IBM: Apple Tops in Patching Critical Security Holes

IBM’s X-Force research and development team has issued its mid-year Threat Report on security vulnerabilities for the first half of 2010, a report with good and bad news for Apple. According to the report, Apple was the only major vendor that had patched all of its critical security flaws, but the company also took the top spot for most vulnerabilities reported (Microsoft, however, is far ahead for most critical vulnerabilities reported).

“The number of new vulnerability disclosures in the first half of the year is at the highest level ever recorded,” IBM wrote in its report. “This is in stark contrast to the 2009 mid-year report when new vulnerability disclosures were at the lowest level in the previous four years.”

Of those vulnerabilities, Apple accounted for 4% of all disclosures, counting all of its products, including Mac OS X, iOS, Safari, and Apple’s other software. While 4% may not sound like much, it was enough to move Apple past Microsoft into the top spot for most vulnerabilities reported.

IBM also broke down its data in another way: when looking only at operating systems, and counting a disclosure that affects multiple versions of the same operating system only once, we get a different ranking, as seen in the chart below. Under this method, Linux had more than 30% of all OS vulnerability disclosures, Apple was #2 at 28%, and Microsoft was close behind at #3 with 27% of all OS disclosures.

Threat Report Chart

However, when IBM broke out the data for “Critical and High Vulnerability” disclosures, Microsoft is king of the heap, with 73% of such disclosures involving Windows. Linux was #2 with 16%, and Apple was #3 with 9%, as you can see in the figure below.

Threat Report Chart

2010 Mid-year highlights
Vulnerabilities
• The number of new vulnerability disclosures in the first half of the year is at the highest level ever recorded. This is in stark contrast to the 2009 mid-year report when new vulnerability disclosures were at the lowest level in the previous four years. Web application vulnerabilities—particularly cross-site scripting and SQL injection—continue to dominate the threat landscape.
• Apple is maintaining the top spot of vendor with the most vulnerability disclosures accounting for a full four percent of all disclosures. After three years of holding the number one position of vendor with the most vulnerability disclosures, Microsoft has dropped to number two. Adobe is in third place, due to the noteworthy increase in reported PDF and Flash-based vulnerability disclosures.

However, there was one more chart that colors this information, too. According to IBM, of all the vulnerabilities reported in the first half of the year, Apple has the fourth worst record in patching them, with 13% left unpatched (Sun is #1 with 24%, Microsoft #2 with 23%, and Mozilla #3 with 21%), as you can see in the figure below.

That same table, however, shows that Apple is the only vendor with zero Critical and High Vulnerability disclosures left unpatched. Microsoft, which had 73% of such vulnerabilities reported in the first place, still has 11% of them unpatched. The Linux community has left 20% of its Critical and High Vulnerability disclosures unpatched.

Threat Report Chart

All in all, Apple had mixed results in IBM’s report, with a growing number of vulnerability disclosures overall but a comparatively small share (9%) of Critical and High Vulnerability disclosures. In addition, Apple is doing a better job of patching those critical and high vulnerabilities than other companies, including Microsoft, Google, Sun…and, well, everybody.