Linux is the world’s most vulnerable operating system

World’s worst are Debian, Android, macOS and Ubuntu

The idea that Microsoft’s Windows is the world’s most buggy and vulnerable operating system is pants, and it is so-called cast iron operating systems like Linux and macOS which are the worst.

An analysis of the National Institute of Standards and Technology’s National Vulnerability Database, compiled by, tracked ‘technical vulnerabilities’ in popular pieces of software between 1999 and 2019.

The world’s worst was Debian, a flavour of Linux, top of the table with 3,067 vulnerabilities over the last two decades. Close behind was Android on 2,563 vulnerabilities, with the Linux kernel in third place having racked up a count of 2,357. Apple’s macOS was only slightly behind that with 2,212, with Ubuntu in fifth place on 2,007.

All of the top five places were taken by operating systems, although Firefox and Chrome filled the next two positions with 1,873 and 1,858 vulnerabilities respectively.

Microsoft’s Windows 7 bore 1,283 vulnerabilities, and Windows 10 carried 1,111. If you add those together, you get a total of 2,394 for the past decade.

Note, however, that some of the other figures mentioned represent a full two decades of existence – like Debian, which has been around since 1993 – so it’s difficult to make direct comparisons.

So when a Linux or Mac user tells you that their operating system is less buggy you can tell them to bog off with a pointy stick.

Looking at the figures for 2019 alone, Android was the most vulnerable piece of software with 414 reported vulnerabilities, followed by Debian Linux on 360, and Windows 10 was in third place in this case with 357.

The main problem with Microsoft’s image is that it is the most targeted by malware because there is more value in knocking over business systems.

As for the type of vulnerabilities found, in 2019, a quarter of all the observed security flaws were code execution vulnerabilities. Cross-site scripting was the second most prevalent gremlin in the works at 17.7 percent, followed by buffer overflows at 13.9 percent, and then denial of service attacks at 10.2 percent.