Most people seem to think that Microsoft is the most insecure vendor while Apple reigns supreme at the top of the good security league. However, a new security report would appear to turn that assumption on its head: when vendors are ranked by the number of vulnerabilities disclosed in their products, Apple has consistently ranked higher than Microsoft and, indeed, now tops that particular bad guy top ten.
As the new Secunia Half Year Security Report 2010 is released, will Monday 12th July be remembered as the day Apple became the bad guy? The report charts how the threat posed by software vulnerabilities has evolved over the previous five years, and gives an outlook for the remainder of 2010 based upon the first six months of data. And things aren't looking too great for Apple.
Perhaps most surprising of the revelations contained within the Secunia report is the finding that a relatively small group of just ten vendors, including the likes of Adobe, Apple, Cisco, IBM, Microsoft and Oracle actually account for a staggering 38% of all the vulnerabilities that are disclosed on a yearly basis.
Well, that and the claim that, when ranked by the number of vulnerabilities found across the entire product ranges, Microsoft is only bad guy number three. Oracle, which has been ranked at number one for four of the last five years, has slipped to bad guy number two in this league table to be overtaken by Apple during the first six months of the year.
Other key findings kind of fall from grace as a result of the whole Apple worse than Microsoft thing. Sure, it's interesting to note that in the two years from 2007 to 2009 the number of vulnerabilities affecting a typical end-user PC almost doubled from 200 to 420, and Secunia estimates, based upon the data for the first half of 2010, that the number is expected to almost double again to 760. It's also interesting that a typical end-user PC with 50 programs installed has 3.5 times more vulnerabilities in the 24 third party programs than in the 26 Microsoft ones, a ratio that Secunia predicts will rise to 4.4 by the end of this year. Bear in mind that these are counts of disclosed vulnerabilities, not of exploited ones; but with the third party share rising, a patching routine that covers only Microsoft updates leaves the larger share of a PC's known holes open.
But not as interesting as Apple being flagged as an insecure vendor. So how did Secunia come to this pretty astonishing conclusion?
According to the report, the Secunia Vulnerability Intelligence database "contains information about more than 29,000 products and 4,000 vendors" in order to assess "the evolution of software security in an increasingly networked environment". It validates, verifies, and tests the vulnerability information gathered with consistent and standard processes, and also looks at the evolution and the distribution of vulnerability aspects such as the criticality, impact, attack vector and availability of patches.
When it comes to the 'Vendors with the most Vulnerabilities' section of the report, Secunia states that "Oracle (including Sun Microsystems and BEA Logic) ranked #1 in four out of five years overtaken by Apple in the first half of 2010, with Apple consistently ranking higher than Microsoft". It does point out, however, that this ranking does not indicate the actual security or lack thereof in vendor products but rather "shows that vulnerabilities continue to be discovered in significant numbers in products from even the largest and most popular vendors including those who spend significant resources on improving the security of their products".
Secunia admits it is not possible to compare vendors based on the number of vulnerabilities alone; instead, vendor performance is assessed by analysing changes in the types of vulnerability found, code quality, the handling of vulnerability reports, the quality of patches and the ability to update users, as well as the complexity of the product portfolio.
Niels Henrik Rasmussen, Secunia CEO and Founder, states in his introduction to the report that it "shows an alarming development in third party program vulnerabilities, representing an increasing threat to both users and business, which, however, continues to be greatly ignored. This trend is supported by the fact that users and businesses still perceive the operating system and Microsoft products to be the primary attack vector, largely ignoring 3rd party programs, and finding the actions to secure these too complex and time-consuming. Ultimately this leads to incomplete patch levels of the 3rd party programs, representing rewarding and effective targets for criminals".
The thing is, despite all this, I suspect that many people will simply find it hard to believe, somehow or anyhow, that Apple is a bigger security risk than Microsoft. I've read the report, and while the analysis and research is undoubtedly very thorough, the whole 'vulnerability performance' thing takes a lot of putting into perspective. As part of the bigger security picture I'm just not sure that the evidence stacks up to support Apple being repositioned as public enemy number one.