A new report by GFI found that Apple's Mac OS X and iOS operating systems were among the most vulnerable in 2014. Mac OS X takes the top spot with 147 vulnerabilities, of which 64 were rated as high risk. Microsoft's Windows 8.1, on the other hand, had 36 vulnerabilities in 2014, of which 24 were marked as high risk.
In total, 7,038 new security vulnerabilities were reported during 2014, a stark increase over 2013's 4,794 vulnerabilities. Of the 7,038 vulnerabilities, around 24 percent were deemed high risk.
We have some questions/reservations about GFI’s numbers, and they relate to how the operating system vulnerabilities are being reported (we’ve reached out to GFI for clarification). First off, it appears that all versions of OS X (Lion, Mountain Lion, Mavericks, Yosemite, etc.) are lumped together under a single “OS X” line entry. However, all major Windows versions (Windows 7, Windows 8, Windows 8.1, Windows Vista, etc.) are given their own separate line entries. It’s possible that this was done because there is a lot of duplication among Windows versions when it comes to vulnerabilities (the number of total, high, medium, and low vulnerabilities among all Windows operating systems is remarkably similar). Regardless, it would have been nice to see similar metrics used for all operating systems.
On a second note, Android has always been a very popular target for hackers, but it’s not specifically called out in this study. Android is likely being lumped in with all Linux kernel operating systems, but again, it would be nice to see some distinctions made here to allow a more reasoned comparison between platforms.
The report also calls out the most vulnerable applications. In this list Microsoft scores really badly, as its Internet Explorer browser received 242 reports of vulnerabilities, of which a whopping 220 were classed as high risk. Google's Chrome takes the second spot with 124 vulnerabilities, of which 86 are deemed high risk, while Mozilla's Firefox rounds out the top three with 117 vulnerabilities, of which 57 are classed as high risk.
Popular browser plug-ins like Adobe's Flash Player, Adobe's Reader and Oracle's Java remain popular targets as well, as does Mozilla's Thunderbird e-mail client.