Post examines Apple's time to patch security holes
An article from the Washington Post's Security Fix blog (by Brian Krebs) today indicates that Apple's mean time to fix a security flaw considered severe is about 90 days from the time of the report to the delivery of patches to customers via Software Update. [Note: a similar article about Windows found MTTP of 135 days earlier this year].

The article contains raw data, downloadable in HTML and Excel formats, which is cool, and appears to provide a pretty neutral analysis of the data. He does have one odd section where he complains that he "fail[s] to see the reasoning" behind Apple not releasing more information about the inception date of certain internally-discovered security problems and then muses "unless Apple thought the information would skew its time-to-patch numbers in the wrong direction", which I think is a bit irresponsible on his part. Basically, it's a method of attempting to intimidate Apple (good luck) by putting his own unsubstantiated conjecture into the otherwise pretty clean article—at least about the time to patch.

He spoke with Bud Tribble (VP Software Technology at Apple) and got his opinion on things, and compared Apple's performance to that of most of the Linux distributions as an example of relative performance, although he left out any of the BSD derivatives, which are closer in code to OS X.

After dealing with the time-to-patch issue, he went down what I will call the "OS X Security de-mythifying" route and spent a lot of time trying to convince people that OS X is, or at least will be, every bit as susceptible to problems as Windows. Further, he shows a certain lack of understanding when he discusses things like having Boot Camp infect OS X partitions. Although it's certainly possible, it would take a pretty sophisticated virus on the Windows side to go and access the hardware enough to read the other partition and write HFS data in such a manner as not to cause problems with the rather touchy file system. However, he is right that it's not impossible.

It does, however, still lead to the same conclusion that many of us have been saying about running XP on your Mac. If you have to do it, only do it when and where you have to. If you can get away with virtualization, use Parallels. It's a great product and you can run anything that isn't graphics intensive on it. If you need to run Boot Camp, feel free, but don't do things that Windows is bad at... in other words, play your games in Boot Camp and don't surf the web.

He finishes off the article with a completely unsubstantiated claim about Mac users not using Software Update. I hope Apple at some point in time gives us an idea of how many people do, but that's pretty hard, since some of us either run our own Software Update servers (many corporations using Macs do now) or download the patches manually.