Monday, December 06, 2004

Last week, Apple announced the availability of a mega patch that addressed seventeen security vulnerabilities. Some of the vulnerabilities affected open-source components of Mac OS X such as Apache while other vulnerabilities affected Apple’s in-house code. Ironically, Microsoft IIS 6.0 which is at the butt of many jokes in the IT industry has never had a confirmed flaw in almost 2 years of existence while I’ve had to patch my Apache servers on a quarterly bases [sic]! The response to Apple’s mega patch has been along the usual Mac evangelist lines of "we don’t need to patch it" or "Apple is doing a good job patching it". The truth of the matter is, the Mac platform is simply too small for anyone to care. However, if the Mac community continues to flaunt it, someone will take them up on the challenge.

The Mac platform is too sparse for the spread of conventional Mac based worms ... it is entirely conceivable that a Windows based worm can be designed to attack Mac based vulnerabilities along with UNIX ones. Mac OS is now essentially UNIX since it’s based on FreeBSD. The worm in this case could be particularly vicious against the Mac or UNIX machine since it wouldn’t rely on it as a host for reproduction. Using Windows as a vehicle for replication and a launch pad for an all out assult, the worm can be harmless to Windows while leaving a wake of destruction for Mac and UNIX boxes with formatted hard disks ... Ultimately, there is no substitute for vigilance and good security practices no matter who’s software you use.