CVE Details, a popular database that collects information about all discovered software vulnerabilities, has published a ranking of the products that accumulated the most vulnerabilities in 2016. According to this table, the three most vulnerable products were Android, Debian and Ubuntu.
These three operating systems accumulated 523, 319 and 278 vulnerabilities respectively. Meanwhile, fourth and fifth places in the table are occupied by Adobe Flash Player and Novell Leap, with 266 and 259 vulnerabilities respectively. The list also shows that Windows 10 managed to be less vulnerable than macOS and the Linux Kernel.
As for the types of vulnerability, Android saw an increase in the number of denial-of-service flaws, while memory corruption flaws decreased. There are also almost a hundred vulnerabilities that allow information leakage, and a total of 250 security bugs that allow elevation of privileges, compared with only 17 last year.
Besides Debian and Ubuntu, the Linux family has more members near the top of the list. We see, for example, Leap and openSUSE, developed by Novell, and the Linux Kernel itself in the top ten. But put the knives away, because, as we'll explain later, the total number of vulnerabilities is less important than it seems.
As for browsers, Google Chrome has a total of 172 vulnerabilities, followed by Microsoft's Edge with 135 and Mozilla Firefox with 133. Safari, by contrast, stays well clear of the rest, having accumulated only 56 vulnerabilities throughout 2016.
CVE Details also shows a graph of the manufacturers that have accumulated the most vulnerabilities across their products. Here first place is taken by Adobe with 1383 vulnerabilities, followed by Microsoft with 1325. Third place is occupied by Google with a total of 695 vulnerabilities, virtually all of them in Android.
The important thing is how many of them are exploited
It is logical that software and operating systems accumulate vulnerabilities, and considering the free spirit of the Linux Kernel it is even reasonable that so many systems based on it sit near the top. But what matters here is not so much the total number of vulnerabilities discovered as how many of them end up being exploited, or how many are really dangerous.
In this respect, clicking on the vulnerability count of each product shows, among other information, a score from 1 to 10 that rates the severity of each one. From this we can see, for example, that Windows 10 or Adobe Flash have many more vulnerabilities with scores higher than 9 than Debian or Ubuntu, although Google is not far behind.
Another piece of data the list offers is the number of exploits found for each vulnerability. Sorting the table by this parameter shows that the vast majority of vulnerabilities have not been exploited. In fact, as we learned in December, the product with the most exploited vulnerabilities was Adobe Flash.