Vulnerabilities / Threats
7/12/2010
01:42 PM
Connect Directly
Google+
LinkedIn
Twitter
RSS
E-Mail
50%
50%

Apple Ranks First In Vulnerabilities

Secunia's latest security report finds that investments in security by major vendors have not decreased vulnerabilities in their products.

Ten technology vendors account for 38% of all vulnerabilities disclosed over the past five years, a percentage that has remained relatively stable during this period.

Yet, the number of vulnerabilities affecting PC users has been rising rapidly, thanks largely to increasingly vulnerable third-party applications.

The number of vulnerabilities affecting PC users in the first six months of the year reached 380, about 90% of the vulnerability total for all of 2009, according to Secunia's Half Year Security Report 2010.

If the trend continues, Secunia predicts 760 vulnerabilities by the end of the year, almost double the 420 vulnerabilities detected in 2009, and approaching four times as many as the 220 vulnerabilities detected in 2007.

In the ranking of the ten vendors with the most vulnerabilities in their products, Apple overtook Oracle during the first six months of the year. Oracle dropped to second place, followed by Microsoft, HP, Adobe, IBM, VMware, Cisco, Google, and Mozilla.

Secunia says that the security of these vendors' products cannot be judged by vulnerability counts alone and that one must consider changes in the types of vulnerabilities reported, code quality, handling of vulnerability reports, update mechanisms, and other factors to fully assess security.

Indeed, one need only to look at vast amount of malware targeting the Windows platform to see that while users of Apple software may face largely theoretical risk, users of Windows (some of whom may be running Apple's iTunes or Safari) software face clearly demonstrated risk.

Secunia says that its report supports the perception that high market share correlates with a high number of vulnerabilities.

At the same time, the report notes that the security efforts by the top vendors haven't had much success in reducing vulnerability counts.

"Despite increased investments into the security of their products, none of the seven vendors who occupied the Top-10 group in 2005 as well as in 2010 managed to decrease the number of vulnerabilities discovered in their products," the report states. "On the contrary, the vulnerability count of each of these seven vendors has increased to reach in 2009 between 136% and 440% of the 2005 count."

But if the major vendors aren't seeing a reduction in vulnerabilities as a result of their efforts, at least they're doing better than third-party vendors.

According Secunia, third-party programs are almost exclusively to blame for the increased risk to end-users when using the Internet. The firm says that a typical PC with 50 applications installed had 3.5x more vulnerabilities in 24 third-party programs than in 26 Microsoft programs installed. And that ratio is expected to shift to 4.4x by the end of 2010.

The report calls for wider deployment of automated patching mechanisms, something Secunia just happens to be working on, in the form of its Personal Software Inspector (PSI) 2.0.

Comment  | 
Print  | 
More Insights
Comments
Threaded  |  Newest First  |  Oldest First
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: You are infected!  @malwareunicorn to the rescue...  
Current Issue
Security Operations and IT Operations: Finding the Path to Collaboration
A wide gulf has emerged between SOC and NOC teams that's keeping both of them from assuring the confidentiality, integrity, and availability of IT systems. Here's how experts think it should be bridged.
Flash Poll
New Best Practices for Secure App Development
New Best Practices for Secure App Development
The transition from DevOps to SecDevOps is combining with the move toward cloud computing to create new challenges - and new opportunities - for the information security team. Download this report, to learn about the new best practices for secure application development.
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2017-0290
Published: 2017-05-09
NScript in mpengine in Microsoft Malware Protection Engine with Engine Version before 1.1.13704.0, as used in Windows Defender and other products, allows remote attackers to execute arbitrary code or cause a denial of service (type confusion and application crash) via crafted JavaScript code within ...

CVE-2016-10369
Published: 2017-05-08
unixsocket.c in lxterminal through 0.3.0 insecurely uses /tmp for a socket file, allowing a local user to cause a denial of service (preventing terminal launch), or possibly have other impact (bypassing terminal access control).

CVE-2016-8202
Published: 2017-05-08
A privilege escalation vulnerability in Brocade Fibre Channel SAN products running Brocade Fabric OS (FOS) releases earlier than v7.4.1d and v8.0.1b could allow an authenticated attacker to elevate the privileges of user accounts accessing the system via command line interface. With affected version...

CVE-2016-8209
Published: 2017-05-08
Improper checks for unusual or exceptional conditions in Brocade NetIron 05.8.00 and later releases up to and including 06.1.00, when the Management Module is continuously scanned on port 22, may allow attackers to cause a denial of service (crash and reload) of the management module.

CVE-2017-0890
Published: 2017-05-08
Nextcloud Server before 11.0.3 is vulnerable to an inadequate escaping leading to a XSS vulnerability in the search module. To be exploitable a user has to write or paste malicious content into the search dialogue.

Dark Reading Radio
Archived Dark Reading Radio
In past years, security researchers have discovered ways to hack cars, medical devices, automated teller machines, and many other targets. Dark Reading Executive Editor Kelly Jackson Higgins hosts researcher Samy Kamkar and Levi Gundert, vice president of threat intelligence at Recorded Future, to discuss some of 2016's most unusual and creative hacks by white hats, and what these new vulnerabilities might mean for the coming year.