Microsoft today released updates to plug a whopping 123 security holes in Windows and related software, including fixes for a critical, “wormable” flaw in Windows Server versions that Microsoft says is likely to be exploited soon. While this particular weakness mainly affects enterprises, July’s care package from Redmond has a little something for everyone. So…
Every time I read a lede like this, I’m struck with the stark difference between Windows and macOS in terms of security posture. Apple releases patches for their operating system once every couple of months, and they contain a dozen or so patches. Microsoft releases hundreds of fixes every month. Sometimes multiple times a month. HUNDREDS! Every month!
Apples fixes are primarily about local privilege escalation. Microsoft? It seems like every patch note is for a “random interweb haxxor can pwn you”-type of problem. I’m sure I’m being overly generous with Apple, and completely unfair to Microsoft, but the difference in the general nature of the two kinds of problems is also starkly different.
The Microsoft fanboys will say that it’s because Windows is still the majority of the desktop market, but Microsoft has lost a lot of ground lately. macOS is around 15% of the market, making it a perfectly viable hacking target. So that can’t be the reason. I say it comes back to Windows having a DOS heritage, and macOS having a BSD heritage. The foundational assumptions these two systems were built on could not possibly be more different, and the ramifications of those differences are still present 30 years later. One is holding up very well. The other… isn’t.
I bring all of this up because the prevailing wisdom in Fortune 500 companies is that we 1) must run Windows, and 2) load it up with all sorts of first- and third-party software to A) “secure” the system, B) guarantee the integrity of the build, and C) lock it down as tightly as the internal staff can understand and manage. All of this approach is a holdover legacy from the 90’s, where we didn’t have much choice. What were we going to do? Run Linux? As much of a Linux zealot as I was — and continue to be — even I know that’s not workable. Now, it’s become a house of cards, with alternating layers of vulnerability mitigation and policy enforcement.
But macOS has matured. Almost all commercial software runs on it now. (The only things I know of that don’t are high-end CAD/FEA systems, but even AutoCAD does now.) And Apple has grown into a behemoth of a company, in terms of support capability. A truly staggering amount of money is being wasted in the Windows-ecosystem-based approach. It’s time for corporate America to stop — really stop — and think about the situation with a fresh set of assumptions. Do we really need to continue as we have for the past 25 years?
And maybe — just maybe — if we didn’t have to load up the corporate desktop image with layer after layer of software, trying to stem the flow of Windows’ suckage, my work laptop wouldn’t run its fans at full blast all the freaking time…