They say that you should look to the past (to learn from it) to know what to expect from the future. This is especially true in the cyber security field, where not only do we have to learn fast, but also practice what we learn even faster.

Today I want to look at the most vulnerable software in 2016, to help you understand what has changed and how these changes impact our online (and sometimes offline) lives.

As we all know by now, 2016 was the most eventful year in cyber security… ever! Considering what challenges lie ahead, we can expect that 2017 will take the crown 12 months from now. However, until then we must proceed step by step.

The reason for this short analysis is to help you identify some of the sources that make your system vulnerable to cyber attacks. Not only that, but I’ve also included protection tips on how to deal with them.

Where the data comes from

In order to do this, I’ve gathered the data below from CVE Details, which is a point of reference for the industry and provides detailed information on software vulnerabilities.

For those who are new to the subject, a brief definition for the term “vulnerability” can be found in our cybersecurity glossary:

A vulnerability is a hole in computer security that leaves the system open to damages caused by cyber attackers.

Software vulnerabilities are defined by 3 factors:

  1. The existence of a flaw in the software
  2. The possibility of the attacker gaining access to the flaw
  3. The ability of the attacker to exploit that flaw or weakness, through tools or by using certain techniques.

In this quick examination, we will look not only at the number of vulnerabilities, but we will also take a peek at their severity. This qualitative data is provided by the CVSS system:

The Common Vulnerability Scoring System (CVSS) is an open framework for communicating the characteristics and severity of software vulnerabilities.

Now that the context is set, let’s see what we can learn from last year’s long list of software weaknesses.

The Most Vulnerable Software in 2016

When it comes to publicly disclosed security flaws, the list of top 10 software with most security flaws from 2016 is quite different from 2015 one, as you can see below:

Top 50 Products Distinct Vulnerabilities in 2015

Top 50 Product Distinct Vulnerabilities in 2016 progress

As you can see, some of the usual suspects remain [cough]Flash Player[cough], some left the top 10 (Mac OS X and iPhone OS), while others made their entry and headed straight for the top (Android).

The number of vulnerabilities alone should not make you want to uninstall this software ASAP. In fact, for many of us, this is not an option (except for Flash – uninstalling Flash is always an option). There is also the impact aspect to it, which we’re going to discuss in the second part of this analysis.

But first, let’s see how things have evolved in the past 3 years for the software that millions use on a daily basis, which directly impacts their security level.

Operating systems


Operating systems with the biggest market share – Windows 7 (48,34%) and Windows 10 (24,36%) – are actually not the ones with the most vulnerabilities in 2016. In fact, Microsoft has put a lot of work into making Windows 10 the most secure Windows to date and, for all intents and purposes, specialists show that this is the case (and could get even better with future updates).

Two Linux versions and two Novell OSs take the top spots, while Mac OS X follows. In spite of the rather sizeable number of vulnerabilities, Mac OS X remains almost impervious to malware attacks (almost being the keyword here – here’s proof).

top vulnerable operating systems 2016


Operating systems market share in December 2016

top vulnerable operating systems 2016


If you’re still on Windows XP, we highly recommend you upgrade to a newer operating system if you still use it, because XP is an open invitation to all kinds of cyber attacks, since it doesn’t get security updates anymore.

Mobile & IoT

As mobile devices and the Internet of Things comprise of millions of Internet-connected devices scattered across the world, it’s only natural that we check them out as well. Especially since Android dominates by the number of vulnerabilities.

But here’s the catch: one of the reasons that Android tops the vulnerable software list is because of the effective bug bounty program that Google put in place for it. The program offers hefty rewards to those who can find weaknesses in the most used mobile OS in the world. They also have to provide a proof of concept for the security hole and a patch for it in order to get the full amount of the reward.

As a result, Android has over 500 publicly disclosed vulnerabilities in the CVE Details database:

most vulnerable mobile and iot operating systems 2016

Unfortunately, the number of vulnerabilities in Android is not the only issue. Many of them were quite severe, allowing cybercriminals to execute malicious code, corrupt the devices’ memory, gain information privileges, cause denial of service or do other types of damage.

And cyber threats targeting Android specifically were abundant as well. From MazarBOT to HummingBad and beyond. With millions and millions of Android-powered devices in use, it’s only natural that cybercriminals would try to turn them into cash cows.

Going beyond Android, it’s important to note that the number of iOS vulnerabilities has dropped considerably.

Also, IoT operating systems are only beginning to grow and get included in vulnerability databases, so we recommend you keep an eye on this category as you get more Internet-connected gadgets at home.


Browser security plays a huge part in your online protection because it’s the main way that we access the Internet. This is the main reason why you should care if you’re using the latest version (always recommended) or an outdated one.

As you can see below, the most used browsers in the world have had their issues in 2016, and cybercriminals did not hesitate to pounce when the opportunity arose.

From browser hijackers to drive-by attacks and JavaScript malware, cybercriminals have plenty of tactics and tools they use to inject malicious code in your browsers.

vulnerabilities in the most used browsers in the world 2016

By taking a lot at browser usage by version number, we can see that:

  • More than half of Chrome users run outdated versions
  • 3/4 of Internet Explorer/Microsoft Edge users have older versions installed
  • 1/3 of Firefox users don’t use the latest variant of this browser
  • And 1/3 of Safari users do the same.

Browser market share in December 2016:

browser market share december 2016

Source: NetMarketShare

That leaves a market of millions open to attacks that feed malware into computers by exploiting security holes in vulnerable browsers. And many of these attacks take advantage of weaknesses that have already been patched in the latest version. Some vulnerabilities targeted in malicious campaigns can be a few years old!

If you need a quick way to check if your browsers are up to date, just open this link in each browser you have installed:

Besides finding out if you have the latest version of that browser installed, you’ll also be able to see details about JavaScript, cookies, Flash and Java. These are all very important for your security, as you’ll see in the next section.

is my browser up to date

A key reminder here is to be careful and avoid common tricks online attackers use. Sometimes, they disguise attacks as updates for your browsers. As you can imagine, clicking on the presumed update will infect your computer and may cause both financial damage and data leakage.

Two recent examples include malicious, fake updates for Firefox and Chrome. You’d be surprised how many Internet users get fooled by this. It’s not even because they’re new to the Internet, but rather because they’re not aware of the dangers and get carried away in their haste to get what they need.

In order to avoid such risky situations, you can turn auto-update on when available or automate your updates for free and save some time and hassle in the process.


When it comes to other pieces of software we use in our daily work (or fun), the usual suspects are under scrutiny. Acrobat with all its versions (Acrobat Dc and Acrobat Reader Dc) and Flash Player are the most troublesome in this small chart.

As an alternative to Acrobat Reader, you can use Foxit Reader (which only had 8 vulnerabilities last year). As for Flash, we’ve discussed this issue in a dedicated guide that continues to be relevant to this day. The conclusion here is that life without Flash is not only possible, but better.

vulnerabilities in utility apps in 2016

Not all vulnerabilities are created equal

As I mentioned when discussing the state of Android vulnerabilities, the number of security holes is not the most relevant indicator by itself. We also need a qualitative perspective, which is given by the CVSS score (defined in the introduction).

Here’s what happens: if a software maker has a good program in place for finding and patching security holes (internally, through a public bug bounty program or both), the number of publicly disclosed vulnerabilities will naturally be higher.

But tens of minor weaknesses can be outweighed by a single, critical vulnerability that can affect users severely. That is why it’s important to not equate amount and quality.

That being said, let’s take a look at the general CVSS scores for the top 20 products and for the top 20 vendors with the highest number of vulnerabilities.

In the table below:

1. Vulnerabilities are labeled “Low” severity if they have a CVSS base score of 0.0-3.9.
2. Vulnerabilities will be labeled “Medium” severity if they have a base CVSS score of 4.0-6.9.
3. Vulnerabilities will be labeled “High” severity if they have a CVSS base score of 7.0-10.0.

Source: National Vulnerability Database

CVSS Score Distribution For Top 50 Products

CVSS Score Distribution For Top 50 Vendors

As you can see, Adobe and Flash don’t really fare well from this perspective. We’re not building a case against it, but it’s undeniable Flash is a problem for every Internet user out there.

Where is the danger?

A recent malicious campaign we detailed in a security alert shows exactly why vulnerable apps pose a huge risk to their users.

In that alert, we showed how a string of vulnerabilities in Flash Player, Silverlight, Internet Explorer and Edge were used to infect computers with Cerber ransomware, one of the strongest types of encrypting malware, for which there is no decryption key available.

The thing is that those security holes used in the attack had been patched in 2016 and some of them in 2015 (!).

This is exactly why security experts insist on patching and its fundamental role in keeping systems and data safe for everyone involved.

How to avoid risky software vulnerabilities

The solution is super simple here: keep them up to date at all times!

How to get started:

1. Check the list of apps you have installed.  Sort by “Installed On” to see the software you may have forgotten about.

programs installed on

2. Uninstall what you don’t need and do a major spring cleaning (works in every season, not just during spring).

3. Automate your software updates to save time and energy and remember to always, always install operating system updates as well!

Did you come across any issues with software vulnerabilities last year? Share your stories in the comments below.

Spend time with your family, not updating their apps!
Heimdal™ Free - Software Updater
Let Heimdal™ FREE Silently and automatically update software Close security gaps Works great with your favorite antivirus


Download Heimdal™ FREE

Security Alert: RIG EK Spreads Cerber, Targets Outdated Popular Apps

15+ Experts Explain Why Software Patching is Key for Your Online Security

8 Vulnerable Software Apps Exposing Your Computer to Cyber Attacks [Infographic]


Windows Xp is no problem here. Have it tight up and this with just a new install of Software Ristriction Policy and get some goodies from NoVirusThanks and this all with a good AV+Emsisoft (not Malware bytes because it’s becoming crapware-> check MRG-Effitas-360-Assessment-2017-Q1_wm) and the good thing is that it is for hackers not the main OS for exploiting because the big money is not to find anymore on Xp but like we see on Mac OS And Linux. Follow the money and so with a few security tweaks is Xp secured than Mac OS. You do not follow the mainstream becausue it is the mainstream BS that makes you hackable an hen Im surfing I have such a fingerptint that it seems that I’m surfing here with chrome under Linux. So stop please follow this mainstream BS. In the 16 years that I’m on Xp I have never got something and this tells something also that you do not find in the mainstream fear-mongering.

Kind regards,

Kevin z. from Belgium

Hi Andra,

I do have a remark to the list of “top products” and their vulnerabilities. Number two is Debian GNU/Linux, number three is Ubuntu GNU/Linux, number six is OpenSuSE, and number ten is the Linux kernel itself.

If you take a look on what gets compared here it worries me a bit:
Debian contains almost 60,000 pre-compiled end-user packages, Ubuntu over 73,000, OpenSuSE 70,000.

The vulnerabilities of Debian contain all vulnerabilities reported via their bug tracking system. This includes all Debian-related bugs of LibreOffice, Firefox, and roughly 60,000 others as well. Further more: there are vulnerabilities reported to the Debian bug tracking system which corresponds to the vulnerabilities to OpenSuSE, Ubuntu and all other major Linux distributions. They get reported for each Linux distribution so that they get fixed either by upstream or within the distribution.

Whereas the Flash player or the Internet Explorer are just single products, Linux distributions represent a whole ecosystem with many thousands of products.

I don’t see any reasonable approach to compare whole ecosystems with single products on one list of vulnerabilities.

The only valid point is to list the Linux kernel and its reported vulnerabilities.

If you compare Windows 10 (OS with a maximum of a few dozen of low-profile add-on products) with let’s say the Debian GNU/Linux ecosystem (an operating system and additional 60,000 software products) this is just unfair to every definition of valid research.

This actually proves a point: if the whole Debian GNU/Linux ecosystem with *all* possible user-facing software products just has a bit more vulnerabilities than the Flash player, this demonstrates the extraordinary quality of open source Linux software altogether.

Awesome insights. Security is a constant problem with the Android OS thus hackers love to target it, not to mention the fact that the number of Android users are continuously growing.

Interesting article.


Interesting article. However, I must admit I don’t understand the statement
“…Mac OS X remains almost impervious to malware attacks…” 🙂

According to this page (hxxp:// Mac OS x has more than double vulnerabilities when compared to first Microsoft’s OS on list – Windows server 2008.

It doesn’t look so “impervious” to me 🙂 and I’d like some more explanation – maybe I’m just seeing things with wrong eye…


Best regards

Hi Tom!

As I mentioned in the article, the number of vulnerabilities alone is not enough to consider a piece of software vulnerable. The gravity of those weaknesses is also important. OS X is built as a rather closed operating system, very compartmentalized (among other details), which makes it much more difficult for attackers for successfully exploit a vulnerability. Statistically speaking, there are fewer examples of successful cyber attacks against OS X than against other operating systems.

Here are some useful debates on the matter that can provide more details:

Thanks, Andra.

Still not convinced 🙂 Quora is nice, but I’d like to move away a bit from personal oppinions…

If we check the mentioned CVE link and compare Mac OSx with Windows XP (which is often regarded as an school example of non-nsecure OS) we can see that OSx has ~290 vulnerabilities with CVSS score over 9, while XP has ~230 of them.

As per NetMarketShare (hxxps://, in December 2016 (meaning – more than two and a half years after XP was totally *abandoned* and everybody is leaving it) – XP still has more than double market share (9%) than OSx (~4,5%).

OSx may be nice but is way below “secure” level – I wonder what would happen with that security if it gained a popularity of XP in its best days 😉

Best regards

Hi Tom!

I’m not trying to build a case for OS X (I’m a Windows user myself), but it wouldn’t be entirely fair to compare it to XP, since XP has been unsupported for a while now.

Indeed, the more an OS gains market share, the more factors challenge its security level. What’s more, no OS is as secure as we wish it would be, but cybercriminals focus mainly on the ones with the most market share, which are likely to fall victim faster and make them more money.

Hopefully, things will evolve in a direction that would help us all have safer digital lives. But, in my opinion, the responsibility towards security is still shared between software makers and users, although not in the same percentage.

Leave a Reply

Your email address will not be published. Required fields are marked *