A report from Secunia shows that Apple has passed Oracle in the total number of self-reported software security vulnerabilities in its Windows XP and Vista products, such as iTunes and Safari. The report does not rank companies by severity of vulnerabilities, only by number, so this does not mean Apple’s software is the highest risk – other sources indicate Adobe Reader may be the most dangerous. The report highlights the lack of improvement made by the software industry as a whole and the difficulties IT managers and consumers face in keeping software patched.
The top ten third party applications, ranked by total number of reported vulnerabilities:
1. Mozilla Firefox
2. Apple Safari
3. Sun Java JRE
4. Google Chrome
5. Adobe Reader
6. Adobe Acrobat
7. Adobe Flash Player
8. Adobe AIR
9. Apple iTunes
10. Mozilla Thunderbird
Apple has consistently come in higher than Microsoft, but this is the first year since Secunia started tracking vulnerabilities that Apple has topped Oracle. We’ve previously reported that Apple is beefing up its anti-malware capabilities in OSX.
According to F-Secure, Adobe Acrobat Reader and Microsoft Word were the most commonly attacked applications in 2009. Others report that Reader exploits are on the rise in 2010. This week, Adobe announced it will implement “sandboxing” to make Reader more secure.
According to the report, a typical user has more than 66 programs from more than 22 different vendors installed. The report says third-party software is being increasingly targeted, yet most vendors don’t do automatic updating – they leave that to end users. “It appears that most vendors do not take significant steps to secure their users and customers before active exploitation takes place on a larger scale where it starts to threaten the overall reputation of the business,” the report says.
Secunia plans to update its free personal tool Secunia PSI to actually update software and not just scan for potentially vulnerable software. Meanwhile, IT managers should look into enterprise patch management solutions. Patch management is one of the most time-consuming and tedious IT security activities, but enterprises should make patching third-party software a high priority.
Hat tip to Matt Asay and Ars Technica