Scheduled or as-need?

Feb 22, 2007 13:35 GMT  ·  By

Recently, I had the chance to do an interview with Stephen Toulouse, senior program manager for the Trustworthy Computing Group. By the way, keep your eye on Softpedia; the complete, mile-long interview drops by the end of this week. Here is Toulouse's take on code quality: "when it comes to software vulnerabilities it's important to understand that no one is going to get the code 100% correct. Software is a human endeavor and as such will always contain a certain amount of error to it." So yes. Although Apple applauds the security of Mac OS X as a leitmotiv of the superiority of its operating system over Windows, Mac OS X has its security holes too.

But at this level, an important distinction separates the two companies. Microsoft sticks to a scheduled approach, and only rarely delivers an out-of-band security patch, while Apple offers security updates on an "as-need" basis. In this regard, Bud Trimble, VP of Software Technology at Apple, explained why Apple is not a big fan of scheduled security updates at Apple's World Wide Developer Conference in 2006. And of course Trimble took a swing at Microsoft.

"There is some controversy in IT shops asking 'Wouldn't it be easier if Apple could have their security updates scheduled on a monthly basis?' We think it's better to get those security updates out as soon as we can get them out and not wait for the next month to roll around," Trimble said.

I asked Toulouse whether Microsoft would consider more frequent patch releases in order to reduce the attack exposure of its customers. He explained that Microsoft's patch strategy is correlated with the needs of its customers.

"For a long time, that was exactly our policy. Up until 2003, security updates either came out the moment they were ready, or once a week on Wednesdays. Feedback from customers made it clear that system did not represent the best method for combining the delivery of software updates with customers' ability to roll them out efficiently. It is specifically the job of the Microsoft Security Response Center to deliver improved satisfaction for customers around security updates and incidents, and based on that feedback from customers we moved to a monthly release cycle," Toulouse explained.

Microsoft's current approach does not mean that the Redmond company isn't looking to improve security for its customers. "We will continue to look for ways to improve our processes and offerings to ensure we are communicating with customers with authoritative and clear information as quickly as we can," Toulouse added.