Slashdot Mirror
Microsoft or Apple - Who Is the Faster Patcher?
Amy Bennett writes "And the answer is... Microsoft. Researchers from the Swiss Federal Institute of Technology analyzed 658 high-risk and medium-risk vulnerabilities affecting Microsoft products and 738 affecting Apple. They measured how many times over the past six years the two vendors were able to have a patch available on the day a vulnerability became publicly known, which they call the 0-day patch rate. What they found: 'Apple was below 20 [unpatched vulnerabilities at disclosure] consistently before 2005,' said Stefan Frei, one of the researchers involved in the study. 'Since then, they are very often above. So if you have Apple and compare it to Microsoft, the number of unpatched vulnerabilities are higher at Apple.'"
Microsoft fixes their bugs faster, OK. I agree. I would say it is a result of the large manpower they have. They have a larger team dedicated to fixing bugs.
What affects me, is the severity of these bugs that need to be fixed. If that is analysed, I'm sure that Apple prioritises it's bugs better, and fixes the more important bugs earlier and more efficiently than Microsoft. Moreover, the bugs at Microsoft would be more severe, and a lot of patches are released in a hurry without testing properly. A perfect example is the recent release of the Vista SP1, which was withdrawn later on. It caused complete devastation, leaving many systems unrepairable, and led to heavy loss of data, for a lot of people I know. With Apple, such mistakes are very, very few. The bugs are mostly small, with less than 2% of them being fatal.
RutSum.com
The article in question lacks a significant amount of information - hell, it didn't even give a number for Microsoft. It just said that Apple was "below 20" and then got better.
Until I see an article that doesn't throw out one number and then fill the rest of the page with useless fluff and speculation, I'm putting my money on Apple.
The article completely lacks any discussion of methodology nor does it include actual data, as well. If you make a blanket statement like "any buffer overrun bug in an included package is a 'serious' vulnerability", which I suspect is likely, but Apple doesn't run the service by default and/or has another layer of protection behind it then it's unlikely that the vulnerability would turn into an actual exploit. Another OS with the exact same package might run it by default in an easily exploitable configuration, yet have exactly the same "seriousness" rating.
Now that Apple has nontrivial market share, especially in the US non-business markets, security researchers are going to have to come up with some reason besides "obscurity" that there's not a single virus in the wild for MacOS X... despite articles like these claiming Apple has more serious vulnerabilities that they patch slower.
E pluribus unum
I am just wondering, what percentage of the "patch available on the day the vulnerability is made public" were first disclosed to Microsoft or Apple months in advance from researchers and other sources and simply NOT posted on the "public" notification sites? We see stories all the time of security researchers making public vulnerabilities MONTHS if not YEARS after disclosing them to Microsoft because Microsoft still had not patched the issue, and the only way the researcher could get anyone to even look at the problem or admit it is a problem is to put it on the public notification sites. But those things are not being counted here, but we know many times these researchers will give the company a heads up before posting the vulnerability and make a promise not to disclose until a fix is ready (many times for a fee). We also know that there are vulnerabilities that are "public" to the hackers, but not the general "public". Are those being counted? To me you can't make a claim such as one company being the fastest in patching without taking into account when the company was notified of the issue and measuring when it was fixed from that time, and not the time that the quote, unquote public was made aware of the problem.
We were all warned a long time ago that MS products sucked, remember the Magic 8 Ball said, "Outlook not so good"
You want to job done well, or you want the job done fast?
I've seen programmers churn out patches really, really fast, and create 3 new bugs for every one they "fix".
Don't encourage them.
You can't take the sky from me...
In general, a buffer overflow in the kernel is dangerous. What is it about Apple fans who think that because there are fewer viruses written for their OS, it is not a problem if Apple releases buggy code?
Palm trees and 8
I'm not saying anybody did. I'm just saying they could.
Laptops, phones, and portable audio players are niches created by Apple?
As for software, they use plenty of open source and contribute back to the community. What they don't want outside involvement with is their core hardware.
Developers: We can use your help.
No, Apple does not want outside involvement in their products, and has not been friendly to the open source projects it draws on for some of its products. If by "give back to the community," you meant, "begrudgingly provide some code to the Konqueror team but never really get it right with OpenDarwin," I guess you would be right. They actively work against third party software syncing with the iPod, and have overly restrictive terms for developing software for the iPhone.
Apple only accepted interoperability and broad third party software because it was on the verge of bankruptcy, not because it is a company that sits on a moral high ground. Apple's strategy, originally, was to keep themselves completely separate, so that buying one Apple computer required you to change your whole infrastructure. This was and remains a failing strategy, and so they modified it so that just enough third party development was possible to keep their systems relevant, but nothing more. iPods only support those formats that Apple chooses (and many iPods cannot be reflashed, because they were designed to only be capable of running Apple's software). iPhones only support some third party development, and developers are required not to step too far from where Apple wants them to be. I cannot build a computer that runs Mac OS X on my own, and it is not likely that Apple will ever allow for this. Like I said, you can construct any number of reasons for these things, but there is no denying that Apple does not want third parties developing software for Apple's platforms.
Palm trees and 8
Mocrosloth doesn't even say they have a problem, much less announce it until they have a patch ready (or nearly ready). Take a look at the "shatter attack" privilege elevation exploit that just got fixed in Vista, it started with Win NT 4.0, and when was that out? What YEAR was that? And now with have the wonderful Fire-Wire exploit, which they were aware of in 2004, reminded again in 2006, and the exploit finally published in 2007 because they refused to do anything! The only reason why MS is coming out on top is because they own the kitchen and cook their own numbers to order.
You're correct about iPods and iPhones, but completely wrong about OS X. If there were no third parties developing software for OS X there would be no Apple computers. OS X has very thorough developer documentation and free tools. Apple sells 3rd party OS X software on their web site and stores, so to say they don't want 3rd party development is obviously false.
You're also combining the lack of customizable hardware with a lack of customizable software. What they want to retain control of is the hardware and the software platforms. 3rd parties can easily build on top of that. The intent is to manage the user experience. Otherwise they feel users will end up with a mess, like on the Windows platform.
Developers: We can use your help.
It's Freedom that counts folks, not features or functions or shiney... Freedom.
Sorry, kiddo, but I'm going to have to disagree.
The "freedom" aspects are nice and everything, but without needed features or functions, you don't have jack.
Not all software has to be "free" (and not everything *should* be).
Everything I need to know I learned by killing smart people and eating their brains.
It's early days still in Apple's second-coming. There's no denying that their market share will only increase for the next few years. There's also no denying that at the moment their installed base is still trivial. Mind share for people making exploits will also take time to get to the same level on the Mac as what it is for PCs.
This is fairly obvious stuff -- history has shown that no software developer takes security seriously unless they have absolutely no option. MS crossed that threshold a long time ago and really got their shit together. Apple hasn't reached the threshold yet, but all indications are that its just a matter of time. There's a world of AJAX apps out there waiting for their trial by fire too..
Minor things like facts do not sway a fan-boys opinion. Another thing I've noticed is after some facts are mentioned, 99% of the fan-boys will not reply to defend the original claim. I believe they truly feel if they ignore a fact was pointed out and they do not publicly acknowledge the fact, they can in their own mind, still pretend that the fact does not exist.
For example, I'm sure you can do any of the editing iPhoto allows on Linux using nothing but free command line utilities. In fact, I'm sure those command line utilities can actually do much more than iPhoto can. However, those utilities, however technically superior they are, are absolutely worthless to the vast majority of users.
Of course, on Linux there are GUI photo editors, but they still suffer from UI and usability issues, as well as general aesthetics, when it comes to most users.
Freedom, just like usability and aesthetics, is nothing more than a type of feature. To turn the tables on you:
"True, without needed freedoms you don't have jack. But once you get the needed freedom the rest is fluff."
Most Mac software provides all the freedom most people need. So, with Mac OS X, for most people, they get all the freedom they need and want, all the usability they need and want, and all the aesthetics they need and want. With Linux, they get all the freedom they need and want, a lot of the usability they need, and some of the aesthetics they want.
There are, of course, plenty of Linux users for whom Linux's usability and aesthetics not only match what they want, but match it better than OS X does, and there are those for whom the freedom afforded by OS X is insufficient. These users are a small minority, but fortunately for them, Linux (and *BSD, etc.) exist.
You appear to be in that minority, which is fine, but you seem to be overreaching with regards to the extent to which your experience applies to the computer using populace as a whole.
I can't think of any good reason why some software shouldn't be free. Care to elaborate?
Time to join me in the real world. People are required in order to create software. People need to be paid. Most software would be unable to make money if it is "free" as it would also end up being free as in sale price (as I have explained earlier in this thread).
Sounds like a pretty good reason to me.
To paraphrase a statement someone made on here ages ago which I happen to agree with - "Information wants to be free. Programmers want to be paid. You just want to be cheap."
Everything I need to know I learned by killing smart people and eating their brains.
I'll start off by saying that I don't have any particular axe to grind. I don't love Microsoft, I don't hate Apple. A PC is just a tool, and if it does what I want it's a good tool. What I want might be different than what you want, so we'll use different tools and I'm fine with that. Competition and diversity are good things. I'm surprised I came off like some kind of Microsoft fanboi.
I was actually responding to the assertion that Apple's market share is no longer trivial, and provided some evidence to support my statement. Gartner is a fairly well-respected source of information in the IT world.
I'm not certain of what market Apple's products are available in. Are you saying that they only sell in the US? That would surprise me.
You've made a number of interesting claims. I'll summarize how I read them below.
1) Retail laptop sales a portion of total laptop sales, which in turn is a portion of the total worldwide PC market. I agree completely. I'd say that tends to support a position that most attacks are directed at the widest possible array of targets, which do not presently include Apple to a great extent, but maybe I'm not understanding you correctly.
2) You imply that spyware and viruses are not targeted at corporate servers. There are, of course, many examples that disprove this, among them Nimda and Code Red to name two that immediately come to mind. Excluding the server market, you seem to imply but don't outright state that Apple has 10-25% of the laptop market? I think this is simply exaggerated. Apple is growing, but not fast enough to have captured that much market share that quickly, even in the US alone. Maybe in three or four years if things keep going well for them.
3) The most interesting claim you make is that Apple users make more money than non-Apple users, thus making them prime targets for attacks, thus proving that they are more secure. There are a number of problems with this assertion.
There's no evidence that Apple users are more affluent. Perhaps that Apple's target market demographic is, but that isn't the same thing at all.
Still, let's assume a couple of your points, then. Let's assume Apple has, say, 20% market share, and those 20% of users, they have 20% more income than the rest. I'm not suggesting those numbers are in any way accurate, I think they're way too high, but I'm using them to make a point. It still wouldn't make financial sense to write something targeted at those users. This isn't statistical bullshit, just straight math.
You also make an assumption that keystroke loggers and the ilk are the majority of the attacks in the wild, aimed at stealing financial data from individual users, which is also incorrect. Zombies are far more prolific than anything else. Most people will never even know they've been attacked (which is the biggest part of the problem).
Lastly, there were a lot of Linux users who used to say the same thing, about ten or so years ago. I was one of them. As the popularity of Linux grew, the number of discovered vulnerabilities also grew, because they became more interesting targets with their popularity. You know what they say about those not learning from history being doomed to repeat it?
Eagles may soar, but weasels don't get sucked into jet engines.
Are you kidding me?
/. right now is an article about how, for the second year in a row, the Mac is the only OS in the cansecwest contest to get owned.
On the front page of
The person took complete control of the mac box by having the user click on a link in safari.
The rules of this contest state that only non-published attacks can be used. This guy just happened to have this one sitting around to use.