Apple's security assertions seem like so much spin

I think it’s time to stop promoting Apple as a more secure choice. I think all OSes have vulnerabilities, and they all get fixed fairly quickly once found.


I do not think companies fix as soon as they know. Look at Microsoft. Their Exchange vulnerabilities went unfixed for months. I think Apple may have the end user a little more in mind than other companies.

It depends. The Java zero-day on Macs was patched on all other platforms 6 months earlier, and Oracle gave Apple the patches along with all the other platforms, but Apple sat on them for six months before there was a public outcry over the situation. (2009)

With the Exchange problem earlier this year, that affected all versions of Exchange, including versions no longer in support but still in use. That is a lot of versions and configurations to patch and test. It takes time to ensure you have patched the hole fully, and you have to test each version individually. You can’t just rush out a patch which could cause a majority of business email servers to keel over and die if you get it wrong.

Steve Gibson really annoyed me over this, with his throw away comments on how Google were patching Chrome in days and it took Microsoft months.

That is like saying, “I changed the chain on my pushbike, why is it taking you months to rebuild a V12 engine from the ground up?”

A better example would be the Exim attack. Another (this time Linux) email server. The flaw was reported in October last year and the researchers that found the problem worked on it with the Exim team until around Easter, when they finally announced the problem and that a fix was coming a couple of days later.

Again, Steve misreported that as only a few days (public announcement to patch release). The team had worked feverishly for over 6 months behind the scenes to get the patch finished, before they announced the bug.

I’m not saying Microsoft didn’t sit on it, just that it isn’t so clear cut as it looks at first glance.

And the recent printer driver disaster is certainly a big failing on Microsoft’s part.

Without knowing how deep the problem went, how many resources Microsoft threw at the problem, and when, I’m actually willing to give them some slack on that particular patch. (And that is as someone who switched away from Windows to Linux recently, but with around 40 years’ experience in software development.)


The other thing is that you don’t always have the team that wrote the code still around to fix the code. So the group that is formed to fix the code is trying to understand it, to understand the vulnerability, and to fix the problem with the least risk possible. (There is always the risk when changing code that you introduce a new problem as an unintended consequence.) Apple may have it easier because they lack the reputation of keeping old code running, but most software companies are unwilling to piss off their customers by breaking something important… maybe something that is necessary for the running of a business.

I think the MS printer code is VERY old, and probably no one at Microsoft will admit to knowing anything about it. Accordingly, the fix was a bit half-assed because the team fixing it didn’t get it right in the beginning (they fixed A problem, but not THE problem(s)). And in the end the necessary fix was to remove (a) feature(s) from the system, which of course Microsoft is usually very loath to do.