On June 9, I posted the first article that seemingly went unnoticed called: Apple Mac Arrogance or Pure Stupidity?
However, on June 25, a reader Matthew left the following comment:
This sounds like the typical advice of a ’security expert’ (read - antivirus software consultant). Can you tell me what the actual incidence (percentage) of Mac OS X users who, despite keeping their system fulling updated have been hit with a virus?
Well, I answered Matthew with a link to a site where he could check out the stats himself and closed with the comment, “How many viruses or vulnerabilities does it take to bring down a Mac? Only one.”
As fate would have it, evidence has been called to my attention that supports what I said back on June 9th. The funny thing is, it was written on March 28th by Gunter Ollmann on IBM’s Frequency X Blog. (Our marketing director found it while getting some statistics for our anniversary project.)
Gunter is reporting on the BlackHat Amsterdam conference that was going on at the time, and rather than summarize what he says, I’ll just quote him directly because he put it so eloquently!
In essence, with their “0-day Patch” metrics, they managed to show just how far Apple is trailing Microsoft in security patch responsiveness – in fact, after inspecting their graphs, Apple appears to be trending entirely in the wrong direction; more vulnerabilities, longer patching times, more 0-days, etc. – not the sort of thing we expect from a well known software vendor.
While I think that there are quite a few reasons why this is probably so, I’d be inclined to say that Apple’s biggest problem appears to be that they treat every new vulnerability as a potential PR disaster rather than an opportunity to visibly reinforce their work in securing their customers. In recent times this has most critically been reflected in the way Apple works with security researchers (e.g. I’m yet to find a single security researcher that has had any positive things to say about their dealings with Apple’s security team).” (Source: http://blogs.iss.net/archive/AppleCrumble.html)
Gunther also includes earlier in the post a link to the full report given that day by Stefan Frei and Bernard Tellenback titled “0-day Patch – Exposing Vendors (In)Security Performance” which turns out to be a BIG eye opener!
So for all the arrogant Mac users, and those who might just be oblivious to all this, I suggest you take a time out during your next “forced reset” (or in Windows terms, Crash) and give that a read!
And so I add to my previous comment to Matthew, “How many vulnerabilities does it take to bring down a Mac? Just one. And it looks like the ones are adding up!”
I rest my case.
Debbie Mahler,
Antivrus Software Consultant and Security Professional
PS A thank you to Gunter Ollmann, Stefan Frei and Bernard Tellenback for their information!
And a special PS to Matthew: Your statement in your comment that read, ‘This sounds like the typical advice of a ’security expert’ (read - antivirus software consultant).’ is slightly in error. Despite the garbage you find out on the web from affiliate marketers posing as “wanna be” security professionals on blogs trying to hawk their wares to the unsuspecting public, I really am a Security Professional. We are not affiliates with Trend Micro nor Symantec, we are Partners. A fact I guess I need to be more vocal about in the future. So thank you for pointing out where my marketing weaknesses are! You’re an angel!
Do you enjoy this blog? Then buy me a coffee or send me a tip! May I suggest $3 for a Venti (extra-large) cup of Starbucks Carmel Macchiato? You can also choose any amount you wish.
Recent Comments