Vulnerabilities / Threats
7/12/2010
01:42 PM
Connect Directly
Google+
LinkedIn
Twitter
RSS
E-Mail
50%
50%

Apple Ranks First In Vulnerabilities

Secunia's latest security report finds that investments in security by major vendors have not decreased vulnerabilities in their products.

Ten technology vendors account for 38% of all vulnerabilities disclosed over the past five years, a percentage that has remained relatively stable during this period.

Yet, the number of vulnerabilities affecting PC users has been rising rapidly, thanks largely to increasingly vulnerable third-party applications.

The number of vulnerabilities affecting PC users in the first six months of the year reached 380, about 90% of the vulnerability total for all of 2009, according to Secunia's Half Year Security Report 2010.

If the trend continues, Secunia predicts 760 vulnerabilities by the end of the year, almost double the 420 vulnerabilities detected in 2009, and approaching four times as many as the 220 vulnerabilities detected in 2007.

In the ranking of the ten vendors with the most vulnerabilities in their products, Apple overtook Oracle during the first six months of the year. Oracle dropped to second place, followed by Microsoft, HP, Adobe, IBM, VMware, Cisco, Google, and Mozilla.

Secunia says that the security of these vendors' products cannot be judged by vulnerability counts alone and that one must consider changes in the types of vulnerabilities reported, code quality, handling of vulnerability reports, update mechanisms, and other factors to fully assess security.

Indeed, one need only to look at vast amount of malware targeting the Windows platform to see that while users of Apple software may face largely theoretical risk, users of Windows (some of whom may be running Apple's iTunes or Safari) software face clearly demonstrated risk.

Secunia says that its report supports the perception that high market share correlates with a high number of vulnerabilities.

At the same time, the report notes that the security efforts by the top vendors haven't had much success in reducing vulnerability counts.

"Despite increased investments into the security of their products, none of the seven vendors who occupied the Top-10 group in 2005 as well as in 2010 managed to decrease the number of vulnerabilities discovered in their products," the report states. "On the contrary, the vulnerability count of each of these seven vendors has increased to reach in 2009 between 136% and 440% of the 2005 count."

But if the major vendors aren't seeing a reduction in vulnerabilities as a result of their efforts, at least they're doing better than third-party vendors.

According Secunia, third-party programs are almost exclusively to blame for the increased risk to end-users when using the Internet. The firm says that a typical PC with 50 applications installed had 3.5x more vulnerabilities in 24 third-party programs than in 26 Microsoft programs installed. And that ratio is expected to shift to 4.4x by the end of 2010.

The report calls for wider deployment of automated patching mechanisms, something Secunia just happens to be working on, in the form of its Personal Software Inspector (PSI) 2.0.

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading December Tech Digest
Experts weigh in on the pros and cons of end-user security training.
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-7830
Published: 2014-11-24
Cross-site scripting (XSS) vulnerability in mod/feedback/mapcourse.php in the Feedback module in Moodle through 2.4.11, 2.5.x before 2.5.9, 2.6.x before 2.6.6, and 2.7.x before 2.7.3 allows remote authenticated users to inject arbitrary web script or HTML by leveraging the mod/feedback:mapcourse cap...

CVE-2014-7831
Published: 2014-11-24
lib/classes/grades_external.php in Moodle 2.7.x before 2.7.3 does not consider the moodle/grade:viewhidden capability before displaying hidden grades, which allows remote authenticated users to obtain sensitive information by leveraging the student role to access the get_grades web service.

CVE-2014-7832
Published: 2014-11-24
mod/lti/launch.php in the LTI module in Moodle through 2.4.11, 2.5.x before 2.5.9, 2.6.x before 2.6.6, and 2.7.x before 2.7.3 performs access control at the course level rather than at the activity level, which allows remote authenticated users to bypass the mod/lti:view capability requirement by vi...

CVE-2014-7833
Published: 2014-11-24
mod/data/edit.php in Moodle through 2.4.11, 2.5.x before 2.5.9, 2.6.x before 2.6.6, and 2.7.x before 2.7.3 sets a certain group ID to zero upon a database-entry change, which allows remote authenticated users to obtain sensitive information by accessing the database after an edit by a teacher.

CVE-2014-7834
Published: 2014-11-24
mod/forum/externallib.php in Moodle 2.6.x before 2.6.6 and 2.7.x before 2.7.3 does not verify group permissions, which allows remote authenticated users to access a forum via the forum_get_discussions web service.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Now that the holiday season is about to begin both online and in stores, will this be yet another season of nonstop gifting to cybercriminals?