Washington Post – A Time to Patch III: Apple

You’ve probably already read Brian Krebs’ article A Time to Patch III: Apple, but if you haven’t, I encourage you to read it and read the various responses he received – the responses run the gamut of

  • Linux advocates (“You do understand that Mac OS X is not a version of Linux, and is not an open source OS in the usual sense of the word?”),
  • conspiracy theorists (“…This sounds much more like Microsoft propaganda…”),
  • open source advocates (“… finally pointing out that Apple is a company that’s even more protective of its intellectual property than Microsoft …”),
  • existentialists (“… In fact, I have been using Macintoshes heavily since 1984 and I’ve never had a single security problem.”)
  • allegoricists (“…Potentially, an envelope I lick to seal could have LSD on it.”)
  • poor analogies (“…Over the years in a far away country, fires have increasingly ravaged …”)
  • better analogies (“…Imagine someone traveling to a small town and learning …”)

and many, many more.  Good reading and entertaining at the same time.  Brian even provides spreadsheets with his data and links to sources.

When I read this, I thought to myself “What if this article was about Microsoft?” – would the responses have been different?  “What if the article was about Linux?”  Sun?  Oracle?  I think it is clear from the emotional responses that the data matters less to some people than their belief system – and that’s not good for security!

Here’s the question I ask myself.  If I had one system that housed my critical business information (say customer credit cards) and I believed there were attackers who might target me to get that information, then wouldn’t I want to know how many vulnerabilities there are and how long a vendor might leave them unpatched?  I would.  If I was basing a 5-10 year business decision in part on security criteria, I certainly would (among many other things…). 

Of course, I would also consider the threat of a virus and the threat of a targeted attack as two discrete risk issues and not muddle them together… but that’s for another day.

About the Author
Jeff Jones

Principal Cybersecurity Strategist

Jeff Jones is a 27-year security industry professional who has spent the last decade at Microsoft working with enterprise CSOs and Microsoft's internal teams to drive practical and measurable security improvements into Microsoft products and services. Additionally, Jeff analyzes vulnerability trends