A new report from security software provider Secunia shows that despite considerable security investments, the software industry at large is unable to produce software with substantially fewer vulnerabilities.
The latest data shows that Apple has surpassed Oracle and even Microsoft in accounting for the most software vulnerabilities, though the No. 1 ranking is related only to the number of vulnerabilities--not to how risky they are or how fast they get patched.
This analysis also supports the general perception that a high market share correlates with a high number of vulnerabilities--with Apple (maker of iTunes and QuickTime), Microsoft (Windows, Internet Explorer), and Oracle's Sun Microsystems (Java) consistently occupying the top ranks during the last five years, along with Adobe Systems (Acrobat Reader, Flash), which joined the group in 2008.
Mac OS has remained relatively untouched by major viruses and hacking efforts in the past, as most ne'er-do-wells may have considered the operating system's market share and thus potential for private information less enticing than those of Microsoft's Windows. With the rise of Mac market share and the popularity of the iPhone, however, there is little doubt that Apple platforms will become major malware targets in the near future.
Highlights from the report:
- Ten vendors, including Microsoft, Apple, Oracle, IBM, Adobe, and Cisco Systems, account, on average, for 38 percent of all vulnerabilities disclosed per year.
- In the two years from 2007 to 2009, the number of vulnerabilities affecting a typical end-user PC almost doubled from 220 to 420, and based on the data of the first six months of 2010, the number is expected to almost double again in 2010, to 760.
- During the first six months of 2010, 380 vulnerabilities, or 89 percent of the figure for all of 2009, had already been reported.
- A typical end-user PC with 50 programs installed had 3.5 times more vulnerabilities in the 24 third-party programs installed than in the 26 Microsoft programs installed. It is expected that this ratio will increase to 4.4 in 2010.
While not particularly surprising, it's a bit depressing to think that the multibillion-dollar security software industry continues to be so easily thwarted by bad guys. If there is one positive takeaway from the report, it's that since 2005, there has been no significant upward or downward trend in the total number of vulnerabilities in the more than 29,000 products monitored by Secunia.
Maybe flat is the best we can hope for?