Apple's patch process a mess, say researchers

Constant updating shows Mac OS X isn't ready for the enterprise

Another researcher, Swa Frantzen of the SANS Institute's Internet Storm Center, however, disagreed with Storms and Miller. Frantzen argued that it was, no pun intended, an apples-and-oranges comparison to pit Apple's patching procedure against Microsoft's.

"If Apple should be compared with other vendors, take the other Unix vendors," Frantzen urged. "Sun, HP, FreeBSD, OpenBSD, the different Linux distributions -- very few of them group together patches in a monthly cycle."

In fact, argued Frantzen, Apple's process of patching when the patch is ready reduces the window of vulnerability for users. "[Microsoft's] monthly cycle adds an average of half a month of unnecessary vulnerability while the patch is fully finished and not being offered to customers," said Frantzen said. "It's like Ford would know your Explorer will have trouble and has a solution to prevent your tire from blowing up, but decides for the ease of the dealers not to tell you or give you the solution for another few weeks."

"I think Apple is actually in a tough spot," offered Miller, who blamed Apple's patching problem on its having to maintain aging code and the company's late start in following Microsoft's lead in applying secure code development practices. "They are so far behind on that," Miller said. "They're doing things, but even on some of the basic stuff, they're lagging behind Microsoft."

If Miller had his way, Apple would invest in a Microsoft-like secure code process -- which its Redmond, Wash., rival calls its "Security Development Lifecycle" -- to make its operating system more competitive in the enterprise. "I think they should do that, but I doubt they will be forced to do that," Miller said.

"Anyway, who am I to tell them what to do? Even if I'm right."

Tags security patch

Show Comments