Bad news, Oracle. You've slipped to second place for the first time in years. The good news is that it's in Secunia's ranking of the top ten companies with the most software vulnerabilities, which is now topped by Apple -- Microsoft remains in third place, followed by HP and Adobe. According to Secunia, Apple's vulnerabilities are mostly not in OS X, but in Safari, iTunes and other applications. What's important to note, however, is that Secunia's definition of "vulnerability" isn't limited to dangerous, exploitable vulnerabilities, so the rankings don't necessarily indicate which software is the most insecure from a user's point of view.

One vulnerability that is potentially serious, however, is an issue with Safari's AutoFill feature recently discovered by Jeremiah Grossman of WhiteHat Security. According to Grossman, a malicious website can exploit the feature to pull data from a user's address book without their knowledge, which has been demonstrated to take "mere seconds" by a bit of proof-of-concept code (which you can try out yourself if you're feeling trusting). Grossman also says he's informed Apple of the vulnerability but hasn't received a response, and suggests that the only "fix" in the meantime is to turn off the AutoFill feature completely.

Update: AllThingsD has a statement from Apple on the AutoFill issue -- a spokesperson says "we take security and privacy very seriously," and that, "we're aware of the issue and working on a fix."

Secunia ranks Apple first in software insecurity, Safari said to have AutoFill vulnerability