
Report: Apple overtakes Microsoft as most vulnerable vendor

Most people seem to think that Microsoft is the most insecure vendor while Apple reigns supreme at the top of the good security league. A new security report would appear to turn that assumption on its head: when it comes to the vendor with the most disclosed vulnerabilities, it claims, Apple has consistently ranked higher than Microsoft and now ranks number one in that particular bad guy top ten.

As the new Secunia Half Year Security Report 2010 is released, will Monday 12th July be remembered as the day Apple became the bad guy? The report charts how the threat posed by software vulnerabilities has evolved over the previous five years, and gives an outlook for the remainder of 2010 based on the first six months of data. Things aren't looking too great for Apple.

Perhaps the most surprising revelation in the Secunia report is that a relatively small group of just ten vendors, including Adobe, Apple, Cisco, IBM, Microsoft and Oracle, accounts for a staggering 38% of all the vulnerabilities disclosed each year.

Well, that and the claim that, when vendors are ranked by the number of vulnerabilities found across their entire product ranges, Microsoft is only bad guy number three. Oracle, which has been ranked number one for four of the last five years, has slipped to number two in this league table, overtaken by Apple during the first six months of the year.

The other key findings get rather overshadowed by the whole Apple-worse-than-Microsoft thing. Sure, it is interesting that between 2007 and 2009 the number of vulnerabilities affecting a typical end-user PC more than doubled, from 200 to 420, and that based on the data for the first half of 2010 Secunia expects it to almost double again, to 760. It is also interesting that a typical end-user PC with 50 programs installed has 3.5 times more vulnerabilities in its 24 third-party programs than in its 26 Microsoft ones, a ratio Secunia predicts will rise to 4.4 by the end of this year.

But not as interesting as Apple being flagged as an insecure vendor. So how did Secunia come to this pretty astonishing conclusion?

According to the report, the Secunia Vulnerability Intelligence database "contains information about more than 29,000 products and 4,000 vendors" in order to assess "the evolution of software security in an increasingly networked environment". It validates, verifies, and tests the vulnerability information gathered with consistent and standard processes, and also looks at the evolution and the distribution of vulnerability aspects such as the criticality, impact, attack vector and availability of patches.

When it comes to the 'Vendors with the most Vulnerabilities' section of the report, Secunia states that "Oracle (including Sun Microsystems and BEA Logic) ranked #1 in four out of five years overtaken by Apple in the first half of 2010, with Apple consistently ranking higher than Microsoft". It does point out, however, that this ranking does not indicate the actual security or lack thereof in vendor products but rather "shows that vulnerabilities continue to be discovered in significant numbers in products from even the largest and most popular vendors including those who spend significant resources on improving the security of their products".

Secunia admits it is not possible to compare vendors on the number of vulnerabilities alone; vendor performance is assessed instead by analysing changes in the type of vulnerability, code quality, the handling of vulnerability reports, the quality of patches, the ability to get updates to users, and the complexity of the product portfolio.
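To make the point of the last three paragraphs concrete, here is an added example (not Secunia's code, data or methodology) that ranks vendors from a set of advisories in two ways: by raw count, which is what a "most vulnerable vendor" headline is built on, and by the factors the report says actually matter, such as criticality, attack vector and patch availability. The vendor and product names below match the article, but every figure is invented so that the two rankings come out differently; the 1 to 5 criticality scale is an assumption of this example.

```python
"""Rank vendors from a list of advisories by raw count and by exposure.

Added example, not Secunia's code or data. The advisory list is constructed:
vendor names are taken from the article, the figures are made up.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Advisory:
    vendor: str
    product: str
    criticality: int   # 1 = not critical ... 5 = extremely critical (assumed scale)
    remote: bool       # True if the attack vector is "from remote"
    patched: bool      # True if a vendor fix was available when the advisory was issued


# Constructed sample set: invented figures, chosen so that the vendor with the
# most advisories is not the vendor with the most unpatched remote critical ones.
SAMPLE = [
    Advisory("Apple", "Safari", 4, True, True),
    Advisory("Apple", "QuickTime", 3, True, True),
    Advisory("Apple", "iTunes", 2, True, True),
    Advisory("Apple", "Mac OS X", 3, False, True),
    Advisory("Apple", "Mac OS X", 2, False, True),
    Advisory("Apple", "Safari", 1, True, True),
    Advisory("Oracle", "Database", 3, True, True),
    Advisory("Oracle", "WebLogic", 4, True, True),
    Advisory("Oracle", "Java", 5, True, False),
    Advisory("Oracle", "Solaris", 2, False, True),
    Advisory("Oracle", "Java", 4, True, True),
    Advisory("Microsoft", "Windows", 5, True, False),
    Advisory("Microsoft", "Internet Explorer", 5, True, False),
    Advisory("Microsoft", "Office", 4, True, True),
    Advisory("Microsoft", "Windows", 4, True, False),
]


def count_by_vendor(advisories):
    """Raw advisory count per vendor: the number the headline ranking uses."""
    counts = defaultdict(int)
    for a in advisories:
        counts[a.vendor] += 1
    return dict(counts)


def vendor_profile(advisories):
    """Per-vendor figures that a raw count hides.

    'exposed' counts advisories that are critical (4 or 5), remotely
    exploitable and had no vendor patch at disclosure: the ones an attacker
    can actually use against an up-to-date machine.
    """
    by_vendor = defaultdict(list)
    for a in advisories:
        by_vendor[a.vendor].append(a)
    profile = {}
    for vendor, advs in by_vendor.items():
        n = len(advs)
        products = {a.product for a in advs}
        exposed = [a for a in advs if a.criticality >= 4 and a.remote and not a.patched]
        profile[vendor] = {
            "count": n,
            "products": len(products),              # portfolio size
            "per_product": round(n / len(products), 2),
            "unpatched_share": round(sum(not a.patched for a in advs) / n, 2),
            "exposed": len(exposed),
        }
    return profile


def rank(profile, metric):
    """Vendor names ordered by one metric, highest first, ties broken by name."""
    return [v for v, _ in sorted(profile.items(), key=lambda kv: (-kv[1][metric], kv[0]))]


if __name__ == "__main__":
    profile = vendor_profile(SAMPLE)
    for metric in ("count", "per_product", "unpatched_share", "exposed"):
        print(f"{metric:>16}: {rank(profile, metric)}")
```

On the constructed data the raw count puts Apple first and Microsoft last, while the "exposed" metric reverses the order, which is exactly why Secunia warns that the count ranking "does not indicate the actual security or lack thereof in vendor products". Swap in a real advisory feed and the same functions show which ranking a given headline is based on.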

Niels Henrik Rasmussen, Secunia CEO and Founder, states in his introduction to the report that it "shows an alarming development in third party program vulnerabilities, representing an increasing threat to both users and business, which, however, continues to be greatly ignored. This trend is supported by the fact that users and businesses still perceive the operating system and Microsoft products to be the primary attack vector, largely ignoring 3rd party programs, and finding the actions to secure these too complex and time-consuming. Ultimately this leads to incomplete patch levels of the 3rd party programs, representing rewarding and effective targets for criminals".

The thing is, despite all this, I suspect that many people will simply find it hard to believe somehow, or anyhow for that matter, that Apple is a bigger security risk than Microsoft. I've read the report, and while the analysis and research is undoubtedly very thorough, the whole 'vulnerability performance' thing takes a lot of putting into perspective. As part of the bigger security picture though I'm just not sure that the evidence stacks up to support Apple being repositioned as public enemy number one.

Davey Winder

I'm a hacker turned writer and consultant, specialising in IT security. I've been a freelance word punk for over 20 years and along the way I have seen 23 of my books published, produced and presented programmes for TV and radio, picked up a bunch of awards and continue being a contributing editor with PC Pro, the best-selling IT magazine in the UK.


It's a shame that after all these years of FUD around security-related vulnerabilities none of your reporting takes into account the number of issues which result in real-world exposure. The argument that Apple just doesn't have enough market share falls to pieces when you compare it to the smartphone market. In this market Apple is clearly in a leadership position; however, the security issues reported have been around MS' mobile offering, bogus Android applications and jail-broken iPhones (the latter is of course such a small percentage of the overall market, yet because it is either lucrative or a matter of major pride it was hit, unlike Apple's desktop or its locked-down iPhones). Even the recent claims of iTunes being hacked turned out to be folks on the Windows side having malware on their machines which led to their accounts being compromised. Apple is the 2nd largest American company by market cap and therefore its properties would be extremely high-value targets. The real difference is that Apple's OS is based on 40 years of hardened code, UNIX, while MS has only started hardening their OS in the last 7 years (based on the continual stream of news about security issues for MS I'd say they have years to go).


Here are the real-world facts: Microsoft Windows consistently gets infected with a myriad of viruses, malware, trojans, key-loggers, spyware, and more! It is well documented how entire institutions have been brought down simply because they were using Windows.

So you can study vulnerabilities all day long, but when it comes to real exploits and real cases, Microsoft has proven that it is really incompetent compared with Apple and Linux.


Before I get Apple-bashed too much for this one, can I just point to the last paragraph which states: "many people will simply find it hard to believe somehow, or anyhow for that matter, that Apple is a bigger security risk than Microsoft" and "As part of the bigger security picture though I'm just not sure that the evidence stacks up to support Apple being repositioned as public enemy number one".


"Before I get Apple-bashed too much for this one"

More like secunia bashing.


I have seen fist fights in parking lots over the question "Ford or Chevy." This is the exact same scenario. Both vendors have their upsides and downsides. Trying to place one on a pedestal while kicking the other in the groin makes no sense. Apple, like any other company, has charged ahead with the goal of market share and "revolution" in the mobile field. In order to climb this ladder fast, compromises have to be made. For instance, Apple does not sign their patches. How hard would it be to inject a bad patch? Trivial; we have done it many times... at Starbucks (with our own hardware). Now, Apple has to start looking at how to protect itself. Market share dictates attacks, nothing more and nothing less. Yes, Apple is based on BSD and yes we hear all the time about *nix being superior. Again, NOTHING is impervious to compromise. I dislike all operating systems equally. But I despise the one that uses false advertising to lure customers into believing they are "safer" with their product. Just as many people have died in a Ford as a Chevy.


Again, the proof of Windows inferiority is in historical precedent. MS Windows, of all flavors, HAS been compromised and trashed by everyone, from script kiddies to career hackers.

At the same time, I have never heard of anyone being inconvenienced by a virus or other rogue software while using OS X or Linux.

If NOTHING is impervious to compromise, please post an instance in which an Apple or Linux computer has been damaged for an individual or to the point of making headlines.


The one thing that's hard to dispute is that MacOS will be under more attack as its market share increases. However, given the choice, I'll stick with an open architecture where I know that a lot of smart people are looking for security holes and reporting and fixing them - out of self-interest - over a closed one where I have to rely on the bug getting noticed, approved for attention, placed on someone's stack, gotten to, checked, re-checked, sent to PR so the press release can present the fix to the company's best advantage, and finally pushed out as a release among a bunch of other questionably desirable "upgrades".


"The one thing that's hard to dispute is that MacOS will be under more attack as its market share increases. However, given the choice, I'll stick with an open architecture where I know that a lot of smart people are looking for security holes and reporting and fixing them - out of self-interest - over a closed one where I have to rely on the bug getting noticed, approved for attention, placed on someone's stack, gotten to, checked, re-checked, sent to PR so the press release can present the fix to the company's best advantage, and finally pushed out as a release among a bunch of other questionably desirable "upgrades"."

The argument that once OSX or Linux get out of the niche market and become 'popular' targets (with the assumption being that they will then be compromised just like Windows) is not valid.

Remember, it's the architecture: How the software stack is built determines its security and stability, and therefore how easily malware will be able to penetrate the system.

If popularity was a weighting factor for system infectiousness, then the software running the entire Internet would have been brought to a halt years ago.


I didn't say it would be under more successful attack, only that more people would find it worthwhile to attack those systems. I then went on to say precisely that I'm putting my money on the UNIX-type OS, for the same reasons you give.

But you can't deny that the people who are trying to get their hooks into machines will be looking at the Mac/Linux machines with more interest as they are running on more machines. They might not find holes, and the holes might not last long, but they'll be looking for them.


Well, yes of course. Where there is a challenge, there will be a restless mind.
