Microsoft's public face of security is offering Apple some friendly advice: be more like Microsoft.
Stephen Toulouse, a programme manager in Microsoft's Security Response Center who often presents the company's guidance on security problems to the public, has been giving his personal opinion about the recent focus on Apple's security policies. In his opinion, expressed in his personal blog Stepto.com, Apple needs to wake up, hire a security chief, and put more information in its advisories. In other words, follow Microsoft's lead.
The comments will seem bitterly ironic to those who criticise Microsoft's software as being riddled with security holes and problematic policies. However, the company has invested a huge amount of money and effort in the past few years to polish its image on security, through better disclosure policies and security-oriented updates such as Windows XP SP2.
As a result, Microsoft now feels comfortable offering advice to others. Toulouse said Apple was unlikely to be able to get by without a head of security for much longer.
"Here's the reality, for the next couple of years the Mac OS will experience increasing security threats and, mark my words, the company will have to seek outside expertise in the form of a head of security communications in the next 12 months," Toulouse wrote in a recent post.
He said the importance of a security chief isn't to downplay problems, but to make sure users know how to avoid problems, something he said Microsoft has become expert at. "We've learned the lesson of getting out there fast and providing clear prescriptive guidance," he wrote.
Toulouse also questioned a recent statement by Apple vice president Bud Tribble where he compared advisories from Apple and Microsoft and said "the actual content is pretty similar". He said Apple's advisories don't contain information such as mitigating factors, frequently asked questions, workarounds, deployment information for enterprises, and severity ratings.
"If they are saying the content is simliar by listing a CVE number, listing the component and impact and saying 'apply the update', well then, yeah, OK, they can be described as 'similar'," Toulouse wrote.
Toulouse criticised Apple for the way it communicates when an update has been itself updated, noting that Apple doesn't have a RSS feed specifically about security updates, and doesn't seem to put information about patched updates in its security mailing list.
"One might argue that you don't need those things if you are using the built-in auto-update functionality of OS X, but I would argue back that the fact there was an update to the update might mean people turn that off to test updates before deployment because of problems like this," Toulouse wrote.
Security vendors say Microsoft has become one of the best software companies around for the way it discloses security problems. "Only a few companies, including the open-source vendor Red Hat, handles vulnerabilities in an equally responsible way," Thomas Kristensen, chief technology officer at Secunia, told Macworld's sister title Techworld. Microsoft should, however, change its practice of not disclosing bugs in its embedded software, Kristensen said.
But he said Apple has also made great improvements to the way it handles security advisories, adding significantly more information than was disclosed a year ago. "Apple is handling security information in a responsible manner," he said. "We would always like more information in the advisories from the vendors, but for most users the information from both Microsoft and Apple is sufficient."
Kristensen's main criticism of Apple is that its patching doesn't always synchronise with that of the open-source components used in the operating system, which he said can leave customers vulnerable to known issues.
Apple did not immediately respond to requests for comment.
Microsoft's policies haven't stopped serious security holes from continuing to appear in its products. Writing about the most recent serious, unpatched hole to appear in Internet Explorer, F-Secure's Mikko Hypponen advised: "Disable IE's active scripting or switch to any other browser. Not necessarily Firefox – just any other browser."