I was reading through SecurityFocus's "Triple Threat to Macs Largely Academic" article this morning, since it is a topic of interest to me. The article was interesting, and I found it worthwhile that the author addressed the PR aspects of the recent security issues. All in all, an interesting read. But, being a glutton for punishment, I decided to read the comments as well. I figured there were probably some Mac owners "baitin' for bear" that might have something to say about the security of OS X. There were. Some excerpts:
- ...I suspect that people have been focusing on OSX ever since version 10.1, just that it took some real skills to do it until now, keeping the task of popping an OSX box way out of script kiddie reach.
- due to the *nix-like internal structure of OSX. This alone will prevent anything near the ungodly flood of crap that the typical Windows XP user has to deal with on a daily basis.
- think that OSX has been targeted the whole time, just that it took this long for anyone to actually find anything useful to crack it with, thanks to the ease with which Windows could be cracked and the higher skillset required to actually pop an OSX box from the outside.
Of course. For those who read this blog on a (semi) regular basis, you may remember that time that I did a comparison of when patches came out for a vulnerability in libRuby to see how Apple compared to other vendors (read: not so well). Well, just to further underscore my point, I did the same exercise again, this time using a larger sample set. This time I used four vulnerabilities common to most Unix-based OS vendors (CVE-2005-1689, CVE-2005-2969, CVE-2005-0710, CVE-2005-3185). I then calculated the number of days that elapsed between the vulnerability announcement and when an OS patch was released (all this data is freely available with a bit of digging by following the reference links in the CVE entry). Want to see what I found?

So, here's my question: if Mac is so much more secure than other systems, why is it that it takes Apple on average 100 percent longer to patch vulnerabilities than other vendors? Or isn't it just more likely that it isn't worth an attacker's time to go after it?
Posted by Ed at March 10, 2006 09:42 AM