What's the best way for vendors to patch an enterprise operating system?
On a business level, it's a tricky question to answer. On the one hand, security problems are bad PR; on the other hand, being seen doing something about those problems is good PR.
Back in 2003, Microsoft tacitly admitted its desktop and server operating systems were fundamentally insecure when it introduced "patch Tuesday" -- the second Tuesday of every month when it releases all the security updates it has finalized during the previous four weeks. Having a regular patching schedule lets Microsoft show it acknowledges its problems and wants to be seen doing something about them. It also gives administrators a way to plan and prepare for operating system updates.
Apple has quite another way of dealing with the far less numerous security vulnerabilities that affect its OS X operating system. Basically, the company doesn't advertise the problems and sneaks in security updates on an ad-hoc basis, hoping that as few people as possible will ever know there was a problem that needed attention in the first place. It certainly doesn't go into the specifics of the vulnerability being addressed. The company's approach is thus the opposite of Microsoft's: It believes that appearing to have no security problems is of key importance, and if it can pull that one off, then it doesn't have to worry about being seen to fix any.
There are obvious problems with both of these approaches. Last week, Apple slipped in a security update to protect OS X machines against a particularly nasty backdoor Trojan called HellRTS that can take screenshots of Mac users' machines, access their files and send out spam email. Commenting on the update Graham Cluley, a security wonk at Sophos, said:
Unfortunately, many Mac users seem oblivious to security threats which can run on their computers. And that isn't helped when Apple issues an anti-malware security update like this by stealth, rather than informing the public what it has done. You have to wonder whether their keeping quiet about an anti-malware security update like this was for marketing reasons. 'Shh! Don't tell folks that we have to protect against malware on Mac OS X!,'
So is Microsoft's approach much better? Not necessarily. Because security patches are released only once a month (except in exceptional circumstances, when Microsoft will rush out an out-of-cycle patch), smart hackers can, in theory, time the release of exploits for previously unknown vulnerabilities for the day after patch Tuesday -- sometimes known as Exploit Wednesday -- to give themselves a minimum of four weeks before the vulnerability can be patched. It also lets hackers get organized to check the vulnerabilities that have been patched each month and attempt to exploit them over the next few days on any machines that may not have been updated in a timely fashion on Patch Tuesday.
But the overriding objection to Apple's approach is that by hiding the security problems that OS X has for marketing reasons -- and despite what Apple may like its users to believe it certainly does have its fair share of security problems -- the company hinders users from making an accurate assessment of the security measures they should be taking. Most OS X users are probably quite unaware that Mac Trojans like HellRTS even exist.
It's always easy to dismiss security warnings that come from employees of anti-virus vendors by saying that they are simply trying to sell something that you don't need. And in many cases you'd probably be right. But to manage risks, users must know what's out there.
By keeping users in the dark, Apple is putting its customers at risk unnecessarily by lulling them in to a false sense of security. David Harley, another security wonk from anti-virus vendor ESET puts it like this: "Any computer user who believes a system is so safe that they don't have to care about security is prime material for exploitation by social engineering."
Paul Rubens is a journalist based in Marlow on Thames, England. He has been programming, tinkering and generally sitting in front of computer screens since his first encounter with a DEC PDP-11 in 1979.