Microsoft or Apple - Who Is the Faster Patcher?
Amy Bennett writes "And the answer is... Microsoft. Researchers from the Swiss Federal Institute of Technology analyzed 658 high-risk and medium-risk vulnerabilities affecting Microsoft products and 738 affecting Apple. They measured how many times over the past six years the two vendors were able to have a patch available on the day a vulnerability became publicly known, which they call the 0-day patch rate. What they found: 'Apple was below 20 [unpatched vulnerabilities at disclosure] consistently before 2005,' said Stefan Frei, one of the researchers involved in the study. 'Since then, they are very often above. So if you have Apple and compare it to Microsoft, the number of unpatched vulnerabilities are higher at Apple.'"
Look at it my way (Score:2, Insightful)
What affects me, is the severity of these bugs that need to be fixed. If that is analysed, I'm sure that Apple prioritises its bugs better, and fixes the more important bugs earlier and more efficiently than Microsoft. Moreover, the bugs at Microsoft would be more severe, and a lot of patches are released in a hurry without testing properly. A perfect example is the recent release of the Vista SP1, which was withdrawn later on. It caused complete devastation, leaving many systems unrepairable, and led to heavy loss of data, for a lot of people I know. With Apple, such mistakes are very, very few. The bugs are mostly small, with less than 2% of them being fatal.
Article Lacks Important Information (Score:5, Insightful)
Until I see an article that doesn't throw out one number and then fill the rest of the page with useless fluff and speculation, I'm putting my money on Apple.
Re:Look at it my way (Score:4, Insightful)
From your post: "What affects [sic?] me, is the severity of these bugs that need to be fixed. If that is analysed, I'm sure that Apple prioritises its bugs better, and fixes the more important bugs earlier and more efficiently than Microsoft."
You're sure, huh? Hmmmmm...I'm not sure if you're an Apple fanboi or a Microsoft hater, but either way, you can never be sure about anything (except death and taxes). So, as soon as you said that line, everything else you said became a non-argument, argument.
Re:Look at it my way (Score:3, Insightful)
I was going to mention how many of Microsoft's patches have induced later zero-day bugs but more or less, you beat me to that point.
I also wanted to mention though how much more frequently Microsoft vulnerabilities are taken advantage of. I know this is simply a metric of Microsoft's percent market share with the likelihood of a computer running a Microsoft product, and not with the programming ability level at Microsoft, but it still means that if left unpatched for a fraction of the time, a Microsoft vulnerability is hundreds of times more devastating even if the same level of access is granted through it.
While the article is a good start, it is by no means a say-all in internet security.
Re:Just more FUD (Score:2, Insightful)
Now that Apple has nontrivial market share, especially in the US non-business markets, security researchers are going to have to come up with some reason besides "obscurity" that there's not a single virus in the wild for MacOS X... despite articles like these claiming Apple has more serious vulnerabilities that they patch slower.
How is this a valid test? (Score:5, Insightful)
quick! patch it! FASTER! QUICK! (Score:5, Insightful)
I've seen programmers churn out patches really, really fast, and create 3 new bugs for every one they "fix".
Don't encourage them.
Re:Look at it my way (Score:4, Insightful)
One of the major features of Windows, and one of the most powerful, is that it is widely adopted and incumbent for the majority of the market. This provides them with the network effect that increases the value of this OS. It's only fair that the same penalty that is partnered with this popularity is taken into consideration when comparing operating systems.
Re:yes, and if grandma had wheels..... (Score:5, Insightful)
odd ... (Score:2, Insightful)
I'm not saying anybody did. I'm just saying they could.
Re:Apple's shortcomings (Score:4, Insightful)
As for software, they use plenty of open source and contribute back to the community. What they don't want outside involvement with is their core hardware.
Re:Look at it my way (Score:4, Insightful)
If there was a car that had a critical flaw and exploded into flames if you hit it from behind hard enough.... BUT only 0.03% of Americans drove the car... then the NHTSA shouldn't really consider that a 'critical' flaw, it shouldn't be viewed as 'badly' as the same type of flaw in a Honda Accord (driven by far more people)...
All because the market share of this explosion-prone car is low?
That's some whacked-out thinking right there. Just because the company can't get market share doesn't lessen the potential (or real) impact of the vulnerability. I don't care if that's Apple or Nortel or Mythic Entertainment.
Re:Apple's shortcomings (Score:5, Insightful)
No, Apple does not want outside involvement in their products, and has not been friendly to the open source projects it draws on for some of its products. If by "give back to the community," you meant, "begrudgingly provide some code to the Konqueror team but never really get it right with OpenDarwin," I guess you would be right. They actively work against third party software syncing with the iPod, and have overly restrictive terms for developing software for the iPhone.
Apple only accepted interoperability and broad third party software because it was on the verge of bankruptcy, not because it is a company that sits on a moral high ground. Apple's strategy, originally, was to keep themselves completely separate, so that buying one Apple computer required you to change your whole infrastructure. This was and remains a failing strategy, and so they modified it so that just enough third party development was possible to keep their systems relevant, but nothing more. iPods only support those formats that Apple chooses (and many iPods cannot be reflashed, because they were designed to only be capable of running Apple's software). iPhones only support some third party development, and developers are required not to step too far from where Apple wants them to be. I cannot build a computer that runs Mac OS X on my own, and it is not likely that Apple will ever allow for this. Like I said, you can construct any number of reasons for these things, but there is no denying that Apple does not want third parties developing software for Apple's platforms.
That's because M$ just has more 'features' (Score:5, Insightful)
Re:Apple's shortcomings (Score:5, Insightful)
You're also combining the lack of customizable hardware with a lack of customizable software. What they want to retain control of is the hardware and the software platforms. 3rd parties can easily build on top of that. The intent is to manage the user experience. Otherwise they feel users will end up with a mess, like on the Windows platform.
Re:Well, duh... (Score:5, Insightful)
Sorry, kiddo, but I'm going to have to disagree.
The "freedom" aspects are nice and everything, but without needed features or functions, you don't have jack.
Not all software has to be "free" (and not everything *should* be).
Re:Just more FUD (Score:5, Insightful)
It's early days still in Apple's second-coming. There's no denying that their market share will only increase for the next few years. There's also no denying that at the moment their installed base is still trivial. Mind share for people making exploits will also take time to get to the same level on the Mac as what it is for PCs.
This is fairly obvious stuff -- history has shown that no software developer takes security seriously unless they have absolutely no option. MS crossed that threshold a long time ago and really got their shit together. Apple hasn't reached the threshold yet, but all indications are that it's just a matter of time. There's a world of AJAX apps out there waiting for their trial by fire too.
Re:Oh Noes! Somebody said something good about MS! (Score:1, Insightful)
Re:Well, duh... (Score:3, Insightful)
For example, I'm sure you can do any of the editing iPhoto allows on Linux using nothing but free command line utilities. In fact, I'm sure those command line utilities can actually do much more than iPhoto can. However, those utilities, however technically superior they are, are absolutely worthless to the vast majority of users.
Of course, on Linux there are GUI photo editors, but they still suffer from UI and usability issues, as well as general aesthetics, when it comes to most users.
Freedom, just like usability and aesthetics, is nothing more than a type of feature. To turn the tables on you:
"True, without needed freedoms you don't have jack. But once you get the needed freedom the rest is fluff."
Most Mac software provides all the freedom most people need. So, with Mac OS X, for most people, they get all the freedom they need and want, all the usability they need and want, and all the aesthetics they need and want. With Linux, they get all the freedom they need and want, a lot of the usability they need, and some of the aesthetics they want.
There are, of course, plenty of Linux users for whom Linux's usability and aesthetics not only match what they want, but match it better than OS X does, and there are those for whom the freedom afforded by OS X is insufficient. These users are a small minority, but fortunately for them, Linux (and *BSD, etc.) exist.
You appear to be in that minority, which is fine, but you seem to be overreaching with regards to the extent to which your experience applies to the computer using populace as a whole.
Re:Well, duh... (Score:3, Insightful)
Time to join me in the real world. People are required in order to create software. People need to be paid. Most software would be unable to make money if it is "free" as it would also end up being free as in sale price (as I have explained earlier in this thread).
Sounds like a pretty good reason to me.
To paraphrase a statement someone made on here ages ago which I happen to agree with - "Information wants to be free. Programmers want to be paid. You just want to be cheap."
Re:Look at it my way (Score:4, Insightful)
Re:Just more FUD (Score:3, Insightful)
I was actually responding to the assertion that Apple's market share is no longer trivial, and provided some evidence to support my statement. Gartner is a fairly well-respected source of information in the IT world.
I'm not certain of what market Apple's products are available in. Are you saying that they only sell in the US? That would surprise me.
You've made a number of interesting claims. I'll summarize how I read them below.
1) Retail laptop sales are a portion of total laptop sales, which in turn is a portion of the total worldwide PC market. I agree completely. I'd say that tends to support a position that most attacks are directed at the widest possible array of targets, which do not presently include Apple to a great extent, but maybe I'm not understanding you correctly.
2) You imply that spyware and viruses are not targeted at corporate servers. There are, of course, many examples that disprove this, among them Nimda and Code Red to name two that immediately come to mind. Excluding the server market, you seem to imply but don't outright state that Apple has 10-25% of the laptop market? I think this is simply exaggerated. Apple is growing, but not fast enough to have captured that much market share that quickly, even in the US alone. Maybe in three or four years if things keep going well for them.
3) The most interesting claim you make is that Apple users make more money than non-Apple users, thus making them prime targets for attacks, thus proving that they are more secure. There are a number of problems with this assertion.
There's no evidence that Apple users are more affluent. Perhaps that Apple's target market demographic is, but that isn't the same thing at all.
Still, let's assume a couple of your points, then. Let's assume Apple has, say, 20% market share, and those 20% of users, they have 20% more income than the rest. I'm not suggesting those numbers are in any way accurate, I think they're way too high, but I'm using them to make a point. It still wouldn't make financial sense to write something targeted at those users. This isn't statistical bullshit, just straight math.
You also make an assumption that keystroke loggers and the ilk are the majority of the attacks in the wild, aimed at stealing financial data from individual users, which is also incorrect. Zombies are far more prolific than anything else. Most people will never even know they've been attacked (which is the biggest part of the problem).
Lastly, there were a lot of Linux users who used to say the same thing, about ten or so years ago. I was one of them. As the popularity of Linux grew, the number of discovered vulnerabilities also grew, because they became more interesting targets with their popularity. You know what they say about those not learning from history being doomed to repeat it?
Re:Look at it my way (Score:2, Insightful)
Riddle me this Batman, what is the big reason behind why Microsoft has so much manpower dedicated to fixing patches? They have told us that it is because back in the day when they took it about as seriously as Apple does presently, people on
This is important because perhaps your conjecture is enabling Steve to skate by with weak security responses, the Windows release of Safari was a joke, clearly Apple didn't care about sexy or cool when they passed that turd. Perhaps instead of sucking up to Steve Jobs, Apple lovers should objectively review Apple's patch performance and then call them out when they realize Apple is as bad as Microsoft was back in the later 90s.
If you make excuses, Apple will continue to slide, but if you call them out, perhaps they would fix the problem. It appears to have worked with their 180 on the issue of an iPhone SDK after people bitched. Perhaps if you really want to light a fire under Steve's ass, write a program or addon that patches Apples with 3rd party fixes. Then he'll get moving as he hates people touching his "art". Just my two cents.
This was written on a CentOS system so I have no horse in this race.
Re:yes, and if grandma had wheels..... (Score:3, Insightful)
On the front page of
The person took complete control of the Mac box by having the user click on a link in Safari.
The rules of this contest state that only non-published attacks can be used. This guy just happened to have this one sitting around to use.