Report: Apple had the most vulnerabilities throughout 2005-2010
Which vendor has the most reported security vulnerabilities? According to Secunia's recently released report, between 2005 and 2010 that's Apple Inc. followed by Oracle and Microsoft. Does this mean Apple's products are more insecure than those of Oracle and Microsoft?
Which vendor has the most reported security vulnerabilities?
According to Secunia's recently released report, between 2005 and 2010 that's Apple Inc. followed by Oracle and Microsoft. Moreover, based on the company's data, ten vendors are responsible for 38% of the total number of vulnerabilities, and seven of the vendors on the top 10 list back in 2005, still occupy the top positions in 2010.
Even though Microsoft's Windows remains the top target due to its market share, which through the eyes of the cybercriminal means solid ROI (return on investment) for a modest investment, it's worth pointing out that third-party apps and plugins in particular, rather than Microsoft OS or Microsoft product-specific vulnerabilities, are what cybercriminals continue to use as their primary means of exploitation.
On a large scale, the shift from vendor- or application-specific exploitation to "target them all" tactics is pretty evident. Thanks to the growth of web malware exploitation kits, which literally exploit whatever is exploitable on a targeted host through the diverse set of (outdated, already patched) exploits they come with, cybercriminals no longer shoot in the dark. They shoot at everything that hits their malicious sites, or the compromised legitimate sites they control.
Being the vendor with the most reported security vulnerabilities doesn't necessarily mean being the most insecure one, as it all comes down to "prevention is better than cure" processes, defense-in-depth strategies, and patch management strategies. That's of course only if end users and companies are aware, and are actually patching, something which is clearly not happening.
Does Apple's position at the top of the graph mean its products are more insecure than those of Oracle and Microsoft? Does the vulnerability count for a particular company really matter, given the fact that the growth of cybercrime in 2010 is largely driven by outdated vulnerabilities -- meaning users just don't care? Is Microsoft feeling all the heat thanks to the millions of end users running outdated third-party applications and plugins on top of its OSs?