Lies, damned lies and these lies: Security numbers don’t tell the story


If there’s a metric Apple’s failing at you can be sure it’ll get reported, even if it’s a meaningless metric.

Writing for Tiger Beat in the Valley, Emil Protalinski runs the numbers. Or, well, looks at some numbers.

“Software with the most vulnerabilities in 2015: Mac OS X, iOS, and Flash.” (Tip o’ the antlers to @JonyIveParody and @_HairForceOne.)

Every so often someone rolls out this trope about CVE (Common Vulnerabilities and Exposures) counts as if it’s supposed to be meaningful for anyone other than ski-mask-wearing-hacker-stereotype guy in the Starbucks who ironically uses his real name for the coffee order because using a fake name is just what the NSA would expect.

But even he doesn’t care that much because just because there are a lot of vulnerabilities doesn’t mean they’re going to get him what he wants. He’s interested in two things: 1) “Is it a vulnerability I can exploit?” and 2) “Will exploiting it get me fame, riches, some killer cheat codes or maybe some male celebrity nipple slips or sumpin’?”

Which software had the most publicly disclosed vulnerabilities this year? The winner is none other than Apple’s Mac OS X, with 384 vulnerabilities.

Which is why OS X is the most hacked platform. The End.

So, these overall counts are stupid. You can see that, right? Well, would you be surprised to learn that they’re even stupider? That the stupid bends back into a fifth dimension of stupidity that is at first imperceptible to the human eye? At least until you look at the actual list of vulnerabilities.

You’ll notice that Windows versions are split separately, unlike OS X.

Oh. So, all of OS X’s are added up across versions while Windows’ are split out. Oh. Well. That is certainly convenient for… someone other than Apple. Indeed.

“You will notice that we also multiplied the number of OS X vulnerabilities by 10 because somehow the X and 10 got into the spreadsheet formula and, well, mistakes were made is what we’re saying. But please enjoy these crappy, meaningless numbers. Apple sucks.”

The argument for separating them is probably one of market share, though that’s a hard one to agree to, given that Android and iOS are not split into separate versions. This is the nature of CVEs.

Nuttin’ we can do ‘bout it. Can’t fight city hall. Or write a less salacious headline. My hands are tied.

If we take the top 50 list of products and categorize them by company, it’s easy to see that the top three are Microsoft, Adobe, and Apple…

Yeah, so, funny story. Turns out (turns out) that Apple’s actually third on the list when you look at it by vendor. And which platform has the most exploits, meaning which one is really the least secure on a practical level?

Who knows? These numbers don’t show that.
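The bucketing problem above (one "Mac OS X" bucket summed across versions while each Windows release gets its own, and a different answer again once the same records are rolled up by vendor) is easy to see on NVD-style data, so here is an added example; it is not part of the original column or of the VentureBeat piece. It counts a small set of constructed CPE 2.3 records three ways. The CVE ids (FAKE-2015-…), the products and the counts are invented for illustration only and do not reflect any vendor's actual 2015 numbers.

```python
"""Count constructed CVE records by product, by product+version and by vendor.

Records use NVD-style CPE 2.3 names: cpe:2.3:part:vendor:product:version:...
Every id, product and count below is invented for illustration; none of it is
a real advisory or a real 2015 total for any vendor.
"""
from collections import defaultdict

# Constructed CPE names (real naming convention, made-up data set).
MACOS_1010 = "cpe:2.3:o:apple:mac_os_x:10.10:*:*:*:*:*:*:*"
MACOS_1011 = "cpe:2.3:o:apple:mac_os_x:10.11:*:*:*:*:*:*:*"
IOS_90 = "cpe:2.3:o:apple:iphone_os:9.0:*:*:*:*:*:*:*"
WIN7 = "cpe:2.3:o:microsoft:windows_7:-:*:*:*:*:*:*:*"
WIN81 = "cpe:2.3:o:microsoft:windows_8.1:-:*:*:*:*:*:*:*"
IE11 = "cpe:2.3:a:microsoft:internet_explorer:11:*:*:*:*:*:*:*"
FLASH_18 = "cpe:2.3:a:adobe:flash_player:18.0:*:*:*:*:*:*:*"
FLASH_19 = "cpe:2.3:a:adobe:flash_player:19.0:*:*:*:*:*:*:*"


def parse_cpe(cpe):
    """Return (vendor, product, version) from a CPE 2.3 name.

    A plain split is enough here because none of the sample names contain an
    escaped colon; real NVD data would need a proper CPE parser.
    """
    fields = cpe.split(":")
    if len(fields) < 6 or fields[0] != "cpe" or fields[1] != "2.3":
        raise ValueError("not a CPE 2.3 name: %r" % cpe)
    # fields: cpe, 2.3, part, vendor, product, version, update, edition, ...
    return fields[3], fields[4], fields[5]


def make_records():
    """Build the constructed data set. Each record is (cve_id, [cpe, ...])."""
    spec = [
        # (number of CVEs, CPE names each of those CVEs is recorded against)
        (4, [MACOS_1010, MACOS_1011]),  # one product, two versions, one bucket
        (2, [MACOS_1010]),
        (2, [MACOS_1011]),
        (2, [IOS_90]),
        (5, [WIN7, WIN81]),             # one bug, two separately named products
        (2, [WIN81]),
        (4, [IE11]),
        (6, [FLASH_18, FLASH_19]),
    ]
    records, n = [], 0
    for count, cpes in spec:
        for _ in range(count):
            n += 1
            records.append(("FAKE-2015-%04d" % n, list(cpes)))
    return records


def count_by(records, key):
    """Distinct CVE ids per bucket; key is 'vendor', 'product' or 'version'.

    'product' is vendor:product, 'version' is vendor:product:version. Each
    bucket holds a set, so a CVE listed against several versions of the same
    product is counted once for that product but once per version bucket.
    """
    buckets = defaultdict(set)
    for cve_id, cpes in records:
        for cpe in cpes:
            vendor, product, version = parse_cpe(cpe)
            if key == "vendor":
                name = vendor
            elif key == "product":
                name = "%s:%s" % (vendor, product)
            elif key == "version":
                name = "%s:%s:%s" % (vendor, product, version)
            else:
                raise ValueError("unknown key %r" % key)
            buckets[name].add(cve_id)
    return {name: len(ids) for name, ids in buckets.items()}


def ranking(counts):
    """Buckets sorted by count descending, then name, so ties are deterministic."""
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


def distinct_total(records):
    """How many separate CVE ids the data set actually contains."""
    return len({cve_id for cve_id, _ in records})


if __name__ == "__main__":
    recs = make_records()
    for key in ("product", "version", "vendor"):
        counts = count_by(recs, key)
        print("by %s (column sums to %d, data set has %d distinct CVEs):"
              % (key, sum(counts.values()), distinct_total(recs)))
        for name, n in ranking(counts):
            print("  %-38s %d" % (name, n))
```

Run it and the same 27 records put Apple's OS X first by product, a single Windows release first by product-plus-version, and Microsoft first by vendor; the per-product column also sums to 32, not 27, because a CVE recorded against two separately named products is counted twice. Notice what none of the three views contains: a severity, an exploit-availability flag, or anything else that would answer the "is it a vulnerability I can exploit?" question. Whichever grouping you pick, the count is a count of disclosures.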

But they sure are numbers, aren’t they?

