MacOS X Vulnerability Metrics: Apple vs. The World

Apple dropped a ton of security updates this week and since everybody loves vulnerability metrics, I’m going to join in on the fun also. But unlike seemingly everyone else, I’m not going to compare MacOS X to another operating system and tally up which system had the most critical vulnerabilities this month. I’m going to compare bug hunters: Apple vs. external researchers vs. upstream packages and draw a (hopefully) interesting conclusion.

I have always been fascinated by the number of unattributed vulnerabilities in Apple’s security update notices, which I am assuming are internally identified vulnerabilities (Apple Product Security, perhaps?).  Apple is pretty unique in this regard, most closed-source software vendors don’t issue security updates for internally identified vulnerabilities in shipping products. So we have to either assume that everyone else is only fixing the vulnerabilities in the development branch of their next release or they aren’t even looking. Software, especially critical software connected to the Internet, is not the Ronco Showtime Rotisserie: You can’t just “set it and forget it.”

So let’s see how they stack up for the year so far. My methodology is simple. Count vulnerabilities by CVEs, eliminate duplicates, and tally up which vulnerabilities were: unattributed, credited to an external researcher, or fixed as part of Apple updating an externally developed part of MacOS X to a newer version. Although WebKit is an open source project, I considered it Apple code so vulnerabilities fixed in it are counted as either internally or externally found vulnerabilities.

The 2008-003 update had 41 security updates: 12 of which were internally identified, 10 reported by external researchers, and 19 vulnerabilities fixed in upstream software packages. The 2008-002 update was a whopper with 20 internally identified vulnerabilities, 8 externally reported, and 62 (!) in upstream packages. The relatively petite 2008-001 update had 3 internally identified vulnerabilities, 5 externally reported, and 3 from upstream packages.

I counted up all of the Apple Security Updates (including iPhone, AirPort, etc) for the year and the grand totals were:

  • Internal: 44
  • External: 53
  • Upstream: 84

This brings me to my guess as to what Apple is doing and my advice to software vendors: You should be finding and fixing at least as many vulnerabilities in your shipping products as external researchers are. There is no reason that you can’t keep up, you have the source code and they don’t.  Only finding and fixing vulnerabilities in development for future releases and treating external vulnerability reports like other bug reports (customers X have issue Y w/ product Z) is a bad model for security vulnerability response when “customers X” are 98% of Internet users, “issue Y” is remote code execution, and “product Z” is Flash.


  1. Of course, door number three is that external researchers aren’t necessarily always credited… Stranger things have happened, yesno?

    Still, I think Cupertino is turning a corner. Still have a way to go but yes, it seems to me they are making an effort. That said the recent CoreSec iMail disclosure is pretty embarassing. 4 months isn’t that far off from HP / SnoSoft BITD…

    /me loves shiny bits and a Bash prompt with transparent XTerms but is sticking with PaX+GrSec and $LINUX_DISTRO for now.

  2. Dino Dai Zovi says:

    I have heard of external researchers not being credited and other vendors have refused to credit me for reported vulnerabilities before. But it’s hard to believe that all of the unaccredited vulnerabilities are due to denied credit. Another possibility is that those bugs were discovered being exploited in the wild or from found exploits, but that also seems unlikely.

    Custom security patches like PaX and GrSec for Darwin would be pretty darn cool…

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s


Get every new post delivered to your Inbox.

Join 5,896 other followers

%d bloggers like this: