This month, Apple published seven security updates resolving around 250 issues. The last patch is arrived yesterday; it addressed Mac OS X 10.6.7.
Adding the CVE IDs (for Common Vulnerabilities and Exposures) listed in each patch does not give us accurate view of the number of vulnerabilities involved. Several appear in more than one patch: For example, CVE-2011-0191 and CVE-2011-0192 are listed in five patches (Apple TV 4.2, iOS 4.3, iTunes 10.2, Mac OS X v10.6.7/Security Update 2011-001, and Safari 5.0.4).
After eliminating multiple entries, we discover that the 256 March issues are linked to 123 CVE references. Taking a look at 2010, we see 468 CVE covering the whole year. And I have not forgotten the one in January 2011.
CVE-2006-7243 is the oldest vulnerability covered by the 2011 patches. All others are from 2010 and 2011. Here’s what we’ve seen in the last 15 months:
- 1 CVE from 2003 (CVE-2003-0063)
- 2 CVE from 2006 (1 in Q1 2011)
- 11 CVE from 2008
- 68 CVE from 2009
- 428 CVE from 2010 (41 in Q1 2011)
- 82 CVE from 2011 (all covered in 2011)
Is it possible to make a comparison between Apple and Microsoft?
During the same period (from January 2010 to March 2011), Microsoft published 123 security bulletins and patched 298 software flaws (CVE).
We can quickly compare by the level of criticality. On the Apple side for 2011, only one vulnerability has a low rating. All the others (123) were named as critical (by Vupen) or highly critical (by Secunia). On the Microsoft side one vulnerability was labeled moderate, 20 important, and eight critical.
Thus in the last 15 months Apple has corrected twice the number of flaws as Microsoft.