Apple Most Vulnerable Platform: Report
Apple leads the pack when it comes to the number of security vulnerabilities, leaving both Microsoft and Adobe in its wake, according to a Secunia report Thursday, contradicting perceptions that Apple products are inherently more secure than Windows and other platforms.

According to the "Secunia Half Year Report 2010," Apple leads the pack of the Top 10 vendors with the most vulnerabilities in their products, a group that includes giants such as Oracle, Microsoft, Adobe Systems and Google.

Apple was followed, in descending order of the number of security vulnerabilities, by Oracle, Microsoft, HP, Adobe Systems, IBM, VMware, Cisco, Google and the Mozilla Organization.

Since 2005, the group of Top 10 vendors has been responsible for about 38 percent of the total vulnerabilities in any given year, representing 16 percent of the total Secunia Advisories per year, the report found.

"Despite increased investment into the security of their products, none of the seven vendors who occupied the Top-10 group in 2005 as well as in 2010 managed to decrease the number of vulnerabilities discovered in their products," Secunia researchers wrote.

Overall, the report indicated a decisive upward trend in security vulnerabilities. During the first six months of 2010, Secunia researchers detected 380 vulnerabilities, representing 89 percent of the total number for all of 2009.

If vulnerabilities continue to be discovered at the same rate, Secunia researchers estimate that the total for 2010 will likely be in the neighborhood of 760 security vulnerabilities.

The report also indicated a direct correlation between a product's high market share and the number of vulnerabilities it contained. In Apple's case, the buggiest products were iTunes and QuickTime. Sun Microsystems, now a part of Oracle, sported the most vulnerabilities in its Java products, while Windows and Internet Explorer topped Microsoft's charts for the most flaws. Adobe's Flash, Acrobat and Reader were its most vulnerable products.

The most prevalent attack vector was remote code execution, meaning that hackers could exploit the majority of the security flaws remotely with little or no user intervention required. Vendors typically give vulnerabilities that allow remote code execution the highest severity rating of "critical."

In addition, the report found that Mozilla's Firefox and Apple's Safari ranked No. 1 and No. 2, respectively, as the most vulnerable third-party applications. Mozilla Firefox contained a total of 96 vulnerabilities, while Apple's Safari thus far had 84.

Both Web browsers outranked a bevy of Adobe products, including Reader and Acrobat, which each contained 61 vulnerabilities, as well as Flash Player and AIR, which each contained 51 security flaws.

Secunia researchers attribute the preponderance of third-party application vulnerabilities, in part, to ineffective or inadequate security update mechanisms.

"The overall picture of all vendors, including most of the more popular vendors, is that updating of the programs on end-user PCs is largely neglected and left to the end-user," the report stated. "It appears that most vendors do not take significant steps to secure their users and customers before active exploitation takes place on a larger scale where it starts to threaten the overall reputation of the business."

Among other things, the report's findings contradict the popular perception that Apple products are inherently secure or do not require security updates.

Meanwhile, a Secunia advisory released Thursday warned users of an AutoFill vulnerability in Apple Safari 5.0, and possibly other versions, that could be exploited by hackers to access sensitive information.

The flaw lies in the AutoFill feature, which by default can expose information from the user's personal address book card. Hackers could exploit the vulnerability with malware after enticing users to visit a malicious Web page.