Apple: The New World Leader in Software Insecurity

  • By Peter Bright, ars technica
  • July 22, 2010 | 11:56 am
  • Categories: Enterprise

On the iPad's release date, April 3, 2010, a line extends around Apple's Fifth Avenue store. Many buyers had camped overnight to stake their spots in line.

Apple has displaced Oracle as the company with the most security vulnerabilities in its software, according to security company Secunia.

Over the first half of 2010, Apple had more reported flaws than any other vendor. Microsoft retains its third-place spot. Secunia has tracked security vulnerabilities and issued advisories since 2002, producing periodic reports on the state of software. Together, the top 10 vendors account for some 38 percent of all flaws reported.

Though this does not necessarily mean that Apple’s software is the most insecure in practice — the report takes no consideration of the severity of the flaws — it points at a growing trend in the world of security flaws: the role of third-party software. Many of Apple’s flaws are not in its operating system, Mac OS X, but rather in software like Safari, QuickTime and iTunes. Vendors like Adobe (with Flash and Adobe Reader) and Oracle (with Java) are similarly responsible for many of the flaws being reported.

To illustrate this point, the report includes cumulative figures for the number of vulnerabilities found on a Windows PC with the 50 most widely used programs. Five years ago, there were more first-party flaws (in Windows and Microsoft’s other software) than third-party. Since about 2007, the balance has shifted towards third-party programs. This year, third-party flaws are predicted to outnumber first-party flaws by 2 to 1.

Secunia also makes a case that effectively updating this third-party software is much harder to do; whereas Microsoft’s Windows Update and Microsoft Update systems will provide protection for around 35 percent of reported vulnerabilities, patching the remainder requires the use of 13 or more updating systems. Some vendors — Apple, Mozilla and Google, for example — do have decent automatic update systems, but others require manual intervention by the user.

Comments (18)

  • Posted by: BillySaysThings | 07/22/10 | 12:17 pm |

    Oh boy, good thing Apple’s iPhone doesn’t have Flash, because it’s insecure, right? Yeah, keep that buggy insecure software off your platform! You want to be the biggest screw up all on your own! So, Jobs, if Adobe is “lazy”, just how goddamn lazy is Apple?

  • Posted by: LarryJ | 07/22/10 | 1:06 pm |

    I don’t get it. I’m a Mac user (many hours/day, multiple machines) and still don’t see these things in real life, either on my computer or in the several discussion lists to which I subscribe. Oh, and by the way, the content of your story doesn’t match the headline.

  • Posted by: samagon | 07/22/10 | 1:16 pm |

    Hey LarryJ,
    .
    Being a Windows user myself, I haven’t seen any of the multiple viruses and malicious software on my PC, so it must not exist, right?
    .
    Rest assured, I haven’t seen any of the security risks affect me in real life, but they do exist. The same is true for Apple and their OS.
    .
    To smugly state that you have no security issues (as I often see from Mac users) does not mean you are not in any danger. Do not trust the marketing machines that say you are safe, we are all at risk. The more users that have a Mac, or iOS device the more people will exploit the risks inherent in those systems.

  • Posted by: Figurative | 07/22/10 | 1:28 pm |

    What a bunch of hooey. Nothing based in reality, just a bunch of theoretical assertions designed to get media attention (i.e. page hits, money, wealth). Move along…there’s nothing to see here.

  • Posted by: Xylenz | 07/22/10 | 1:31 pm |

    Hilarious. So much for the “it just works” bullshit.

  • Posted by: Ricotta | 07/22/10 | 1:37 pm |

    Larryj

    Apple just became the most valuable software company, as long as it continues to be the standard for mobile devices, it will be the standard for malicious software. I wouldn’t go so far as to say they’ve become the “leader” in malicious content, there are other parameters such as severity, but I would say that commanding a majority market share should bring them attention: both good and bad.

  • Posted by: lukebunger | 07/22/10 | 2:02 pm |

    Insecure is such a loaded term.

    As the report says, it does not take into account severity of the vulnerabilities, or even more significantly, the likelihood of the vulnerabilities to be exploited. Similarly, it doesn’t readily identify patched vs unpatched vulnerabilities, (just a total number discovered per year) nor does it account for the amount of time that vulnerabilities remain unpatched.

    Apple does have more vulnerabilities, however, in general, most studies show that they are less serious, and much less likely to be exploited, (basically, none have been exploited in such a way which achieves wide penetration), and are patched quickly, before being exploited, even in spite of the fact that they could actually be a lot more relaxed over it.

    Microsoft and Adobe, conversely, are generally much more severe in nature, exploited regularly, and patched relatively slowly, in many cases not before thousands, if not millions of computers are infected.

    I also challenge people like samagon when they claim they have not ever seen Viruses or Malicious software. Regardless of how well protected you were, malware like Conficker was still able to penetrate some of the most secure systems, because it took advantage of a previously unknown vulnerability.

    Secondly, even if people were able to avoid malware like Conficker (by luck, not because of anything you did, I assure you) roughly 6% of users are still infected.

    Given that there are still at least 75 million Mac users (as at WWDC 09, certainly many more now) if, as you claim, the threat does exist, why have we yet to see exploits that get further than even a few hundred users, not the 4.5 million, or more, that we should be seeing based on similar percentages?

  • Posted by: C0nnected | 07/22/10 | 2:12 pm |

    Apple is the world leader in software insecurity, and yet we still spend 90% of our time supporting the 20% of our company computers that run Windows.

    Forget flaws. Show me exploits. According to the same security company Adobe Reader is responsible for 28% of the exploits that happened in the first quarter of 2010. I’ve been supporting Windows and Macs since ‘93 and have yet to see a compromised Mac.

    No OS is totally secure, and a Mac exploit is just a matter of time. But for now, Windows is the low hanging fruit and is likely to remain so.

    Perhaps I’m too cynical but most of these “macs are in trouble” stories have their sources in companies that are being squeezed by Microsoft Security Essentials on one side, and the “we don’t need antivirus yet” Macintosh computers on the other.

  • Posted by: captnemo | 07/22/10 | 2:15 pm |

    My observations, as a small rural wireless ISP trying to keep a handle on this for 27 years:
    .
    *ALL* OS’s can have security holes blown through them & exploited.
    .
    Nothing is truly ‘secure’ while connected online – even with a firewalled system.
    .
    You can only do the best you can with the info you have, and I know for a fact there are *WAY* too many clueless Grandmas online today, who could care less until they can no longer play cards online with their neighbor.
    .
    Most of this incoming infectious crap is polymorphic encrypted, so the majority of the AV detection systems simply won’t see it coming through the door. Today it looks like a bird, tomorrow it looks like a dog.
    .
    I see ‘tested clean’ systems absolutely loaded with this junk, but only after the drive is actually pulled from the infected machine and subjectively scanned with our shop systems running several detection/removal packages.
    .
    It takes multiple scans to remove layer upon layer of this junk, and a final scan once the drive is reconnected to the host chassis to remove the embedded trigger mechanism… Or it *WILL* re-spawn ASAP.
    .
    Experience talking here… Listen up kiddies.

  • Posted by: kibbles | 07/22/10 | 2:17 pm |

    @Xylenz – except that it, well, does. so much for windoze not sucking, eh?
    .
    curious — when did WIRED start farming out its web content to competitors gizmodo, ars technica, and pals? isn’t tech writing the *entire point* of WIRED? or is it now just a brand slapped onto a portal?

  • Posted by: Sandy99 | 07/22/10 | 2:47 pm |

    Another anti-Apple rant full of innuendo and crap.

  • Posted by: BrazilianReader | 07/22/10 | 5:34 pm |

    @kibbles | 07/22/10 | 2:17 pm |

    It’s simple: it is a political thing. A non assumed form of cyber guerrilla to grill Apple day by day in a system of kinship. Undoubtedly it will last until Apple closes the litigation case against one of their compadres a.k.a Jason Chen. How cute! At FastCompany for example they “interviewed” Brian Lam of Gizmodo canonically.

  • Posted by: pritchet1 | 07/22/10 | 6:39 pm |

    Apple Vulnerabilities or Exploits? Answer: ClamXav. Simple. Secunia still can’t sell an av app for Macs. Mac users are not that gullible.

    Or read this: http://forums.cnet.com/5208-6126_102-0.html?threadID=175789

  • Posted by: DevastatingLogic | 07/22/10 | 7:22 pm |

    Critical Thinking Test:

    A company called Secunia claims to have counted the security flaws in Apple and Windows OS’s. So they know what all the security flaws are, right? So all the flaws are known by Secunia because they counted them. So either Secunia is the most valuable software company in the world……. or this is a PR release based on guesswork and you just remembered their name.

  • Posted by: dazweeja | 07/22/10 | 8:14 pm |

    @DevastatingLogic, how about the critical thinking test of going to secunia.com and reading about every one of these vulnerabilities in detail? Because that’s the test you appeared to have failed.

  • Posted by: John C Abell | 07/22/10 | 8:14 pm |

    @kibbles We have a number of content-sharing deals, and have for some time. They use our stuff, too. We used to use AP. We dropped them and now use Reuters occasionally. This disturbs you why, exactly?
    .
    And, really, do you find it necessary to frame your questions in such an insulting tone every time you speak up? Boldface, even? Is this how you are at work? At home? Or do you only feel free to be so tiresomely aggressive in someone else’s domain?

  • Posted by: dazweeja | 07/22/10 | 8:15 pm |

    And I just ‘appeared’ to fail English grammar.

  • Posted by: number3assassin | 07/23/10 | 6:32 am |

    Seems like “Secunia” made a really professional report. Or not. Apple Insider has a pretty good article about it and I suggest that Ars Technica read it and learn something about journalism. This spin article makes them look like fools.
    http://www.appleinsider.com/articles/10/07/22/secunia_issues_contradictory_vulnerability_report_assailing_apple.html
