

10/27/2015
04:00 PM

Apple iTunes & QuickTime Named 'Most Exposed' To Threats In US

Vulnerability report finds users lazy about patching Apple applications. Plus, in Q3, U.S. had more unpatched operating systems than any other country.

Apple's closed development environment is still holding up relatively well, and Macs are still targeted by attackers far less often than Windows machines. That is a good thing, because according to new research from Secunia Research, two Apple applications, iTunes and QuickTime, are the "most exposed" applications in the U.S.


Secunia Research (now part of Flexera Software) gathered vulnerability data from desktop and laptop computers in 14 countries using its Personal Software Inspector (PSI) software. The reports released today cover Oct. 1, 2014 through Sep. 30, 2015.

Secunia ranks an application as "most exposed" based on its market share (the proportion of scanned PCs on which it is installed) and the percentage of those installations that remain unpatched. (Only supported applications still receiving security updates from their vendors are included in this category; unsupported programs are discussed in a separate category.) In the U.S., QuickTime 7.x topped the list with 55 percent market share, 18 reported vulnerabilities, and 68 percent of users who had not installed the latest update. iTunes was next, with 40 percent market share, 106 vulnerabilities, and 47 percent unpatched.

QuickTime and iTunes were also in the top three to five in the other countries monitored in the report -- mainly in Europe, plus Australia and New Zealand. Other highly exposed applications that showed up near the top of many lists were VLC Media Player 2.x, Java JRE, and various versions of Adobe Reader.

Few Microsoft programs made the top 10 list at all, in any country's report. One likely reason is the ease of the patching process for Microsoft software.

As the report explains, on a typical PC in the U.S., users have 76 programs installed, from 27 vendors -- so users have to manage security updates from 27 different sources. However, of all those programs, 31 are from just one vendor: Microsoft. So just one update mechanism can take care of over 40 percent of the applications on a PC, which makes it easier on users.

As for operating systems, 10.7 percent of users in the United States were running unpatched OSes. This was higher than any of the other 13 countries detailed in the Secunia Research reports. The worst offenders were users of Windows 8 (16 percent unpatched) and Windows 10 (15.6 percent unpatched).

The list of "exposed" apps does not include those that have passed their end-of-life date and are therefore no longer receiving security updates. Across the board in all countries, between 5 and 6 percent of the applications users are running on their PCs are end-of-life.

In every country studied, Adobe Flash was the most prevalent end-of-life application. Flash Player 18, end-of-life as of Sep. 22, was still present on 80 percent of machines in the U.S., with comparable market shares across the other nations. Windows XP did not make it into the top 20 end-of-life applications, but it was still found on 9.5 percent of machines, according to Secunia researchers.
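The report draws three distinctions that are easy to blur when reading the headline: supported-but-unpatched applications (the "exposed" ranking), end-of-life applications that are kept out of that ranking because no patch exists for them, and the number of distinct vendor update channels a user has to follow. The script below is an added example written for this page, not Secunia's PSI or Flexera code, that triages a single machine's software inventory along those lines. The inventory, the "latest version" catalogue and the end-of-life list are constructed for illustration; apart from QuickTime 7.7.8 (cited in the comment thread on this page) and Flash Player 18 (from the report), every version number in them is an assumption.

```python
"""Triage an installed-software inventory into the categories the Secunia report
uses: end-of-life (no vendor updates at all), supported-but-unpatched ("exposed"),
patched, and unknown; plus a count of distinct vendor update channels.

Added example for this article, not Secunia/Flexera code. The catalogue, the
EOL list and the sample inventory are constructed; versions are assumptions
except QuickTime 7.7.8 (comment thread) and Flash Player 18 (report).
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

Version = Tuple[int, ...]


def parse_version(v: str) -> Version:
    """'7.7.8' -> (7, 7, 8). Tuples compare component by component, so '7.10'
    ranks above '7.9'; a plain string comparison gets that wrong."""
    return tuple(int(p) for p in v.split("."))


@dataclass(frozen=True)
class InstalledApp:
    product: str
    vendor: str
    version: str

    @property
    def branch(self) -> str:
        """The report tracks exposure per major branch ('QuickTime 7.x')."""
        return f"{self.product} {parse_version(self.version)[0]}"


# Constructed catalogue: latest available build per supported branch.
# Only QuickTime 7.7.8 comes from the page; the rest are assumed values.
LATEST: Dict[str, str] = {
    "QuickTime 7": "7.7.8",
    "iTunes 12": "12.3.1",
    "VLC Media Player 2": "2.2.1",
    "Adobe Reader 11": "11.0.13",
    "Java JRE 8": "8.0.65",
}

# Branches the vendor no longer updates. Flash Player 18 is from the report;
# Java JRE 7 is an assumption for the example.
END_OF_LIFE = {"Flash Player 18", "Java JRE 7"}


def classify(app: InstalledApp) -> str:
    """'eol': no patch can exist, counted in the separate EOL category.
    'unpatched': supported branch with a newer build available ("exposed").
    'patched': already on the latest build. 'unknown': not in the catalogue."""
    if app.branch in END_OF_LIFE:
        return "eol"
    latest = LATEST.get(app.branch)
    if latest is None:
        return "unknown"
    return "unpatched" if parse_version(app.version) < parse_version(latest) else "patched"


def triage(inventory: List[InstalledApp]) -> Dict[str, List[str]]:
    """Bucket every installed program by classify(), preserving inventory order."""
    buckets: Dict[str, List[str]] = {"eol": [], "unpatched": [], "patched": [], "unknown": []}
    for app in inventory:
        buckets[classify(app)].append(f"{app.product} {app.version}")
    return buckets


def update_sources(inventory: List[InstalledApp]) -> Tuple[int, str, float]:
    """How many distinct vendors' update channels the user must follow, and the
    share of installed programs the single largest vendor covers (the report's
    point about Microsoft: 31 of 76 programs behind one update mechanism)."""
    counts: Dict[str, int] = {}
    for app in inventory:
        counts[app.vendor] = counts.get(app.vendor, 0) + 1
    top_vendor = max(counts, key=counts.get)
    return len(counts), top_vendor, counts[top_vendor] / len(inventory)


# Constructed inventory of one machine (versions assumed).
SAMPLE_INVENTORY = [
    InstalledApp("QuickTime", "Apple", "7.7.6"),
    InstalledApp("iTunes", "Apple", "12.3.1"),
    InstalledApp("Flash Player", "Adobe", "18.0.0.209"),
    InstalledApp("Adobe Reader", "Adobe", "11.0.10"),
    InstalledApp("VLC Media Player", "VideoLAN", "2.2.1"),
    InstalledApp("Java JRE", "Oracle", "7.0.80"),
    InstalledApp("Office", "Microsoft", "15.0.4753"),
    InstalledApp("Silverlight", "Microsoft", "5.1.40728"),
    InstalledApp(".NET Framework", "Microsoft", "4.6.1"),
]

if __name__ == "__main__":
    for bucket, apps in triage(SAMPLE_INVENTORY).items():
        print(f"{bucket:10s} {apps}")
    n, top, share = update_sources(SAMPLE_INVENTORY)
    print(f"{n} update sources; {top} covers {share:.0%} of installed programs")
```

The point of keeping "eol" separate from "unpatched" is the one the report makes: an exposed application has a fix the user simply has not applied, whereas an end-of-life one has nothing to apply, so the two need different remediation (update versus remove or replace) and should not be summed into a single "vulnerable" figure.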

While Apple software may technically be "most exposed" in this report because of the prevalence of patchable programs that remain unpatched, the prevalence of unsupported Flash is a concern in its own right because of the recent flood of Flash zero-day vulnerabilities and exploits.


Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior to that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad ...
Comments
Altonius (User Rank: Apprentice), 10/30/2015 5:50:37 PM
QuickTime only available for Windows Vista and 7
I've been looking at the Secunia report, and it looks like part of the problem is that Apple states that QuickTime is only for Windows Vista and 7. Those with Windows 8 and above are having problems auto-updating to QuickTime 7.7.8. I've written a blog post on this.
Dr.T (User Rank: Ninja), 10/30/2015 10:32:24 AM
Mac is not a target?
I started doubting this premise. Mac is actually quite common among teens, and if there were an easier way to attack it they would do that; it is most likely not as easy to break into Mac systems as it is into Windows systems. Remember, Mac is derived from Linux/UNIX.
Dr.T (User Rank: Ninja), 10/30/2015 10:31:28 AM
Re: Very Misleading Headline
But as I mentioned in the other post, least updated does not mean most vulnerable. That is true especially for Apple.
Dr.T (User Rank: Ninja), 10/30/2015 10:27:17 AM
Re: Very Misleading Headline
Agree. I did not even understand what "exposed" meant in the first place, but the article clarifies it.
Dr.T (User Rank: Ninja), 10/30/2015 10:24:37 AM
Re: How could that be....
They are most likely not that vulnerable; otherwise Apple would not be taking the risk of being compromised.
Dr.T (User Rank: Ninja), 10/30/2015 10:20:11 AM
"most exposed?"
I am not sure how they are measuring this; no updates does not mean lots of vulnerabilities.
Uncle Dave (User Rank: Apprentice), 10/29/2015 12:26:58 PM
Very Misleading Headline
The headline implies that the iTunes and QuickTime applications are the most vulnerable to exploitation. Based on the actual content of the article this is not the case. Rather, they appear to be the apps most likely to go unpatched by users. There is also no mention in the article of the OS; in fact I'd speculate that most of the computers and tablets checked weren't running an Apple OS at all.

A better headline might be, "iTunes, QuickTime Named Least Updated Apps." But then again, that doesn't grab one's attention for a "ho-hum" article. Face it, Americans are lazy and expect things to just happen and keep themselves current.

What, me worry?
RyanSepe (User Rank: Ninja), 10/28/2015 12:51:28 PM
How could that be....
With the number of times I get bombarded to update iTunes, how could anyone possibly ignore that constant harassment? All kidding aside, are the feature updates rolled out on the same cycle as the appsec updates?