If you have a Macintosh, you have likely received notice of the 10.5.5 update that arrived yesterday. The update includes multiple security fixes that should not be ignored, including fixes for vulnerabilities in common file parsers. Mac users and Windows users alike should patch their desktops as soon as possible when new patches arrive. When a Windows vulnerability is announced and patched, you can be reasonably sure that an exploit will be discovered in the wild in a short period of time. This was certainly the case for the MS08-053 vulnerability that was announced earlier this month and is currently being exploited in the wild. Unlike Windows users, Mac users can be reasonably certain that they have some breathing room before exploits appear for the newly announced vulnerabilities. Mac users would like to believe this has to do with their platform being more secure, but really it comes down to a question of market share and attacker effort.
Time is a limited resource like any other, and people try to allocate it to whatever endeavor they believe will generate the greatest utility at that point in their lives. This rule obviously holds true for attack authors in our world of monetized malware. When faced with the opportunity to write an attack against Windows or an attack against OS X, they almost always choose the former. It is not because writing Windows malware is less difficult, but rather because they are guaranteed to generate more revenue from a novel Microsoft vulnerability than they will from a novel Apple vulnerability.
For now, Mac users can be relatively confident that they can hold off patching for a few days without being attacked. This will no longer hold true as Apple's market share improves. It is possible to show, using game theory, that a tipping point exists where Mac users will start facing the same patch pressure experienced by Windows users, assuming that current purchasing trends continue. While it is difficult to name a specific day and time, there will be a point where Mac users, like today's Windows users, will regret not rapidly applying security updates.