Successive refinement
 
Less than two weeks after shipping a security update that fixed, among other things, recently discovered (but mainly theoretical) security vulnerabilities, Apple has shipped a second security update that fixes, among other things, problems with the previous security update. This type of "successive refinement" is an integral part of the security process.
 
Security companies, including Apple, have to make tradeoffs. In particular, when a security vulnerability is discovered, we have to trade off fixing the problem quickly against fixing it carefully and completely. Obviously you want to do both, but the more careful and complete you are, the more time it's going to take. Making this tradeoff optimally is part of the "art" (rather than the science) of security.
 
The main thing to realize, both as a security company and as a user, is that security fixes will often be imperfect.  You just have to be prepared for fixes to the fixes (and so on).  If you're doing your job right, each fix makes things better and better, just like successive (and always finer) grades of sandpaper.
 
As with previous security updates, we’ll still stick with our advice from the book on this one (from chapter 5, “Safe Surfing,” the section on Software Update):
 
Wednesday, March 15, 2006