As we begin the new decade, you should be mindful that your online activity is being monitored. While federal agencies may claim to do it to protect Americans, big-name companies like Google, Apple, and Facebook financially benefit from putting consumer data out on the auction block.
What you do online is also susceptible to attackers who aim to hack into your applications, social media accounts, and, in some cases, seek to collect financial information. All of us are vulnerable when we connect to the internet, but some technology products are more prone to invasion.
To examine the technical vulnerabilities of various vendors and products, we used recent data from the National Institute of Standards and Technology’s National Vulnerability Database, which updates frequently. Our findings outline the types of vulnerabilities users should be aware of and indicate how severe the associated attacks are.
Vulnerabilities Over Time
Consumer data, which should be kept private, might be more lucrative than oil – federal law allows internet service providers (ISPs) to profit from your data. However, your online activity is also susceptible to exploitation from attackers who seek “to gain unauthorized access or misuse your network and its resources.”
Only 894 technical vulnerabilities were reported in 1999; 20 years later, that figure had increased nearly 14 times to 12,174. However, 2018 showed the highest number of vulnerabilities: 16,556. According to the National Vulnerability Database, Debian GNU/Linux, an open-source repository, was listed as experiencing 1,197 vulnerabilities in 2018. Due to the nature of open-source software, it’s licensed so that users are free to use, copy, study, and alter source code within their own forked repositories.
Although such large numbers might be alarming, technical vulnerabilities are detected, on average, in 197 days and contained in 69, but a recent two-year iOS breach affecting thousands of iPhones terrified experts. Still, Android had the most vulnerabilities reported in 2016, 2017, and 2019, while iOS didn’t make the list at all.
There are various types of vulnerabilities: Some grant attackers the ability to access private information, while others enable unwanted commands or crash applications. The iOS breach was shocking because of how long it went undetected, but also because of its scope. By chaining together “14 security flaws,” the attack allowed its operators to collect sensitive information about iPhone users, including passwords, and listen to encrypted communication.
Code execution, which allows an attacker to execute arbitrary commands, was responsible for more than 1 in 4 technical vulnerabilities in 2019, followed by cross-site scripting (17.7%). Code execution was also the most common type of vulnerability in 2018 and accounted for 3,041 security holes.
Denial-of-service (DoS) vulnerabilities were only responsible for about 10% of product vulnerabilities in 2019, but they outnumbered all other vulnerability types in 2017. However, GitHub experienced the largest DoS attack ever seen in 2018 when its website went offline for about five minutes. Perhaps that’s why only 919 DoS vulnerabilities were reported in 2019 – companies took note and fit their products with necessary defenses.
HTTP response splitting is historically the least common type of technical vulnerability reported. This is likely because applications generally succeed in validating untrusted input before it reaches a response header.
Businesses have become more “reliant on digital data, cloud computing, and workforce mobility” in the last 20 years, which has increased their exposure to cyberattacks.
Founded in 1975, Microsoft is one of the world’s most successful technology companies. There were 668 reported Microsoft vulnerabilities in 2019. Since 2009, Microsoft has been listed as experiencing 6,814 technical vulnerabilities.
However, Linux was identified in the NIST’s National Vulnerability Database as experiencing the most reported vulnerabilities per product at 139.4, which is likely because the software company is relatively young and has fewer products.
It should be noted that all vendor and product classifications are those identified by the database.
Trouble With Your Operating System?
In the last 20 years, the free and user-friendly Debian Linux was listed in the database as experiencing 3,067 reported technical vulnerabilities. According to its website, the community that uses Debian Linux is “very responsive,” and vulnerabilities are usually fixed within a few days.
Android reported 54 more vulnerabilities than Debian Linux in 2019. This could be because Android phones are built with pre-installed third-party applications, ultimately exposing users to unchecked bugs.
The three products that followed Android and Debian Linux were all from Microsoft: Windows Server 2016, Windows 10, and Windows Server 2019.
Should You Worry?
Using the Common Vulnerability Scoring System (CVSS), which ranges from 0 to 10, we outlined the products with the vulnerabilities that posed the highest risks from 1999 to 2019. Looking at the top 50 products with the most vulnerabilities in the last 20 years, Adobe Flash Player had the highest weighted average at 9.4.
Of the 15 products listed, watchOS and iTunes (both Apple products) experienced the least-severe product vulnerabilities (although their exposure still remained in the 7.0 range).
Browsing in Private
Internet access is a human right, but experts report that the majority of Americans feel they have very little to no control over their privacy. And there is cause for worry. Our findings show that technology products housing your sensitive data have become increasingly vulnerable to bad actors over the past 20 years. Everything from your bank information to what you print out is susceptible, but that doesn’t have to be acceptable.
Although roughly 6 in 10 Americans believe it is not possible to go through daily life without having their data collected, you can take control of your sensitive information. Consider setting up a virtual private network (VPN) to keep your browsing history and data out of criminal hands. Visit TheBestVPN.com for comparison guides and resources to help you choose the best VPN to keep your online activity private.
Using data from the National Institute of Standards and Technology’s National Vulnerability Database, which we accessed through the CVE Details security database, we explored the technical vulnerabilities of a number of technology vendors and consumer products.
The data were available for every year from 1999 to 2019. Data for 2019 were pulled on Jan. 2, 2020, and included data for every month of that calendar year. Because the database is updated constantly, it’s possible that the numbers presented here have since changed.
The database looked at 13 types of technical vulnerabilities. We included all types in our analysis of the data. It should be noted that other sources may describe or name types of vulnerabilities slightly differently. We chose to keep the type names consistent with those in the database accessed through CVE Details.
All product and vendor classifications in this project were identified as such in the NIST’s database. We did not perform any manual classification and present the data as listed in the database. This may create potential issues with comparisons between different products and vendors.
The vulnerabilities-by-product calculation was done by dividing a vendor’s total number of vulnerabilities by the number of reported products that the vendor makes. The calculation was done within the database. However, we recreated the calculation and rounded numbers up, whereas the database rounded the calculated values down. Therefore, the numbers presented here might vary slightly from the database.
When looking at specific products, the lists of top products for vulnerabilities were calculated by the database. We chose to show the top 20 in our final representations of the data, with the exception of the CVSS scores where we included the top 25.
With the product lists, it’s important to note that some products are defined multiple times with different names in the database. Therefore, our lists may contain the same product under different names.
Finally, we examined the risk posed by product vulnerabilities. This was done using the Common Vulnerability Scoring System (CVSS). Vulnerabilities are given a score of 0 to 10 based on multiple metrics. More information on this system can be found here.
The database provided CVSS weighted averages for the top 50 products by the total number of distinct vulnerabilities. Our final representation shows the top 25 products with the highest CVSS weighted averages. More information on how the weighted averages were calculated can be found here.
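To make the two methodology calculations concrete (vulnerabilities per product with the rounding difference noted above, and the CVSS weighted average), here is an added Python example on constructed CVE-style records. It is not the project’s own code; the record layout, the vendor and product names, and the “count per score” weighting rule are assumptions.

```python
# Added example, not the project's code: reproduce the methodology's
# per-product ratio and CVSS weighted average on constructed records.
import math
from collections import Counter, defaultdict

# Constructed sample records: (vendor, product, CVSS base score). Not real data.
SAMPLE_RECORDS = [
    ("vendorA", "os-1", 9.8), ("vendorA", "os-1", 7.5), ("vendorA", "os-1", 6.5),
    ("vendorA", "os-2", 5.3), ("vendorA", "os-2", 9.1),
    ("vendorA", "server-3", 8.8), ("vendorA", "server-3", 7.2),
    ("vendorB", "player", 9.8), ("vendorB", "player", 9.3), ("vendorB", "player", 8.1),
    ("vendorB", "reader", 4.3),
]

def vulns_per_product(records, round_down=True, decimals=1):
    """Vendor total vulnerabilities / number of distinct products.
    The write-up says the database rounds this down while the article rounded
    up; the flag lets you see how far the two conventions drift apart."""
    totals, products = Counter(), defaultdict(set)
    for vendor, product, _score in records:
        totals[vendor] += 1
        products[vendor].add(product)
    scale = 10 ** decimals
    result = {}
    for vendor, total in totals.items():
        scaled = total / len(products[vendor]) * scale
        rounded = math.floor(scaled) if round_down else math.ceil(scaled)
        result[vendor] = rounded / scale
    return result

def cvss_weighted_average(records, product):
    """Weighted average CVSS for one product: sum(score * count) / sum(count),
    where count is how many vulnerabilities share each score (assumed rule)."""
    buckets = Counter(score for _vendor, p, score in records if p == product)
    if not buckets:
        return None  # product not present in the data set
    weighted = sum(score * n for score, n in buckets.items())
    return round(weighted / sum(buckets.values()), 1)

def severity(score):
    """CVSS v3 qualitative bands, so a 9.4 reads as Critical and 7.x as High."""
    if score == 0.0:
        return "None"
    if score < 4.0:
        return "Low"
    if score < 7.0:
        return "Medium"
    return "High" if score < 9.0 else "Critical"
```

Running `vulns_per_product(SAMPLE_RECORDS)` against the same call with `round_down=False` shows the one-tenth drift the methodology warns about.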
Fair Use Statement
We live in an increasingly connected world, and that comes with pros and cons. The best way to stay protected is to remain vigilant and informed. If someone you know would benefit from the information presented in this project, you’re free to share it for any noncommercial reuse. However, we ask that you link back here so that people can view the entire project and read the methodology. This also gives credit to our contributors whose efforts make projects like this possible.