On the last day of 2015, CVE Details published their annual security-by-number-of-vulnerabilities report again. Although there are some interesting numbers to take away (e.g., comparing vulnerability counts of a single piece of software, like those from Adobe, versus an entire OS), publishing data like this only perpetuates the misleading myth that the security of a product is somehow related to its number of vulnerabilities.
First, though, the most obvious flaw in this year’s report is that it groups all Mac OS X versions as one piece of software while splitting Windows out by version. There is probably some overlap in the vulnerabilities counted for each Windows version, but I don’t see it being that hard to overtake OS X’s 384 once they are combined. Vendors also play other games, such as bundling multiple vulnerabilities under one CVE or simply not disclosing them at all. Who knows what the real numbers are?
But the most serious misconception is the unspoken inference that the number of vulnerabilities somehow equates to the security of a piece of software. Many readers, myself included when lazily skimming the news, will see a headline saying that some program had the most vulnerabilities and immediately read that as meaning it is less secure. Many other factors need to be weighed before drawing that conclusion, the most important of which is whether the software is actually being targeted. For example, Macs are getting hit harder and harder, but attacks against them still pale in comparison to those on Windows. So, in general, Macs are probably much safer to use.
As always, read reports like this closely and consider that they may only be looking for a splashy headline.
Today’s post pic is from Perspecsys.com. See ya!