No, OS X is NOT the 'most vulnerable OS' despite shoddy reporting

Security, as we take great pains to repeatedly point out, is something that deeply affects people. It affects their stress and trust levels when dealing with technology. When it's misreported it turns what should be an empowering experience into one of fear, uncertainty, and doubt. And it's far too frequently done just to get the worst kind of attention. The latest case in point is a — I don't want to call it a report — from GFI which claims OS X and iOS were the "most vulnerable operating systems of 2014." And, frankly, it's bullshit.

There are so many problems with GFI's not-a-report that it's hard to figure out where to begin.

  • OS X and iOS are listed as single line items on the chart yet Windows is broken down by version. Why wouldn't all operating systems be listed the same way? Can we just add all the Windows numbers up and see how big that number is in comparison?
  • The National Vulnerability Database (NVD) lists everything reported to it by vendors, including Apple, Microsoft, and others. That doesn't make it an accurate measure of vulnerabilities. It makes it an accurate measure of reporting. Why isn't that distinction properly reflected?
  • Different vendors, including Apple and Microsoft, have different policies and procedures when it comes to reporting vulnerabilities to the NVD. Apple reports every fix in their advisories. (You can find them via the Apple Security Updates page.) If there's no uniform reporting standard, how can uniform conclusions be drawn?
  • Microsoft has no "low vulnerabilities" listed. Does that mean there aren't any or they don't report them the way other platforms do?
  • OS X and iOS both have significant UNIX and open source software (OSS) components shared by BSD and other operating systems. That makes for a much different, and much wider possible reporting pool than, for example, Windows. How was that accounted for?
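To make the counting problems above concrete, here is an added example (not from the original post, and using constructed records rather than real NVD entries) that builds a tiny NVD-style dataset and shows how three choices change the ranking: counting per product line item versus per OS family, summing rows versus counting unique CVE IDs (one CVE that affects three Windows versions produces three rows), and flagging CVEs that appear under more than one vendor, as a shared open-source component would. The `Record` type, the `os_family` grouping and all CVE identifiers are assumptions made for the example.

```python
"""
Added example: how counting choices change a "most vulnerable OS" ranking
built from NVD-style records. All records below are constructed sample data;
the CVE identifiers are placeholders, not real entries.
"""
from collections import Counter, defaultdict
from typing import Callable, Dict, List, NamedTuple


class Record(NamedTuple):
    cve: str       # CVE identifier (placeholder values here)
    product: str   # product name as it would appear as a chart line item
    vendor: str    # reporting vendor
    severity: str  # "low", "medium" or "high"


# Constructed sample data. One CVE may appear on several rows when it
# affects several products, exactly as NVD lists it per affected product.
SAMPLE_RECORDS: List[Record] = [
    Record("CVE-0000-0001", "OS X", "Apple", "low"),
    Record("CVE-0000-0002", "OS X", "Apple", "medium"),
    Record("CVE-0000-0003", "OS X", "Apple", "high"),
    # Shared open-source component: the same CVE is filed against OS X
    # and against another UNIX-derived OS from a different vendor.
    Record("CVE-0000-0004", "OS X", "Apple", "high"),
    Record("CVE-0000-0004", "FreeBSD", "FreeBSD Project", "high"),
    # One fix shipped for both Apple platforms: two rows, one CVE.
    Record("CVE-0000-0005", "iOS", "Apple", "medium"),
    Record("CVE-0000-0005", "OS X", "Apple", "medium"),
    # One Windows CVE that affects three versions: three rows, one CVE.
    Record("CVE-0000-0006", "Windows 7", "Microsoft", "high"),
    Record("CVE-0000-0006", "Windows 8.1", "Microsoft", "high"),
    Record("CVE-0000-0006", "Windows Server 2012", "Microsoft", "high"),
    Record("CVE-0000-0007", "Windows 7", "Microsoft", "medium"),
    Record("CVE-0000-0008", "Windows 8.1", "Microsoft", "high"),
    Record("CVE-0000-0009", "Windows Server 2012", "Microsoft", "medium"),
]


def count_rows_by_product(records: List[Record]) -> Counter:
    """The chart's method: one line item per product, counting rows."""
    return Counter(r.product for r in records)


def os_family(r: Record) -> str:
    """Assumed grouping that puts all Windows versions on one line, as OS X
    and iOS already are on the chart."""
    if r.vendor == "Microsoft" and r.product.startswith("Windows"):
        return "Windows (all versions)"
    if r.vendor == "Apple":
        return "OS X + iOS"
    return r.product


def summed_rows_by_group(records: List[Record],
                         group_of: Callable[[Record], str]) -> Counter:
    """Naive aggregation: add the per-product numbers together. This
    double-counts a CVE that touches several versions of one family."""
    return Counter(group_of(r) for r in records)


def unique_cves_by_group(records: List[Record],
                         group_of: Callable[[Record], str]) -> Dict[str, int]:
    """Aggregation that counts each CVE identifier once per group."""
    groups: Dict[str, set] = defaultdict(set)
    for r in records:
        groups[group_of(r)].add(r.cve)
    return {g: len(ids) for g, ids in groups.items()}


def severity_breakdown(records: List[Record], vendor: str) -> Counter:
    """Per-severity counts for one vendor; an empty 'low' bucket says nothing
    about whether low-severity issues exist, only that none were filed."""
    return Counter(r.severity for r in records if r.vendor == vendor)


def cross_vendor_cves(records: List[Record]) -> List[str]:
    """CVE identifiers filed under more than one vendor, the signature of a
    shared component being counted against every OS that ships it."""
    vendors_for: Dict[str, set] = defaultdict(set)
    for r in records:
        vendors_for[r.cve].add(r.vendor)
    return sorted(cve for cve, vs in vendors_for.items() if len(vs) > 1)


if __name__ == "__main__":
    print("per line item:", dict(count_rows_by_product(SAMPLE_RECORDS)))
    print("summed rows:  ", dict(summed_rows_by_group(SAMPLE_RECORDS, os_family)))
    print("unique CVEs:  ", unique_cves_by_group(SAMPLE_RECORDS, os_family))
    print("Microsoft severities:", dict(severity_breakdown(SAMPLE_RECORDS, "Microsoft")))
    print("cross-vendor CVEs:", cross_vendor_cves(SAMPLE_RECORDS))
```

On this constructed data the per-line-item view puts OS X first with five rows while each Windows version shows two; adding the Windows rows together gives six, but only four distinct CVE identifiers are involved, so both the chart's split and the naive sum mislead in opposite directions. The severity and cross-vendor checks are the two questions a reader should put to any such chart before trusting its ranking.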

The relative security of a platform has nothing to do with how well a company reports the vulnerabilities they fix — though seeing good reporting is certainly comforting. The relative security of a platform certainly has nothing to do with grossly distorted and disingenuous attention-bait.

I'm not sure how this not-a-report got approved for publication, and I'm flabbergasted that it got picked up by mainstream outlets, seemingly without even a cursory look to see if it made any sense whatsoever.


In an era where some vendors have intentionally gone from defending to attacking their own customers, proper security reporting couldn't be any more important.

This type of misrepresentation happens regularly enough, however, that I'm beginning to suspect it's not done for the benefit of consumers at all. And that feels more like a security threat than anything contained in this not-a-report.

Rene Ritchie
Contributor