Microsoft or Apple - Who Is the Faster Patcher?
Amy Bennett writes "And the answer is... Microsoft. Researchers from the Swiss Federal Institute of Technology analyzed 658 high-risk and medium-risk vulnerabilities affecting Microsoft products and 738 affecting Apple. They measured how many times over the past six years the two vendors were able to have a patch available on the day a vulnerability became publicly known, which they call the 0-day patch rate. What they found: 'Apple was below 20 [unpatched vulnerabilities at disclosure] consistently before 2005,' said Stefan Frei, one of the researchers involved in the study. 'Since then, they are very often above. So if you have Apple and compare it to Microsoft, the number of unpatched vulnerabilities are higher at Apple.'"
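The "0-day patch rate" the summary describes is simple to compute once you have, for each advisory, the day the vulnerability became public and the day a vendor fix was available. The script below is an added illustration written for this thread, not code from the study or from either vendor; the vendor names and dates are constructed sample records, and a disclosure-day patch (or one released earlier) counts as a 0-day patch, while still-unpatched entries count against the vendor.

```python
from collections import defaultdict
from datetime import date

# Constructed sample advisories (illustrative only, not the study's data).
# "disclosed" is the day the issue became publicly known; "patched" is the
# day a vendor fix was available, or None if no fix existed at snapshot time.
SAMPLE = [
    {"vendor": "VendorA", "disclosed": date(2004, 3, 1), "patched": date(2004, 3, 1)},
    {"vendor": "VendorA", "disclosed": date(2004, 9, 14), "patched": date(2004, 9, 10)},
    {"vendor": "VendorA", "disclosed": date(2006, 2, 2), "patched": date(2006, 2, 2)},
    {"vendor": "VendorA", "disclosed": date(2006, 5, 20), "patched": date(2006, 5, 25)},
    {"vendor": "VendorA", "disclosed": date(2006, 11, 8), "patched": None},
    {"vendor": "VendorB", "disclosed": date(2006, 4, 4), "patched": date(2006, 4, 4)},
    {"vendor": "VendorB", "disclosed": date(2006, 7, 1), "patched": date(2006, 7, 1)},
]


def is_zero_day_patch(rec):
    """A vulnerability counts as 0-day patched when a fix was available on
    (or before) the day it became publicly known. Unpatched entries never count."""
    patched = rec["patched"]
    return patched is not None and patched <= rec["disclosed"]


def days_exposed(rec, as_of):
    """Days the public knew of the issue before a fix existed. A still-unpatched
    entry is measured up to the as_of snapshot date; a patch that predates
    disclosure gives zero, never a negative number."""
    end = rec["patched"] if rec["patched"] is not None else as_of
    return max((end - rec["disclosed"]).days, 0)


def zero_day_patch_rate(records):
    """Per (vendor, year): share of disclosed vulnerabilities that had a patch
    on disclosure day, plus how many were unpatched at disclosure."""
    totals = defaultdict(lambda: {"total": 0, "zero_day": 0})
    for rec in records:
        key = (rec["vendor"], rec["disclosed"].year)
        totals[key]["total"] += 1
        if is_zero_day_patch(rec):
            totals[key]["zero_day"] += 1
    return {
        key: {
            "rate": counts["zero_day"] / counts["total"],
            "unpatched_at_disclosure": counts["total"] - counts["zero_day"],
        }
        for key, counts in totals.items()
    }


if __name__ == "__main__":
    snapshot = date(2007, 1, 1)  # constructed snapshot date for exposure windows
    for (vendor, year), stats in sorted(zero_day_patch_rate(SAMPLE).items()):
        print(f"{vendor} {year}: 0-day patch rate {stats['rate']:.0%}, "
              f"{stats['unpatched_at_disclosure']} unpatched at disclosure")
    for rec in SAMPLE:
        print(rec["vendor"], rec["disclosed"], "exposed", days_exposed(rec, snapshot), "days")
```

Note what the metric does and does not capture: it is anchored on the public disclosure date, so it says nothing about how long the vendor privately knew of the issue before that day, and it weights every advisory equally regardless of severity.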
it must be apple hate week here at slashdot :p
Now you've done it.
SJW: Someone who has run out of real oppression, and has to fake it.
Microsoft has more practice patching their OS!
[Sir Garlon] is the marvellest knight that is now living, for he destroyeth many good knights, for he goeth invisible.
and no one is around to hear it does it make a sound? That's the excuse I would use if I was Apple.
I read that as "Fastest Pitcher"... I was very confused.
Microsoft is the faster patcher, but only if it happens to be the second Tuesday of the month.
This guy's the limit!
Microsoft fixes their bugs faster, OK. I agree. I would say it is a result of the large manpower they have. They have a larger team dedicated to fixing bugs.
What affects me is the severity of these bugs that need to be fixed. If that is analysed, I'm sure that Apple prioritises its bugs better, and fixes the more important bugs earlier and more efficiently than Microsoft. Moreover, the bugs at Microsoft would be more severe, and a lot of patches are released in a hurry without testing properly. A perfect example is the recent release of the Vista SP1, which was withdrawn later on. It caused complete devastation, leaving many systems unrepairable, and led to heavy loss of data, for a lot of people I know. With Apple, such mistakes are very, very few. The bugs are mostly small, with less than 2% of them being fatal.
RutSum.com
...if you need to patch your OS 100x more than a competitor, then you'll naturally be faster. If Microsoft had an order of magnitude more bugs and was slower to fix them, then they'd be a far crappier tech company than they already are.
I'm not a MS or Apple basher, but this article is pure FUD, again.
The main reason - this only deals with known vulnerabilities and the time it takes to patch. Nowhere is discussed vulnerabilities that either vendor knows exists, but releases no information and no patch to fix it.
I'm all for trying to analyze the differences between vendors, but studies like this are just shit.
09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0
I've recently noticed that Apple's software constantly crashes with segmentation faults, which practically always means that there's a potential security vulnerability... So to me it seems like Apple's code is constantly getting worse. It looks like sales is getting all the attention...
I love my Mac, and have been happy with OSX, but Apple's secretiveness is really annoying when it comes to patches - generally they don't tell you what was fixed, or do so only in really vague terms. There are frequent reports of Apple deleting threads in their forums talking about bugs they don't seem to want to admit to.
If they really want to be taken more seriously in the enterprise market, they're going to have to step up and treat these things a bit more professionally, instead of just basically saying "trust us and don't ask too many questions".
The article in question lacks a significant amount of information - hell, it didn't even give a number for Microsoft. It just said that Apple was "below 20" and then got better.
Until I see an article that doesn't throw out one number and then fill the rest of the page with useless fluff and speculation, I'm putting my money on Apple.
Bah. This comparison is just Apples to - wait a minute...
A-Bomb
Yeah, the big flaw from Safari 2 that I wanted fixed in Safari 3 was that it always crashed immediately whenever I started it up. Unfortunately, the problem persisted. I can't see how anyone could possibly use a browser that doesn't stay open long enough to load about:blank.
Anecdotal evidence. Serious business.
One can always play with the criteria to get any desired winner.
Going by raw number of anything you lose any distinctions as to the severity or impact of each problem.
In general a buffer-overflow in the Windows kernel is a heck of a lot more dangerous than a similar problem in OSX can ever be.
Of smug self-righteous praise.
1. Who cares? 2. No one 3. How many viruses, trojans and other sundry malware attacks are successful against Mac OS X each year? Study THAT. Let's have something newsworthy, folks.
I am just wondering, what percentage of the "patch available on the day the vulnerability is made public" were first disclosed to Microsoft or Apple months in advance from researchers and other sources and simply NOT posted on the "public" notification sites? We see stories all the time of security researchers making public vulnerabilities MONTHS if not YEARS after disclosing them to Microsoft because Microsoft still had not patched the issue, and the only way the researcher could get anyone to even look at the problem or admit it is a problem is to put it on the public notification sites. But those things are not being counted here, but we know many times these researchers will give the company a heads up before posting the vulnerability and make a promise not to disclose until a fix is ready (many times for a fee). We also know that there are vulnerabilities that are "public" to the hackers, but not the general "public". Are those being counted? To me you can't make a claim such as one company being the fastest in patching without taking into account when the company was notified of the issue and measuring when it was fixed from that time, and not the time that the quote, unquote public was made aware of the problem.
We were all warned a long time ago that MS products sucked, remember the Magic 8 Ball said, "Outlook not so good"
You want the job done well, or you want the job done fast?
I've seen programmers churn out patches really, really fast, and create 3 new bugs for every one they "fix".
Don't encourage them.
You can't take the sky from me...
Sigs are too short to say anything truly profound so read the above post instead.
...why is it Microsoft products that keep getting pwned?
Quickly, everyone immediately jump to Apple's defense. Microsoft cannot possibly do anything right, and Apple cannot possibly do anything wrong. We must destroy this article like the piece of lying filth that it must be. My prejudices demand it!
I'm not saying anybody did. I'm just saying they could.
It's obvious - Microsoft gets more practice.
The faster patcher? I'm assuming the great bulk of these vulnerabilities are browser issues. So while this study may indeed give an idea of the relative security between the two browsers, I wouldn't exactly bill this as a glowing M$/IE endorsement. Another consideration: market share. If you own >75% of the market, and the great bulk of the business market, you most certainly have an obligation to patch vulnerabilities ASAP. When your market is graphic designers, movie producers, and Apple fanboys, and frankly there is a severe lack of coders out there exploiting the issues, I'll forgive them if they take an extra month to push a fix out (I suppose I could be wrong here, there could be tons of folks out there writing viruses and trojans and stuff for Apple, but they most certainly aren't very successful).
Prediction: The real iPhone killer is going to be sex robots from Japan. Think about it.
But of course, nobody patches faster than Linux. Remember that local root exploit a few months ago? Fixed in less than 48 hours.
Because Apple Mac OSX machines don't require patching. They are secure out of the box because they are built upon the superior Unix which has security designed in from the start. /snark
I could give a rat's ass if Microsoft gets the patch out first. Let's see, when I have my heart surgery, I sure hope I get the Doc that does it quickest! I'm no Apple fanboy either but jeeze, c'mon... Is this the best we can do for the "Microsoft is great" audience out there?
"Computers are a lot like Air Conditioners" "They both work great until you start opening Windows"
When it comes down to it, it isn't the number of vulnerabilities that matters, it's how much they can affect your computer. When a problem exists on Windows, it can often cause serious damage, simply because of the inherently flawed design of the OS. On the Mac however, the damage is much less, because it has a design model (UNIX) that actually makes sense from a security standpoint. I'm amazed that people still deal with this $#!T from Microsoft when the design of UNIX has been around for so long. It is a sad commentary on our current state of affairs.
So does this mean that Microsoft does more quick-n-dirty patches?
If you mod this up, your slashdot background will turn into a beautiful sunset!
Also, although we can guess at the total number of vulnerabilities per kilo-lines of code, we don't know what insider information either company has on bugs, although the total is likely to be in the thousands for both, as software is complex and fixing is riskier than ignoring minor gremlins.
It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
Another quality study from the recently renamed Swiss Homeland Institute of Technology . . . .
Thanks for validating what the competent people have been saying all along.
So this is an article that doesn't give any answers to the question it poses and references a study presented at blackhat, but which has not yet been published and in fact whose presentation is not even online yet.
Can't we at least wait until we have some sort of data to discuss before embarking on half-assed arguments about how relevant the data is and if the methodology is credible?
> You want the job done well, or you want the job done fast?
:-)
Yes
That link is to a browser view of the PDF at pdfmenot.com which caches the actual PDF, so the poor researcher's personal web site doesn't get hit too hard. You could download the original PDF from there if you really want to.
I was looking for some stats in the article to bring home the point, but you can't cloud the issue with facts.
(phosphor)
Man is it fun watching Slashdot readers be convinced this must be faulty research without having read the research itself. Why not wait a few days until you can verify what the researchers did (should be available later from the blackhat.com website) and provide actual analysis on the research.
You can't fault the conclusions unless you know how that conclusion was reached.
(Of course, if the conclusion had been that Apple was better at 0-day patches, there'd be a lot more, "Well, duh!" responses.)
"All the things I really like to do are either immoral, illegal, or fattening."
- Alexander Woollcott
Mocrosloth doesn't even say they have a problem, much less announce it, until they have a patch ready (or nearly ready). Take a look at the "shatter attack" privilege elevation exploit that just got fixed in Vista: it started with Win NT 4.0, and when was that out? What YEAR was that? And now we have the wonderful FireWire exploit, which they were aware of in 2004, reminded again in 2006, and the exploit finally published in 2007 because they refused to do anything! The only reason why MS is coming out on top is because they own the kitchen and cook their own numbers to order.
Microsoft is the faster patcher, but only if it happens to be the second Tuesday of the month.
Or if they are patching a problem in a DRM system or other end-user-inhibitor.
Toronto-area transit rider? Rate your ride.
I'd be interested in knowing how many total vulnerabilities were discovered for each and how severe they are as well. I read an article comparing Microsoft & Linux and guess what - same result. Microsoft patched vulnerabilities faster than Linux did, but if you ask me I'd rather have fewer vulnerabilities in the first place... And that's where I bet Apple and Linux succeed.
...usually xBSD and Linux distros outperform those two.
...and btw. it is not enough to look who patches first... you must look at the quality of a patch and what potential new problems are caused by a patch.
should be "whose patches need less patching"
speed is meaningless on its own merits
It's a numbers game.
When you have 314159 bugs (MS), even a monkey can accidentally reduce bugs just by entering random code.
I think the reality is that people have a higher tolerance for Windows bugs. We're desensitized. Here's one: about 20% of the time, when I hit a custom keyboard shortcut in Windows, the whole process freezes for about a minute. That's a bug. Is it counted on some MS bug tracker ? Probably not. Can I reproduce it consistently ? Yeah, give me any XP, 2000 or 2003 box and 10 seconds. It's not a showstopper for Joe Q. Moron, but it's one hell of a nuisance for Bill T. Coder.
Meanwhile the bugs we hear about from the Apple camp are extensive, and cover a zillion things from minor graphics corruption to obscure SSL glitches that are dependent on cosmic rays and the user's gender. It's all over the place.
Bug disclosure policies also come into play. There is no such thing as a 0-day patch, there are only postponed announcements. It takes time to run a fix through semi-adequate testing and get the PR people to do their 5 minutes of weekly effort.
-Billco, Fnarg.com
Apparently, there's a rumor that there's a 0-day in Mac OS X, according to: http://blogs.technet.com/robert_hensing/archive/2008/03/27/and-the-mac-falls-within-10-minutes-on-day-2.aspx (Bias alert: The guy's a security researcher and employee for MS)
I may just be an Apple user and not smart enough to understand what security is...but... My Powerbook is running OS X and no virus protection (or spyware/adware protection) and it also has no problems with viruses, adware, spyware, or any other insecurities. I also practice very unsafe computing and will click on just about any link or email regardless of where it comes from. Still no virus problems? Why? (well...this is a lie...several years ago I was using virtual PC on my mac and got some malware in the windoze...it was fun to have and watch for a while like a pet, but my OS X was unaffected) My company forces me to have a windows machine running on my desk at work (for ArcView). There is a whole IT team with computer science degrees keeping it safe and happy. Virus protection, malware protection, and I have to get the "team" down here to clean it up a few times a year when a bot net takes it over. I'm glad I have a team of people watching my computer and letting me know when I have been hacked. It is way better than having a big security team than an OS that is secure. I just don't understand...This makes no sense. How is security measured? FYI...I was in IT for many years and never had my OS X, Unix, Linux, or OS400 systems hacked...EVER. I have fixed more windoze problems than I can count (or want to think about).
... have bugs!
News at 11.
Seriously, what the hell is this. I don't understand how this can be interesting to anyone. OS's have bugs, plain and simple. The vendor patches them, period. That's all that you should care about.
tagged: whogivesashit
I can chug 1.5 Litres of A&W Root Beer (fountain -- not bottled)
There, now this comment is as irrelevant as the (lack-there-of) story.
Now get off my lawn!!!
(damn... I am only 19)
In case it isn't yet clear to the wankers, nobody gives a damn about exploit counts, and nobody with a brain gives a damn about bug fix turn around times. The only numbers that matter is these: 150 thousand viruses and trojans for MS Windows and counting. None for Mac OS X.
Fiat Homos et Pereat Theos
Minor things like facts do not sway a fanboy's opinion. Another thing I've noticed is that after some facts are mentioned, 99% of the fanboys will not reply to defend the original claim. I believe they truly feel that if they ignore a fact that was pointed out and do not publicly acknowledge it, they can, in their own mind, still pretend that the fact does not exist.
MS-script-kiddies have nothing to do the whole day...
NB: The message above might reflect my opinion right now, but not necessarily tomorrow or next year.
Read on
*dodges Apple fanboys
Microsoft is the catcher?
You assume the locks are built the same way, under the same management, to meet the same criteria.
You also neglect that tools only need to be created ONCE, and then distributed through the internet.
"A break-in through either case is equally devastating,"
Absolutely incorrect.
In one, you get access to the entire house; in the other you have a bunch of doors, each with a different lock, that you need to get through.
The Dunning-Kruger effect explains most posts on
OS X 10.5.2, Mail.app: when accessing some IMAP4 accounts the "Get Mail" button fails to retrieve mail for some accounts. It's a known issue and it has been since the 10.5.2 update. I am not the only one to run into it; I checked the Apple forums and tested Mail from several different networks and two different Macs. I 'fixed' this bug in Mail.app by switching to Thunderbird.
OS X 10.5.2: when printing to a printer connected to an Airport Express the OS fails to connect to the printer. It's a known issue and it has been since the 10.5.2 update. If anybody has this problem see this thread, there is a fix available here.
OS X 10.5.2: sometimes when putting the computer to sleep the screen stays black after it wakes again. The OS is up and running but the display does not light up. It looks as if this can be temporarily fixed by resetting the System Management Controller (SMC) but the problem will resurface.
OS X, various versions: Windows networking, i.e. Samba functionality, is regularly broken by point updates of OS X. Of course this is usually solvable if you are a bit of a nerd. All you have to do is plow through sites like macwindows.com and hit the command line, but it's still bloody annoying. And don't try to tell me this issue is all Microsoft's fault, because I know this is Apple screwing up with Samba.
Now I know these aren't crashes but they are glaring examples of bugs in applications and system components that Apple is taking forever to fix and for me, as an Apple user, this is pretty galling. I need patches for bugs like this more often than every 2-3 months.
If you want crashes:
Try installing the iLife 06 apps (iMovie, iDVD or iPhoto) that shipped with the 10.4.x version of OS X your Mac came with on 10.5.x. On my MacBook Pro they all crash without warning, on a fresh install of Leopard even after upgrading to 10.5.2. The iMovie help still crashes on me on 10.5.2 every time I try to access the instructions on how to hook up a camcorder. Of course one could argue that a user should not install iLife 06 on Leopard, but I fail to see why I should shell out money for iLife 08 when 06 serves my purposes just fine.
I am a Mac user and have been for years. I am more satisfied with the Mac than I was either as a Windows or Linux user but I wish that Apple would stop swamping me with new cool features and spend a few months concentrating simply on making the OS and especially the iApps more stable. I like new features but I like stability more.
Only to idiots, are orders laws.
-- Henning von Tresckow
Read the Risk report: Three years of Red Hat Enterprise Linux 4 that was published a few weeks ago.
that Apple doesn't have security breaches. Steve says that they're called features exploited by evil-doers. Steve also says that it doesn't matter if they fix their security holes quickly because the hackers don't care about targeting MacOS. Steve assures us that if we just keep buying new Macs we'll be fine.
What they found is that, contrary to popular belief that Apple makes more secure products, Apple lags behind in patching.
The two statements "X makes secure products" and "X is ahead in patching" are not equivalent. There are whole classes of security problems in Windows that do not even exist in any UNIX-based OS, and there are classes of security problems in Microsoft's HTML control that have never existed in any other browser engine.
Correspondingly, there have been problems in UNIX that have never existed in Windows, like port-number and IP-address based security in the rcp/rexec/... suite. But most of those systems have been set aside, while we're still having to deal with 'security zone' exploits in Windows.
So, Microsoft says Microsoft is better.
Can anyone tell me why this is news?
Will we be just as surprised when Apple says Apple is better?
Why is this piece of advertising being treated as news?
Everybody knows 3 people with my name.
OS X: Unpatched 6%; Partial Fix 1%; Vendor Patch 93% (Advisories 113)
Windows XP Professional: Unpatched 14%; Partial Fix 1%; Vendor Work Around 1%; Vendor Patch 85% (Advisories 183)
Windows Vista: Unpatched 8%; Vendor Work Around 4%; Vendor Patch 88% (Advisories 25)
http://secunia.com/vendor/1/
http://secunia.com/vendor/17/
I run OS X for one simple reason: it has the features I need to do my job quickly and smoothly!
:)
When it comes to security, well I don't have any problem running either of them (so far I count 1 virus on windows over 10 years usage). It's more about knowledge about your OS and computers in general.
So to make a final comment on the times for a patch... well, they both suck at updating their software! But patching is far from everything when it comes to computer security, even if it does make life easier.
Yes, you said it, but provided nothing to back up any other statements you made. I gave concrete facts on topic, and you said absolutely nothing that was on topic, much less even relevant to anything I discussed. Please, if you are going to bother us with your thoughts, at least be considerate enough to be able to hold a discussion on topic. Your emotions don't count, especially considering that your entire point was that WE were being emotional? You get real, and think for once in your life! Wake up and address the world you really live in, not some make-believe place you want us to think we live in. Give us some facts if you want to even be taken seriously! Better yet, be a man and use your real identity! How can we take you seriously if you just cower behind a false identity?
I run XP, Vista and Fedora 8. I have to say that when I boot into Fedora 8 it automatically updates the OS and ALL software installed. I don't have to do a thing. It's nice not having to surf the web checking for updates for the tons of software I use. I vote Linux.
As soon as I read this snippet in one of these customer meetings that I was in, I had to read what the Slashdotters say to this. I did that at the risk of losing a customer. But some things are just too juicy to let go...
Apple moved a lot of engineers over to the iPhone project to get it out the door on schedule. Perhaps the increase in unpatched bugs is related to that. It certainly impacted the release of new hardware.
To a shark, you are just another food choice...
The quicker patcher upper!
"When information is power, privacy is freedom" - Jah-Wren Ryel
Me, you insensitive clod!
Didn't I hear not too long ago* that you could see that Windows was more secure than Linux because it didn't have to patch as often?
Now Windows patches more often than OS X and that is also an indicator that it is more secure?
* I remember reading it here on /. and the ensuing "that's not true" conversation, but I can't find it at the moment.