According to Secunia's Half Year Security Report 2010, 10 technology vendors account for 38% of all vulnerabilities disclosed over the past five years, a percentage that has remained relatively stable during this period. Yet, the number of vulnerabilities affecting PC users has been rising rapidly, thanks largely to increasingly vulnerable third-party applications. If the trend continues, Secunia predicts 760 vulnerabilities by the end of the year, almost double the 420 vulnerabilities detected in 2009, and approaching four times as many as the 220 vulnerabilities detected in 2007.
In the ranking of the ten vendors with the most vulnerabilities in their products, Apple overtook Oracle during the first six months of the year. Oracle dropped to second place, followed by Microsoft, HP, Adobe, IBM, VMware, Cisco, Google, and Mozilla.
Secunia says that the security of these vendors' products cannot be judged by vulnerability counts alone and that one must consider changes in the types of vulnerabilities reported, code quality, handling of vulnerability reports, update mechanisms, and other factors to fully assess security.
Indeed, one need only to look at vast amount of malware targeting the Windows platform to see that while users of Apple software may face largely theoretical risk, users of Windows (some of whom may be running Apple's iTunes or Safari) software face clearly demonstrated risk.
Secunia says that its report supports the perception that high market share correlates with a high number of vulnerabilities.
At the same time, the report notes that the security efforts by the top vendors haven't had much success in reducing vulnerability counts.
"Despite increased investments into the security of their products, none of the seven vendors who occupied the Top-10 group in 2005 as well as in 2010 managed to decrease the number of vulnerabilities discovered in their products," the report states. "On the contrary, the vulnerability count of each of these seven vendors has increased to reach in 2009 between 136% and 440% of the 2005 count."
But if the major vendors aren't seeing a reduction in vulnerabilities as a result of their efforts, at least they're doing better than third-party vendors.
According Secunia, third-party programs are almost exclusively to blame for the increased risk to end-users when using the Internet. The firm says that a typical PC with 50 applications installed had 3.5x more vulnerabilities in 24 third-party programs than in 26 Microsoft programs installed. And that ratio is expected to shift to 4.4x by the end of 2010.
The report calls for wider deployment of automated patching mechanisms, something Secunia just happens to be working on, in the form of its Personal Software Inspector (PSI) 2.0.