Microsoft or Apple - Who Is the Faster Patcher?

Amy Bennett writes "And the answer is... Microsoft. Researchers from the Swiss Federal Institute of Technology analyzed 658 high-risk and medium-risk vulnerabilities affecting Microsoft products and 738 affecting Apple. They measured how many times over the past six years the two vendors were able to have a patch available on the day a vulnerability became publicly known, which they call the 0-day patch rate. What they found: 'Apple was below 20 [unpatched vulnerabilities at disclosure] consistently before 2005,' said Stefan Frei, one of the researchers involved in the study. 'Since then, they are very often above. So if you have Apple and compare it to Microsoft, the number of unpatched vulnerabilities are higher at Apple.'"

heh

[ionix5891]

it must be apple hate week here at slashdot :p

Re:

[sm62704]

Tough room. A comment I made yesterday [slashdot.org] went back and forth, it made it to +4 interesting before winding up as 0 Flamebait.

Re:heh

[Vitriol+Angst]

You don't have to just remain cool in modern terms -- you have to consider your cool creds in the Google Cache and way-back machine. Good cache lends credence to your cache.

>> I've thought Bush sucked since 1999. And, since that family has their fingers in everything, it is way more on topic than say, talking about computers. I definitely wasn't cool at the time. It's like not liking Adolph in 1930 -- too soon. /could not resist flame bait.

Oh Boy

[elrous0]

Now you've done it.

Apples to ...

[Bombula]

Bah. This comparison is just Apples to - wait a minute...

Re:

[CaptainPatent]

Go ahead... say it:
Orange [microsoft.com]

Re:

[CastrTroy]

I was thinking more about this orange [wikipedia.org]

Well, duh...

[SirGarlon]

Microsoft has more practice patching their OS!

Re:Well, duh...

[Anonymous Coward]

That's exactly right. Microsoft batch their updates once a month. Apple do it less regularly and less frequently, and they are frequently *unbelievably* slow to patch issues in the Free software they ship that's also in Linux or BSD distributions (trust me, I track this stuff for my employer.) God only knows how bad they are about patches in their own code. They didn't even manage to fix a typo in the Safari / win32 port EULA right first time. [channelregister.co.uk]

Personally as a certified Free software I'm rubbing my hands & looking forward to the Linux types who've switched for, basically, teh shiny. It's Freedom that counts folks, not features or functions or shiney... Freedom.

Re:Well, duh...

[bladesjester]

It's Freedom that counts folks, not features or functions or shiney... Freedom.

Sorry, kiddo, but I'm going to have to disagree.

The "freedom" aspects are nice and everything, but without needed features or functions, you don't have jack.

Not all software has to be "free" (and not everything *should* be).

Re:

[pintpusher]

without needed features or functions, you don't have jack

emphasis mine. True, without needed features/functions you don't have jack. But once you get needed features and functions the rest is fluff. GP is right, it really is about the freedom. I routinely throw away all sorts of glitz for pure functionality. When it comes down to it, most of teh shiny just gets in the way. I want the freedom to eliminate the extra crap and focus on my work. If I don't have the freedom to throw that stuff away, then I don't have freedom at all and I suffer. .02

Re:

[node 3]

True, without needed features/functions you don't have jack. But once you get needed features and functions the rest is fluff.

The thing is, though, for most people, Linux does not have the needed features. Both usability as well as aesthetics are features which Linux come up short on.

For example, I'm sure you can do any of the editing iPhoto allows on Linux using nothing but free command line utilities. In fact, I'm sure those command line utilities can actually do much more than iPhoto can. However, those utilities, however technically superior they are, are absolutely worthless to the vast majority of users.

Of course, on Linux

Re:

[pintpusher]

But freedom as a feature is the only feature that allows all the other features too (except non-freedom, if that's a feature, maybe it's a bug? ;-P).

I have no doubts that my sensibilities do not extend to the general populace. But I view a computer as a tool and nothing more. A fun tool, but a tool.

Once you get the features and functions you *need* then the rest is crap. period. that is, of course, just my opinion.

To imply, as I think GGP did, that freedom somehow prevents one from having needed features an

Re:

[PitaBred]

The "freedom" isn't freedom from having to pay, or from having to do work for free. It's the freedom to not have to reinvent the wheel every time you want to do something that someone else has done before.

Reproduction of the product is "free", so the marginal cost should trend to zero, especially over a long enough time period.

Re:

[bladesjester]

The "freedom" isn't freedom from having to pay, or from having to do work for free. It's the freedom to not have to reinvent the wheel every time you want to do something that someone else has done before.

You may not have realized this, but in the real world, the "freedom" you are talking about generally causes the end result to be "free" as in price.

You see, in the real world, not every piece of software can be profitable as open source. In fact, a lot of it can't. The ways to make money off of it are pr

Re:

[webmaster404]

The "freedom" aspects are nice and everything, but without needed features or functions, you don't have jack.

Today though, for most computer users, free software wins, while some doesn't have as many features most are as feature rich or have more features, and the few that don't have as much are slowly getting them in there. 5-6 years ago you might have had a point, but today, most people really only need a a) relatively stable OS (Linux) b) Decent GUI (KDE/XFCE/GNOME) c) Secure/fast browser (Firefox) d) easy install of new software (apt-get or similar) e) Secure e-mail client (Thunderbird) f) Decent word pro

Re:

[Whiney Mac Fanboy]

Not all software has to be "free" (and not everything *should* be).

I can't think of any good reason why some software shouldn't be free. Care to elaborate?

Re:

[bladesjester]

I can't think of any good reason why some software shouldn't be free. Care to elaborate?

Time to join me in the real world. People are required in order to create software. People need to be paid. Most software would be unable to make money if it is "free" as it would also end up being free as in sale price (as I have explained earlier in this thread).

Sounds like a pretty good reason to me.

To paraphrase a statement someone made on here ages ago which I happen to agree with - "Information wants to be free.

Re:

[bladesjester]

Actually, it is both a reason why it shouldn't and won't. However, it seems you're too slow to realize that.

If you want a reason that *only* falls on the *shouldn't* side, here's one for you -

It should be up to the person who writes it (or company who commissions it) to decide what they want to do with it. Or are you advocating that *their* freedom of choice to do with *their* creation what they want within legal bounds be taken away to give you a "freedom" that is actually a privilege granted by the peop

Re:

[Yahweh Doesn't Exist]

>Personally as a certified Free software I'm rubbing my hands & looking forward to the Linux types

AIs are posting on slashdot!? better than nuking us I s'pose...

Re:

[Vitriol+Angst]

I think there are a few statistical problems here that must be addressed in order for this survey to make sense;

Microsoft is at least 10 times bigger than Apple at the moment, and so is their OS development. How does Apple have MORE unpatched errors when the Mac OS is not the one getting riddled with trojan horses, spyware, viruses and stolen data bases? So, one unpatched error does not equate to another.

The time of Knowing about the flaw to the time it is patched -- does this just mean a different reportin

Oh Noes! Somebody said something good about MS!

[s20451]

Yes, the Swiss Federal Institute of Technology [www.eth.ch], one of Europe's most prestigious engineering schools, is just another security firm trying to glom on some attention for itself. Also, if you had read the article, you would have read the following:

... the study proved to be such a glowing affirmation of Microsoft's increased focus on security in the past few years that it prompted Cushman to ask Frei, "Did Microsoft fund this research?"

"This is independent academic research," Frei replied.

Re:

[mjwx]

Microsoft is only faster if we don't count the legions of Mac fanboys sending death threats as a patch.

If a tree falls ...

[arteas]

and no one is around to hear it does it make a sound? That's the excuse I would use if I was Apple.

what day of the week is it?

[gEvil (beta)]

Microsoft is the faster patcher, but only if it happens to be the second Tuesday of the month.

or

[Anonymous Coward]

Microsoft is the faster patcher, but only if it happens to be the second Tuesday of the month.

Or if they are patching a problem in a DRM system or other end-user-inhibitor.

Look at it my way

[Apoorv Khatreja]

Microsoft fixes their bugs faster, OK. I agree. I would say it is a result of the large manpower they have. They have a larger team dedicated to fixing bugs.

What affects me, is the severity of these bugs that need to be fixed. If that is analysed, I'm sure that Apple prioritises it's bugs better, and fixes the more important bugs earlier and more efficiently than Microsoft. Moreover, the bugs at Microsoft would be more severe, and a lot of patches are released in a hurry without testing properly. A perfe

Re:Look at it my way

[Anonymous Coward]

I would look at it your way, if your way was more than just hypothesis and conjecture.

From your post: "What affects [sic?] me, is the severity of these bugs that need to be fixed. If that is analysed, I'm sure that Apple prioritises it's bugs better, and fixes the more important bugs earlier and more efficiently than Microsoft."

You're sure, huh? Hmmmmm...I'm not sure if you're an Apple fanboi or a Microsoft hater, but either way, you can never be sure about anything (except death and taxes). So, as soon as you said that line, everything else you said became a non-argument, argument.

Re:Look at it my way

[LeafOnTheWind]

"What affects [sic?] me, is the severity of these bugs that need to be fixed. That was the correct usage of "affect" - please refrain from being a grammar Nazi if you are unable to judge correct grammar.

Re:

[CaptainPatent]

Exactly on the mark.

I was going to mention how many of Microsoft's patches have induced later zero-day bugs but more or less, you beat me to that point.

I also wanted to mention though how much more frequently Microsoft vulnerabilities are taken advantage of. I know this is simply a metric of Microsoft's percent market share with the likelihood of a computer running a Microsoft product, and not with the programming ability level at Microsoft, but it still means that if left unpatched for a fraction of th

Re:Look at it my way

[Kelbear]

In addition to the parent's comment regarding frequency of attack, I'd like to point out that this is a reasonable characteristic to take into account when judging the OS.

One of the major features of Windows, and one of the most powerful, is that it is widely adopted and incumbent for the majority of the market. This provides them with the network effect that increases the value of this OS. It's only fair that the same penalty that is partnered with this popularity is taken into consideration when comparing operating systems.

Re:Look at it my way

[Zondar]

So to use an analogy...

If there was a car that had a critical flaw and exploded into flames if you hit it from behind hard enough.... BUT only 0.03% of Americans drove the car... then the NHTSA shouldn't really consider that a 'critical' flaw, it shouldn't be viewed as 'badly' as the same type of flaw in a Honda Accord (driven by far more people)...

All because the market share of this explosion-prone car is low?

That's some whacked-out thinking right there. Just because the company can't get market share doesn't lessen the potential (or real) impact of the vulnerability. I don't care if that's Apple or Nortel or Mythic Entertainment.

Re:

[CaptainPatent]

Way off the mark...
More like there are two types of locks for your front door, we'll assign these locks random brands: Capple and Spikrosoft. Capple has a very small percentage of the market and Spikrosoft has a very large percentage.

Let's say there is a vulnerability that will allow access, but you need to order a specific sets of tools to gain access to each individual brand of lock. Because Spikrosoft has a much larger market share, the tools specific to breaking into that lock will much more heavil

Re:

[Zondar]

You're still trying to weasel in some "lessened severity" argument completely based on having a lower market share. A piece of crap code is a piece of crap code, whether 20 people or 20 million people run it. Especially if the one with 20 people is trying to tout itself as being more secure.

Lower Market Share = Less Vulnerable is a nice sidestepping attempt, but isn't rooted in the reality of the actual severity of the System A Bug A vs System B Bug B analysis.

"Oh, but when our stuff breaks (just as badly a

Re:

[CaptainPatent]

Let me start my response by quoting myself from earlier:

I know this is simply a metric of Microsoft's percent market share with the likelihood of a computer running a Microsoft product, and not with the programming ability level at Microsoft

and:

A break-in through either case is equally devastating, but as I mentioned it's a factor of total number effected by the vulnerability and not quality of product individually.

With that being said, I am not sidestepping anything. I agree that crap code is exactly that and I am purposely placing the severity of the exploit on the exact same level. As a hacker though, if I have the choice of writing code that can break into three computers versus 300 Million and it will take the same amount of effort... I go for the 300 million. This is the simple fact that Microsoft, being the market leader has to deal with.

Re:

[UncleTogie]

As a hacker though, if I have the choice of writing code that can break into three computers versus 300 Million and it will take the same amount of effort... I go for the 300 million.

I'm not too sure 'bout that... If the folks with the 3 computers basically tell you they're unhackable, where the 300-million-user system is KNOWN to be insecure, wouldn't you find the three-system-hack more challenging?

ah no.

[geekoid]

You assume the locks are built the same way, under the same managment to meet the same criteria.
You also neglect that tools only need to be created ONCE, and then distributed through the internet.

"A break-in through either case is equally devastating,"
Absolutely incorrect.
In one, you get access to the entire house, in the other you ahve a bunch of door with a different lock that you need to get in.

Re:

[jellie]

The Slashdot headline is misleading -- the study did not compare which company was faster, but compared the rate at which they released zero-day patches. While these numbers are highly skewed by the number of unknown (or undiscovered) vulnerabilities, they're still interesting nonetheless. I doubt either company releases a patch the same day they find out about a vulnerability, and shows the relationships the companies have with security companies (as mentioned in the article). Of course, all of this depend

Re:

[mapsjanhere]

There are three potential reasons why MS looks better in this statistic:
- MS patches faster (unlikely since they very rarely patch outside the Tuesday schedule)
- MS finds more vulnerabilities internally first, so they don't become public knowledge
- MS somehow has found a better way to deal with "security researchers" to keep their findings under wraps until they can fix it
Now, lots of time we hear here that "MS has known about this for months and isn't doing anything until forced to". But is Apple any bett

Re:

[cheater512]

Well I have to give Microsoft for the award for the longest bug ever.
Excel still thinks 1900 is a leap year.

I cant see any other company with the arrogance and stupidity not to fix such a simple flaw.

Re:

[Drakin020]

Dude that SP1 patch was not an official release for the public. More like a leak.

The official release has worked great for everyone I know.

Troll somewhere else please.

Of course!

[shadow349]

So if you have Apple and compare it to Microsoft, the number of unpatched vulnerabilities are higher at Apple.

That explains all those zombie Mac OS X machines.

Re:

[edwardpickman]

That explains all those zombie Mac OS X machines.

Sound like a new video game.

Apple's shortcomings

[rubeng]

I love my Mac, and have been happy with OSX, but Apple's secretiveness is really annoying when it comes to patches - generally they don't tell you what was fixed, or do so only in really vague terms. There are frequent reports of Apple deleting threads in their forums talking about bugs they don't seem to want to admit to.

If they really want to be taken more seriously in the enterprise market, they're going to have to step up and treat these things a bit more professionally, instead of just basically saying "trust us and don't ask too many questions".

Re:Apple's shortcomings

[truthsearch]

Apple tells you what's fixed with every security update. Here's the document for the most recent: http://support.apple.com/kb/HT1249 [apple.com].

It's specific enough for me, listing every application / library, impact, and description.

Re:

[betterunixthanunix]

This has always been a problem with Apple, and it is what cost them the market to begin with. They don't want the rest of the world involved with their OS, their hardware, or anything with an Apple logo on it. They begrudgingly accept the idea that SOME outside software is necessary for them to survive, but if they could, they would lock everyone else out of their platform. I don't have any idea why -- Apple fans I've met claim it is because no one else can get it "right" the way Apple does, and detracto

Re:Apple's shortcomings

[truthsearch]

Laptops, phones, and portable audio players are niches created by Apple?

As for software, they use plenty of open source and contribute back to the community. What they don't want outside involvement with is their core hardware.

Re:Apple's shortcomings

[betterunixthanunix]

Laptops, phones, and portable audio players are not Apple inventions. There is a market for Apple products, which Apple has worked extremely hard to keep separate from the rest of the computer world. The specific types of computers Apple sells is not the niche, any more than a vehicle with four wheels is the "niche" market of tractor manufacturers.

No, Apple does not want outside involvement in their products, and has not been friendly to the open source projects it draws on for some of its products. If by "give back to the community," you meant, "begrudgingly provide some code to the Konqueror team but never really get it right with OpenDarwin," I guess you would be right. They actively work against third party software syncing with the iPod, and have overly restrictive terms for developing software for the iPhone.

Apple only accepted interoperability and broad third party software because it was on the verge of bankruptcy, not because it is a company that sits on a moral high ground. Apple's strategy, originally, was to keep themselves completely separate, so that buying one Apple computer required you to change your whole infrastructure. This was and remains a failing strategy, and so they modified it so that just enough third party development was possible to keep their systems relevant, but nothing more. iPods only support those formats that Apple chooses (and many iPods cannot be reflashed, because they were designed to only be capable of running Apple's software). iPhones only support some third party development, and developers are required not to step too far from where Apple wants them to be. I cannot build a computer that runs Mac OS X on my own, and it is not likely that Apple will ever allow for this. Like I said, you can construct any number of reasons for these things, but there is no denying that Apple does not want third parties developing software for Apple's platforms.

Re:Apple's shortcomings

[truthsearch]

You're correct about iPods and iPhones, but completely wrong about OS X. If there were no third parties developing software for OS X there would be no Apple computers. OS X has very thorough developer documentation and free tools. Apple sells 3rd party OS X software on their web site and stores, so to say they don't want 3rd party development is obviously false.

You're also combining the lack of customizable hardware with a lack of customizable software. What they want to retain control of is the hardware and the software platforms. 3rd parties can easily build on top of that. The intent is to manage the user experience. Otherwise they feel users will end up with a mess, like on the Windows platform.

Re:

[UnknowingFool]

For the most part Apple tells you that they are patching the OS. They don't go into detail because they assume most consumers don't want to know the details. But if you want to know, you can get it by clicking the link that takes you Apple's website. I think that they are right that most consumers don't want to know/don't care the whether they were patching X11 or CUPS.

This might be just a different style than say MS because MS deals with more technical people, they give out lots of information. But r

Article Lacks Important Information

[Revotron]

The article in question lacks a significant amount of information - hell, it didn't even give a number for Microsoft. It just said that Apple was "below 20" and then got better.

Until I see an article that doesn't throw out one number and then fill the rest of the page with useless fluff and speculation, I'm putting my money on Apple.

Re:

[ThePhilips]

Actually it reads like deja vu.

Last time debunking was pretty quick: Apple also patches BSD sub-system with all the usual Unix apps.

Since for M$ only Windows patches were counted, then for fair comparison one has to exclude all the patches for all the command line utilities and Unix services (all of which are disabled by default) Apple does repackage and ship with OS just for our convenience.

yes, and if grandma had wheels.....

[Ancient_Hacker]

Yes, and the Houndai Arthritic is the best selling 3-wheeled SUV in it's class!

One can always play with the criteria to get any desired winner.

Going by raw number of anything you lose any distinctions as to the severity or impact of each problem.

In general a buffer-overflow in the Windows kernel is a heck of a lot more dangerous than a similar problem in OSX can ever be.

Re:yes, and if grandma had wheels.....

[betterunixthanunix]

In general, a buffer overflow in the kernel is dangerous. What is it about Apple fans who think that because there are fewer viruses written for their OS, it is not a problem if Apple releases buggy code?

Re:

[betterunixthanunix]

Zero exploits in the wild? The why does this website exist: http://www.securemac.com/ [securemac.com] ? And why does it list trojans in the wild as recently as January 2008? Secunia lists numerous unpatched vulnerabilities for OS X as of this writing, some of which can be used for privilege escalation in a trojan horse. In fact, the only OS that comes to mind that has literally never had an exploit in the wild (or any really exploitable vulnerabilities in a real-world setup) is z/VM, IBM's mainframe OS.

Re:

[Allador]

Are you kidding me?

On the front page of /. right now is an article about how, for the second year in a row, the Mac is the only OS in the cansecwest contest to get owned.

The person took complete control of the mac box by having the user click on a link in safari.

The rules of this contest state that only non-published attacks can be used. This guy just happened to have this one sitting around to use.

Re:

[Dekortage]

One can always play with the criteria to get any desired winner.

Or, as the saying goes, "if you torture statistics long enough, they will confess to anything."

How is this a valid test?

[Fallen Kell]

I am just wondering, what percentage of the "patch available on the day the vulnerability is made public" were first disclosed to Microsoft or Apple months in advance from researchers and other sources and simply NOT posted on the "public" notification sites? We see stories all the time of security researchers making public vulnerabilities MONTHS if not YEARS after disclosing them to Microsoft because Microsoft still had not patched the issue, and the only way the researcher could get anyone to even look at the problem or admit it is a problem is to put it on the public notification sites. But those things are not being counted here, but we know many times these researchers will give the company a heads up before posting the vulnerability and make a promise not to disclose until a fix is ready (many times for a fee). We also know that there are vulnerabilities that are "public" to the hackers, but not the general "public". Are those being counted? To me you can't make a claim such as one company being the fastest in patching without taking into account when the company was notified of the issue and measuring when it was fixed from that time, and not the time that the quote, unquote public was made aware of the problem.

Re:

[bjourne]

When I worked for Sony Ericsson there where some German security researcher (probably students had done the real work) privately let us know that there was a critical security flaw in the firmware. Something that, according to his email, could compromise the whole platform, make IMEI spoofing possible, steal credit card numbers and what not. He gave us three months to come up with a fix before going public with his findings. The only problem was that the only technical information he provided us with was th

quick! patch it! FASTER! QUICK!

[Scrameustache]

You want to job done well, or you want the job done fast?

I've seen programmers churn out patches really, really fast, and create 3 new bugs for every one they "fix".
Don't encourage them.

Re:

[Scrameustache]

And how many times can you cite that happening with MS patches? I can only think of a couple out of the hundreds of patches. No Apple update has every broken something? Sure they have and you know it.

Damn apologist self rigtheous zealots. It's really sad when otherwise smart people act with blind loyalty to a brand.

What brand did I favor in my assessment that "faster != better"?

It seems a coward is projecting his zealotry onto others.

meh

[wizardforce]

They measured how many times over the past six years the two vendors were able to have a patch available on the day a vulnerability became publicly known, which they call the 0-day patch rate

yaah and how many security flaws have been sitting un-patched for months, years even at microsoft? let us take a look at how many security holes remain un-patched shall we?

Re:

[truthsearch]

My personal favorite is this simple buffer overflow [microsoft.com] that existed in the Windows help system for 7 years (all the way back to NT 4). By browsing to a web page the Windows Help system could be exploited to take control of a user's computer. It took them 5 months to release a patch.

odd ...

[Aaron_Pike]

It occurs to me that a company could improve their score by releasing software with (secretly) known bugs, and then "fixing" them with zero-day patches.

I'm not saying anybody did. I'm just saying they could.

Like Apples and uh... bananas?

[Gat0r30y]

The faster patcher? I'm assuming the great bulk of these vulnerabilities are browser issues. So while this study may indeed give an idea of the relative security between the two browsers, I wouldn't exactly bill this as a glowing M$/IE endorsement. Another consideration: market share, if you own >75% of the market, and the great bulk of the business market, you most certainly have an obligation to patch vulnerabilities ASAP. When your market it graphic designers, movie producers, and apple fanboys, a

So does this mean ...

[Tribbin]

So does this mean that Microsoft does more quick-n-dirty patches?

Thanks

[DigitalisAkujin]

Thanks for validating what the competent people have been saying all along.

Re:

[2nd Post!]

I agree. Macs are by far the safer system to use on the internet :)

Where's the Beef?

[99BottlesOfBeerInMyF]

So this is an article that doesn't give any answers to the question it poses and references a study presented at blackhat, but which has not yet been published and in fact whose presentation is not even online yet.

Can't we at least wait until we have some sort of data to discuss before embarking on half-assed arguments about how relevant the data is and if the methodology is credible?

Here's a link to the original research paper

[sidney]

There is of course a lot more information in the actual research paper [pdfmenot.com].

That link is to a browser view of the PDF at pdfmenot.com which caches the actual PDF, so the poor researcher's personal web site doesn't get hit too hard. You could download the original PDF from there if you really want to.

Wait for the research paper

[freakinPsycho]

Man is it fun watching Slashdot readers be convinced this must be faulty research without having read the research itself. Why not wait a few days until you can verify what the researchers did (should be available later from the blackhat.com website) and provide actual analysis on the research.

You can't fault the conclusions unless you know how that conclusion was reached.

(Of course, if the conclusion had been that Apple was better at 0-day patches, there'd be a lot more, "Well, duh!" responses.)

Re:

[geekoid]

Not from me, the study seems flawed.
The security types are difficult to compare on these system. As it would be on any two system with different architectures and management philosophies.

Is it complete root access? are these vulnerabilities exploitable by a network, or do you have to be there?
The category used is so broad to be useless.

Thats because M$ just has more 'features'

[hAckz0r]

Mocrosloth doesn't even say they have a problem, much less announce it until they have a patch ready (or nearly ready). Take a look at the "shatter attack" privilege elevation exploit that just got fixed in Vista, it started with Win NT 4.0, and when was that out? What YEAR was that? And now with have the wonderful Fire-Wire exploit, which they were aware of in 2004, reminded again in 2006, and the exploit finally published in 2007 because they refused to do anything! The only reason why MS is coming out on top is because they own the kitchen and cook their own numbers to order.

Re:

[illumin8]

The only reason why MS is coming out on top is because they own the kitchen and cook their own numbers to order.

Exactly. MS intentionally sits on vulnerabilities and doesn't announce them publicly until the patch is available. Apple, on the other hand, uses a lot of free and open-source software where full disclosure is considered important enough to notify all users through normal mailing lists, newsgroups, and other channels.

This study is intentionally biased to make MS look good and Apple look bad. Wh

Operating Systems

[corychristison]

... have bugs!

News at 11.

Seriously, what the hell is this. I don't understand how this can be interesting to anyone. OS's have bugs, plain and simple. The vendor patches them, period. That's all that you should care about.

tagged: whogivesashit

I can chug 1.5 Litres of A&W Root Beer (fountain -- not bottled)

There, now this comment is as irrelevant as the (lack-there-of) story.

Now get off my lawn!!!
(damn... I am only 19)

So that would mean

[Kelz]

Microsoft is the catcher?

Red Hat is faster still

[Alain Williams]

Read the Risk report: Three years of Red Hat Enterprise Linux 4 [redhatmagazine.com] that was published a few weeks ago.

Steve says....

[notaprguy]

that Apple doesn't have security breaches. Steve says that they're called features exploited by evil-doers. Steve also says that it doesn't matter if they fix their security holes quickly because the hackers don't care about tareting MacOS. Steve assures us that if we just keep buying new Macs that we'll be fine.

Lies, damned lies, statistics, and red herrings...

[argent]

What they found is that, contrary to popular belief that Apple makes more secure products, Apple lags behind in patching.

The two statements "X makes secure products" and "X is ahead in patching" are not equivalent. There are whole classes of security problems in Windows that do not even exist in any UNIX-based OS, and there are classes of security problems in Microsoft's HTML control that have never existed in any other browser engine.

Correspondingly, there have been problems in UNIX that have never existed

Microsoft says Microsoft is better

[YetAnotherBob]

So, Microsoft says Microsoft is better.

Can anyone tell me why this is news?

Will we be just as surprised when Apple says Apple is better?

Why is this piece of advertising being treated as news?

Re:

[Yokaze]

From the summary:
> 658 [...] affecting Microsoft products and 738 affecting Apple

Re:Just more FUD

[d34thm0nk3y]

The main reason - this only deals with known vulnerabilities and the time it takes to patch. Nowhere is discussed vulnerabilities that either vendor knows exists, but releases no information and no patch to fix it.

The study speaks of things that can be known. Your response speaks of things that can't be known. You seem to be slinging the uncertainty and doubt part yourself.

Re:

[truthsearch]

His argument is that 0-day patch response rate is only one factor. This information has little value when it's impossible to know how many vulnerabilities actually exist.

Re:

[UnknowingFool]

I think the OP is referring to vulnerabilities known by the vendor but not disclosed to the public. The study seemingly only counts disclosed variety.

Re:Just more FUD

[failedlogic]

NO, no, no. We know that knowledge of these bugs can be known. Implying otherwise, means that we can't know what is not known which is untrue, because eventually we will know it. To really know, what's not yet known on this subject, I suggest we wait until an updated study is released. Then we will know.

On your second point, uncertainty & doubt, I don't know what to think as once we know what needs to be known these will disappear.

What was the study about again?

Re:

[nine-times]

So are those known unknowns, or unknown unknowns?

Re:

[samkass]

The article completely lacks any discussion of methodology nor does it include actual data, as well. If you make a blanket statement like "any buffer overrun bug in an included package is a 'serious' vulnerability", which I suspect is likely, but Apple doesn't run the service by default and/or has another layer of protection behind it then it's unlikely that the vulnerability would turn into an actual exploit. Another OS with the exact same package might run it by default in an easily exploitable configur

Re:

[Anonymous Psychopath]

Now that Apple has nontrivial market share...

While Apple is growing rapidly, market share is still trivial overall.

"Apple did not rank in Gartner's top 5 worldwide PC vendors, No. 5 of which was Toshiba with a 4.4 percent share."

http://www.appleinsider.com/articles/07/10/17/apples_u_s_mac_market_share_rises_to_8_1_percent_in_q3.html [appleinsider.com]

Re:

[Anonymous Psychopath]

I'll start off by saying that I don't have any particular axe to grind. I don't love Microsoft, I don't hate Apple. A PC is just a tool, and if it does what I want it's a good tool. What I want might be different than what you want, so we'll use different tools and I'm fine with that. Competition and diversity are good things. I'm surprised I came off like some kind of Microsoft fanboi.

I was actually responding to the assertion that Apple's market share is no longer trivial, and provided some evidence to su

Re:Just more FUD

[dhavleak]

If you make a blanket statement like "any buffer overrun bug in an included package is a 'serious' vulnerability", which I suspect is likely, but Apple doesn't run the service by default and/or has another layer of protection behind it then it's unlikely that the vulnerability would turn into an actual exploit.

TFA states that the study "looked at only high- and medium-risk bugs, according to the classification used by the National Vulnerability Database". Generally, the service being on by default (exposure), and exploitability are taken into consideration when assigning a risk-level to an exploit. Plus, TFA did not make the general statement that you quoted!!

It's early days still in Apple's second-coming. There's no denying that their market share will only increase for the next few years. There's also no denying that at the moment their installed base is still trivial. Mind share for people making exploits will also take time to get to the same level on the Mac as what it is for PCs.

This is fairly obvious stuff -- history has shown that no software developer takes security seriously unless they have absolutely no option. MS crossed that threshold a long time ago and really got their shit together. Apple hasn't reached the threshold yet, but all indications are that its just a matter of time. There's a world of AJAX apps out there waiting for their trial by fire too..

Re:

[dhavleak]

But until that moment (which is always "later"), it's pure FUD

If you choose to see it that way, there's not much anybody can do to convince you otherwise.

If you choose though, it could be somebody just presenting the results of their study.

In fact, you could choose to see it this way too -- using the FUD label on any article that suggests Apple (or someone other than MS) might have a security problem, is FUD -- it's just being flung in the other direction.

So while FUD definitely gets flung around a lot, this article certainly didn't seem to have any, and we certainly

Re:

[catwh0re]

I agree that it's FUD, it's easily seen by the rather narrow scope for this outcome to be "factual". (You can get any result you want if you're incredibly specific with the scope - hence the MS Windows TCO vs the Linux TCO reports a while ago.)

But that is not what is interesting and I could only think of one thing from seeing this article: Is MS now funding anti-apple "research" (similar to all the anti-open source research.) After last months high market share readings do MS now see Apple as a threat?

Re:

[Chabil Ha']

You mean, like, comparing Apple's to oranges?

Re:Just more FUD

[UnknowingFool]

It kinda makes sense that Apple would have more bugs. Apple uses a lot of open source software as OS X is Unix underneath the GUI. Open source software is better at disclosing bugs so their vulnerabilities are known. If you look at Apple's last security patch, it included patches for Apache, CUPS, emacs, Kerberos, libc, OpenSSH, PHP, X11, etc. That is contrasted with MS as many of their vulnerabilities are not disclosed until MS or a 3rd party discloses it. Many 3rd parties have independently disclosed because of their frustration with MS response and/or lack of acknowledgement.

I think we're saying the same thing here...

[jd]

Vulnerabilities aren't disclosed on being discovered, so we don't know how long either vendor knew about the bug in advance; if Microsoft only ever allows disclosure at time of patch release, they will always have a zero delay. If Apple always notifies at the time the bug is considered serious, their delays would automatically be longer.

Also, although we can guess at the total number of vulnerabilities per kilo-lines of code, we don't know what insider information either company has on bugs, although the

Re:

[gilesjuk]

Name the applications, version of the OS and the hardware you're using.

Have you ever thought you might have a hardware issue like faulty memory or bad blocks on the hard disk? it is likely on an unstable computer.

A few OS X and iApp bugs and crashes..

[Savage-Rabbit]

Name the applications, version of the OS and the hardware you're using.

First a few annoying bugs Apple has taken way to long to fix:
OS X 10.5.2, Mail.app, when accessing some IMAP4 accounts the "Get Mail" button fails to retrieve mail for some accounts. It's a know issue and it has been since the 10.5.2 update. I am not the only one to run into it, I checked the Apple forums and tested Mail from several different networks and two different Macs. I 'fixed' this bug in Mail.app by switching to Thunderbird.

OS X 10.5.2, When printing to a printer connected to an Airport Express

Re:

[0racle]

Nope, can't say that I have.

Re:

[SoupIsGoodFood_42]

With the exception of a rushed Leopard release, and perhaps a couple of Safari issues, Mac OS X seems to get better each time, not worse.

Re:

[2nd Post!]

Well, what is your contribution to the discussion?

Apple currently has no live vulnerabilities, no Mac botnets, nor wild trojans despite besting 6% market share in the US.