Security company Secunia is reporting that Apple (AAPL) software has the most security vulnerabilities. According to the recent Secunia Half Year Report 2010 (PDF) Apple has displaced Oracle as the company with the most security vulnerabilities in its software over the first half of 2010. Microsoft retains its third-place spot.
Wired points out that this does not necessarily mean that Apple’s software is the most insecure in practice. The report takes no account of the severity of the flaws; instead, it points at a growing trend in the world of security flaws: the role of third-party software. Many of Apple’s flaws are not in its operating system, Mac OS X, but rather in software like Safari, QuickTime, and iTunes. Vendors like Adobe (with Flash and Adobe Reader) and Oracle (with Java) are similarly responsible for many of the flaws being reported. The top ten third-party applications, ranked by total number of reported vulnerabilities:
1. Mozilla Firefox
2. Apple Safari
3. Sun Java JRE
4. Google Chrome
5. Adobe Reader
6. Adobe Acrobat
7. Adobe Flash Player
8. Adobe AIR
9. Apple iTunes
10. Mozilla Thunderbird
To illustrate this point, Ars Technica says the report includes cumulative figures for the number of vulnerabilities found on a Windows PC with the 50 most widely used programs. Five years ago, there were more first-party flaws (in Windows and Microsoft’s other software) than third-party ones. Since about 2007, the balance has shifted towards third-party programs. Secunia predicts that third-party flaws will outnumber first-party flaws by two-to-one by the end of 2010.
Secunia also makes the case that keeping third-party software up to date is much harder: Microsoft’s Windows Update and Microsoft Update systems cover only around 35% of reported vulnerabilities, so patching the rest requires the use of 13 or more separate updating systems. Some vendors—Apple, Mozilla, and Google, for example—do have decent automatic update systems, but others require manual intervention by the user.
Ralph Bach has been in IT long enough to know better and has blogged from his Bach Seat about IT, careers, and anything else that catches his attention since 2005. You can follow him on LinkedIn, Facebook, and Twitter. Email the Bach Seat here.
