Report: Apple had the most vulnerabilities throughout 2005-2010

Summary: Which vendor has the most reported security vulnerabilities? According to Secunia's recently released report, between 2005 and 2010 that's Apple Inc. followed by Oracle and Microsoft. Does this mean Apple's products are more insecure than those of Oracle and Microsoft?

Which vendor has the most reported security vulnerabilities?

According to Secunia's recently released report, between 2005 and 2010 that's Apple Inc., followed by Oracle and Microsoft. Moreover, based on the company's data, ten vendors are responsible for 38% of the total number of vulnerabilities, and seven of the vendors on the top 10 list back in 2005 still occupy the top positions in 2010.

However, interpreting this data through the prism of the current threat landscape yields some pretty interesting findings. For instance, although Apple visibly tops the graph, excluding social engineering driven malware attacks targeting Mac OS X users, there are no known widespread campaigns utilizing any of these vulnerabilities -- targeted attacks and cyber espionage attacks excluded.

Moreover, although Adobe is in 5th position, in 2009 malicious PDFs represented 80 percent of all exploits, followed by active exploitation of Flash, taking into consideration the fact that millions of users continue browsing the Web using outdated versions of Adobe's products.

Even though Microsoft's Windows remains the top target due to its market share, which through the eyes of the cybercriminal means solid ROI (return on investment) given the modest investment, it's worth pointing out that 3rd party apps and plugins in particular, compared to Microsoft OS/Microsoft product specific vulnerabilities, are what cybercriminals continue using as their primary means of exploitation.

On a large scale, the shift from vendor/application specific to "target them all" exploitation tactics is pretty evident. Thanks to the growth of web malware exploitation kits, which literally exploit whatever is exploitable on a targeted host through the diverse set of (outdated/already patched) exploits they come with, cybercriminals no longer shoot in the dark. They shoot at everything that hits their malicious, or compromised legitimate, sites.

Being the vendor with the most reported security vulnerabilities doesn't necessarily mean being the most insecure one, as it all comes down to "prevention is better than the cure" processes, defense in depth strategies, and patch management strategies. That's of course if end users and companies are aware, and are actually patching, something which is clearly not happening.

Does Apple's position at the top of the graph mean its products are more insecure than those of Oracle and Microsoft? Does the vulnerability count for a particular company really matter, given the fact that the growth of cybercrime in 2010 is largely driven by outdated vulnerabilities -- meaning users just don't care? Is Microsoft feeling all the heat thanks to the millions of end users running outdated 3rd party applications and plugins on top of its OSs?

What do you think? Talkback.

Topics: Apple, Malware, Microsoft, Security

Dancho Danchev

About Dancho Danchev

Dancho Danchev is an independent security consultant and cyber threats analyst, with extensive experience in open source intelligence gathering, malware and cybercrime incident response.

Talkback

11 comments
  • Run for cover. Incoming!

    ;)
    Dietrich T. Schmitz, ~ Your Linux Advocate
    • RE: Report: Apple had the most vulnerabilities throughout 2005-2010

      @Dietrich T. Schmitz, Your Linux Advocate,
      My thoughts exactly. This isn't going to sit well with a few people.
      The one and only, Cylon Centurion
  • Does this mean that installing Apple software is dangerous?

    Thanks Dancho, I was about to install Safari on my Windows machine but now I won't.
    NonZealot
    • Apple software is no more dangerous than the user at the keyboard.

      @NonZealot: Bull! You know you weren't, so quit telling tales.
      Vulpinemac
  • Security statistics are still statistics. We know what that means.

    Most reported vulnerabilities? That's a pretty broad and open-ended category.

    First off, it ends up telling you little to nothing about the security of the system in question unless there is at least some assurance that the reported security issues are at least close to ALL the security issues, meaning no significant unreported issues.

    Even if the reported security issues do reflect accurately ALL security issues, that only indicates a certain level of sloppiness in the original design of the program in question. It simply means that the product out of the box (so to speak) had more potential vulnerabilities than others, but it obviously doesn't end there.

    These were potential vulnerabilities, so the question becomes how were they dealt with? Was a quick, relatively preemptive fix provided? Were these almost impossible vulnerabilities to exploit? If these vulnerabilities were to be exploited, what's the damage? Significant or insignificant?

    The list goes on. Everyone should know by now that statistics on their own seldom tell much of a story without the appropriate context added in to see just what the facts and figures are applying to.

    That goes for OSX, Windows and pretty much any program out there, so people should take it easy with pounding on any OS without mercy when they read something like this.
    Cayble
  • RE: Report: Apple had the most vulnerabilities throughout 2005-2010

    How many of these vulnerabilities still exist? What was each company's response?

    Was the number of updates included in the study? For example, if company x releases a product with 2 vulnerabilities in 2005 and never releases an update, it still only has 2 vulnerabilities. While company z released updates every year and has 5 vulnerabilities in 2010, but all the previous holes have been plugged. Certainly some further clarification is needed to make an accurate assessment of each of the program/OS security flaws.
    SpikeP67
  • RE: Report: Apple had the most vulnerabilities throughout 2005-2010

    That's some pretty transparent "reporting" there. Vulnerabilities are meaningless when they're zapped instantly, instead of existing in the wild for years, as they often do on Windows machines.

    Let's see now, a company whom has an obvious crush on MS publishing an article trying to convince other MS users that OS X is just as bad as Windows is in the security world? Pretty amusing really, considering that anyone whom knows how OS X operates isn't actually buying into the fear mongering. Try hawking AV software to your usual crowd, because the OS X users aren't going for it.
    dgrb
    • RE: Report: Apple had the most vulnerabilities throughout 2005-2010

      @dgrb
      If you don't know the difference between "who" and "whom," you would do best to stick with who. FTR, not a single instance of "whom" above was correct.
      SpiritusInMachina
  • Maybe the most vulnerabilities--by their accounting...

    ... but the fewest attacks. There was not one viable attack against Apple in all that time that did not specifically require the victim to download and install it himself. And in those two cases, they came in 'cracked' software that normally carries a high price tag.
    Vulpinemac
  • RE: Report: Apple had the most vulnerabilities throughout 2005-2010

    I guess all the fanbois/fangirls will be complaining that Secunia was paid by Microsoft or someone. :-)

    Interesting to note that Linux isn't mentioned much in the report and yet those OSs [however "fractured"] have had issues as well.

    Wouldn't touch Google's Chrome for sure. So why are they listed below Sun Java RE when they have the same number of CVEs but more events?
    Gis Bun
  • The table in the report: Google Chrome->Vendor: Adobe

    Some premonition I guess, as mentioned above:
    Google Chrome-> Vendor: Adobe
    Martmarty