Apple dropped a ton of security updates this week and since everybody loves vulnerability metrics, I’m going to join in on the fun also. But unlike seemingly everyone else, I’m not going to compare MacOS X to another operating system and tally up which system had the most critical vulnerabilities this month. I’m going to compare bug hunters: Apple vs. external researchers vs. upstream packages and draw a (hopefully) interesting conclusion.
I have always been fascinated by the number of unattributed vulnerabilities in Apple’s security update notices, which I am assuming are internally identified vulnerabilities (Apple Product Security, perhaps?). Apple is pretty unique in this regard, most closed-source software vendors don’t issue security updates for internally identified vulnerabilities in shipping products. So we have to either assume that everyone else is only fixing the vulnerabilities in the development branch of their next release or they aren’t even looking. Software, especially critical software connected to the Internet, is not the Ronco Showtime Rotisserie: You can’t just “set it and forget it.”
So let’s see how they stack up for the year so far. My methodology is simple. Count vulnerabilities by CVEs, eliminate duplicates, and tally up which vulnerabilities were: unattributed, credited to an external researcher, or fixed as part of Apple updating an externally developed part of MacOS X to a newer version. Although WebKit is an open source project, I considered it Apple code so vulnerabilities fixed in it are counted as either internally or externally found vulnerabilities.
The 2008-003 update had 41 security updates: 12 of which were internally identified, 10 reported by external researchers, and 19 vulnerabilities fixed in upstream software packages. The 2008-002 update was a whopper with 20 internally identified vulnerabilities, 8 externally reported, and 62 (!) in upstream packages. The relatively petite 2008-001 update had 3 internally identified vulnerabilities, 5 externally reported, and 3 from upstream packages.
I counted up all of the Apple Security Updates (including iPhone, AirPort, etc) for the year and the grand totals were:
- Internal: 44
- External: 53
- Upstream: 84
This brings me to my guess as to what Apple is doing and my advice to software vendors: You should be finding and fixing at least as many vulnerabilities in your shipping products as external researchers are. There is no reason that you can’t keep up, you have the source code and they don’t. Only finding and fixing vulnerabilities in development for future releases and treating external vulnerability reports like other bug reports (customers X have issue Y w/ product Z) is a bad model for security vulnerability response when “customers X” are 98% of Internet users, “issue Y” is remote code execution, and “product Z” is Flash.