Apple patched both vulnerabilities today, nearly two months after the contest. Mozilla, in comparison, patched its Firefox browser -- which Nils also hacked at the CanSecWest security conference on the same day he broke Internet Explorer 8 and Safari -- on March 27.
Storms was struck by the contrast between Apple's update and the one that Microsoft unveiled earlier today. "Microsoft, which historically has had the view of producing the less-secure operating system, puts out one bulletin today, with 14 vulnerabilities. And Apple comes out with [an update with] 67 bugs," he noted. "It's a 'I coulda had a V8' moment, where you slap your forehead," Storms continued. "It's like history changed in front of my eyes."
Critical of Apple's security practices in the past, Storms didn't let up today. "Who really knew that OS X was this insecure?" he said. "This has to be a wake-up call for somebody."
He did not, however, criticize the quality of Apple's patches. "The quality on both sides is good," he said. "I don't see a difference in quality between the two [Apple and Microsoft]." Instead, he focused on the lack of business-grade management tools and the paucity of information that Apple provides about the bugs and the ensuing patches.
"Macs really still aren't an enterprise tool," he said, "even though Apple's marketing likes to say that they are, and that they're used in enterprises."
Safari also was patched today. Apple issued separate security updates for Safari 3.0 and the beta of Safari 4.0; both updates patched three vulnerabilities in the Mac and Windows versions of the browser. Mac users can apply the updates separately, but the patches are included in the 67 that make up 2009-002.
The security update can be downloaded from the Apple site or installed using Mac OS X's integrated update service. Leopard users, however, won't see the security update separately, since the patches were rolled into the Mac OS X 10.5.7 upgrade also released today.