- Kindle back orders stretch 3 months at Amazon
- Cisco shutting down between holidays
- Smartphone smackdown: Storm vs. iPhone
- 12 myths about how the Internet works
- Google layoffs: 10,000 jobs being cut
Apple's teasing commercials that imply its software is safer than Microsoft's may not quite match the facts, according to new research revealed at the Black Hat conference on Thursday.
Researchers from the Swiss Federal Institute of Technology looked at how many times over the past six years the two vendors were able to have a patch available on the day a vulnerability became publicly known, which they call the 0-day patch rate.
They analyzed 658 vulnerabilities affecting Microsoft products and 738 affecting Apple. They looked at only high- and medium-risk bugs, according to the classification used by the National Vulnerability Database, said Stefan Frei, one of the researchers involved in the study.
What they found is that, contrary to popular belief that Apple makes more secure products, Apple lags behind in patching.
"Apple was below 20 [unpatched vulnerabilities at disclosure] consistently before 2005," Frei said. "Since then, they are very often above. So if you have Apple and compare it to Microsoft, the number of unpatched vulnerabilities are higher at Apple."
It's generally good for vendors to have a software fix available when a vulnerability is disclosed, since hackers often try to find out where the problem is in order to write malicious software to hack a machine.
For a vendor to have a patch ready when the bug is detailed in public, it needs to get prior information from either its security analysts or external ones. Otherwise the vendor has to hurry to create a patch, but that process can be lengthy, given the rigorous testing needed to test the patch to ensure it does not conflict with other software.
Apple only started patching 0-day vulnerabilities in late 2003, Frei said.
"We think that Apple had fewer vulnerabilities early on, and they were just surprised or not as ready or not as attentive," Frei said. "It looks like Microsoft had good relationships earlier with the security community."
Over the past few years, Microsoft has tried to cultivate a closer relationship with the security community in order to encourage researchers to give it a heads-up about software problems. Apple, however, doesn't appear to have that same sort of engagement yet, and, "based on our findings, this is hurting them," Frei said.
| NetworkWorld, Inc. | About Network World, Inc. | Advertise | Careers | Contact us | Terms of Service/Privacy | Reprints and links | Partnerships | Press room | Subscribe to NW |
| IDG, Inc. | CIO | Computerworld | CSO | Demo | GamePro | Games.net | IDGconnect.com | IDG World Expo | Infoworld | JavaWorld.com | LinuxWorld.com | MacUser | Macworld | PC World | Playlistmag.com | The Industry Standard | IDG List Services | IDG TechNetwork |
 The Leader in Network Knowledge© 1994-2008 Network World, Inc. All rights reserved. |
Partner Content
Brilliantly simple security and control solutions for email, web and endpoint
www.sophos.com
Stopping data leakage
Learn how to exploit your current security investment to control the information that flows into, through and out of your network.
Download the white paper.
Why detection rates aren't enough
Evaluating endpoint security products is a time-consuming and daunting task. Learn the six critical questions you need to ask prospective vendors to get the right endpoint solution.
Download the white paper.
Applications: taking back control
Employees installing unauthorized applications is a growing threat to business security and productivity. Cost-effectively reduce this threat by integrating control into your malware protection.
Learn more today.
Comments (6)
The problem isn't thatBy Anonymous on April 9, 2008, 1:04 pmThe problem isn't that Microsoft has more market share they are just more exposed to many simple attacks. Apple patches their stuff, they separate user and system...
Reply | Read entire comment
MS vs. AppleBy JMo on April 7, 2008, 1:43 pmOne of the big reasons that there tend to be fewer Apple based attacks than Microsoft based attacks is the fact that it tends to be more profitable to create one...
Reply | Read entire comment
MS vs Aple 0 day patchingBy DaWolf on April 2, 2008, 10:06 amListen to yourself "the need for 0-day patching is therefore not necessarily as great" are you out of your tree? Security in any aspect is PRIORITY...
Reply | Read entire comment
Another Apple zealotBy PH on March 28, 2008, 2:34 pmI guess the sum of your comment is: Damn the facts, I say Apple is better no matter what. Spoken like a true cultist.
Reply | Read entire comment
MS vs Apple 0-day patchingBy Anonymous on March 28, 2008, 9:16 amI don't care what Mr. Frei says, I have lived with MS OS products since DOS, beta tested the Lisa and more recently personally owned both Tiger and Leopard on Intel...
Reply | Read entire comment
View all comments