Microsoft or Apple - Who Is the Faster Patcher?

Amy Bennett writes "And the answer is... Microsoft. Researchers from the Swiss Federal Institute of Technology analyzed 658 high-risk and medium-risk vulnerabilities affecting Microsoft products and 738 affecting Apple. They measured how many times over the past six years the two vendors were able to have a patch available on the day a vulnerability became publicly known, which they call the 0-day patch rate. What they found: 'Apple was below 20 [unpatched vulnerabilities at disclosure] consistently before 2005,' said Stefan Frei, one of the researchers involved in the study. 'Since then, they are very often above. So if you have Apple and compare it to Microsoft, the number of unpatched vulnerabilities are higher at Apple.'"

heh

[ionix5891 (1228718)]

it must be apple hate week here at slashdot :p

Re:

[sm62704 (957197)]

Tough room. A comment I made yesterday [slashdot.org] went back and forth, it made it to +4 interesting before winding up as 0 Flamebait.

Re:heh

[Vitriol+Angst (458300)]

You don't have to just remain cool in modern terms -- you have to consider your cool creds in the Google Cache and way-back machine. Good cache lends credence to your cache.

>> I've thought Bush sucked since 1999. And, since that family has their fingers in everything, it is way more on topic than say, talking about computers. I definitely wasn't cool at the time. It's like not liking Adolph in 1930 -- too soon. /could not resist flame bait.

Oh Boy

[elrous0 (869638)]

Now you've done it.

Apples to ...

[Bombula (670389)]

Bah. This comparison is just Apples to - wait a minute...

Re:

[CaptainPatent (1087643)]

Go ahead... say it:
Orange [microsoft.com]

Well, duh...

[SirGarlon (845873)]

Microsoft has more practice patching their OS!

Re:Well, duh...

[by Anonymous Coward]

That's exactly right. Microsoft batch their updates once a month. Apple do it less regularly and less frequently, and they are frequently *unbelievably* slow to patch issues in the Free software they ship that's also in Linux or BSD distributions (trust me, I track this stuff for my employer.) God only knows how bad they are about patches in their own code. They didn't even manage to fix a typo in the Safari / win32 port EULA right first time. [channelregister.co.uk]

Personally as a certified Free software I'm rubbing my hands & looking forward to the Linux types who've switched for, basically, teh shiny. It's Freedom that counts folks, not features or functions or shiney... Freedom.

Re:Well, duh...

[bladesjester (774793)]

It's Freedom that counts folks, not features or functions or shiney... Freedom.

Sorry, kiddo, but I'm going to have to disagree.

The "freedom" aspects are nice and everything, but without needed features or functions, you don't have jack.

Not all software has to be "free" (and not everything *should* be).

Re:

[node 3 (115640)]

True, without needed features/functions you don't have jack. But once you get needed features and functions the rest is fluff.

The thing is, though, for most people, Linux does not have the needed features. Both usability as well as aesthetics are features which Linux come up short on.

For example, I'm sure you can do any of the editing iPhoto allows on Linux using nothing but free command line utilities. In fact, I'm sure those command line utilities can actually do much more than iPhoto can. However, those utilities, however technically superior they are, are absolutely worthless to the vast majority of users.

Of course, on Linux

Re:

[bladesjester (774793)]

I can't think of any good reason why some software shouldn't be free. Care to elaborate?

Time to join me in the real world. People are required in order to create software. People need to be paid. Most software would be unable to make money if it is "free" as it would also end up being free as in sale price (as I have explained earlier in this thread).

Sounds like a pretty good reason to me.

To paraphrase a statement someone made on here ages ago which I happen to agree with - "Information wants to be free.

Re:

[bladesjester (774793)]

Actually, it is both a reason why it shouldn't and won't. However, it seems you're too slow to realize that.

If you want a reason that *only* falls on the *shouldn't* side, here's one for you -

It should be up to the person who writes it (or company who commissions it) to decide what they want to do with it. Or are you advocating that *their* freedom of choice to do with *their* creation what they want within legal bounds be taken away to give you a "freedom" that is actually a privilege granted by the peop

Re:

[Yahweh Doesn't Exist (906833)]

>Personally as a certified Free software I'm rubbing my hands & looking forward to the Linux types

AIs are posting on slashdot!? better than nuking us I s'pose...

If a tree falls ...

[arteas (1002034)]

and no one is around to hear it does it make a sound? That's the excuse I would use if I was Apple.

what day of the week is it?

[gEvil (beta) (945888)]

Microsoft is the faster patcher, but only if it happens to be the second Tuesday of the month.

Look at it my way

[Apoorv Khatreja (1263418)]

Microsoft fixes their bugs faster, OK. I agree. I would say it is a result of the large manpower they have. They have a larger team dedicated to fixing bugs.

What affects me, is the severity of these bugs that need to be fixed. If that is analysed, I'm sure that Apple prioritises it's bugs better, and fixes the more important bugs earlier and more efficiently than Microsoft. Moreover, the bugs at Microsoft would be more severe, and a lot of patches are released in a hurry without testing properly. A perfe

Re:Look at it my way

[by Anonymous Coward]

I would look at it your way, if your way was more than just hypothesis and conjecture.

From your post: "What affects [sic?] me, is the severity of these bugs that need to be fixed. If that is analysed, I'm sure that Apple prioritises it's bugs better, and fixes the more important bugs earlier and more efficiently than Microsoft."

You're sure, huh? Hmmmmm...I'm not sure if you're an Apple fanboi or a Microsoft hater, but either way, you can never be sure about anything (except death and taxes). So, as soon as you said that line, everything else you said became a non-argument, argument.

Re:Look at it my way

[LeafOnTheWind (1066228)]

"What affects [sic?] me, is the severity of these bugs that need to be fixed. That was the correct usage of "affect" - please refrain from being a grammar Nazi if you are unable to judge correct grammar.

Re:

[CaptainPatent (1087643)]

Exactly on the mark.

I was going to mention how many of Microsoft's patches have induced later zero-day bugs but more or less, you beat me to that point.

I also wanted to mention though how much more frequently Microsoft vulnerabilities are taken advantage of. I know this is simply a metric of Microsoft's percent market share with the likelihood of a computer running a Microsoft product, and not with the programming ability level at Microsoft, but it still means that if left unpatched for a fraction of th

Re:Look at it my way

[Kelbear (870538)]

In addition to the parent's comment regarding frequency of attack, I'd like to point out that this is a reasonable characteristic to take into account when judging the OS.

One of the major features of Windows, and one of the most powerful, is that it is widely adopted and incumbent for the majority of the market. This provides them with the network effect that increases the value of this OS. It's only fair that the same penalty that is partnered with this popularity is taken into consideration when comparing operating systems.

Re:Look at it my way

[Zondar (32904)]

So to use an analogy...

If there was a car that had a critical flaw and exploded into flames if you hit it from behind hard enough.... BUT only 0.03% of Americans drove the car... then the NHTSA shouldn't really consider that a 'critical' flaw, it shouldn't be viewed as 'badly' as the same type of flaw in a Honda Accord (driven by far more people)...

All because the market share of this explosion-prone car is low?

That's some whacked-out thinking right there. Just because the company can't get market share doesn't lessen the potential (or real) impact of the vulnerability. I don't care if that's Apple or Nortel or Mythic Entertainment.

Re:

[CaptainPatent (1087643)]

Way off the mark...
More like there are two types of locks for your front door, we'll assign these locks random brands: Capple and Spikrosoft. Capple has a very small percentage of the market and Spikrosoft has a very large percentage.

Let's say there is a vulnerability that will allow access, but you need to order a specific sets of tools to gain access to each individual brand of lock. Because Spikrosoft has a much larger market share, the tools specific to breaking into that lock will much more heavil

Of course!

[shadow349 (1034412)]

So if you have Apple and compare it to Microsoft, the number of unpatched vulnerabilities are higher at Apple.

That explains all those zombie Mac OS X machines.

Apple's shortcomings

[rubeng (1263328)]

I love my Mac, and have been happy with OSX, but Apple's secretiveness is really annoying when it comes to patches - generally they don't tell you what was fixed, or do so only in really vague terms. There are frequent reports of Apple deleting threads in their forums talking about bugs they don't seem to want to admit to.

If they really want to be taken more seriously in the enterprise market, they're going to have to step up and treat these things a bit more professionally, instead of just basically saying "trust us and don't ask too many questions".

Re:Apple's shortcomings

[truthsearch (249536)]

Apple tells you what's fixed with every security update. Here's the document for the most recent: http://support.apple.com/kb/HT1249 [apple.com].

It's specific enough for me, listing every application / library, impact, and description.

Re:

[betterunixthanunix (980855)]

This has always been a problem with Apple, and it is what cost them the market to begin with. They don't want the rest of the world involved with their OS, their hardware, or anything with an Apple logo on it. They begrudgingly accept the idea that SOME outside software is necessary for them to survive, but if they could, they would lock everyone else out of their platform. I don't have any idea why -- Apple fans I've met claim it is because no one else can get it "right" the way Apple does, and detracto

Re:Apple's shortcomings

[truthsearch (249536)]

Laptops, phones, and portable audio players are niches created by Apple?

As for software, they use plenty of open source and contribute back to the community. What they don't want outside involvement with is their core hardware.

Re:Apple's shortcomings

[betterunixthanunix (980855)]

Laptops, phones, and portable audio players are not Apple inventions. There is a market for Apple products, which Apple has worked extremely hard to keep separate from the rest of the computer world. The specific types of computers Apple sells is not the niche, any more than a vehicle with four wheels is the "niche" market of tractor manufacturers.

No, Apple does not want outside involvement in their products, and has not been friendly to the open source projects it draws on for some of its products. If by "give back to the community," you meant, "begrudgingly provide some code to the Konqueror team but never really get it right with OpenDarwin," I guess you would be right. They actively work against third party software syncing with the iPod, and have overly restrictive terms for developing software for the iPhone.

Apple only accepted interoperability and broad third party software because it was on the verge of bankruptcy, not because it is a company that sits on a moral high ground. Apple's strategy, originally, was to keep themselves completely separate, so that buying one Apple computer required you to change your whole infrastructure. This was and remains a failing strategy, and so they modified it so that just enough third party development was possible to keep their systems relevant, but nothing more. iPods only support those formats that Apple chooses (and many iPods cannot be reflashed, because they were designed to only be capable of running Apple's software). iPhones only support some third party development, and developers are required not to step too far from where Apple wants them to be. I cannot build a computer that runs Mac OS X on my own, and it is not likely that Apple will ever allow for this. Like I said, you can construct any number of reasons for these things, but there is no denying that Apple does not want third parties developing software for Apple's platforms.

Re:Apple's shortcomings

[truthsearch (249536)]

You're correct about iPods and iPhones, but completely wrong about OS X. If there were no third parties developing software for OS X there would be no Apple computers. OS X has very thorough developer documentation and free tools. Apple sells 3rd party OS X software on their web site and stores, so to say they don't want 3rd party development is obviously false.

You're also combining the lack of customizable hardware with a lack of customizable software. What they want to retain control of is the hardware and the software platforms. 3rd parties can easily build on top of that. The intent is to manage the user experience. Otherwise they feel users will end up with a mess, like on the Windows platform.

Article Lacks Important Information

[Revotron (1115029)]

The article in question lacks a significant amount of information - hell, it didn't even give a number for Microsoft. It just said that Apple was "below 20" and then got better.

Until I see an article that doesn't throw out one number and then fill the rest of the page with useless fluff and speculation, I'm putting my money on Apple.

yes, and if grandma had wheels.....

[Ancient_Hacker (751168)]

Yes, and the Houndai Arthritic is the best selling 3-wheeled SUV in it's class!

One can always play with the criteria to get any desired winner.

Going by raw number of anything you lose any distinctions as to the severity or impact of each problem.

In general a buffer-overflow in the Windows kernel is a heck of a lot more dangerous than a similar problem in OSX can ever be.

Re:yes, and if grandma had wheels.....

[betterunixthanunix (980855)]

In general, a buffer overflow in the kernel is dangerous. What is it about Apple fans who think that because there are fewer viruses written for their OS, it is not a problem if Apple releases buggy code?

Re:

[Allador (537449)]

Are you kidding me?

On the front page of /. right now is an article about how, for the second year in a row, the Mac is the only OS in the cansecwest contest to get owned.

The person took complete control of the mac box by having the user click on a link in safari.

The rules of this contest state that only non-published attacks can be used. This guy just happened to have this one sitting around to use.

How is this a valid test?

[Fallen Kell (165468)]

I am just wondering, what percentage of the "patch available on the day the vulnerability is made public" were first disclosed to Microsoft or Apple months in advance from researchers and other sources and simply NOT posted on the "public" notification sites? We see stories all the time of security researchers making public vulnerabilities MONTHS if not YEARS after disclosing them to Microsoft because Microsoft still had not patched the issue, and the only way the researcher could get anyone to even look at the problem or admit it is a problem is to put it on the public notification sites. But those things are not being counted here, but we know many times these researchers will give the company a heads up before posting the vulnerability and make a promise not to disclose until a fix is ready (many times for a fee). We also know that there are vulnerabilities that are "public" to the hackers, but not the general "public". Are those being counted? To me you can't make a claim such as one company being the fastest in patching without taking into account when the company was notified of the issue and measuring when it was fixed from that time, and not the time that the quote, unquote public was made aware of the problem.

quick! patch it! FASTER! QUICK!

[Scrameustache (459504)]

You want to job done well, or you want the job done fast?

I've seen programmers churn out patches really, really fast, and create 3 new bugs for every one they "fix".
Don't encourage them.

meh

[wizardforce (1005805)]

They measured how many times over the past six years the two vendors were able to have a patch available on the day a vulnerability became publicly known, which they call the 0-day patch rate

yaah and how many security flaws have been sitting un-patched for months, years even at microsoft? let us take a look at how many security holes remain un-patched shall we?

Where's the Beef?

[99BottlesOfBeerInMyF (813746)]

So this is an article that doesn't give any answers to the question it poses and references a study presented at blackhat, but which has not yet been published and in fact whose presentation is not even online yet.

Can't we at least wait until we have some sort of data to discuss before embarking on half-assed arguments about how relevant the data is and if the methodology is credible?

Here's a link to the original research paper

[sidney (95068)]

There is of course a lot more information in the actual research paper [pdfmenot.com].

That link is to a browser view of the PDF at pdfmenot.com which caches the actual PDF, so the poor researcher's personal web site doesn't get hit too hard. You could download the original PDF from there if you really want to.

Thats because M$ just has more 'features'

[hAckz0r (989977)]

Mocrosloth doesn't even say they have a problem, much less announce it until they have a patch ready (or nearly ready). Take a look at the "shatter attack" privilege elevation exploit that just got fixed in Vista, it started with Win NT 4.0, and when was that out? What YEAR was that? And now with have the wonderful Fire-Wire exploit, which they were aware of in 2004, reminded again in 2006, and the exploit finally published in 2007 because they refused to do anything! The only reason why MS is coming out on top is because they own the kitchen and cook their own numbers to order.

Re:

[illumin8 (148082)]

The only reason why MS is coming out on top is because they own the kitchen and cook their own numbers to order.

Exactly. MS intentionally sits on vulnerabilities and doesn't announce them publicly until the patch is available. Apple, on the other hand, uses a lot of free and open-source software where full disclosure is considered important enough to notify all users through normal mailing lists, newsgroups, and other channels.

This study is intentionally biased to make MS look good and Apple look bad. Wh

Re:

[Yokaze (70883)]

From the summary:
> 658 [...] affecting Microsoft products and 738 affecting Apple

Re:Just more FUD

[d34thm0nk3y (653414)]

The main reason - this only deals with known vulnerabilities and the time it takes to patch. Nowhere is discussed vulnerabilities that either vendor knows exists, but releases no information and no patch to fix it.

The study speaks of things that can be known. Your response speaks of things that can't be known. You seem to be slinging the uncertainty and doubt part yourself.

Re:

[truthsearch (249536)]

His argument is that 0-day patch response rate is only one factor. This information has little value when it's impossible to know how many vulnerabilities actually exist.

Re:Just more FUD

[failedlogic (627314)]

NO, no, no. We know that knowledge of these bugs can be known. Implying otherwise, means that we can't know what is not known which is untrue, because eventually we will know it. To really know, what's not yet known on this subject, I suggest we wait until an updated study is released. Then we will know.

On your second point, uncertainty & doubt, I don't know what to think as once we know what needs to be known these will disappear.

What was the study about again?

Re:

[samkass (174571)]

The article completely lacks any discussion of methodology nor does it include actual data, as well. If you make a blanket statement like "any buffer overrun bug in an included package is a 'serious' vulnerability", which I suspect is likely, but Apple doesn't run the service by default and/or has another layer of protection behind it then it's unlikely that the vulnerability would turn into an actual exploit. Another OS with the exact same package might run it by default in an easily exploitable configur

Re:

[Anonymous Psychopath (18031)]

Now that Apple has nontrivial market share...

While Apple is growing rapidly, market share is still trivial overall.

"Apple did not rank in Gartner's top 5 worldwide PC vendors, No. 5 of which was Toshiba with a 4.4 percent share."

http://www.appleinsider.com/articles/07/10/17/apples_u_s_mac_market_share_rises_to_8_1_percent_in_q3.html [appleinsider.com]

Re:

[Anonymous Psychopath (18031)]

I'll start off by saying that I don't have any particular axe to grind. I don't love Microsoft, I don't hate Apple. A PC is just a tool, and if it does what I want it's a good tool. What I want might be different than what you want, so we'll use different tools and I'm fine with that. Competition and diversity are good things. I'm surprised I came off like some kind of Microsoft fanboi.

I was actually responding to the assertion that Apple's market share is no longer trivial, and provided some evidence to su

Re:Just more FUD

[dhavleak (912889)]

If you make a blanket statement like "any buffer overrun bug in an included package is a 'serious' vulnerability", which I suspect is likely, but Apple doesn't run the service by default and/or has another layer of protection behind it then it's unlikely that the vulnerability would turn into an actual exploit.

TFA states that the study "looked at only high- and medium-risk bugs, according to the classification used by the National Vulnerability Database". Generally, the service being on by default (exposure), and exploitability are taken into consideration when assigning a risk-level to an exploit. Plus, TFA did not make the general statement that you quoted!!

It's early days still in Apple's second-coming. There's no denying that their market share will only increase for the next few years. There's also no denying that at the moment their installed base is still trivial. Mind share for people making exploits will also take time to get to the same level on the Mac as what it is for PCs.

This is fairly obvious stuff -- history has shown that no software developer takes security seriously unless they have absolutely no option. MS crossed that threshold a long time ago and really got their shit together. Apple hasn't reached the threshold yet, but all indications are that its just a matter of time. There's a world of AJAX apps out there waiting for their trial by fire too..

Re:Just more FUD

[UnknowingFool (672806)]

It kinda makes sense that Apple would have more bugs. Apple uses a lot of open source software as OS X is Unix underneath the GUI. Open source software is better at disclosing bugs so their vulnerabilities are known. If you look at Apple's last security patch, it included patches for Apache, CUPS, emacs, Kerberos, libc, OpenSSH, PHP, X11, etc. That is contrasted with MS as many of their vulnerabilities are not disclosed until MS or a 3rd party discloses it. Many 3rd parties have independently disclosed because of their frustration with MS response and/or lack of acknowledgement.

A few OS X and iApp bugs and crashes..

[Savage-Rabbit (308260)]

Name the applications, version of the OS and the hardware you're using.

First a few annoying bugs Apple has taken way to long to fix:
OS X 10.5.2, Mail.app, when accessing some IMAP4 accounts the "Get Mail" button fails to retrieve mail for some accounts. It's a know issue and it has been since the 10.5.2 update. I am not the only one to run into it, I checked the Apple forums and tested Mail from several different networks and two different Macs. I 'fixed' this bug in Mail.app by switching to Thunderbird.

OS X 10.5.2, When printing to a printer connected to an Airport Express