A security program manager at Microsoft Corp. has scolded rival Apple Computer for claiming that its security updates are just as transparent, informative, and detailed as those that come out of the Redmond, Wash. developer every month.
Stephen Toulouse, a program manager for the Microsoft Security Response Center and often the MSRC's spokesman, has used several entries in his personal blog to take Apple to the woodshed.
Although cynics may wonder by what right Microsoft -- which has seen its share of security problems -- can lecture Apple, Toulouse called on the Cupertino, Calif.-based competitor to appoint a head of security and change how it handles vulnerabilities and updates.
"The only way you can tackle security issues is by getting out ahead of them and clearly communicating to your users the threat, and the clear guidance on how to be safe," wrote Toulouse. "The Apple representative [quoted in the BusinessWeek article] pulls the old 'we don't have a security figurehead because...um, we all care about security!' line.
"That's a little like saying the White House shouldn't have a Department of Homeland Security because, DUH, everyone in the government cares about security!"
Apple has been in the security news more frequently than usual of late, as several worms -- including the first to attack Mac OS X -- and a critical zero-day vulnerability got attention last month.
Toulouse essentially said Apple could learn from Microsoft's security experience. "A lot of the attacks Apple is experiencing today are just like the most prevalent threats on Windows: Attacks that require the user to take an action first," he said. "We've learned the lesson of getting out there fast and providing clear prescriptive guidance."
He also took exception to another Apple official's claim that Apple's security bulletins were "pretty similar" to Microsoft's.
Toulouse ticked off differences. "I note no mitigating factors for customers to assess their risk. I note no frequently asked questions to cover what an attacker could and could not do. I note no workarounds for people who cannot immediately deploy the update. I note no deployment information for enterprises. I note no severity rating for any of the issues."
However, he wrapped up on a positive note.
"As [Apple] talks more and more about the need to update OSX, I imagine some of this will evolve naturally just as it did for us five years ago."
Microsoft's corporate public relations team declined to make Toulouse available for additional comment.