Vulnerabilities / Threats
7/12/2010
01:42 PM
Connect Directly
LinkedIn
Twitter
Google+
RSS
E-Mail
50%
50%

Apple Ranks First In Vulnerabilities

Secunia's latest security report finds that investments in security by major vendors have not decreased vulnerabilities in their products.

Ten technology vendors account for 38% of all vulnerabilities disclosed over the past five years, a percentage that has remained relatively stable during this period.

Yet, the number of vulnerabilities affecting PC users has been rising rapidly, thanks largely to increasingly vulnerable third-party applications.

The number of vulnerabilities affecting PC users in the first six months of the year reached 380, about 90% of the vulnerability total for all of 2009, according to Secunia's Half Year Security Report 2010.

If the trend continues, Secunia predicts 760 vulnerabilities by the end of the year, almost double the 420 vulnerabilities detected in 2009, and approaching four times as many as the 220 vulnerabilities detected in 2007.

In the ranking of the ten vendors with the most vulnerabilities in their products, Apple overtook Oracle during the first six months of the year. Oracle dropped to second place, followed by Microsoft, HP, Adobe, IBM, VMware, Cisco, Google, and Mozilla.

Secunia says that the security of these vendors' products cannot be judged by vulnerability counts alone and that one must consider changes in the types of vulnerabilities reported, code quality, handling of vulnerability reports, update mechanisms, and other factors to fully assess security.

Indeed, one need only to look at vast amount of malware targeting the Windows platform to see that while users of Apple software may face largely theoretical risk, users of Windows (some of whom may be running Apple's iTunes or Safari) software face clearly demonstrated risk.

Secunia says that its report supports the perception that high market share correlates with a high number of vulnerabilities.

At the same time, the report notes that the security efforts by the top vendors haven't had much success in reducing vulnerability counts.

"Despite increased investments into the security of their products, none of the seven vendors who occupied the Top-10 group in 2005 as well as in 2010 managed to decrease the number of vulnerabilities discovered in their products," the report states. "On the contrary, the vulnerability count of each of these seven vendors has increased to reach in 2009 between 136% and 440% of the 2005 count."

But if the major vendors aren't seeing a reduction in vulnerabilities as a result of their efforts, at least they're doing better than third-party vendors.

According Secunia, third-party programs are almost exclusively to blame for the increased risk to end-users when using the Internet. The firm says that a typical PC with 50 applications installed had 3.5x more vulnerabilities in 24 third-party programs than in 26 Microsoft programs installed. And that ratio is expected to shift to 4.4x by the end of 2010.

The report calls for wider deployment of automated patching mechanisms, something Secunia just happens to be working on, in the form of its Personal Software Inspector (PSI) 2.0.

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-2595
Published: 2014-08-31
The device-initialization functionality in the MSM camera driver for the Linux kernel 2.6.x and 3.x, as used in Qualcomm Innovation Center (QuIC) Android contributions for MSM devices and other products, enables MSM_CAM_IOCTL_SET_MEM_MAP_INFO ioctl calls for an unrestricted mmap interface, which all...

CVE-2013-2597
Published: 2014-08-31
Stack-based buffer overflow in the acdb_ioctl function in audio_acdb.c in the acdb audio driver for the Linux kernel 2.6.x and 3.x, as used in Qualcomm Innovation Center (QuIC) Android contributions for MSM devices and other products, allows attackers to gain privileges via an application that lever...

CVE-2013-2598
Published: 2014-08-31
app/aboot/aboot.c in the Little Kernel (LK) bootloader, as distributed with Qualcomm Innovation Center (QuIC) Android contributions for MSM devices and other products, allows attackers to overwrite signature-verification code via crafted boot-image load-destination header values that specify memory ...

CVE-2013-2599
Published: 2014-08-31
A certain Qualcomm Innovation Center (QuIC) patch to the NativeDaemonConnector class in services/java/com/android/server/NativeDaemonConnector.java in Code Aurora Forum (CAF) releases of Android 4.1.x through 4.3.x enables debug logging, which allows attackers to obtain sensitive disk-encryption pas...

CVE-2013-6124
Published: 2014-08-31
The Qualcomm Innovation Center (QuIC) init scripts in Code Aurora Forum (CAF) releases of Android 4.1.x through 4.4.x allow local users to modify file metadata via a symlink attack on a file accessed by a (1) chown or (2) chmod command, as demonstrated by changing the permissions of an arbitrary fil...

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
This episode of Dark Reading Radio looks at infosec security from the big enterprise POV with interviews featuring Ron Plesco, Cyber Investigations, Intelligence & Analytics at KPMG; and Chris Inglis & Chris Bell of Securonix.