What Apple’s security response can learn from Microsoft

A couple of days ago, Ed Bott posted an article on ZDNet entitled What Microsoft can teach Apple about security response.  It compares how Microsoft handles security vulnerabilities and ships updates with how Apple handled (or failed to handle) the Flashback malware.  Some highlights:

  • Microsoft ships critical security updates for its OS on the second Tuesday of each month, known as “Patch Tuesday” (soon to be renamed Update Tuesday).  Microsoft also delivers out-of-band security updates when it judges the risk warrants them.

  • Each update is accompanied by a bulletin describing the vulnerability, its security risk, and which products are affected.  This level of transparency is stunning.

  • Each vulnerability is given a severity rating and a numeric Exploitability Index score indicating how likely it is to be exploited.

  • Microsoft also publishes blog posts about individual vulnerabilities from time to time, as well as deployment guides on how to patch your computer.

You may be an “I hate Microsoft” type but there’s no denying that this is a good process and absolutely benefits consumers and IT pros alike.

Contrast with Apple:

  • In February, Oracle issued a security patch to fix a Java vulnerability.  Apple didn’t release its own version of the patch for roughly another six weeks.

  • During that time, several hundred thousand (?) Mac users fell victim to the vulnerability through the Flashback malware.  Apple did not explain how the malware works (do they know?) nor how to remove it if one is running Mac OS X 10.5.

  • A second issue occurred on Feb 1 when Apple released update 10.7.3 to OS X: a flaw in the update code caused login usernames and passwords to be written in clear text to a file on the system (see article for more details).

    • Apple kept silent on this vulnerability (did they know?) and has not (yet?) acknowledged the issue, nor offered advice on how users can tell whether they are affected by this bug.

The contrast is striking.  Of course, Apple is still trying to maintain its polish and its image as a system that is resistant to malware (a belief many of its users happily repeat).  Still, we live in a world where malware writers don’t care what OS you are using; if they can break into it, and it’s popular, that’s what they will attack.

Whatever your feelings about Microsoft, it gets the edge here by a wide margin.  Its security response processes are far more mature than Apple’s.