Slashdot Mirror

← Back to Stories (view on slashdot.org)

Microsoft or Apple - Who Is the Faster Patcher?

Posted by ryuzaki0 on from the go-speed-patcher-gooo dept.

Amy Bennett writes "And the answer is... Microsoft. Researchers from the Swiss Federal Institute of Technology analyzed 658 high-risk and medium-risk vulnerabilities affecting Microsoft products and 738 affecting Apple. They measured how many times over the past six years the two vendors were able to have a patch available on the day a vulnerability became publicly known, which they call the 0-day patch rate. What they found: 'Apple was below 20 [unpatched vulnerabilities at disclosure] consistently before 2005,' said Stefan Frei, one of the researchers involved in the study. 'Since then, they are very often above. So if you have Apple and compare it to Microsoft, the number of unpatched vulnerabilities are higher at Apple.'"

22 of 252 comments (clear)

  1. heh by ionix5891 · · Score: 5, Funny

    it must be apple hate week here at slashdot :p

  2. Well, duh... by SirGarlon · · Score: 5, Funny

    Microsoft has more practice patching their OS!

    --
    [Sir Garlon] is the marvellest knight that is now living, for he destroyeth many good knights, for he goeth invisible.
    1. Re:Well, duh... by Anonymous Coward · · Score: 5, Informative
      That's exactly right. Microsoft batch their updates once a month. Apple do it less regularly and less frequently, and they are frequently *unbelievably* slow to patch issues in the Free software they ship that's also in Linux or BSD distributions (trust me, I track this stuff for my employer.) God only knows how bad they are about patches in their own code. They didn't even manage to fix a typo in the Safari / win32 port EULA right first time.

      Personally as a certified Free software I'm rubbing my hands & looking forward to the Linux types who've switched for, basically, teh shiny. It's Freedom that counts folks, not features or functions or shiney... Freedom.

    2. Re:Well, duh... by bladesjester · · Score: 4, Insightful

      It's Freedom that counts folks, not features or functions or shiney... Freedom.

      Sorry, kiddo, but I'm going to have to disagree.

      The "freedom" aspects are nice and everything, but without needed features or functions, you don't have jack.

      Not all software has to be "free" (and not everything *should* be).

      --
      Everything I need to know I learned by killing smart people and eating their brains.
  3. what day of the week is it? by gEvil+(beta) · · Score: 5, Funny

    Microsoft is the faster patcher, but only if it happens to be the second Tuesday of the month.

    --
    This guy's the limit!
  4. Of course! by shadow349 · · Score: 5, Funny

    So if you have Apple and compare it to Microsoft, the number of unpatched vulnerabilities are higher at Apple.
    That explains all those zombie Mac OS X machines.
  5. Apple's shortcomings by rubeng · · Score: 5, Interesting

    I love my Mac, and have been happy with OSX, but Apple's secretiveness is really annoying when it comes to patches - generally they don't tell you what was fixed, or do so only in really vague terms. There are frequent reports of Apple deleting threads in their forums talking about bugs they don't seem to want to admit to.

    If they really want to be taken more seriously in the enterprise market, they're going to have to step up and treat these things a bit more professionally, instead of just basically saying "trust us and don't ask too many questions".

    1. Re:Apple's shortcomings by truthsearch · · Score: 4, Informative

      Apple tells you what's fixed with every security update. Here's the document for the most recent: http://support.apple.com/kb/HT1249.

      It's specific enough for me, listing every application / library, impact, and description.

      --
      Developers: We can use your help.
    2. Re:Apple's shortcomings by betterunixthanunix · · Score: 4, Insightful
      Laptops, phones, and portable audio players are not Apple inventions. There is a market for Apple products, which Apple has worked extremely hard to keep separate from the rest of the computer world. The specific types of computers Apple sells is not the niche, any more than a vehicle with four wheels is the "niche" market of tractor manufacturers.

      No, Apple does not want outside involvement in their products, and has not been friendly to the open source projects it draws on for some of its products. If by "give back to the community," you meant, "begrudgingly provide some code to the Konqueror team but never really get it right with OpenDarwin," I guess you would be right. They actively work against third party software syncing with the iPod, and have overly restrictive terms for developing software for the iPhone.

      Apple only accepted interoperability and broad third party software because it was on the verge of bankruptcy, not because it is a company that sits on a moral high ground. Apple's strategy, originally, was to keep themselves completely separate, so that buying one Apple computer required you to change your whole infrastructure. This was and remains a failing strategy, and so they modified it so that just enough third party development was possible to keep their systems relevant, but nothing more. iPods only support those formats that Apple chooses (and many iPods cannot be reflashed, because they were designed to only be capable of running Apple's software). iPhones only support some third party development, and developers are required not to step too far from where Apple wants them to be. I cannot build a computer that runs Mac OS X on my own, and it is not likely that Apple will ever allow for this. Like I said, you can construct any number of reasons for these things, but there is no denying that Apple does not want third parties developing software for Apple's platforms.

      --
      Palm trees and 8
    3. Re:Apple's shortcomings by truthsearch · · Score: 4, Insightful

      You're correct about iPods and iPhones, but completely wrong about OS X. If there were no third parties developing software for OS X there would be no Apple computers. OS X has very thorough developer documentation and free tools. Apple sells 3rd party OS X software on their web site and stores, so to say they don't want 3rd party development is obviously false.

      You're also combining the lack of customizable hardware with a lack of customizable software. What they want to retain control of is the hardware and the software platforms. 3rd parties can easily build on top of that. The intent is to manage the user experience. Otherwise they feel users will end up with a mess, like on the Windows platform.

      --
      Developers: We can use your help.
  6. Article Lacks Important Information by Revotron · · Score: 5, Insightful

    The article in question lacks a significant amount of information - hell, it didn't even give a number for Microsoft. It just said that Apple was "below 20" and then got better.

    Until I see an article that doesn't throw out one number and then fill the rest of the page with useless fluff and speculation, I'm putting my money on Apple.

  7. Re:Look at it my way by Anonymous Coward · · Score: 4, Insightful

    I would look at it your way, if your way was more than just hypothesis and conjecture.

    From your post: "What affects [sic?] me, is the severity of these bugs that need to be fixed. If that is analysed, I'm sure that Apple prioritises it's bugs better, and fixes the more important bugs earlier and more efficiently than Microsoft."

    You're sure, huh? Hmmmmm...I'm not sure if you're an Apple fanboi or a Microsoft hater, but either way, you can never be sure about anything (except death and taxes). So, as soon as you said that line, everything else you said became a non-argument, argument.

  8. Re:Just more FUD by d34thm0nk3y · · Score: 5, Interesting

    The main reason - this only deals with known vulnerabilities and the time it takes to patch. Nowhere is discussed vulnerabilities that either vendor knows exists, but releases no information and no patch to fix it.

    The study speaks of things that can be known. Your response speaks of things that can't be known. You seem to be slinging the uncertainty and doubt part yourself.

  9. Apples to ... by Bombula · · Score: 5, Funny

    Bah. This comparison is just Apples to - wait a minute...

    --
    A-Bomb
  10. How is this a valid test? by Fallen+Kell · · Score: 4, Insightful

    I am just wondering, what percentage of the "patch available on the day the vulnerability is made public" were first disclosed to Microsoft or Apple months in advance from researchers and other sources and simply NOT posted on the "public" notification sites? We see stories all the time of security researchers making public vulnerabilities MONTHS if not YEARS after disclosing them to Microsoft because Microsoft still had not patched the issue, and the only way the researcher could get anyone to even look at the problem or admit it is a problem is to put it on the public notification sites. But those things are not being counted here, but we know many times these researchers will give the company a heads up before posting the vulnerability and make a promise not to disclose until a fix is ready (many times for a fee). We also know that there are vulnerabilities that are "public" to the hackers, but not the general "public". Are those being counted? To me you can't make a claim such as one company being the fastest in patching without taking into account when the company was notified of the issue and measuring when it was fixed from that time, and not the time that the quote, unquote public was made aware of the problem.

    --
    We were all warned a long time ago that MS products sucked, remember the Magic 8 Ball said, "Outlook not so good"
  11. quick! patch it! FASTER! QUICK! by Scrameustache · · Score: 4, Insightful

    You want to job done well, or you want the job done fast?

    I've seen programmers churn out patches really, really fast, and create 3 new bugs for every one they "fix".
    Don't encourage them.

    --

    You can't take the sky from me...

  12. Re:yes, and if grandma had wheels..... by betterunixthanunix · · Score: 4, Insightful

    In general, a buffer overflow in the kernel is dangerous. What is it about Apple fans who think that because there are fewer viruses written for their OS, it is not a problem if Apple releases buggy code?

    --
    Palm trees and 8
  13. Re:Just more FUD by UnknowingFool · · Score: 4, Interesting

    It kinda makes sense that Apple would have more bugs. Apple uses a lot of open source software as OS X is Unix underneath the GUI. Open source software is better at disclosing bugs so their vulnerabilities are known. If you look at Apple's last security patch, it included patches for Apache, CUPS, emacs, Kerberos, libc, OpenSSH, PHP, X11, etc. That is contrasted with MS as many of their vulnerabilities are not disclosed until MS or a 3rd party discloses it. Many 3rd parties have independently disclosed because of their frustration with MS response and/or lack of acknowledgement.

    --
    Well, there's spam egg sausage and spam, that's not got much spam in it.
  14. Thats because M$ just has more 'features' by hAckz0r · · Score: 5, Insightful

    Mocrosloth doesn't even say they have a problem, much less announce it until they have a patch ready (or nearly ready). Take a look at the "shatter attack" privilege elevation exploit that just got fixed in Vista, it started with Win NT 4.0, and when was that out? What YEAR was that? And now with have the wonderful Fire-Wire exploit, which they were aware of in 2004, reminded again in 2006, and the exploit finally published in 2007 because they refused to do anything! The only reason why MS is coming out on top is because they own the kitchen and cook their own numbers to order.

  15. Re:Just more FUD by failedlogic · · Score: 4, Funny

    NO, no, no. We know that knowledge of these bugs can be known. Implying otherwise, means that we can't know what is not known which is untrue, because eventually we will know it. To really know, what's not yet known on this subject, I suggest we wait until an updated study is released. Then we will know.

    On your second point, uncertainty & doubt, I don't know what to think as once we know what needs to be known these will disappear.

    What was the study about again?

  16. Re:Just more FUD by dhavleak · · Score: 4, Insightful

    If you make a blanket statement like "any buffer overrun bug in an included package is a 'serious' vulnerability", which I suspect is likely, but Apple doesn't run the service by default and/or has another layer of protection behind it then it's unlikely that the vulnerability would turn into an actual exploit. TFA states that the study "looked at only high- and medium-risk bugs, according to the classification used by the National Vulnerability Database". Generally, the service being on by default (exposure), and exploitability are taken into consideration when assigning a risk-level to an exploit. Plus, TFA did not make the general statement that you quoted!!

    It's early days still in Apple's second-coming. There's no denying that their market share will only increase for the next few years. There's also no denying that at the moment their installed base is still trivial. Mind share for people making exploits will also take time to get to the same level on the Mac as what it is for PCs.

    This is fairly obvious stuff -- history has shown that no software developer takes security seriously unless they have absolutely no option. MS crossed that threshold a long time ago and really got their shit together. Apple hasn't reached the threshold yet, but all indications are that its just a matter of time. There's a world of AJAX apps out there waiting for their trial by fire too..

  17. Re:Look at it my way by LeafOnTheWind · · Score: 4, Insightful

    "What affects [sic?] me, is the severity of these bugs that need to be fixed. That was the correct usage of "affect" - please refrain from being a grammar Nazi if you are unable to judge correct grammar.