Lunduke
News • Science & Tech
Which Operating System has the Most Vulnerabilities?
Windows? iOS? Ubuntu? Do you know... for sure?
April 02, 2024
post photo preview

The recent, high profile software vulnerabilities have raised a number of questions about the security of our software.

Three questions which have been on my mind:

  1. Is software less secure now... than it used to be?
  2. Which has more vulnerabilities... Open Source Software or Closed Source Software?
  3. Which Operating System has the most vulnerabilities... and which has the least?

These seem like fair questions to ask.  And, considering the massive amount of data available, we should be able to arrive at some definitive answers.  Yet, when we see discussions around exactly these topics, most of the statements seem to be based on feelings and preferences... rather than hard facts.

Let's fix that.

First we need to grab details on all publicly known CVEs (aka "Common Vulnerabilities and Exposures") -- the standard way of publishing details around exploits and vulnerabilities -- and drill down into that data.  Luckily CVEdetails.com makes obtaining this data incredibly simple (the data below is obtained from there).

Is software less secure now... than it used to be?

The easiest way to begin answering this question is to track the number of CVEs reported per year... and put that data into a pretty graph.

At the current rate, 2024 will have more CVEs than any previous year.

And the results are... not exactly difficult to read.  It goes up pretty much every year -- accelerating, significantly, over the last few years.

  • 2022: 25,083
  • 2023: 29,065

That's a roughly 16% increase in the total reported CVEs... in just one year.

And, at the current rate (January through March of this year), 2024 is on track to hit 35,484 by the end of the year.  Which would be a 22% increase, year on year.

There are two likely possibilities which could explain this:

  1. We are getting much better at finding the vulnerabilities in software.
  2. We are adding more vulnerabilities to software.

And, in fact, both could absolutely be true.

Considering the ever-increasing complexity of our software systems (both in terms of total Lines of Code and number of interdependent systems), it seems reasonable that at least some portion of this dramatic increase in CVEs is thanks to us simply having more vulnerabilities in software.

This is about as close to a definitive answer as we are going to get: Based on the available data, yes.  Software is less secure now than it used to be.

Which Operating System has the most vulnerabilities... and which has the least?

Now let's pull data on all known CVEs... and sort them by Operating System (again, using data gathered from CVEdetails.com).

Behold.

Hello, Debian!

Your eyes do not deceive you.  Debian Linux has had the highest number of reported vulnerabilities, clocking in at a whopping 8,751.

  • Android is in second place, with 7,008 CVEs.
  • And Ubuntu Linux was trailing in third place, with 4,058.

Windows, iOS, and macOS all had significantly lower total numbers of reported vulnerabilities.

Note: I left a variety of BSD and UNIX systems off this list as their number of total CVEs was lower than the lowest entry on the chart.  FreeBSD: 488, OpenBSD: 188, NetBSD: 167, Solaris: 532.

But... that chart above only provides part of the picture, as it includes all CVEs ever reported.

Therefore, while it is a fascinating glimpse into past (and overall) vulnerability, it does not give us a good indicator of the current security of each given OS.

To solve that, let's look at a singular recent major version of each OS.  While the versions below are not all of the same age, each was chosen as: 1) a recent release, 2) publicly available for enough time to be somewhat well tested, and 3) with sufficient data available to be worth evaluating.

Yikes, Android!

The results clearly show Android as the Operating System with the largest number of known vulnerabilities (currently).

  • iOS (for iPhone) has roughly 10% of the reported CVEs as Android.  Or, to put another way, "1,000% more secure".
  • Both Windows and macOS clock in as measurably more secure than Ubuntu (in terms of total number of vulnerabilities found).

The old narrative that "Linux is more secure" appears to be... mostly untrue.

That said, it's entirely possible that the Open Source nature of Linux (and the software ecosystem around it) has enabled a higher percentage of vulnerabilities to be found, compared to Closed Source systems.  But that is purely speculative, and we need to go on what data we have available.

No matter which way you slice it -- modern versions of major Linux Distributions have significantly more known vulnerabilities than modern versions of Windows or macOS.

The Findings

We can safely declare, based on available data, the following:

Q: Is software less secure now... than it used to be?

A: Yes.  Demonstrably so.  And it's getting worse, year on year.

Q: Which Operating System has the most vulnerabilities... and which has the least?

A: Linux based systems contain the most reported vulnerabilities, with Android (Linux-based) leading the pack by a large margin.  Windows, macOS, iOS (and most BSD / UNIX systems) all have significantly fewer known vulnerabilities.

Q: Which has more vulnerabilities... Open Source Software or Closed Source Software?

A: This is a mixed bag.  Open Source BSD systems have significantly less known vulnerabilities (both in total, and per version) than the Closed Source Microsoft Windows.  At the same time, Open Source Linux (and Android) led the pack in vulnerabilities.  One thing we can say for sure: The most vulnerable systems are Open Source (to one degree or another).

I don't like these numbers any more than you do.  Don't shoot the messenger.

community logo
Join the Lunduke Community
To read more articles like this, sign up and join my community today
33
What else you may like…
Videos
Podcasts
Posts
Articles
NeXTStep, Desqview/X, & TRS-80 Model 100 Walls!

The Lunduke Journal now has close to 20 retro computer themed walls, filled with the names of subscribers. And that number is growing fast.

NeXTStep, Emacs, Desqview/X, & TRS-80 Model 100 Walls:
https://lunduke.locals.com/post/8056105/trs-80-model-100-joins-the-lunduke-journal-lifetime-wall-party

Get on The Wall with a Massively Discounted Lifetime Sub:
https://lunduke.substack.com/p/50-off-yearly-and-massively-discounted

More from The Lunduke Journal:
https://lunduke.com/

00:14:16
Rust is the Paper Straw of Computers

It solves a problem nobody had and makes everything worse. And those in power demand that you use it.

NeXTStep, Emacs, Desqview/X, & TRS-80 Model 100 Walls:
https://lunduke.locals.com/post/8056105/trs-80-model-100-joins-the-lunduke-journal-lifetime-wall-party

Get on The Wall with a Massively Discounted Lifetime Sub:
https://lunduke.substack.com/p/50-off-yearly-and-massively-discounted

More from The Lunduke Journal:
https://lunduke.com/

00:13:44
Linux Mint Says Wayland Worse Experience than X11

"We worked really hard on Wayland"... "and the experience is almost on par with X11."

NeXTStep, Emacs, Desqview/X, & TRS-80 Model 100 Walls:
https://lunduke.locals.com/post/8056105/trs-80-model-100-joins-the-lunduke-journal-lifetime-wall-party

Get on The Wall with a Massively Discounted Lifetime Sub:
https://lunduke.substack.com/p/50-off-yearly-and-massively-discounted

More from The Lunduke Journal:
https://lunduke.com/

00:03:59
November 22, 2023
The futility of Ad-Blockers

Ads are filling the entirety of the Web -- websites, podcasts, YouTube videos, etc. -- at an increasing rate. Prices for those ad placements are plummeting. Consumers are desperate to use ad-blockers to make the web palatable. Google (and others) are desperate to break and block ad-blockers. All of which results in... more ads and lower pay for creators.

It's a fascinatingly annoying cycle. And there's only one viable way out of it.

Looking for the Podcast RSS feed or other links? Check here:
https://lunduke.locals.com/post/4619051/lunduke-journal-link-central-tm

Give the gift of The Lunduke Journal:
https://lunduke.locals.com/post/4898317/give-the-gift-of-the-lunduke-journal

The futility of Ad-Blockers
November 21, 2023
openSUSE says "No Lunduke allowed!"

Those in power with openSUSE make it clear they will not allow me anywhere near anything related to the openSUSE project. Ever. For any reason.

Well, that settles that, then! Guess I won't be contributing to openSUSE! 🤣

Looking for the Podcast RSS feed or other links?
https://lunduke.locals.com/post/4619051/lunduke-journal-link-central-tm

Give the gift of The Lunduke Journal:
https://lunduke.locals.com/post/4898317/give-the-gift-of-the-lunduke-journal

openSUSE says "No Lunduke allowed!"
September 13, 2023
"Andreas Kling creator of Serenity OS & Ladybird Web Browser" - Lunduke’s Big Tech Show - September 13th, 2023 - Ep 044

This episode is free for all to enjoy and share.

Be sure to subscribe here at Lunduke.Locals.com to get all shows & articles (including interviews with other amazing nerds).

"Andreas Kling creator of Serenity OS & Ladybird Web Browser" - Lunduke’s Big Tech Show - September 13th, 2023 - Ep 044
18 minutes ago

Releasing sysdiff - AI Slop Challenge

I use projects to learn other things and build other things - in addition to the project itself. Introducing my new open source utility: sysdiff is a lightweight Linux utility that compares snapshots of a system’s configuration, packages, services, and files to quickly identify what has changed.

There were a number of things I was developing and using the systdiff project to accomplish.

1. Can I create an autonomous worker that will just build me useful linux utilities during the night as I sleep. I know LLM’s can code. This experiment was “can I give an autonomous AI employee a mission and have it pursue it based on its own initiative with minimal input or direction from me”.
1. I made wonderful progress doing that. My agent platform is still in development and a bit brittle, but using the sysdiff project to shake out the kinks in my AI platform was quite helpful.

2. Can I develop a “labor ladder” so that I distribute the work among highest intelligent and ...

6 hours ago
22 hours ago

AI Automation Helping My Job Search

Codex can now work with Outlook. I have a LinkedIn Job Board bot that's been running since I've been unemployed. Today I could ask:

go through my outlook email today and look for all the LinkedIn and Ladders job emails, evaluate and curate a list I should be applying to. Prepare to do the applications for me.

And off it goes, combing through all the email today, evaluating the jobs for suitability (is this work I do at the pay I need).

The applying for me has been a mixed bag so far. Still, it is definitely saving me time.

I've also had bots evaluating prospective clients within commuting distance from home and give me a prospecting list. After identifying companies, it found humans for me to contact, then wrote the opening pitch. After my review and approval, sent out the emails.

post photo preview
TRS-80 Model 100 joins The Lunduke Journal Lifetime Wall party!

Buckle up, Buttercup. Because The Lunduke Journal is about to blow your mind.

  1. The “BeOS” Wall Lifetime Subscriber Wall is now full (see all of them on Lunduke.com)!

  2. We’ve added a new “TRS-80 Model 100” Wall (because we can)! That’s the 19th Lifetime Subscriber Wall! 19!

  3. The discounted Lifetime Lunduke Journal Subscriptions are still available through to the end of this month (July).

Which means there are, as of this exact moment, 4 Walls with space available (see Lunduke.com for the full list of Walls). But these fill up wicked fast.

  1. Emacs (only a few spots left)

  2. Desqview/X (a little less than 2/3rd’s full)

  3. NeXTStep (still plenty of space)

  4. TRS-80 Model 100 (just launched)

 

Nice, right?

Worth noting: The “TRS-80 Model 100” has very limited screen resolution (240 x 64), which means only a small number of names can fit on that wall. If you want on it, I’d let me know right away.

Grab a discounted Lifetime Subscription (if you don’t already have one), then let me know (email “bryan at lunduke.com”) which Wall you’d like to see your name on.

Huge high five to everyone who has already added their name to a Wall. At the current rate, we’ll have over 20 retro computer themed walls, filled with all of your names, by the end of the month.

And, doggone it, that’s amazing.

-Lunduke

Read full Article
Vim beats Emacs!

Well, we’ve done it.

We’ve answered the eternal question: “Which Lunduke Journal Lifetime Subscriber Wall would fill with names quicker? Emacs or Vim?”

The answer, it turns out, is “Vim”. And it takes just 8 days.

 

A hearty “Thank You” to everyone who supports The Lunduke Journal by getting Lifetime Subscriptions (massively discounted throughout July) and getting on these walls! You make all of this possible!

Now. How long will it take for Emacs to fill up (matching the same number of names as the Vim Wall)?

Well, right now the Emacs Wall is a hair over 2/3rds of the way full. So we’ll find out!

Welcome NeXTStep Wall!

With the closing of the “Vim” Wall (and the BeOS Wall only having the space for 1 name left), now seemed like a good time to add a new retro computer wall: The NeXTStep 1.0 Wall.

Right now, there are 4 Walls available to add your name to (*cough* massive discount *cough*).

  • NeXTStep (just opened)

  • Emacs (about 2/3rds full)

  • BeOS R5 (1 spot left)

  • Desqview/X (1/2 full)

 

Once again, huge thanks to everyone who supports The Lunduke Journal!

-Lunduke

Read full Article
Lunduke's Week in Tech : June 28 - July 4, 2026

Lunduke’s Thoughts of The Week

Yesterday was the 4th of July.

As such, time that I normally would have spent writing up some thoughts on the Tech News of the Week (tm) was, instead, spent eating hamburgers, watching fireworks, and generally goofing off with my kids.

So allow me to briefly summarize my thoughts using as little effort as possible:

Rust is weird, Sony sucks, and America is awesome.

… Yup. That just about covers it.

I hope all of my fellow Americans had a truly splendid Independence Day.

Biggest Tech Stories - June 28 - July 4, 2026

Here are the major stories from the last week, with direct links to X and Substack.

See Lunduke.com for all other platforms (Rumble, RSS Audio Podcast, etc.).

  • Git Takes Another Step Towards Making Rust Mandatory (X, Substack)

  • 74 Million User Accounts Exposed in Breaches During June (X, Substack)

  • BCacheFS Adding Rust Dependency Even Though “Rust doesn’t have a stable ABI” (X, Substack)

  • Git Without Rust From Dev of XLibre (X, Substack)

  • Sony Says No More Physical PlayStation Games (X, Substack)

  • Ubuntu Sponsors Rust Clone Foundation (X, Substack)

  • Like Computers? Thank America. (X, Substack)

Huge thank you to all of The Lunduke Journal’s subscribers. You make all of this possible.

-Lunduke

 
Read full Article
See More
Available on mobile and TV devices
google store google store app store app store
google store google store app tv store app tv store amazon store amazon store roku store roku store
Powered by Locals