Inspired by the MacWorld Expo and Apple's security marketing claims (not to mention that ad campaign from last year), I've decided to add Mac OS X to the list of products that I monitor for "perception versus reality."

First, let's review what Apple has to say about their security:

Freedom’s not just another word for nothing left to lose. Strong security ensures your ability to conduct your business unhampered. Mac OS X delivers the highest level of security through the adoption of industry standards, open software development and wise architectural decisions. Combined, this intelligent design prevents the swarms of viruses and spyware that plague PCs these days.

Mac OS X v10 Vulnerabilities in 2006

First, let's hop over to the "Apple Security Updates" web page at http://docs.info.apple.com/article.html?artnum=61798, and see what we find.  Immediately, I notice that the highest numbered Security Update for 2006 is Security Update 2006-008.  Well, that seems pretty good, only 8 security updates during 2006.  Clicking on #8, I find that it addresses just a single vulnerability, CVE-2006-5681.  Still good.  Click into #7 - whoops - that one seems to address 22 vulnerabilities in November.  I'm going to have to take a deeper look.

Fast forward [Next, I went through every Security Update, creating a spreadsheet of each vulnerability and noting which products they apply to, which CVEs/vulns, when they were released and other information.  Please feel free to duplicate that work and validate what I came up with.]

It turns out that the Apple Security Updates and associated patches addressed 161 unique vulnerabilities in Mac OS X v10 during 2006.  Now, if this were an Enterprise Linux distro, one might argue that you have to filter out non-applicable "extra" applications included in the release, such as either Gnome or KDE or some of the server applicatoins.  That doesn't apply to Mac OS X, which is simply a rich workstation environment, so they all count.

I can't help thinking to myself that if Microsoft issued only 8 security updates that addressed 161 vulnerabilities, the conspiracy theorists would be crawling out of the woodwork to assert that we were "bundling them" to "hide" the numbers.  My guess?  We probably won't hear that theory about Apple...

Comparison with 2005

161 - wow!  Is this a fluke?  How does this compare with 2005?  Earlier this year, I observed that the Trend for vulnerability disclosures was up across the industry - is it hitting Mac OS X as well?

Adding the 2005 data to my spreadsheet and doing a bit of simple addition, I found that Apple's highest numbered Security Update in 2005 was Security Update 2005-009.  Wow, if one wasn't careful, one might leap to the assumption that 2006 was an improvement, since they stopped 1 short of 2006-009.  Tallying up the vulnerabilities, though, I found that they fixed 132 vulnerabilities in Mac OS X v10 in 2005 - lower than 2006, though still fairly high.

I think I'll stop there, though I do plan to include Mac OS X in my other Workstation analysis throughout the year.  In summary, my brief research found that Apple Mac OS X does not have few security bugs.  In fact, with 161 in 2006, up over 20% from 132 in 2005, they have had to fix quite a lot of security bugs.