Study: Apple’s Exposure to Net Threats Rises

As part of its current ad campaign, Apple suggests that Macs aren’t vulnerable to the same Internet security problems PCs are.

But according to a new study by security vendor Symantec, the number of vulnerabilities identified in Apple’s Safari browser in the first half of 2006 doubled over the prior six months, and the browser’s window of exposure to Net-based exploits grew from zero days to five.

Microsoft’s Internet Explorer browser still has a longer window of exposure—the time between when code exploiting a vulnerability appears and when a fix is available—and a greater total number of security holes. But Apple “is headed in the opposite direction” with respect to its browser’s vulnerability to Internet-based threats, says Dave Cole, director of Symantec’s Security Response team.

Baseline contacted Apple last week requesting comment on the Symantec study, but the company did not provide a response by our Friday deadline.

The tenth edition of Symantec’s twice-yearly Internet Security Threat Report, to be released Sept. 25, analyzes network-based attacks and known software vulnerabilities for the first six months of 2006.

According to the report, the window of exposure for Apple’s Safari browser increased from zero days in the second half of 2005 to five days in the first half of 2006. The number of vulnerabilities identified for Safari doubled, to 12 in the first half of 2006 compared with six in the preceding six months.

Meanwhile, Internet Explorer’s window of exposure declined, from 25 days in the second half of 2005 to nine days in the first half of 2006. Vulnerabilities for IE increased for the most recent period, to 38 from 25. Cole says Microsoft cut IE’s exposure window by issuing several “out-of-cycle” patches this year (Microsoft normally releases software updates on the second Tuesday of each month, so-called Patch Tuesday).

Apple’s marketing campaign implies Macs are not vulnerable to the same kinds of Internet security threats that Windows PCs are. In a recent Apple TV ad, an actor playing the Mac character says to the PC character: “I run Mac OS X, so I don’t have to worry about your spyware and viruses.”

In fact, although unusual, Internet-borne malware has targeted the Mac platform (see the U.S. Computer Emergency Readiness Team’s Apple Mac OS X Safari Command Execution Vulnerability advisory). Apple security updates for the latest vulnerabilities can be downloaded at http://docs.info.apple.com/article.html?artnum=61798.

Symantec’s Cole says it’s a fallacy to claim that any Web browser is inherently safer than another.

“The reality is, Apple has lower market share” than Windows PC makers, he says. “Attackers are driven by money, so they go after the bigger market. If you have lower market share, you’re not more secure—you’re just less interesting [to a hacker].”

He also points to what’s happened with open-source Mozilla browsers, which include Firefox. As their popularity has increased, more security holes have been discovered: For the first six months of 2006, 47 vulnerabilities were found in Mozilla, compared with 17 in the last half of 2005.

Mozilla had a one-day exposure for the first half of 2006. That’s actually an increase over Mozilla’s negative two days of exposure for the previous six months—meaning that fixes were available before exploit code was released by hackers.