Tuesday, April 24, 2007

If only it had market share, it would have Security Vulnerabilities

The revelation that the security flaw exploited to win a hacking competition last week was related to Java applets that used QuickTime is very interesting because of the usual argument that Macs are only seen as less vulnerable because they have a smaller installed base. Well QuickTime doesn't have a "smaller installed base". Its installed base is highly comparable to that of, say, Internet Explorer, Microsoft Office, or Windows Media Player. Indeed, given that Apple is less likely to rev QuickTime randomly (Windows Media Player 11 anyone?) and that iTunes and iPods are highly linked to the latest version, the chances are that its market penetration exceeds any of these products. Is that not interesting?

Here's QuickTime 7's stats from secunia.com (hey, they're biased against Apple*, but then who isn't in the security industry. Until we can get Mac users buying third party firewalls and antivirus software, we're going to keep telling everyone they're an accident waiting to happen). Note that these stats include the vulnerability exploited in the CanSecWest competition.

Here's Internet Explorer 7's stats (note that most folks are probably using Internet Explorer 6 still). IE7 has a similar number of vulnerabilities in a shorter timeframe, but they're more critical and far less likely to have been patched. (And remember, Secunia is the company that treats a trojan you need to download and type an admin password to install on a Mac as highly critical, while a vulnerability that can take over your PC if you just visit the wrong website is not.)

Here's Microsoft Office 2003's stats. Quite a few vulnerabilities, almost all remote, and, oh look, one in six is unpatched.

There are so many versions of Windows Media Player that linking them all would be kind of tedious. Windows Media Player 11 so far has no listed vulnerabilities. Here's WMP 9 and WMP 10 though.

Given that the vulnerability is an interface between code which relatively few people care about (Java) and code that gets a lot of attention (QuickTime), I suspect that it will probably turn out that some previously identified buffer overflow vulnerability that was fixed for QuickTime via more popular and conventional paths (e.g. the browser plugin) was not fixed for the Java QuickTime API.

Conclusion: Apple just writes better software than Microsoft, and doesn't leave critical vulnerabilities unpatched for years. But we knew that already.

Note: * Secunia, biased? Say it isn't so. Here's a vulnerability in IE that can make an arbitrary malicious file appear to be an html file when you "Save As...". Note its criticality. Here's an "extremely critical" vulnerability in Mac OS X (note that Mac OS X is one product, like Windows XP Home Edition). It's listed as partially unpatched because, apparently, you can still execute shell scripts that are placed in an archive manually. OMG really? Gimme Outlook 2000 which won't let me extract .exe's from email attachments even if I sign a release in triplicate. Yeah. That would fix it.

Thursday, April 19, 2007

Apparently, the "wow" has been delayed until October

Well, I can predict one of the surprises that will be in Leopard based on this patent filing and a bunch of similar, related patents.

Apple is going to offer procedural desktop pictures (essentially GPU pixel shader programs) that produce pretty animated abstract or image-processed desktop pictures. These will be gorgeous, stylish, and have the following virtues:

  • Unlike desktop pictures, they won't take up memory in either system or video -- beyond the images they use. Since many of the options will be purely abstract (think of iTunes visualizations or Motion samples) this will be a significant chunk of RAM freed up.

  • Unlike desktop pictures, these can be procedurally animated for free (essentially accessing a static pixel and accessing a computed pixel are pretty much identical operations for modern GPUs).

Just look at the kinds of things Motion does effortlessly and you can be sure this stuff will be gorgeous (quite possibly distractingly so) and make Windows Vista look like the pathetic, obsolete hunk of junk it is, but which its "me too Aqua" graphical wrapper partially conceals.

Incidentally, animated window frames could be done exactly the same way.

Wednesday, April 11, 2007

The Zeroth Law of Usability

Of course, by trying to keep my list short, I either left out a few things (we'll get to the most important item in a sec) or left a bunch of stuff as a corollary.

0. Function As Intended

There's no point being usable if you aren't useful. This should be obvious but it needs to be said. Blender obeys the zeroth law (in spades!), and it's free and open source, making it sad that it disobeys laws 1 to 11.

Example corollaries:

Visibility (as stated) implies reduce clutter, organize things sensibly, use visual hierarchies. If I put each of these in as a law, I'd have 50 or more laws and no-one would read to the end of the list. This would make the list less usable.

A classic example of the Visibility law in action is that if you try to, say, delete something in a good program, the dialog's buttons will be captioned "Delete" and "Cancel" (or similar) rather than "Yes", "No", "Abort", "Retry" or "Fail". Putting the most important information in the first place someone will look is a corollary of the Visibility law.