A common taunt from the Apple faithful is that the Mac OS is more secure than Windows, but a new report by the Flemish security firm Secunia finds that Apple products have more vulnerabilities than any other vendor.

Secunia's study (PDF) covers reported vulnerabilities in the first half of 2010, and comes with the caveat that it's a report based on pure numbers. That's not the best basis for threat assessment, of course, since it doesn't look at the severity of the vulnerabilities.

Secunia also notes the problems are not with the operating systems themselves; they are primarily found in the third-party apps written for those operating systems. The authors of the report rightly acknowledge that despite Apple topping the list of most vulnerable companies, the Mac OS has been relatively untouched by malware. On the Windows side, Secunia reports that a typical PC with 50 programs installed -- 26 Microsoft apps, 24 third-party apps -- had 3.5 times more vulnerabilities than a system with just the 26 Microsoft programs.

What it all means

"Users and businesses must change their perception that Microsoft products pose the largest threat in order to allocate security resources effectively. General awareness on the risk of third-party programs must be established," Secunia wrote in its report.

Secunia, of course, is not a purely objective observer; its business is evaluating the security of third-party applications. Secunia's software inspector utilities monitor a system and check to see if apps on the system are out-of-date, if new versions are available, and if there is a known bug in the app.

Finding the weak link

Secunia said that the focus by malware writers has shifted from Microsoft to third-party developers because they are typically slower to update their software than Microsoft. Microsoft has a monthly patch cycle known as "Patch Tuesday," where fixes are issued on the second Tuesday of every month. Other vendors are not as consistent.

Also, many apps require the user to manually check for updates. One notable exception is the Firefox browser (from Mozilla, which ranked tenth in the list of most vulnerable vendors), which alerts users when a new version is available for download.

The report said the top ten most vulnerable vendors -- which include (in order) Apple, Oracle, Microsoft, HP, Adobe, IBM, VMware, Cisco, Google, and Mozilla -- account for 38 percent of all vulnerabilities disclosed in the last year. Oracle includes Sun Microsystems, and therefore, Java, as well as BEA logic bugs.

Since 2006, Oracle has been the leader in vulnerabilities, with Apple coming second since 2007. This year, the two swapped positions. Microsoft has consistently held its third-place ranking since 2006.

Changing strategies

According to Secunia, from 2007 to 2009, the number of vulnerabilities affecting a typical end-user almost doubled, from 220 to 420, and, the company predicts, that number could double again this year. The report also found that remote attacks -- usually by malware implanted on the computer -- remain the most common form of attack, occurring more than 80 percent of the time.

It also found that remote system access and cross-site scripting have dipped among the most prevalent forms of attack, while accessing sensitive information has grown. Essentially, this means more keyloggers and information stealers are being used than before.

Andy Patrizio is a senior editor at InternetNews.com, the news service of Internet.com, the network for technology professionals.