Seventeen vulnerabilities patched but it's not for Windows?

Last week, Apple announced the availability of a mega patch that addressed 17 security vulnerabilities. Some of the vulnerabilities affected open-source components of Mac OS X such as Apache, while other vulnerabilities affected Apple's in-house code. Ironically, Microsoft IIS 6.0, the butt of many jokes in the IT industry, has never had a confirmed flaw in almost two years of existence, while I've had to patch my Apache servers on a quarterly basis The response to Apple's mega patch has been along the usual Mac evangelist lines of "we don't need to patch it" or "Apple is doing a good job patching it." The truth of the matter is that the Mac platform is simply too small for anyone to care. However, if the Mac community continues to flaunt it, someone will take them up on the challenge. I would suspect that many Mac users don't patch their software because there really isn't much fear out there.

Even though the Mac platform is too sparse for the spread of conventional Mac-based worms, it is entirely conceivable that a Windows-based worm can be designed to attack Mac-based vulnerabilities along with UNIX ones. Mac OS is now essentially UNIX since it's based on FreeBSD. The worm in this case could be particularly vicious against the Mac or UNIX machine since it wouldn't rely on it as a host for reproduction. Using Windows as a vehicle for replication and a launchpad for an all out assult, a worm could be harmless to Windows while leaving a wake of destruction for Mac and UNIX boxes with formatted hard disks.

As a consultant who does vulnerability assessments from time to time, I can attest that most internal LANs are full of unpatched UNIX machines. The Windows machines, on the other hand, are usually all patched since they literally won't survive for 30 minutes on a large network without their patches. Because of the worm-free peace the Mac and UNIX platforms enjoy, there is a tendency to be complacent. Either the UNIX and Mac community have just been lucky that they haven't been attacked by a hybrid worm or worse, the attacker is a professional who cares more about theft than bragging rights. I think it's probably a combination of the two. If such a cross platform attack ever were to happen (and there is no reason why it couldn't), you can pretty much throw the monoculture theory out the window. Ultimately, there is no substitute for vigilance and good security practices, no matter whose software you use.