Apple leads the pack for ballooning bug count
Being in the lead is not always a good thing. Apple takes number one stop for the most bugs found in all of its products during the first half of 2010, ahead of Oracle, and Microsoft, according to Secunia [PDF].
Secunia is also seeing a big shift in security threats, with the emphasis moving from the operating system to vulnerabilities in third-party applications. One example that Secunia cites is that a typical end-user PC with 50 programs installed will be faced with 3.5 times more security bugs in the 24 third party programs running on their systems than in the 26 Microsoft programs installed. Secunia expects this ratio to increase to 4.4 in 2010.
Patching is also getting more complex, with 13 software update mechanisms running on each PC.
But back to Apple, and how it has taken the top spot from Oracle.
Figure 2 visualizes the dynamics in the Top-10 group and indicates that popular vendors are also subject to more scrutiny by the security community/researchers than less popular vendors; Oracle (including Sun Microsystems and BEA Logic) ranked #1 in four out of five years overtaken by Apple in the first half of 2010, with Apple consistently ranking higher than Microsoft. Despite increased investments into the security of their products, none of the seven vendors who occupied the Top-10 group in 2005 as well as in 2010 managed to decrease the number of vulnerabilities discovered in their products. On the contrary, the vulnerability count of each of these seven vendors has increased to reach in 2009 between 136% and 440% of the 2005 count.
In other words, they all get a "could do better" on their report card.
The culprits are as follows:
- Apple - (iTunes, Quicktime)
- Microsoft - (Windows, Internet Explorer)
- Sun Microsystems - (Java, now part of Oracle)
- Adobe - (Acrobat Reader, Flash)
And if you're not already thoroughly depressed, here are some more stats. Between 2007 to 2009 the number of vulnerabilities affecting a typical PC nearly doubled, going from 220 to 420. But it's set to get worse, with Secunia predicting that the number will almost double again to reach 760 for 2010 as a whole.