Vulnerability report finds users lazy about patching Apple applications. Plus, in Q3, U.S. had more unpatched operating systems than any other country.

Sara Peters, Senior Editor

October 27, 2015

3 Min Read

Apple's closed development environment is still holding up relatively well and Mac is still targeted by attackers far less often than Windows -- and that's a very good thing because according to new research by Secunia Research, two Apple applications, iTunes and QuickTime, are the "most exposed" applications in the U.S. 

[A small market share and a trusted development environment protected Apple a long time, but will that last? Read "The State of Apple Security" on Dark Reading."]

Secunia Research (now part of Flexera Software) gathered vulnerability data from desktop/laptop computers in 14 countries, using its Personal Software Inspector software. The reports released today cover Oct. 1, 2014 through Sep. 30, 2015.  

Secunia determines what is "most exposed" based upon its market share and the percent of the applications remain unpatched. (Only supported applications still receiving security updates from their vendors are included in this category. Unsupported programs are discussed in a separate category.) In the U.S., QuickTime 7.x topped the list with 55 percent market share, 18 reported vulnerabilities, and 68 percent of users who had not installed the latest update. iTunes was next, with 40 percent market share, 106 vulnerabilities, and 47 percent unpatched.

QuickTime and iTunes were were also in the top three to five in the other countries monitored in the report -- mainly in Europe, plus Australia and New Zealand. Other highly exposed applications that showed up near the top of many lists were VLC Media Play 2.x, Java JRE, and various versions of Adobe Reader.

Few Microsoft programs made the top 10 list at all, on any country's report. The reason for that may be the ease of the patching process.

As the report explains, on a typical PC in the U.S., users have 76 programs installed, from 27 vendors -- so users have to manage security updates from 27 different sources. However, of all those programs, 31 are from just one vendor: Microsoft. So just one update mechanism can take care of over 40 percent of the applications on a PC, which makes it easier on users.

As for operating systems, 10.7 percent of users in the United States were running unpatched OSes. This was higher than any of the other 13 countries detailed in the Secunia Research reports. The worst offenders were users of Windows 8 (16 percent unpatched) and Windows 10 (15.6 percent unpatched).

The list of "exposed" apps does not include those that have gone past their end-of-life date, and are therefore no longer receiving security updates. Across the board in all countries, between 5 to 6 percent of the applications users are running on their PCs are end-of-life. 

In every country studied, Adobe Flash was the most prevalent end-of-life application. Flash Player 18, which was end-of-life as of Sep. 22, is still operating on 80 percent of machines in the U.S., with comparable market shares across other nations. Windows XP did not make it into the top 20 end-of-life applications, but it was still found on 9.5 percent of machines, according to Secunia researchers.

While Apple software may technically be "most exposed" in this report because of the prevalence of patchable programs that remain unpatched, the prevalence of unsupported Flash is a concern because of the recent flood of Flash zero-vulnerabilities and exploits.

Black Hat Europe returns to the beautiful city of Amsterdam, Netherlands November 12 & 13, 2015. Click here for more information and to register.

About the Author(s)

Sara Peters

Senior Editor

Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad of other topics. She authored the 2009 CSI Computer Crime and Security Survey and founded the CSI Working Group on Web Security Research Law -- a collaborative project that investigated the dichotomy between laws regulating software vulnerability disclosure and those regulating Web vulnerability disclosure.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like

More Insights