March 27, 2008, 2:04 PM — Apple's teasing commercials that imply its software is safer than Microsoft's
may not quite match the facts, according to new research revealed at the Black
Hat conference on Thursday.
Researchers from the Swiss Federal Institute of Technology looked at how many
times over the past six years the two vendors were able to have a patch available
on the day a vulnerability became publicly known, which they call the 0-day
patch rate.
They analyzed 658 vulnerabilities affecting Microsoft products and 738 affecting
Apple. They looked at only high- and medium-risk bugs, according to the classification
used by the National Vulnerability Database, said Stefan Frei, one of the researchers
involved in the study.
What they found is that, contrary to popular belief that Apple makes more secure
products, Apple lags behind in patching.
"Apple was below 20 [unpatched vulnerabilities at disclosure] consistently
before 2005," Frei said. "Since then, they are very often above. So
if you have Apple and compare it to Microsoft, the number of unpatched vulnerabilities
are higher at Apple."
It's generally good for vendors to have a software fix available when a vulnerability
is disclosed, since hackers often try to find out where the problem is in order
to write malicious software to hack a machine.
For a vendor to have a patch ready when the bug is detailed in public, it needs
to get prior information from either its security analysts or external ones.
Otherwise the vendor has to hurry to create a patch, but that process can be
lengthy, given the rigorous testing needed to test the patch to ensure it does
not conflict with other software.
Apple only started patching 0-day vulnerabilities in late 2003, Frei said.
"We think that Apple had fewer vulnerabilities early on, and they were
just surprised or not as ready or not as attentive," Frei said. "It
looks like Microsoft had good relationships earlier with the security community."
Over the past few years, Microsoft has tried to cultivate a closer relationship
with the security community in order to encourage researchers to give it a heads-up
about software problems. Apple, however, doesn't appear to have that same sort
of engagement yet, and, "based on our findings, this is hurting them,"
Frei said.
Curiously, both vendors' abilities to have 0-day patches ready at disclosure
seemed to dip in the six months before a major product release. That trend was
most pronounced in 2004 and 2005. Frei theorized that the buildup to big software
releases took away software engineering resources.
Andrew Cushman, director of Microsoft's Security and Research, said he couldn't
pinpoint what might cause that trend. But in 2004 and 2005, Microsoft had a
rash of vulnerabilities pop up in its Office products that it did not get advance
notice of, which may have contributed to a higher percentage of unpatched publicly
disclosed bugs.
However, the study proved to be such a glowing affirmation of Microsoft's increased
focus on security in the past few years that it prompted Cushman to ask Frei,
"Did Microsoft fund this research?"
"This is independent academic research," Frei replied.
