iOS and OS X, the software with the most holes in 2015? It may come as a surprise, but that is more or less what several articles suggest, based on statistics compiled by CVE Details, a US website whose business is to compile and index vulnerabilities identified by a CVE (Common Vulnerabilities and Exposures) number.
And according to their figures, Apple dethrones Adobe at the top of the charts for the number of flaws corrected. In 2015, Mac OS X wins the prize with no less than 384 fixed vulnerabilities, and 375 flaws were corrected for iOS. These figures allow Apple to steal the show from Adobe, which is in third place with 314 flaws corrected in Flash, and which appears again further down the standings with 246 flaws corrected in the AIR environment.
This figure is surprising: while Apple had its share of interesting flaws in 2015, many of the fires were burning on the Flash side instead. Many publishers are also calling for this technology to be abandoned, as it is now considered redundant given the rise of HTML5 and is the source of many security flaws that may affect users.
But a raw ranking of security vulnerabilities ultimately says little about the different policies applied by publishers in this field: the ranking by CVE Details ignores the criticality of the vulnerabilities identified and merely aggregates every vulnerability that received a CVE number into its count. And not all CVEs are equal: some cover flaws common to multiple systems, others are real but technically impossible for attackers to exploit, and still others are peremptorily attributed to certain projects without any particular justification.
The way the flaws are counted plays a large part in the final order of these lists. If one refers to the ranking by publisher proposed by CVE Details, the order changes, with Cisco and Microsoft taking second and third place, but Adobe continues to lead when it comes to critical flaws, with 334 flaws corrected across all of its products in 2015.
A figure to put in perspective, therefore, and one that deserves to be taken with a grain of salt. Many factors come into play, and assessing the security of a product cannot be reduced to a simple count of CVEs at year end. It is a well-known fact: the most dangerous flaws have no CVE and are kept warm by cybercriminals and government agencies, who are careful not to communicate their discoveries.