With 2016 officially over, we can crown Android as 2016's product with the most vulnerabilities, and Oracle as the vendor with the most security bugs.
This statistic is based on the number of vulnerabilities reported by security researchers in the past year, bugs which have received a CVE identifier.
Android is 2016's most vulnerable product
According to CVE Details, a website that aggregates historical data on security bugs that have received a CVE identifier, security researchers discovered and reported 523 security bugs in Google's Android OS during 2016, making it the winner of this "award" by a wide margin.
Second place in this ranking went to Debian Linux with 319 vulnerabilities, while third place went to Ubuntu Linux with 278 CVEs.
The rest of the top 10 is made up by Adobe Flash Player (266 bugs), openSUSE Leap (259 bugs), openSUSE (228 bugs), Adobe Acrobat DC (227 bugs), Adobe Acrobat Reader DC (227 bugs), Adobe Acrobat (224 bugs), and the Linux Kernel (216 bugs).
2015's winner, Mac OS X, came only eleventh this year, with 215 security bugs, compared to last year, when researchers found 444 bugs in Apple's main OS.
Past winners of this "prestigious award" include:
- Apple Mac OS X in 2015 (444 bugs)
- Internet Explorer in 2014 (243 bugs)
- The Linux Kernel in 2013 (189 bugs)
- Google Chrome in 2012 (249 bugs)
- Google Chrome in 2011 (266 bugs)
- Google Chrome in 2010 (152 bugs)
- Mozilla Firefox in 2009 (126 bugs)
- Mozilla Firefox tied with Apple OS X in 2008 (96 bugs)
- PHP in 2007 (114 bugs)
- Apple OS X in 2006 (106 bugs)
- Linux Kernel in 2005 (133 bugs)
- Internet Explorer in 2004 (59 bugs)
- Solaris OS in 2003 (44 bugs)
- Internet Explorer in 2002 (54 bugs)
- RedHat Linux in 2001 (47 bugs)
- RedHat Linux again in 2000 (47 bugs)
- Windows NT in 1999 (64 bugs)
Oracle is 2016's vendor with most security bugs
When it comes to software vendors, the company that had the largest number of new CVE numbers assigned to its products was Oracle, with a whopping 798 CVEs.
Most of these security bugs were reported in Oracle products such as MySQL, Solaris, and the company's own Linux distribution.
Second to Oracle was Google, with 698 security bugs, with the most being reported in products such as Android and Chrome. Third was Adobe with 548 bugs, with the vast majority of bugs reported in Flash Player and different Reader/Acrobat variants.
The rest of the top 10 is made up of Microsoft (492 bugs), Novell (394), IBM (382 bugs), Cisco (353 bugs), Apple (324 bugs), Debian Project (320 bugs), and Canonical (280 bugs).
Past vendors that have topped this unfortunate chart include:
- Apple in 2015 (708 bugs)
- IBM in 2014 (455 bugs)
- Oracle in 2013 (496 bugs)
- Oracle in 2012 (380 bugs)
- Google in 2011 (295 bugs)
- Microsoft in 2010 (317 bugs)
- Microsoft in 2009 (236 bugs)
- Microsoft in 2008 (236 bugs)
- Microsoft in 2007 (255 bugs)
- Microsoft in 2006 (267 bugs)
- Microsoft in 2005 (166 bugs)
- Microsoft in 2004 (148 bugs)
- Microsoft in 2003 (103 bugs)
- Microsoft in 2002 (243 bugs)
- Microsoft in 2001 (173 bugs)
- Microsoft in 2000 (143 bugs)
- Microsoft in 1999 (171 bugs)
Comments
JohnC_21 - 7 years ago
Google needs to get a handle on their fractured ecosystem. Many phones never get security updates (think pay-as-you-go, no-contract phones), or if they do, it takes too long.
Gorbulan - 7 years ago
Agreed John. Android's unintentional problem of being in the disposable cell phone industry is killing them, I think. I don't mean go phones, I mean the tendency for phones to be made with the idea you will need to buy a new one every 2 years. I hope the Google Pixel is the first attempt to break that behavior, make a phone that actually lasts, less of an open system and more of a closed one.
DodoIso - 7 years ago
Until further detailed, I think that this study has to be taken with a grain of salt. There are lots of sub-systems that have vulnerabilities and are part of all these OSes. It would be interesting to have stats on problems in common sub-system code versus problems found only in a specific OS's code. Can third-party code really be trusted?
upilaqws - 7 years ago
The number of CVEs alone is not a very useful metric, as it doesn't take into account the severity of the bugs, the size of the project, how many potential bugs remain, how much time and effort was spent on finding bugs or if it's possible to look at the source code.
joequincy - 7 years ago
I'm curious how this data is compiled. Apple, for instance, is listed as having a total of 324 vulnerabilities... but there are only two Apple products listed above, and they total to more than that: OS X -> 215, iOS -> 161.
Is this really implying that there's enough shared codebase between those two OSes that they share 52 vulnerabilities? Nearly a quarter of OS X vulnerabilities and a third of iOS?
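The arithmetic in the comment above (215 + 161 is larger than 324) is exactly what happens when product totals count a CVE once per affected product while the vendor total counts each CVE ID only once. The following script is an added illustration, not code from the article or from CVE Details, and it assumes that counting model; the CVE IDs and product assignments in it are constructed placeholders, not the real 2016 data.

```python
from collections import defaultdict

# Constructed sample records: (cve_id, vendor, set of affected products).
# The IDs use an obvious XXXX placeholder year; none of these are real CVEs.
SAMPLE_CVES = [
    ("CVE-XXXX-0001", "Apple", {"OS X"}),
    ("CVE-XXXX-0002", "Apple", {"OS X", "iOS"}),   # one bug, two products
    ("CVE-XXXX-0003", "Apple", {"iOS"}),
    ("CVE-XXXX-0004", "Apple", {"OS X", "iOS"}),   # one bug, two products
    ("CVE-XXXX-0005", "Oracle", {"MySQL"}),
    ("CVE-XXXX-0006", "Oracle", {"MySQL", "Solaris"}),
]


def count_per_product(records):
    """Product totals: a CVE affecting N products is counted N times overall."""
    per_product = defaultdict(set)
    for cve_id, _vendor, products in records:
        for product in products:
            per_product[product].add(cve_id)
    return {product: len(ids) for product, ids in per_product.items()}


def count_per_vendor(records):
    """Vendor totals: each CVE ID is counted once, however many products it hits."""
    per_vendor = defaultdict(set)
    for cve_id, vendor, _products in records:
        per_vendor[vendor].add(cve_id)
    return {vendor: len(ids) for vendor, ids in per_vendor.items()}


def shared_cves(records, product_a, product_b):
    """CVE IDs listed against both products, i.e. the double-counted ones."""
    return {
        cve_id
        for cve_id, _vendor, products in records
        if product_a in products and product_b in products
    }


def overcount(records, vendor):
    """How far the sum of a vendor's product totals exceeds its distinct CVE count."""
    product_ids = defaultdict(set)
    vendor_ids = set()
    for cve_id, rec_vendor, products in records:
        if rec_vendor != vendor:
            continue
        vendor_ids.add(cve_id)
        for product in products:
            product_ids[product].add(cve_id)
    return sum(len(ids) for ids in product_ids.values()) - len(vendor_ids)


def implied_overlap(product_totals, vendor_total):
    """Minimum number of CVEs shared across products if the vendor total is distinct IDs.

    For exactly two products this is the size of their intersection; with more
    products it is a lower bound on the total double counting.
    """
    return sum(product_totals) - vendor_total


if __name__ == "__main__":
    print("per product:", count_per_product(SAMPLE_CVES))
    print("per vendor: ", count_per_vendor(SAMPLE_CVES))
    print("shared OS X/iOS:", sorted(shared_cves(SAMPLE_CVES, "OS X", "iOS")))
    print("Apple overcount:", overcount(SAMPLE_CVES, "Apple"))
    # The article's figures (215 OS X, 161 iOS, 324 Apple) imply this many shared IDs:
    print("implied overlap from article figures:", implied_overlap([215, 161], 324))
```

Run against the constructed sample, the product totals (OS X 3, iOS 3) sum to 6 while Apple has only 4 distinct CVE IDs, because two bugs are listed against both operating systems; the same function applied to the article's published figures gives the 52 shared CVEs the commenter computed. Whether CVE Details really aggregates this way is an assumption of the example, but it is the simplest model that reproduces the numbers.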
lepoete73 - 7 years ago
Did Apple really have 7008 bugs in 2015, or is that a typing error?
campuscodi - 7 years ago
Typo. It's 708
Gorbush - 7 years ago
Can I know in which version of Android more vulnerabilities were found than in Windows 10?
On the CVEdetails.com site, when I tried to confirm the claims put into this article, I found only 157 vulnerabilities in Android 5.0.1 during 2016. AFAIK from school, 157 is a smaller number than 172. Where is the rest? Source: http://www.cvedetails.com/version/187093/Google-Android-5.1.0.html
auto1571 - 6 years ago
I can't see how Linux, especially Debian, comes second most vulnerable. I am not sure I'm convinced by these statistics.