Sunday, June 1, 2008

Microsoft's and Apple's Approaches To Security Disclosures - The Carpet Bomb Case, Microsoft Says Stop Using Safari


This shows how two companies can be very different in approaching dilemmas. I guess it's company culture combined with executive decisiveness.

I do not criticize Apple for being the way they are. It's great to come clean about a problem and say, "Yes we have a problem and yes we have the solution." But it doesn't help in the interim if it takes 3 months to find the answers.

I also see Microsoft's point of coming forward early in the game and calling out the competition. We all know something is wrong with Safari and they have acknowledged that Safari coupled with Windows poses a very vulnerable spot for users versus hackers.

This article in Computerworld quotes nCircle's Storms: "Microsoft has really embraced the enterprise, and decided that disclosure and a regular patch schedule is what the enterprise needs to support and maintain its products.

"Apple, on the other hand, appeals to consumers, and believes that for the majority of consumers, issuing an advisory without a patch would probably just create FUD [fear, uncertainty and doubt]," Storms concluded.

As Storms noted, Apple has remained silent on the Safari carpet bomb problem. Last week, it did not respond to a request for comment on its security team's decision against adding a user-approval option to Safari. The company was not available Saturday.

Microsoft did say that it was working with its rival, however. "[We] are working with our colleagues at Apple to investigate the issue," said Tim Rains, a product manager in Microsoft's malware protection center, in a post to the MSRC blog.

No timetable has been set by Microsoft for patching its software to block combined Safari-IE attacks. As it often does in security advisories, the company only said that it may issue a patch.

Well, now I'm glad I'm using Mozilla Firefox instead of the reportedly bugged Safari and Internet Explorer.
