Apple lacks Microsoft's security investment
Bill Gates has been taking some flak lately in Apple circles for comments he made on the state of security in Mac OS. He was being interviewed for Newsweek:
In many of the Vista reviews, even the positive ones, people note that some Vista features are already in the Mac operating system.
Bill Gates: You can go through and look at who showed any of these things first, if you care about the facts. If you just want to say, "Steve Jobs invented the world, and then the rest of us came along," that's fine. If you're interested, [Vista development chief] Jim Allchin will be glad to educate you feature by feature what the truth is. I mean, it's fascinating, maybe we shouldn't have showed so publicly the stuff we were doing, because we knew how long the new security base was going to take us to get done. Nowadays, security guys break the Mac every single day. Every single day, they come out with a total exploit, your machine can be taken over totally. I dare anybody to do that once a month on the Windows machine. So, yes, it took us longer, and they had what we were doing, user interface-wise. Let's be realistic, who came up with [the] file, edit, view, help [menu bar]? Do you want to go back to the original Mac and think about where those interface concepts came from?
OK, so Bill Gates is basically saying that because Microsoft invested so much in security for Windows Vista, Apple was able to copy interface features that Microsoft had already developed and release them first, and that as a result more vulnerabilities are being discovered on Mac OS than on Windows.
At first I didn't buy the "every single day" thing and assumed he was exaggerating by quite a large degree. But after doing a bit of research I stumbled onto this. They list a new vulnerability discovered on Mac OS every day, in many cases with code ready to exploit it. So Bill Gates wasn't far off the mark at all in his comments. Let's just quote a few examples:
1st of January:
A vulnerability in the handling of the rtsp:// URL handler allows remote arbitrary code execution.
3rd of January:
A vulnerability in the handling of the HREFTrack field allows to perform cross-zone scripting, leading to potential remote arbitrary code execution.
5th of January:
A vulnerability in the handling of BOM files by DiskManagement/diskutil allows to set rogue permissions on the filesystem. This can be used to execute arbitrary code and escalate privileges.
The list just goes on and on, a new one for every day of the month. Microsoft has made the investment in security, and it shows, with fewer and fewer exploits being discovered. The media, which you can imagine would love to throw out something about security on the Vista launch, had to resort to using speech recognition: apparently the fact that it responds to voice commands is a "hole" because it can be used to delete documents by issuing a delete command. Right, that's the best you've got?
I'm confident in saying that Windows Vista in its first year will have fewer security vulnerabilities than any past client release of Windows, and it wouldn't surprise me at all if it did even better than their best server release, Windows Server 2003.
5 comments
I'm not against M$, I just say they are expensive and have long been neglecting security. Mr. Smith refers to the MOAB..... a project to discover bugs in Apple OS X, fine, they found some bugs..... maybe some 20 or 30 in a month, and then they stopped. M$ releases 10s of bug fixes every month and some they can't even resolve.
If you're trying to piss on Apple coz you have some grudge against them, do it at least without claiming M$ is more secure. It is not!
p.s. if you wanna know: I use Ubuntu Linux and M$ Windows XP in a dual boot pc!
Microsoft retrained their developers, re-organised their entire development process all for security.
Nationalising Microsoft would also shut up all the open source zealots. Because Windows would belong to everybody and so everybody has access to the source code.
It would also bring everyone together, so instead of wasting time trying to compete they just co-operate to make the best operating system possible.
So if you're a fan of the GPL, join the revolution, comrade. Stop wasting your time trying to hammer together a lower-quality operating system trying to compete with the corporations. You don't compete with them (that's capitalistic), you nationalise them and then they are yours.
Paul works for Microsoft. LOL
My friend, you fail to realize that in a world market, a "capitalistic society", all companies and countries are capitalist. Paul is just pointing out that the natural progression from capitalism is to socialism.
And Erik, you speak as though Apple is not capitalistic and as though they too are not big business. They are both big business and they are competing to give us a better product; what is wrong with that?
3rd February 2007 18:38:56






