• What do folks make of this zero-day exploit graph from the CISA data?

    From Marion@marionf@fact.com to misc.phone.mobile.iphone,comp.sys.mac.advocacy,comp.mobile.android on Fri Sep 26 16:36:26 2025
    From Newsgroup: misc.phone.mobile.iphone

    What do folks make of this graph from the CISA data?
    <https://blog.ostorlab.co/static/img/2024_01_10_Known_exploitable_vulnerabilities/distribution_of_RE_NRE_CVES.png>

    REFERENCE:
    *Ostorlab Known Exploitable Vulnerabilities: Catching them all*
    <https://blog.ostorlab.co/known_exploitable_vulnerabilities_catching_them_all.html>

    See also:
    *Cybersecurity Insiders Vulnerability Comparison: Android vs iOS*
    <https://www.cybersecurity-insiders.com/vulnerability-comparison-android-vs-ios-in-the-face-of-cyber-attacks/>
    --- Synchronet 3.21a-Linux NewsLink 1.2
  • From Tyrone@none@none.none to comp.mobile.android,comp.sys.mac.advocacy,misc.phone.mobile.iphone on Fri Sep 26 22:23:59 2025
    From Newsgroup: misc.phone.mobile.iphone

    On Sep 26, 2025 at 12:36:26 PM EDT, "Marion" <marionf@fact.com> wrote:

    What do folks make of this graph from the CISA data?

    <https://blog.ostorlab.co/static/img/2024_01_10_Known_exploitable_vulnerabilities/distribution_of_RE_NRE_CVES.png>

    REFERENCE:
    *Ostorlab Known Exploitable Vulnerabilities: Catching them all*

    <https://blog.ostorlab.co/known_exploitable_vulnerabilities_catching_them_all.html>

    See also:
    *Cybersecurity Insiders Vulnerability Comparison: Android vs iOS*

    <https://www.cybersecurity-insiders.com/vulnerability-comparison-android-vs-ios-in-the-face-of-cyber-attacks/>

    I am surprised that you posted this.

    It shows what we already know. Microsoft is a security nightmare.

    Apple - with arguably as many (or more) hardware and software products than Microsoft - is remarkably secure.

    And - as has been pointed out to you before - if you have a Samsung phone, you have to add up the Google, Android and Samsung numbers. Which puts it equal to overall Apple.

    Yes, the "Android" bar looks very small in comparison. But note that "Apple"
    is a combination of ALL Apple products. There is no breakout of iOS. Or anything else.

    Not to mention this quote:

    "Android Security Landscape: Android, known for its open-source nature, boasts a vast app ecosystem and customization options. However, this openness also presents certain challenges in terms of security. Due to the diverse array of manufacturers and devices running on Android, the operating system faces fragmentation, which can delay the distribution of security updates. This fragmentation, combined with the ability for users to install apps from
    sources other than the official Google Play Store, can create a larger attack surface. As a result, *Android devices tend to be more susceptible to malware and phishing attacks*.

    iOS Security Landscape: On the other hand, iOS, developed by Apple, follows a more closed ecosystem. This closed nature contributes to a more controlled environment, where Apple meticulously reviews apps before allowing them onto the App Store. This process significantly reduces the risk of malicious apps reaching users' devices. Additionally, iOS benefits from a unified hardware and software platform, resulting in more timely updates and a reduced fragmentation problem. The use of a tightly controlled app distribution model and strong encryption measures *enhances the overall security posture of
    iOS*."

    End of quotes, which you obviously missed.

    So if your point was to ONCE AGAIN claim "Look at this! Android is more secure than iOS!", you have failed. Again. Because that claim is not based in reality.

    Just like ALL of your claims, your links do not support your claim.
    --- Synchronet 3.21a-Linux NewsLink 1.2
  • From badgolferman@REMOVETHISbadgolferman@gmail.com to misc.phone.mobile.iphone,comp.mobile.android,comp.sys.mac.advocacy on Sat Sep 27 01:06:13 2025
    From Newsgroup: misc.phone.mobile.iphone

    Tyrone <none@none.none> wrote:

    Apple - with arguably as many (or more) hardware and software products than Microsoft

    https://gs.statcounter.com/os-market-share

    --- Synchronet 3.21a-Linux NewsLink 1.2
  • From Marion@marionf@fact.com to misc.phone.mobile.iphone,comp.mobile.android,comp.sys.mac.advocacy on Sat Sep 27 03:50:44 2025
    From Newsgroup: misc.phone.mobile.iphone

    badgolferman wrote:
    Tyrone <none@none.none> wrote:

    Apple - with arguably as many (or more) hardware and software products than Microsoft

    https://gs.statcounter.com/os-market-share

    iOS consistently has more in-the-wild zero-days than Android flagships.
    <https://bing.com/th/id/BCEI.558ae610-b94b-4d20-a760-0224f71df53e.png>

    In some years, the difference is 3-4 times more than Pixels + Galaxies.
    2020 zero-days: iOS = 5 Pixel/Galaxy = 2
    2021 zero-days: iOS = 12 Pixel/Galaxy = 3
    2022 zero-days: iOS = 9 Pixel/Galaxy = 2
    2023 zero-days: iOS = 13 Pixel/Galaxy = 3
    2024 zero-days: iOS = 10 Pixel/Galaxy = 2
    2025 zero-days: iOS = 7 Pixel/Galaxy = 2

    Pixel devices get patched immediately (as Google controls the hw + sw).


    Galaxy devices lag slightly (a few weeks to a month) because Samsung
    has to integrate Google's fixes into One UI, but Samsung is still far
    ahead of most Android OEMs.

    iOS Rapid Security Response (since iOS 16) has improved patch speed,
    but it hasn't reduced the number of zero-days being exploited.
    <https://bing.com/th/id/BCEI.cac39e40-757c-47be-9936-6cdfdd6fdc81.png>

    2020: iOS=5 Pix/Gal=2 Cum iOS=5 Cum Pix/Gal=2
    2021: iOS=12 Pix/Gal=3 Cum iOS=17 Cum Pix/Gal=5
    2022: iOS=9 Pix/Gal=2 Cum iOS=26 Cum Pix/Gal=7
    2023: iOS=13 Pix/Gal=3 Cum iOS=39 Cum Pix/Gal=10
    2024: iOS=10 Pix/Gal=2 Cum iOS=49 Cum Pix/Gal=12
    2025: iOS=7 Pix/Gal=2 Cum iOS=56 Cum Pix/Gal=14

    But all of these are undercounts as zero-days are classified differently.
    For example, webkit zero-days are omitted in the above, as are chrome.

    But it gives us a rough idea where if the Apple trolls want to claim that
    iOS is "more secure" than Android flagships like Pixels & Galaxies, let's
    see their data.
    --- Synchronet 3.21a-Linux NewsLink 1.2
  • From Chris@ithinkiam@gmail.com to misc.phone.mobile.iphone,comp.mobile.android,comp.sys.mac.advocacy on Sat Sep 27 08:22:46 2025
    From Newsgroup: misc.phone.mobile.iphone

    Marion <marionf@fact.com> wrote:
    badgolferman wrote:
    Tyrone <none@none.none> wrote:

    Apple - with arguably as many (or more) hardware and software products than Microsoft

    https://gs.statcounter.com/os-market-share

    iOS consistently has more in-the-wild zero-days than Android flagships.
    <https://bing.com/th/id/BCEI.558ae610-b94b-4d20-a760-0224f71df53e.png>

    In some years, the difference is 3-4 times more than Pixels + Galaxies.
    2020 zero-days: iOS = 5 Pixel/Galaxy = 2
    2021 zero-days: iOS = 12 Pixel/Galaxy = 3
    2022 zero-days: iOS = 9 Pixel/Galaxy = 2
    2023 zero-days: iOS = 13 Pixel/Galaxy = 3
    2024 zero-days: iOS = 10 Pixel/Galaxy = 2
    2025 zero-days: iOS = 7 Pixel/Galaxy = 2

    Pixel devices get patched immediately (as Google controls the hw + sw).


    Galaxy devices lag slightly (a few weeks to a month) because Samsung
    has to integrate Google's fixes into One UI, but Samsung is still far
    ahead of most Android OEMs.

    iOS Rapid Security Response (since iOS 16) has improved patch speed,
    but it hasn't reduced the number of zero-days being exploited.
    <https://bing.com/th/id/BCEI.cac39e40-757c-47be-9936-6cdfdd6fdc81.png>

    2020: iOS=5 Pix/Gal=2 Cum iOS=5 Cum Pix/Gal=2
    2021: iOS=12 Pix/Gal=3 Cum iOS=17 Cum Pix/Gal=5
    2022: iOS=9 Pix/Gal=2 Cum iOS=26 Cum Pix/Gal=7
    2023: iOS=13 Pix/Gal=3 Cum iOS=39 Cum Pix/Gal=10
    2024: iOS=10 Pix/Gal=2 Cum iOS=49 Cum Pix/Gal=12
    2025: iOS=7 Pix/Gal=2 Cum iOS=56 Cum Pix/Gal=14

    But all of these are undercounts as zero-days are classified differently.
    For example, webkit zero-days are omitted in the above, as are chrome.

    But it gives us a rough idea where if the Apple trolls want to claim that
    iOS is "more secure" than Android flagships like Pixels & Galaxies, let's
    see their data.

    What's the verifiable source of this data? Is it Bing + CoPilot?

    --- Synchronet 3.21a-Linux NewsLink 1.2
  • From Marion@marionf@fact.com to misc.phone.mobile.iphone,comp.mobile.android,comp.sys.mac.advocacy on Sat Sep 27 16:54:54 2025
    From Newsgroup: misc.phone.mobile.iphone

    Chris wrote:
    https://gs.statcounter.com/os-market-share

    iOS consistently has more in-the-wild zero-days than Android flagships.

    What's the verifiable source of this data?

    FACTS.

    1. Everyone but the Apple trolls has been providing the cites.
    2. The only thing the Apple trolls do is not click on those cites.
    3. Well, the Apple trolls do something else - they deny everything.

    Apple trolls have been doing that for decades, and they're doing it now.
    If the Apple trolls want to refute the cites, then let's see their cites.

    HINT: Apple trolls almost never can find a cite for their belief system.

    Now, to answer Chris' question for badgolferman's factual cite:
    a. The source of badgolferman's data was Statcounter's web analytics data
    <https://gs.statcounter.com/os-market-share>
    b. Statcounter's operating system market share data is based on over
    5 billion monthly page views collected from websites that use
    their analytics service, so it's skewed toward web view activity.
    c. It's broad and timely because it captures billions of real-world
    visits, but it's biased toward websites using their analytics

    Now, to answer Chris' question for Marion's factual cite:
    a. The source of the graphs was the government's own respected CISA data.
    <https://www.cisa.gov/known-exploited-vulnerabilities-catalog>
    b. CISA's vulnerability catalog is compiled from confirmed exploitation
    reports across federal and private networks, so it reflects real-world
    threat activity but may lag behind emerging or unreported exploits.
    c. It's authoritative and grounded in verified incidents, but it's reactive
    by nature & may miss zero-day threats or underreported vulnerabilities.

    For decades, the Apple trolls have refuted all data that doesn't support
    their opinion of Apple (which was formed by brilliant Apple marketing).

    Adults base their assessments/opinions on actual provable respected facts. Apple religious zealot nutcases don't (and never have, for decades).

    Case in point:
    1. My opinion is Windows has the most 0-days & iOS has more than
    its flagship competitors combined, namely Pixels & Galaxies.
    2. One set of facts backing up that opinion is the respected CISA data.
    <https://www.cisa.gov/known-exploited-vulnerabilities-catalog>

    All I ask Chris to do is supply two things which I have supplied to him:
    1. What is his opinion on the number of zero days for the various OS's?
    2. What are the facts that back up his opinion (particularly for iOS)?

    HINT: Watch how Apple religious zealot nutcases respond to a simple
    question of where they get their data from. Just watch.

    I'll simplify the question for Chris:
    Q: Chris: What do you think the cumulative number of zero days
    affecting iPhones are compared to Galaxy/Pixel flagships?
    A: ?
    --- Synchronet 3.21a-Linux NewsLink 1.2
  • From Alan@nuh-uh@nope.com to misc.phone.mobile.iphone,comp.mobile.android,comp.sys.mac.advocacy on Sat Sep 27 11:16:19 2025
    From Newsgroup: misc.phone.mobile.iphone

    On 2025-09-26 18:06, badgolferman wrote:
    Tyrone <none@none.none> wrote:

    Apple - with arguably as many (or more) hardware and software products than Microsoft

    https://gs.statcounter.com/os-market-share

    You have a lot of trouble with reading comprehension, don't you?
    --- Synchronet 3.21a-Linux NewsLink 1.2
  • From Chris@ithinkiam@gmail.com to misc.phone.mobile.iphone,comp.mobile.android,comp.sys.mac.advocacy on Sat Sep 27 22:23:15 2025
    From Newsgroup: misc.phone.mobile.iphone

    Marion <marionf@fact.com> wrote:
    Chris wrote:
    https://gs.statcounter.com/os-market-share

    iOS consistently has more in-the-wild zero-days than Android flagships.

    What's the verifiable source of this data?

    FACTS.


    You have no source. Was it made up?
    --- Synchronet 3.21a-Linux NewsLink 1.2
  • From Tyrone@none@none.none to comp.mobile.android,comp.sys.mac.advocacy,misc.phone.mobile.iphone on Sun Sep 28 00:19:48 2025
    From Newsgroup: misc.phone.mobile.iphone

    On Sep 26, 2025 at 9:06:13 PM EDT, "badgolferman" <REMOVETHISbadgolferman@gmail.com> wrote:

    Tyrone <none@none.none> wrote:

    Apple - with arguably as many (or more) hardware and software products than Microsoft

    https://gs.statcounter.com/os-market-share

    What does that have to do with anything?
    --- Synchronet 3.21a-Linux NewsLink 1.2
  • From Marion@marionf@fact.com to comp.mobile.android,comp.sys.mac.advocacy,misc.phone.mobile.iphone on Sun Sep 28 03:45:38 2025
    From Newsgroup: misc.phone.mobile.iphone

    Tyrone wrote:
    Apple - with arguably as many (or more) hardware and software products than Microsoft

    https://gs.statcounter.com/os-market-share

    What does that have to do with anything?

    Different business models.
    <https://businessmodelanalyst.com/apple-vs-microsoft/>

    Microsoft's business model is software-centric, with deep roots in
    operating systems, productivity tools, cloud services, developer platforms,
    and enterprise solutions.

    Key software families include:
    a. Windows OS (multiple versions)
    b. Microsoft Office Suite (Word, Excel, PowerPoint, Outlook, etc.)
    c. Azure (cloud computing)
    d. Visual Studio, GitHub, Teams, OneDrive, Edge, Xbox software

    Apple, by contrast, focuses more on hardware and integrated software:

    Core software includes:
    a. macOS, iOS, iPadOS, watchOS, tvOS
    b. Apps like Safari, iMovie, GarageBand, Final Cut Pro, Logic Pro, Pages, Numbers, Keynote
    c. Services like iCloud, Apple Music, Apple TV+, Apple Arcade

    <https://www.investopedia.com/articles/markets/111015/apple-vs-microsoft-vs-google-how-their-business-models-compare.asp>

    By all accounts, Microsoft dominates the desktop OS market (~71%) and has a vast ecosystem of software tools for consumers and businesses.

    Apple focused on niche hardware-software integration, so its software
    catalog is far narrower and more focused on enhancing its devices.

    Given Apple's market is far less than Microsoft & Android, it would be
    shocking to an untrained eye that Apple has more zero-days than anyone
    except Microsoft.

    However, if you understood Apple, you'd know it's a "paper tiger" in that Apple, like Russian diplomats, makes sweeping claims, almost all of which
    are lies.

    The result is that Apple has the worst full hotfix support in the industry. Its astoundingly huge number of zero-days simply is one metric of that.
    <https://www.cisa.gov/known-exploited-vulnerabilities-catalog>
    --- Synchronet 3.21a-Linux NewsLink 1.2
  • From Marion@marionf@fact.com to misc.phone.mobile.iphone,comp.mobile.android,comp.sys.mac.advocacy on Sun Sep 28 03:48:58 2025
    From Newsgroup: misc.phone.mobile.iphone

    Chris wrote:
    You have no source. Was it made up?

    a. The source of the graphs was the government's own respected CISA data.
    <https://www.cisa.gov/known-exploited-vulnerabilities-catalog>
    b. CISA's vulnerability catalog is compiled from confirmed exploitation
    reports across federal and private networks, so it reflects real-world
    threat activity but may lag behind emerging or unreported exploits.
    c. It's authoritative and grounded in verified incidents, but it's reactive
    by nature & may miss zero-day threats or underreported vulnerabilities.
    --- Synchronet 3.21a-Linux NewsLink 1.2
  • From Tom Elam@thomas.e.elam@gmail.com to misc.phone.mobile.iphone,comp.mobile.android,comp.sys.mac.advocacy on Sun Sep 28 09:01:32 2025
    From Newsgroup: misc.phone.mobile.iphone

    On 9/27/2025 12:54 PM, Marion wrote:
    Chris wrote:
    https://gs.statcounter.com/os-market-share

    iOS consistently has more in-the-wild zero-days than Android flagships.

    What's the verifiable source of this data?

    FACTS.

    1. Everyone but the Apple trolls has been providing the cites.
    2. The only thing the Apple trolls do is not click on those cites.
    3. Well, the Apple trolls do something else - they deny everything.

    Apple trolls have been doing that for decades, and they're doing it now.
    If the Apple trolls want to refute the cites, then let's see their cites.

    HINT: Apple trolls almost never can find a cite for their belief system.

    Now, to answer Chris' question for badgolferman's factual cite:
    a. The source of badgolferman's data was Statcounter's web analytics data
    <https://gs.statcounter.com/os-market-share>
    b. Statcounter's operating system market share data is based on over
    5 billion monthly page views collected from websites that use
    their analytics service, so it's skewed toward web view activity.
    c. It's broad and timely because it captures billions of real-world
    visits, but it's biased toward websites using their analytics

    Now, to answer Chris' question for Marion's factual cite:
    a. The source of the graphs was the government's own respected CISA data.
    <https://www.cisa.gov/known-exploited-vulnerabilities-catalog>
    b. CISA's vulnerability catalog is compiled from confirmed exploitation
    reports across federal and private networks, so it reflects real-world
    threat activity but may lag behind emerging or unreported exploits.
    c. It's authoritative and grounded in verified incidents, but it's reactive
    by nature & may miss zero-day threats or underreported vulnerabilities.

    For decades, the Apple trolls have refuted all data that doesn't support their opinion of Apple (which was formed by brilliant Apple marketing).

    Adults base their assessments/opinions on actual provable respected facts. Apple religious zealot nutcases don't (and never have, for decades).

    Case in point:
    1. My opinion is Windows has the most 0-days & iOS has more than
    its flagship competitors combined, namely Pixels & Galaxies.
    2. One set of facts backing up that opinion is the respected CISA data.
    <https://www.cisa.gov/known-exploited-vulnerabilities-catalog>

    All I ask Chris to do is supply two things which I have supplied to him:
    1. What is his opinion on the number of zero days for the various OS's?
    2. What are the facts that back up his opinion (particularly for iOS)?

    HINT: Watch how Apple religious zealot nutcases respond to a simple
    question of where they get their data from. Just watch.

    I'll simplify the question for Chris:
    Q: Chris: What do you think the cumulative number of zero days
    affecting iPhones are compared to Galaxy/Pixel flagships?
    A: ?

    Apple trolls have repeatedly countered you with verified data you refuse
    to acknowledge.
    --- Synchronet 3.21a-Linux NewsLink 1.2
  • From Chris@ithinkiam@gmail.com to misc.phone.mobile.iphone,comp.mobile.android,comp.sys.mac.advocacy on Sun Sep 28 14:57:18 2025
    From Newsgroup: misc.phone.mobile.iphone

    Marion <marionf@fact.com> wrote:
    Chris wrote:
    You have no source. Was it made up?

    Firstly, I should acknowledge that you're trying to respond to my challenge
    to you to make proper comparative claims rather than focus purely on iOS deficiencies. As we all know, all software has bugs, vulnerabilities and deficiencies.

    So well done.

    Sadly, I can't reproduce your numbers, however.

    a. The source of the graphs was the government's own respected CISA data.
    <https://www.cisa.gov/known-exploited-vulnerabilities-catalog>
    b. CISA's vulnerability catalog is compiled from confirmed exploitation
    reports across federal and private networks, so it reflects real-world
    threat activity but may lag behind emerging or unreported exploits.
    c. It's authoritative and grounded in verified incidents, but it's reactive
    by nature & may miss zero-day threats or underreported vulnerabilities.

    Some of that may be true, however, you don't reflect the true scale of the
    gaps in the CISA KEV. For example, KEV misses 94% of exploitable vulnerabilities found in the CVE list. https://medium.com/@yotamperkal/cisa-kev-a-balanced-perspective-ff3856e69ba9



    --- Synchronet 3.21a-Linux NewsLink 1.2
  • From sms@scharf.steven@geemail.com to misc.phone.mobile.iphone,comp.mobile.android,comp.sys.mac.advocacy on Sun Sep 28 10:20:57 2025
    From Newsgroup: misc.phone.mobile.iphone

    On 9/28/2025 6:01 AM, Tom Elam wrote:

    <snip>

    First let me state that I have two iPhones, an Apple Watch, and an iPad Pro.

    I looked at the spreadsheet from CISA, removed all the lines other than Android, Apple (iOS, iPadOS, and WatchOS), and Samsung.

    It may not be perfect because so many of the Apple entries just said
    "Multiple Products" but I removed those lines even though they might
    have included some of the mobile products.

    Shared at https://docs.google.com/spreadsheets/d/1h24C9L9TronxU2X0UVcpncM606NPDaIeRlM4FfA_bg4/

    Totals
    ------
    11 Android
    13 Samsung
    33 iOS, iPadOS, WatchOS

    In any case, the exploits are closed after being discovered and it's not
    like there is an order of magnitude difference.

    And of course these are only the zero-day-exploits, they don't represent
    any other security concerns.

    It's very difficult to install non-app store apps on an iOS device, but
    it's fairly easy on Android. Some of those non-Google Android apps are
    very useful, but also potentially dangerous if you're not careful, like
    SMS forwarding which isn't possible on a non-jail broken iPhone.

    --

    "If you are not an expert on a subject, then your opinions about it
    really do matter less than the opinions of experts. It's not
    indoctrination nor elitism. It's just that you don't know as much as
    they do about the subject." - Tin Foil Awards
    --- Synchronet 3.21a-Linux NewsLink 1.2
  • From Marion@marionf@fact.com to misc.phone.mobile.iphone,comp.mobile.android,comp.sys.mac.advocacy on Sun Sep 28 17:21:15 2025
    From Newsgroup: misc.phone.mobile.iphone

    Tom Elam wrote:
    Q: Chris: What do you think the cumulative number of zero days
    affecting iPhones are compared to Galaxy/Pixel flagships?
    A: ?

    Apple trolls have repeatedly countered you with verified data you refuse
    to acknowledge.

    Heh heh heh... Apple trolls are like Russian diplomats.

    You Apple "say" you provided "verified data" but it turns out always to be
    a lie because all you do is say all verified facts about Apple are wrong.

    For decades, you Apple nutcase religious zealots have denied all facts.
    And yet, you never provide a single cite that backs up any of your claims.

    Like Russian diplomats, you "claim" you provided cites.
    But nobody can find them.

    Not even you.

    Q: Where are the cites, Tom Elam, that back up your claims?
    A: ???

    Hint: They don't exist.
    --
    Apple nutcase religious zealot beliefs cannot be supported on facts.
    --- Synchronet 3.21a-Linux NewsLink 1.2
  • From sms@scharf.steven@geemail.com to misc.phone.mobile.iphone,comp.mobile.android,comp.sys.mac.advocacy on Sun Sep 28 10:24:28 2025
    From Newsgroup: misc.phone.mobile.iphone

    On 9/28/2025 10:20 AM, sms wrote:
    On 9/28/2025 6:01 AM, Tom Elam wrote:

    <snip>

    First let me state that I have two iPhones, an Apple Watch, and an iPad
    Pro.

    I looked at the spreadsheet from CISA, removed all the lines other than Android, Apple (iOS, iPadOS, and WatchOS), and Samsung.

    It may not be perfect because so many of the Apple entries just said "Multiple Products" but I removed those lines even though they might
    have included some of the mobile products.

    Shared at https://docs.google.com/spreadsheets/d/1h24C9L9TronxU2X0UVcpncM606NPDaIeRlM4FfA_bg4/

    Totals
    ------
    11 Android
    13 Samsung
    33 iOS, iPadOS, WatchOS
    Oops, it's 12 Android, 13 Samsung, 32 iOS, iPadOS, WatchOS.
    --- Synchronet 3.21a-Linux NewsLink 1.2
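Added example (editor-supplied, not code from any poster in this thread): the product-level filter described in the post above and the `vendorProject` count used by the batch script later in the thread, run over the same rows to show why the two tallies differ. The column names `cveID`, `vendorProject` and `product` follow the published KEV CSV; the sample rows and CVE IDs are constructed placeholders, and the bucket names are assumptions.

```python
"""Tally KEV rows per mobile platform under two counting rules."""
import csv
import io
import re
from collections import Counter

# Constructed sample in the KEV CSV layout. CVE IDs are placeholders,
# not real catalog entries. The last row is a deliberate duplicate.
SAMPLE_CSV = """cveID,vendorProject,product,dateAdded
CVE-0000-0001,Apple,iOS and iPadOS,2023-01-10
CVE-0000-0002,Apple,Multiple Products,2023-02-14
CVE-0000-0003,Apple,"iOS, iPadOS, and macOS",2023-04-07
CVE-0000-0004,Apple,macOS,2023-05-01
CVE-0000-0005,Android,Kernel,2023-03-02
CVE-0000-0006,Google,Pixel,2023-06-13
CVE-0000-0007,Google,Chromium V8,2023-06-20
CVE-0000-0008,Samsung,Mobile Devices,2023-07-01
CVE-0000-0009,Apple,Multiple Products,2024-01-23
CVE-0000-0010,Samsung,Mobile Devices,2024-02-02
CVE-0000-0001,Apple,iOS and iPadOS,2023-01-10
"""

APPLE_MOBILE = {"ios", "ipados", "watchos"}   # product tokens kept for Apple
AMBIGUOUS_PRODUCT = "multiple products"       # rows that do not name an OS


def load_rows(fileobj):
    """Read KEV CSV rows, trim whitespace, keep one row per cveID."""
    seen, rows = set(), []
    for raw in csv.DictReader(fileobj):
        row = {k: (v or "").strip() for k, v in raw.items() if k}
        cve = row.get("cveID", "")
        if cve and cve not in seen:
            seen.add(cve)
            rows.append(row)
    return rows


def load_sample():
    """Rows from the constructed sample above."""
    return load_rows(io.StringIO(SAMPLE_CSV))


def classify(row):
    """Map a row to a platform bucket, or None if it is out of scope."""
    vendor = row["vendorProject"].lower()
    product = row["product"].lower()
    if vendor == "android":
        return "Android"
    if vendor == "samsung":
        return "Samsung"
    if vendor == "apple":
        if product == AMBIGUOUS_PRODUCT:
            return "Apple (ambiguous)"
        # Token match, so "macOS" alone never counts as "iOS".
        if APPLE_MOBILE & set(re.findall(r"[a-z]+", product)):
            return "Apple mobile"
    return None


def platform_tally(rows, ambiguous="drop"):
    """Product-level count. ambiguous='drop' gives a lower bound for Apple
    mobile; ambiguous='keep' folds 'Multiple Products' in as an upper bound."""
    counts = Counter()
    for row in rows:
        bucket = classify(row)
        if bucket == "Apple (ambiguous)":
            if ambiguous == "drop":
                continue
            bucket = "Apple mobile"
        if bucket:
            counts[bucket] += 1
    return counts


def vendor_tally(rows, vendors):
    """Vendor-level count: every row whose vendorProject matches, whatever
    the product (desktop, browser and mobile rows all land together)."""
    wanted = {v.lower(): v for v in vendors}
    counts = Counter({v: 0 for v in vendors})
    for row in rows:
        name = wanted.get(row["vendorProject"].lower())
        if name:
            counts[name] += 1
    return counts


if __name__ == "__main__":
    rows = load_sample()
    print("unique CVEs:", len(rows))
    print("product-level, ambiguous dropped:", dict(platform_tally(rows)))
    print("product-level, ambiguous kept:   ", dict(platform_tally(rows, "keep")))
    print("vendor-level:", dict(vendor_tally(rows, ["Apple", "Android", "Samsung", "Google"])))
```

To run it on the real catalog, pass an open file handle for the downloaded CSV to `load_rows` instead of calling `load_sample`.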
  • From Tyrone@none@none.none to comp.mobile.android,comp.sys.mac.advocacy,misc.phone.mobile.iphone on Sun Sep 28 18:42:42 2025
    From Newsgroup: misc.phone.mobile.iphone

    On Sep 26, 2025 at 11:50:44 PM EDT, "Marion" <marionf@fact.com> wrote:

    badgolferman wrote:
    Tyrone <none@none.none> wrote:

    Apple - with arguably as many (or more) hardware and software products than Microsoft

    https://gs.statcounter.com/os-market-share

    iOS consistently has more in-the-wild zero-days than Android flagships.
    <https://bing.com/th/id/BCEI.558ae610-b94b-4d20-a760-0224f71df53e.png>

    You Apple trolls, even the links YOU PROVIDE say that iOS is more secure:

    "Android Security Landscape: Android, known for its open-source nature, boasts a vast app ecosystem and customization options. However, this openness also presents certain challenges in terms of security. Due to the diverse array of manufacturers and devices running on Android, the operating system faces fragmentation, which can delay the distribution of security updates. This fragmentation, combined with the ability for users to install apps from
    sources other than the official Google Play Store, can create a larger attack surface. As a result, *Android devices tend to be more susceptible to malware and phishing attacks*.

    iOS Security Landscape: On the other hand, iOS, developed by Apple, follows a more closed ecosystem. This closed nature contributes to a more controlled environment, where Apple meticulously reviews apps before allowing them onto the App Store. This process significantly reduces the risk of malicious apps reaching users' devices. Additionally, iOS benefits from a unified hardware and software platform, resulting in more timely updates and a reduced fragmentation problem. The use of a tightly controlled app distribution model and strong encryption measures *enhances the overall security posture of
    iOS*."
    --- Synchronet 3.21a-Linux NewsLink 1.2
  • From Marion@marionf@fact.com to misc.phone.mobile.iphone,comp.mobile.android,comp.sys.mac.advocacy on Mon Sep 29 12:16:37 2025
    From Newsgroup: misc.phone.mobile.iphone

    Chris wrote:
    Firstly, I should acknowledge that you're trying to respond to my challenge to you to make proper comparative claims rather than focus purely on iOS deficiencies. As we all know, all software has bugs, vulnerabilities and deficiencies.

    So well done.

    I think it's great that we're working together, as a team, to come to an answer where I don't care what the answer is, as long as it's a good one.

    I don't care if Apple is higher. Or lower. I just want the right answer.
    All I care about are making good assessments of valid verifiable facts.

    So are you, it appears.

    As such, I commend you & Steve as it appears we are at least making an
    attempt to parse the complex CISA database to gain knowledge from it.

    Up until today I parsed CISA KEV JSON data using this type of script:
    @echo off
    rem Count CISA KEV entries per vendorProject in the JSON catalog.
    setlocal EnableDelayedExpansion

    if "%~1"=="" (
        echo Usage: %~nx0 path\to\catalog.json
        exit /b 1
    )

    set "INPUT=%~1"

    rem The PowerShell command stays on one line inside double quotes so that
    rem cmd passes the pipes through to PowerShell unmodified.
    for %%V in (Apple Android Samsung Microsoft Qualcomm Google) do (
        for /f "usebackq" %%C in (`powershell -NoLogo -NoProfile -Command "Get-Content '%INPUT%' | ConvertFrom-Json | Select-Object -ExpandProperty vulnerabilities | Where-Object { $_.vendorProject -eq '%%V' } | Measure-Object | Select-Object -ExpandProperty Count"`) do (
            echo %%V vulnerabilities: %%C
        )
    )

    endlocal

    But today, I decided to start again from scratch and parse the CSV.

    Sadly, I can't reproduce your numbers, however.

    My numbers came from that JSON parser I listed for you above; but today
    I decided to change the parser to parse the CISA KEV CSV file instead.

    Bearing in mind I don't care what the answer is in that I just want the answer, I will agree with you that it's hard to get the same counts twice
    out of the CISA data because counts depend on how you gather them.

    I think I have a solution for that problem, which I worked on for a few
    hours tonight, after I saw Steve's numbers and your honest reply above.

    Let's all run the SAME batch script that gathers the data.
    Then we can each TWEAK that batch script so it gathers what we want?

    As always, I will volunteer the batch script that I wrote to do that.

    Then you & Steve can run it first, and see if you reproduce my numbers.
    Maybe badgolferman can run it also, as we're the main credible posters.

    a. The source of the graphs was the government's own respected CISA data.
    <https://www.cisa.gov/known-exploited-vulnerabilities-catalog>
    b. CISA's vulnerability catalog is compiled from confirmed exploitation
    reports across federal and private networks, so it reflects real-world
    threat activity but may lag behind emerging or unreported exploits.
    c. It's authoritative and grounded in verified incidents, but it's reactive
    by nature & may miss zero-day threats or underreported vulnerabilities.

    Some of that may be true, however, you don't reflect the true scale of the gaps in the CISA KEV. For example, KEV misses 94% of exploitable vulnerabilities found in the CVE list. https://medium.com/@yotamperkal/cisa-kev-a-balanced-perspective-ff3856e69ba9

    Sadly, only 6% of vulnerabilities with known exploits in the CVE list are included in the KEV catalog (meaning 94% are missing); but that's part of
    why it's such a well-vetted database - as only known exploits are included.

    Yotam Perkal wrote that well-researched article titled "CISA KEV: A
    Balanced Perspective" by Yotam Perkal where he argues that while the CISA
    KEV catalog is valuable, it covers only a small fraction of known
    exploitable vulnerabilities.

    Yotam based that percentage on comparing the KEV database against other exploit intelligence sources like ExploitDB, Metasploit and vendor
    advisories. Perkal emphasizes that the narrower scope is because KEV is curated for confirmed active exploitation, not just theoretical or proof-of-concept exploits.

    I've never said otherwise, in that these are known exploits in the wild.

    So yes, the 94% figure is accurate within the context of his analysis, but
    it reflects a deliberate tradeoff where KEV prioritizes real-world exploitation over completeness. That makes it useful for prioritization,
    but not exhaustive for vulnerability management.

    In addition, the CISA KEV database is only for already-patched exploits
    which have a CVE number assigned to them, so that further limits scope.

    Can we work together? You, me, Steve and badgolferman at least?
    Would you run this batch script on Windows, macOS or Linux please?

    @echo off
    :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
    :: This is kev.bat v1.0
    :: Usage: C:\> kev.bat
    :: Extensible Windows batch/powershell script to parse csv/json CISA KEV db
    :: kev.ps1 must reside in same folder as kev.bat
    :: kev.bat calls kev.ps1 using powershell with execution policy bypass
    :: Output pauses so user can read results before window closes
    :: The goal is to determine if Apple is telling the truth when Apple "says"
    :: they locked iOS users into a walled prison garden "for their own safety".
    :: As one step of that goal, the question to answer is simply thus:
    :: Q: What are cumulative exploits between iPhone/iPad & Android flagships?
    :: <https://github.com/cisagov/kev-data>
    :: <https://www.cisa.gov/known-exploited-vulnerabilities>
    :: <https://www.cisa.gov/known-exploited-vulnerabilities-catalog>
    :: Note this db is only about 6% of all known vulnerabilities!
    :: <medium.com/@yotamperkal/cisa-kev-a-balanced-perspective-ff3856e69ba9>
    :: That's because the KEV db only contains exploits meeting these criteria:
    :: 1. The exploit has a valid CVE ID.
    :: 2. There is reliable evidence of active exploitation.
    :: 3. A clear remediation action is already available to the general public.
    :: The KEV database is in three files:
    :: a. CSV (Comma-Separated Values)
    :: <github.com/cisagov/kev-data/blob/develop/known_exploited_vulnerabilities.csv>
    :: b. JSON (JavaScript Object Notation)
    :: <github.com/cisagov/kev-data/blob/develop/known_exploited_vulnerabilities.json>
    :: c. JSON Schema (Defines the structure of the JSON data)
    :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
    :: REVISION HISTORY:
    :: Version v1.0 20250929 (45L)
    :: Invokes powershell to parse csv/json CISA database for iOS vs Android
    :: Version 1.1 2025???? (??L)
    :: TBD
    :: Version 1.2 2025???? (??L)
    :: TBD
    :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
    :: 72 char 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 12
    :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

    set "PS_SCRIPT=kev.ps1" REM iOS vs Android known patched exploits
    powershell -ExecutionPolicy Bypass -File "%~dp0%PS_SCRIPT%"
    pause
    :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
    :: End of kev.bat
    :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::


    The PowerShell script that works with that batch file is shown below.
    ###############################################################################
    ## This is kev.ps1 v2.1
    ## An Extensible cross-platform batch/powershell script to parse CISA KEV db
    ## Analyzes the CISA Known Exploited Vulnerabilities (KEV) database
    ## to compare iOS and Android-related security threats.
    ## a. Downloads latest KEV CSV or uses a local copy of the KEV CSV file
    ## b. Filters out irrelevant entries (e.g., smart appliances, printers)
    ## c. Uses keywords & vendor-product logic for platform-specific exploits
    ## d. Identifies shared vulnerabilities affecting both ecosystems
    ## e. Logs results to timestamped files in a clean ./logs directory
    ## f. Outputs Apple vs Android exploit summaries to console & log files
    ## All logs are saved in the ./logs directory:
    ## A. ios_matches_YYYYMMDD_HHMMSS.log
    ## B. android_matches_YYYYMMDD_HHMMSS.log
    ## C. shared_matches_YYYYMMDD_HHMMSS.log
    ## D. kev_output_YYYYMMDD_HHMMSS.log (summary)
    ## Note the CISA KEV db lists only about 6% of all known vulnerabilities!
    ## <medium.com/@yotamperkal/cisa-kev-a-balanced-perspective-ff3856e69ba9>
    ## That's because the KEV db only contains exploits meeting these criteria:
    ## 1. The exploit has a valid CVE ID.
    ## 2. There is reliable evidence of active exploitation.
    ## 3. A clear remediation action is already available to the general public.
    ###############################################################################
    ## Windows Usage: C:\> kev.bat
    ## Linux/macOS Usage: $ pwsh ./kev.ps1
    ## Requires PowerShell Core (pwsh) <https://github.com/PowerShell/PowerShell>
    ## Make sure execution policy allows script execution:
    ## $ pwsh -Command "Set-ExecutionPolicy -Scope Process -ExecutionPolicy Bypass"
    ###############################################################################
    ## Version 1.0 20250829 (41L)
    ## Extensible Windows batch/powershell script to parse csv/json CISA KEV db
    ## Uses powershell to parse csv/json CISA database for iOS vs Android
    ## Added comment discipline rules for ASCII-only and no oxford comma
    ## CSV downloaded from GitHub mirror of CISA KEV database
    ## Keyword logic uses lowercase match on vendor, product, and vuln name
    ## Matching uses wildcard logic with simple substring detection
    ## Results printed to console with Write-Host
    ## Script can be extended to log output or refine keyword logic
    ## Version 1.1 20250929 (56L)
    ## Adds time-stamped output file to current directory
    ## Uses Get-Date with custom format for filename
    ## Output file includes iOS and Android known exploit counts
    ## Output file UTF8 encoding for platform/editor compatibility
    ## Version 1.2 20250929 (68L)
    ## Expands keyword logic for iOS and Android ecosystems
    ## Adds ipad, watchos, macos, pixel, samsung, qualcomm, mediatek
    ## Improves platform distinction across shared components like WebKit
    ## Android common vendors & chipsets: pixel, samsung, qualcomm, mediatek
    ## iOS platforms: ipad, ipados, watchos, macos
    ## Used Join-Path to make filespecs usable on Windows/Linux/macOS
    ## Version 1.3 20250929 (87L)
    ## Added an output log to a separate file of each match with its source line
    ## Modified filespecs to enable macOS/Linux PowerCore portability
    ## Version 1.4 20250929 (97L)
    ## Included CVE ID in logs (Adds traceability & audit value)
    ## Added platform detection (Join-Path & $PWD)
    ## Add toggle for local file (avoid unnecessary d/l when testing)
    ## Version 1.5 20250929 (108L)
    ## Add exclusion filtering logic (e.g., samsung TVs)
    ## Exclusion filtering removes Apple smart home devices.
    ## Version 1.6 20250929 (130L)
    ## Added shared-match detection to avoid double counting overlapping attack
    ## surfaces in platform-specific summaries
    ## Version 1.7 20250929 (141L)
    ## Added vendor-product dictionary-style mapping to exclude false positives
    ## like "Samsung tv" or "refrigerator" or "Apple tv" or "homepod"
    ## Version 1.8 20250929 (148L)
    ## Refined keyword logic for deeper iOS & Android exploit detection
    ## around shared components like WebKit & cryptographic modules
    ## Apple includes subsystems like secure enclave, coremedia & launchd
    ## Android includes cryptographic modules & shared components like
    ## keymaster, webkit & play services.
    ## Version 1.9 20250929 (163L)
    ## Moved all log files into ./logs directory to reduce clutter
    ## Added usage instructions for macOS/Linux (pwsh)
    ## Version 2.0 20250929 (207L)
    ## Added toggle to include/exclude macOS from iOS counts
    ## Fixed platform detection (Join-Path & $PWD) console output
    ## Version 2.1 20250929 (212L)
    ## Added output of the PowerShell version (in case of mismatches)
    ###############################################################################
    # Platform detection (v2.3)
    $platform = $PSVersionTable.PSEdition
    $version = $PSVersionTable.PSVersion
    if ($platform -eq "Desktop") {
        Write-Host "Running on platform: Windows PowerShell"
    } elseif ($platform -eq "Core") {
        if ($IsWindows) {
            Write-Host "Running on platform: Windows (pwsh)"
        } elseif ($IsLinux) {
            Write-Host "Running on platform: Linux (pwsh)"
        } elseif ($IsMacOS) {
            Write-Host "Running on platform: macOS (pwsh)"
        } else {
            Write-Host "Running on platform: Unknown Core edition"
        }
    } else {
        Write-Host "Running on platform: Unknown"
    }
    Write-Host "PowerShell version: $version"
    # Download the KEV CSV from GitHub
    # $useLocalFile = $true # Set to $false to force download
    $useLocalFile = $false # Set to $true for testing of existing downloads
    $includeMacOS = $true # Set to $false to exclude macOS in iOS counts
    # $includeMacOS = $false # Set to $true to include macOS in iOS counts
    if ($useLocalFile) {
        $csvPath = Join-Path -Path $PWD -ChildPath "kev.csv"
        Write-Host "Using local file: $csvPath"
    } else {
        $csvUrl = "https://raw.githubusercontent.com/cisagov/kev-data/develop/known_exploited_vulnerabilities.csv"
        $csvPath = Join-Path -Path $PWD -ChildPath "kev.csv"
        Invoke-WebRequest -Uri $csvUrl -OutFile $csvPath
        Write-Host "Downloaded fresh file: $csvPath"
    }
    # Define keyword logic for iOS and Android
    # iOS includes Apple platforms and WebKit-based browsers
    $iosKeywords = @(
        "apple", "ios", "ipados", "watchos", "webkit", "safari",
        "secure enclave", "coregraphics", "coremedia", "corefoundation",
        "springboard", "launchd", "sandbox"
    )
    if ($includeMacOS) {
        $iosKeywords += "macos"
    }
    # Android includes Google platforms and common Android vendors
    $androidKeywords = @(
        "android", "google", "pixel", "samsung", "qualcomm", "mediatek",
        "play services", "keymaster", "keystore", "secure element", "omapi",
        "webkit" # added for hybrid apps and embedded browsers
    )
    # Initialize counters for each platform
    $iosCount = 0
    $androidCount = 0
    $timestamp = Get-Date -Format "yyyyMMdd_HHmmss"
    $logDir = Join-Path -Path "." -ChildPath "logs"
    if (-not (Test-Path $logDir)) {
        New-Item -ItemType Directory -Path $logDir | Out-Null
    }
    $iosLogPath = Join-Path -Path $logDir -ChildPath "ios_matches_$timestamp.log"
    $androidLogPath = Join-Path -Path $logDir -ChildPath "android_matches_$timestamp.log"
    $sharedLogPath = Join-Path -Path $logDir -ChildPath "shared_matches_$timestamp.log"
    $outputFile = Join-Path -Path $logDir -ChildPath "kev_output_$timestamp.log"
    # Parse KEV CSV and count keyword matches
    $excludeKeywords = @(
        "refrigerator", "tv", "washer", "dryer", "smart appliance", "iot", "industrial", "printer", "apple tv", "homepod", "airtag"
    )
    $vendorProductMap = @{
        "samsung" = @("galaxy", "android", "mobile", "tablet")
        "qualcomm" = @("snapdragon", "modem", "chipset")
        "apple" = @("iphone", "ipad", "ios", "watchos", "macbook")
    }
    if ($includeMacOS) {
        $vendorProductMap["apple"] += "macos"
    }
    Import-Csv $csvPath | ForEach-Object {
        $text = ($_.vendorProject + " " + $_.product + " " + $_.vulnerabilityName).ToLower()
        $vendor = $_.vendorProject.ToLower()
        $product = $_.product.ToLower()
        # Skip irrelevant matches
        if ($excludeKeywords | Where-Object { $text -like "*$_*" }) {
            return
        }
        # Skip mismatched vendor-product combos
        if ($vendorProductMap.ContainsKey($vendor)) {
            $validProducts = $vendorProductMap[$vendor]
            if (-not ($validProducts | Where-Object { $product -like "*$_*" })) {
                return
            }
        }
        $logEntry = "$($_.cveID): $text"
        $iosMatch = $iosKeywords | Where-Object { $text -like "*$_*" }
        $androidMatch = $androidKeywords | Where-Object { $text -like "*$_*" }
        if ($iosMatch -and $androidMatch) {
            $iosCount++
            $androidCount++
            Add-Content -Path $iosLogPath -Value "$logEntry`n"
            Add-Content -Path $androidLogPath -Value "$logEntry`n"
            Add-Content -Path $sharedLogPath -Value "$logEntry`n"
        } elseif ($iosMatch) {
            $iosCount++
            Add-Content -Path $iosLogPath -Value "$logEntry`n"
        } elseif ($androidMatch) {
            $androidCount++
            Add-Content -Path $androidLogPath -Value "$logEntry`n"
        }
    }
    # Output results to console
    Write-Host "Estimated Apple-related exploits: $iosCount"
    Write-Host "Estimated Android-related exploits: $androidCount"
    if (Test-Path $sharedLogPath) {
        $sharedCount = (Get-Content $sharedLogPath | Measure-Object).Count
        Write-Host "Estimated shared exploits: $sharedCount"
        Add-Content -Path $sharedLogPath -Value "Shared iOS/Android vulnerabilities:`n"
        Add-Content -Path $sharedLogPath -Value "`nTotal shared matches: $sharedCount"
    } else {
        Write-Host "Estimated shared exploits: 0"
    }
    # Create time-stamped output file in current directory
    # $outputFile = "kev_output_$timestamp.log"
    # Allow for macOS/Linux PowerShell Core portability (filespec syntax)
    # Write results to file
    @(
        "KEV vulnerability summary $timestamp",
        "Estimated Apple-related exploits: $iosCount",
        "Estimated Android-related exploits: $androidCount"
    ) | Out-File -FilePath $outputFile -Encoding UTF8
    # Append a summary line to each match log (v1.4)
    Add-Content -Path $iosLogPath -Value "`nTotal iOS matches: $iosCount"
    Add-Content -Path $androidLogPath -Value "`nTotal Android matches: $androidCount"
    ###############################################################################
    ## end of kev.ps1
    ###############################################################################


    Here is a sample output but it depends on how you set the switches.
    Running on platform: Windows PowerShell
    PowerShell version: 5.1.19041.6328
    Downloaded fresh file: C:\data\sys\batch\cisa\kev.csv
    Estimated Apple-related exploits: 106
    Estimated Android-related exploits: 110
    Estimated shared exploits: 20
    Press any key to continue . . .

    For auditing, that also produces the following log files:
    android_matches_20250929_055357.log
    ios_matches_20250929_055357.log
    shared_matches_20250929_055357.log

    Here are just the first five lines of each of those log files:
    android_matches_20250929_055357.log
    CVE-2025-10585: google chromium v8 google chromium v8 type confusion vulnerability

    CVE-2025-48543: android runtime android runtime use-after-free vulnerability

    CVE-2025-6558: google chromium google chromium angle and gpu improper input validation vulnerability

    CVE-2025-6554: google chromium v8 google chromium v8 type confusion vulnerability

    CVE-2025-5419: google chromium v8 google chromium v8 out-of-bounds read and write vulnerability
    ios_matches_20250929_055357.log
    CVE-2025-43300: apple ios, ipados, and macos apple ios, ipados, and macos out-of-bounds write vulnerability

    CVE-2019-6693: fortinet fortios fortinet fortios use of hard-coded credentials vulnerability

    CVE-2025-2783: google chromium mojo google chromium mojo sandbox escape vulnerability

    CVE-2025-24472: fortinet fortios and fortiproxy fortinet fortios and fortiproxy authentication bypass vulnerability

    CVE-2025-24200: apple ios and ipados apple ios and ipados incorrect authorization vulnerability

    shared_matches_20250929_055357.log
    CVE-2025-2783: google chromium mojo google chromium mojo sandbox escape vulnerability

    CVE-2016-4657: apple ios apple ios webkit memory corruption vulnerability

    CVE-2019-8720: webkitgtk webkitgtk webkitgtk memory corruption vulnerability

    CVE-2022-22620: apple ios, ipados, and macos apple ios, ipados, and macos webkit use-after-free vulnerability

    CVE-2021-30762: apple ios apple ios webkit use-after-free vulnerability

    Let's work together to know, for sure, what the difference is in exploits.

    If you can, please run the script above on macOS, Linux or on Windows.
    Let us know the results as we can only make good assessments on good data.

    Note: I don't care which platform fares better or worse; I just want the facts.
    --- Synchronet 3.21a-Linux NewsLink 1.2
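An added example, not part of the post or of kev.ps1: the log excerpts above list Fortinet FortiOS entries under ios_matches because the script's `-like "*ios*"` test matches any substring. The PowerShell below classifies rows constructed from those quoted log lines with both substring and whole-word matching; the function names and the shortened keyword lists are assumptions for illustration.

```powershell
# Added example, not part of kev.ps1. Function names are hypothetical.
# Rows are constructed from the log lines quoted in the post; the column
# names are the ones kev.ps1 reads from the KEV CSV.
$rows = @(
    [pscustomobject]@{ cveID = 'CVE-2019-6693'; vendorProject = 'Fortinet'; product = 'FortiOS'
        vulnerabilityName = 'Fortinet FortiOS Use of Hard-Coded Credentials Vulnerability' }
    [pscustomobject]@{ cveID = 'CVE-2025-24472'; vendorProject = 'Fortinet'; product = 'FortiOS and FortiProxy'
        vulnerabilityName = 'Fortinet FortiOS and FortiProxy Authentication Bypass Vulnerability' }
    [pscustomobject]@{ cveID = 'CVE-2025-2783'; vendorProject = 'Google'; product = 'Chromium Mojo'
        vulnerabilityName = 'Google Chromium Mojo Sandbox Escape Vulnerability' }
    [pscustomobject]@{ cveID = 'CVE-2025-24200'; vendorProject = 'Apple'; product = 'iOS and iPadOS'
        vulnerabilityName = 'Apple iOS and iPadOS Incorrect Authorization Vulnerability' }
    [pscustomobject]@{ cveID = 'CVE-2016-4657'; vendorProject = 'Apple'; product = 'iOS'
        vulnerabilityName = 'Apple iOS WebKit Memory Corruption Vulnerability' }
    [pscustomobject]@{ cveID = 'CVE-2025-48543'; vendorProject = 'Android'; product = 'Runtime'
        vulnerabilityName = 'Android Runtime Use-After-Free Vulnerability' }
)

# Shortened copies of the script's keyword lists (assumption: enough to show the effect).
$iosKeywords     = @('apple', 'ios', 'ipados', 'watchos', 'webkit', 'safari', 'sandbox')
$androidKeywords = @('android', 'google', 'pixel', 'samsung', 'qualcomm', 'mediatek', 'webkit')

function Test-Keyword {
    param([string]$Text, [string[]]$Keywords, [switch]$WholeWord)
    foreach ($k in $Keywords) {
        if ($WholeWord) {
            # The keyword must not be glued to a letter or digit on either
            # side, so "ios" no longer matches inside "fortios".
            $pattern = '(?<![a-z0-9])' + [regex]::Escape($k) + '(?![a-z0-9])'
            if ($Text -match $pattern) { return $true }
        } elseif ($Text -like "*$k*") {
            # Same test kev.ps1 uses: any substring counts as a hit.
            return $true
        }
    }
    return $false
}

function Get-PlatformLabel {
    param([string]$Text, [switch]$WholeWord)
    $ios     = Test-Keyword -Text $Text -Keywords $iosKeywords -WholeWord:$WholeWord
    $android = Test-Keyword -Text $Text -Keywords $androidKeywords -WholeWord:$WholeWord
    if ($ios -and $android) {
        'shared'
    } elseif ($ios) {
        'ios'
    } elseif ($android) {
        'android'
    } else {
        'none'
    }
}

# Classify every row both ways so the differences are visible per CVE.
$report = foreach ($r in $rows) {
    $text = ("{0} {1} {2}" -f $r.vendorProject, $r.product, $r.vulnerabilityName).ToLower()
    [pscustomobject]@{
        cveID     = $r.cveID
        Substring = Get-PlatformLabel -Text $text
        WholeWord = Get-PlatformLabel -Text $text -WholeWord
    }
}
$report | Format-Table -AutoSize

# Count from the classified objects. Counting lines of a log written with a
# trailing `n also counts the blank separator line after every entry.
$report | Group-Object WholeWord | Select-Object Name, Count | Format-Table -AutoSize
```

The two FortiOS rows are labelled ios in the Substring column and none in the WholeWord column. The Chromium Mojo row stays shared under both, because "sandbox" and "google" are whole words there and only a narrower keyword list changes that.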
  • From Marion@marionf@fact.com to misc.phone.mobile.iphone,comp.mobile.android,comp.sys.mac.advocacy on Mon Sep 29 12:20:57 2025
    From Newsgroup: misc.phone.mobile.iphone

    sms wrote:
    On 9/28/2025 10:20 AM, sms wrote:
    On 9/28/2025 6:01 AM, Tom Elam wrote:

    <snip>

    First let me state that I have two iPhones, an Apple Watch, and an iPad
    Pro.

    I looked at the spreadsheet from CISA, removed all the lines other than
    Android, Apple (iOS, iPadOS, and WatchOS), and Samsung.

    It may not be perfect because so many of the Apple entries just said
    "Multiple Products" but I removed those lines even though they might
    have included some of the mobile products.

    Shared at https://docs.google.com/spreadsheets/d/1h24C9L9TronxU2X0UVcpncM606NPDaIeRlM4FfA_bg4/

    Totals
    ------
    11 Android
    13 Samsung
    33 iOS, iPadOS, WatchOS
    Oops, it's 12 Android, 13 Samsung, 32 iOS, iPadOS, WatchOS.


    I think it's great that we're working together, as a team, to come to an answer where I don't care what the answer is, as long as it's a good one.

    As such, I commend you & Chris as it appears we are at least making an
    attempt to parse the complex CISA KEV database to gain knowledge from it.

    Up until today I parsed CISA KEV JSON data using this type of script:
    @echo off
    setlocal EnableDelayedExpansion

    if "%~1"=="" (
        echo Usage: %~nx0 path\to\catalog.json
        exit /b 1
    )

    set "INPUT=%~1"

    for %%V in (Apple Android Samsung Microsoft Qualcomm Google) do (
        for /f "usebackq" %%C in (`powershell -NoLogo -NoProfile -Command ^
            "Get-Content '%INPUT%' ^| ConvertFrom-Json ^| Select-Object -ExpandProperty vulnerabilities ^| Where-Object { $_.vendorProject -eq '%%V' } ^| Measure-Object ^| Select-Object -ExpandProperty Count"`) do (
            echo %%V vulnerabilities: %%C
        )
    )

    endlocal

    But today, I decided to start again from scratch to parse the CSV.

    Let's all run the SAME x-platform batch script that gathers the data.
    Then we can each TWEAK that batch script so it gathers what we want?

    As always, I will volunteer the batch script that I wrote to do that.

    Then you & Chris can run it first, and see if you reproduce my numbers.
    Maybe badgolferman can run it also, as we're the main credible posters.

    Can we work together? You, me, Chris and badgolferman at least?
    Would you run this batch script on Windows, macOS or Linux please?

    @echo off
    :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
    :: This is kev.bat v1.0
    :: Usage: C:\> kev.bat
    :: Extensible Windows batch/powershell script to parse csv/json CISA KEV db
    :: kev.ps1 must reside in same folder as kev.bat
    :: kev.bat calls kev.ps1 using powershell with execution policy bypass
    :: Output pauses so user can read results before window closes
    :: The goal is to determine if Apple is telling the truth when Apple "says"
    :: they locked iOS users into a walled prison garden "for their own safety".
    :: As one step of that goal, the question to answer is simply thus:
    :: Q: What are cumulative exploits between iPhone/iPad & Android flagships?
    :: <https://github.com/cisagov/kev-data>
    :: <https://www.cisa.gov/known-exploited-vulnerabilities>
    :: <https://www.cisa.gov/known-exploited-vulnerabilities-catalog>
    :: Note this db is only about 6% of all known vulnerabilities!
    :: <medium.com/@yotamperkal/cisa-kev-a-balanced-perspective-ff3856e69ba9>
    :: That's because the KEV db only contains exploits meeting these criteria:
    :: 1. The exploit has a valid CVE ID.
    :: 2. There is reliable evidence of active exploitation.
    :: 3. A clear remediation action is already available to the general public.
    :: The KEV database is in three files:
    :: a. CSV (Comma-Separated Values)
    :: <github.com/cisagov/kev-data/blob/develop/known_exploited_vulnerabilities.csv>
    :: b. JSON (JavaScript Object Notation)
    :: <github.com/cisagov/kev-data/blob/develop/known_exploited_vulnerabilities.json>
    :: c. JSON Schema (Defines the structure of the JSON data)
    :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
    :: REVISION HISTORY:
    :: Version v1.0 20250929 (45L)
    :: Invokes powershell to parse csv/json CISA database for iOS vs Android
    :: Version 1.1 2025???? (??L)
    :: TBD
    :: Version 1.2 2025???? (??L)
    :: TBD
    :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
    :: 72 char 1234567890 1234567890 1234567890 1234567890 1234567890 1234567890 12
    :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

    set "PS_SCRIPT=kev.ps1" REM iOS vs Android known patched exploits
    powershell -ExecutionPolicy Bypass -File "%~dp0%PS_SCRIPT%"
    pause
    :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
    :: End of kev.bat
    :::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::


    The PowerShell script that works with that batch file is shown below.
    ###############################################################################
    ## This is kev.ps1 v2.1
    ## An Extensible cross-platform batch/powershell script to parse CISA KEV db
    ## Analyzes the CISA Known Exploited Vulnerabilities (KEV) database
    ## to compare iOS and Android-related security threats.
    ## a. Downloads latest KEV CSV or uses a local copy of the KEV CSV file
    ## b. Filters out irrelevant entries (e.g., smart appliances, printers)
    ## c. Uses keywords & vendor-product logic for platform-specific exploits
    ## d. Identifies shared vulnerabilities affecting both ecosystems
    ## e. Logs results to timestamped files in a clean ./logs directory
    ## f. Outputs Apple vs Android exploit summaries to console & log files
    ## All logs are saved in the ./logs directory:
    ## A. ios_matches_YYYYMMDD_HHMMSS.log
    ## B. android_matches_YYYYMMDD_HHMMSS.log
    ## C. shared_matches_YYYYMMDD_HHMMSS.log
    ## D. kev_output_YYYYMMDD_HHMMSS.log (summary)
    ## Note the CISA KEV db lists only about 6% of all known vulnerabilities!
    ## <medium.com/@yotamperkal/cisa-kev-a-balanced-perspective-ff3856e69ba9>
    ## That's because the KEV db only contains exploits meeting these criteria:
    ## 1. The exploit has a valid CVE ID.
    ## 2. There is reliable evidence of active exploitation.
    ## 3. A clear remediation action is already available to the general public.
    ###############################################################################
    ## Windows Usage: C:\> kev.bat
    ## Linux/macOS Usage: $ pwsh ./kev.ps1
    ## Requires PowerShell Core (pwsh) <https://github.com/PowerShell/PowerShell>
    ## Make sure execution policy allows script execution:
    ## $ pwsh -Command "Set-ExecutionPolicy -Scope Process -ExecutionPolicy Bypass"
    ###############################################################################
    ## Version 1.0 20250829 (41L)
    ## Extensible Windows batch/powershell script to parse csv/json CISA KEV db
    ## Uses powershell to parse csv/json CISA database for iOS vs Android
    ## Added comment discipline rules for ASCII-only and no oxford comma
    ## CSV downloaded from GitHub mirror of CISA KEV database
    ## Keyword logic uses lowercase match on vendor, product, and vuln name
    ## Matching uses wildcard logic with simple substring detection
    ## Results printed to console with Write-Host
    ## Script can be extended to log output or refine keyword logic
    ## Version 1.1 20250929 (56L)
    ## Adds time-stamped output file to current directory
    ## Uses Get-Date with custom format for filename
    ## Output file includes iOS and Android known exploit counts
    ## Output file UTF8 encoding for platform/editor compatibility
    ## Version 1.2 20250929 (68L)
    ## Expands keyword logic for iOS and Android ecosystems
    ## Adds ipad, watchos, macos, pixel, samsung, qualcomm, mediatek
    ## Improves platform distinction across shared components like WebKit
    ## Android common vendors & chipsets: pixel, samsung, qualcomm, mediatek
    ## iOS platforms: ipad, ipados, watchos, macos
    ## Used Join-Path to make filespecs usable on Windows/Linux/macOS
    ## Version 1.3 20250929 (87L)
    ## Added an output log to a separate file of each match with its source line
    ## Modified filespecs to enable macOS/Linux PowerCore portability
    ## Version 1.4 20250929 (97L)
    ## Included CVE ID in logs (Adds traceability & audit value)
    ## Added platform detection (Join-Path & $PWD)
    ## Add toggle for local file (avoid unnecessary d/l when testing)
    ## Version 1.5 20250929 (108L)
    ## Add exclusion filtering logic (e.g., samsung TVs)
    ## Exclusion filtering removes Apple smart home devices.
    ## Version 1.6 20250929 (130L)
    ## Added shared-match detection to avoid double counting overlapping attack
    ## surfaces in platform-specific summaries
    ## Version 1.7 20250929 (141L)
    ## Added vendor-product dictionary-style mapping to exclude false positives
    ## like "Samsung tv" or "refrigerator" or "Apple tv" or "homepod"
    ## Version 1.8 20250929 (148L)
    ## Refined keyword logic for deeper iOS & Android exploit detection
    ## around shared components like WebKit & cryptographic modules
    ## Apple includes subsystems like secure enclave, coremedia & launchd
    ## Android includes cryptographic modules & shared components like
    ## keymaster, webkit & play services.
    ## Version 1.9 20250929 (163L)
    ## Moved all log files into ./logs directory to reduce clutter
    ## Added usage instructions for macOS/Linux (pwsh)
    ## Version 2.0 20250929 (207L)
    ## Added toggle to include/exclude macOS from iOS counts
    ## Fixed platform detection (Join-Path & $PWD) console output
    ## Version 2.1 20250929 (212L)
    ## Added output of the PowerShell version (in case of mismatches)
    ###############################################################################
    # Platform detection (v2.3)
    $platform = $PSVersionTable.PSEdition
    $version = $PSVersionTable.PSVersion
    if ($platform -eq "Desktop") {
        Write-Host "Running on platform: Windows PowerShell"
    } elseif ($platform -eq "Core") {
        if ($IsWindows) {
            Write-Host "Running on platform: Windows (pwsh)"
        } elseif ($IsLinux) {
            Write-Host "Running on platform: Linux (pwsh)"
        } elseif ($IsMacOS) {
            Write-Host "Running on platform: macOS (pwsh)"
        } else {
            Write-Host "Running on platform: Unknown Core edition"
        }
    } else {
        Write-Host "Running on platform: Unknown"
    }
    Write-Host "PowerShell version: $version"
    # Download the KEV CSV from GitHub
    # $useLocalFile = $true # Set to $false to force download
    $useLocalFile = $false # Set to $true for testing of existing downloads
    $includeMacOS = $true # Set to $false to exclude macOS in iOS counts
    # $includeMacOS = $false # Set to $true to include macOS in iOS counts
    if ($useLocalFile) {
        $csvPath = Join-Path -Path $PWD -ChildPath "kev.csv"
        Write-Host "Using local file: $csvPath"
    } else {
        $csvUrl = "https://raw.githubusercontent.com/cisagov/kev-data/develop/known_exploited_vulnerabilities.csv"
        $csvPath = Join-Path -Path $PWD -ChildPath "kev.csv"
        Invoke-WebRequest -Uri $csvUrl -OutFile $csvPath
        Write-Host "Downloaded fresh file: $csvPath"
    }
    # Define keyword logic for iOS and Android
    # iOS includes Apple platforms and WebKit-based browsers
    $iosKeywords = @(
        "apple", "ios", "ipados", "watchos", "webkit", "safari",
        "secure enclave", "coregraphics", "coremedia", "corefoundation",
        "springboard", "launchd", "sandbox"
    )
    if ($includeMacOS) {
        $iosKeywords += "macos"
    }
    # Android includes Google platforms and common Android vendors
    $androidKeywords = @(
        "android", "google", "pixel", "samsung", "qualcomm", "mediatek",
        "play services", "keymaster", "keystore", "secure element", "omapi",
        "webkit" # added for hybrid apps and embedded browsers
    )
    # Initialize counters for each platform
    $iosCount = 0
    $androidCount = 0
    $timestamp = Get-Date -Format "yyyyMMdd_HHmmss"
    $logDir = Join-Path -Path "." -ChildPath "logs"
    if (-not (Test-Path $logDir)) {
        New-Item -ItemType Directory -Path $logDir | Out-Null
    }
    $iosLogPath = Join-Path -Path $logDir -ChildPath "ios_matches_$timestamp.log"
    $androidLogPath = Join-Path -Path $logDir -ChildPath "android_matches_$timestamp.log"
    $sharedLogPath = Join-Path -Path $logDir -ChildPath "shared_matches_$timestamp.log"
    $outputFile = Join-Path -Path $logDir -ChildPath "kev_output_$timestamp.log"
    # Parse KEV CSV and count keyword matches
    $excludeKeywords = @(
        "refrigerator", "tv", "washer", "dryer", "smart appliance", "iot", "industrial", "printer", "apple tv", "homepod", "airtag"
    )
    $vendorProductMap = @{
        "samsung" = @("galaxy", "android", "mobile", "tablet")
        "qualcomm" = @("snapdragon", "modem", "chipset")
        "apple" = @("iphone", "ipad", "ios", "watchos", "macbook")
    }
    if ($includeMacOS) {
        $vendorProductMap["apple"] += "macos"
    }
    Import-Csv $csvPath | ForEach-Object {
        $text = ($_.vendorProject + " " + $_.product + " " + $_.vulnerabilityName).ToLower()
        $vendor = $_.vendorProject.ToLower()
        $product = $_.product.ToLower()
        # Skip irrelevant matches
        if ($excludeKeywords | Where-Object { $text -like "*$_*" }) {
            return
        }
        # Skip mismatched vendor-product combos
        if ($vendorProductMap.ContainsKey($vendor)) {
            $validProducts = $vendorProductMap[$vendor]
            if (-not ($validProducts | Where-Object { $product -like "*$_*" })) {
                return
            }
        }
        $logEntry = "$($_.cveID): $text"
        $iosMatch = $iosKeywords | Where-Object { $text -like "*$_*" }
        $androidMatch = $androidKeywords | Where-Object { $text -like "*$_*" }
        if ($iosMatch -and $androidMatch) {
            $iosCount++
            $androidCount++
            Add-Content -Path $iosLogPath -Value "$logEntry`n"
            Add-Content -Path $androidLogPath -Value "$logEntry`n"
            Add-Content -Path $sharedLogPath -Value "$logEntry`n"
        } elseif ($iosMatch) {
            $iosCount++
            Add-Content -Path $iosLogPath -Value "$logEntry`n"
        } elseif ($androidMatch) {
            $androidCount++
            Add-Content -Path $androidLogPath -Value "$logEntry`n"
        }
    }
    # Output results to console
    Write-Host "Estimated Apple-related exploits: $iosCount"
    Write-Host "Estimated Android-related exploits: $androidCount"
    if (Test-Path $sharedLogPath) {
        $sharedCount = (Get-Content $sharedLogPath | Measure-Object).Count
        Write-Host "Estimated shared exploits: $sharedCount"
        Add-Content -Path $sharedLogPath -Value "Shared iOS/Android vulnerabilities:`n"
        Add-Content -Path $sharedLogPath -Value "`nTotal shared matches: $sharedCount"
    } else {
        Write-Host "Estimated shared exploits: 0"
    }
    # Create time-stamped output file in current directory
    # $outputFile = "kev_output_$timestamp.log"
    # Allow for macOS/Linux PowerShell Core portability (filespec syntax)
    # Write results to file
    @(
        "KEV vulnerability summary $timestamp",
        "Estimated Apple-related exploits: $iosCount",
        "Estimated Android-related exploits: $androidCount"
    ) | Out-File -FilePath $outputFile -Encoding UTF8
    # Append a summary line to each match log (v1.4)
    Add-Content -Path $iosLogPath -Value "`nTotal iOS matches: $iosCount"
    Add-Content -Path $androidLogPath -Value "`nTotal Android matches: $androidCount"
    ###############################################################################
    ## end of kev.ps1
    ###############################################################################


    Here is a sample output but it depends on how you set the switches.
    Running on platform: Windows PowerShell
    PowerShell version: 5.1.19041.6328
    Downloaded fresh file: C:\data\sys\batch\cisa\kev.csv
    Estimated Apple-related exploits: 106
    Estimated Android-related exploits: 110
    Estimated shared exploits: 20
    Press any key to continue . . .

    For auditing, that also produces the following log files:
    android_matches_20250929_055357.log
    ios_matches_20250929_055357.log
    shared_matches_20250929_055357.log

    Here are just the first five lines of each of those log files:
    android_matches_20250929_055357.log
    CVE-2025-10585: google chromium v8 google chromium v8 type confusion vulnerability
    CVE-2025-48543: android runtime android runtime use-after-free vulnerability
    CVE-2025-6558: google chromium google chromium angle and gpu improper input validation vulnerability
    CVE-2025-6554: google chromium v8 google chromium v8 type confusion vulnerability
    CVE-2025-5419: google chromium v8 google chromium v8 out-of-bounds read and write vulnerability

    ios_matches_20250929_055357.log
    CVE-2025-43300: apple ios, ipados, and macos apple ios, ipados, and macos out-of-bounds write vulnerability
    CVE-2019-6693: fortinet fortios fortinet fortios use of hard-coded credentials vulnerability
    CVE-2025-2783: google chromium mojo google chromium mojo sandbox escape vulnerability
    CVE-2025-24472: fortinet fortios and fortiproxy fortinet fortios and fortiproxy authentication bypass vulnerability
    CVE-2025-24200: apple ios and ipados apple ios and ipados incorrect authorization vulnerability

    shared_matches_20250929_055357.log
    CVE-2025-2783: google chromium mojo google chromium mojo sandbox escape vulnerability
    CVE-2016-4657: apple ios apple ios webkit memory corruption vulnerability
    CVE-2019-8720: webkitgtk webkitgtk webkitgtk memory corruption vulnerability
    CVE-2022-22620: apple ios, ipados, and macos apple ios, ipados, and macos webkit use-after-free vulnerability
    CVE-2021-30762: apple ios apple ios webkit use-after-free vulnerability

    Let's work together to know, for sure, what the difference is in exploits.

    If you can, please run the script above on macOS, Linux or on Windows.
    Let us know the results as we can only make good assessments on good data.

    Note: I don't care which platform fares better or worse; I just want the facts.
  • From Marion@marionf@fact.com to comp.mobile.android,comp.sys.mac.advocacy,misc.phone.mobile.iphone on Mon Sep 29 12:32:18 2025
    From Newsgroup: misc.phone.mobile.iphone

    Tyrone wrote:
    As a result, *Android devices tend to be more susceptible to malware

    Tyrone,

    You are likely one of the few people on this newsgroup who knows
    anything about other platforms, such as about Windows PowerShell.

    So I ask you to look at the scripts I provided to Steve & Chris.
    a. kev.bat
    b. kev.ps1
    Run them.

    Apple locked you behind a barbed-wired fenced prison because Apple "said"
    it was for your "security", and yet, nobody can find that security you paid
    so dearly for. If that "security" exists, then why are there so many bugs?

    Here are the numbers I'm asking the adults on this newsgroup to ponder:
    Running on platform: Windows PowerShell
    PowerShell version: 5.1.19041.6328
    Downloaded fresh file: C:\data\sys\batch\cisa\kev.csv
    Estimated Apple-related exploits: 106
    Estimated Android-related exploits: 110
    Estimated shared exploits: 20
    Press any key to continue . . .

    For auditing, that also produces the following log files:
    android_matches_20250929_055357.log
    ios_matches_20250929_055357.log
    shared_matches_20250929_055357.log

    Here are just the first five lines of each of those log files:
    android_matches_20250929_055357.log
    CVE-2025-10585: google chromium v8 google chromium v8 type confusion vulnerability
    CVE-2025-48543: android runtime android runtime use-after-free vulnerability
    CVE-2025-6558: google chromium google chromium angle and gpu improper input validation vulnerability
    CVE-2025-6554: google chromium v8 google chromium v8 type confusion vulnerability
    CVE-2025-5419: google chromium v8 google chromium v8 out-of-bounds read and write vulnerability

    ios_matches_20250929_055357.log
    CVE-2025-43300: apple ios, ipados, and macos apple ios, ipados, and macos out-of-bounds write vulnerability
    CVE-2019-6693: fortinet fortios fortinet fortios use of hard-coded credentials vulnerability
    CVE-2025-2783: google chromium mojo google chromium mojo sandbox escape vulnerability
    CVE-2025-24472: fortinet fortios and fortiproxy fortinet fortios and fortiproxy authentication bypass vulnerability
    CVE-2025-24200: apple ios and ipados apple ios and ipados incorrect authorization vulnerability

    shared_matches_20250929_055357.log
    CVE-2025-2783: google chromium mojo google chromium mojo sandbox escape vulnerability
    CVE-2016-4657: apple ios apple ios webkit memory corruption vulnerability
    CVE-2019-8720: webkitgtk webkitgtk webkitgtk memory corruption vulnerability
    CVE-2022-22620: apple ios, ipados, and macos apple ios, ipados, and macos webkit use-after-free vulnerability
    CVE-2021-30762: apple ios apple ios webkit use-after-free vulnerability

    Let's work together to know, for sure, what the difference is in exploits.

    If you can, please run the scripts I provided on macOS, Linux or Windows.
    Let us know the results as we can only make good assessments on good data.

    Note: I don't care which platform fares better or worse; I just want the facts.
  • From Chris@ithinkiam@gmail.com to misc.phone.mobile.iphone,comp.mobile.android,comp.sys.mac.advocacy on Mon Sep 29 18:19:03 2025
    From Newsgroup: misc.phone.mobile.iphone

    On 29/09/2025 13:16, Marion wrote:

    Can we work together? You, me, Steve and badgolferman at least?
    Would you run this batch script on Windows, macOS or Linux please?
    Not possible as batch scripts are Windows only and barely portable.

    I prefer open source, portable code like R. You can install R from here: https://cran.r-project.org/

    You can find my version of the code here (note the 'blob:' is a valid
    part of the url): blob:https://creativedemon.github.io/654c1274-4117-4e0b-adfb-48ca3dc38fa8

    It reads the data and makes two plots. The general threat distribution
    and the time-based comparison between iOS and Android (by best
    approximation and given the significant caveats of CISA).

  • From Marion@marionf@fact.com to misc.phone.mobile.iphone,comp.mobile.android,comp.sys.mac.advocacy on Mon Sep 29 19:27:20 2025
    From Newsgroup: misc.phone.mobile.iphone

    Chris wrote:
    Can we work together? You, me, Steve and badgolferman at least?
    Would you run this batch script on Windows, macOS or Linux please?
    Not possible as batch scripts are Windows only and barely portable.

    Hi Chris,

    I write portable code. I write extensible code. I write readable code.
    I think ahead. I am always thinking strategically.

    I want others to run the code so I wrote it to be cross platform portable.
    Out of the box.

    I want others to improve the code so I wrote it to be easily extensible.
    Out of the box.

    Since you're trying to parse the data to get the truth out of it, I'll be gentle when I say "you're wrong" on that - but I understand why you think
    that powershell doesn't run on Linux or macOS so I'll explain further below.

    I *designed* the process to run on Linux, macOS or Windows.
    I just didn't test it on macOS or Linux but I designed it as X-platform.

    Here is a readme that I just now wrote to make it more obvious to others
    that what I wrote was designed to work on Linux, macOS and on Windows.

    ========================================================================
    Begin README.txt (v1.0) for kev.ps1 (running kev.ps1 on all platforms).
    ========================================================================
    This script analyzes the CISA Known Exploited Vulnerabilities (KEV)
    database to compare Apple's iOS & Android-related security threats.

    It works on macOS, Linux & Windows (I only tested it on Windows).
    ========================================================================
    SCRIPT OVERVIEW: What kev.ps1 Does
    ========================================================================
    kev.ps1 is a cross-platform PowerShell script that analyzes the CISA
    Known Exploited Vulnerabilities (KEV) database to compare threats.
    ------------------------------------------------------------------------
    KEY FEATURES
    ------------------------------------------------------------------------
    1. Downloads the latest KEV CSV file from GitHub
    (or uses a local copy if configured)
    2. Filters out irrelevant entries (e.g., smart appliances, printers, IoT)
    3. Uses keyword matching & vendor-product logic to identify:
    a. iOS-specific vulnerabilities
    b. Android-specific vulnerabilities
    c. Shared vulnerabilities affecting both platforms
    4. Saves results to timestamped log files in a ./logs directory:
    a. ios_matches_YYYYMMDD_HHMMSS.log
    b. android_matches_YYYYMMDD_HHMMSS.log
    c. shared_matches_YYYYMMDD_HHMMSS.log
    d. kev_output_YYYYMMDD_HHMMSS.log (summary)
    5. Outputs results to the console (with added platform-detection info)
    6. Includes toggle to count or exclude macOS vulnerabilities
    7. Designed for portability across Windows, macOS, & Linux
    8. Designed for extensibility to hone the desired output data.
    ========================================================================
    Windows users can run kev.bat, but macOS & Linux users should follow
    these instructions below to run kev.ps1 directly.
    ========================================================================
    ------------------------------------------------------------------------
    REQUIREMENTS (PowerShell runs on Windows, macOS & Linux)
    ------------------------------------------------------------------------
    PowerShell Core (pwsh) must be installed
    <https://github.com/PowerShell/PowerShell>
    ------------------------------------------------------------------------
    INSTALLATION
    ------------------------------------------------------------------------
    macOS:
    $ brew install --cask powershell

    Ubuntu/Debian:
    $ sudo apt-get install -y powershell

    Fedora/RHEL:
    $ sudo dnf install -y powershell
    ------------------------------------------------------------------------
    USAGE
    ------------------------------------------------------------------------
    1. Open a terminal & navigate to the folder containing kev.ps1
    2. Run the script using PowerShell Core:
    $ pwsh ./kev.ps1
    3. If you see an execution policy error, bypass it temporarily:
    $ pwsh -Command "Set-ExecutionPolicy -Scope Process -ExecutionPolicy Bypass"
    ------------------------------------------------------------------------
    OPTIONAL: Use Local CSV Instead of Downloading
    ------------------------------------------------------------------------
    To avoid downloading the KEV CSV every time:

    1. Edit kev.ps1 & change:
    $useLocalFile = $false
    to:
    $useLocalFile = $true
    2. Place kev.csv in the same folder as kev.ps1
    ------------------------------------------------------------------------
    OUTPUT
    ------------------------------------------------------------------------
    Results will be saved in the ./logs directory:
    a. ios_matches_YYYYMMDD_HHMMSS.log
    b. android_matches_YYYYMMDD_HHMMSS.log
    c. shared_matches_YYYYMMDD_HHMMSS.log
    d. kev_output_YYYYMMDD_HHMMSS.log
    ========================================================================
    End of README.txt for kev.ps1, version 1.0
    ========================================================================


    I prefer open source, portable code like R. You can install R from here: https://cran.r-project.org/

    From their FAQ:
    "R is a system for statistical computation and graphics.
    It consists of a language plus a run-time environment with graphics,
    a debugger, access to certain system functions, and the ability to
    run programs stored in script files."

    That works fine I'm sure.

    The real problem with parsing the CISA KEV database is how the database
    is organized. The organization is what's difficult about parsing it.

    You can find my version of the code here (note the 'blob:' is a valid
    part of the url): blob:https://creativedemon.github.io/654c1274-4117-4e0b-adfb-48ca3dc38fa8

    I tried a couple of browsers and it said it didn't exist.

    It reads the data and makes two plots. The general threat distribution
    and the time-based comparison between iOS and Android (by best
    approximation and given the significant caveats of CISA).

    I'm sure those plots are nice, and if I had wanted them, what I'd use is Python which would go something like this first version (needs improvement).

    ########################################################################
    # plotkev.py
    # Requires: pandas, matplotlib
    # Usage: python plotkev.py
    ########################################################################
    # DESCRIPTION
    ########################################################################
    # plotkev.py analyzes the CISA Known Exploited Vulnerabilities
    # (KEV) database to compare iOS and Android-related security threats.
    #
    # It performs the following tasks:
    # 1. Downloads the latest KEV CSV from GitHub
    # 2. Filters out irrelevant entries (e.g., smart appliances, printers)
    # 3. Uses keyword logic to classify each vulnerability as iOS, Android,
    # Shared, or Other
    # 4. Generates two plots:
    # a. kev_distribution.png
    # (Bar chart showing total vulnerabilities by platform)
    # b. kev_time_comparison.png
    # (Line chart showing cumulative vulnerabilities over time)
    #
    # This script is designed to approximate platform-specific threat exposure
    # using public KEV data, with known limitations due to KEV scope and bias.
    ########################################################################
    import pandas as pd
    import matplotlib.pyplot as plt
    from datetime import datetime

    # Download or load the KEV CSV
    csv_url = "https://raw.githubusercontent.com/cisagov/kev-data/develop/known_exploited_vulnerabilities.csv"
    df = pd.read_csv(csv_url)

    # Define keyword logic
    ios_keywords = [
        "apple", "ios", "ipados", "watchos", "webkit", "safari",
        "secure enclave", "coregraphics", "coremedia", "corefoundation",
        "springboard", "launchd", "sandbox", "macos"
    ]
    android_keywords = [
        "android", "google", "pixel", "samsung", "qualcomm", "mediatek",
        "play services", "keymaster", "keystore", "secure element", "omapi",
        "webkit"
    ]
    exclude_keywords = [
        "refrigerator", "tv", "washer", "dryer", "smart appliance", "iot",
        "industrial", "printer", "apple tv", "homepod", "airtag"
    ]

    # Normalize text
    df["text"] = (df["vendorProject"].fillna("") + " " +
                  df["product"].fillna("") + " " +
                  df["vulnerabilityName"].fillna("")).str.lower()

    # Filter out irrelevant entries
    for keyword in exclude_keywords:
        df = df[~df["text"].str.contains(keyword)]

    # Classify entries
    def classify(row):
        ios = any(k in row["text"] for k in ios_keywords)
        android = any(k in row["text"] for k in android_keywords)
        if ios and android:
            return "Shared"
        elif ios:
            return "iOS"
        elif android:
            return "Android"
        else:
            return "Other"

    df["Platform"] = df.apply(classify, axis=1)

    # Plot 1: General Threat Distribution
    platform_counts = df["Platform"].value_counts()
    plt.figure(figsize=(8, 5))
    platform_counts.plot(kind="bar", color=["skyblue", "lightgreen",
                                            "orange", "gray"])
    plt.title("General Threat Distribution (CISA KEV)")
    plt.ylabel("Number of Vulnerabilities")
    plt.xticks(rotation=0)
    plt.tight_layout()
    plt.savefig("kev_distribution.png")
    plt.close()

    # Plot 2: Time-Based Comparison
    df["dateAdded"] = pd.to_datetime(df["dateAdded"], errors="coerce")
    df = df.dropna(subset=["dateAdded"])
    df["date"] = df["dateAdded"].dt.to_period("M").dt.to_timestamp()

    time_series = df[df["Platform"].isin(["iOS", "Android", "Shared"])]
    time_counts = time_series.groupby(["date",
                                       "Platform"]).size().unstack(fill_value=0)
    time_counts["iOS_total"] = time_counts["iOS"] + time_counts["Shared"]
    time_counts["Android_total"] = time_counts["Android"] + time_counts["Shared"]

    plt.figure(figsize=(10, 6))
    plt.plot(time_counts.index, time_counts["iOS_total"].cumsum(),
             label="iOS", color="blue")
    plt.plot(time_counts.index, time_counts["Android_total"].cumsum(),
             label="Android", color="green")
    plt.title("Cumulative Vulnerabilities Over Time")
    plt.xlabel("Date Added to KEV")
    plt.ylabel("Cumulative Count")
    plt.legend()
    plt.grid(True)
    plt.tight_layout()
    plt.savefig("kev_time_comparison.png")
    plt.close()

    ########################################################################
    # End of plotkev.py
    ########################################################################
  • From Marion@marionf@fact.com to misc.phone.mobile.iphone,comp.mobile.android,comp.sys.mac.advocacy on Tue Sep 30 01:49:44 2025
    From Newsgroup: misc.phone.mobile.iphone

    sms wrote:
    In any case, the exploits are closed after being discovered and it's not like there is an order of magnitude difference.

    This post contains more insight than you've ever had in your entire life, Steve.

    Apple locked you into the barbed-wire prison garden for your safety.
    And yet, you gained no safety.

    You lost everything buying Apple products.
    And gained nothing.

    Why?
    Apple lied.

    They didn't lock you into the walled garden for your safety after all.
    Fancy that.

    And of course these are only the zero-day-exploits, they don't represent
    any other security concerns.

    Actually, they're three things, and not necessarily zero days:
    1. The exploit has a valid CVE ID.
    2. There is reliable evidence of active exploitation.
    3. A clear remediation action is already available to the general public.

    As Chris pointed out, the CISA database is only about 6% of the known bugs.

    It's very difficult to install non-app store apps on an iOS device, but
    it's fairly easy on Android.

    You lost everything buying Apple products.
    And gained nothing.

    The security on iOS is about the same as the security on Android.
    Here is a sample CISA KEV output but it depends on how you set switches.
    Running on platform: Windows PowerShell
    PowerShell version: 5.1.19041.6328
    Downloaded fresh file: C:\data\sys\batch\cisa\kev.csv
    Estimated Apple-related exploits: 106
    Estimated Android-related exploits: 110
    Estimated shared exploits: 20
    Press any key to continue . . .

    Apple "said" they wrapped you in barbed wire "for your safety".
    And yet, that safety never existed. And never will.

    Because that's NOT why Apple locked you in that barbed-wire prison garden.
  • From Chris@ithinkiam@gmail.com to misc.phone.mobile.iphone,comp.mobile.android,comp.sys.mac.advocacy on Tue Sep 30 06:35:32 2025
    From Newsgroup: misc.phone.mobile.iphone

    Marion <marionf@fact.com> wrote:

    As Chris pointed out, the CISA database is only about 6% of the known bugs.

    That's not accurate. CISA only includes 6% of *exploitable*
    vulnerabilities.

    There are many, many more "bugs".
  • From Marion@marionf@fact.com to misc.phone.mobile.iphone,comp.mobile.android,comp.sys.mac.advocacy on Tue Sep 30 14:04:44 2025
    From Newsgroup: misc.phone.mobile.iphone

    Chris wrote:
    As Chris pointed out, the CISA database is only about 6% of the known bugs.

    That's not accurate. CISA only includes 6% of *exploitable*
    vulnerabilities.

    There are many, many more "bugs".

    Good point, Chris. You've opened my eyes, and, since I'm not an Apple
    troll, I'm happy to say you taught me a lot about what the CISA KEV is.

    I respect that you UNDERSTOOD what the CISA KEV database is, and isn't.
    Even better than I did, in fact (and certainly better than Steve does).

    But Steve is trying to understand it - which is really all that matters.
    As am I.

    Only you seem to have understood what's going on in the CISA database,
    where when I first opened this thread, even I wasn't aware it wasn't zero
    days, for example, but that it was three things and three things only.
    1. The exploit has a valid CVE ID.
    2. There is reliable evidence of active exploitation.
    3. A clear remediation action is already available to the general public.

    I learned from that research from Yotam Perkal which you unearthed for us.
    <https://medium.com/@yotamperkal/cisa-kev-a-balanced-perspective-ff3856e69ba9>

    It turns out the CISA KEV is not a comprehensive database of all
    exploitable or dangerous vulnerabilities. It's deliberately narrower since
    the CISA KEV db only includes vulnerabilities with verified, in-the-wild exploitation and a known fix which is already available to the public.

    Summarized, the CISA KEV is more of a 'must patch' list than 'all risks'.

    As you know, I wrote a cross-platform script anyone can run to parse KEV.
    Here is a sample recent output but it depends on how you set the switches.
    Running on platform: Windows PowerShell
    PowerShell version: 5.1.19041.6328
    Downloaded fresh file: C:\data\sys\batch\cisa\kev.csv
    Estimated Apple-related exploits: 106
    Estimated Android-related exploits: 110
    Estimated shared exploits: 20
    Press any key to continue . . .

    With all that in mind, the best insight I can offer the people on this newsgroup is the observation Apple "said" that they locked you into the barbed-wire prison garden for your safety. And yet, you gained no safety.

    Why?
    Apple lied.

    They didn't lock you into the walled garden for your safety after all.
    That is one of the insightful observations I can teach folks on this ng.
  • From Chris@ithinkiam@gmail.com to misc.phone.mobile.iphone,comp.mobile.android,comp.sys.mac.advocacy on Tue Sep 30 17:52:50 2025
    From Newsgroup: misc.phone.mobile.iphone

    Marion <marionf@fact.com> wrote:
    Chris wrote:
    Can we work together? You, me, Steve and badgolferman at least?
    Would you run this batch script on Windows, macOS or Linux please?
    Not possible as batch scripts are Windows only and barely portable.

    Hi Chris,

    I write portable code. I write extensible code. I write readable code.
    I think ahead. I am always thinking strategically.

    I want others to run the code so I wrote it to be cross platform portable. Out of the box.

    I want others to improve the code so I wrote it to be easily extensible.
    Out of the box.

    Since you're trying to parse the data to get the truth out of it, I'll be gentle when I say "you're wrong" on that - but I understand why you think that powershell doesn't run on Linux or macOS so I'll explain further below.

    I *designed* the process to run on Linux, macOS or Windows.
    I just didn't test it on macOS or Linux but I designed it as X-platform.

    Here is a readme that I just now wrote to make it more obvious to others
    that what I wrote was designed to work on Linux, macOS and on Windows.

    ========================================================================
    Begin README.txt (v1.0) for kev.ps1 (running kev.ps1 on all platforms).
    ========================================================================
    This script analyzes the CISA Known Exploited Vulnerabilities (KEV)
    database to compare Apple's iOS & Android-related security threats.

    It works on macOS, Linux & Windows (I only tested it on Windows).
    ========================================================================
    SCRIPT OVERVIEW: What kev.ps1 Does
    ========================================================================
    kev.ps1 is a cross-platform PowerShell script that analyzes the CISA
    Known Exploited Vulnerabilities (KEV) database to compare threats.
    ------------------------------------------------------------------------
    KEY FEATURES
    ------------------------------------------------------------------------
    1. Downloads the latest KEV CSV file from GitHub
    (or uses a local copy if configured)
    2. Filters out irrelevant entries (e.g., smart appliances, printers, IoT)
    3. Uses keyword matching & vendor-product logic to identify:
    a. iOS-specific vulnerabilities
    b. Android-specific vulnerabilities
    c. Shared vulnerabilities affecting both platforms
    4. Saves results to timestamped log files in a ./logs directory:
    a. ios_matches_YYYYMMDD_HHMMSS.log
    b. android_matches_YYYYMMDD_HHMMSS.log
    c. shared_matches_YYYYMMDD_HHMMSS.log
    d. kev_output_YYYYMMDD_HHMMSS.log (summary)
    5. Outputs results to the console (with added platform-detection info)
    6. Includes toggle to count or exclude macOS vulnerabilities
    7. Designed for portability across Windows, macOS, & Linux
    8. Designed for extensibility to hone the desired output data.
    ========================================================================
    Windows users can run kev.bat, but macOS & Linux users should follow
    these instructions below to run kev.ps1 directly.
    ========================================================================
    ------------------------------------------------------------------------
    REQUIREMENTS (PowerShell runs on Windows, macOS & Linux)
    ------------------------------------------------------------------------
    PowerShell Core (pwsh) must be installed
    <https://github.com/PowerShell/PowerShell>
    ------------------------------------------------------------------------
    INSTALLATION
    ------------------------------------------------------------------------
    macOS:
    $ brew install --cask powershell

    Ubuntu/Debian:
    $ sudo apt-get install -y powershell

    Fedora/RHEL:
    $ sudo dnf install -y powershell
    ------------------------------------------------------------------------
    USAGE
    ------------------------------------------------------------------------
    1. Open a terminal & navigate to the folder containing kev.ps1
    2. Run the script using PowerShell Core:
    $ pwsh ./kev.ps1
    3. If you see an execution policy error, bypass it temporarily:
    $ pwsh -Command "Set-ExecutionPolicy -Scope Process -ExecutionPolicy Bypass"
    ------------------------------------------------------------------------
    OPTIONAL: Use Local CSV Instead of Downloading
    ------------------------------------------------------------------------
    To avoid downloading the KEV CSV every time:

    1. Edit kev.ps1 & change:
    $useLocalFile = $false
    to:
    $useLocalFile = $true
    2. Place kev.csv in the same folder as kev.ps1
    ------------------------------------------------------------------------
    OUTPUT
    ------------------------------------------------------------------------
    Results will be saved in the ./logs directory:
    a. ios_matches_YYYYMMDD_HHMMSS.log
    b. android_matches_YYYYMMDD_HHMMSS.log
    c. shared_matches_YYYYMMDD_HHMMSS.log
    d. kev_output_YYYYMMDD_HHMMSS.log
    ========================================================================
    End of README.txt for kev.ps1, version 1.0
    ========================================================================


    I prefer open source, portable code like R. You can install R from here:
    https://cran.r-project.org/

    From their FAQ:
    "R is a system for statistical computation and graphics.
    It consists of a language plus a run-time environment with graphics,
    a debugger, access to certain system functions, and the ability to
    run programs stored in script files."

    That works fine I'm sure.

    The real problem with parsing the CISA KEV database is how the database
    is organized. The organization is what's difficult about parsing it.

    You can find my version of the code here (note the 'blob:' is a valid
    part of the url):
    blob:https://creativedemon.github.io/654c1274-4117-4e0b-adfb-48ca3dc38fa8

    I tried a couple of browsers and it said it didn't exist.

    It reads the data and makes two plots. The general threat distribution
    and the time-based comparison between iOS and Android (by best
    approximation and given the significant caveats of CISA).

    I'm sure those plots are nice, and if I had wanted them, what I'd use is Python which would go something like this first version (needs improvement).

    ########################################################################
    # plotkev.py
    # Requires: pandas, matplotlib
    # Usage: python plotkev.py
    ########################################################################
    # DESCRIPTION
    ########################################################################
    # plotkev.py analyzes the CISA Known Exploited Vulnerabilities
    # (KEV) database to compare iOS and Android-related security threats.
    #
    # It performs the following tasks:
    # 1. Downloads the latest KEV CSV from GitHub
    # 2. Filters out irrelevant entries (e.g., smart appliances, printers)
    # 3. Uses keyword logic to classify each vulnerability as iOS, Android,
    # Shared, or Other
    # 4. Generates two plots:
    # a. kev_distribution.png
    # (Bar chart showing total vulnerabilities by platform)
    # b. kev_time_comparison.png
    # (Line chart showing cumulative vulnerabilities over time)
    #
    # This script is designed to approximate platform-specific threat exposure
    # using public KEV data, with known limitations due to KEV scope and bias.
    ########################################################################
    import pandas as pd
    import matplotlib.pyplot as plt
    from datetime import datetime

    # Download or load the KEV CSV
    csv_url =

    "https://raw.githubusercontent.com/cisagov/kev-data/develop/known_exploited_vulnerabilities.csv"
    df = pd.read_csv(csv_url)

    # Define keyword logic
    ios_keywords = [
    "apple", "ios", "ipados", "watchos", "webkit", "safari",
    "secure enclave", "coregraphics", "coremedia", "corefoundation",
    "springboard", "launchd", "sandbox", "macos"
    ]
    android_keywords = [
    "android", "google", "pixel", "samsung", "qualcomm", "mediatek",
    "play services", "keymaster", "keystore", "secure element", "omapi",
    "webkit"
    ]
    exclude_keywords = [
    "refrigerator", "tv", "washer", "dryer", "smart appliance", "iot",
    "industrial", "printer", "apple tv", "homepod", "airtag"
    ]

    # Normalize text
    df["text"] = (df["vendorProject"].fillna("") + " " +
    df["product"].fillna("") + " " +
    df["vulnerabilityName"].fillna("")).str.lower()

    # Filter out irrelevant entries
    for keyword in exclude_keywords:
    df = df[~df["text"].str.contains(keyword)]

    # Classify entries
    def classify(row):
    ios = any(k in row["text"] for k in ios_keywords)
    android = any(k in row["text"] for k in android_keywords)
    if ios and android:
    return "Shared"
    elif ios:
    return "iOS"
    elif android:
    return "Android"
    else:
    return "Other"

    df["Platform"] = df.apply(classify, axis=1)

    # Plot 1: General Threat Distribution
    platform_counts = df["Platform"].value_counts()
    plt.figure(figsize=(8, 5))
    platform_counts.plot(kind="bar", color=["skyblue", "lightgreen",
    "orange", "gray"])
    plt.title("General Threat Distribution (CISA KEV)")
    plt.ylabel("Number of Vulnerabilities")
    plt.xticks(rotation=0)
    plt.tight_layout()
    plt.savefig("kev_distribution.png")
    plt.close()

    # Plot 2: Time-Based Comparison
    df["dateAdded"] = pd.to_datetime(df["dateAdded"], errors="coerce")
    df = df.dropna(subset=["dateAdded"])
    df["date"] = df["dateAdded"].dt.to_period("M").dt.to_timestamp()

    time_series = df[df["Platform"].isin(["iOS", "Android", "Shared"])]
    time_counts = time_series.groupby(["date",
    "Platform"]).size().unstack(fill_value=0)
    time_counts["iOS_total"] = time_counts["iOS"] + time_counts["Shared"]
    time_counts["Android_total"] = time_counts["Android"] + time_counts["Shared"]

    plt.figure(figsize=(10, 6))
    plt.plot(time_counts.index, time_counts["iOS_total"].cumsum(),
    label="iOS", color="blue")
    plt.plot(time_counts.index, time_counts["Android_total"].cumsum(),
    label="Android", color="green")
    plt.title("Cumulative Vulnerabilities Over Time")
    plt.xlabel("Date Added to KEV")
    plt.ylabel("Cumulative Count")
    plt.legend()
    plt.grid(True)
    plt.tight_layout()
    plt.savefig("kev_time_comparison.png")
    plt.close()

    ########################################################################
    # End of plotkev.py
    ########################################################################


    This code will definitely not do what you want it to do. For example, you include "macos" in your ios keywords list. Plus, you don't deal with
    iOS false positives like IOS and FortiOS.
    --- Synchronet 3.21a-Linux NewsLink 1.2
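Added example, not part of any post in this thread: the false positives named above come from substring matching, where "ios" also occurs inside "fortios" and "nagios" and is the whole of Cisco's "IOS" once lowercased. The sketch compares the thread's substring approach with whole-token matching gated on the vendorProject field. The sample rows, placeholder CVE IDs, function names and the vendor-to-product allowlist are assumptions made for illustration.

```python
import csv
import io
import re

# Constructed sample in the KEV CSV column layout used by the scripts in this
# thread. The CVE IDs are placeholders, not real catalog entries.
SAMPLE_CSV = """cveID,vendorProject,product,vulnerabilityName
CVE-0000-0001,Apple,iOS and iPadOS,Apple iOS and iPadOS Memory Corruption Vulnerability
CVE-0000-0002,Fortinet,FortiOS,Fortinet FortiOS Out-of-Bounds Write Vulnerability
CVE-0000-0003,Cisco,IOS and IOS XE,Cisco IOS and IOS XE Software Denial-of-Service Vulnerability
CVE-0000-0004,Nagios,Nagios XI,Nagios XI Remote Code Execution Vulnerability
CVE-0000-0005,Apple,macOS,Apple macOS Privilege Escalation Vulnerability
CVE-0000-0006,Android,Android OS,Android OS Privilege Escalation Vulnerability
CVE-0000-0007,Samsung,Mobile Devices,Samsung Mobile Devices Use-After-Free Vulnerability
CVE-0000-0008,Oracle,Java SE,Oracle Java SE Sandbox Bypass Vulnerability
"""

# Keyword lists as posted in plotkev.py (substring matching, no exclusions).
IOS_KEYWORDS = [
    "apple", "ios", "ipados", "watchos", "webkit", "safari",
    "secure enclave", "coregraphics", "coremedia", "corefoundation",
    "springboard", "launchd", "sandbox", "macos",
]
ANDROID_KEYWORDS = [
    "android", "google", "pixel", "samsung", "qualcomm", "mediatek",
    "play services", "keymaster", "keystore", "secure element", "omapi",
    "webkit",
]

# Assumed allowlist: a row counts for a platform only when the vendor field
# matches exactly AND the product field contains one of these whole tokens.
# This trades recall for precision; shared components such as WebKit would
# need their own explicit rule.
IOS_VENDOR_PRODUCTS = {"apple": {"iphone", "ipad", "ios", "ipados", "watchos"}}
ANDROID_VENDOR_PRODUCTS = {
    "android": {"android"},
    "google": {"android", "pixel"},
    "samsung": {"galaxy", "android", "mobile", "tablet"},
}


def label(ios, android):
    if ios and android:
        return "Shared"
    if ios:
        return "iOS"
    if android:
        return "Android"
    return "Other"


def naive_platform(row):
    """Substring match over vendor + product + vulnerability name."""
    text = " ".join(
        [row["vendorProject"], row["product"], row["vulnerabilityName"]]
    ).lower()
    return label(
        any(k in text for k in IOS_KEYWORDS),
        any(k in text for k in ANDROID_KEYWORDS),
    )


def strict_platform(row):
    """Exact vendor match plus whole-token match on the product field."""
    vendor = row["vendorProject"].strip().lower()
    product_tokens = set(re.findall(r"[a-z0-9]+", row["product"].lower()))
    ios = bool(IOS_VENDOR_PRODUCTS.get(vendor, set()) & product_tokens)
    android = bool(ANDROID_VENDOR_PRODUCTS.get(vendor, set()) & product_tokens)
    return label(ios, android)


def compare(csv_text):
    """Return (cveID, naive label, strict label) for every row."""
    rows = csv.DictReader(io.StringIO(csv_text))
    return [(r["cveID"], naive_platform(r), strict_platform(r)) for r in rows]


def false_positives(csv_text):
    """CVE IDs the substring approach assigns to a platform but the strict rule rejects."""
    return [
        cve for cve, naive, strict in compare(csv_text)
        if naive != "Other" and strict == "Other"
    ]


if __name__ == "__main__":
    for cve, naive, strict in compare(SAMPLE_CSV):
        print(f"{cve}  substring={naive:8} strict={strict}")
    print("rejected by strict rule:", false_positives(SAMPLE_CSV))
```

Adding vendor names to an exclusion list removes these rows one vendor at a time; matching on tokens and the vendor field removes the whole class, including vendors not yet noticed.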
  • From Marion@marionf@fact.com to misc.phone.mobile.iphone,comp.mobile.android,comp.sys.mac.advocacy on Wed Oct 1 05:13:23 2025
    From Newsgroup: misc.phone.mobile.iphone

    Chris wrote:
    This code will definitely not do what you want it to do. For example, you include "macos" in your ios keywords list.

    Chris,

    Thanks for taking a look at the code as we all want to make it even better.
    I designed the code to not only be cross platform, but to be extensible.

    To that end, you'll see a macOS switch which is trivial to turn on/off.
    $includeMacOS = $true # Set to $false to exclude macOS in iOS counts
    $includeMacOS = $false # Set to $true to include macOS in iOS counts

    The macOS exploits are a funny thing about the KEV database.
    It doesn't really matter whether you include them, or not.

    Try it.

    Here's a run, just now, with the $includeMacOS switch turned on:
    Running on platform: Windows PowerShell
    PowerShell version: 5.1.19041.6328
    Downloaded fresh file: C:\data\sys\batch\cisa\kev.csv
    KEV vulnerability summary for: 2025-09-30 21:15:03
    Estimated Apple-related exploits: 107
    Estimated Android-related exploits: 110
    Estimated shared exploits: 20
    Press any key to continue . . .

    Here's a run with the $includeMacOS switch turned off.
    Running on platform: Windows PowerShell
    PowerShell version: 5.1.19041.6328
    Downloaded fresh file: C:\data\sys\batch\cisa\kev.csv
    KEV vulnerability summary for: 2025-09-30 21:16:24
    Estimated Apple-related exploits: 102
    Estimated Android-related exploits: 110
    Estimated shared exploits: 20
    Press any key to continue . . .

    It doesn't really change things by much.

    But it's good that you're looking at what the code does, as we all want to make it better so that it reports the truth about Apple & Android in KEV.

    Plus, you don't deal with
    iOS false positives like IOS and FortiOS.

    Ah, now we're working together to improve the output accuracy!
    Thanks. I hadn't even noticed the FortiOS entries until you pointed it out. Good. Let's remove them.

    I'll change from this:
    # Parse KEV CSV and count keyword matches
    $excludeKeywords = @(
    "refrigerator", "tv", "washer", "dryer", "smart appliance",
    "iot", "industrial", "printer", "apple tv", "homepod", "airtag"
    )

    To this:
    # Parse KEV CSV and count keyword matches
    $excludeKeywords = @(
    "refrigerator", "tv", "washer", "dryer", "smart appliance",
    "iot", "industrial", "printer", "apple tv", "homepod", "airtag",
    "fortinet", "fortios", "fortiproxy"
    )

    Wow. That made much more of a difference than the macOS switch did!
    Running on platform: Windows PowerShell
    PowerShell version: 5.1.19041.6328
    Using local file: C:\data\sys\batch\cisa\kev.csv
    KEV vulnerability summary for: 2025-09-30 21:24:10
    Estimated Apple-related exploits: 88
    Estimated Android-related exploits: 110
    Estimated shared exploits: 20
    Press any key to continue . . .

    This is great. Let's keep the suggestions coming, as the goal is to
    accurately parse the KEV data, which admittedly is difficult to do.

    Unfortunately, when I added chrome to both Android & iOS, the numbers shot
    up for both, but the goal is to simply arrive at the correct answer.

    I changed this:
    # Define keyword logic for iOS and Android
    # iOS includes Apple platforms and WebKit-based browsers
    $iosKeywords = @(
    "apple", "ios", "ipados", "watchos", "webkit", "safari",
    "secure enclave", "coregraphics", "coremedia", "corefoundation",
    "springboard", "launchd", "sandbox"
    )
    if ($includeMacOS) {
    $iosKeywords += "macos"
    }
    # Android includes Google platforms and common Android vendors
    $androidKeywords = @(
    "android", "google", "pixel", "samsung", "qualcomm", "mediatek",
    "play services", "keymaster", "keystore", "secure element", "omapi",
    "webkit" # added for hybrid apps and embedded browsers
    )

    To this:
    # Define keyword logic for iOS and Android
    # iOS includes Apple platforms and WebKit-based browsers
    $iosKeywords = @(
    "apple", "ios", "ipados", "watchos", "webkit", "safari",
    "secure enclave", "coregraphics", "coremedia", "corefoundation",
    "springboard", "launchd", "sandbox", "chromium", "mojo"
    )
    if ($includeMacOS) {
    $iosKeywords += "macos"
    }
    # Android includes Google platforms and common Android vendors
    $androidKeywords = @(
    "android", "google", "pixel", "samsung", "qualcomm", "mediatek",
    "play services", "keymaster", "keystore", "secure element", "omapi",
    "webkit", "chromium", "mojo"
    )
    The addition of 'chromium' and 'mojo' to both the iOS and Android keyword lists enables the script to correctly identify vulnerabilities in shared browser components. This ensures that exploits affecting Chromium-based technologies (such as sandbox escapes or rendering engine flaws) are
    counted as shared threats across both platforms, rather than being misclassified as Android-only or missed entirely.

    That improved the accuracy of the output greatly.
    Running on platform: Windows PowerShell
    PowerShell version: 5.1.19041.6328
    Using local file: C:\data\sys\batch\cisa\kev.csv
    KEV vulnerability summary for: 2025-09-30 21:30:10
    Estimated Apple-related exploits: 145
    Estimated Android-related exploits: 110
    Estimated shared exploits: 134
    Press any key to continue . . .

    The Cisco "IOS" problem is harder to solve as we can't trust that it will always be uppercased, so I'm adding an exclusion for all Cisco products.

    Here is the exclusion list before I made the changes:
    # Parse KEV CSV and count keyword matches
    $excludeKeywords = @(
    "refrigerator", "tv", "washer", "dryer", "smart appliance", "iot",
    "industrial", "printer", "apple tv", "homepod", "airtag",
    "fortinet", "fortios", "fortiproxy"
    )

    Here is the exclusion list after I added Cisco products.
    # Parse KEV CSV and count keyword matches
    $excludeKeywords = @(
    "refrigerator", "tv", "washer", "dryer", "smart appliance", "iot",
    "industrial", "printer", "apple tv", "homepod", "airtag",
    "fortinet", "fortios", "fortiproxy", "cisco"
    )

    That changed the numbers to:
    Running on platform: Windows PowerShell
    PowerShell version: 5.1.19041.6328
    Using local file: C:\data\sys\batch\cisa\kev.csv
    KEV vulnerability summary for: 2025-09-30 21:38:22
    Estimated Apple-related exploits: 103
    Estimated Android-related exploits: 110
    Estimated shared exploits: 134
    Press any key to continue . . .

    I was going to post the code for all to audit, but then I looked even
    closer and found the following false positives in the Apple output.
    CVE-2012-5076 (Oracle Java)
    CVE-2013-0431 (Oracle JRE)
    CVE-2014-0546 (Adobe Acrobat)
    CVE-2019-1003029 (Jenkins)
    CVE-2019-11708 (Mozilla Firefox/Thunderbird)
    CVE-2019-15949 (Nagios)
    CVE-2021-25296, CVE-2021-25297, CVE-2021-25298 (Nagios)
    CVE-2022-0543 (Redis)
    CVE-2023-47565 (QNAP)
    CVE-2024-4040 (CrushFTP)

    Looking at them in detail, for example, take the adobe acrobat one.
    CVE-2014-0546 (Adobe Acrobat) Sandbox bypass in Adobe Acrobat and Reader.
    Primarily affects desktop environments (Windows/macOS).
    Acrobat Reader is available on mobile, but this CVE targets desktops.
    So it's not directly related to iOS or Android.

    Likewise with the Firefox exploit:
    CVE-2019-11708 (Mozilla Firefox/Thunderbird) Sandbox escape vulnerability.
    Firefox is available on Android, but this CVE targets desktop builds.
    Thunderbird is not available on mobile (well, kind of sort of).
    So it's likely not directly related to iOS or Android.

    But then I had to look at why the Oracle and Redis and others were caught.
    CVE-2012-5076: Oracle Java SE sandbox bypass -> matched "sandbox"
    CVE-2013-0431: Oracle JRE sandbox bypass -> matched "sandbox"
    CVE-2019-1003029: Jenkins sandbox bypass -> matched "sandbox"
    CVE-2019-15949: Nagios RCE -> matched "remote code execution"
    CVE-2021-25296-25298: Nagios command injection -> matched "command"
    CVE-2022-0543: Redis sandbox escape -> matched "sandbox"
    CVE-2023-47565: QNAP command injection -> matched "command"
    CVE-2024-4040: CrushFTP sandbox escape -> matched "sandbox"

    So I modified the exclusion list from this:
    $excludeKeywords = @(
    "refrigerator", "tv", "washer", "dryer", "smart appliance", "iot",
    "industrial", "printer", "apple tv", "homepod", "airtag", "fortinet",
    "fortios", "fortiproxy", "cisco"
    )

    To this:
    $excludeKeywords = @(
    "refrigerator", "tv", "washer", "dryer", "smart appliance", "iot",
    "industrial", "printer", "apple tv", "homepod", "airtag", "fortinet",
    "fortios", "fortiproxy", "cisco", "oracle", "adobe", "jenkins", "mozilla",
    "nagios", "redis", "qnap", "crushftp"
    )

    That changed the resulting output summary to this:
    Running on platform: Windows PowerShell
    PowerShell version: 5.1.19041.6328
    Using local file: C:\data\sys\batch\cisa\kev.csv
    KEV vulnerability summary for: 2025-09-30 22:05:46
    Estimated Apple-related exploits: 91
    Estimated Android-related exploits: 110
    Estimated shared exploits: 134
    Press any key to continue . . .

    This is getting long so I'll post the results in the next post instead.
    But here is the comment section showing I added all your suggestions.
    Please keep them coming as I don't care what the KEV database says.
    I care only that we correctly analyze what it says.
    It's what intelligent people do.


    ###############################################################################
    ## Version 1.0 20250829 (41L)
    ## Extensible Windows batch/powershell script to parse csv/json CISA KEV db
    ## Uses powershell to parse csv/json CISA database for iOS vs Android
    ## Added comment discipline rules for ASCII-only and no oxford comma
    ## CSV downloaded from GitHub mirror of CISA KEV database
    ## Keyword logic uses lowercase match on vendor, product, and vuln name
    ## Matching uses wildcard logic with simple substring detection
    ## Results printed to console with Write-Host
    ## Script can be extended to log output or refine keyword logic
    ## Version 1.1 20250929 (56L)
    ## Adds time-stamped output file to current directory
    ## Uses Get-Date with custom format for filename
    ## Output file includes iOS and Android known exploit counts
    ## Output file UTF8 encoding for platform/editor compatibility
    ## Version 1.2 20250929 (68L)
    ## Expands keyword logic for iOS and Android ecosystems
    ## Adds ipad, watchos, macos, pixel, samsung, qualcomm, mediatek
    ## Improves platform distinction across shared components like WebKit
    ## Android common vendors & chipsets: pixel, samsung, qualcomm, mediatek
    ## iOS platforms: ipad, ipados, watchos, macos
    ## Used Join-Path to make filespecs usable on Windows/Linux/macOS
    ## Version 1.3 20250929 (87L)
    ## Added an output log to a separate file of each match with its source line
    ## Modified filespecs to enable macOS/Linux PowerCore portability
    ## Version 1.4 20250929 (97L)
    ## Included CVE ID in logs (Adds traceability & audit value)
    ## Added platform detection (Join-Path & $PWD)
    ## Add toggle for local file (avoid unnecessary d/l when testing)
    ## Version 1.5 20250929 (108L)
    ## Add exclusion filtering logic (e.g., samsung TVs)
    ## Exclusion filtering removes Apple smart home devices.
    ## Version 1.6 20250929 (130L)
    ## Added shared-match detection to avoid double counting overlapping attack
    ## surfaces in platform-specific summaries
    ## Version 1.7 20250929 (141L)
    ## Added vendor-product dictionary-style mapping to exclude false positives
    ## like "Samsung tv" or "refrigerator" or "Apple tv" or "homepod"
    ## Version 1.8 20250929 (148L)
    ## Refined keyword logic for deeper iOS & Android exploit detection
    ## around shared components like WebKit & cryptographic modules
    ## Apple includes subsystems like secure enclave, coremedia & launchd
    ## Android includes cryptographic modules & shared components like
    ## keymaster, webkit & play services.
    ## Version 1.9 20250929 (163L)
    ## Moved all log files into ./logs directory to reduce clutter
    ## Added usage instructions for macOS/Linux (pwsh)
    ## Version 2.0 20250929 (207L)
    ## Added toggle to include/exclude macOS from iOS counts
    ## Fixed platform detection (Join-Path & $PWD) console output
    ## Version 2.1 20250929 (212L)
    ## Added output of the PowerShell version (in case of mismatches)
    ## Version 2.2 20250930 (219L)
    ## Added date in the console output
    ## Version 2.3 20250930 (228L)
    ## Removed false positives from desktop and server-side CVEs
    ## Added 'chromium' & 'mojo' to iOS & Android keyword lists
    ## Improved detection of shared browser & sandbox escape exploits
    ## Added exclusion for Fortinet, Cisco, Oracle & Adobe using keywords of
    ## fortinet, fortios, fortiproxy, cisco, oracle, adobe, jenkins, mozilla,
    ## nagios, redis, qnap, crushftp

    ###############################################################################
    --- Synchronet 3.21a-Linux NewsLink 1.2
  • From Marion@marionf@fact.com to misc.phone.mobile.iphone,comp.mobile.android,alt.comp.os.windows-10,comp.sys.mac.advocacy on Wed Oct 1 05:29:30 2025
    From Newsgroup: misc.phone.mobile.iphone

    Marion wrote:
    This is getting long so I'll post the results in the next post instead.
    But here is the comment section showing I added all your suggestions.
    Please keep them coming as I don't care what the KEV database says.
    I care only that we correctly analyze what it says.
    It's what intelligent people do.


    Below is the latest kev.ps1 version

    This kev.ps1 is a cross-platform (mac/linux/windows) PowerShell script that analyzes the CISA Known Exploited Vulnerabilities (KEV) catalog to estimate how many listed CVEs affect Apple (iOS/macOS) and Android platforms.

    It uses keyword matching to classify exploits, filters out false positives, and outputs a summary with counts for Apple-related, Android-related, and shared vulnerabilities.

    Here is the latest summary from that file (with macOS exploits excluded). Detailed logs are output for every CVE found, for reliable auditing.

    ###############################################################################
    # Define script version
    $scriptVersion = "kev.ps1 version 2.4 20250930"
    ## An Extensible cross-platform batch/powershell script to parse CISA KEV db
    ## Analyzes the CISA Known Exploited Vulnerabilities (KEV) database
    ## to compare iOS and Android-related security threats.
    ## a. Downloads latest KEV CSV or uses a local copy of the KEV CSV file
    ## b. Filters out irrelevant entries (e.g., smart appliances, printers)
    ## c. Uses keywords & vendor-product logic for platform-specific exploits
    ## d. Identifies shared vulnerabilities affecting both ecosystems
    ## e. Logs results to timestamped files in a clean ./logs directory
    ## f. Outputs Apple vs Android exploit summaries to console & log files
    ## All logs are saved in the ./logs directory:
    ## A. ios_matches_YYYYMMDD_HHMMSS.log
    ## B. android_matches_YYYYMMDD_HHMMSS.log
    ## C. shared_matches_YYYYMMDD_HHMMSS.log
    ## D. kev_output_YYYYMMDD_HHMMSS.log (summary)
    ## Note the CISA KEV db lists only about 6% of all known vulnerabilities!
    ## <medium.com/@yotamperkal/cisa-kev-a-balanced-perspective-ff3856e69ba9>
    ## That's because the KEV db only contains exploits meeting these criteria:
    ## 1. The exploit has a valid CVE ID.
    ## 2. There is reliable evidence of active exploitation.
    ## 3. A clear remediation action is already available to the general public.
    ###############################################################################
    ## Windows Usage: C:\> kev.bat
    ## Where kev.bat is the following three lines of code:
    ## set "PS_SCRIPT=kev.ps1" REM iOS vs Android known patched exploits
    ## powershell -ExecutionPolicy Bypass -File "%~dp0%PS_SCRIPT%"
    ## pause
    ## Linux/macOS Usage: $ pwsh ./kev.ps1
    ## Requires PowerShell Core (pwsh) <https://github.com/PowerShell/PowerShell>
    ## Make sure execution policy allows script execution:
    ## $ pwsh -Command "Set-ExecutionPolicy -Scope Process -ExecutionPolicy Bypass"
    ###############################################################################
    ## Version 1.0 20250829 (41L)
    ## Extensible Windows batch/powershell script to parse csv/json CISA KEV db
    ## Uses powershell to parse csv/json CISA database for iOS vs Android
    ## Added comment discipline rules for ASCII-only and no oxford comma
    ## CSV downloaded from GitHub mirror of CISA KEV database
    ## Keyword logic uses lowercase match on vendor, product, and vuln name
    ## Matching uses wildcard logic with simple substring detection
    ## Results printed to console with Write-Host
    ## Script can be extended to log output or refine keyword logic
    ## Version 1.1 20250929 (56L)
    ## Adds time-stamped output file to current directory
    ## Uses Get-Date with custom format for filename
    ## Output file includes iOS and Android known exploit counts
    ## Output file UTF8 encoding for platform/editor compatibility
    ## Version 1.2 20250929 (68L)
    ## Expands keyword logic for iOS and Android ecosystems
    ## Adds ipad, watchos, macos, pixel, samsung, qualcomm, mediatek
    ## Improves platform distinction across shared components like WebKit
    ## Android common vendors & chipsets: pixel, samsung, qualcomm, mediatek
    ## iOS platforms: ipad, ipados, watchos, macos
    ## Used Join-Path to make filespecs usable on Windows/Linux/macOS
    ## Version 1.3 20250929 (87L)
    ## Added an output log to a separate file of each match with its source line
    ## Modified filespecs to enable macOS/Linux PowerCore portability
    ## Version 1.4 20250929 (97L)
    ## Included CVE ID in logs (Adds traceability & audit value)
    ## Added platform detection (Join-Path & $PWD)
    ## Add toggle for local file (avoid unnecessary d/l when testing)
    ## Version 1.5 20250929 (108L)
    ## Add exclusion filtering logic (e.g., samsung TVs)
    ## Exclusion filtering removes Apple smart home devices.
    ## Version 1.6 20250929 (130L)
    ## Added shared-match detection to avoid double counting overlapping attack
    ## surfaces in platform-specific summaries
    ## Version 1.7 20250929 (141L)
    ## Added vendor-product dictionary-style mapping to exclude false positives
    ## like "Samsung tv" or "refrigerator" or "Apple tv" or "homepod"
    ## Version 1.8 20250929 (148L)
    ## Refined keyword logic for deeper iOS & Android exploit detection
    ## around shared components like WebKit & cryptographic modules
    ## Apple includes subsystems like secure enclave, coremedia & launchd
    ## Android includes cryptographic modules & shared components like
    ## keymaster, webkit & play services.
    ## Version 1.9 20250929 (163L)
    ## Moved all log files into ./logs directory to reduce clutter
    ## Added usage instructions for macOS/Linux (pwsh)
    ## Version 2.0 20250929 (207L)
    ## Added toggle to include/exclude macOS from iOS counts
    ## Fixed platform detection (Join-Path & $PWD) console output
    ## Version 2.1 20250929 (212L)
    ## Added output of the PowerShell version (in case of mismatches)
    ## Version 2.2 20250930 (219L)
    ## Added date in the console output
    ## Version 2.3 20250930 (228L)
    ## Removed false positives from desktop and server-side CVEs
    ## Added 'chromium' & 'mojo' to iOS & Android keyword lists
    ## Improved detection of shared browser & sandbox escape exploits
    ## Added exclusion for Fortinet, Cisco, Oracle & Adobe using keywords of
    ## fortinet, fortios, fortiproxy, cisco, oracle, adobe, jenkins, mozilla,
    ## nagios, redis, qnap, crushftp
    ## Version 2.4 20250930 (231L)
    ## Added the script version to the console output for auditing purposes
    ###############################################################################
    # Platform detection (v2.3)
    $platform = $PSVersionTable.PSEdition
    $version = $PSVersionTable.PSVersion
    if ($platform -eq "Desktop") {
        Write-Host "Running on platform: Windows PowerShell"
    } elseif ($platform -eq "Core") {
        if ($IsWindows) {
            Write-Host "Running on platform: Windows (pwsh)"
        } elseif ($IsLinux) {
            Write-Host "Running on platform: Linux (pwsh)"
        } elseif ($IsMacOS) {
            Write-Host "Running on platform: macOS (pwsh)"
        } else {
            Write-Host "Running on platform: Unknown Core edition"
        }
    } else {
        Write-Host "Running on platform: Unknown"
    }
    Write-Host "PowerShell version: $version"
    # Download the KEV CSV from GitHub
    $useLocalFile = $false # Set to $true for testing of existing downloads
    $useLocalFile = $true # Set to $false to force download
    $includeMacOS = $true # Set to $false to exclude macOS in iOS counts
    $includeMacOS = $false # Set to $true to include macOS in iOS counts
    if ($useLocalFile) {
        $csvPath = Join-Path -Path $PWD -ChildPath "kev.csv"
        Write-Host "Using local file: $csvPath"
    } else {
        $csvUrl = "https://raw.githubusercontent.com/cisagov/kev-data/develop/known_exploited_vulnerabilities.csv"
        $csvPath = Join-Path -Path $PWD -ChildPath "kev.csv"
        Invoke-WebRequest -Uri $csvUrl -OutFile $csvPath
        Write-Host "Downloaded fresh file: $csvPath"
    }
    # Define keyword logic for iOS and Android
    # iOS includes Apple platforms and WebKit-based browsers
    $iosKeywords = @(
        "apple", "ios", "ipados", "watchos", "webkit", "safari",
        "secure enclave", "coregraphics", "coremedia", "corefoundation",
        "springboard", "launchd", "sandbox", "chromium", "mojo"
    )
    if ($includeMacOS) {
        $iosKeywords += "macos"
    }
    # Android includes Google platforms and common Android vendors
    $androidKeywords = @(
        "android", "google", "pixel", "samsung", "qualcomm", "mediatek",
        "play services", "keymaster", "keystore", "secure element", "omapi",
        "webkit", "chromium", "mojo"
    )
    # Initialize counters for each platform
    $iosCount = 0
    $androidCount = 0
    $timestamp = Get-Date -Format "yyyyMMdd_HHmmss"
    $logDir = Join-Path -Path "." -ChildPath "logs"
    if (-not (Test-Path $logDir)) {
        New-Item -ItemType Directory -Path $logDir | Out-Null
    }
    $iosLogPath = Join-Path -Path $logDir -ChildPath "ios_matches_$timestamp.log"
    $androidLogPath = Join-Path -Path $logDir -ChildPath "android_matches_$timestamp.log"
    $sharedLogPath = Join-Path -Path $logDir -ChildPath "shared_matches_$timestamp.log"
    $outputFile = Join-Path -Path $logDir -ChildPath "kev_output_$timestamp.log"
    # Parse KEV CSV and count keyword matches
    $excludeKeywords = @(
        "refrigerator", "tv", "washer", "dryer", "smart appliance", "iot", "industrial", "printer",
        "apple tv", "homepod", "airtag", "fortinet", "fortios", "fortiproxy", "cisco",
        "oracle", "adobe", "jenkins", "mozilla", "nagios", "redis", "qnap", "crushftp"
    )
    $vendorProductMap = @{
        "samsung" = @("galaxy", "android", "mobile", "tablet")
        "qualcomm" = @("snapdragon", "modem", "chipset")
        "apple" = @("iphone", "ipad", "ios", "watchos", "macbook")
    }
    if ($includeMacOS) {
        $vendorProductMap["apple"] += "macos"
    }
    Import-Csv $csvPath | ForEach-Object {
        $text = ($_.vendorProject + " " + $_.product + " " + $_.vulnerabilityName).ToLower()
        $vendor = $_.vendorProject.ToLower()
        $product = $_.product.ToLower()
        # Skip irrelevant matches
        if ($excludeKeywords | Where-Object { $text -like "*$_*" }) {
            return
        }
        # Skip mismatched vendor-product combos
        if ($vendorProductMap.ContainsKey($vendor)) {
            $validProducts = $vendorProductMap[$vendor]
            if (-not ($validProducts | Where-Object { $product -like "*$_*" })) {
                return
            }
        }
        $logEntry = "$($_.cveID): $text"
        $iosMatch = $iosKeywords | Where-Object { $text -like "*$_*" }
        $androidMatch = $androidKeywords | Where-Object { $text -like "*$_*" }
        if ($iosMatch -and $androidMatch) {
            $iosCount++
            $androidCount++
            Add-Content -Path $iosLogPath -Value "$logEntry`n"
            Add-Content -Path $androidLogPath -Value "$logEntry`n"
            Add-Content -Path $sharedLogPath -Value "$logEntry`n"
        } elseif ($iosMatch) {
            $iosCount++
            Add-Content -Path $iosLogPath -Value "$logEntry`n"
        } elseif ($androidMatch) {
            $androidCount++
            Add-Content -Path $androidLogPath -Value "$logEntry`n"
        }
    }
    # Output results to console
    Write-Host "KEV vulnerability summary ($scriptVersion) for: $(Get-Date -Format 'yyyy-MM-dd HH:mm:ss')"
    Write-Host "Estimated Apple-related exploits: $iosCount"
    Write-Host "Estimated Android-related exploits: $androidCount"
    if (Test-Path $sharedLogPath) {
        # Count only non-blank lines: each entry is appended with a trailing `n,
        # which leaves a blank line after every match in the log
        $sharedCount = (Get-Content $sharedLogPath | Where-Object { $_.Trim() } | Measure-Object).Count
        Write-Host "Estimated shared exploits: $sharedCount"
        Add-Content -Path $sharedLogPath -Value "Shared iOS/Android vulnerabilities:`n"
        Add-Content -Path $sharedLogPath -Value "`nTotal shared matches: $sharedCount"
    } else {
        Write-Host "Estimated shared exploits: 0"
    }
    # Create time-stamped output file in current directory
    # $outputFile = "kev_output_$timestamp.log"
    # Allow for macOS/Linux PowerShell Core portability (filespec syntax)
    # Write results to file
    @(
        "KEV vulnerability summary $timestamp",
        "Estimated Apple-related exploits: $iosCount",
        "Estimated Android-related exploits: $androidCount"
    ) | Out-File -FilePath $outputFile -Encoding UTF8
    # Append a summary line to each match log (v1.4)
    Add-Content -Path $iosLogPath -Value "`nTotal iOS matches: $iosCount"
    Add-Content -Path $androidLogPath -Value "`nTotal Android matches: $androidCount"
    ###############################################################################
    ## end of kev.ps1
    ###############################################################################
    --
    --- Synchronet 3.21a-Linux NewsLink 1.2
  • From Marion@marionf@fact.com to misc.phone.mobile.iphone,comp.mobile.android,comp.sys.mac.advocacy on Wed Oct 1 05:34:09 2025
    From Newsgroup: misc.phone.mobile.iphone

    Marion wrote:
    Here is the latest summary from that file (with macOS exploits excluded).

    Oops. I forgot to list the summary.

    Running on platform: Windows PowerShell
    PowerShell version: 5.1.19041.6328
    Using local file: C:\data\sys\batch\cisa\kev.csv
    KEV vulnerability summary (kev.ps1 version 2.4 20250930)
    for: 2025-09-30 23:31:40
    Estimated iOS-related exploits: 91
    Estimated Android-related exploits: 110
    Estimated shared exploits: 134
    Press any key to continue . . .

    Note that Apple locked users into a barbed-wire prison garden "for your safety", and yet, there is no safety. Apple lied. Fancy that.

    There's a reason Apple locked you into that barbed-wire prison.
    But it wasn't "for your safety".

    Because if it was "for your safety", then you paid dearly.
    For nothing.
    --- Synchronet 3.21a-Linux NewsLink 1.2
  • From Chris@ithinkiam@gmail.com to misc.phone.mobile.iphone,comp.mobile.android,alt.comp.os.windows-10,comp.sys.mac.advocacy on Wed Oct 1 06:59:47 2025
    From Newsgroup: misc.phone.mobile.iphone

    Marion <marionf@fact.com> wrote:
    Marion wrote:
    This is getting long so I'll post the results in the next post instead.
    But here is the comment section showing I added all your suggestions.
    Please keep them coming as I don't care what the KEV database says.
    I care only that we correctly analyze what it says.
    It's what intelligent people do.


    Below is the latest kev.ps1 version

    ngs are a terrible place for sharing code. There are dozens of better ways
    used by millions of developers the world over. Keeping your privacy is also trivial.

    --- Synchronet 3.21a-Linux NewsLink 1.2
  • From Marion@marionf@fact.com to misc.phone.mobile.iphone,comp.mobile.android,alt.comp.os.windows-10,comp.sys.mac.advocacy on Wed Oct 1 08:06:09 2025
    From Newsgroup: misc.phone.mobile.iphone

    Chris wrote:
    Below is the latest kev.ps1 version

    ngs are a terrible place for sharing code. There are dozens of better ways used by millions of developers the world over. Keeping your privacy is also trivial.

    Chris,
    The whole point isn't "sharing my code" but to garner information from the
    KEV db, which I did. Anyone can get the EXACT SAME INFORMATION as I did.

    Which is the point.
    --- Synchronet 3.21a-Linux NewsLink 1.2
  • From Chris@ithinkiam@gmail.com to misc.phone.mobile.iphone,comp.mobile.android,comp.sys.mac.advocacy on Fri Oct 10 09:50:47 2025
    From Newsgroup: misc.phone.mobile.iphone

    Chris <ithinkiam@gmail.com> wrote:
    On 29/09/2025 13:16, Marion wrote:

    Can we work together? You, me, Steve and badgolferman at least?
    Would you run this batch script on Windows, macOS or Linux please?
    Not possible as batch scripts are Windows only and barely portable.

    I prefer open source, portable code like R. You can install R from here: https://cran.r-project.org/

    You can find my version of the code here (note the 'blob:' is a valid
    part of the url): blob:https://creativedemon.github.io/654c1274-4117-4e0b-adfb-48ca3dc38fa8

    For some reason that doesn't always work. Here's a better option and
    includes the results as well:
    https://rpubs.com/ithinkiam/cisa2025

    I'll use this resource from now on as a permanent store of facts. Arlen,
    you're more than welcome to use it as a source of truth.



    --- Synchronet 3.21a-Linux NewsLink 1.2
  • From Tom Elam@thomas.e.elam@gmail.com to misc.phone.mobile.iphone,comp.sys.mac.advocacy,comp.mobile.android on Sat Oct 11 11:28:45 2025
    From Newsgroup: misc.phone.mobile.iphone

    On 9/26/2025 12:36 PM, Marion wrote:
    What do folks make of this graph from the CISA data?
    <https://blog.ostorlab.co/static/img/2024_01_10_Known_exploitable_vulnerabilities/distribution_of_RE_NRE_CVES.png>

    REFERENCE:
    *Ostorlab Known Exploitable Vulnerabilities: Catching them all*
    <https://blog.ostorlab.co/known_exploitable_vulnerabilities_catching_them_all.html>

    See also:
    *Cybersecurity Insiders Vulnerability Comparison: Android vs iOS*
    <https://www.cybersecurity-insiders.com/vulnerability-comparison-android-vs-ios-in-the-face-of-cyber-attacks/>

    Quote from link #3

    "iOS Security Landscape: On the other hand, iOS, developed by Apple,
    follows a more closed ecosystem. This closed nature contributes to a
    more controlled environment, where Apple meticulously reviews apps
    before allowing them onto the App Store. This process significantly
    reduces the risk of malicious apps reaching users' devices.
    Additionally, iOS benefits from a unified hardware and software
    platform, resulting in more timely updates and a reduced fragmentation problem. The use of a tightly controlled app distribution model and
    strong encryption measures enhances the overall security posture of iOS."
  • From Marion@marionf@fact.com to misc.phone.mobile.iphone,comp.sys.mac.advocacy,comp.mobile.android on Sat Oct 11 16:52:50 2025
    From Newsgroup: misc.phone.mobile.iphone

    Tom Elam wrote:
    "iOS Security Landscape: On the other hand, iOS, developed by Apple,
    follows a more closed ecosystem. This closed nature contributes to a
    more controlled environment, where Apple meticulously reviews apps
    before allowing them onto the App Store. This process significantly
    reduces the risk of malicious apps reaching users' devices.
    Additionally, iOS benefits from a unified hardware and software
    platform, resulting in more timely updates and a reduced fragmentation problem. The use of a tightly controlled app distribution model and
    strong encryption measures enhances the overall security posture of iOS."

    You gave away all your hardware & software freedom of action to buy into a system so closed it is surrounded by barbed wire, for what? Security, right?

    And yet, iOS is no more secure than Android, and in many ways less secure.
    Why?

    HINT: The reason Apple locked up iOS is not for security after all, Tom.
    *it's for profits*