Despite having four PC operating systems to support (which will be reduced to three in two months), three server operating systems, and a smartphone OS, not to mention a lot of popular apps, Microsoft is doing a fairly good job of keeping up with the threats against its products.
A new study just published by GFI Labs shows where the threats were in 2013, and as you would expect, Microsoft shows up on all of the various platforms and apps, though it's not alone.
In 2013, Microsoft fixed a total of 344 security vulnerabilities, while in 2012, it only had 169 to fix. However, the numbers were up across the board for everyone, not just Microsoft. For 2013, the total number of vulnerabilities recorded was 4,794, a 10% increase over the prior year's 4,347.
"There has been an overall increase in number of vulnerabilities for all operating systems, irrespective of brand – Microsoft or Linux. Microsoft’s operating systems once again took top spot, overtaking Apple iOS, which had the highest number of vulnerabilities last year," the report said.
The number of vulnerabilities in Apple iOS increased in 2013, from 86 in 2012 to 89 in 2013. However, iOS dropped to 10th place because Windows operating systems and Linux kernel vulnerabilities increased considerably more. Microsoft also had eight operating systems on the list, so the cumulative number was also much higher. MacOS was much further down the list, with 63 vulnerabilities reported in 2013.
The surprise leader in operating systems with the most vulnerabilities? The Linux kernel, with 158 total vulnerabilities. However, only 15 of them were considered high severity. The majority were medium severity. By comparison, Windows Server 2008 had the next most, with 104 vulnerabilities, 58 of which were high severity.
Windows 7 was right behind Server 2008, with 100 vulnerabilities, 55 of them high severity; Vista had 96, 53 of them high severity; and XP had 88, 47 of them high severity. Windows 8, for all of the vitriol hurled at it, did well, with just 58 vulnerabilities, 43 of them high severity. The fact that all these operating systems have numbers very close to each other isn't surprising, since there is so much code reuse between them. If one has a bug, they often all have it.
Among the most targeted apps, the top spot was a horse race between Internet Explorer and Java. Java had many more vulnerabilities – 193, way up from 58 in 2012 – but IE had more high-severity vulnerabilities, 117 vs. 102 for Java. Chrome had 168 vulnerabilities, 100 of which were high severity. After that, it was a mishmash of Mozilla and Adobe products.
You could argue these guys are making more mistakes; I prefer to think they are getting better at finding and fixing vulnerabilities.