Follow GFI:
Find us on Facebook Follow us on Twitter Find us on Linkedin Subscribe to our RSS Feed Find us on YouTube Find us on Google+

Report: Most vulnerable operating systems and applications in 2013

on February 3, 2014

The number of reported security vulnerabilities in 2013 continued to increase compared to 2012. In this post, I provide an overview of the statistics for 2013 related to software security vulnerabilities. These are compiled from data from the National Vulnerability Database (NVD).

On average, 13 new vulnerabilities per day were reported in 2013, for a total of 4,794 security vulnerabilities: the highest number in the last five years.

Vulnerabilities report

Around one-third of these vulnerabilities were classified ‘high severity’, meaning that an exploit for these vulnerabilities would have a high impact on the attacked systems. The number is higher than in 2011 and 2012, when we started to see a downward trend in high security vulnerabilities discovered.

vulnerability distribution

The vulnerabilities were discovered in software provided by 760 different vendors, but the top 10 vendors were found to have 50% of the vulnerabilities:


For the second year running, Oracle leads the pack, with 514 security vulnerabilities reported. A significant increase from 424 vulnerabilities discovered in 2012. Java alone had 193 vulnerabilities, with more than 100 of them ‘critical’.

Eight of the top 10 vendors registered a substantial increase in the number of vulnerabilities discovered in 2013. Microsoft has – by far – the most ‘high severity’ vulnerabilities, reversing the downward trend over the past few years.

vulnerability distribution by product type

Third-party applications continue to be the main source of vulnerabilities, however during the past year there has been a major increase in vulnerabilities reported for operating systems and hardware devices.

The number of hardware vulnerabilities is directly related to the number of vulnerabilities found for Cisco that – due to an important increase in 2013 – is now in the second place in top 10 vendors by number of vulnerabilities.

For operating systems and third-party applications more details are available in the table below.

Most Targeted Operating Systems in 2013


There has been an overall increase in number of vulnerabilities for all operating systems, irrespective of brand – Microsoft or Linux..Microsoft’s operating systems once again took top spot, overtaking Apple iOS, which had the highest number of vulnerabilities last year. The number of vulnerabilities in Apple iOS increased in 2013, but went down to 10th because Windows operating systems and Linux kernel vulnerabilities increased considerably more.

Most Targeted Applications in 2013

most targeted applications

In 2013 web browsers continued to justle – as in previous years – for first place on the list of third-party applications with the most security vulnerabilities. If Mozilla Firefox had the most security vulnerabilities reported last year and in 2009, Google Chrome had the “honor” in 2010 and 2011, it is now the turn of Microsoft Internet Explorer to lead with 128 vulnerabilities, 117 of them ‘critical’.

From a security perspective, Oracle and Java had a bad year in 2013 with 193 vulnerabilities reported for Java, 102 of them critical. To make matters worse, an high number of the critical vulnerabilities in Java were zero-days flaws (they were reported before a security patch was available to fix them).

To keep systems secure, it is critical to maintain them fully-patched. Extra attention is required for (patch them first):

  • Operating systems (Windows, Linux, OS X)
  • Web browsers
  • Java
  • Adobe free products (Flash Player, Reader, Shockwave Player, AIR).

About the Author:

Cristian Florian is product manager at GFI Software. Starting as a software developer, he developed his career step by step gaining more than 12 years of experience in network security and software development. He currently oversees GFI LanGuard, a successful network security scanning and patch management solution.

Eldon Ziegler February 4, 20141:02 pm

Is there a typo in the Linux kernel data? It is listed between 51 and 58 but has a value of 158!

Reply to this comment
Cristian Florian February 4, 20144:27 pm

The numbers are correct. The top is generated based on both number of vulnerabilities and their severity. E.g. 2 high severity vulnerabilities are considered more dangerous that 8 medium vulnerabilities…

Reply to this comment
Thanan February 5, 20142:17 am

What software(s) did you use to obtain the results and do you have the list of vulnerabilities that were present? Thanks for the reply in advance

Reply to this comment
Cristian Florian February 5, 201412:32 pm

The source is National Vulnerability Database, as stated in the first paragraph of the article. All vulnerabilities are publically available here:

Reply to this comment
Thanan February 7, 201412:38 am

Thanks you. Which free downloadable tools would u personally recommend to test the vulnerabilities in a computer system? because i am looking forward to analyse different tools to see which can detect and fix vulnerabilities.

Kris February 7, 201412:13 am

The thing to remember when comparing open source and free software to proprietary software like windows and apple is the the patches for operating system vulnerabilities are deployed on a weekly basis basis for free software like linux. The community of developers share full access to scrutinize the code. This makes the comparison quite flawed.

Reply to this comment
Kris February 7, 201412:35 am

Also it might be worth mentioning that the frequency or rate of vulnerabilities reported isn’t directly related to the quality of the software. In fact it maybe just the opposite. Software that doesn’t show signs of any vulnerabilities would be one to be concerned about.

Reply to this comment
Cristian Florian February 11, 201411:12 am

True. A higher number or rate of vulnerabilities does not indicate a lower quality product versus one that has fewer or no vulnerabilities. But, if security updates are released very often most companies remain behind with patching and this is where the danger really is.

Reply to this comment
Leon February 9, 20147:00 pm

When you say Java you mean the applet sandbox, right? Maybe you should write it explicitly, because otherwise it just reads like someone who doesn’t know anything about the topic. There were probably 2 real java vulnerabilities in last 5 years.

Reply to this comment
Cristian Florian February 11, 201411:26 am

By Java I mean all Java vulnerabilities. Indeed most of them apply to the client installation and can be exploited only through sandboxed Java Web Start applications and sandboxed Java applets. However your statement is far from true. Just the last Java update from 2013 contains 8 vulnerabilities that apply to Java server deployment:

Reply to this comment
Hausverwaltung Essen February 11, 20145:05 pm

Is Oracle because of Java in this range?

Reply to this comment

Leave a Comment

Name Required
Email Required