Sean Collins

sean [at] seanmcollins [dot] com

GPG Key ID: 0xf60f564978913931

sean [at] coreitpro [dot] com

GPG Key ID: 0xA1D7E590

profile for Sean at Stack Overflow, Q&A for professional and enthusiast programmers

Timely Quotes

Recent bits of news have been filtering down into the mainstream computing environment about Apple’s lax patching practices. Many pundits will invent excuses and convoluted logic in order to defend their platform of choice. Any way you slice it the numbers that Brian Krebs came up with are irrefutable. For example, Apple took 307 days to release a patch for CVE-2005-2340 which by their own admission, is a 1 (most serious) on a 4 point scale.

What is amusing is that many of these figures were published long ago, yet it’s only after the news that Charlie Miller found problems in Apple’s WebKit engine that the community even takes notice.

Brian Krebs: A Time to Patch III: Apple
Here's what I found: Over the past two years, after being notified about serious security flaws in its products, it took Apple about 91 days on average to issue patches to correct those vulnerabilities. I also found that almost without exception, open-source Linux vendors were months ahead of Apple in fixing the same flaws.
Apple's TTP (Time To Patch)David Maynor
The other interesting thing about the updates is something I like to call the "window of owning". I advise our clients on this: Apple bundles open-source, but patches it late. It takes them weeks to as long as a year to patch their version of the code after it was patched in open-source. It's fairly straightforward to keep track of the open-source (and other 3rd party) code that Apple uses it, and when a vulnerability is announced for the open-source version, write exploits for the Mac version.

For our sideshow:

Roughly Drafted
The easy answer is that nobody had any political reason to attack Windows at an event sponsored by Microsoft.