Secunia ranks Apple first in software insecurity, Safari said to have AutoFill vulnerability
Bad news, Oracle: you've slipped to second place for the first time in years. The good news is that it's in Secunia's ranking of the top ten companies with the most software vulnerabilities, which is now topped by Apple; Microsoft remains in third place, followed by HP and Adobe. According to Secunia, Apple's vulnerabilities are mostly not in OS X but in Safari, iTunes and other applications. What's important to note, however, is that Secunia's tally counts every reported vulnerability regardless of severity or exploitability, and a raw count says nothing about how quickly issues get patched or how many products a vendor ships, so the rankings don't necessarily indicate which software is the most insecure from a user's point of view.
One vulnerability that is potentially serious, however, is an issue with Safari's AutoFill feature recently disclosed by Jeremiah Grossman of WhiteHat Security. According to Grossman, a malicious website can abuse the feature to pull data from a user's Address Book without their knowledge; his proof-of-concept page demonstrates the extraction in "mere seconds" (you can try it out yourself if you're feeling trusting). Grossman also says he has informed Apple of the vulnerability but hasn't received a response, and suggests that the only "fix" in the meantime is to turn off AutoFill completely. The leaked data is whatever AutoFill can draw from the user's own Address Book card, so at the very least the Address Book option in Safari's AutoFill preferences should be switched off until a patched build ships.
Update: AllThingsD has a statement from Apple on the AutoFill issue -- a spokesperson says "we take security and privacy very seriously," and that, "we're aware of the issue and working on a fix."
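The shape of the problem Grossman describes is a form whose fields the browser fills in while the user sees nothing. A page author, crawler or browser extension can look for exactly that shape: input fields named or annotated the way AutoFill keys on, but hidden from view. The block below is an added example written for this article, not Grossman's proof of concept and not Apple or WhiteHat code. The identifier list, the "hidden" heuristics and the sample form are assumptions chosen for illustration; they are not a specification of what any browser version autofills.

```javascript
// Added example: flag form fields that a browser's AutoFill could populate
// but that a user cannot see. A page harvesting AutoFill data needs such
// fields: the browser writes the values in and the user never notices.
// The hint list and hidden-field heuristics below are assumptions for
// illustration, not what any particular browser actually keys on.

const AUTOFILL_HINTS = [
  "name", "firstname", "lastname", "fullname", "email", "phone", "tel",
  "address", "street", "city", "state", "zip", "postal", "country", "company",
];

// Does this field look like something AutoFill would populate?
// The autocomplete attribute is the standard signal; failing that, fall back
// to substring matching on name/id, which older AutoFill implementations used.
// Substring matching is deliberately loose (it also catches "username"),
// because a false positive here only costs a manual look.
function isAutofillTarget(field) {
  const ac = (field.autocomplete || "").toLowerCase();
  if (ac === "off") return false;
  if (ac && ac !== "on") return true;            // e.g. "email", "street-address"
  const key = (field.name || "").toLowerCase().replace(/[^a-z]/g, "");
  return AUTOFILL_HINTS.some((hint) => key.includes(hint));
}

// Is the field invisible to the user? Covers the usual tricks: display/visibility,
// zero opacity, collapsed size, and positioning entirely off-screen.
function isHiddenFromUser(field) {
  const s = field.style || {};
  const r = field.rect || { width: 0, height: 0, left: 0, top: 0 };
  if (s.display === "none" || s.visibility === "hidden") return true;
  if (parseFloat(s.opacity) === 0) return true;
  if (r.width <= 1 || r.height <= 1) return true;
  if (r.left + r.width < 0 || r.top + r.height < 0) return true;  // off-screen
  return false;
}

// Main check: names of fields AutoFill could populate without the user seeing.
// type="hidden" inputs are skipped: browsers do not AutoFill those at all.
function findSuspiciousFields(fields) {
  return fields
    .filter((f) => (f.type || "text") !== "hidden")
    .filter((f) => isAutofillTarget(f) && isHiddenFromUser(f))
    .map((f) => f.name);
}

// Browser side: turn live <input>/<textarea> elements into the plain records
// the check consumes. Kept separate so the check itself is DOM-free and can be
// unit-tested or reused in a crawler.
function collectFromDocument(doc, win) {
  return Array.from(doc.querySelectorAll("input, textarea")).map((el) => {
    const cs = win.getComputedStyle(el);
    const r = el.getBoundingClientRect();
    return {
      name: el.getAttribute("name") || el.id || "",
      autocomplete: el.getAttribute("autocomplete") || "",
      type: el.getAttribute("type") || "text",
      style: { display: cs.display, visibility: cs.visibility, opacity: cs.opacity },
      rect: { width: r.width, height: r.height, left: r.left, top: r.top },
    };
  });
}

// Constructed sample form: a visible search box, a visible email field, three
// concealed fields named the way a harvesting page would name them, and a
// legitimate type="hidden" token that must not be flagged.
const SAMPLE_FORM = [
  { name: "q", type: "text", style: { display: "block" }, rect: { width: 200, height: 24, left: 10, top: 10 } },
  { name: "email", type: "email", style: { display: "block" }, rect: { width: 200, height: 24, left: 10, top: 40 } },
  { name: "fullname", type: "text", style: { display: "block" }, rect: { width: 200, height: 24, left: -9999, top: 70 } },
  { name: "street_address", autocomplete: "street-address", type: "text", style: { display: "none" }, rect: { width: 0, height: 0, left: 0, top: 0 } },
  { name: "phone", type: "text", style: { display: "block", opacity: "0" }, rect: { width: 200, height: 24, left: 10, top: 100 } },
  { name: "csrf", type: "hidden", style: { display: "none" }, rect: { width: 0, height: 0, left: 0, top: 0 } },
];

if (typeof document !== "undefined") {
  console.log(findSuspiciousFields(collectFromDocument(document, window)));
} else {
  console.log(findSuspiciousFields(SAMPLE_FORM)); // ["fullname", "street_address", "phone"]
}
```

Run it in a page's devtools console to audit that page, or under Node to see the constructed sample. The check only tells you a field could be filled invisibly; whether the browser actually fills it without a keystroke is the part Apple's fix addresses, and the one thing a site cannot control.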
That's why I use Chrome as my main browser and Safari for my pr0n on my Mac.
Apple insecure? Nah, surely Apple must be one of the safest products to use. After all, they give you a free rubber with every new iPhone.
Whatevs, most Mac users I know, myself included, hate Safari with a passion and avoid it for other more capable and better-featured browsers like Firefox or Opera.
It's funny how people get downranked just for explaining to people what the article means... I guess they want something to be wrong with Apple so they can feel better about what they have.
What? Apple sucks at something?.... What else is new!?
A few weeks back I commented about how there were viruses, vulnerabilities, and spyware on Macs, and a huge rash of iFanboys attacked me, claiming that I had no idea what I was talking about and that Macs are by far the safest OS out there. One person even said I was a techy loser because I was talking about reformatting and re-imaging OSes instead of backing them up.
Who's laughing now? Me. That's who. I love it.
Reporting this to Apple is pointless.
It has been over two years now, and they still haven't fixed the carpet bombing exploit in Safari.
I came here for news.
Maybe I missed something, but why is Google only represented as a dot at the end?
All Secunia does is issue press releases and scare people into buying their security services. Bullshit. Tell me when they actually do things; and do things reputably. They list each OS X and Linux vulnerability multiple times for the single bug over several versions and, in Linux's case, distributions. Bulllshiiiiit.
As far as security goes...
Call me when OSX copy/paste breaks when you disable an externally facing RPC service.
Call me when OSX decides to let 3rd party software eat its own TCP/IP stack.
Call me when OSX requires a firewall to browse when connected straight through to an internet connection.
It doesn't? Great. Windows is still shitware and will always *be* shitware. I wouldn't trust Microsoft with a game console, I certainly wouldn't trust them with a desktop OS, and I certainly wouldn't trust them with a server OS.
@taiki
Finally, somebody who knows their ass from a hole in the ground.
@taiki
It does, you just don't see it.
http://www.apple.com/macosx/security/
@Seven2k
Actually I do see it. I disable it the second I get a new OSX install. The bigger question is, "What port's open to the Internet on Windows that facilitates the need for a firewall? WTF."
@taiki
Depending on the environment you are in, there are many programs that require some port(s) to be open.
http://www.wholly-mac.com/mac-virus.html
@Seven2k
Windows generates a list that long every day.
Big whoop.
I know that various apps may need externally facing ports, but my big question was, what on the OS level needs externally opened ports facing the internet?
I guarantee you even most power users aren't running Apache, SSH or bind. Maybe if they're running a game server. Maybe.
@Jack Instead of trying to defend (make yourself look childish) why it has topped this "chart," why don't you directly get information about how they test for vulnerabilities within each piece of said software. No piece of software is 100% secure, none, ever, so get over it.
I suppose it's a good thing I use Opera then, lol.
Looking at the report, skimming over it, I have to say it looks as if the entire thing is based on Windows. It's got nothing to do with OS X.
Let me see here...
So Apple has maybe one or two (or three) malware problems, along with a few vulnerabilities - which usually get fixed rather quickly...
Compared to Windows, there's no competition, as far as security goes.
However, I doubt it can stay that way forever. I dread the thought of that day's arrival. Hopefully it won't, Windows's popularity will keep people from shifting to one side of the levels.
"Apple's vulnerabilities are mostly not in OS X, but in Safari, iTunes and other applications" That was desperate. I get it, it's an impulsive reaction to defend Apple, but damn...
@JayQ330
They may well, but when that's Apple software on Windows... I don't think you'll find many rabid fanboys caring all that much about it.
@JayQ330 - Heh, seriously, are you insane?
Apple actually makes Safari, iTunes and other applications ... so the sentence is not really defending them, hey.
Also, you quoted out of context. Here is the FULL quote - "According to Secunia, Apple's vulnerabilities are mostly not in OS X, but in Safari, iTunes and other applications."
Now, note that "According to Secunia" bit. See how it was Secunia and not Engadget who is making the claim about where Apple's vulnerabilities lie?
That's the problem with quoting out of context ... it ends up making you look like a complete and utter idiot because you attributed the quote to the wrong person.
@Gooney I don't understand what you mean, it's like you're babbling, because OS X is really the "barnyard", so if it's a barnyard with doors open and no protection, does that make you the hillbilly farmer? lol! Go buy an iphart 3.0, or dual scratch-resistant screen covers to spend double your money, plus a cute little bandaid to say "oh, Apple made a big booboo, but it's okay because now I have cute little stickers I can buy." Eat it all up, you sheep.
@JayQ330 Talking about babbling....
Okay, surely I cannot be the only one wondering the following things:
This graph shows "rank" i.e. who is first, second, third, etc - it does not show absolute numbers. For example, does Apple have only a few more vulnerabilities than Oracle, or twice as many, or ten times as many?
Who was in positions 1, 2 and 6 in 2005?
From 2005-2010, the only year in which MS was ranked higher than Apple was 2006. Hmmm ... this does not mesh with my memories of 2005-2008. But that isn't a criticism, my memory is hardly a record of fact. Quite the opposite, probably.
Why would anyone take this graph seriously (see first page of comments for some serious taking of this graph) when the definition of vulnerability used is pretty wide and definitely includes bugs that most people would refuse to classify as a "vulnerability" ?
Lastly, and most importantly, what measures are performed to account for the vastly different numbers of products the companies each produce? MS and Apple make a lot more products than Cisco! And HP - what the hell are they doing on the list, and placed so high? I am really trying hard to think of any widely-deployed HP software!
This graph means nothing. 1 bad bug is all it takes to overtake a system. 1 buffer overflow = system p0wned! Number of vulnerabilities is a joke. They should be talking about how many zero day bugs there are. Adobe and MS are the first ones to get those. Of course you are just smug, pseudo-geeks who probably haven't written a single line of code in your lives. Why else would anyone choose to use an operating system that needs a freaking registry and infinite boots to do anything? Just keep hating.... I will be smiling all the way to the bank with my Apple stock.