
clevin

macrumors G3
Original poster
Aug 6, 2006
9,095
1
Disclosed vulnerabilities of Apple products are 3.2% of the total disclosed in the first half of 2008. M$ was number 1 last year. It falls to #3, behind Apple and Joomla!.

report (pdf) is here http://www-935.ibm.com/services/us/iss/xforce/midyearreport/xforce-midyear-report-2008.pdf

Vendors affected by highest numbers of PUBLIC disclosures are M$ (#1), HP (#2) and Apple (#3).

Web application vulnerabilities are 51% of all vulnerabilities.

Top 5 most prevalent web browser exploits (2006-2008) include 4 ActiveX and 1 QuickTime vulnerabilities.

Phishing is 0.2-0.8% of total spam in the first half of '08. Six US banks are the most common targets, followed by UK banks.

Good Luck people.
 

gnasher729

Suspended
Nov 25, 2005
17,980
5,566
Any statistics about actual exploits? Like how many Macs are part of some bot farm, how many are infected by viruses, how many have keyloggers installed without knowledge of the owner?
 

clevin

macrumors G3
Original poster
Aug 6, 2006
9,095
1
Any statistics about actual exploits? Like how many Macs are part of some bot farm, how many are infected by viruses, how many have keyloggers installed without knowledge of the owner?

lol, you can't even get that type of numbers for Windows Vista.....

But yeah, those would be very nice numbers to know.

PS: the report did say that publicly disclosed vulnerabilities are generally exploited in 24 hrs upon release.
 

ohforfckssake!

macrumors regular
Aug 2, 2008
122
0
Singapore
How commonplace are exploits like keyloggers, worms and trojans on a Mac? How do they get on the Mac in the first place, given its different security architecture? Through downloading warez or other dodgy programs?

I've never understood how vulnerable Macs really are. Is it a security through obscurity thing or are Macs just exceedingly difficult to compromise?
 

clevin

macrumors G3
Original poster
Aug 6, 2006
9,095
1
I've never understood how vulnerable Macs really are. Is it a security through obscurity thing or are Macs just exceedingly difficult to compromise?

I think it's a little bit of both, but not sure how each one weighs.
 

yellow

Moderator emeritus
Oct 21, 2003
16,018
6
Portland, OR
Interesting notes..

The client-side public exploits of the OS have dropped significantly since mid-2006. Far more focused on browser now. But I wondered how Apple got into this mix as top dog..

Given this:

These statistics do not balance vulnerability disclosures with market share, number of products, or the lines of code that each vendor produces. In general, mass-produced and highly distributed or accessible software is likely to have more vulnerability disclosures.

QuickTime and iTunes? Seeing as they're bundled together for Win32 and iTunes accounts for such a significant portion of the (online music) market share, I think it likely that this is the reason for Apple's top rank.

Of course, public exploits don't necessarily turn into used exploits, as evidenced by the top 10 malware (and subsequent categories of malware examples) being exclusively for Win32 devices.
I'm sure that sheer numbers of Windows boxes account for that, but it's also not time to panic and say that Apples are totally unsafe.

Funny, Firefox taking on 8 reported vulnerabilities, more than IE!

The USA accounts for 53% of the world's porn. Nice.
 

clevin

macrumors G3
Original poster
Aug 6, 2006
9,095
1
Yes indeed, for Apple's market share, panic is not necessary currently.

But the trend is not promising, is it?

Firefox might have 1 or 2 more vulnerabilities in the report than IE, but Mozilla does patch it quickly, so that lowers the number of users who are exposed to it.

On the other hand, Apple's security patches are not that fast, combined with the not so promising trend of Apple's security problems..

I would like Apple to take some actions improving the patches, improving the communications, and give more honest and specific directions to end users.

Panic? No. Blindly dreaming in la-la land? Better not either.
 

IJ Reilly

macrumors P6
Jul 16, 2002
17,909
1,496
Palookaville
How commonplace are exploits like keyloggers, worms and trojans on a Mac? How do they get on the Mac in the first place, given its different security architecture? Through downloading warez or other dodgy programs?

I've never understood how vulnerable Macs really are. Is it a security through obscurity thing or are Macs just exceedingly difficult to compromise?

Uncommon to the point of not existing in the wild. Trojans are possible on any platform because they are fundamentally social engineering exploits but although we have seen a few proof-of-concept trojans for the Mac, I believe none have become even remotely common.

Not being tremendously technical I can't answer the question about OSX's security model in any detailed way, but I do know OSX requires more user intervention than Windows before code is inserted at the root level. This makes it more difficult for bad things to happen. Microsoft has also created some relatively easy methods for authoring and distributing malware, such as Virtual Basic.
 

clevin

macrumors G3
Original poster
Aug 6, 2006
9,095
1
Microsoft has also created some relatively easy methods for authoring and distributing malware, such as Virtual Basic.

For which there was an exploit coming in at spicy number 3 on one of the lists. :)

...mmmmm... you guys sure? I only heard about Visual Basic, never heard about Virtual Basic.

PS. Code being inserted at root level is not the only, nor is it a prevalent, security problem facing computer users today. Honestly taking action, that's what I would like to see from Apple.
 