According to research from Beyond Trust, the total number of vulnerabilities relating to Microsoft products had risen by 48% compared to 2019. To break the numbers down, I looked to my go-to for vulnerability statistics, Stack Watch.
This is where things get interesting for Microsoft watchers, with the company taking top place, by vendor, with 1,188 published security vulnerabilities in 2020 compared to Google, in second place, on 950. Apple, for the record, came in at number eight with 381 vulnerabilities.
At the time of writing, the 2021 statistics are similar in terms of positioning: Microsoft at number one with 510 vulnerabilities, Google just behind on 507 and Apple down in ninth with 147.
How does Windows 10 compare to Android or iOS in security vulnerability terms?
What if we were to look at product rather than vendor? Would Microsoft fare any better? Erm, no is the answer.
In 2020, Microsoft products took seven of the top ten places by product vulnerability. Windows 10 was top of the tree with 802 vulnerabilities, followed by Windows Server 2016 on 790 and Windows Server 2019 with 743.
The remaining Microsoft top ten products were Windows Server 2012 in at six, Windows 8.1 at seven, Windows RT 8.1 at eight and Windows 7 at ten.
Google, meanwhile, slotted in at number four thanks to 696 Android vulnerabilities. Apple, however, didn’t appear until number 14 with 233 iOS vulnerabilities.
So far, the 2021 published security vulnerabilities table looks better for Microsoft with Windows 10 dropping to number three on 256, behind Fedora and Debian Linux.
Microsoft still manages to claim six of the top ten spots, though. Google has also dropped down the table to number six with 219 Android vulnerabilities, but Chrome is new in at seven on 172. How is Apple doing so far this year? iOS has dropped to 15 with 111 vulnerabilities, but macOS is in at 14 with 112.
The good news for Microsoft is that it looks like Windows 10 is on track to have fewer published security vulnerabilities than last year. The bad news is that the average Common Vulnerabilities and Exposures (CVE) criticality rating in 2021 is greater than in 2020: 7.54 compared to 7.42, both of which fall into the high severity category.
For comparison, Android vulnerabilities averaged 6.99 last year and 6.84 this year, both of which fall into the medium severity category. As for Apple iOS, it's also firmly in the high rated category across both years, albeit lower than Windows 10, on 7.12 for 2020 and 7.30 in 2021.
Are published vulnerabilities a good metric for measuring Windows 10 insecurity?
So, is this all bad news for Windows 10 users? The answer is both yes and no.
In my never humble opinion, it reflects poorly on Microsoft that there are so many security issues with Windows 10. Still, it also shows that vulnerability discovery platforms (bounty hunting hackers) and reporting processes are working well.
I approached Microsoft regarding whether the codebase size (Windows 10 is said to have around 50 million lines of code) was an issue, along with in-house devsec processes failing to work as well as they should, but had not heard back before publication.
“There is a bittersweet level in numbers of reporting vulnerabilities,” Jake Moore, cybersecurity specialist for ESET, says, “when there seems to be a huge amount or increase in CVEs, it is often wrongly assumed there were too many bugs in the first place but what it also represents is that the vulnerability discovery platform and patching functionality is working well and in full flow.”
And, as Shlomie Liberow, principal security architect at HackerOne, says, another explanation is that “since Windows 10 is so much more widely used, researchers devote more time to looking for vulnerabilities in it.”
“Organizations are doing the right thing with regards to bolstering their security, as security testing and remediating progress is improving, and this is great to see, especially as the impact of cyber-attacks is becoming more prevalent,” Liberow adds.
The plain truth of the matter is that all code almost inevitably will contain bugs.
“Whether they are evil or not, the most important point to note is how quickly they can be patched once they are discovered before they are exploited nefariously in the wild.”
And on that basis, Microsoft is doing the right thing with the monthly Patch Tuesday rollouts, and occasional emergency updates, despite how shocking the headline vulnerability figures may appear.