
A recent Secunia study indicated that Apple had the most vulnerabilities of the major tech companies  (Source: Secunia)

Apple's Safari browser will happily fill your personal info into malicious web forms. This glaring flaw can lead to an unacceptable breach of privacy.  (Source: Jeremiah Grossman)
"It just works." -- Apple slogan

Apple is known for its tendency to deny problems with its popular gadgets, making life miserable for customers when such problems occur.  While Apple's iPhone 4 antenna issues are currently stealing the show, there's perhaps no better example overall than Apple's spotty track record on security.

Security research firm Secunia just released a list of vulnerabilities, and Apple has for the first time come out on top as the most vulnerable.  Secunia warns, "[The] graph is not an indication of the individual vendors’ security, as it is not possible to compare the vendors based on number of vulnerabilities alone."

Apple's supporters were quick to attack the report.  
AppleInsider writes:

Not all vulnerabilities are equal: Secunia outlines five levels of criticality ranging from minor "not critical" issues to "extremely critical" problems that can result in remote exploits without any interaction from the user, and for which active exploits are already known to exist. Yet Secunia's vulnerability report totals throw all these various types of flaws together into sums that are frequently used for meaningless comparison purposes. 

It's ironic that, almost simultaneously with the report, another significant security flaw in Safari came to light.  Safari -- Apple's browser software -- has often seen releases so buggy that they were unusable.  Safari 5 certainly offered some improvements in that department, but it apparently doesn't fare much better in the security department than past releases, including Safari 4, which had a flaw so severe it prompted a Department of Homeland Security warning.

While the latest Safari bug isn't as bad as some exploits go, considering it's not a route to installing malware, it can result in the theft of your personal info.  It all starts with one of Apple's features in Safari -- autofill.  Different from the standard browser autofill, which remembers usernames and passwords for certain sites, Safari has an even more ambitious autofill that maintains info about a user in their address book card and offers up these details when needed.

Unfortunately, Apple didn't appear to realize that it was necessary to screen what it allows to access this data.  Security researchers revealed that a simple web form can grab much of this data -- first name, last name, work place, city, state, and email address -- no questions asked.

Such info could be used in phishing schemes.  It could also be used in blackmail schemes if the users were visiting naughty websites.  Ultimately, it represents a gross threat to privacy that easily surpasses Apple's recent loss of iPad buyers' email addresses (a problem that was largely carrier AT&T's fault).  Apple was informed of the problem on June 17, 2010, but has since done nothing.

The flaw was discovered by Jeremiah Grossman, founder of WhiteHat Security.

Security problems are hardly something new for Apple though.  The iPhone has increasingly been attacked.  One security researcher suggested its security was so poor that it was "useless" to businesses.  Apple has made some improvements with each release of its iPhone OS, but they didn't stop malicious worms from cropping up in the iPhone 3GS generation.

On the computer side, Apple also has had numerous past issues.  The weak memory protections in its past two operating systems -- Tiger and Snow Leopard -- have spawned a number of successful attacks.  Worse yet, Apple's latest OS -- Snow Leopard -- shipped with an outdated, vulnerable version of Adobe Flash.

Apple has made some gains -- its new OS does come with mild antivirus protections (though Apple quietly recommends users purchase dedicated AV software).  And the OS does offer working DEP (data execution prevention), though it ships with a virtually broken address space layout randomization (ASLR) implementation (which rival Microsoft's Windows 7 flawlessly implements).

Ultimately, though, what is really killing Apple is its slow patch time.  Apple's "there is no problem" mentality has made it the slowest company at patching, according to recent surveys.  It took Apple a year to finally patch a major Java hole, which it did last year (June).  Unfortunately, such performance is more the rule than the exception.

Comments

Yes we know
By Ristogod on 7/23/2010 9:48:24 AM , Rating: 5
For most of us tech savvy, all this about Apple was already known to us. It's nice to see articles finally talking about what has already seemed so apparent however. Hopefully people can become more aware of Apple's shady tactics and see through the impression they are trying to convey to everyone and instead see the truth. Denying and ignoring issues is no way to run a business.

RE: Yes we know
By Redwin on 7/23/2010 10:30:37 AM , Rating: 5
I wonder if Apple misses the good old days when nobody knew their products were vulnerable because not enough people used them to make it worth the hackers' trouble.

Security through obscurity is less and less viable when you get to be the largest technology company in the world by market cap.

RE: Yes we know
By dragonbif on 7/23/2010 11:27:57 AM , Rating: 5
You are holding your browser wrong!

RE: Yes we know
By Dorkyman on 7/23/2010 11:44:36 AM , Rating: 2
Dang! That's what I was going to say!

Also, be careful, Jason. Articles like this one will REALLY piss off You-Know-Who.

RE: Yes we know
By Pirks on 7/23/10, Rating: -1

RE: Yes we know
By JonnyBlaze on 7/23/2010 5:00:02 PM , Rating: 5
It's not his fault Apple removed the link.

You can find other sites posting about it back when it was live.

Apple didn't want all that attention I guess.

RE: Yes we know
By Pirks on 7/23/10, Rating: -1

RE: Yes we know
By borismkv on 7/23/2010 7:56:30 PM , Rating: 2
Backpedal some more, Pirks. The article was posted and notes *Mac* versions of AntiVirus software for OSX 10.5, so it's at least as recent as that. So
"Apple probably meant catching Windows virii, not OS X ones since those for OS X still are virtually non-existent."
is wrong. And an Apple Marketing flunky is blowing smoke with this statement:
"We have removed the KnowledgeBase article because it was old and inaccurate"
and it's inaccurate, not because Apples need no additional protection, but because having "multiple antivirus utilities" will *break everything*.

RE: Yes we know
By Pirks on 7/26/10, Rating: -1

RE: Yes we know
By damianrobertjones on 7/25/2010 3:44:14 PM , Rating: 1

RE: Yes we know
By Pirks on 7/26/10, Rating: -1

RE: Yes we know
By croc on 7/23/2010 8:58:50 PM , Rating: 3
Pirks must be using Safari.... Link works just fine in Opera, Explorer, FF.... Gee, Pirks, maybe YOU should do a bit of testing before you go off on a wild, flaming, tangent. I'd say more, but I am trying to be polite.

RE: Yes we know
By chick0n on 7/23/2010 11:18:08 PM , Rating: 2
You wanna talk crap about Mac? Come on, it's PIRKS the Jerk! He is about the same as reader1!

RE: Yes we know
By Pirks on 7/26/10, Rating: 0

RE: Yes we know
By drycrust3 on 7/23/2010 4:52:14 PM , Rating: 3
Huh? Am I going the way of Van Gogh? Everything is yellow.

RE: Yes we know
By Treckin on 7/24/2010 12:43:54 AM , Rating: 3
Give this man a 6 for Khrists sake

RE: Yes we know
By FoxFour on 7/23/2010 2:29:12 PM , Rating: 5
"Denying and ignoring issues is no way to run a business."

It is, however, an excellent way to run a government. Hmmm...

*conspiratorial glance from side to side*

RE: Yes we know
By B3an on 7/23/2010 4:36:17 PM , Rating: 3
I'd argue it's clearly a good way to run a business actually. Look at how well Apple do even with all the lying, denying, suing, dirty tactics and so on. And still growing.

The problem is how retarded and sheepish people are just as much as Apple themself.

RE: Yes we know
By qkool on 7/23/2010 6:33:43 PM , Rating: 2
It's the best way to run a company while you're running it. It's the worst way for anyone not making money off of the company.

RE: Yes we know
By TomZ on 7/23/2010 3:50:46 PM , Rating: 2
"Denying and ignoring issues is no way to run a business."

Obviously you missed the news the other day of their record-breaking quarterly report.

Maybe it is the way to run a business after all!

RE: Yes we know
By mstrmac on 7/25/10, Rating: -1

RE: Yes we know
By dark matter on 7/25/2010 9:53:03 AM , Rating: 3
Nice dialogue, doesn't excuse Apple though.

Copyright 2016 DailyTech LLC.