Secunia ranks Apple first in software insecurity, Safari said to have AutoFill vulnerability
Bad news, Oracle. You've slipped to second place for the first time in years. The good news is that it's in Secunia's ranking of the top ten companies with the most software vulnerabilities, which is now topped by Apple -- Microsoft remains in third place, followed by HP and Adobe. According to Secunia, Apple's vulnerabilities are mostly not in OS X, but in Safari, iTunes and other applications. What's important to note, however, is that Secunia's definition of "vulnerability" isn't limited to dangerous, exploitable vulnerabilities, so the rankings don't necessarily indicate which software is the most insecure from a user's point of view.
One vulnerability that is potentially serious, however, is an issue with Safari's AutoFill feature recently discovered by Jeremiah Grossman of WhiteHat Security. According to Grossman, a malicious website can exploit the feature to pull data from a user's address book without their knowledge, which has been demonstrated to take "mere seconds" by a bit of proof-of-concept code (which you can try out yourself if you're feeling trusting). Grossman also says he's informed Apple of the vulnerability but hasn't received a response, and suggests that the only "fix" in the meantime is to turn off the AutoFill feature completely.
Update: AllThingsD has a statement from Apple on the AutoFill issue -- a spokesperson says "we take security and privacy very seriously," and that, "we're aware of the issue and working on a fix."
Just read on BGR. Interesting to say the least. So what does everyone have to make of this?
@Darkroom
not so sure about all that, Darkroom. But tell us how you really feel....
@VAVA Mk 2
You can call me a fanboy, I've been called worse things
But these stats are meaningless, dee dum dee dum dum... things
Seriously:
"Secunia's definition of "vulnerability" doesn't simply include dangerous, exploitable vulnerabilities"
So the total number doesn't mean squat! One serious vulnerability that enables someone to completely take over your machine is counted the same as the most minor one...
I would rather have 1000 minors to one major... (that sounds wrong!).
@Darkroom
Not the people, BGR, unfortunately. Most of my friends still think Apple makes the most secure and reliable software and hardware.
@Darkroom You're stupid. This article is about FREE software not 'overpriced, insecure junk'.
@VAVA Mk 2, this exploit they found is really easy to implement also. Since it auto fills in the fields all one has to do is grab them with JS and send them on their way.
@VAVA Mk 2
I'm shocked that MS is 3rd. Well Apple is stingy with 3rd party software companies...this is what happens.
@Arkv2
Leading cause of hacking and malicious software attacks? I say the judgement of the person using the computer. Whatever OS in question.
@Templarian
Do you think they can address this with Apple Software Update? To me it sounds like an attack on Windows OSs running Apple software like iTunes for Windows or Safari (I run FF 3.6.6 and Chrome btw)
@Darkroom let it out, let it all out, say what's on your mind. you can kick and scream, and shout and say things that are so unkind.
@Graham Stevens
I would rather have no vulnerabilities at all....
@VAVA Mk 2
I'm just surprised that Microsoft is ranked higher on vulnerabilities than Adobe and HP. I mean, seriously?
@smartmouth Very true! But it's never going to happen...
@Darkroom You are simply an uneducated individual on the subject.
@VAVA Mk 2
That hackers have not yet focused their attention on Apple...but if they did, get ready for a world of hurt.
@Arkv2 you need new friends. jk :)
@VAVA Mk 2
What to make of it? It basically confirms what I think most of us knew, that Apple are not perfect and that Mac users are not invulnerable no matter how many smug ads Apple puts out.
Thankfully with a little common sense nobody should have much to worry about.
@ExplicitFunction
Yeah, why does this surprise anyone?
@Exodite
They have stepped up their game to keep businesses on Windows licenses. Microsoft Security Essentials, btw, is free, fast, resource light, and runs up there with AVG, Avast, Avira, and Malwarebytes. Just keep it up to date and back up once a week or two and you should never have major issues.
@Arkv2 They do
@gerrrg
bag of hurt?
@VAVA Mk 2
I think you misunderstood the intent of my post. I have no issues with Windows, never had really, but things like Flash and Adobe Reader seem to produce critical security vulnerabilities on cue.
Microsoft should, IMO, rank far lover than third on that list. Certainly under Adobe and HP.
Tried Security Essentials at one point, not a bad piece of software though I'm currently running avast! 5 Internet Security on my two rigs and like it. Paid for two years already so I'll stick to it for that time at least I reckon.
@MarkAnderson
Who knows? I've never understood where this myth came from. On the bright side, Mozilla has done some nice work this year.
@Exodite
Lower. *sigh*
WTB edit function.
@Exodite
I dual run AVG and MSE on my nicer laptop and MSE only on my netbook. I agreed with your comments though.
@Exodite I would say you have a point with Adobe Reader. There is another list that showed software products with the most critical vulnerabilities. Adobe Reader and IE were tops on that list (I think it was a list of 20). Safari is on that list also. Flash is not on that list.
@VAVA Mk 2 you do know running 2 anti-viruses at the same time is usually a bad idea, right??
Classic Example: Virus program 1 locks the system from accessing a file until it scans it, but virus program 2 has also locked the system from accessing the file, but it can't access it because virus program 1 is locking virus program 2 but virus program 2 is locking virus program 1. (seen it happen back when I used to fix computers...maybe AVs have gotten smarter...but I still don't recommend it)
AVG is better than MSE from what I've heard.
NOD32 FTW though.
@SirNoDroin
Both have no issues with each other from my experience so far and that computer runs like butter. Now Norton or McAfee (crap) or Trend Micro and other paid antivirus software usually have issues with other protection software.
@loocas
Lolz
@VAVA Mk 2 interesting to know...
I was just afraid you were one of those poor misinformed souls
"HAHA I GOT 5 ANTIVIRUSES AND 10 FIREWALLS, NO ONE CAN HACK ME"
@SirNoDroin
LOL no def not. Also have Malwarebytes free but that does not run in the background in real time. Best anti malware ever! I read a lot of NeoWin.net besides here btw so I stay informed (I hope lol).
@Arkv2
I was just explaining the Apple security "advantage" to someone yesterday. When I said Macs aren't really more secure, she was actually a bit incredulous.
Amazing what cute commercials will do.
@Darkroom
That's what I got.
@ExplicitFunction
Is it just me or has no one not noticed how Mozilla has jumped down 4 positions to get to 10th?
Mozilla, FTW!!!
@Darkroom
"that macs are outdated, overpriced, insecure junk and people are finally starting to see past steve job's bullshit?"
The iDiots are still too dimwitted to see that.
Apple: "we take security and privacy very seriously"
Haha. Privacy, yes. Security, no.
Hackers are no longer interested in hacking Windows; now they all have their eyes on Apple.
@techlord
Yeah - it's a good thing those smarmy "I'm a Mac" commercials are no longer on the air...
@techlord
As annoying as Apple's claims have been over the years with misleading ads claiming or implying Macs don't get malicious software, hacking goes after dollars and I am sure they will continue to target marketshare and go after computers with Windows. As delusional as Engadget is, the truth still remains desktop sales for Windows PCs absolutely kill OSX and this can in large be seen in the business to business sector of computer sales. Even after the upswing in Mac in the last few years it is at best ~90% Windows and ~10% OSX. Not saying one is better than the other at all here but just saying it doesn't make sense to see hacking target Mac more now than it has.
@VAVA Mk 2
hacking indeed goes after dollars, which is why it's interesting that despite hackers being offered $10,000 to hack into a Mac at cansecwest, none of them could do it.
Not one. Not even for $10,000. $10,000 does count as "dollars", right? So how do you explain that?
@Jack
umm you are on crack http://www.macworld.com/article/132733/2008/03/hack.html
@Seven2k
LOL @Jack.
@Jack
Safari gets hacked every year at Pwn to Own (I believe that is the competition's name) faster than any other browser, IE included. My point, however, is, keeping in trend with hacking, common sense, and malicious software, the news seems to be referring to iTunes and Safari on WINDOWS based machines which keeps in line with the notion that hackers benefit effort and cost wise by focusing on the marketshare leader. Was being logical.
@Jack
http://news.cnet.com/8301-27080_3-20001126-245.html
Always fun to feed the trolls. And I will have to say Jack, you are by far the worst troll here. Not in terms of actual trolling but in the quality of the troll. If I were you I would sit down..........play some WoW.......sit in Trade Chat........get on some forums.......and learn to troll better! Right now you are just sad........but it is really enjoyable to watch at work!
@Jack Reading the comment below you, yes, $10,000 does count as dollars.
@VAVA Mk 2
I feel what Jack is saying. I was with the fruit company when this happened. We weren't very happy with it. That's when all the updates came out like crazy. Also don't forget about the person that did the Bluetooth keyboard hack. I give him props for that.
@Jack pwned! enjoy oblivion, I hear they have free bingo.
@Jack lol FAIL.
@Seven2k
Do you idiots just not understand what "hack" means? A hack is remotely breaking into a system. Nobody at cansecwest was able to do that. And yes, that is specifically why I mentioned cansecwest FIRST, before you linked to it. Which you did anyway.
The whole "2 minute" thing was actually 6 months and 2 minutes, and it was the same type of thing. Safari had to be directed to a malicious web site in order for anything to happen. You know how they did that? They had somebody PHYSICALLY sitting in front of a Mac, who had to enter the ADMIN PASSWORD before Safari would do anything or go anywhere.
That is why I said it's more about how to GET to the vulnerability, not that there IS one. Please fucking educate yourself. Tell me how this vulnerability is exploitable by any method other than manipulating the user, otherwise known as a trojan or phishing. Which every platform is vulnerable to.
@Jack
You should have kept quiet, Jack.
Your insults are like sweat on my balls......just rolls off.