Patches - Who Fares Better?
Written by Rebecca Mints   
Thursday, 27 March 2008 18:00
Some new research unveiled at the Black Hat conference last Thursday suggests that the Apple commercials that tease consumers into thinking that Macs are safer than machines running Microsoft's Windows could be a bunch of malarkey. The research, conducted by the Swiss Federal Institute of Technology, examined the 0day patch rate for each of the companies. The results were interesting to say the least.

The researchers analyzed vulnerabilities and patches for 658 Microsoft bugs and 738 Apple bugs. They were only interested in high- and medium-risk bugs per the classification provided by the National Vulnerability Database, according to Stefan Frei, who was one of the researchers.

The results of the study showed that Apple lags behind Microsoft in their patching abilities, which goes against the idea that Apple makes the more secure product. According to Frei "Apple was below 20 [unpatched vulnerabilities at disclosure] consistently before 2005. Since then, they are very often above. So if you have Apple and compare it to Microsoft, the number of unpatched vulnerabilities are higher at Apple."

The best practice is for a vendor to have a patch available when a vulnerability becomes public, so that attackers do not have the opportunity to exploit the problem first. For this to happen, a vendor must get a heads-up from its own security analysts or from external sources. This avoids having to hurry to create a patch, which can be a lengthy process because of the rigorous testing needed to be certain the patch does not conflict with any other software.
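The study's headline number is a count of vulnerabilities that were "unpatched at disclosure": high- or medium-severity bugs for which no vendor fix existed on the day they became public. The following is an added worked example of how that metric is computed, written for this page and not taken from the Swiss Federal Institute of Technology paper; the vendor names, identifiers and dates are constructed, and the severity filter assumes NVD-style HIGH/MEDIUM/LOW labels.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import date
from typing import Dict, Iterable, Optional, Tuple


@dataclass(frozen=True)
class VulnRecord:
    """One vulnerability as a vendor-patch study would record it."""
    vendor: str
    bug_id: str              # constructed placeholder id, not a real CVE number
    severity: str            # NVD-style label: "HIGH", "MEDIUM" or "LOW"
    disclosed: date          # day the vulnerability became public
    patched: Optional[date]  # day a vendor fix became available; None if still unpatched


def is_zero_day_at_disclosure(rec: VulnRecord) -> bool:
    """True when no fix existed on or before the public disclosure date.

    A patch released the same day as disclosure counts as 'patched at
    disclosure', which is the best-practice case described in the article.
    """
    return rec.patched is None or rec.patched > rec.disclosed


def count_unpatched_at_disclosure(
    records: Iterable[VulnRecord],
    severities: Tuple[str, ...] = ("HIGH", "MEDIUM"),
) -> Dict[Tuple[str, int], int]:
    """Count zero-day-at-disclosure bugs per (vendor, disclosure year).

    Only records whose severity is in `severities` are considered, mirroring
    the study's restriction to high- and medium-risk NVD entries.
    """
    counts: Dict[Tuple[str, int], int] = defaultdict(int)
    for rec in records:
        if rec.severity not in severities:
            continue
        if is_zero_day_at_disclosure(rec):
            counts[(rec.vendor, rec.disclosed.year)] += 1
    return dict(counts)


def days_of_exposure(rec: VulnRecord, as_of: date) -> int:
    """Days between public disclosure and the fix (or `as_of` if unfixed).

    Zero means the fix was available at or before disclosure.
    """
    end = rec.patched if rec.patched is not None else as_of
    return max(0, (end - rec.disclosed).days)


# Constructed sample data: two hypothetical vendors, six records.
SAMPLE_RECORDS = [
    VulnRecord("VendorA", "VA-0001", "HIGH",   date(2006, 3, 1),  date(2006, 2, 20)),  # fixed before disclosure
    VulnRecord("VendorA", "VA-0002", "HIGH",   date(2006, 5, 10), date(2006, 6, 1)),   # fixed 22 days late
    VulnRecord("VendorA", "VA-0003", "MEDIUM", date(2006, 7, 1),  None),               # still unpatched
    VulnRecord("VendorA", "VA-0004", "LOW",    date(2006, 8, 1),  date(2006, 9, 1)),   # excluded by severity
    VulnRecord("VendorB", "VB-0001", "HIGH",   date(2006, 1, 15), date(2006, 1, 15)),  # same-day fix
    VulnRecord("VendorB", "VB-0002", "MEDIUM", date(2007, 2, 1),  date(2007, 3, 15)),  # fixed 42 days late
]


if __name__ == "__main__":
    for key, n in sorted(count_unpatched_at_disclosure(SAMPLE_RECORDS).items()):
        print(f"{key[0]} {key[1]}: {n} unpatched at disclosure")
    for rec in SAMPLE_RECORDS:
        print(rec.bug_id, "exposure days:", days_of_exposure(rec, date(2008, 1, 1)))
```

On the sample data the counter reports two zero-day-at-disclosure bugs for VendorA in 2006 and one for VendorB in 2007; the LOW-severity record is dropped before it is counted, and the same-day fix is not counted because the patch was available on the disclosure date. The exposure-days function is the companion measure a defender usually wants alongside the raw count, since a fix that lands a day late and one that never lands look identical in the count alone.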

Frei said that Apple has only been patching 0day vulnerabilities since late 2003 and that "We think that Apple had fewer vulnerabilities early on, and they were just surprised or not as ready or not as attentive. It looks like Microsoft had good relationships earlier with the security community."

Microsoft has made a good effort to establish relationships with the security community, encouraging them to give Microsoft notice about software issues. Unfortunately for Apple they have not cultivated these types of relationships and "based on our findings, this is hurting them," according to Frei.

It has been noted that both vendors struggle to come up with 0day patches in the six-month period before a major product release. This is most likely because engineering resources are diverted to the release itself.

Andrew Cushman, Director of Microsoft's Security and Research group, said that he is not certain what causes the trend. In 2004 and 2005, Microsoft Office products were hit by a rash of exploits for which Microsoft had received no advance notice, which likely contributed to the higher number of unpatched, publicly disclosed bugs in that period.

The study conducted by the Swiss Federal Institute of Technology did put a great spin on Microsoft and their security, so much so that it prompted Cushman to ask Frei, "Did Microsoft fund this research?"

"This is independent academic research," Frei replied.

Microsoft vs. Apple: Who patches zero-days faster? Cupertino fanatics, start your chainsaws

PDF of findings from the Swiss Federal Institute of Technology research
