Charles Miller, a computer security researcher who's worked with the NSA, is planning to reveal 20 zero-day security holes in Mac OS X at CanSecWest, a digital security conference, in Vancouver BC next week. A zero-day security hole is a weakness in software that neither the makers of the software nor other individuals have any knowledge of. Hackers then take advantage of the exploit on the day it becomes general knowledge. Miller revealing that Mac OS X has twenty of them makes Apple look like they didn't do the job right the first time and also suggests Apple needs glasses to see what they've missed – and he's not wrong.
"Mac OS X is like living in a farmhouse in the country with no locks, and Windows is living in a house with bars on the windows in the bad part of town," Miller said, suggesting that while both OSes have their security flaws, the Mac OS is safer because of the lack of people threatening to exploit it.
But software is software, and no matter how much more secure Mac OS X is than Windows, it's still bound to have some security issues. I'm all for Charles Miller digging around the OS to find flaws, but come on, if you find them, why announce them to the world and open up a potential new round of attacks? Wouldn't it be better to report them to Apple instead of to the host of hackers that pay attention to CanSecWest? There's no question about it, Apple should have caught these holes in the first place and Miller is right in calling them out on it. But while I understand that public outings go a long way to ensuring that people or companies don't make the same mistakes again, you can call Apple out without showing people – especially the wrong people – the specific cracks in the system.