Microsoft or Apple - Who Is the Faster Patcher?

Posted by Zonk on Thu Mar 27, 2008 04:42 PM
from the go-speed-patcher-gooo dept.
Amy Bennett writes "And the answer is... Microsoft. Researchers from the Swiss Federal Institute of Technology analyzed 658 high-risk and medium-risk vulnerabilities affecting Microsoft products and 738 affecting Apple. They measured how many times over the past six years the two vendors were able to have a patch available on the day a vulnerability became publicly known, which they call the 0-day patch rate. What they found: 'Apple was below 20 [unpatched vulnerabilities at disclosure] consistently before 2005,' said Stefan Frei, one of the researchers involved in the study. 'Since then, they are very often above. So if you have Apple and compare it to Microsoft, the number of unpatched vulnerabilities are higher at Apple.'"
  • heh (Score:5, Funny)

    by ionix5891 (1228718) on Thursday March 27 2008, @04:44PM (#22886176)
    it must be apple hate week here at slashdot :p
          • Re:heh (Score:4, Funny)

            by Vitriol+Angst (458300) on Thursday March 27 2008, @05:23PM (#22886634)
            You don't have to just remain cool in modern terms -- you have to consider your cool creds in the Google Cache and way-back machine. Good cache lends credence to your cache.

            >> I've thought Bush sucked since 1999. And, since that family has their fingers in everything, it is way more on topic than say, talking about computers. I definitely wasn't cool at the time. It's like not liking Adolph in 1930 -- too soon. /could not resist flame bait.
  • by SirGarlon (845873) on Thursday March 27 2008, @04:45PM (#22886192)
    Microsoft has more practice patching their OS!
    • Re:Well, duh... (Score:5, Informative)

      by Anonymous Coward on Thursday March 27 2008, @05:07PM (#22886482)
      That's exactly right. Microsoft batch their updates once a month. Apple do it less regularly and less frequently, and they are frequently *unbelievably* slow to patch issues in the Free software they ship that's also in Linux or BSD distributions (trust me, I track this stuff for my employer.) God only knows how bad they are about patches in their own code. They didn't even manage to fix a typo in the Safari / win32 port EULA right first time. [channelregister.co.uk]

      Personally as a certified Free software I'm rubbing my hands & looking forward to the Linux types who've switched for, basically, teh shiny. It's Freedom that counts folks, not features or functions or shiny... Freedom.

  • by gEvil (beta) (945888) on Thursday March 27 2008, @04:47PM (#22886224)
    Microsoft is the faster patcher, but only if it happens to be the second Tuesday of the month.
  • Of course! (Score:5, Funny)

    by shadow349 (1034412) on Thursday March 27 2008, @04:48PM (#22886238)

    So if you have Apple and compare it to Microsoft, the number of unpatched vulnerabilities are higher at Apple.
    That explains all those zombie Mac OS X machines.
  • Apple's shortcomings (Score:5, Interesting)

    by rubeng (1263328) on Thursday March 27 2008, @04:54PM (#22886314) Journal
    I love my Mac, and have been happy with OSX, but Apple's secretiveness is really annoying when it comes to patches - generally they don't tell you what was fixed, or do so only in really vague terms. There are frequent reports of Apple deleting threads in their forums talking about bugs they don't seem to want to admit to.

    If they really want to be taken more seriously in the enterprise market, they're going to have to step up and treat these things a bit more professionally, instead of just basically saying "trust us and don't ask too many questions".
    • by truthsearch (249536) on Thursday March 27 2008, @05:04PM (#22886438) Homepage Journal
      Apple tells you what's fixed with every security update. Here's the document for the most recent: http://support.apple.com/kb/HT1249 [apple.com].

      It's specific enough for me, listing every application / library, impact, and description.
      • by truthsearch (249536) on Thursday March 27 2008, @05:37PM (#22886818) Homepage Journal
        Laptops, phones, and portable audio players are niches created by Apple?

        As for software, they use plenty of open source and contribute back to the community. What they don't want outside involvement with is their core hardware.
        • by betterunixthanunix (980855) on Thursday March 27 2008, @05:58PM (#22887038)
          Laptops, phones, and portable audio players are not Apple inventions. There is a market for Apple products, which Apple has worked extremely hard to keep separate from the rest of the computer world. The specific types of computers Apple sells are not the niche, any more than a vehicle with four wheels is the "niche" market of tractor manufacturers.

          No, Apple does not want outside involvement in their products, and has not been friendly to the open source projects it draws on for some of its products. If by "give back to the community," you meant, "begrudgingly provide some code to the Konqueror team but never really get it right with OpenDarwin," I guess you would be right. They actively work against third party software syncing with the iPod, and have overly restrictive terms for developing software for the iPhone.

          Apple only accepted interoperability and broad third party software because it was on the verge of bankruptcy, not because it is a company that sits on a moral high ground. Apple's strategy, originally, was to keep themselves completely separate, so that buying one Apple computer required you to change your whole infrastructure. This was and remains a failing strategy, and so they modified it so that just enough third party development was possible to keep their systems relevant, but nothing more. iPods only support those formats that Apple chooses (and many iPods cannot be reflashed, because they were designed to only be capable of running Apple's software). iPhones only support some third party development, and developers are required not to step too far from where Apple wants them to be. I cannot build a computer that runs Mac OS X on my own, and it is not likely that Apple will ever allow for this. Like I said, you can construct any number of reasons for these things, but there is no denying that Apple does not want third parties developing software for Apple's platforms.

          • by truthsearch (249536) on Thursday March 27 2008, @06:13PM (#22887198) Homepage Journal
            You're correct about iPods and iPhones, but completely wrong about OS X. If there were no third parties developing software for OS X there would be no Apple computers. OS X has very thorough developer documentation and free tools. Apple sells 3rd party OS X software on their web site and stores, so to say they don't want 3rd party development is obviously false.

            You're also combining the lack of customizable hardware with a lack of customizable software. What they want to retain control of is the hardware and the software platforms. 3rd parties can easily build on top of that. The intent is to manage the user experience. Otherwise they feel users will end up with a mess, like on the Windows platform.
  • by Revotron (1115029) * on Thursday March 27 2008, @04:54PM (#22886318)
    The article in question lacks a significant amount of information - hell, it didn't even give a number for Microsoft. It just said that Apple was "below 20" and then got better.

    Until I see an article that doesn't throw out one number and then fill the rest of the page with useless fluff and speculation, I'm putting my money on Apple.
  • by Fallen Kell (165468) on Thursday March 27 2008, @05:11PM (#22886506)
    I am just wondering, what percentage of the "patch available on the day the vulnerability is made public" were first disclosed to Microsoft or Apple months in advance from researchers and other sources and simply NOT posted on the "public" notification sites? We see stories all the time of security researchers making public vulnerabilities MONTHS if not YEARS after disclosing them to Microsoft because Microsoft still had not patched the issue, and the only way the researcher could get anyone to even look at the problem or admit it is a problem is to put it on the public notification sites. But those things are not being counted here, but we know many times these researchers will give the company a heads up before posting the vulnerability and make a promise not to disclose until a fix is ready (many times for a fee). We also know that there are vulnerabilities that are "public" to the hackers, but not the general "public". Are those being counted? To me you can't make a claim such as one company being the fastest in patching without taking into account when the company was notified of the issue and measuring when it was fixed from that time, and not the time that the quote, unquote public was made aware of the problem.
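Added example, not code from this thread or from the study it discusses: a short Python script that computes the 0-day patch rate the way the summary defines it (patch available on or before the public disclosure day) over a handful of constructed records, then re-measures the same records from the vendor-notification date, which is the baseline the comment above argues for. Every vulnerability ID and date below is made up for illustration; nothing here is data about Microsoft or Apple.

```python
from dataclasses import dataclass
from datetime import date
from statistics import median
from typing import Optional


@dataclass
class Vuln:
    """One vulnerability record. All values are hypothetical; the fields are
    the ones the summary and the comment above disagree about."""
    vuln_id: str
    disclosed: date                   # day it became publicly known
    patched: Optional[date]           # patch release day, None if still open
    notified: Optional[date] = None   # private heads-up to the vendor, if known


# Constructed sample, not figures from the ETH study or from either vendor.
SAMPLE = [
    Vuln("V-1", date(2007, 4, 10), date(2007, 4, 10), date(2007, 1, 10)),  # fixed on disclosure day, 90 days after notice
    Vuln("V-2", date(2007, 2, 14), date(2007, 3, 13), date(2007, 2, 1)),   # fixed 27 days after disclosure
    Vuln("V-3", date(2007, 5, 1),  date(2007, 5, 1)),                      # true 0-day: no prior notice, fixed same day
    Vuln("V-4", date(2007, 6, 1),  None,              date(2006, 11, 1)),  # notified months ago, still unpatched
    Vuln("V-5", date(2007, 3, 20), date(2007, 3, 15), date(2007, 3, 1)),   # patch shipped before disclosure
]


def zero_day_patch_rate(vulns):
    """The study's metric: share of vulns with a patch on or before the disclosure day."""
    hits = sum(1 for v in vulns if v.patched is not None and v.patched <= v.disclosed)
    return hits / len(vulns)


def unpatched_on(vulns, day):
    """Publicly known and still unpatched on a given day (the 'unpatched' count Frei quotes)."""
    return sum(1 for v in vulns
               if v.disclosed <= day and (v.patched is None or v.patched > day))


def days_to_patch(vulns, baseline):
    """Days from the baseline ('disclosure' or 'notification') to the patch, patched vulns only.
    With the notification baseline, records with no known notice date are skipped; that
    missing data is exactly the gap the comment above points at. Negative values mean the
    patch preceded public disclosure."""
    out = []
    for v in vulns:
        if v.patched is None:
            continue
        start = v.disclosed if baseline == "disclosure" else v.notified
        if start is None:
            continue
        out.append((v.patched - start).days)
    return sorted(out)


def sample_report():
    """Both views of the same constructed records side by side."""
    return {
        "zero_day_patch_rate": zero_day_patch_rate(SAMPLE),
        "unpatched_2007_06_01": unpatched_on(SAMPLE, date(2007, 6, 1)),
        "median_days_from_disclosure": median(days_to_patch(SAMPLE, "disclosure")),
        "median_days_from_notification": median(days_to_patch(SAMPLE, "notification")),
    }


if __name__ == "__main__":
    for k, v in sample_report().items():
        print(f"{k}: {v}")
```

On this sample the 0-day patch rate is a healthy 0.6 and the median time from disclosure to patch is zero days, while the median time from private notification to patch is 40 days and one notified bug is still open. Both numbers are computed from the same records; which one a study reports is a choice of baseline, not a fact about the vendor.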
  • by Scrameustache (459504) on Thursday March 27 2008, @05:13PM (#22886524) Homepage Journal
    You want the job done well, or you want the job done fast?

    I've seen programmers churn out patches really, really fast, and create 3 new bugs for every one they "fix".
    Don't encourage them.
  • meh (Score:4, Informative)

    by wizardforce (1005805) on Thursday March 27 2008, @05:14PM (#22886534) Journal

    They measured how many times over the past six years the two vendors were able to have a patch available on the day a vulnerability became publicly known, which they call the 0-day patch rate
    yeah and how many security flaws have been sitting un-patched for months, years even at microsoft? let us take a look at how many security holes remain un-patched shall we?
  • by hAckz0r (989977) on Thursday March 27 2008, @05:59PM (#22887044)
    Mocrosloth doesn't even say they have a problem, much less announce it until they have a patch ready (or nearly ready). Take a look at the "shatter attack" privilege elevation exploit that just got fixed in Vista, it started with Win NT 4.0, and when was that out? What YEAR was that? And now we have the wonderful Fire-Wire exploit, which they were aware of in 2004, reminded again in 2006, and the exploit finally published in 2007 because they refused to do anything! The only reason why MS is coming out on top is because they own the kitchen and cook their own numbers to order.
    • by Anonymous Coward on Thursday March 27 2008, @04:54PM (#22886322)
      I would look at it your way, if your way was more than just hypothesis and conjecture.

      From your post: "What affects [sic?] me, is the severity of these bugs that need to be fixed. If that is analysed, I'm sure that Apple prioritises it's bugs better, and fixes the more important bugs earlier and more efficiently than Microsoft."

      You're sure, huh? Hmmmmm...I'm not sure if you're an Apple fanboi or a Microsoft hater, but either way, you can never be sure about anything (except death and taxes). So, as soon as you said that line, everything else you said became a non-argument, argument.
      • by Kelbear (870538) on Thursday March 27 2008, @05:16PM (#22886558)
        In addition to the parent's comment regarding frequency of attack, I'd like to point out that this is a reasonable characteristic to take into account when judging the OS.

        One of the major features of Windows, and one of the most powerful, is that it is widely adopted and incumbent for the majority of the market. This provides them with the network effect that increases the value of this OS. It's only fair that the same penalty that is partnered with this popularity is taken into consideration when comparing operating systems.

    • Re:Just more FUD (Score:5, Interesting)

      by d34thm0nk3y (653414) on Thursday March 27 2008, @04:57PM (#22886364)
      The main reason - this only deals with known vulnerabilities and the time it takes to patch. Nowhere is discussed vulnerabilities that either vendor knows exists, but releases no information and no patch to fix it.

      The study speaks of things that can be known. Your response speaks of things that can't be known. You seem to be slinging the uncertainty and doubt part yourself.
      • by failedlogic (627314) on Thursday March 27 2008, @06:20PM (#22887272)
        NO, no, no. We know that knowledge of these bugs can be known. Implying otherwise, means that we can't know what is not known which is untrue, because eventually we will know it. To really know, what's not yet known on this subject, I suggest we wait until an updated study is released. Then we will know.

        On your second point, uncertainty & doubt, I don't know what to think as once we know what needs to be known these will disappear.

        What was the study about again?
    • Re:Just more FUD (Score:5, Interesting)

      by UnknowingFool (672806) on Thursday March 27 2008, @05:28PM (#22886718)
      It kinda makes sense that Apple would have more bugs. Apple uses a lot of open source software as OS X is Unix underneath the GUI. Open source software is better at disclosing bugs so their vulnerabilities are known. If you look at Apple's last security patch, it included patches for Apache, CUPS, emacs, Kerberos, libc, OpenSSH, PHP, X11, etc. That is contrasted with MS as many of their vulnerabilities are not disclosed until MS or a 3rd party discloses it. Many 3rd parties have independently disclosed because of their frustration with MS response and/or lack of acknowledgement.
      • Re:Just more FUD (Score:5, Insightful)

        by dhavleak (912889) on Thursday March 27 2008, @06:28PM (#22887346)

        If you make a blanket statement like "any buffer overrun bug in an included package is a 'serious' vulnerability", which I suspect is likely, but Apple doesn't run the service by default and/or has another layer of protection behind it then it's unlikely that the vulnerability would turn into an actual exploit.
        TFA states that the study "looked at only high- and medium-risk bugs, according to the classification used by the National Vulnerability Database". Generally, the service being on by default (exposure), and exploitability are taken into consideration when assigning a risk-level to an exploit. Plus, TFA did not make the general statement that you quoted!!

        It's early days still in Apple's second-coming. There's no denying that their market share will only increase for the next few years. There's also no denying that at the moment their installed base is still trivial. Mind share for people making exploits will also take time to get to the same level on the Mac as what it is for PCs.

        This is fairly obvious stuff -- history has shown that no software developer takes security seriously unless they have absolutely no option. MS crossed that threshold a long time ago and really got their shit together. Apple hasn't reached the threshold yet, but all indications are that it's just a matter of time. There's a world of AJAX apps out there waiting for their trial by fire too.