On Monday Apple released Mac OS X update 10.6.3. This monster update weighed in at up to 719MB (depending on the current configuration) and patched a whopping 92 vulnerabilities, roughly a third of which were rated as critical. Is it time for Apple to adopt a "Patch Tuesday" for Mac OS X in order to drip-feed patches to users and close vulnerabilities in a more timely fashion? Is Apple putting good PR ahead of keeping users safe?
Apple released Mac OS X 10.6 "Snow Leopard" on August 28th, 2009. Since then the OS has seen three updates:
- 10.6.1 - Released September 10, 2009. This update primarily consisted of bug fixes but it did upgrade the vulnerable Flash Player that was shipped on the original Snow Leopard install disc. Download size: 71MB.
- 10.6.2 - Released November 9, 2009. Bug fixes and security updates. 67 vulnerabilities patched. Download size: 496MB.
- 10.6.3 - Released March 29, 2010. Bug fixes and security updates. 92 vulnerabilities patched. Download size: 719MB.
As you can see, the download sizes are growing rapidly (a tenfold increase between 10.6.1 and 10.6.3), and the gap between updates is growing too: roughly two months between 10.6.1 and 10.6.2, then more than four and a half months between 10.6.2 and 10.6.3.
What's more worrying is that this latest monster update doesn't even address all the vulnerabilities currently known in Mac OS X. For example, according to security researcher Charlie Miller, the vulnerability he used to crack OS X at this year's Pwn2Own remains unpatched:
New patch doesn't fix pwn2own bug. Sorry suckers, gonna have to wait for the next patch :p
Apple is a company that loves "big reveals," but I'm not so sure that this format works well for security updates. Sure, it's a damage limitation exercise: Apple has enjoyed almost five patch-free months of Mac OS X media coverage, whereas Microsoft has been releasing patches on a monthly schedule (along with out-of-band updates for really serious issues). But an update that's getting close to 1GB in size and that patches close to a triple-digit number of vulnerabilities seems to me to be taking things too far. And how long will Mac OS X users have to wait for patches to currently known vulnerabilities? Days? Weeks? Months?
Note: As an interesting aside, during 2009 Microsoft issued 74 security bulletins, covering 133 OS-related vulnerabilities.
A regular distribution schedule for patches means that people are protected sooner, business users get advance notice of releases and can better coordinate patch roll-out, and everyone gets smaller, more manageable downloads.
There's a point at which putting PR ahead of security is counterproductive.