Vulnerabilities / Threats
7/12/2010
01:42 PM
Connect Directly
Google+
LinkedIn
Twitter
RSS
E-Mail
50%
50%

Apple Ranks First In Vulnerabilities

Secunia's latest security report finds that investments in security by major vendors have not decreased vulnerabilities in their products.

Ten technology vendors account for 38% of all vulnerabilities disclosed over the past five years, a percentage that has remained relatively stable during this period.

Yet, the number of vulnerabilities affecting PC users has been rising rapidly, thanks largely to increasingly vulnerable third-party applications.

The number of vulnerabilities affecting PC users in the first six months of the year reached 380, about 90% of the vulnerability total for all of 2009, according to Secunia's Half Year Security Report 2010.

If the trend continues, Secunia predicts 760 vulnerabilities by the end of the year, almost double the 420 vulnerabilities detected in 2009, and approaching four times as many as the 220 vulnerabilities detected in 2007.

In the ranking of the ten vendors with the most vulnerabilities in their products, Apple overtook Oracle during the first six months of the year. Oracle dropped to second place, followed by Microsoft, HP, Adobe, IBM, VMware, Cisco, Google, and Mozilla.

Secunia says that the security of these vendors' products cannot be judged by vulnerability counts alone and that one must consider changes in the types of vulnerabilities reported, code quality, handling of vulnerability reports, update mechanisms, and other factors to fully assess security.

Indeed, one need only to look at vast amount of malware targeting the Windows platform to see that while users of Apple software may face largely theoretical risk, users of Windows (some of whom may be running Apple's iTunes or Safari) software face clearly demonstrated risk.

Secunia says that its report supports the perception that high market share correlates with a high number of vulnerabilities.

At the same time, the report notes that the security efforts by the top vendors haven't had much success in reducing vulnerability counts.

"Despite increased investments into the security of their products, none of the seven vendors who occupied the Top-10 group in 2005 as well as in 2010 managed to decrease the number of vulnerabilities discovered in their products," the report states. "On the contrary, the vulnerability count of each of these seven vendors has increased to reach in 2009 between 136% and 440% of the 2005 count."

But if the major vendors aren't seeing a reduction in vulnerabilities as a result of their efforts, at least they're doing better than third-party vendors.

According Secunia, third-party programs are almost exclusively to blame for the increased risk to end-users when using the Internet. The firm says that a typical PC with 50 applications installed had 3.5x more vulnerabilities in 24 third-party programs than in 26 Microsoft programs installed. And that ratio is expected to shift to 4.4x by the end of 2010.

The report calls for wider deployment of automated patching mechanisms, something Secunia just happens to be working on, in the form of its Personal Software Inspector (PSI) 2.0.

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading, January 2015
To find and fix exploits aimed directly at your business, stop waiting for alerts and become a proactive hunter.
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-7402
Published: 2014-12-17
Multiple unspecified vulnerabilities in request.c in c-icap 0.2.x allow remote attackers to cause a denial of service (crash) via a crafted ICAP request.

CVE-2014-5437
Published: 2014-12-17
Multiple cross-site request forgery (CSRF) vulnerabilities in ARRIS Touchstone TG862G/CT Telephony Gateway with firmware 7.6.59S.CT and earlier allow remote attackers to hijack the authentication of administrators for requests that (1) enable remote management via a request to remote_management.php,...

CVE-2014-5438
Published: 2014-12-17
Cross-site scripting (XSS) vulnerability in ARRIS Touchstone TG862G/CT Telephony Gateway with firmware 7.6.59S.CT and earlier allows remote authenticated users to inject arbitrary web script or HTML via the computer_name parameter to connected_devices_computers_edit.php.

CVE-2014-7170
Published: 2014-12-17
Race condition in Puppet Server 0.2.0 allows local users to obtain sensitive information by accessing it in between package installation or upgrade and the start of the service.

CVE-2014-7285
Published: 2014-12-17
The management console on the Symantec Web Gateway (SWG) appliance before 5.2.2 allows remote authenticated users to execute arbitrary OS commands by injecting command strings into unspecified PHP scripts.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Join us Wednesday, Dec. 17 at 1 p.m. Eastern Time to hear what employers are really looking for in a chief information security officer -- it may not be what you think.