Blackhat: Is Apple lacking in the security department?
by Steve Ragan - Apr 1 2008, 15:00
Apple vs. Microsoft: who offers more 0-Day protection? (Image: J. Anderson)
Researchers Stefan Frei and Bernhard Tellenbach of the Computer Engineering and Networks Laboratory (TIK) at the Swiss Federal Institute of Technology studied the patch performance of Microsoft and Apple from January 2002 to January 2008 and presented their findings at Blackhat this week. The results offer some bad news for Apple.
The talk explained that Apple is falling far behind Microsoft when it comes to 0-Day patching. The research points to attitude as one likely cause. It is probably only one reason among several, but most security researchers and experts agree that Apple has a reactive stance and a general “it isn’t our problem” attitude when dealing with vulnerabilities in its systems.
“To achieve a high 0-day patch rate requires a vendor to receive ahead notification of vulnerabilities affecting his products. A sustainable way to achieve this is a cooperative relationship with the security community. Independent researchers will only collaborate with a vendor when they are being treated fairly and when their efforts are honored in the security advisory of the patch release,” the research states.
“Apple only exceeded a 20% 0-day patch rate starting 2004 while Microsoft is well above that rate since the beginning of our observation in January 2002. It so appears that Microsoft is ahead of Apple with respect to their vulnerability handling processes and the relation to the security community. Apple seems to have started implementing vulnerability handling processes only after 2003,” it adds.
“While I think that there are quite a few reasons why this is probably so, I’d be inclined to say that Apple’s biggest problem appears to be that they treat every new vulnerability as a potential PR disaster rather than an opportunity to visibly reinforce their work in securing their customers. In recent times, this has most critically been reflected in the way Apple works with security researchers (e.g. I’m yet to find a single security researcher that has had any positive things to say about their dealings with Apple’s security team),” Gunter Ollmann of IBM's X-Force wrote in a blog posting.
So is Apple lacking in security? Is Ollmann correct? Does the Apple PR department hinder the work of Apple’s security team? Weigh in with a comment below.
Read the research here:
http://www.techzoom.net/papers/blackhat_0day_patch_2008.pdf