Is Apple putting good PR ahead of keeping users safe?
Summary: On Monday Apple released Mac OS X update 10.6.3. This monster update weighed in at up to 719MB (depending on current configuration) and patched a whopping 92 vulnerabilities, some third of which were rated as critical. Is it time for Apple to adopt a "Patch Tuesday" for the Mac OS in order to drip-feed patches to users and plug up vulnerabilities in a more timely fashion? Is Apple putting good PR ahead of keeping users safe?
Apple released Mac OS X 10.6 "Snow Leopard" on August 28th, 2009. Since then the OS has seen three updates:
- 10.6.1 - Released September 10, 2009. This update primarily consisted of bug fixes but it did upgrade the vulnerable Flash Player that was shipped on the original Snow Leopard install disc. Download size: 71MB.
- 10.6.2 - Released November 9, 2009. Bug fixes and security updates. 67 vulnerabilities patched. Download size: 496MB.
- 10.6.3 - Released March 29, 2010. Bug fixes and security updates. 92 vulnerabilities patched. Download size: 719MB.
As you can see, the download sizes are growing rapidly (a tenfold increase between 10.6.1 and 10.6.3), and the gap between updates is widening.
What's more worrying is that this latest monster update doesn't even address all the vulnerabilities currently known in Mac OS X. For example, according to security researcher Charlie Miller, the vulnerability he used to crack OS X at this year's Pwn2Own remains unpatched:
New patch doesn't fix pwn2own bug. Sorry suckers, gonna have to wait for the next patch :p
Apple is a company that loves "big reveals," but I'm not so sure that this format works well for security updates. Sure, it's a damage-limitation exercise: Apple has enjoyed almost five patch-free months of Mac OS X media coverage, whereas Microsoft has been releasing patches on a monthly schedule (along with out-of-band updates for really serious issues). But an update that's getting close to 1GB in size and which patches close to a hundred vulnerabilities seems to me to be taking things too far. And how long will Mac OS X users have to wait for patches to currently known vulnerabilities? Days? Weeks? Months?
Note: Interesting aside - During 2009 Microsoft issued 74 security bulletins. Contained within those bulletins were 133 OS-related vulnerabilities.
A regular distribution schedule for patches means that people are protected sooner, business users have a heads-up on releases and can better coordinate patch roll-out, and everyone enjoys smaller, more manageable downloads.
There's a point at which putting PR ahead of security is counterproductive.
Talkback
nightmare
management. The number of possible configurations with n patches issued being n! It is almost impossible to manage except by deciding to keep up to date. The editor however cannot simply support only up-to-date OSes; it must support all possible hardware-software configurations, something a company like Microsoft with tens of thousands can pretend to do, but that Apple cannot do.
I'd rather have them not drop old hardware configurations when upgrading the OS rather than have them patch every second day...
agreed, modern OS = Frankenstein's monster
I think a better solution is not to have patches at all, just OS versions. So I've got Windows 7.0 and it has vulnerabilities. So I just upgrade to the latest version: Windows 7.1. I can state with a single number what version I've got just as I can say my car is a Ford Focus 1.6 5 doors etc.
Once I've installed an OS version it should stay the same until I upgrade to the next version. That way I have control over my computer.
There is...
There <i>is</i> a better way. Rather than getting OS patches every 30 days on an artificial schedule and not knowing if it will cause you a BSOD or other conflict, Apple releases well-tested, integrated OS updates as a bundle. All the components that come in that kit have been tested together and are known to work. Rarely -- and I mean <b>rarely</b>, esp. compared to the Windows environment -- are incompatibility issues found within the update that will prevent the system from being accessible.
Restoring a system is far easier, also. Install your original OS release (e.g., 10.6) and download ONE update (e.g., 10.6.3). Contrast that with installing Windows, then spending a day downloading, installing, rebooting, downloading, installing, rebooting, ... ad infinitum...
One other important note is that on the Mac platform, the web browser is NOT an integral part of the OS (side rant: one of the stupidest design decisions Microsoft ever foisted on the buying public.) Therefore, when a security patch for the most likely intrusion vector is required, it is shipped separately and "out of band" from any OS patch, as a regular application update.
This gives Apple <i>far</i> more flexibility to respond to problems, and gives the end user a <i>far</i> more stable operating system.
No, I do NOT want Apple to patch every 30 days. That's crazy-talk.
Are you sure about that?
"on the Mac platform, the web browser is NOT an integral part of the OS"
Maybe you meant to say that the Safari web browser GUI is not an integral part of the OS.
From webkit.org:
"WebKit is an open source web browser engine. WebKit is also the name of the Mac OS X system framework version of the engine that's used by Safari, Dashboard, Mail, and many other OS X applications."
Well, if you knew what a system framework is, you might have been right.
system, but rather a framework for applications to tie into the system. The system would work just fine without the framework, but any apps that rely on that framework wouldn't run. As such, the web browser is NOT an integral part of the OS, as IE has been in Windows for the last 10 years.
I am right
You're only half-right
is required for the OS to run, but rather a framework shared between different applications (Mail, Safari, iTunes, and Help, for example) so it doesn't have to be installed more than once.
The frameworks behind Internet Explorer (Trident), on the other hand, have to be installed or Windows doesn't work properly. This level of integration started with Windows 95 and Internet Explorer 4 (though it could be uninstalled), and tightened with each progressive version of Windows. Without Trident, Windows Explorer's functionality in Windows XP, Vista, and 7 would be nearly lost.
Show me where Finder requires WebKit, and I'll let you have your vindication. Otherwise, you're only half-right.
At least it doesn't use Trident (IE) like Windows does.
Safari... yeah... wow...
Also, the OS itself doesn't rely on any.
just because there are fewer patch releases doesn't mean it's more secure
know if MacOSX is more secure, but it would make sense since Mac is engineered top to bottom under the control of one company. The point, if you had read the article, was that releasing fewer updates allows more time for exploits to be utilized. Just because a piece of code is updated often does not make it more secure than one that is not updated. If you understood the manpower and codebase behind these OSs, I imagine you'd understand the grandiose task of shoring up every bug and security hole.
I do think Microsoft would do a LOT better by acquiring and holding onto GREAT programmers instead of temping so much of their work. I think it would be worth it to Microsoft to find and retain these few geniuses by whatever fiscal means required.
Sure, everything in OSX isn't fixed instantly, but at least..
Oh, please...
If you're going to make an argument, at least try to make it based on fact instead of myth and hearsay.
In fact, since Win98, the only things that have caused BSODs on any system I've used or managed are flaky graphics or external hard drive drivers and, in case you're uninformed about who's responsible for those, too, I'll remind you that the individual hardware manufacturers are the ones to blame there.
And you obviously have zero experience running system updates on a Windows system. You do not spend "a day downloading, installing, rebooting, downloading, installing, rebooting, ... ad infinitum...". Just like on the Mac, Windows tells you there are updates, then you choose whether or not to have the computer install the updates now, and afterward it reboots, once.
You're entirely naive if you think that Apple takes their time with patches because they're looking out for their users.
You're also naive if you believe that IE has actually been an integral part of the Windows OS in a technical respect. MS chose to make it integral for marketing reasons, not for technical ones. Had the issue been solely technical (and a problem in that respect), they would have undone it years ago.
What?
What OS are you running? I see Windows Update once a month and my machine is always on.
Yup.
get a tiny indicator that there are updates available for my Win7. Now, I'll admit that not all of these updates are anywhere near critical, but enough of them come through claiming "Important" or better as to make little difference. Of course, if you have Windows Update set to Automatic Updating, naturally you don't notice them until they require you to reboot.
Microsoft Security Essentials updates
What's so different from other vendors' anti-virus out there?
Oh, but I forgot, Apple Macintoshes are immune to viruses since the urban myth perpetuates this 'zero viruses in the wild' fallacy. Ahh, but Apple Macs are not immune to other malware like trojans and rootkits?
Google: http://www.google.com/search?q=rootkit+mac+os+x
Results 1 - 10 of about 519,000 for rootkit mac os x. (0.35 seconds)
BTW the term rootkit originated under Unix; yes, it's a Unix thing that affects all Unix look-alikes as well. It's engineered that way, right into the system.
Now don't get me started on Mac Trojans...
Anyway, there must be a valid reason for Apple to release this monstrous patch bundle? In so little time?
Apple users, it's what you don't know you should be worried about...
Probably because UNIX existed a few decades before Windows.
Despite them all having way more users than they did back then.
Also, do you even look at the results of those random links you keep posting everywhere? None of them are about rootkits being spread in the wild.
You are simply wrong
Is that...
Has it been back for any safety recalls?
Has it been back for the current "winter fire" fault? 30,000 cars affected.
Until 2002, Ford had 9 recalls and 5 safety investigations on the Focus...
Are you sure your Focus is fully "patched"? ;-)
(And no, I'm not picking on Ford, I had a Ford Mondeo Turnier 2L TDCi and now have a Toyota Verso, which were also recently recalled. ;-) )
Snow Leopard 10.6.3
or January this year.
It is more than security patches; it's more like the Windows Vista to 7 service pack, except free.