Apple lags MS in security response

Apple is trailing way behind Microsoft in security patch responsiveness, according to a study by security researchers. Stefan Frei and Bernard Tellenback of the Computer Engineering and Networks Laboratory (TIK) at the Swiss Federal Institute of Technology analysed several years of vulnerability disclosures and patching …

COMMENTS

This topic is closed for new posts.
  1. NB
    Coat

    wait for it....

    I'm sure the Apple Fanbois and other worshippers of Steve Jobs' phallus will be out in force to criticise this article... just wait for it.

    Mine's the black leather one with 'FLAMEBAIT' written across the back in metal studs.

  2. Jonathan
    Happy

    Say it ain't so...

    Apple cares more about the public relations impact of security vulnerabilities than the risk said vulnerabilities pose to their customers?

    Next you are going to tell me that the Apple machine was the first to fall in the Pwn2Own contest and that Apple sells its products on image first and functionality second.

  3. John
    Jobs Horns

    Smell the Coffee Mr Jobs!

    I love my Mac. But it should be obvious to Mr Jobs that the key selling points of the mac ease-of-use and productivity suites (in my case being iWorks, iLife, & Aperture) will be fundamentally undermined WHEN that productivity is stolen, corrupted, or otherwise held hostage by hackers spawning malware.

    Steve Jobs, if you want to send me and others back to Linux or worse (oh dear god) Windows, then keep going as you are, don't change a thing.

  4. Jamie Davis
    Go

    Go on...

    Really... you're just goading us now aren't you? I think I'll set up my deckchair here and watch the flame wars.

    GAME ON!

  5. Mark Broadhurst
    Jobs Horns

    Crumbling Ivory Tower

    Macs are coming under as much fire as PCs these days. I guess the "it's safer on a Mac" stance was basically because they were largely ignored; now they are a contender, it's not just good attention they are getting.

  6. Paul van der Lingen

    @ John

    Me too - I love my macs (all three of them), but I don't take security for granted. Ever.

  7. Calvin Davidson

    You can do anything with statistics.

    "Colleagues of the duo reckon Apple's antagonistic attitude with security researchers is one of the reasons for its poor response."

    Shouldn't that be:

    "Colleagues of the duo reckon Apple's antagonistic attitude with security researchers is one of the reasons they're so desperate to find a stick to beat it with."

  8. jai

    apple fanbois

    odd though, that it's always the anti-apple crowd that respond first to these stories

  9. Mark Broadhurst
    Gates Halo

    @jai

    Didn't you read the story? MS people get to security before Apple, so of course the MS people get to the story before the Apple crowd.

  10. JC
    Flame

    @ Jai

    It starts....

  11. Joey
    Jobs Halo

    according to...

    ...a study by security researchers from IBM

    Isn't that the company that lost Apple's processor business to INTEL?

    Nuff said.

  12. Mike Crawshaw
    Happy

    @jai

    "odd though, that it's always the anti-apple crowd that respond first to these stories"

    - just as odd that it's always the Apple crowd that respond first to stories about any other OS's flaws...

  13. Anonymous Coward
    Stop

    Re: according to...

    Joey: "...a study by security researchers from IBM. Isn't that the company that lost Apple's processor business to INTEL?"

    Fanboy excuse rating: 2/10

    Report to your nearest Apple store immediately for an RDF 'upgrade'.

  14. Anonymous Coward
    Joke

    They're here

    Was going to post with idle speculation on how long it would take before the Apple apologists turned up - but I see they beat me to it.

    Expect the legions of the brainwashed to fill this column with how great Apple are and how willing they are to keep emptying their wallets for them. If they can show up as positive comments on search results, maybe this report won't damage the Apple 'image' as much as it should!

  15. Lozzyho
    Paris Hilton

    @Joey

    >> Isn't that the company that lost Apple's processor business to INTEL?

    >>Nuff said.

    A case of shooting the messenger if ever I saw one! Wake up, Fanbois, the best thing that could happen to the Mac's reputation is that it slips back into obscurity so the hackers stop targeting it.

    Paris would understand PR disasters.

  16. Anonymous Coward
    Anonymous Coward

    Hmmm

    No Webster yet. Is he dead?

  17. Jack Moxley
    Paris Hilton

    Paris would understand PR disasters.

    <quote> Paris would understand PR disasters. </quote>

    She would need to view them as disasters to understand them.

  18. Tom Turck
    Gates Halo

    Ubuntu

    Since Apple switched to an Intel platform at least it is possible for them to switch to Ubuntu as well... Maybe we can see some Apple commercials with the smug, emo, arty Apple dude getting owned by some hacker geeks, while the chubby windoze dude watches with Mr T. or Chuck Norris as a bodyguard....

  19. Anonymous Coward
    Dead Vulture

    Level and balance?

    There is a big difference between a vulnerability that exists, but for which there is no exploit, and a vulnerability for which there IS an exploit "in the wild".

    I have yet to receive the kind of funds to research this sort of matter extensively, but I would be willing to bet a box of brand new floppy disks that a relatively large number of the Microsoft vulnerabilities has actually been exploited, whereas there have been relatively few successful exploits of same on the Mac platform.

    One thing that would have been interesting to include in this research, is how many of the published vulnerabilities were actually in software written by Apple Inc. themselves and how many were in bundled Open Source packages such as Apache. In the case of bundled Open Source software, Apple would have to rely on the developer community for that specific package to come up with a fix.

    Alas I can't say much about the (un?)timeliness of the release of patches to Open Source packages. In the case of Microsoft; they only release proprietary software for which of course they should be able to fix any vulnerabilities very quickly.

    Of course the nature of the vulnerabilities also differs greatly. For example I have heard and seen lots of complaints about QuickTime vulnerabilities of the kind that would require a user to visit shady sites and download even shadier movies in order to take effect. This kind of vulnerability is by no means comparable to the slew of Microsoft critical vulnerabilities which require no user interaction to have your PC join a botnet.

    So on the one hand we have dodgy movies trying to trick you into giving someone access to your machine: on the other hand we have the usual wide open back doors that turn your PC over to the Russian Mafia or anyone else who cares to hijack it. As far as I know there has yet to emerge any Mac-based botnet, while the number of Microsoft Windows Based PCs involved in botnets has risen over a million.

    Of course Apple should work on their act, but they have not left the kind of backdoors open that Microsoft seem to include as a courtesy with every software release. Cue the millions of PC's sending us spam everyday courtesy of Outlook being a tool molded to hacker's hands.

    Only researching patch time intervals does very little to convey the actual reality of the state of security matters on each platform. One could as well have researched the bytesize of the patches to conclude that bigger patches are more effective, and hence, the firm who has pushed the most bytes in security updates has won the security brownnose of the week prize.

    Dead bird because the research proves nothing.

  20. Anonymous Coward
    Stop

    Re: Level and balance?

    "bla...bla... Only researching patch time intervals does very little to convey the actual reality of the state of security matters on each platform. One could as well have researched the bytesize of the patches to conclude that bigger patches are more effective, and hence, the firm who has pushed the most bytes in security updates has won the security brownnose of the week prize. Dead bird because the research proves nothing."

    Fanboy excuse rating: 7/10

    The iForce is strong in this one, a true believer.

  21. Anonymous Coward
    Anonymous Coward

    A Fanboy speaks

    Right, that explains why my Macs are infested with viruses and associated malware.

    Oh, wait a minute..

  22. Anonymous Coward
    Heart

    Webster baiting

    Is there a contest among El Reg Hacks for Webster baiting? Do you declare a winner based on how incoherent his responses are? Can I chip in for a prize?

  23. sandiskboy

    I am just a Macboy

    My mac is laden with viruses and security holes. Please help me! I'm at my wits end as I'm just a Maccie and I don't know security and complicated things.

    Should I get Doctor Norton? How do you turn on the firewall? Is there one on my Mac?

  24. Anonymous Coward
    Anonymous Coward

    Let's see....

    There are tens of millions of zombie windows computers out there and no zombie Macs. Which user has more to worry about?

    And, no, I'm not saying that Mac users will never need to worry about security. Even today, if a computer user is stupid enough to click 'ok' repeatedly when asked to install software, ANY computer can be infected. But in practice, Windows users have infinitely more to worry about than Mac users - no matter how many of these sensationalistic stories the Register manages to publish.

  25. Anonymous Coward
    Flame

    Every time...

    ...I venture into another far-flung corner of the Interwebs and read yet another fascinating round of the apparently never-ending, never-changing yet endlessly pointless Mac vs PC flamewar, I can't help but wonder what mighty achievements are left unfulfilled, what life goals ignored, what potential cures for all the world's ills left unfound, how many extra keyboards are sold and how many relationships broken in the pursuit of a victory as Pyrrhic as it is unattainable

  26. David Eddleman

    Geez

    "Macs are coming under as much fire as PCs these days. I guess the "it's safer on a Mac" stance was basically because they were largely ignored; now they are a contender, it's not just good attention they are getting."

    WAIT A SECOND!

    ...I made this exact same prediction with the bloody iPhone!

    Maybe, just maybe, it's proving to be true!

    "There are tens of millions of zombie windows computers out there and no zombie Macs. Which user has more to worry about?"

    How do you know there's no zombie Macs? Saying there are no zombie Macs is like saying there are no zombie UNIX/Linux boxes -- just not true, I've seen some myself.

    You fail at argumentum ad populum.

  27. Antidisestablishmentarianist
    Flame

    No Linux Freetards?

    I might have missed it but usually there's some comment along the lines of 'gee if you had linux you wouldn't have these problems, snigger'. Come on people - I'm disappointed.

    And Webster, Webster, what's wrong? I saw on the 'apple is best brand' article you flamed a guy for reading it wrong, but didn't take the opportunity to bag EVIL Apple. Get well soon!

    BTW, I just love the term 'Freetard' and how it's made some of you squirm and get all indignant. Hilarious flame bait.

  28. Nexox Enigma

    Fear of a Black Hat!

    My whole office was laughing at that one. Then again we're probably some of the 38 people on the planet that have seen that movie.

    And did anyone notice the URL for this article? apple_security_response_pants

    Pants, indeed.

  29. Anonymous Coward
    Thumb Up

    RDS in full flow tonight..

    <quote>And did anyone notice the URL for this article? apple_security_response_pants</quote>

    They would be the tastefully styled brown ones I assume.

  30. Doug Petrosky
    Happy

    Ok, I'll step in to be branded a fan boy

    This sounds like sour grapes. Yes, Apple has to work with researchers who find bugs and vulnerabilities to patch them. And they may have to stroke their egos a bit more too but the bottom line is the less anyone knows about specific security flaws in an operating system the better! It is no surprise that the day or week after Microsoft issues a patch that a slew of new attacks come out to try to take advantage of these newly documented bugs.

    Also, I have to say the basic idea behind this article is flawed. Apple has responded very quickly to all actual threats to its users (which admittedly have been few so far). It has done so well, that even the couple of trojans that exist for the Mac have gotten huge press but caught very few victims.

    So, here is an analogy. This is like a teacher with two students. One spends 10 minutes a night on homework and Aces all the tests and the other spends 3 hours a night but can get better than a C. This article praises the C student and predicts that once the work gets harder the A student will obviously fail.

    All I'm saying is that I see no facts to support the C student over the A student.

  31. Webster Phreaky
    Jobs Horns

    Apple Droids defend being MacIntel "PC Clones" now

    Just enjoy this thought ...... MacTards are proud of being Intel PC CLONES now and all the wonderful advantages, like being a Virus target!

    Hey remember the days of your Emperors claims of G3's / G4's / G5's are Sooooo much better and faster than Intels??? Hypocrites!

    Every day you Apple FUDs prove you are MacTards.

  32. Marko Alat

    @ Doug Petrosky re: OK, I'll step in to be branded a fanbbbboiiii

    Doug did sed:

    > the bottom line is the less anyone knows about specific security flaws in an operating system the better!

    What you refer to goes by the stage-name of "security through obscurity", and it's

    1.) Been discredited since long before the first time someone who hid their house keys under their doormat came home to find they've been burgled, and

    2.) As realistic as belief in the healing power of crystals when it comes to OS security.

    If Apple want people to develop software for their platform, they can't keep the inner workings of their OS secret. They have to let non-Apple people know how they map memory, how they prioritise the stack, how they write to the pattern buffer and assorted other garble. This is the information on which exploits are built, and it's out there for anyone with enough of an aversion to sunlight to use to haXOR an Apple box (crate?), and boast about it afterwards. As soon as one person knows, everyone knows.

    Time was, IBM and M$ would respond to reports of exploits with cease-and-desist orders from their legal departments, and their customers would learn about the discovered hack when they got pwned months later. They largely learned their lesson. It's Apple's turn now.
