Skip to main content
Microsoft Security

Washington Post – A Time to Patch III: Apple

You’ve probably already read Brian Krebs article A Time to Patch III: Apple, but if you haven’t, I encourage you to read it and read the various responses he received – the responses run the gamut of

and many, many more.  Good reading and entertaining at the same time.  Brian even provides spreadsheets with his data and links to sources.

When I read this, I thought to myself “What if this article was about Microsoft?” – would the responses have been different?  “What if the article was about Linux?”  Sun?  Oracle?  I think it is clear from the emotional responses that the data matters less to some people than their belief system – and that’s not good for security!

Here’s the question I ask myself.  If I had one system that housed my critical business information (say customer credit cards) and I believed there were attackers who might target me to get that information, then wouldn’t I want to know how many vulnerabilities there are and how long a vendor might leave them unpatched?  I would.  If I was basing a 5-10 year business decision in part on security criteria, I certainly would (among many other things…). 

Of course, I would also consider the threat of a virus and the threat of a targeted attack as two discrete risk issues and not muddle them together… but that’s for another day.