Security Market Segment LS
Sunday, 03 March 2013 15:23

25 Years of vulnerabilities - Linux has the most Featured


Researchers at Sourcefire have analysed 25 years of vulnerabilities that were reported to CVE and NVD databases and found some interesting results.

According to the report (lead author Yves Younan, Senior Research Engineer at Sourcefire):

We leveraged two well-respected data sources for our research. First, our classifications of vulnerabilities are based on the Common Vulnerabilities and Exposures (CVE) database which is used today as an international standard for vulnerability numbering or identification. The database provides 25 years of information on vulnerabilities to assess, spanning 1988 to current.

Next, we used information hosted in the National Vulnerability Database (NVD) at the National Institute of Standards and Technology (NIST). We did some normalization to the data with respect to vulnerability categorization to be able to provide more complete statistics.

Not wishing to steal all of the report's thunder, we will summarise only a few of the findings, the full report is available here (free registration is required).

The following three charts (derived from the report) illustrate the fact that the raw numbers of detected vulnerabilities peaked in around 2006 / 07 and have since declined to pre-2005 levels (the jury is still out on whether 2012 is an outlier or the start of a new trend).


Figure1: Total Vulnerabilities by Year


Figure2: High Severity Vulnerabilities by Year


Figure3: High Severity Vulnerabilities as a percentage of Total by Year

When the report turned its attention to the actual vulnerabilities independently of the products, it found that Cross-Site Scripting (XSS) vulnerabilities were very high in frequency, however, when the analysis was tightened to show only critical errors, this category almost completely vanished, instead, buffer overflows became the force to be reckoned with. "we believe it is now safe to declare the buffer overflow the vulnerability of the quarter-century."


Figure 4: Critical Vulnerabilities as a percentage by type

It would also appear that researchers (and 'hackers') appear to have a "flavour of the year" when it comes to discovered and reported issues.


Figure 5: Top three vulnerability types by year

Of some interest to the various OS and manufacturer bashers, the report found that, as a product, the Linux kernel had the most vulnerabilities, while, as a manufacturer, Microsoft won top place - Microsoft winning purely for having such a broad product offering, and being such an obvious target.

Although Linux is listed as number one, it's worth noting that various iterations of Windows are considered different products, while Linux is considered a single product and Mac OS X are considered three products, which further skews the data. If we account for unique CVEs for every possible version of Windows excluding the mobile ones (that's a total of 13 versions), we get a total of 1114 vulnerabilities in Windows. For Mac OS, which has three versions (including X and the previous Mac OS iterations), we get a total of 827. Of course these vulnerabilities in Windows and Mac OS are not solely in the kernel. Doing the same for Linux as Windows (by adding the unique CVEs assigned to major vendors like Ubuntu and Red Hat), we get a total of 1752 vulnerabilities.

No attempt is made to explain reasons for the relative values.  For instance the easy availability of Linux kenel code may-well make it easier to locate problems, giving strength to the "many eyes" argument; should Microsoft's products have the same scrutiny, they may-well have exceeded Linux in the vulnerability count.  However, there is no way to know.

The report also considered the various software products in a variety of categories in some depth. The following comment makes a useful summary.

Google and Apple […] have significantly different track records for their browsers when compared to their mobile operating systems. Chrome is ranked as one of the highest for vulnerabilities, while Android has very few; iPhone has a significant lead on vulnerabilities, while Safari has the fewest compared to the other browsers.

Of course this report makes no effort to compare the number and severity of vulnerabilities with the interest in them by the bad guys. For instance, the very public problems recently seen in Flash and other consumer-oriented tools is in sharp contrast with these product's positions in the frequency charts.

We commend this report to our readers.

Subscribe to ITWIRE UPDATE Newsletter here


The much awaited iTWire Shop is now open to our readers.

Visit the iTWire Shop, a leading destination for stylish accessories, gear & gadgets, lifestyle products and everyday portable office essentials, drones, zoom lenses for smartphones, software and online training.

PLUS Big Brands include: Apple, Lenovo, LG, Samsung, Sennheiser and many more.

Products available for any country.

We hope you enjoy and find value in the much anticipated iTWire Shop.



iTWire TV offers a unique value to the Tech Sector by providing a range of video interviews, news, views and reviews, and also provides the opportunity for vendors to promote your company and your marketing messages.

We work with you to develop the message and conduct the interview or product review in a safe and collaborative way. Unlike other Tech YouTube channels, we create a story around your message and post that on the homepage of ITWire, linking to your message.

In addition, your interview post message can be displayed in up to 7 different post displays on our the site to drive traffic and readers to your video content and downloads. This can be a significant Lead Generation opportunity for your business.

We also provide 3 videos in one recording/sitting if you require so that you have a series of videos to promote to your customers. Your sales team can add your emails to sales collateral and to the footer of their sales and marketing emails.

See the latest in Tech News, Views, Interviews, Reviews, Product Promos and Events. Plus funny videos from our readers and customers.


David Heath

David Heath has had a long and varied career in the IT industry having worked as a Pre-sales Network Engineer (remember Novell NetWare?), General Manager of IT&T for the TV Shopping Network, as a Technical manager in the Biometrics industry, and as a Technical Trainer and Instructional Designer in the industrial control sector. In all aspects, security has been a driving focus. Throughout his career, David has sought to inform and educate people and has done that through his writings and in more formal educational environments.

Share News tips for the iTWire Journalists? Your tip will be anonymous




Guest Opinion

Guest Reviews

Guest Research

Guest Research & Case Studies

Channel News