdetails.com makes obtaining this data incredibly simple (the data below is obtained from there).

Is software less secure now... than it used to be?

The easiest way to begin answering this question is to track the number of CVEs reported per year... and put that data into a pretty graph.

At the current rate, 2024 will have more CVEs than any previous year.

And the results are... not exactly difficult to read.  It goes up pretty much every year -- accelerating, significantly, over the last few years.

  • 2022: 25,083
  • 2023: 29,065

That's a roughly 16% increase in the total reported CVEs... in just one year.

And, at the current rate (January through March of this year), 2024 is on track to hit 35,484 by the end of the year.  Which would be a 22% increase, year on year.

There are two likely possibilities which could explain this:

  1. We are getting much better at finding the vulnerabilities in software.
  2. We are adding more vulnerabilities to software.

And, in fact, both could absolutely be true.

Considering the ever-increasing complexity of our software systems (both in terms of total Lines of Code and number of interdependent systems), it seems reasonable that at least some portion of this dramatic increase in CVEs is thanks to us simply having more vulnerabilities in software.

This is about as close to a definitive answer as we are going to get: Based on the available data, yes.  Software is less secure now than it used to be.

Which Operating System has the most vulnerabilities... and which has the least?

Now let's pull data on all known CVEs... and sort them by Operating System (again, using data gathered from CVEdetails.com).

Behold.

Hello, Debian!

Your eyes do not deceive you.  Debian Linux has had the highest number of reported vulnerabilities, clocking in at a whopping 8,751.

  • Android is in second place, with 7,008 CVEs.
  • And Ubuntu Linux trails in third place, with 4,058.

Windows, iOS, and macOS all had significantly lower total numbers of reported vulnerabilities.

Note: I left a variety of BSD and UNIX systems off this list as their number of total CVEs was lower than the lowest entry on the chart.  FreeBSD: 488, OpenBSD: 188, NetBSD: 167, Solaris: 532.

But... that chart above only provides part of the picture, as it includes all CVEs ever reported.

Therefore, while it is a fascinating glimpse into past (and overall) vulnerability, it does not give us a good indicator of the current security of each given OS.

To solve that, let's look at a single recent major version of each OS.  While the versions below are not all of the same age, each was chosen as: 1) a recent release, 2) publicly available for enough time to be somewhat well tested, and 3) with sufficient data available to be worth evaluating.

Yikes, Android!

The results clearly show Android as the Operating System with the largest number of known vulnerabilities (currently).

  • iOS (for iPhone) has roughly 10% as many reported CVEs as Android.  Or, to put it another way, "1,000% more secure".
  • Both Windows and macOS clock in as measurably more secure than Ubuntu (in terms of total number of vulnerabilities found).

The old narrative that "Linux is more secure" appears to be... mostly untrue.

That said, it's entirely possible that the Open Source nature of Linux (and the software ecosystem around it) has enabled a higher percentage of vulnerabilities to be found, compared to Closed Source systems.  But that is purely speculative, and we need to go on what data we have available.

No matter which way you slice it -- modern versions of major Linux Distributions have significantly more known vulnerabilities than modern versions of Windows or macOS.
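As an added example (not code from the article or from CVEdetails.com), the Python below reproduces the two counting steps used above, CVEs per year with the growth and projection figures, and CVEs per product, on a constructed sample, and adds the two checks a practitioner would run before ranking operating systems on raw counts: counting a CVE toward a platform only when it is the sole product the record names (so a flaw in a library a distribution merely packages is not charged to the distribution), and filtering by CVSS severity. The sample rows are constructed, and the Q1 2024 count of 8,871 is an assumption (the page's 35,484 projection divided by four), since the page gives only the projection.

```python
from collections import Counter

# Constructed sample rows in the shape CVE feeds expose (ids are placeholders,
# not real CVE numbers). One CVE can list several affected products, the way
# NVD CPE data does, so a flaw in a library that a distribution packages is
# attributed to the distribution as well as to the upstream project.
SAMPLE = [
    {"id": "CVE-EXAMPLE-1", "year": 2022, "cvss": 9.8,
     "products": ["openssl", "debian_linux", "ubuntu_linux"]},
    {"id": "CVE-EXAMPLE-2", "year": 2022, "cvss": 5.3, "products": ["debian_linux"]},
    {"id": "CVE-EXAMPLE-3", "year": 2023, "cvss": 7.5, "products": ["windows"]},
    {"id": "CVE-EXAMPLE-4", "year": 2023, "cvss": 4.3,
     "products": ["curl", "debian_linux", "macos"]},
    {"id": "CVE-EXAMPLE-5", "year": 2023, "cvss": 8.8, "products": ["android"]},
    {"id": "CVE-EXAMPLE-6", "year": 2024, "cvss": 6.1, "products": ["windows", "macos"]},
]

def count_by_year(records):
    """CVEs reported per year: the series behind the 'less secure now?' chart."""
    return dict(Counter(r["year"] for r in records))

def yoy_growth(prev, curr):
    """Year-on-year change as a percentage of the earlier year."""
    return (curr - prev) / prev * 100

def project_annual(partial, months_elapsed):
    """Linear full-year projection from a partial-year count (e.g. Jan-Mar)."""
    return round(partial * 12 / months_elapsed)

def count_by_product(records, sole_product=False):
    """CVEs per product, i.e. the per-OS chart. With sole_product=True a CVE
    counts only if it names a single product, which drops bugs in third-party
    packages a distribution ships and keeps the OS's own code."""
    counts = Counter()
    for r in records:
        if sole_product and len(r["products"]) != 1:
            continue
        counts.update(r["products"])
    return dict(counts)

def count_by_product_min_cvss(records, min_cvss=7.0):
    """The same chart restricted to CVEs at or above a CVSS threshold, so one
    critical bug is not outweighed by several low-severity ones."""
    return count_by_product([r for r in records if r["cvss"] >= min_cvss])

if __name__ == "__main__":
    print(round(yoy_growth(25083, 29065)), project_annual(8871, 3))  # 16 35484
    print(count_by_product(SAMPLE), count_by_product(SAMPLE, sole_product=True))
```

Running the same three counters over a real CVEdetails export shows how far the ranking moves once attribution and severity are held constant.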

The Findings

We can safely declare, based on available data, the following:

Q: Is software less secure now... than it used to be?

A: Yes.  Demonstrably so.  And it's getting worse, year on year.

Q: Which Operating System has the most vulnerabilities... and which has the least?

A: Linux based systems contain the most reported vulnerabilities, with Android (Linux-based) leading the pack by a large margin.  Windows, macOS, iOS (and most BSD / UNIX systems) all have significantly fewer known vulnerabilities.

Q: Which has more vulnerabilities... Open Source Software or Closed Source Software?

A: This is a mixed bag.  Open Source BSD systems have significantly fewer known vulnerabilities (both in total, and per version) than the Closed Source Microsoft Windows.  At the same time, Open Source Linux (and Android) led the pack in vulnerabilities.  One thing we can say for sure: The most vulnerable systems are Open Source (to one degree or another).

I don't like these numbers any more than you do.  Don't shoot the messenger.

November 02, 2024
Apple Removes Ability to Run Unsigned Apps in macOS 15.1
Big Tech's war against "sideloading" continues.

On Monday, October 28th, Apple released the macOS 15.1 update.  And, with that update, Apple has ratcheted up their war on "sideloading" by completely disabling the ability to run unsigned macOS software.

And signing software, of course, requires an Apple Developer Connection subscription.  Which, for most people, is a costly thing.

Every Few Months, A Little Less Freedom

Just a little over one month ago (September of 2024), the initial release of macOS 15.0 brought with it a new round of restrictions on running non-signed (also called "non-notarized") applications.  With 15.0, users could still run non-signed software... but they needed to jump through a few extra hoops by opening the System Settings and manually enabling each application they wanted to run.

This change made running unsigned software on macOS a bit more annoying -- additional steps to do something that used to be a simple "double click on the darned icon" process.  Annoying, to be sure.  But, luckily, all software could still be run.

That all changed -- less than 45 days later -- as Apple released the 15.1 update to macOS, which included the removal of the "Click around in System Settings" option to allow unsigned apps to run.

Now, in 15.1, when you attempt to run a non-notarized piece of Mac software, you will be greeted by a simple error message: "The application 'Finder' does not have permission to open '(null)'."

No option to run the software whatsoever.  Effectively banning all non-signed software (such as software developed by hobbyists).

The War on Sideloading Continues

This isn't exactly a surprising move by Apple.  Over the last few years, all of the Big Tech operating system companies (Microsoft, Apple, and Google) have pushed -- with increasing intensity -- to lock down what software users are allowed to run on their computers.

Increasingly restrictive "application signing" systems, and the removal of "features" which allowed non-signed applications to run, have been a stated goal of all three corporations.

All in the name of a war on, what Big Tech has termed, "Sideloading".

What is "Sideloading", you ask?

"Sideloading" is most simply defined as "The act of installing software on a real computer."  And Apple, Google, & Microsoft are determined to stop people from doing that.

These companies haven't exactly been quiet about their goal to stop people from installing software on their computers (outside of approved, heavily restrictive mechanisms).  Back in 2021, Apple published a whitepaper entitled "Building a Trusted Ecosystem for Millions of Apps - A threat analysis of sideloading".

That's right.  Apple considers you having the freedom to install whatever software you want on the computer you own -- something every real computer (including those made by Apple) has done since the dawn of Personal Computing -- to be a "threat".

With macOS 15.1, Apple is taking significant steps to neutralize that "threat".

No software freedom for you.

The Last Workaround

As of now -- with macOS 15.1 -- there remains one final way to work around these draconian and artificial restrictions.

To do so requires the complete disabling of "Gatekeeper", the system which verifies downloads and restricts the running of non-signed applications.

This can be done via a fairly simple terminal command run as root:

sudo spctl --master-disable

However, it should be noted that with Apple's ever increasing requirements of application "notarization" -- and increasing reliance on the Mac App Store for software distribution (which ties into Gatekeeper) -- the full disabling of "Gatekeeper" seems likely to cause issues going forward with "Apple approved" methods of installing software.

Likewise, at Apple's current rate of attacks against "sideloading", the ability to turn off Gatekeeper may not be long for this world at all.

Don't Laugh, Google & Microsoft Users

While the news, today, is focused on Apple (their fight against the most basic freedoms of computing -- the ability to run software)... both Microsoft and Google have made it clear that they are all in on the war against sideloading.

Case in point: Google is migrating Android software away from "APK" application packages... to the far more restrictive "AAB" application bundles.  Microsoft, likewise, is pushing for a reliance on their online store.

So users of Android, ChromeOS, & Windows shouldn't laugh.  You're next.

Users of a variety of open source, alternative operating systems (such as Linux, BSDs, and many others), however, can laugh all they want.
