Windows Patches Fastest but Has 4X More Bugs Than Mac OS

Written by

Around four times more vulnerabilities are discovered in Microsoft Windows systems than Mac OS X but they are patched far quicker, according to new research from Kenna Security.

The vulnerability management firm commissioned the Cyentia Institute to analyze data from nine million assets at 450 organizations, in order to compile its report, Prioritization to Prediction Volume 5: In Search of Assets at Risk.

It revealed that the assets with fewer bugs tend to be patched slower by manufacturers, while those with more are fixed quicker.

For example, it found that a Windows-based asset has an average of 119 vulnerabilities per month: four times the median number found in Mac OS X (32) and 30 times that of network appliances (4).

However, those Windows vulnerabilities are patched within 36 days on average, while it takes an average of one year (369 days) to fix network devices like routers, printers, or Internet of Things appliances.

It was calculated that it takes Apple 70 days on average to release patches for Mac OS X machines, nearly twice as long as Microsoft, and 254 days for Linux/Unix.

Microsoft was found to have a critical patch rate of 83%, with Mac OS X in second (79%), then network appliances/devices (64%) and finally Linux (63%).

This is despite the fact that in the study, researchers found 215 million bugs on Microsoft machines. Although 179 million were fixed, the remaining 36 million exceeded the total number of patched and unpatched vulnerabilities on Mac, Linux, Unix, and network devices combined.

“With automated patching and Patch Tuesdays, the speed at which Microsoft is able to fix critical vulnerabilities on their systems is remarkable, but there still tend to be a lot of them,” said Wade Baker, partner and founder at Cyentia Institute.

“On the other hand, we see lots of assets like routers and printers where high-risk vulnerabilities have a longer shelf life. Companies need to align their risk tolerance, strategy, and vulnerability management capabilities around these trade-offs.”

What’s hot on Infosecurity Magazine?