Microsoft: Apple takes the vulnerability crown

analysis
Jul 15, 2010 (3 min read)

Microsoft COO crows that Apple tops the list for software vulnerabilities -- but is this bad news for Redmond?

Speaking at the Microsoft Worldwide Partner Conference (WPC), COO Kevin Turner told attendees that Microsoft’s archrival Apple is now No. 1 in software vulnerabilities, with database rival Oracle in the No. 2 spot. It’s a tantalizing claim and good marketing for Microsoft, but does it point to deeper truths about the challenges Microsoft faces?

I’m not sure where Turner got his data — the COO sourced his comments as “one of the last surveys that I saw in the marketplace” — but I’d guess it was Danish security research firm Secunia’s Half Year Report for 2010, which ranked Apple No. 1, Oracle No. 2, and Microsoft No. 3 in its list of the top 10 sources of software vulnerabilities. Not surprisingly, a close read of that report yields some data points that didn’t make it into Turner’s speech.

First, Apple’s ascendancy to the top of the reported vulnerabilities list isn’t really news. Measured by MITRE’s list of Common Vulnerabilities and Exposures, Apple has surpassed Microsoft in vulnerabilities for at least the last four years, but has only recently overtaken software giant Oracle, which takes the rap for vulnerabilities across a broad portfolio, including BEA and Sun products. In fact, Microsoft’s ranking has held steady at No. 3 since mid-2006 — which may be due to the company’s embrace of SDL (secure development lifecycle) in the last five years.

So how might Apple’s top rank be bad news for Microsoft? As the Secunia report points out, the discovery of software vulnerabilities correlates closely with the popularity of the platform itself. In other words, researchers and hackers are finding more holes in Apple’s operating system and applications because they’re paying more attention to an increasingly successful platform.

The other point, of course, is that the number of vulnerabilities is a very crude measuring stick. For example, how critical are those software holes? Was the vendor able to respond quickly with patches? Microsoft is recognized as an industry leader in its efforts to respond to vulnerabilities in its products; security researchers generally give Apple and Oracle lower marks in their response times.

The connection between researchers’ “interest” levels and the numbers of vulnerabilities they find limits any effort to derive meaning from these numbers — beyond the indisputable fact that all the major software vendors that Secunia tracks have been unable to reduce the number of holes discovered in software. In fact, as Secunia notes in its report, the number of vulnerabilities found in the products of the top-ranked vendors increased between 136 percent and 440 percent between 2005 and 2010. That’s a statistic that nobody will be bragging about any time soon.

Paul F. Roberts is a Senior Analyst at The 451 Group.

This article, “Microsoft: Apple takes the vulnerability crown,” was originally published at InfoWorld.com.