Slashdot Mirror
Microsoft or Apple - Who Is the Faster Patcher?
Amy Bennett writes "And the answer is... Microsoft. Researchers from the Swiss Federal Institute of Technology analyzed 658 high-risk and medium-risk vulnerabilities affecting Microsoft products and 738 affecting Apple. They measured how many times over the past six years the two vendors were able to have a patch available on the day a vulnerability became publicly known, which they call the 0-day patch rate. What they found: 'Apple was below 20 [unpatched vulnerabilities at disclosure] consistently before 2005,' said Stefan Frei, one of the researchers involved in the study. 'Since then, they are very often above. So if you have Apple and compare it to Microsoft, the number of unpatched vulnerabilities are higher at Apple.'"
it must be apple hate week here at slashdot :p
Now you've done it.
SJW: Someone who has run out of real oppression, and has to fake it.
Microsoft has more practice patching their OS!
[Sir Garlon] is the marvellest knight that is now living, for he destroyeth many good knights, for he goeth invisible.
and no one is around to hear it does it make a sound? That's the excuse I would use if I was Apple.
Microsoft is the faster patcher, but only if it happens to be the second Tuesday of the month.
This guy's the limit!
Microsoft fixes their bugs faster, OK. I agree. I would say it is a result of the large manpower they have. They have a larger team dedicated to fixing bugs.
What affects me, is the severity of these bugs that need to be fixed. If that is analysed, I'm sure that Apple prioritises it's bugs better, and fixes the more important bugs earlier and more efficiently than Microsoft. Moreover, the bugs at Microsoft would be more severe, and a lot of patches are released in a hurry without testing properly. A perfect example is the recent release of the Vista SP1, which was withdrawn later on. It caused complete devastation, leaving many systems unrepairable, and led to heavy loss of data, for a lot of people I know. With Apple, such mistakes are very, very few. The bugs are mostly small, with less than 2% of them being fatal.
RutSum.com
From the summary:
> 658 [...] affecting Microsoft products and 738 affecting Apple
"Between strong and weak, between rich and poor [...], it is freedom which oppresses and the law which sets free"
I love my Mac, and have been happy with OSX, but Apple's secretiveness is really annoying when it comes to patches - generally they don't tell you what was fixed, or do so only in really vague terms. There are frequent reports of Apple deleting threads in their forums talking about bugs they don't seem to want to admit to.
If they really want to be taken more seriously in the enterprise market, they're going to have to step up and treat these things a bit more professionally, instead of just basically saying "trust us and don't ask too many questions".
The article in question lacks a significant amount of information - hell, it didn't even give a number for Microsoft. It just said that Apple was "below 20" and then got better.
Until I see an article that doesn't throw out one number and then fill the rest of the page with useless fluff and speculation, I'm putting my money on Apple.
The main reason - this only deals with known vulnerabilities and the time it takes to patch. Nowhere is discussed vulnerabilities that either vendor knows exists, but releases no information and no patch to fix it.
The study speaks of things that can be known. Your response speaks of things that can't be known. You seem to be slinging the uncertainty and doubt part yourself.
Bah. This comparison is just Apples to - wait a minute...
A-Bomb
One can always play with the criteria to get any desired winner.
Going by raw number of anything you lose any distinctions as to the severity or impact of each problem.
In general a buffer-overflow in the Windows kernel is a heck of a lot more dangerous than a similar problem in OSX can ever be.
The article completely lacks any discussion of methodology nor does it include actual data, as well. If you make a blanket statement like "any buffer overrun bug in an included package is a 'serious' vulnerability", which I suspect is likely, but Apple doesn't run the service by default and/or has another layer of protection behind it then it's unlikely that the vulnerability would turn into an actual exploit. Another OS with the exact same package might run it by default in an easily exploitable configuration, yet have exactly the same "seriousness" rating.
Now that Apple has nontrivial market share, especially in the US non-business markets, security researchers are going to have to come up with some reason besides "obscurity" that there's not a single virus in the wild for MacOS X... despite articles like these claiming Apple has more serious vulnerabilities that they patch slower.
E pluribus unum
I am just wondering, what percentage of the "patch available on the day the vulnerability is made public" were first disclosed to Microsoft or Apple months in advance from researchers and other sources and simply NOT posted on the "public" notification sites? We see stories all the time of security researchers making public vulnerabilities MONTHS if not YEARS after disclosing them to Microsoft because Microsoft still had not patched the issue, and the only way the researcher could get anyone to even look at the problem or admit it is a problem is to put it on the public notification sites. But those things are not being counted here, but we know many times these researchers will give the company a heads up before posting the vulnerability and make a promise not to disclose until a fix is ready (many times for a fee). We also know that there are vulnerabilities that are "public" to the hackers, but not the general "public". Are those being counted? To me you can't make a claim such as one company being the fastest in patching without taking into account when the company was notified of the issue and measuring when it was fixed from that time, and not the time that the quote, unquote public was made aware of the problem.
We were all warned a long time ago that MS products sucked, remember the Magic 8 Ball said, "Outlook not so good"
You want to job done well, or you want the job done fast?
I've seen programmers churn out patches really, really fast, and create 3 new bugs for every one they "fix".
Don't encourage them.
You can't take the sky from me...
Sigs are too short to say anything truly profound so read the above post instead.
I'm not saying anybody did. I'm just saying they could.
It kinda makes sense that Apple would have more bugs. Apple uses a lot of open source software as OS X is Unix underneath the GUI. Open source software is better at disclosing bugs so their vulnerabilities are known. If you look at Apple's last security patch, it included patches for Apache, CUPS, emacs, Kerberos, libc, OpenSSH, PHP, X11, etc. That is contrasted with MS as many of their vulnerabilities are not disclosed until MS or a 3rd party discloses it. Many 3rd parties have independently disclosed because of their frustration with MS response and/or lack of acknowledgement.
Well, there's spam egg sausage and spam, that's not got much spam in it.
So this is an article that doesn't give any answers to the question it poses and references a study presented at blackhat, but which has not yet been published and in fact whose presentation is not even online yet.
Can't we at least wait until we have some sort of data to discuss before embarking on half-assed arguments about how relevant the data is and if the methodology is credible?
That link is to a browser view of the PDF at pdfmenot.com which caches the actual PDF, so the poor researcher's personal web site doesn't get hit too hard. You could download the original PDF from there if you really want to.
Mocrosloth doesn't even say they have a problem, much less announce it until they have a patch ready (or nearly ready). Take a look at the "shatter attack" privilege elevation exploit that just got fixed in Vista, it started with Win NT 4.0, and when was that out? What YEAR was that? And now with have the wonderful Fire-Wire exploit, which they were aware of in 2004, reminded again in 2006, and the exploit finally published in 2007 because they refused to do anything! The only reason why MS is coming out on top is because they own the kitchen and cook their own numbers to order.
Microsoft is the faster patcher, but only if it happens to be the second Tuesday of the month.
Or if they are patching a problem in a DRM system or other end-user-inhibitor.
"Apple did not rank in Gartner's top 5 worldwide PC vendors, No. 5 of which was Toshiba with a 4.4 percent share."
http://www.appleinsider.com/articles/07/10/17/apples_u_s_mac_market_share_rises_to_8_1_percent_in_q3.html
Eagles may soar, but weasels don't get sucked into jet engines.
NO, no, no. We know that knowledge of these bugs can be known. Implying otherwise, means that we can't know what is not known which is untrue, because eventually we will know it. To really know, what's not yet known on this subject, I suggest we wait until an updated study is released. Then we will know.
On your second point, uncertainty & doubt, I don't know what to think as once we know what needs to be known these will disappear.
What was the study about again?
It's early days still in Apple's second-coming. There's no denying that their market share will only increase for the next few years. There's also no denying that at the moment their installed base is still trivial. Mind share for people making exploits will also take time to get to the same level on the Mac as what it is for PCs.
This is fairly obvious stuff -- history has shown that no software developer takes security seriously unless they have absolutely no option. MS crossed that threshold a long time ago and really got their shit together. Apple hasn't reached the threshold yet, but all indications are that its just a matter of time. There's a world of AJAX apps out there waiting for their trial by fire too..
OS X 10.5.2, Mail.app, when accessing some IMAP4 accounts the "Get Mail" button fails to retrieve mail for some accounts. It's a know issue and it has been since the 10.5.2 update. I am not the only one to run into it, I checked the Apple forums and tested Mail from several different networks and two different Macs. I 'fixed' this bug in Mail.app by switching to Thunderbird.
OS X 10.5.2, When printing to a printer connected to an Airport Express the OS fails to connect to the printer. It's a know issue and it has been since the 10.5.2 update. If anybody has this problem see this thread, there is a fix available here.
OS X 10.5.2,Sometimes when putting the computer to sleep the screen stays black after it wakes again. The OS is up and running but the display does not light up. It looks as if this can be temporarily fixed by resetting the System Management Controller (SMC) but the problem will resurface.
OS X Various versions, Windows networking, i.e. Samba functionality is regularly broken by point updates of OS X. Of course this is usually solvable if you are a bit of a nerd. All you have to do is plow through sites like macwindows.com and hit the command line but it's still bloody annoying. And don't try to tell me this issue is all Microsoft's fault because I know this is Apple screwing up with Samba.
Now I know these aren't crashes but they are glaring examples of bugs in applications and system components that Apple is taking forever to fix and for me, as an Apple user, this is pretty galling. I need patches for bugs like this more often than every 2-3 months.
If you want crashes:
Try installing iLife 06 apps: iMove, iDVD or iPhoto that shipped with the 10.4.x version of OS X that your mac shipped with on 10.5.x. On my MacBook Pro they all crash without warning, on a fresh install of Leopard even after upgrade to 10.5.2. The iMovie help still crashes on me 10.5.2 every time I try to access the instructions on how to hook up a camcorder. Of course one could argue that a user should not install iLife 06 on Leopard but I fail to see why I should shell out money for iLife 08 when 06 serves my purposes just fine.
I am a Mac user and have been for years. I am more satisfied with the Mac than I was either as a Windows or Linux user but I wish that Apple would stop swamping me with new cool features and spend a few months concentrating simply on making the OS and especially the iApps more stable. I like new features but I like stability more.
Only to idiots, are orders laws.
-- Henning von Tresckow
I'll start off by saying that I don't have any particular axe to grind. I don't love Microsoft, I don't hate Apple. A PC is just a tool, and if it does what I want it's a good tool. What I want might be different than what you want, so we'll use different tools and I'm fine with that. Competition and diversity are good things. I'm surprised I came off like some kind of Microsoft fanboi.
I was actually responding to the assertion that Apple's market share is no longer trivial, and provided some evidence to support my statement. Gartner is a fairly well-respected source of information in the IT world.
I'm not certain of what market Apple's products are available in. Are you saying that they only sell in the US? That would surprise me.
You've made a number of interesting claims. I'll summarize how I read them below.
1) Retail laptop sales a portion of total laptop sales, which in turn is a portion of the total worldwide PC market. I agree completely. I'd say that tends to support a position that most attacks are directed at the widest possible array of targets, which do not presently include Apple to a great extent, but maybe I'm not understanding you correctly.
2) You imply that spyware and viruses are not targeted at corporate servers. There are, of course, many examples that disprove this, among them Nimda and Code Red to name two that immediately come to mind. Excluding the server market, you seem to imply but don't outright state that Apple has 10-25% of the laptop market? I think this is simply exaggerated. Apple is growing, but not fast enough to have captured that much market share that quickly, even in the US alone. Maybe in three or four years if things keep going well for them.
3) The most interesting claim you make is that Apple users make more money than non-Apple users, thus making them prime targets for attacks, thus proving that they are more secure. There are a number of problems with this assertion.
There's no evidence that Apple users are more affluent. Perhaps that Apple's target market demographic is, but that isn't the same thing at all.
Still, let's assume a couple of your points, then. Let's assume Apple has, say, 20% market share, and those 20% of users, they have 20% more income than the rest. I'm not suggesting those numbers are in any way accurate, I think they're way too high, but I'm using them to make a point. It still wouldn't make financial sense to write something targeted at those users. This isn't statistical bullshit, just straight math.
You also make an assumption that keystroke loggers and the ilk are the majority of the attacks in the wild, aimed at stealing financial data from individual users, which is also incorrect. Zombies are far more prolific than anything else. Most people will never even know they've been attacked (which is the biggest part of the problem).
Lastly, there were a lot of Linux users who used to say the same thing, about ten or so years ago. I was one of them. As the popularity of Linux grew, the number of discovered vulnerabilities also grew, because they became more interesting targets with their popularity. You know what they say about those not learning from history being doomed to repeat it?
Eagles may soar, but weasels don't get sucked into jet engines.