• What does the CISA KEV database say about Android/iOS known critical exploits?

    From Marian@marianjones@helpfulpeople.com to misc.phone.mobile.iphone,comp.sys.mac.advocacy on Mon Dec 22 11:20:58 2025
    From Newsgroup: comp.sys.mac.advocacy

    You are apparently attempting to reduce a very complex subject to a single
    metric (malware prevalence), and that is not how security professionals
    evaluate operating system security. Malware rates are not the definition of
    security. They are one symptom of a much larger system.

    Here are some of the much more complicated facts that matter:

    CISA KEV data does not show iOS as "way more secure." When you query the
    CISA Known Exploited Vulnerabilities database, iOS and Android have roughly
    similar numbers of actively exploited CVEs over time. That is the only U.S.
    government maintained list of real-world, in-the-wild exploited
    vulnerabilities. It does not show iOS as dramatically safer.

    As we've discussed before the KEV cannot be used to make any extrapolation
    or implication. It is an extremely narrow view of the landscape ignoring
    96% of known vulnerabilities.

    Chris, I think it's clear that you are misrepresenting the data in KEV.

    No one is claiming the KEV represents the entire vulnerability landscape.
    a. Of course it does not.
    b. It is intentionally narrow.
    That is the whole reason it is useful in this specific context.

    The KEV is the only US government maintained list that tracks
    vulnerabilities that are actually being exploited in the wild.

    It filters out the noise and focuses on the subset that matters for
    real-world operational risk. That makes it appropriate for comparing
    practical exposure between platforms.

    Saying "the KEV ignores 96 percent of known vulnerabilities" is not an
    argument against using it. That is simply a description of its purpose.

    Most CVEs are never exploited, never weaponized, and never used against
    real targets. Counting every CVE equally is a poor way to measure security because it treats theoretical bugs the same as actively exploited ones.

    If your claim is that iOS is "way more secure," then the KEV is exactly the kind of dataset you should be able to point to.

    It reflects real exploitation, not hypothetical attack surfaces.

    And when you look at that data, iOS and Android show broadly similar levels
    of exploited CVEs over time. That directly contradicts the idea that one platform is dramatically safer than the other.

    If you want to argue that the KEV is not the right metric, that is fine,
    but then you need to provide a better one. Simply dismissing the only authoritative exploited-in-the-wild dataset because it does not support
    your conclusion is not a technical argument that is logically tenable.
    --
    I respond as an adult to anyone as long as they act like an adult.
    My goal is to help people & to learn more from those people I help.
    --- Synchronet 3.21a-Linux NewsLink 1.2
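The KEV query the post above refers to can be reproduced against the published catalog. What follows is an added example, not code from the thread or from CISA: it parses a document in the catalog's JSON shape (the field names cveID, vendorProject, product, vulnerabilityName and dateAdded are those of the real feed at https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json) and buckets entries by mobile platform. KEV has no platform field, so the bucketing rules, the ANDROID_ECOSYSTEM_VENDORS set and the embedded sample entries (placeholder CVE IDs, not real catalog data) are this example's own assumptions and constructed input.

```python
"""Count KEV catalog entries by mobile platform.

Field names match the real CISA KEV JSON feed. KEV publishes no "platform"
field, so the iOS/Android bucketing below is a heuristic of this example.
The embedded sample is constructed; its CVE IDs are placeholders.
"""
import json
import re
from collections import Counter, defaultdict

# Constructed sample in the KEV JSON shape (NOT real catalog data).
SAMPLE_KEV_JSON = json.dumps({
    "title": "constructed sample", "catalogVersion": "0", "count": 8,
    "vulnerabilities": [
        {"cveID": "CVE-0000-0001", "vendorProject": "Apple", "product": "iOS and iPadOS",
         "vulnerabilityName": "Apple iOS and iPadOS WebKit Memory Corruption Vulnerability",
         "dateAdded": "2023-02-10"},
        {"cveID": "CVE-0000-0002", "vendorProject": "Apple", "product": "Multiple Products",
         "vulnerabilityName": "Apple Multiple Products Use-After-Free Vulnerability",
         "dateAdded": "2023-06-21"},
        {"cveID": "CVE-0000-0003", "vendorProject": "Apple", "product": "macOS",
         "vulnerabilityName": "Apple macOS Kernel Privilege Escalation Vulnerability",
         "dateAdded": "2023-03-01"},
        {"cveID": "CVE-0000-0004", "vendorProject": "Google", "product": "Android",
         "vulnerabilityName": "Android Framework Privilege Escalation Vulnerability",
         "dateAdded": "2023-02-14"},
        {"cveID": "CVE-0000-0005", "vendorProject": "Google", "product": "Android Kernel",
         "vulnerabilityName": "Android Kernel Use-After-Free Vulnerability",
         "dateAdded": "2024-01-10"},
        {"cveID": "CVE-0000-0006", "vendorProject": "Qualcomm", "product": "Multiple Chipsets",
         "vulnerabilityName": "Qualcomm Multiple Chipsets Use-After-Free Vulnerability",
         "dateAdded": "2023-12-05"},
        {"cveID": "CVE-0000-0007", "vendorProject": "Arm", "product": "Mali GPU Kernel Driver",
         "vulnerabilityName": "Arm Mali GPU Kernel Driver Use-After-Free Vulnerability",
         "dateAdded": "2023-10-03"},
        {"cveID": "CVE-0000-0008", "vendorProject": "Microsoft", "product": "Windows",
         "vulnerabilityName": "Microsoft Windows Privilege Escalation Vulnerability",
         "dateAdded": "2023-05-09"},
    ],
})

IOS_RE = re.compile(r"\b(iOS|iPadOS)\b", re.IGNORECASE)
ANDROID_RE = re.compile(r"\bAndroid\b", re.IGNORECASE)
# Assumption: chipset/GPU vendors whose KEV entries are typically exploited on
# Android handsets but are never labelled "Android". Counting them is a choice.
ANDROID_ECOSYSTEM_VENDORS = {"Qualcomm", "Arm", "Samsung", "MediaTek"}


def load_kev(text: str) -> list[dict]:
    """Parse a KEV JSON document and return its vulnerability entries."""
    return json.loads(text)["vulnerabilities"]


def classify(entry: dict) -> str:
    """Bucket one entry: ios, apple_multi, android, android_ecosystem or other."""
    vendor = entry["vendorProject"]
    text = f"{entry['product']} {entry.get('vulnerabilityName', '')}"
    if vendor == "Apple":
        if IOS_RE.search(text):
            return "ios"
        if entry["product"] == "Multiple Products":
            return "apple_multi"  # may or may not include iOS; ambiguous
        return "other"
    if vendor == "Google" and ANDROID_RE.search(text):
        return "android"
    if vendor in ANDROID_ECOSYSTEM_VENDORS:
        return "android_ecosystem"
    return "other"


def count_by_bucket(entries: list[dict]) -> Counter:
    return Counter(classify(e) for e in entries)


def count_by_year(entries: list[dict]) -> dict[str, Counter]:
    """Bucket counts keyed by the year CISA added the entry (not the exploit date)."""
    by_year: dict[str, Counter] = defaultdict(Counter)
    for e in entries:
        by_year[e["dateAdded"][:4]][classify(e)] += 1
    return dict(by_year)


def platform_totals(entries: list[dict], inclusive: bool) -> dict[str, int]:
    """Strict: only entries labelled iOS/Android. Inclusive: also fold in the
    ambiguous Apple bucket and the Android-ecosystem chipset/GPU bucket."""
    c = count_by_bucket(entries)
    if inclusive:
        return {"ios": c["ios"] + c["apple_multi"],
                "android": c["android"] + c["android_ecosystem"]}
    return {"ios": c["ios"], "android": c["android"]}


if __name__ == "__main__":
    kev = load_kev(SAMPLE_KEV_JSON)
    print("strict:   ", platform_totals(kev, inclusive=False))
    print("inclusive:", platform_totals(kev, inclusive=True))
    print("by year:  ", count_by_year(kev))
```

To run it against the live catalog, replace SAMPLE_KEV_JSON with the downloaded feed text. Two caveats matter for the comparison argued in the thread: the totals swing depending on whether Apple "Multiple Products" entries and chipset/GPU entries exploited on Android are folded in (the strict and inclusive views of the same sample differ by a factor of two), and dateAdded records when CISA listed the entry, not when exploitation began, so year-over-year counts track catalog activity as much as attacker activity.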
  • From Chris@ithinkiam@gmail.com to misc.phone.mobile.iphone,comp.sys.mac.advocacy on Mon Dec 22 19:10:20 2025
    From Newsgroup: comp.sys.mac.advocacy

    Marian <marianjones@helpfulpeople.com> wrote:


    Chris, I think it's clear that

    WTF is it with you spamming this ng with new threads?! Your posting
    diarrhoea is getting worse. Time to see a doctor.

    I'll only respond to you if you maintain the most basic ng etiquette.

    --- Synchronet 3.21a-Linux NewsLink 1.2
  • From Marian@marianjones@helpfulpeople.com to misc.phone.mobile.iphone,comp.sys.mac.advocacy on Mon Dec 22 12:41:05 2025
    From Newsgroup: comp.sys.mac.advocacy

    Chris wrote:
    Marian <marianjones@helpfulpeople.com> wrote:


    Chris, I think it's clear that

    WTF is it with you spamming this ng with new threads?! Your posting
    diarrhoea is getting worse. Time to see a doctor.

    I'll only respond to you if you maintain the most basic ng etiquette.

    Chris, the topic is very simple:

    Q: What does the CISA KEV actually show about exploited iOS
    and Android vulnerabilities?
    A: That is the question you are apparently now refusing to answer.

    You made the claim, quoted here verbatim:

    "As we've discussed before the KEV cannot be used to make any extrapolation
    or implication. It is an extremely narrow view of the landscape ignoring 96 percent of known vulnerabilities."

    You are free to hold that view, but if you want to be taken seriously, you
    need to defend it with something more than repetition. KEV is the only US government maintained list of vulnerabilities confirmed to be exploited in
    the wild. It is the standard reference for real-world exploitation.
    Dismissing it without explanation is not a technical argument.

    Calling any attempt to discuss the data "spamming" does not change the
    facts. It only avoids them.

    If you want a civil, adult conversation, then engage with the substance of
    your own claim. If you do not want to defend it, that is your choice, but
    it does not make the claim any more credible.
    --- Synchronet 3.21a-Linux NewsLink 1.2