OS X vs. Windows: A Tale of Two Security Strategies
The days are gone when Mac OS X security could be taken for granted. As Apple has increased its share of the computer market, hackers have become more interested in developing exploits for its software vulnerabilities. Like Microsoft, Apple must issue security patches from time to time, but the two companies have very different distribution approaches for their security fixes.
"Software update" is common parlance among regular computer users.
More than likely, an "update" is a "patch" -- a code modification designed to protect against the latest virus, worm or other security threat.
Patches are all in a day's work for Microsoft and Apple engineers. Indeed, the second Tuesday of every month has become known in tech circles as "Patch Tuesday." That's when Microsoft issues its latest updates for its operating systems and applications.
Apple disseminates patches on a less-predictable schedule.
Does Apple need to adopt a more regular routine as its platform becomes more popular among consumers, or is Patch Tuesday more about enterprise users -- an area in which Apple's business has not grown as substantially?
Or is a more flexible, whenever-it's-needed strategy a better idea, regardless of who's using the OS?
Clockwork vs. As-Needed
The distribution systems are different, but the results are equally effective, said Michael Cherry, lead analyst for Windows and mobile for Directions on Microsoft.
"I am not sure that one works better than the other," Cherry told MacNewsWorld. "Both companies essentially provide software that allows the user to control when their computer looks for updates."
It's just a matter of a different approach, Cherry said.
"I think that Microsoft went to the Patch Tuesday (once-a-month) approach because it wanted to show that it was working to improve the perception around the security of its products, and to assist large companies that have to coordinate the installation of the patches on large numbers of Windows-based computers," Cherry said.
The irregularity of Apple's updates doesn't indicate the company is any less concerned about security issues than Microsoft is, in Cherry's view.
With Apple updates, long dry spells can be punctuated by periods when updates seem to come in swarms. In September, for example, the company patched numerous potential vulnerabilities in its iTunes, QuickTime player, Bonjour software for Windows and iPod touch software.
Earlier this year, Apple had addressed other problems with QuickTime.
The key in dealing with security threats is adaptability, Cherry said.
"From time-to-time, there will be threats that occur suddenly and require immediate action. At other times, there will be problems found that take a while to analyze and remediate. So the best thing is that neither [Microsoft nor Apple] get locked into any one approach, but continually analyze the threat landscape."
Vigilance, rather than regularity, is what matters in fighting security gaps, Roger Kay, president of Endpoint Technologies Associates, told MacNewsWorld.
"Microsoft started gathering its patches into Tuesdays to reduce the number of disruptions to IT managers and end users," Kay said. "Apple has fewer patch events and just sends them out. It doesn't much matter from a security standpoint how this is done. Both companies try to keep the specifics of patches out of the public eye until they're patched so as to minimize exploits. The ratio of exploits to vulnerabilities is very low."
Each company takes a different approach because their customer bases differ, said Rob Enderle, principal analyst for the Enderle Group.
"Microsoft is largely guided by corporate customers who can't deal with a lot of complexity and like things to be planned out so they can allocate resources," Enderle told MacNewsWorld. "Apple is still largely a consumer/small business vendor, and they don't seem to care -- and might actually prefer to get the patches sooner and be better-protected than in bulk. So, it really is the nature of the customer and their particular needs that drive the process."
An IT Tool
The Patch Tuesday concept also lends itself to IT needs, Enderle said.
"If IT didn't feel they had to test the patches and validate them first, they might actually prefer Apple's method," Enderle said. "But they can't afford to take the risk of having a patch take the company down, so it is doubtful Microsoft could, for the foreseeable future, shift to Apple's method."
Never say never, though, particularly in an era of increased cloud computing, Enderle noted. "There is a possibility this could change. The real cause for the IT concern is that they currently have a large percentage of custom applications that Microsoft can't test a patch against, but these applications are moving to the cloud. Once they are mostly all migrated, it is possible this patch requirement will evaporate. It'll take awhile, though -- I'm guessing not before 2020."
Microsoft's regular patching schedule makes sense for the way it operates, said Charles King, principal analyst with Pund-IT.
"I'd say that the most important issue to consider is how best their patching strategies serve their respective customers," King told MacNewsWorld. "Windows has been a target of hackers for years, so I believe that issuing patches on a fixed schedule enforces the point that the company is staying on top of security issues and addressing them proactively."
Enterprise users, in particular, benefit from concepts like Patch Tuesday, King said.
"Businesses tend to be more aggressive about ensuring the safety and stability of their PCs and notebooks," he pointed out. "In part, that's because they have a lot more to fear and lose from potential problems than do individual consumers. But I think it's fair to say that Microsoft's broader approach to managing and securing Windows desktops has been influenced, or even shaped, to address the discreet needs of business users."
Limits to Predictability
"Unless Microsoft issued regular announcements about what patches it planned for release -- a situation that typically occurs only if the company is addressing a serious, widespread problem -- I doubt hackers are getting many benefits from scheduled Tuesday releases," he said.
Indeed, Apple might consider following suit at some point.
"Apple's approach seemed reasonable enough when its platform was virtually ignored by hackers, but I don't think such a laissez-faire attitude will cut it with the Mac OS gaining market share and hackers' attention," he said.