Twenty-four days after the rest of the industry mobilized to patch a serious flaw in the domain name system (DNS) protocol that’s core to the functioning of the Internet, Apple has at long last released Security Update 2008-005, which includes its fix for the regular and server flavors of Mac OS X 10.4 Tiger and 10.5 Leopard. If 24 days doesn’t sound like a long time, note that Apple was notified privately on 05-May-08, nearly 3 months ago, and this is for a vulnerability with significant exposure that had the potential to be disastrous for Apple’s business and hosting customers, as amply described in an opinion piece for Macworld by Mac system administrator John Welch.
In the face of theoretical zero-day exploits, the question had remained: can Apple produce a zero-day patch if a real exploit shows up? Now we have the answer: no. The company’s deliberative and opaque security process can benefit customers by not rushing ill-considered patches out the door that might need subsequent patches a day or two later. Yet when a real zero-day exploit arrives, Apple has shown it has no mechanism for dealing with it.