Microsoft or Apple - Who Is the Faster Patcher?

Zonk posted about 6 years ago | from the go-speed-patcher-gooo dept.


Amy Bennett writes "And the answer is... Microsoft. Researchers from the Swiss Federal Institute of Technology analyzed 658 high-risk and medium-risk vulnerabilities affecting Microsoft products and 738 affecting Apple. They measured how many times over the past six years the two vendors were able to have a patch available on the day a vulnerability became publicly known, which they call the 0-day patch rate. What they found: 'Apple was below 20 [unpatched vulnerabilities at disclosure] consistently before 2005,' said Stefan Frei, one of the researchers involved in the study. 'Since then, they are very often above. So if you have Apple and compare it to Microsoft, the number of unpatched vulnerabilities are higher at Apple.'"
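An added example, not part of the Slashdot story or of Frei's study: a small script that computes the "0-day patch rate" the summary describes (a fix available on the day a vulnerability became public) per vendor and year, the complementary "unpatched at disclosure" count, and the notification-to-patch delay that the 0-day metric cannot see. The vulnerability list, vendor names and dates are constructed for illustration; restricting to "high" and "medium" severities is an assumption about what the study's "high-risk and medium-risk" filter means.

```python
from collections import defaultdict
from datetime import date
from statistics import median
from typing import Dict, List, NamedTuple, Optional, Tuple


class Vuln(NamedTuple):
    vendor: str
    severity: str               # "high", "medium" or "low"
    disclosed: date             # day the issue became publicly known
    patched: Optional[date]     # day a fix was available, None if still open
    notified: Optional[date]    # day the vendor was told privately, None if unknown


# Constructed sample data for illustration only; not real advisories.
SAMPLE: List[Vuln] = [
    Vuln("VendorA", "high",   date(2007, 3, 13), date(2007, 3, 13), date(2006, 12, 1)),
    Vuln("VendorA", "medium", date(2007, 4, 10), date(2007, 4, 10), date(2007, 1, 20)),
    Vuln("VendorA", "high",   date(2007, 6, 2),  date(2007, 7, 10), date(2007, 6, 2)),
    Vuln("VendorA", "low",    date(2007, 8, 1),  None,              None),
    Vuln("VendorB", "high",   date(2007, 2, 1),  date(2007, 2, 1),  None),
    Vuln("VendorB", "high",   date(2007, 5, 15), date(2007, 6, 20), date(2007, 5, 15)),
    Vuln("VendorB", "medium", date(2007, 9, 9),  None,              date(2007, 7, 1)),
    Vuln("VendorB", "medium", date(2006, 11, 3), date(2006, 11, 3), date(2006, 10, 1)),
]

# Assumed reading of the study's "high-risk and medium-risk" filter.
HIGH_MEDIUM = ("high", "medium")


def qualifying(vulns: List[Vuln], severities=HIGH_MEDIUM) -> List[Vuln]:
    """Keep only the severities being counted."""
    return [v for v in vulns if v.severity in severities]


def patched_at_disclosure(v: Vuln) -> bool:
    """The 0-day criterion: a fix existed on (or before) the disclosure day."""
    return v.patched is not None and v.patched <= v.disclosed


def zero_day_patch_rate(vulns: List[Vuln]) -> Dict[Tuple[str, int], Tuple[int, int, float]]:
    """Per (vendor, disclosure year): (patched at disclosure, total, rate)."""
    tally = defaultdict(lambda: [0, 0])
    for v in qualifying(vulns):
        key = (v.vendor, v.disclosed.year)
        tally[key][1] += 1
        if patched_at_disclosure(v):
            tally[key][0] += 1
    return {k: (hit, n, hit / n) for k, (hit, n) in tally.items()}


def unpatched_at_disclosure(vulns: List[Vuln]) -> Dict[Tuple[str, int], int]:
    """The complementary count the summary quotes ("below 20" per year)."""
    return {k: n - hit for k, (hit, n, _) in zero_day_patch_rate(vulns).items()}


def days_vendor_knew(vulns: List[Vuln]) -> Dict[str, Tuple[List[int], int, int]]:
    """Notification-to-patch delay per vendor, which the 0-day rate cannot show.

    Returns (sorted delays in days, vulns with no known notification date,
    vulns notified but still unpatched). Only the first item is measurable;
    the other two are the cases the metric silently drops."""
    delays = defaultdict(list)
    no_notice = defaultdict(int)
    still_open = defaultdict(int)
    for v in qualifying(vulns):
        if v.notified is None:
            no_notice[v.vendor] += 1
        elif v.patched is None:
            still_open[v.vendor] += 1
        else:
            delays[v.vendor].append((v.patched - v.notified).days)
    vendors = set(delays) | set(no_notice) | set(still_open)
    return {vd: (sorted(delays[vd]), no_notice[vd], still_open[vd]) for vd in vendors}


if __name__ == "__main__":
    for key, (hit, n, rate) in sorted(zero_day_patch_rate(SAMPLE).items()):
        print(f"{key[0]} {key[1]}: {hit}/{n} patched at disclosure ({rate:.0%})")
    for vendor, (days, unknown, open_) in sorted(days_vendor_knew(SAMPLE).items()):
        med = median(days) if days else None
        print(f"{vendor}: median notify-to-patch {med} days over {len(days)} cases; "
              f"{unknown} with no notification date, {open_} still open")
```

Note the case of VendorB's first entry: disclosure and patch fall on the same day and no notification date is known. A vendor that only lets an issue become public when the fix ships always scores a perfect 0-day rate for that issue, however long it sat on the report, which is exactly the gap `days_vendor_knew` makes visible where a notification date exists.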

heh (5, Funny)

ionix5891 (1228718) | about 6 years ago | (#22886176)

it must be apple hate week here at slashdot :p

Re:heh (1)

ionix5891 (1228718) | about 6 years ago | (#22886244)

I kid, I kid, no need to mark me troll, hence the :p

Re:heh (1)

sm62704 (957197) | about 6 years ago | (#22886326)

Tough room. A comment I made yesterday [slashdot.org] went back and forth, it made it to +4 interesting before winding up as 0 Flamebait.

Re:heh (0)

Anonymous Coward | about 6 years ago | (#22886398)

At least you reached +4. I always start with +2 and go to -1 sooner than BoC goes out on Woot!

Re:heh (0, Troll)

mapsjanhere (1130359) | about 6 years ago | (#22886564)

Well, your description of Bush as "traitor in chief" probably did you in. That was unnecessary flamebait, since it didn't really add to your otherwise well stated post.

Re:heh (3, Funny)

Vitriol+Angst (458300) | about 6 years ago | (#22886634)

You don't have to just remain cool in modern terms -- you have to consider your cool creds in the Google Cache and way-back machine. Good cache lends credence to your cache.

>> I've thought Bush sucked since 1999. And, since that family has their fingers in everything, it is way more on topic than say, talking about computers. I definitely wasn't cool at the time. It's like not liking Adolph in 1930 -- too soon. /could not resist flame bait.

Re:heh (-1, Flamebait)

Anonymous Coward | about 6 years ago | (#22886676)

That's probably because most of your posts suck.

It's to make up for the other 51 weeks (0, Troll)

Anonymous Coward | about 6 years ago | (#22886420)

Of smug self-righteous praise.

Oh Boy (2, Funny)

elrous0 (869638) | about 6 years ago | (#22886188)

Now you've done it.

Well, duh... (5, Funny)

SirGarlon (845873) | about 6 years ago | (#22886192)

Microsoft has more practice patching their OS!

Re:Well, duh... (0)

Anonymous Coward | about 6 years ago | (#22886274)

I wonder what the patch failure rate is for Microsoft? My own anecdotal evidence suggests that Apple's patches actually work, where Microsoft's tend to cause instability or open other holes.

Re:Well, duh... (5, Informative)

Anonymous Coward | about 6 years ago | (#22886482)

That's exactly right. Microsoft batch their updates once a month. Apple do it less regularly and less frequently, and they are frequently *unbelievably* slow to patch issues in the Free software they ship that's also in Linux or BSD distributions (trust me, I track this stuff for my employer.) God only knows how bad they are about patches in their own code. They didn't even manage to fix a typo in the Safari / win32 port EULA right first time. [channelregister.co.uk]

Personally, as a certified Free software I'm rubbing my hands & looking forward to the Linux types who've switched for, basically, teh shiny. It's Freedom that counts folks, not features or functions or shiny... Freedom.

Re:Well, duh... (2, Interesting)

Vitriol+Angst (458300) | about 6 years ago | (#22886798)

I think there are a few statistical problems here that must be addressed in order for this survey to make sense:

Microsoft is at least 10 times bigger than Apple at the moment, and so is their OS development. How does Apple have MORE unpatched errors when the Mac OS is not the one getting riddled with trojan horses, spyware, viruses and stolen databases? So, one unpatched error does not equate to another.

The time of Knowing about the flaw to the time it is patched -- does this just mean a different reporting standard?

Of these errors from Apple -- how many of them are from the OS? Python, the Apache web browser -- a lot of open source and third party apps are bundled in the Mac UNIX system. I've heard reports that most of Apple's unpatched problems are actually these third-party apps. Without actually RTFA (I can't be bothered with that), I'd say, that's how Apple is getting a higher number.

IF Apple does bundle them -- then they kind of do have to deal with the problems -- it's the whole widget they give to the customer, so as an Apple customer my user experience is affected whether or not it was Python or AppleScript that screwed up my iCal alarm. However, that said, it is pretty cool that Apple is pushing these third-party apps and improving them. The net result is that you have a synergistically powerful and useful computer. As a developer, I have a well installed suite of development tools for web solutions and even standard computing. I can send my Python script to another Mac user, and they can run it if they have the latest OS update. You can't count on that on other systems; not even Linux (as far as I know, but I didn't RTFA) has a reliable bundled suite of development tools or apps.

This is probably just another security firm, trying to glom on some attention for itself, by basically making up a problem that doesn't exist. Yes, Apple has taken its time on fixing a lot of known errors. I'd much rather they fix Leopard for stability right now, rather than chase down some buffer overflow in Python. They are both important, however, but having better uptime with Tiger seems like a bigger improvement, rather than all the more up to date and patched third-party applications in Leopard.

By net results alone, Apple is far ahead of Microsoft. Whether app problems are patched or unpatched, the User experience is what matters most. That's why Microsoft has had a lot of issues converting XP users to Vista.

Oh Noes! Somebody said something good about MS! (1)

s20451 (410424) | about 6 years ago | (#22887190)

Yes, the Swiss Federal Institute of Technology [www.eth.ch] , one of Europe's most prestigious engineering schools, is just another security firm trying to glom on some attention for itself. Also, if you had read the article, you would have read the following:

... the study proved to be such a glowing affirmation of Microsoft's increased focus on security in the past few years that it prompted Cushman to ask Frei, "Did Microsoft fund this research?"

"This is independent academic research," Frei replied.

If a tree falls ... (3, Funny)

arteas (1002034) | about 6 years ago | (#22886194)

and no one is around to hear it does it make a sound? That's the excuse I would use if I was Apple.

what day of the week is it? (5, Funny)

gEvil (beta) (945888) | about 6 years ago | (#22886224)

Microsoft is the faster patcher, but only if it happens to be the second Tuesday of the month.

or (2, Funny)

Anonymous Coward | about 6 years ago | (#22887148)

Microsoft is the faster patcher, but only if it happens to be the second Tuesday of the month.

Or if they are patching a problem in a DRM system or other end-user-inhibitor.

Look at it my way (2, Insightful)

Apoorv Khatreja (1263418) | about 6 years ago | (#22886226)

Microsoft fixes their bugs faster, OK. I agree. I would say it is a result of the large manpower they have. They have a larger team dedicated to fixing bugs.

What affects me, is the severity of these bugs that need to be fixed. If that is analysed, I'm sure that Apple prioritises its bugs better, and fixes the more important bugs earlier and more efficiently than Microsoft. Moreover, the bugs at Microsoft would be more severe, and a lot of patches are released in a hurry without testing properly. A perfect example is the recent release of the Vista SP1, which was withdrawn later on. It caused complete devastation, leaving many systems unrepairable, and led to heavy loss of data for a lot of people I know. With Apple, such mistakes are very, very few. The bugs are mostly small, with less than 2% of them being fatal.

Re:Look at it my way (4, Insightful)

Anonymous Coward | about 6 years ago | (#22886322)

I would look at it your way, if your way was more than just hypothesis and conjecture.

From your post: "What affects [sic?] me, is the severity of these bugs that need to be fixed. If that is analysed, I'm sure that Apple prioritises it's bugs better, and fixes the more important bugs earlier and more efficiently than Microsoft."

You're sure, huh? Hmmmmm...I'm not sure if you're an Apple fanboi or a Microsoft hater, but either way, you can never be sure about anything (except death and taxes). So, as soon as you said that line, everything else you said became a non-argument, argument.

Re:Look at it my way (1)

Apoorv Khatreja (1263418) | about 6 years ago | (#22886440)

That is past experience speaking, and general observation too. Probably I'm not dead sure (the phrase itself says that I'm sure of death), but I do know that this does not change the fact that people will continue to hate Microsoft, and love Apple.

Also, you cannot ignore the last point. Do you have any examples of bugs from Apple which totally destroyed your operating system? Then you can start counting the endless number of times Microsoft has done that.

And I am not on any of the sides.

I use Linux.

Re:Look at it my way (2, Insightful)

CaptainPatent (1087643) | about 6 years ago | (#22886384)

Exactly on the mark.

I was going to mention how many of Microsoft's patches have induced later zero-day bugs but more or less, you beat me to that point.

I also wanted to mention though how much more frequently Microsoft vulnerabilities are taken advantage of. I know this is simply a metric of Microsoft's percent market share with the likelihood of a computer running a Microsoft product, and not with the programming ability level at Microsoft, but it still means that if left unpatched for a fraction of the time, a Microsoft vulnerability is hundreds of times more devastating even if the same level of access is granted through it.

While the article is a good start, it is by no means a say-all in internet security.

Re:Look at it my way (3, Insightful)

Kelbear (870538) | about 6 years ago | (#22886558)

In addition to the parent's comment regarding frequency of attack, I'd like to point out that this is a reasonable characteristic to take into account when judging the OS.

One of the major features of Windows, and one of the most powerful, is that it is widely adopted and incumbent for the majority of the market. This provides them with the network effect that increases the value of this OS. It's only fair that the same penalty that is partnered with this popularity is taken into consideration when comparing operating systems.

Re:Look at it my way (3, Insightful)

Zondar (32904) | about 6 years ago | (#22886940)

So to use an analogy...

If there was a car that had a critical flaw and exploded into flames if you hit it from behind hard enough.... BUT only 0.03% of Americans drove the car... then the NHTSA shouldn't really consider that a 'critical' flaw, it shouldn't be viewed as 'badly' as the same type of flaw in a Honda Accord (driven by far more people)...

All because the market share of this explosion-prone car is low?

That's some whacked-out thinking right there. Just because the company can't get market share doesn't lessen the potential (or real) impact of the vulnerability. I don't care if that's Apple or Nortel or Mythic Entertainment.

Re:Look at it my way (2, Interesting)

CaptainPatent (1087643) | about 6 years ago | (#22887140)

Way off the mark...
More like there are two types of locks for your front door, we'll assign these locks random brands: Capple and Spikrosoft. Capple has a very small percentage of the market and Spikrosoft has a very large percentage.

Let's say there is a vulnerability that will allow access, but you need to order a specific set of tools to gain access to each individual brand of lock. Because Spikrosoft has a much larger market share, the tools specific to breaking into that lock will be ordered much more heavily, because much more stuff (inside the doorway) can be had by the sheer number of doors. This makes the doorway more likely to suffer an immediate break-in simply by popularity.

A break-in through either case is equally devastating, but as I mentioned it's a factor of the total number affected by the vulnerability and not the quality of the product individually.

Re:Look at it my way (1)

Zondar (32904) | about 6 years ago | (#22887222)

You're still trying to weasel in some "lessened severity" argument completely based on having a lower market share. A piece of crap code is a piece of crap code, whether 20 people or 20 million people run it. Especially if the one with 20 people is trying to tout itself as being more secure.

Lower Market Share = Less Vulnerable is a nice sidestepping attempt, but isn't rooted in the reality of the actual severity of the System A Bug A vs System B Bug B analysis.

"Oh, but when our stuff breaks (just as badly as BigCorp's stuff), it's better... because it doesn't affect as many people. Why? Because we suck and can't sell as many as BigCorp. But remember: We're Better."

Re:Look at it my way (1)

jellie (949898) | about 6 years ago | (#22886550)

The Slashdot headline is misleading -- the study did not compare which company was faster, but compared the rate at which they released zero-day patches. While these numbers are highly skewed by the number of unknown (or undiscovered) vulnerabilities, they're still interesting nonetheless. I doubt either company releases a patch the same day they find out about a vulnerability, and it shows the relationships the companies have with security companies (as mentioned in the article). Of course, all of this depends on whether the vulnerabilities are published or not.

Re:Look at it my way (1)

mapsjanhere (1130359) | about 6 years ago | (#22886630)

There are three potential reasons why MS looks better in this statistic:
- MS patches faster (unlikely since they very rarely patch outside the Tuesday schedule)
- MS finds more vulnerabilities internally first, so they don't become public knowledge
- MS somehow has found a better way to deal with "security researchers" to keep their findings under wraps until they can fix it
Now, lots of times we hear here that "MS has known about this for months and isn't doing anything until forced to". But is Apple any better at it? It would be interesting to hear from people who have dealt with Apple's response to private communications on security issues.

Re:Look at it my way (1, Flamebait)

cheater512 (783349) | about 6 years ago | (#22886996)

Well, I have to give Microsoft the award for the longest bug ever.
Excel still thinks 1900 is a leap year.

I can't see any other company with the arrogance and stupidity not to fix such a simple flaw.

Re:Look at it my way (1)

harryjohnston (1118069) | about 6 years ago | (#22887172)

I guess that another factor is that Mac OS X shares a lot of code with other products/projects. Many (perhaps most) of those projects are probably unwilling to postpone releasing security updates until Apple are ready. Microsoft don't have that problem, or at least not to the same extent.

Re:Look at it my way (2, Informative)

Drakin020 (980931) | about 6 years ago | (#22887094)

Dude that SP1 patch was not an official release for the public. More like a leak.

The official release has worked great for everyone I know.

Troll somewhere else please.

this is no surprise... (0, Troll)

thekm (622569) | about 6 years ago | (#22886234)

...if you need to patch your OS 100x more than a competitor, then you'll naturally be faster. If Microsoft had an order of magnitude more bugs and was slower to fix them, then they'd be a far crappier tech company than they already are.

Re:this is no surprise... (2, Informative)

Yokaze (70883) | about 6 years ago | (#22886296)

From the summary:
> 658 [...] affecting Microsoft products and 738 affecting Apple

Re:this is no surprise... (1)

thekm (622569) | about 6 years ago | (#22886716)

Yup, read that part. No part of the article says that these were the totals of all bugs raised; it's just an expression of their sampling data. Do you honestly believe that there was only a total of around 700 bugs for either company!?... surely you jest.

Of course! (5, Funny)

shadow349 (1034412) | about 6 years ago | (#22886238)

So if you have Apple and compare it to Microsoft, the number of unpatched vulnerabilities are higher at Apple.
That explains all those zombie Mac OS X machines.

Just more FUD (0)

Samalie (1016193) | about 6 years ago | (#22886258)

I'm not a MS or Apple basher, but this article is pure FUD, again.

The main reason - this only deals with known vulnerabilities and the time it takes to patch. Nowhere is discussed vulnerabilities that either vendor knows exists, but releases no information and no patch to fix it.

I'm all for trying to analyze the differences between vendors, but studies like this are just shit.

Re:Just more FUD (5, Interesting)

d34thm0nk3y (653414) | about 6 years ago | (#22886364)

The main reason - this only deals with known vulnerabilities and the time it takes to patch. Nowhere is discussed vulnerabilities that either vendor knows exists, but releases no information and no patch to fix it.

The study speaks of things that can be known. Your response speaks of things that can't be known. You seem to be slinging the uncertainty and doubt part yourself.

Re:Just more FUD (1)

truthsearch (249536) | about 6 years ago | (#22886474)

His argument is that 0-day patch response rate is only one factor. This information has little value when it's impossible to know how many vulnerabilities actually exist.

Re:Just more FUD (0)

Anonymous Coward | about 6 years ago | (#22887020)

Your response speaks of things that can't be known.

I think MS and Apple know about the non public vulnerabilities that they know about. If we define what you don't know as what can't be known you may have a point.

God, this is like having a conversation with Donald Rumsfeld.

Re:Just more FUD (1)

UnknowingFool (672806) | about 6 years ago | (#22887074)

I think the OP is referring to vulnerabilities known by the vendor but not disclosed to the public. The study seemingly only counts the disclosed variety.

Re:Just more FUD (2, Insightful)

samkass (174571) | about 6 years ago | (#22886452)

The article completely lacks any discussion of methodology, nor does it include actual data. If you make a blanket statement like "any buffer overrun bug in an included package is a 'serious' vulnerability", which I suspect is likely, but Apple doesn't run the service by default and/or has another layer of protection behind it, then it's unlikely that the vulnerability would turn into an actual exploit. Another OS with the exact same package might run it by default in an easily exploitable configuration, yet have exactly the same "seriousness" rating.

Now that Apple has nontrivial market share, especially in the US non-business markets, security researchers are going to have to come up with some reason besides "obscurity" that there's not a single virus in the wild for MacOS X... despite articles like these claiming Apple has more serious vulnerabilities that they patch slower.

Re:Just more FUD (1)

catwh0re (540371) | about 6 years ago | (#22886606)

I agree that it's FUD, it's easily seen by the rather narrow scope for this outcome to be "factual". (You can get any result you want if you're incredibly specific with the scope - hence the MS Windows TCO vs the Linux TCO reports a while ago.)

But that is not what is interesting, and I could only think of one thing from seeing this article: Is MS now funding anti-Apple "research" (similar to all the anti-open source research)? After last month's high market share readings, do MS now see Apple as a threat?

Re:Just more FUD (4, Interesting)

UnknowingFool (672806) | about 6 years ago | (#22886718)

It kinda makes sense that Apple would have more bugs. Apple uses a lot of open source software as OS X is Unix underneath the GUI. Open source software is better at disclosing bugs so their vulnerabilities are known. If you look at Apple's last security patch, it included patches for Apache, CUPS, emacs, Kerberos, libc, OpenSSH, PHP, X11, etc. That is contrasted with MS as many of their vulnerabilities are not disclosed until MS or a 3rd party discloses it. Many 3rd parties have independently disclosed because of their frustration with MS response and/or lack of acknowledgement.

I think we're saying the same thing here... (1)

jd (1658) | about 6 years ago | (#22886770)

Vulnerabilities aren't disclosed on being discovered, so we don't know how long either vendor knew about the bug in advance; if Microsoft only ever allows disclosure at time of patch release, they will always have a zero delay. If Apple always notifies at the time the bug is considered serious, their delays would automatically be longer.

Also, although we can guess at the total number of vulnerabilities per kilo-lines of code, we don't know what insider information either company has on bugs, although the total is likely to be in the thousands for both, as software is complex and fixing is riskier than ignoring minor gremlins.

Apple seems to put out more and more crap (0, Troll)

Anonymous Coward | about 6 years ago | (#22886280)

I've recently noticed that Apple's software constantly crashes with segmentation faults, which practically always means that there's a potential security vulnerability... So to me it seems like Apple's code is constantly getting worse. It looks like sales is getting all the attention...

I love anecdotes! (0)

Anonymous Coward | about 6 years ago | (#22886392)

Yeah, the big flaw from Safari 2 that I wanted fixed in Safari 3 was that it always crashed immediately whenever I started it up. Unfortunately, the problem persisted. I can't see how anyone could possibly use a browser that doesn't stay open long enough to load about:blank.

Anecdotal evidence. Serious business.

Re:Apple seems to put out more and more crap (1)

gilesjuk (604902) | about 6 years ago | (#22886776)

Name the applications, version of the OS and the hardware you're using.

Have you ever thought you might have a hardware issue like faulty memory or bad blocks on the hard disk? It is likely on an unstable computer.

Re:Apple seems to put out more and more crap (0)

Anonymous Coward | about 6 years ago | (#22887158)

Lately? It has always had problems.

Between software that's really no better than anything else and substandard quality hardware*, I have to give Apple a thumbs down.

* Apple hardware has a nice look and a fancy design, but the actual physical quality seems slightly worse than normal products. My Apples (I own both laptops and iMacs) have had hardware problems more often than any other computers I own.

Apple's shortcomings (5, Interesting)

rubeng (1263328) | about 6 years ago | (#22886314)

I love my Mac, and have been happy with OSX, but Apple's secretiveness is really annoying when it comes to patches - generally they don't tell you what was fixed, or do so only in really vague terms. There are frequent reports of Apple deleting threads in their forums talking about bugs they don't seem to want to admit to.

If they really want to be taken more seriously in the enterprise market, they're going to have to step up and treat these things a bit more professionally, instead of just basically saying "trust us and don't ask too many questions".

Re:Apple's shortcomings (1)

betterunixthanunix (980855) | about 6 years ago | (#22886544)

This has always been a problem with Apple, and it is what cost them the market to begin with. They don't want the rest of the world involved with their OS, their hardware, or anything with an Apple logo on it. They begrudgingly accept the idea that SOME outside software is necessary for them to survive, but if they could, they would lock everyone else out of their platform. I don't have any idea why -- Apple fans I've met claim it is because no one else can get it "right" the way Apple does, and detractors claim that it is because Apple has no respect for its users or developers.

In a business sense, though, Apple isn't so bad off, as a niche company. That they created a niche to fill is an act of marketing genius, of course.

Re:Apple's shortcomings (3, Insightful)

truthsearch (249536) | about 6 years ago | (#22886818)

Laptops, phones, and portable audio players are niches created by Apple?

As for software, they use plenty of open source and contribute back to the community. What they don't want outside involvement with is their core hardware.

Re:Apple's shortcomings (4, Insightful)

betterunixthanunix (980855) | about 6 years ago | (#22887038)

Laptops, phones, and portable audio players are not Apple inventions. There is a market for Apple products, which Apple has worked extremely hard to keep separate from the rest of the computer world. The specific types of computers Apple sells is not the niche, any more than a vehicle with four wheels is the "niche" market of tractor manufacturers.

No, Apple does not want outside involvement in their products, and has not been friendly to the open source projects it draws on for some of its products. If by "give back to the community," you meant, "begrudgingly provide some code to the Konqueror team but never really get it right with OpenDarwin," I guess you would be right. They actively work against third party software syncing with the iPod, and have overly restrictive terms for developing software for the iPhone.

Apple only accepted interoperability and broad third party software because it was on the verge of bankruptcy, not because it is a company that sits on a moral high ground. Apple's strategy, originally, was to keep themselves completely separate, so that buying one Apple computer required you to change your whole infrastructure. This was and remains a failing strategy, and so they modified it so that just enough third party development was possible to keep their systems relevant, but nothing more. iPods only support those formats that Apple chooses (and many iPods cannot be reflashed, because they were designed to only be capable of running Apple's software). iPhones only support some third party development, and developers are required not to step too far from where Apple wants them to be. I cannot build a computer that runs Mac OS X on my own, and it is not likely that Apple will ever allow for this. Like I said, you can construct any number of reasons for these things, but there is no denying that Apple does not want third parties developing software for Apple's platforms.

Re:Apple's shortcomings (4, Insightful)

truthsearch (249536) | about 6 years ago | (#22887198)

You're correct about iPods and iPhones, but completely wrong about OS X. If there were no third parties developing software for OS X there would be no Apple computers. OS X has very thorough developer documentation and free tools. Apple sells 3rd party OS X software on their web site and stores, so to say they don't want 3rd party development is obviously false.

You're also combining the lack of customizable hardware with a lack of customizable software. What they want to retain control of is the hardware and the software platforms. 3rd parties can easily build on top of that. The intent is to manage the user experience. Otherwise they feel users will end up with a mess, like on the Windows platform.

Re:Apple's shortcomings (1)

UnknowingFool (672806) | about 6 years ago | (#22887018)

For the most part Apple tells you that they are patching the OS. They don't go into detail because they assume most consumers don't want to know the details. But if you want to know, you can get it by clicking the link that takes you to Apple's website. I think that they are right that most consumers don't want to know/don't care whether they were patching X11 or CUPS.

This might be just a different style than, say, MS: because MS deals with more technical people, they give out lots of information. But really, does the average consumer need to know that they fixed a buffer overflow in the mscomm.dll file that led to Word crashing when embedding an Excel file? No, most consumers need to know that Word won't crash when embedding an Excel file.

Article Lacks Important Information (5, Insightful)

Revotron (1115029) | about 6 years ago | (#22886318)

The article in question lacks a significant amount of information - hell, it didn't even give a number for Microsoft. It just said that Apple was "below 20" and then got better.

Until I see an article that doesn't throw out one number and then fill the rest of the page with useless fluff and speculation, I'm putting my money on Apple.

Re:Article Lacks Important Information (1)

ThePhilips (752041) | about 6 years ago | (#22886916)

Actually it reads like deja vu.

Last time debunking was pretty quick: Apple also patches BSD sub-system with all the usual Unix apps.

Since for M$ only Windows patches were counted, for a fair comparison one has to exclude all the patches for all the command line utilities and Unix services (all of which are disabled by default) that Apple repackages and ships with the OS just for our convenience.

Egg McMuffin Inventor Dead at 89 (-1, Offtopic)

Anonymous Coward | about 6 years ago | (#22886334)


yes, and if grandma had wheels..... (2, Funny)

Ancient_Hacker (751168) | about 6 years ago | (#22886396)

Yes, and the Houndai Arthritic is the best selling 3-wheeled SUV in its class!

One can always play with the criteria to get any desired winner.

Going by raw number of anything you lose any distinctions as to the severity or impact of each problem.

In general a buffer-overflow in the Windows kernel is a heck of a lot more dangerous than a similar problem in OSX can ever be.

Re:yes, and if grandma had wheels..... (4, Insightful)

betterunixthanunix (980855) | about 6 years ago | (#22886616)

In general, a buffer overflow in the kernel is dangerous. What is it about Apple fans who think that because there are fewer viruses written for their OS, it is not a problem if Apple releases buggy code?

*Yawn* (0, Troll)

nikin (638522) | about 6 years ago | (#22886498)

1. Who cares? 2. No one 3. How many viruses, trojans and other sundry malware attacks are successful against Mac OS X each year? Study THAT. Let's have something newsworthy, folks.

How is this a valid test? (4, Insightful)

Fallen Kell (165468) | about 6 years ago | (#22886506)

I am just wondering, what percentage of the "patch available on the day the vulnerability is made public" were first disclosed to Microsoft or Apple months in advance from researchers and other sources and simply NOT posted on the "public" notification sites? We see stories all the time of security researchers making public vulnerabilities MONTHS if not YEARS after disclosing them to Microsoft because Microsoft still had not patched the issue, and the only way the researcher could get anyone to even look at the problem or admit it is a problem is to put it on the public notification sites. But those things are not being counted here, but we know many times these researchers will give the company a heads up before posting the vulnerability and make a promise not to disclose until a fix is ready (many times for a fee). We also know that there are vulnerabilities that are "public" to the hackers, but not the general "public". Are those being counted? To me you can't make a claim such as one company being the fastest in patching without taking into account when the company was notified of the issue and measuring when it was fixed from that time, and not the time that the quote, unquote public was made aware of the problem.

Re:How is this a valid test? (1)

bjourne (1034822) | about 6 years ago | (#22886980)

When I worked for Sony Ericsson there was a German security researcher (probably students had done the real work) who privately let us know that there was a critical security flaw in the firmware. Something that, according to his email, could compromise the whole platform, make IMEI spoofing possible, steal credit card numbers and what not. He gave us three months to come up with a fix before going public with his findings. The only problem was that the only technical information he provided us with was that "the problem is in the filesystem." So.. uuuh.. great. So somewhere in those millions of lines of C code there is a problem? No description of how to reproduce it whatsoever.

Naturally, we still tried to find out what the hell this critical security flaw was before he would go public and bring doomsday upon us. We failed, of course. Turns out there was a problem, but not in the file system: it was in the Java layer, which runs in a protected environment, so basically nothing harmful could be done with the exploit. Except maybe unlocking some operator-locked-down J2ME features. The bug was fixed though, but I don't think it was even backported to the maintenance branches.

I'd assume a much more high-profile company like Microsoft is approached by such security researchers on a daily basis. They are no holy Samaritans and the best way for a researcher to make a name for himself is to make a security flaw public. There are probably those too that are driven to make the world a safer place, but I'll bet those are the minority...

quick! patch it! FASTER! QUICK! (4, Insightful)

Scrameustache (459504) | about 6 years ago | (#22886524)

You want the job done well, or you want the job done fast?

I've seen programmers churn out patches really, really fast, and create 3 new bugs for every one they "fix".
Don't encourage them.

Re:quick! patch it! FASTER! QUICK! (0, Flamebait)

Anonymous Coward | about 6 years ago | (#22886626)

And how many times can you cite that happening with MS patches? I can only think of a couple out of the hundreds of patches. No Apple update has ever broken something? Sure they have and you know it.

Damn apologist self-righteous zealots. It's really sad when otherwise smart people act with blind loyalty to a brand.

There's only one correct answer here... (0)

Anonymous Coward | about 6 years ago | (#22886938)

> You want the job done well, or you want the job done fast?

Yes :-)

meh (3, Informative)

wizardforce (1005805) | about 6 years ago | (#22886534)

> They measured how many times over the past six years the two vendors were able to have a patch available on the day a vulnerability became publicly known, which they call the 0-day patch rate

Yeah, and how many security flaws have been sitting unpatched for months, years even, at Microsoft? Let us take a look at how many security holes remain unpatched, shall we?

Re:meh (1)

truthsearch (249536) | about 6 years ago | (#22886702)

My personal favorite is this simple buffer overflow [microsoft.com] that existed in the Windows help system for 7 years (all the way back to NT 4). By browsing to a web page the Windows Help system could be exploited to take control of a user's computer. It took them 5 months to release a patch.

Aroooo? (-1, Troll)

Ralph Spoilsport (673134) | about 6 years ago | (#22886618)

So, like, Scoob, lemme get this straight, I put a naked Windows box on the net, and it's pwned in seconds. But, I've like left naked macintosh machines on the web for like months on end, and no one can get in, no one messes with it, and somehow, this article says that like Microsoft is better at patching vulnerabilities.

Scooby! Tell me what's going on here! Like, I don't get it!

Rit's ralled FUD Raggie! FUD yeah!!! Rrrreeeeeeheeehehehee!!!


Wow, such FUD (1, Flamebait)

The End Of Days (1243248) | about 6 years ago | (#22886628)

Quickly, everyone immediately jump to Apple's defense. Microsoft cannot possibly do anything right, and Apple cannot possibly do anything wrong. We must destroy this article like the piece of lying filth that it must be. My prejudices demand it!

Re:Wow, such FUD (0)

Anonymous Coward | about 6 years ago | (#22886786)

Quickly, everyone immediately jump into hyperbole! Microsoft fans cannot possibly say anything skewed, and Apple cannot possibly say anything objective. We must destroy the critical thinking questions like the piece of lying fanboiism that it must be. My prejudices demand it!

odd ... (2, Insightful)

Aaron_Pike (528044) | about 6 years ago | (#22886650)

It occurs to me that a company could improve their score by releasing software with (secretly) known bugs, and then "fixing" them with zero-day patches.

I'm not saying anybody did. I'm just saying they could.

Like Apples and uh... bananas? (1)

Gat0r30y (957941) | about 6 years ago | (#22886698)

The faster patcher? I'm assuming the great bulk of these vulnerabilities are browser issues. So while this study may indeed give an idea of the relative security between the two browsers, I wouldn't exactly bill this as a glowing M$/IE endorsement. Another consideration: market share. If you own >75% of the market, and the great bulk of the business market, you most certainly have an obligation to patch vulnerabilities ASAP. When your market is graphic designers, movie producers, and Apple fanboys, and frankly there is a severe lack of coders out there exploiting the issues, I'll forgive them if they take an extra month to push a fix out (I suppose I could be wrong here, there could be tons of folks out there writing viruses and trojans and stuff for Apple, but they most certainly aren't very successful).

The fastest patcher. (1)

tmcfulton (1245028) | about 6 years ago | (#22886708)

But of course, nobody patches faster than Linux. Remember that local root exploit a few months ago? Fixed in less than 48 hours.

None of this matters (0, Flamebait)

sheldon (2322) | about 6 years ago | (#22886742)

Because Apple Mac OSX machines don't require patching. They are secure out of the box because they are built upon the superior Unix which has security designed in from the start. /snark

Relate this to any other venue (1)

gearloos (816828) | about 6 years ago | (#22886746)

I couldn't give a rat's ass if Microsoft gets the patch out first. Let's see, when I have my heart surgery, I sure hope I get the doc that does it quickest! I'm no Apple fanboy either but jeez, c'mon... Is this the best we can do for the "Microsoft is great" audience out there?

When will it stop? (1)

Breconides (253014) | about 6 years ago | (#22886758)

When it comes down to it, it isn't the number of vulnerabilities that matters, it's how much they can affect your computer. When a problem exists on Windows, it can often cause serious damage, simply because of the inherently flawed design of the OS. On the Mac however, the damage is much less, because it has a design model (UNIX) that actually makes sense from a security standpoint. I'm amazed that people still deal with this $#!T from Microsoft when the design of UNIX has been around for so long. It is a sad commentary on our current state of affairs.

Re:When will it stop? (1)

harryjohnston (1118069) | about 6 years ago | (#22887104)

The underlying design of Windows is bad from a security standpoint, but that of Unix isn't really any better, IMO.

It's slightly easier for exploit code to elevate itself to kernel privilege on Windows, but I'm not convinced the distinction is significant; I don't think a cleverly written Mac exploit would have too much trouble getting the admin password out of the user sooner or later.

(A well-designed OS would authorize the activities of a process based on what role said process is playing, not on what account it is attached to. So, for example, a word processor would only be allowed to write to the document the user opened, not to any other file.)
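The parenthetical design point above (authorize by the role a process is playing, not by the account it runs under) is the idea behind application sandboxing and capability systems. Below is a toy model I have added to illustrate it; it is not the commenter's code and not any real OS mechanism, and the user name, process name and file paths are constructed. The user's act of opening a document in a trusted file dialog is what extends the word processor's write authority to that one file, so a file the same account owns but never opened is denied under the role model while the conventional account-based check waves it through.

```python
# Added illustration of the design point above: authorize a process by the role it
# plays (a word processor editing the document the user opened) rather than by the
# account it runs under. Toy model written for this thread; not an OS mechanism.
# User name, process name and file paths are constructed.
from dataclasses import dataclass, field
from typing import Dict, Iterable, Set


@dataclass
class File:
    path: str
    owner: str


@dataclass
class Process:
    name: str
    account: str
    # Documents the user explicitly handed to this process (e.g. via a file picker).
    # That act, not the account's ownership, is what grants the write right.
    opened: Set[str] = field(default_factory=set)


def user_opens(proc: Process, f: File) -> None:
    """Model the user picking a document in a trusted file dialog: this extends the
    process's write authority to exactly that one file."""
    proc.opened.add(f.path)


def account_model_allows_write(proc: Process, f: File) -> bool:
    """Conventional model: whatever the account owns, any of its processes may write."""
    return proc.account == f.owner


def role_model_allows_write(proc: Process, f: File) -> bool:
    """Role-scoped model: the process may write only what the user opened through it.
    Ownership plays no part in the decision."""
    return f.path in proc.opened


def compare(proc: Process, files: Iterable[File]) -> Dict[str, Dict[str, bool]]:
    """Decision table for both models over the given files."""
    return {
        f.path: {
            "account_model": account_model_allows_write(proc, f),
            "role_model": role_model_allows_write(proc, f),
        }
        for f in files
    }


def demo() -> Dict[str, Dict[str, bool]]:
    """Alice opens one document; the word processor then attempts to write three files."""
    report = File("/home/alice/report.odt", owner="alice")   # the document she opened
    notes = File("/home/alice/notes.txt", owner="alice")     # her file, never opened
    hosts = File("/etc/hosts", owner="root")                 # not her file at all
    wp = Process("wordprocessor", account="alice")
    user_opens(wp, report)
    return compare(wp, [report, notes, hosts])


if __name__ == "__main__":
    for path, decisions in demo().items():
        print(path, decisions)
```

The interesting row is notes.txt: both models agree on the opened document and on the root-owned file, but only the role model stops a compromised word processor from touching the rest of the user's own files, which is the damage-limiting property the comment is after.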

Here we go . . . (0)

Anonymous Coward | about 6 years ago | (#22886790)

Another quality study from the recently renamed Swiss Homeland Institute of Technology . . . .

Where's the Beef? (3, Informative)

99BottlesOfBeerInMyF (813746) | about 6 years ago | (#22886856)

So this is an article that doesn't give any answers to the question it poses and references a study presented at blackhat, but which has not yet been published and in fact whose presentation is not even online yet.

Can't we at least wait until we have some sort of data to discuss before embarking on half-assed arguments about how relevant the data is and if the methodology is credible?

Here's a link to the original research paper (3, Informative)

sidney (95068) | about 6 years ago | (#22886978)

There is of course a lot more information in the actual research paper [pdfmenot.com] .

That link is to a browser view of the PDF at pdfmenot.com which caches the actual PDF, so the poor researcher's personal web site doesn't get hit too hard. You could download the original PDF from there if you really want to.

now real stats? (0)

Anonymous Coward | about 6 years ago | (#22886988)

I was looking for some stats in the article to bring home the point, but you can't cloud the issue with facts.

Wait for the research paper (1)

freakinPsycho (23459) | about 6 years ago | (#22887008)

Man, is it fun watching Slashdot readers be convinced this must be faulty research without having read the research itself. Why not wait a few days until you can verify what the researchers did (it should be available later from the blackhat.com website) and provide actual analysis of the research?

You can't fault the conclusions unless you know how that conclusion was reached.

(Of course, if the conclusion had been that Apple was better at 0-day patches, there'd be a lot more, "Well, duh!" responses.)

That's because M$ just has more 'features' (5, Insightful)

hAckz0r (989977) | about 6 years ago | (#22887044)

Mocrosloth doesn't even say they have a problem, much less announce it, until they have a patch ready (or nearly ready). Take a look at the "shatter attack" privilege elevation exploit that just got fixed in Vista: it started with Win NT 4.0, and when was that out? What YEAR was that? And now we have the wonderful FireWire exploit, which they were aware of in 2004, were reminded of again in 2006, and which was finally published in 2007 because they refused to do anything! The only reason why MS is coming out on top is because they own the kitchen and cook their own numbers to order.