Get on-the-go access to the latest insights featured on our Trustworthy Computing blogs.
You've probably already read Brian Krebs article A Time to Patch III: Apple, but if you haven't, I encourage you to read it and read the various responses he received - the responses run the gamut of
and many, many more. Good reading and entertaining at the same time. Brian even provides spreadsheets with his data and links to sources.
When I read this, I thought to myself "What if this article was about Microsoft?" - would the responses have been different? "What if the article was about Linux?" Sun? Oracle? I think it is clear from the emotional responses that the data matters less to some people than their belief system - and that's not good for security!
Here's the question I ask myself. If I had one system that housed my critical business information (say customer credit cards) and I believed there were attackers who might target me to get that information, then wouldn't I want to know how many vulnerabilities there are and how long a vendor might leave them unpatched? I would. If I was basing a 5-10 year business decision in part on security criteria, I certainly would (among many other things...).
Of course, I would also consider the threat of a virus and the threat of a targeted attack as two discrete risk issues and not muddle them together... but that's for another day.