Apple tops vulnerability list, but Microsoft still ahead on exploits

Apple may have disclosed more vulnerabilities than any other vendor during the first half of 2008, but Microsoft and HP are still 'beating' the Cupertino kids when it comes to the number of public exploits. These are among the findings in a report published by IBM's X-Force security R&D team.

Overall, ten vendors were responsible for 81 percent of vulnerability disclosures. They were Apple, Joomla!, Microsoft, IBM, Sun, Oracle, Cisco, Drupal, WordPress and Linux.

It is interesting to note the presence of three open source content management systems in the list. Some advocates claim that open source is inherently more secure than closed source, because of the larger number of eyes that can examine it. The downside is that it's akin to doing your dirty laundry in public.

But that openness doesn't appear to affect the number of exploits, because when vendors were ranked by the number of public exploits, three stood head and shoulders above the rest: Microsoft, HP and Apple.

'Public exploit' is defined as "Any proof-of-concept demonstrative code, partially or fully functional, or malicious mobile agent, such as malware, that is publicly available."

"The public availability of proof-of-concept code increases the likelihood that the vulnerability will face live exploitation either through targeted attempts or through a mass distribution method, like in an exploit toolkit," says the X-Force report. "Common outlets for these public exploits are exploit testing tools like Metasploit and Canvas."

Is there some good news in the report? You'll find some on page two, but there's more bad news too!