2014's vulnerability surge left Mac OS, iOS more exposed than Windows

The rate of new software vulnerabilities jumped dramatically between 2014 and 2013, with 19 new vulnerabilities disclosed every day last year and an upwards trend suggesting things could only get worse this year.

An analysis of the US National Vulnerability Database, the central repository for vulnerability-related reports, found that some 7038 new vulnerabilities were disclosed during 2014 – up from 4794 vulnerabilities in 2013 and 4347 in 2012.

The number of vulnerabilities rated as being of high severity also grew during the year, with the 1705 such vulnerabilities added to the database in 2014 accounting for 24 percent of all vulnerabilities detected during the year.

The analysis was conducted by Cristian Florian, GFI LanGuard product manager with Adelaide-based GFI Software, in an annual exercise that has revealed the disturbing industry trend towards more, not fewer, software vulnerabilities.

Notably, 2014 saw Apple's Mac OS X top the charts with 147 vulnerabilities, including 64 of high severity and 67 of medium severity. Apple's iOS mobile operating system was second most vulnerable, with 127 in total, 32 high severity and 72 medium severity.

The various versions of Microsoft Windows on the market each had around three dozen vulnerabilities, around two dozen of which were of high severity and the remainder medium severity.

“A lot of Windows vulnerabilities apply to multiple Windows versions and because of that there is not a huge difference between the number for the entire Windows operating systems family,” Florian wrote.

The Linux kernel took third place, with 119 vulnerabilities including 24 high-severity and 74 of medium severity. These contributed to what Florian said was “a tough year for Linux users from a security point of view, coupled with the fact that some of the most important security issues of the year were reported for applications that usually run on Linux systems.”

Ranked by the total number of high-severity vulnerabilities, the least secure applications were Microsoft Internet Explorer (220 of 224 total), Google Chrome (86/124), Mozilla FireFox (57/117), Adobe Flash Player (65/76), and Oracle's Java (50/104).

Third party applications were responsible for around 83 percent of all vulnerabilities, with operating systems named in 13 percent of cases and hardware accounting for the remaining 4 percent.

While the products with the most vulnerabilities provide guidance for security managers keen to target their patching and remediation efforts, Florian warned against spending too much time just addressing issues in the products in the report.

“All software products have vulnerabilities,” he wrote, and “the frequency of security updates increases with the product's popularity.... At the end of the day, an IT admin's attention should be on ALL products in his network and not limited to those at the top of the vulnerability list.”

“Neither,” he added, “should the assumption be made that those further down the list are safer. Every software product can be exploited at some point. Patching is the answer and that is the key message.”

Read more: Facebook ‘tag’ bait malware spreads via Google Chrome store extensions

This article is brought to you by Enex TestLab, content directors for CSO Australia.


Upcoming IT Security Events

Read more: Risks in Retail: New POS Vulnerabilities and Malware

March 3rd, March 5th, March 9th 2015

Join CSO for the day@#csoperspectives and hear from @kimzetter @LeviathanSec

3 International Keynote speakers, 36 Key IT Security Industry Speaker, 21 Exhibitors, Security Analysts and many more.. Register today

Dont miss one of the biggest IT Security events in ANZ (registration is free, but seats are limited)

Join the CSO newsletter!

Error: Please check your email address.

Tags GFI LanGuardapplicationsdatabaseiosWindowsvulnerabilityCristian FlorianGoogle Chromemozilla firefoxlinux kernelMac OSMicrosoft Windowssoftware vulnerabilities

More about AppleCSOEnex TestLabGFIGFI SoftwareGoogleIT SecurityLinuxMicrosoftMozillaOracle

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by David Braue

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts

Market Place