Tuesday, January 23, 2007

A test of Apple’s security response versus Microsoft

Microsoft:
http://archive.cert.uni-stuttgart.de/archive/bugtraq/2005/12/msg00309.html
On Dec 27th, 2005, a vulnerability (the WMF bug that became MS06-001) was announced that was already being exploited in the wild from a website. It was quickly added to Metasploit; a 1 hour and 14 minute turnaround time is why people love Metasploit. Microsoft issued a patch on Jan 5th, 2006:
http://www.microsoft.com/technet/security/Bulletin/MS06-001.mspx

Exposure time: 10 days (Dec 27th through Jan 5th, counting both days)

Apple:
The Month of Apple Bugs released a QuickTime RTSP vulnerability, MoAB #1, on January 1st, 2007:
http://applefun.blogspot.com/2007/01/moab-01-01-2007-apple-quicktime-rtsp.html
A fix was then released on January 23rd, 2007:
http://docs.info.apple.com/article.html?artnum=304989

Exposure time: 23 days (January 1st through January 23rd, counting both days)

Now I am not advocating one over the other; these are just simple facts. Microsoft was almost 2 and a half times faster than Apple (10 days versus 23) in patching a comparable bug that had a public exploit and could be triggered from a web browser.

5 comments:

Thomas Ptacek said...

Isn't this kind of silly? You can point to several recent Microsoft findings that took longer than 10 days to break to the public.

David Maynor said...

Sure, I can also point to many Apple bugs that took longer to patch. It’s an arbitrary comparison of two very similar bugs, read into it what you want.

Thomas Ptacek said...

These aren't similar vulnerabilities (WMF isn't an overflow, and WMF was more exposed than RTSP). WMF was also being exploited in the wild. And MS06-001 was Microsoft's most controversial patch that year.

Eric Hacker said...

An appropriate response to a vulnerability is based on overall risk, and not on the vulnerability alone. Due to the much larger installed base for Microsoft, the threat is much higher for Microsoft than for Apple. I say 2 1/2 times is too low for Microsoft.

That doesn't help if your Mac has been hacked because patches were not available. So buy something different; demand an OS where Mac means Mandatory Access Control and not a fruit.

Ultimately all security boils down to economics in a corporate world.

butlimous said...

Thanks for the nice comparison....Mac ROCKS!!
