Apple: The New World Leader in Software Insecurity
By Peter Bright, Ars Technica | July 22, 2010, 11:56 am | Categories: Enterprise
Apple has displaced Oracle as the company with the most security vulnerabilities in its software, according to security company Secunia.
Over the first half of 2010, Apple had more reported flaws than any other vendor. Microsoft retains its third-place spot. Secunia has tracked security vulnerabilities and issues advisories since 2002, producing periodic reports on the state of software. Together, the top 10 vendors account for some 38 percent of all flaws reported.
Though this does not necessarily mean that Apple’s software is the most insecure in practice — the report takes no account of the severity of the flaws — it points at a growing trend in the world of security flaws: the role of third-party software. Many of Apple’s flaws are not in its operating system, Mac OS X, but in applications such as Safari, QuickTime and iTunes. Vendors like Adobe (with Flash and Adobe Reader) and Oracle (with Java) are similarly responsible for many of the flaws being reported.
To illustrate this point, the report includes cumulative figures for the number of vulnerabilities found on a Windows PC with the 50 most widely used programs. Five years ago, there were more first-party flaws (in Windows and Microsoft’s other software) than third-party. Since about 2007, the balance shifted towards third-party programs. This year, third-party flaws are predicted to outnumber first-party flaws by 2 to 1.
Secunia also makes the case that keeping this third-party software up to date is much harder: whereas Microsoft’s Windows Update and Microsoft Update systems cover around 35 percent of reported vulnerabilities, patching the remainder requires the use of 13 or more separate updating systems. Some vendors — Apple, Mozilla and Google, for example — do have decent automatic update systems, but others require manual intervention by the user.
Oh boy, good thing Apple’s iPhone doesn’t have Flash, because it’s insecure, right? Yeah, keep that buggy insecure software off your platform! You want to be the biggest screw-up all on your own! So, Jobs, if Adobe is “lazy”, just how goddamn lazy is Apple?
I don’t get it. I’m a Mac user (many hours/day, multiple machines) and still don’t see these things in real life, either on my computer or in the several discussion lists to which I subscribe. Oh, and by the way, the content of your story doesn’t match the headline.
Hey LarryJ,

Being a Windows user myself, I haven’t seen any of the multiple viruses and malicious software on my PC, so it must not exist, right?

Rest assured, just because I haven’t seen any of the security risks affect me in real life doesn’t mean they don’t exist. The same is true for Apple and their OS.

To smugly state that you have no security issues (as I often see from Mac users) does not mean you are not in any danger. Do not trust the marketing machines that say you are safe; we are all at risk. The more users that have a Mac or iOS device, the more people will exploit the risks inherent in those systems.
What a bunch of hooey. Nothing based in reality, just a bunch of theoretical assertions designed to get media attention (i.e. page hits, money, wealth). Move along…there’s nothing to see here.
Hilarious. So much for the “it just works” bullshit.
Larryj
Apple just became the most valuable software company; as long as it continues to be the standard for mobile devices, it will be the standard for malicious software. I wouldn’t go so far as to say they’ve become the “leader” in malicious content — there are other parameters such as severity — but I would say that commanding a majority market share should bring them attention: both good and bad.
Insecure is such a loaded term.
As the report says, it does not take into account the severity of the vulnerabilities, or, even more significantly, the likelihood of the vulnerabilities being exploited. Similarly, it doesn’t readily identify patched vs. unpatched vulnerabilities (just a total number discovered per year), nor does it account for the amount of time that vulnerabilities remain unpatched.
Apple does have more vulnerabilities; however, in general, most studies show that they are less serious and much less likely to be exploited (basically, none have been exploited in such a way as to achieve wide penetration), and are patched quickly, before being exploited, even though Apple could actually be a lot more relaxed about it.
Microsoft and Adobe vulnerabilities, conversely, are generally much more severe in nature, exploited regularly, and patched relatively slowly, in many cases not before thousands, if not millions, of computers are infected.
I also challenge people like samagon when they claim they have never seen viruses or malicious software. Regardless of how well protected you were, malware like Conficker was still able to penetrate some of the most secure systems, because it took advantage of a previously unknown vulnerability.
Secondly, even if people were able to avoid malware like Conficker (by luck, not because of anything you did, I assure you), roughly 6% of users are still infected.
Given that there are at least 75 million Mac users (as of WWDC 09, certainly many more now), if, as you claim, the threat does exist, why have we yet to see exploits that get further than even a few hundred users, not the 4.5 million or more that we should be seeing based on similar percentages?
Apple is the world leader in software insecurity, and yet we still spend 90% of our time supporting the 20% of our company computers that run Windows.
Forget flaws. Show me exploits. According to the same security company, Adobe Reader is responsible for 28% of the exploits that happened in the first quarter of 2010. I’ve been supporting Windows and Macs since ’93 and have yet to see a compromised Mac.
No OS is totally secure, and a Mac exploit is just a matter of time. But for now, Windows is the low hanging fruit and is likely to remain so.
Perhaps I’m too cynical but most of these “macs are in trouble” stories have their sources in companies that are being squeezed by Microsoft Security Essentials on one side, and the “we don’t need antivirus yet” Macintosh computers on the other.
My observations, as a small rural wireless ISP trying to keep a handle on this for 27 years:

*ALL* OSes can have security holes blown through them and exploited.

Nothing is truly ‘secure’ while connected online – even with a firewalled system.

You can only do the best you can with the info you have, and I know for a fact there are *WAY* too many clueless Grandmas online today, who could care less until they can no longer play cards online with their neighbor.

Most of this incoming infectious crap is polymorphic and encrypted, so the majority of the AV detection systems simply won’t see it coming through the door. Today it looks like a bird, tomorrow it looks like a dog.

I see ‘tested clean’ systems absolutely loaded with this junk, but only after the drive is actually pulled from the infected machine and scanned with our shop systems running several detection/removal packages.

It takes multiple scans to remove layer upon layer of this junk, and a final scan once the drive is reconnected to the host chassis to remove the embedded trigger mechanism… or it *WILL* re-spawn ASAP.

Experience talking here… Listen up, kiddies.
@Xylenz – except that it, well, does. So much for windoze not sucking, eh?

Curious — when did WIRED start farming out its web content to competitors Gizmodo, Ars Technica, and pals? Isn’t tech writing the *entire point* of WIRED? Or is it now just a brand slapped onto a portal?
Another anti-Apple rant full of innuendo and crap.
@kibbles | 07/22/10 | 2:17 pm
It’s simple: it is a political thing. An unacknowledged form of cyber guerrilla warfare to grill Apple day by day in a system of kinship. Undoubtedly it will last until Apple closes the litigation case against one of their compadres, a.k.a. Jason Chen. How cute! At FastCompany, for example, they “interviewed” Brian Lam of Gizmodo canonically.
Apple Vulnerabilities or Exploits? Answer: ClamXav. Simple. Secunia still can’t sell an av app for Macs. Mac users are not that gullible.
Or read this: http://forums.cnet.com/5208-6126_102-0.html?threadID=175789
Critical Thinking Test:
A company called Secunia claims to have counted the security flaws in Apple and Windows OSes. So they know what all the security flaws are, right? So all the flaws are known by Secunia because they counted them. So either Secunia is the most valuable software company in the world… or this is a PR release based on guesswork and you just remembered their name.
@DevastatingLogic, how about the critical thinking test of going to secunia.com and reading about every one of these vulnerabilities in detail? Because that’s the test you appeared to have failed.
@kibbles We have a number of content-sharing deals, and have for some time. They use our stuff, too. We used to use AP. We dropped them and now use Reuters occasionally. This disturbs you why, exactly?

And, really, do you find it necessary to frame your questions in such an insulting tone every time you speak up? Boldface, even? Is this how you are at work? At home? Or do you only feel free to be so tiresomely aggressive in someone else’s domain?
And I just ‘appeared’ to fail English grammar.
Seems like “Secunia” made a really professional report. Or not. AppleInsider has a pretty good article about it, and I suggest that Ars Technica read it and learn something about journalism. This spin article makes them look like fools.
http://www.appleinsider.com/articles/10/07/22/secunia_issues_contradictory_vulnerability_report_assailing_apple.html