Monday, March 31, 2008

Apple Lags Microsoft in Security Response

Via The Register UK -

Apple is trailing way behind Microsoft in security patch responsiveness, according to a study by security researchers.

Stefan Frei and Bernard Tellenback of the Computer Engineering and Networks Laboratory (TIK) at the Swiss Federal Institute of Technology, analysed several years of vulnerability disclosures and patching processes from various vendors.

They found that Apple is getting worse at dealing with security problems while Microsoft is improving. Apple is experiencing more vulnerabilities, longer patching times, and more attacks on unpatched vulnerabilities, according to the duo.

Frei and Tellenback presented their findings at a presentation entitled 0-day Patch – Exposing Vendors (In)Security Performance at last week's Black Hat conference in Amsterdam. A copy of the presentation can be found here.

Colleagues of the duo reckon Apple's antagonistic attitude with security researchers is one of the reasons for its poor response.

"While I think that there are quite a few reasons why this is probably so, I’d be inclined to say that Apple’s biggest problem appears to be that they treat every new vulnerability as a potential PR disaster rather than an opportunity to visibly reinforce their work in securing their customers," writes Gunter Ollman of IBM's X-Force.

"In recent times this has most critically been reflected in the way Apple works with security researchers."

---------------------

This research reinforces what I have been saying for quite some time - readers of this blog won't be shocked by this research either.

I have been pretty critical of Apple's lack of disclosure and patch process over the years:
http://djtechnocrat.blogspot.com/2008/03/apple-megapatch-includes-long-lost.html
http://djtechnocrat.blogspot.com/2007/12/apple-fails-to-properly-inform-public.html
http://djtechnocrat.blogspot.com/2007/12/apple-finally-fixes-quicktime.html
http://djtechnocrat.blogspot.com/2007/03/apple-issues-megapatch.html
http://djtechnocrat.blogspot.com/2006/10/apple-sliently-hurts-its-users.html
http://djtechnocrat.blogspot.com/2006/05/apple-releases-whopping-43-security.html

Apple needs to realize that vulnerabilities aren't a PR problem - everyone has vulnerabilities. Microsoft, Cisco, Sun, Dell, HP, Linux, everyone.

Not dealing with vulnerabilities in an open and timely manner is the real PR problem.

Remaining silent in the face of active internet exploitation is just stupid, in my view.

Throwing your customers under the exploit bus just so you don't have to talk about vulnerabilities is proof to me that Apple isn't serious about protecting their customers (not yet anyways).
