Microsoft:
http://archive.cert.uni-stuttgart.de/archive/bugtraq/2005/12/msg00309.html
A vulnerability was announced being exploited in the wild on a website on Dec 27th, 2005. It was quickly added to Metaploit. A 1 hour and 14 minute turnaround time is why people love Metaploit. Microsoft issused a patch on Jan 5th.
http://www.microsoft.com/technet/security/Bulletin/MS06-001.mspx
Exposure time: 10 days
Apple:
The Month of Apple Bugs released a Quicktime vulnerability, MoAB #1, on January 1st, 2007.
http://applefun.blogspot.com/2007/01/moab-01-01-2007-apple-quicktime-rtsp.html
A fixed was then released on January 23rd, 2007.
http://docs.info.apple.com/article.html?artnum=304989
Exposure time: 23 days
Now I am not advocating one over the other, these are just simple facts. Microsoft was almost 2 and a half times faster than Apple in patching a similar bug that was in the wild and could be triggered via webbrowsers.
5 comments:
Isn't this kind of silly? You can point to several recent Microsoft findings that took longer than 10 days to break to the public.
Sure, I can also point to many Apple bugs that took longer to patch. It’s an arbitrary comparison of two very similar bugs, read into it what you want.
These aren't similar vulnerabilities (WMF isn't an overflow, and WMF was more exposed than RTSP). WMF was also being exploited in the wild. And MS06-001 was Microsoft's most controversial patch that year.
An appropriate response to a vulnerability is based on overall risk, and not on the vulnerability alone. Due to the much larger installed base for Microsoft, the threat is much higher for Microsoft than for Apple. I say 2 1/2 times is too low for Microsoft.
That doesn't help if your Mac has been hacked because patches were not available. So buy something different; demand an OS where Mac means Mandatory Access Control and not a fruit.
Ultimately all security boils down to economics in a corporate world.
Thanks for the nice comparison....Mac ROCKS!!
Free PS3
Post a Comment