
A Time to Patch

Apple's security scorecard for 2006 now online.

Apple were on average nine days faster at plugging security leaks in 2006 than in 2005. But the number of 'severe' security holes more than doubled, and a great part of the increase is due to the Cupertino company's offerings for the Windows platform.

If OS X can't garner the interest of hackerdom, iTunes, QuickTime and Safari can.

The Washington Post's Security Fix today published an exhaustive table of Apple security response behaviour for 2006. On the whole things seem to have improved but there are still areas of concern.

On average Apple took about 82 days to fix the most serious vulnerabilities in their software products last year - this represents a measurable improvement over 2004 and 2005 when they needed on average 91 days.

Apple also closed security holes a lot faster when said holes had already been disclosed: for such alerts the time to patch comes down from 82 days to a mere 23.

Prior to 2006 security researchers more often followed Microsoft's tack of 'responsible disclosure', meaning no one gets any info before the vendor patches the hole. In 2004 and 2005 only four alerts came through full disclosure.

Things changed in 2006 however when over three times as many vulnerabilities went public before being patched. At the same time Apple are growing more responsive with and cooperative towards the security community.

'Their response time has been a lot better for me than it was last year. I'm not getting the old automated response back - I'm actually getting a live person now', said Tom Ferris of Security Protocols whose company found and reported seven of the holes for the annual crop.

Oh They Care All Right

One of the long standing theories about the absence of serious threats to the OS X platform has been that the black hats 'simply don't give a shit': the numbers aren't there to make it interesting.

'The theory holds that plunderable security holes in Windows are so bountiful and lucrative cyber criminals simply can't be bothered to attack a relatively unfamiliar platform to gain a few extra victims', writes Brian Krebs of Security Fix.

But that's OS X - and OS X doesn't have an attractive market share. Apple's cross platform software does.

'Cross platform Apple staples like iTunes, QuickTime, and now Safari for Windows and the iPhone are beginning to blur the definition of market share at least from a security standpoint.'

About 20% of the serious flaws Apple patched last year were due to vulnerabilities in Safari or key Safari components.

'Apple's real platform is media - not the operating system - and that has much more market share or penetration than any other Apple product', says Dino Dai Zovi, the New York based researcher who took home the $10000 MacBook Pro hijack prize.

Apple's QuickTime accounted for 30% of all alerts for 2006. In most cases the vulnerabilities affected users on both Windows and OS X. Together with Safari this accounts for half of all the vulnerabilities reported.

Where the Difference Lies

It's easy to think - after dodging malware hysterically for years on end - that the Windows OS vendor are doing a good enough job, that life on the Internet is simply this ripe with danger, and that at the end of the day one is probably better off staying where one already is. This is dangerous thinking.

Like the single hulled Exxon Valdez Windows has but one chance to deter intrusion and should that fail all is lost. That one chance is the impossible dream of 100% flaw free code. Microsoft have invested considerably in developing routines for auditing their code for dangerous flaws and yet the exploits continue - and some would say get only worse. Windows has no inner barriers and the smallest possible chink in the armour results in total annihilation. Microsoft are certainly better in security response today - some would say better than any other company. But the joke is they have to be: they have no other defences.

It's crass and unconscionable to wait 23 or even 82 days to patch a serious flaw when open source projects regularly do the same in hours, but that cannot equate to an insecure system when the same basic code - Unix - is being used.

Apple and Microsoft are both commercial organisations. Both organisations pin security as a priority below top level as security is rarely a strong sales argument. People using commercial operating systems in today's world will suffer. That being said, people foolish enough to still use Windows will suffer a lot more.

See Also
Security Fix: A Time to Patch
Security Fix: Apple Security Scorecard for 2006
Security Protocols (Tom Ferris)

Copyright © Radsoft. All rights reserved.