A new report shows that the number of reported vulnerabilities in major commercial software products is accelerating, and that Apple’s products now have more reported vulnerabilities than those of any other major vendor. Perhaps more important, though, is the finding that third-party applications now account for the vast majority of flaws on most computers.
The report, by security firm Secunia, which tracks and publishes information on security flaws, covers the first half of 2010 and shows that while Apple has the highest number of vulnerabilities in its products, Microsoft, Adobe, Mozilla and Oracle are right in the mix, as well. Secunia doesn’t break out the exact number of vulnerabilities reported in each of the vendors’ products, but instead simply ranks them by volume of CVEs. A quick search of the CVE database shows about 189 CVEs involving Apple so far in 2010 and about 146 involving Microsoft.
For the last three years, Apple has ranked second, behind Oracle, in the number of CVEs submitted regarding its products, with Microsoft in third place. But so far in 2010, Apple has taken over the top spot in the ranking. However, raw vulnerability counts are not an accurate measure of product security on their own.
As Secunia notes in the report, “The above graph is not an indication of the individual vendors’ security, as it is not possible to compare the vendors based on number of vulnerabilities alone. To assess the ‘performance’ of vendors in terms of vulnerabilities one should rather look at the changes in the type of vulnerabilities, code quality, handling of vulnerability reports, ability to update users, quality of patches, ability to communicate to end users, number of products, complexity of product portfolio, and other factors which cannot be read out of mere aggregate numbers.”
Also, reports like Secunia’s only measure reported vulnerabilities. There’s simply no way of knowing how many unreported vulnerabilities there are in a given product.
Perhaps more interesting than the raw vulnerability data is the finding that third-party applications are now the main source of vulnerabilities on most PCs. That share has been increasing steadily over the last three years and is the result of an increased focus by both researchers and attackers on finding flaws in applications beyond the operating system and browser.
“Today we are facing a much more challenging and complicated problem that is likely to take years to solve: patching of 3rd party software. Looking at the Top-50 programs installed by Secunia PSI users, we see that the programs come from 14 different vendors; it is also worth considering that all the programs covered by Secunia PSI span a total of 3,000 vendors. Only recently have we seen significant initiatives from Adobe, the most prevalent ‘3rd party’ vendor due to Adobe Flash Player and Adobe Reader, to start updating all their users in a more efficient and rapid manner than earlier. This seems to be a response to the increased exploitation of Adobe Reader vulnerabilities in 2009,” the report said.
Secunia’s findings support the anecdotal evidence that’s been accumulating in recent years as attackers and offensive security researchers alike have concentrated their efforts on finding and exploiting weaknesses in non-core components such as Adobe Flash, JavaScript and third-party browser add-ons and plug-ins. Some of the more critical vulnerabilities identified in the last couple of years, such as the critical Java exploit identified earlier this year, are perfect examples.