[Infowarrior] - Who Patches Bugs Faster, Apple or Microsoft?

Sun Mar 30 04:18:17 UTC 2008

 Who Patches Bugs Faster, Apple or Microsoft?

Jeremy Kirk, IDG News ServiceSat Mar 29, 6:00 PM ET

http://news.yahoo.com/s/pcworld/20080329/tc_pcworld/143957&printer=1;_ylt=A0
WTcVVFFO9HijkAzBYRSLMF

Apple's teasing commercials that imply its software is safer than
Microsoft's may not quite match the facts, according to new research
revealed at the Black Hat conference on Thursday.

Researchers from the Swiss Federal Institute of Technology looked at how
many times over the past six years the two vendors were able to have a patch
available on the day a vulnerability became publicly known, which they call
the zero-day patch rate.

They analyzed 658 vulnerabilities affecting Microsoft products and 738
affecting Apple. They looked at only high- and medium-risk bugs, according
to the classification used by the National Vulnerability Database, said
Stefan Frei, one of the researchers involved in the study.

What they found is that, contrary to popular belief that Apple makes more
secure products, Apple lags behind in patching.

"Apple was below 20 [unpatched vulnerabilities at disclosure] consistently
before 2005," Frei said. "Since then, they are very often above. So if you
have Apple and compare it to Microsoft, the number of unpatched
vulnerabilities are higher at Apple."

It's generally good for vendors to have a software fix available when a
vulnerability is disclosed, since hackers often try to find out where the
problem is in order to write malicious software to hack a machine.

For a vendor to have a patch ready when the bug is detailed in public, it
needs to get prior information from either its security analysts or external
ones. Otherwise the vendor has to hurry to create a patch, but that process
can be lengthy, given the rigorous testing needed to test the patch to
ensure it does not conflict with other software.

Apple only started patching zero-day vulnerabilities in late 2003, Frei
said.

"We think that Apple had fewer vulnerabilities early on, and they were just
surprised or not as ready or not as attentive," Frei said. "It looks like
Microsoft had good relationships earlier with the security community."

Over the past few years, Microsoft has tried to cultivate a closer
relationship with the security community in order to encourage researchers
to give it a heads-up about software problems. Apple, however, doesn't
appear to have that same sort of engagement yet, and, "based on our
findings, this is hurting them," Frei said.

Curiously, both vendors' abilities to have zero-day patches ready at
disclosure seemed to dip in the six months before a major product release.
That trend was most pronounced in 2004 and 2005. Frei theorized that the
buildup to big software releases took away software engineering resources.

Andrew Cushman, director of Microsoft's Security and Research, said he
couldn't pinpoint what might cause that trend. But in 2004 and 2005,
Microsoft had a rash of vulnerabilities pop up in its Office products that
it did not get advance notice of, which may have contributed to a higher
percentage of unpatched publicly disclosed bugs.

However, the study proved to be such a glowing affirmation of Microsoft's
increased focus on security in the past few years that it prompted Cushman
to ask Frei, "Did Microsoft fund this research?"

"This is independent academic research," Frei replied.