While you do have a good point with regards to Apple having to change its policies wrt patches, I think that you are missing a very important issue in your analysis.

First of all, not all of OS X is open source, rather, some of the more important parts are not.

Regardless of publication of the vulnerability, there will be a few people knowing about it, as you point out yourself the people who found and reported the issue know about it, and very likely there are a few blackhats out there who know about it.

This is regardless of what is open source and what is not. The difference comes after publication as you correctly point out. In case of open source software in OS X, more people can investigate and get to know the exact issue and exploit it.

The same however gives those users who use this system for some critical tasks the oppertunity to see for themselves what the problem is, if and how it affects them, and fix it if needed without depending on Apple.

I am convinced that for those who really need a high level of security and can afford to spend a bit of money on that, this is a substantially better situation then depending on the producer of the software to release a patch when they feel like it, knowing that there will be blackhats out there who already know how to exploit the vulnerability.

In other words, in case of open source software such as a substantial part of OS X, capable users are empowered to minimize the window of oppertunity )not to mention that they can judge for themselves if the window exists to begin with)

For the rest I agree with your article, Apple needs to minimize the window of oppertunity themselves.

[ reply ]

Link to this comment: http://www.securityfocus.com/comments/columns/348/32261#32261