About this site

For six years, the Internet Nexus served as my technology blog, but I've since started blogging at the SuperSite Blog instead. If you're looking for the blog, please head there. --Paul



Saturday, August 20, 2005

Apple patch fiasco invites trouble

Security Focus:
The time that it takes Apple to release patches for some publicly disclosed vulnerabilities in open source components of their operating systems is nothing less than abysmal, and it's only a matter of time before continued evolution of their security practices can be preemptive, and not reactionary.

Unfortunately, there's a big difference between Apple and Microsoft when it comes to bugs in their operating system. I would argue that Microsoft is in a far more advantageous position, oddly enough, because their operating system doesn't contain so much open source software.

The closed source and un-shared nature of the Microsoft Windows code base gives Microsoft the luxury of taking ... a long time to patch vulnerabilities that are reported to them. They can spend a year developing, testing, and rolling out patches.

Apple, on the other hand, is in a different boat. Many of the vulnerabilities that affect OS X are open source, and as such, technical information regarding the issue is publicly disclosed on a different timeline, and more importantly, a timeline that's completely out of Apple's control.
This situation is a virtual gold mine for attackers. When important vulnerabilities are publicly released on one timeline, and then patched on another, a window of opportunity is created where attackers can develop exploits for OS X using publicly announced vulnerabilities, for which no vendor-supplied patch is available. Attackers are handed the vulnerabilities on a silver platter, and the open source nature of the affected components takes all of the guesswork out of the vulnerability itself.

The one thing that OS X does have going for it is a solid foundation, so we can be reasonably sure that it won't face the quantity and severity of vulnerabilities that we've seen littered within Windows. But there will be vulnerabilities, and some of them will be severe, and with the current patching speed for OS X, this paints a pretty scary picture.
An interesting and accurate portrayal. Definitely a must-read for any OS X fan.

And yes, I can already see the responses: But Apple hasn't suffered from any of the malicious attacks that dog Windows users. You're right. But Microsoft, unlike Apple, has spent years honing a professional response to high-profile attacks, and this experience is benefiting Windows users every day. If Apple should ever come to the attention of hackers, I suspect the company won't be able to respond as well as does Microsoft. The time to fix this situation is now, not after the attacks start.
[ Posted at 12:51 PM ]

 



Copyright © 2001-2008 Paul Thurrott. All Rights Reserved.