Which vendor has the most reported security vulnerabilities?
According to Secunia's recently released report, between 2005 and 2010 that's Apple Inc. followed by Oracle and Microsoft. Moreover, based on the company's data, ten vendors are responsible for 38% of the total number of vulnerabilities, and seven of the vendors on the top 10 list back in 2005, still occupy the top positions in 2010.
However, interpreting this data through the prism of the current threat landscape results in some pretty interesting findings. For instance, although Apple visibly tops the graph, excluding social engineering driven malware attacks targeting Mac OS X users, there are no known widespread campaigns utilizing any of these vulnerabilities -- targeted attacks and cyber espionage attacks excluded.
Moreover, although Adobe is only in 5th position, in 2009 malicious PDFs represented 80 percent of all exploits, followed by active exploitation of Flash, a direct consequence of the fact that millions of users continue browsing the Web using outdated versions of Adobe's products.
- Secunia: Average insecure program per PC rate remains high
- Report: 48% of 22 million scanned computers infected with malware
- Report: 64% of all Microsoft vulnerabilities for 2009 mitigated by Least Privilege accounts
- Report: Malicious PDF files comprised 80 percent of all exploits for 2009
- Research: 80% of Web users running unpatched versions of Flash/Acrobat
Even though Microsoft's Windows remains the top target due to its market share, which through the eyes of the cybercriminal means solid ROI (return on investment) given the modest investment, it's worth pointing out that 3rd party apps, and plugins in particular, rather than Microsoft OS/Microsoft product specific vulnerabilities, are what cybercriminals continue using as their primary means of exploitation.
On a large scale, the shift from vendor/application specific to "target them all" exploitation tactics is pretty evident. Thanks to the growth of web malware exploitation kits, which literally exploit whatever is exploitable on a targeted host through the diverse set of (outdated/already patched) exploits they come with, cybercriminals no longer shoot in the dark. They shoot at everything that hits their malicious, or compromised legitimate, sites.
Being the vendor with the most reported security vulnerabilities doesn't necessarily mean being the most insecure one, as it all comes down to "prevention is better than the cure" processes, defense in depth strategies, and patch management strategies. That's of course only if end users and companies are aware, and are actually patching, something which is clearly not happening.
Does Apple's position at the top of the graph mean its products are more insecure than those of Oracle and Microsoft? Does the vulnerability count for a particular company really matter, given the fact that the growth of cybercrime in 2010 is largely driven by outdated vulnerabilities -- meaning users just don't care? Is Microsoft feeling all the heat thanks to the millions of end users running outdated 3rd party applications and plugins on top of its OSs?
What do you think? Talkback.