Different rules for different folks
There's a lot of flak that's started yesterday and today, mostly over the number of holes that may or may not exist in Mac OS X that aren't being exploited, but that isn't really what worries me.
This is the type of article that really worries me, and is something I've mentioned before, here and other places.
Excerpt:
"They are not characterizing the issue so that people can make a security decision about it," said Chris Wysopal, vice president of research and development at @Stake... "It seems they think that everyone will update their computers all the time, and that is not the way the world works." ...Most security companies normally classify a remotely exploitable software flaw as a "critical" vulnerability.
You know, depending upon your position in the market, you can't necessarily play by the same rules as other companies; i.e., what might be acceptable for one company isn't going to fly for a convicted monopolist. And when you have a very small share, and are trying to build credibility in certain markets, you probably can't play by the same rules that others can get away with (or that you used to be able to get away with).
Apple's shifting user base (*nix geeks), and where their machines are starting to be used, may end up causing them more consternation than they bargained for in some ways. That would take too long to go into in detail now, so we'll just touch on this aspect: *nix geeks are not going to be satisfied with "there was a sort of a security problem here, but we took care of it, so don't worry," and the enterprise is not going to be satisfied with "Sure, trust us, we wouldn't leave you hanging by not patching that" without really having a clue as to how long releases will see back patches, etc.
Apple can't afford this stuff, and really needs to create and push some set policies. Even if they're unpopular (i.e., "we only promise to release security fixes until the next major release"), it's at least a known variable that can be planned for and worked around.

Posted by drunkenbatman