Apple update sets new patch record

This actually happened a few weeks back, but it’s part of my continuing story on how Microsoft’s whole approach to security, in the era since the Trustworthy Computing Initiative, is a better bet for your business than any other platform, even some that have the advantage of perceptions that they are more secure.  Here’s a Network World article that caught my eye - Apple delivers record monster security update

According to the article by Greg Keizer (Network World, 3/29/10), Apple’s latest update to its Leopard and Snow Leopard OSes contained patches for 92 bugs; however, it did not include a fix for the vulnerability demonstrated at the current Pwn2Own contest.

According to the article, a third of the 92 vulnerabilities were considered critical, and it called out that this is a record update to Apple’s Leopard and Snow Leopard operating systems, breaking the previous record that had stood since March 2008.  ([3/19/2008] Apple “issued a record-breaking security update that patched nearly 90 vulnerabilities in both its own code and the third-party applications it bundles with its Tiger and Leopard operating systems.”)  On top of that, as Keizer also points out, this dwarfs an Apple update last year that patched 67 vulnerabilities.  Wow, I’ll let you do the math on the total number of vulnerabilities addressed in just over 24 months.  But one of the things I would call out here is that Apple does not ship patches on a regular schedule; it ships fewer, but much larger, releases.  The smaller number of patch releases perhaps contributes to the misperception that Apple is somehow more secure because it doesn’t patch as often; however, as you can clearly see from just these three examples, the number of actual vulnerabilities fixed over the same length of time is significantly higher than for Vista/Windows 7.

You know, I think folks are starting to appreciate that Microsoft stays on top of its patch needs on a regular basis and has several mechanisms, e.g. Update Server, published security bulletins, and auto-updates, to ensure its install base is proactively protected to the extent possible. At least I hope this is starting to be the case.

A couple of things mentioned in the article that I think are worthy of note:

  • In this latest patch, users running Leopard will patch 63 vulnerabilities, while Snow Leopard users (the more current OS) face a total of 74 flaws.
  • This update brings Snow Leopard to version 10.6.3, making this the third major update to the OS that Apple just launched in August 2009.
  • More than 40% of the vulnerabilities, 37 out of the 92, were listed as "may lead to arbitrary code execution," which is Apple's way of saying that a flaw is critical and could be used by attackers to hijack a Mac. (Unlike Microsoft, Apple does not assign ratings or severity scores to the bugs it patches.)

This follows on the heels of the annual Pwn2Own hacking contest at the CanSecWest security conference in Vancouver, BC, where Charlie Miller, the researcher who cracked Snow Leopard's security defenses to take down Safari, said that Apple had not patched the vulnerability he used.  I would point out that, if history is any indicator, the fix for that vulnerability may not be published for quite a while.  Particularly in business environments, I would suggest that this approach to patching is something less than what you might want to bet your business’ security on.