Mac OS X and iOS top 2014 security vulnerability list


MRU

Likewise I've fixed well over 100 computers in 2014 for malware & hijacks and other software errors - care to guess how many were Macs? I take the Neowin article with not a pinch, but a shovel of salt.
 

Johnlpi

This post from the comment section made me laugh
virtorio
"OS X Yosemite was very secure for those who couldn't get their WiFi to stay connected."

lol Of course it's been fixed now but still....
 

Steve121178

So basically meaningless.
Only in the unlikely event that no one is using them.

Apple's quality has gone out the window so it wouldn't surprise me if most of the OS X vulnerabilities reported are for OS X versions Lion & above which affects pretty much everyone.

Apple had a horrible 2014 when it came to exploits, malware and security issues and this news has my I.T department rolling on the floor laughing at Apple. "We thought OS X was meant to be ultra secure & stable?" they said. "It used to be" was my reply.
 

I7guy

Actually it is a great reason to criticize the report. On the other hand, because "you" like the report doesn't mean it's inherently useful.

So this is another case of "if it's published in the Internet it must be true and useful".
 

lowendlinux

Actually it is a great reason to criticize the report. On the other hand, because "you" like the report doesn't mean it's inherently useful.

So this is another case of "if it's published in the Internet it must be true and useful".
I actually don't like the report at all; my two chosen computer OSes top that list. It was a bad year for *nix.
 

maflynn

The problem is that since it doesn't break out by version (which it does for Windows), you don't know if the current versions are better/worse.

Seems like click bait to me, at least provide detailed information.
 

Michael Goff

Their data came from that NVD. It's not like Neowin came up with these numbers...

Edit: Also, I'm guessing the people here will point to IE being high on the list at some point and ignore the fact that the browsers aren't by version either.
 

lowendlinux

I get it now, but it would still be extremely useful to know what version as 2014 saw a myriad of iOS versions at the very least.
iOS and OS X share a kernel now, so some of those vulnerabilities are probably shared. In Linux we've had more than a few kernels in '14. Because there is a lot of sharing between OS X and Open Source, some of them are probably shared between the two also. In any case it's just been a bad year in general.
 

maflynn

Their data came from that NVD. It's not like Neowin came up with these numbers...

Edit: Also, I'm guessing the people here will point to IE being high on the list at some point and ignore the fact that the browsers aren't by version either.
No, I think the same argument applies: if you cannot split out the versions then the list is no good. IE11 may be rock solid but IE6 may be skewing the numbers.
 

phrehdd

No, I think the same argument applies: if you cannot split out the versions then the list is no good. IE11 may be rock solid but IE6 may be skewing the numbers.
I have to agree that more details should be given. The simple list of vulnerabilities means very little without some specifics provided.

I'll add as an example that a given OS might have a greater quantity of "severe" vulnerabilities, yet the frequency of occurrence might be negligible. There seems to be a lot of info missing from that article that can help us shape an educated opinion.

Candidly, I am not a fan of Apple's approach to Internet connectivity other than making a market for 3rd party tools to do what Apple does not. I switched to Apple around the time Vista's last non-pay-to-play beta was out. Over the years, I was surprised that some challenges (security-wise) existed for Apple and its flock of users. The vast majority of challenges were less about Apple (OS X etc.) but more about end user behavior and activities that caused issues and breaches.
 

ApfelKuchen

In the case of the analysis by GFI... I'd have to question the validity of an analysis where Android is not listed among the operating systems. The chances of that OS having zero vulnerabilities seem to be near-zero, considering the numbers I pulled out of the NIST NVD database (below), and even if it was zero, it ought to be shown anyway, to keep people like us from rejecting the results out of hand.

Methodology is very important. We can go to https://web.nvd.nist.gov/view/vuln/statistics to crunch the data ourselves - create our own queries, come to our own conclusions. And most likely, fool ourselves and everyone else.

As it's been said, "There are lies, damn lies, and statistics."

If I query at that page by Keyword, I have to trust that I've used a useful keyword. The query results suggest it's not a particularly accurate approach:

Query period: January 2014-December 2014: Vulnerability Criteria: Contains Software Flaws > Keyword
And here are the results:
"android" - 19.13%, "iOS" 3.35%, "windows" 3.18%, "unix" 0.28%, "os x" 33.15%, "os_x" 3.5%, "mac" 1.31%, "apple" 4.17%, "microsoft" 4.55%, "google" 20.98%

Why is "os x" so high, while "mac" and "os_x" so much lower? Most likely, choice of keyword, as the database uses the "os_x" format in version-naming. (just plain "os" returns 57.67%).

Overall, Keyword seems to paint with a very broad, sloppy brush.

The search page also allows us to search by CPE Name, where both Vendor and Product are selected from drop-down lists. That would seem to be the more accurate way to go, but every dot release provides separate results. To aggregate results for, say, all iOS 8.x releases, one has to do a lot of number crunching, apply various weighting factors, such as duration of release, adoption rate, whether the individual vulnerabilities are being counted twice (once for each version to which it applies), etc. By raw, unweighted measure, for the period of January-December 2014, iOS_7.1.2 is at 0.57%, and iOS_8.0.2 is at 0.14%. Of course, 7.1.2 was a final, stable release that was in service throughout 2014, while 8.0.2 was released in September and rapidly superseded.
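
Added example (not part of any post in this thread): a small Python sketch of the two counting problems described above, substring keyword matching and per-version CPE rows that count one vulnerability several times. The records, placeholder IDs, summaries and CPE strings are constructed sample data, and the function names are hypothetical.

```python
from collections import Counter

# Constructed sample records: placeholder IDs and made-up summaries, not NVD data.
RECORDS = [
    {"id": "CVE-EXAMPLE-0001",
     "summary": "Kernel flaw in Apple OS X before 10.9.5 and iOS before 8 allows code execution.",
     "cpes": ["cpe:/o:apple:mac_os_x:10.9.3", "cpe:/o:apple:mac_os_x:10.9.4",
              "cpe:/o:apple:iphone_os:7.1.1", "cpe:/o:apple:iphone_os:7.1.2"]},
    {"id": "CVE-EXAMPLE-0002",
     "summary": "Sandbox bypass in iOS 8.0.2 via a crafted app.",
     "cpes": ["cpe:/o:apple:iphone_os:7.1.2", "cpe:/o:apple:iphone_os:8.0.2"]},
    {"id": "CVE-EXAMPLE-0003",
     "summary": "Web application on a remote host allows DoS via a crafted POST request.",
     "cpes": ["cpe:/a:examplevendor:webapp:1.0"]},
    {"id": "CVE-EXAMPLE-0004",
     "summary": "Bluetooth driver in mac_os_x 10.10 allows privilege escalation.",
     "cpes": ["cpe:/o:apple:mac_os_x:10.10.0"]},
]

def keyword_hits(records, keyword):
    """IDs whose summary contains the keyword as a case-insensitive substring."""
    kw = keyword.lower()
    return [r["id"] for r in records if kw in r["summary"].lower()]

def parse_cpe(uri):
    """Split a CPE 2.2 URI into (vendor, product, version)."""
    parts = uri.split(":")
    return parts[2], parts[3], parts[4] if len(parts) > 4 else ""

def per_version_counts(records):
    """One row per (vendor, product, version), as a per-release query reports."""
    return Counter(parse_cpe(c) for r in records for c in r["cpes"])

def summed_version_rows(records, vendor, product):
    """Naive aggregate: add up the per-version rows for one product."""
    return sum(n for (v, p, _), n in per_version_counts(records).items()
               if (v, p) == (vendor, product))

def unique_cves(records, vendor, product):
    """Aggregate that counts each CVE once, however many versions it lists."""
    return len({r["id"] for r in records for c in r["cpes"]
                if parse_cpe(c)[:2] == (vendor, product)})

if __name__ == "__main__":
    for kw in ("os x", "os_x", "os", "ios"):
        print(f"{kw!r:8} -> {len(keyword_hits(RECORDS, kw))} of {len(RECORDS)}")
    for prod in ("iphone_os", "mac_os_x"):
        print(prod, summed_version_rows(RECORDS, "apple", prod),
              unique_cves(RECORDS, "apple", prod))
```

On this sample, "os" matches every record (including the unrelated web application, via "host", "DoS" and "POST"), while summing the per-version rows gives 4 for iphone_os against 2 distinct vulnerabilities.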
 

roadbloc

Whereas I agree that OS X and iOS probably aren't as secure as many may think, this article is sheer garbage.
 

maflynn

http://www.theregister.co.uk/2015/02/26/windows_beats_apple_linux_with_fewest_bugs_for_2014/

Not just on OS X but on iOS too, the annual release is causing poor quality software to be pumped out.
While I agree with your fundamental point, the article linked as noted above does not break out the OS by version. We have no idea if the majority of vulnerabilities are with 10.10 and 10.9 or 10.6.8.

[MOD NOTE]
I merged this with the existing thread as the discussion is about the same report.
 

Ulenspiegel

http://www.theregister.co.uk/2015/02/26/windows_beats_apple_linux_with_fewest_bugs_for_2014/

Not just on OS X but on iOS too, the annual release is causing poor quality software to be pumped out.
While I agree with you (we have a thread - by the way - about this issue), it should be said that the above link is based on a biased and misleading article: http://www.gfi.com/blog/most-vulnerable-operating-systems-and-applications-in-2014/.

P.S.: Oh, sorry, Mike, just saw you posted some mins before me almost the same. I will leave it here.