Preston Gralla

Four things Apple can learn from Microsoft about security

May 13, 2009 9:58 AM EDT
Yesterday, both Apple and Microsoft issued whopper security patches. The way they were handled shows that Apple has a lot to learn from Microsoft about security. Here are the four most important lessons.

Patch it faster

As this latest patch shows, Apple is very slow at fixing security problems with Mac OS X. Two of the security problems were big ones, uncovered in March at the "Pwn2Own" annual hacking contest sponsored by 3Com's TippingPoint. Waiting two months to fix the problems is simply too long. On March 27, Mozilla fixed the security problem found with Firefox. And it turns out that the version of Internet Explorer 8 hacked at the conference wasn't final, and the final version of IE 8 wasn't vulnerable.

The Apple patch fixed a total of 67 bugs. The Microsoft one fixed only 14. The reason? Microsoft issues these patches regularly, so they're out the door as quickly as possible. Apple waits far longer, and issues them in a bigger batch.

According to Computerworld, many of the patches were related to Open Source applications or components integrated with Mac OS X, such as Apache Web server and the WebKit browser rendering engine. Andrew Storms, director of security operations at nCircle Network Security, said that he had seen patches for those security holes issued for Linux nearly half a year ago in December. Yet Apple waited until May to fix them.

Storms also said that Apple should follow Microsoft's lead and issue patches more frequently. Here's what he told Computerworld about Apple waiting longer than Microsoft to issue patches:

"Microsoft, which historically has had the view of producing the less-secure operating system, puts out one bulletin today, with 14 vulnerabilities. And Apple comes out with [an update with] 67 bugs. It's a 'I coulda had a V8' moment, where you slap your forehead. It's like history changed in front of my eyes."

Be transparent

Microsoft assigns a threat ranking to security bugs. So does Oracle. Apple doesn't. One of the most important tools in the fight for computer safety is knowledge. As long as Apple refuses to embrace that, it won't be helping as much as it should to keep its users safe. It should follow the lead of Microsoft and other companies, and start ranking security bugs.

Offer enterprise security tools

Computerworld notes that Storms complained about "the lack of business-grade management tools and the paucity of information that Apple provides about the bugs and the ensuing patches." He told the newspaper that because of that:

"Macs really still aren't an enterprise tool, even though Apple's marketing likes to say that they are, and that they're used in enterprises."

Take security seriously

For a long time, there's been a myth that Macs are invulnerable to hacks, Trojans, and other dangers. That's certainly not the case. Recently, for example, a Trojan was found to infect Macs and create a botnet. In addition, several security researchers have said that Macs are less secure than Windows or Linux.

Apple likes to use the myth of Mac invulnerability as a selling point, which is why it doesn't take security as seriously as it should. It's time for Apple to follow the lead of Microsoft, and finally focus more seriously on security.