A familiar icon appeared in my system tray a few hours ago and it got me thinking. Now that’s always dangerous, me thinking.
The icon was the “New updates are available” notification icon. So I started thinking about a conversation I had over the weekend with a new friend of mine, Sean. Sean is an avid Macintosh user. I am not. In the many conversations I have had with avid Macintosh users, the common theme seems to be that a Mac is largely flawless and invulnerable to attack whereas Windows computers are always being attacked because they are horribly vulnerable because of security holes. My personal experience with Windows over the last twenty years is quite the opposite, I have never (knocking on wood here) had a virus or trojan or spyware on any of my Windows based computers. And I have owned or used several dozen such computers over that span and for the last fifteen years they’ve all had constant connections to the Internet.
I thought I should check on the situation from a neutral party. I found a paper from the Computer Engineering and Networks Laboratory – Swiss Federal Institute of Technology titled “0-Day Patch – Exposing Vendors (In)security Performance.” In the paper the writers compare the speed of response to published vulnerabilities in Microsoft’s Windows and Apple’s Macintosh operating systems. The concept of a “zero day” patch is that the company releases the patch for a vulnerability on the same day it is publicly disclosed. I was surprised by two things: it turns out that Macs and Windows PCs have had about the same number of high and medium vulnerabilities over the study period from January 2002 to December 2007, with Macs having 738 to Windows’ 658; and Microsoft has been much better at releasing 0-day patches over that period with over a 60% average rate of 0-day patches vs Apple’s under 40% average.
Patches are an important feature of any software package and they are often critical in operating systems. At South River Technologies we recently began using our own Windows Server Update Services server to better manage how and when updates are installed. And all of our software packages also have a “Check for Updates” feature. Our new Webdrive for Mac, which is currently in beta testing, also has this feature. I’m amazed when one of our support engineers tells me that a customer is using version 6 of Webdrive (the current one is 9.0) or version 5 of Titan FTP (the current one is 7.11). Like most software companies, we don’t provide support for older versions of the software. The reason is that it can’t be patched. So if you’re using software: PATCH IT!