You’ve probably already read Brian Krebs article A Time to Patch III: Apple, but if you haven’t, I encourage you to read it and read the various responses he received – the responses run the gamut of
- Linux advocates (“You do understand that Mac OS X is not a version of Linux, and is not an open source OS in the usual sense of the word?”),
- conspiracy theorists (“…This sounds much more like Microsoft propaganda…”),
- open source advocates (“… finally pointing out that Apple is a company that’s even more protective of its intellecual property than Microsoft …”)
- existentialists (“… In fact, I have been using Macintoshes heavily since 1984 and I’ve never had a single security problem.”)
- allegoricists (“…Potentially, an envelope I lick to seal could have LSD on it.”)
- poor analogies (“…Over the years in a far away country, fires have increasingly ravaged …”)
- better analogies (“…Imagine someone traveling to a small town and learning …”)
and many, many more. Good reading and entertaining at the same time. Brian even provides spreadsheets with his data and links to sources.
When I read this, I thought to myself “What if this article was about Microsoft?” – would the responses have been different? “What if the article was about Linux?” Sun? Oracle? I think it is clear from the emotional responses that the data matters less to some people than their belief system – and that’s not good for security!
Here’s the question I ask myself. If I had one system that housed my critical business information (say customer credit cards) and I believed there were attackers who might target me to get that information, then wouldn’t I want to know how many vulnerabilities there are and how long a vendor might leave them unpatched? I would. If I was basing a 5-10 year business decision in part on security criteria, I certainly would (among many other things…).
Of course, I would also consider the threat of a virus and the threat of a targeted attack as two discrete risk issues and not muddle them together… but that’s for another day.