securityfocus.com · Domains · Slashdot Mirror

And one more example.... by masonbrown · 2003-10-31 09:16 · Score: 1 · on Apple to Fix Security Holes in Jaguar

One more example where @stake allows time to fix the issue before going public.....

This @stake advisory was published on July 12, 2002. Under the section "Vendor Response", it states that: "Vendor was notified of these issues on May 28, 2002."

That's pretty much a month and a half advanced notice before going public. Again, it appears that since Pingtel acknowledged their "accomplishment" with "a point by point response to the @stake advisory" they held off with the announcement. Granted, this is a completely different platform, different security implications, etc. But still, the signs point to someone throwing a temper tantrum and going very public very early, with subtle yet noticable allegations that the Apple security fix would require a $129 purchase.

Let's be fair and balanced (no, really) here... by gr · 2003-10-31 08:57 · Score: 4, Informative · on Apple to Fix Security Holes in Jaguar

The initial security advisories did include a "vendor response" section. Across the board that said "upgrade to 10.3", without any mention of a forthcoming patch for earlier releases.

That's the only thing that had Bugtraq up in arms: the lack of assurance that earlier versions would see a patch. And most of the people worried about that were worried because they want Apple to suceed as a Unix vendor, not because they want to see it crash and burn. (I don't know about the Slashdot comments, because I only read more than the highest rated couple of comments when I've got moderator points, but I'd guess that at least some of them were along the same lines.)

I don't know if it was merely a typographical oversight, or if Apple really didn't have any plans to release patches for earlier releases. In the first case they should have been more clear initially (and now they will), in the latter case they were making a huge mistake. I'm inclined to believe it's the former.

This is not the first time that Apple's security PR has been less than impeccable. They've rebounded pretty well each time, and I haven't seen them make the same mistake twice.

It's only reasonable to expect them to get harshly criticized, especially with Mac OS X: they're jumping from a very soft, easy-going market (desktop publishing and education) into an insanely security-conscious market (Unix enterprise servers). They're actually doing quite well, but there are still more entrance pains to come. The security community is, to an extent, xenophobic, and certainly disinclined to believe that a vendor with a relatively small amount of experience in the market can be relied upon to do the right thing. So Apple has to prove themselves a bit. So far, they're doing pretty well. It doesn't matter if you make mistakes like this, as long as you admit to them, patch things up, and then don't keep making them (hey Microsoft, you listening here?).

And Apple really is doing a good job: I've seriously considered bringing Mac OS X (and the related hardware) in as a replacement for aging Sun hardware running Solaris. Sun seems to be falling apart, and (especially with the G5) Apple seems to be a reasonable replacement in the mid-range compute + high I/O line of work without the vendor/service problems you get from Linux (which isn't so hot on the I/O front, since it's hampered by the IA32 architecture's crappy I/O design... other architectures don't matter, because Red Hat doesn't support them commercially).

Interesting.... by lcde · 2003-10-31 06:21 · Score: 2, Insightful · on Gates: 'You don't need perfect code' for Security

That sounds like a Microsoft way of thinking. Leave the code we have the same, just have add-ons to protect that and add-ons to protect that.....

The core of Windows is so bloated by patches or quick fixes I was confused on the column on Linux Hacks. Maybe it was ment as not to go down the same path. But the code that seems to be quick fixes rarely breaks anything, only makes it better.

No code is perfectly secure and I don't expect worms and such to stop on any OS, IMHO I feel that security needs to be a vital part of Windows' thinking, if they want to keep their market share.

Re:For those who don't want to do this on the serv by ivan.ristic · 2003-10-31 04:39 · Score: 1 · on New Apache Module For Web Intrusion Detection

I have recently written an article for SecurityFocus on how mod_security can be used as part of a Apache reverse proxy: Web Security Appliance With Apache and mod_security

Re:Apple is Fine (even if Linux is Better :-)) by Danta · 2003-10-30 12:04 · Score: 2, Informative · on Apple Forcing Panther Upgrade for Security Patch

As others have pointed out, the security flaw is only applicable to OS X 10.3. 10.1 and 10.2 are not vulnerable, so no patch is required.

I hate to sound rude but that is just pure BS. A shame to slashdot that you could achieve a +5 for that cr*p. Instead of your generalized disinformation here are the facts: Take a look at CAN-2003-0877. To quote:

Recommendation:

1) Upgrade to Panther (Mac OS X 10.3).

Now if the vulnerability only existed in 10.3, how come you are supposed to update to 10.3 in order to fix it?

Now take a look at the Apple Security Updates page. Is the fix for CAN-2003-0877 listed under 10.2.8? No. It's only under 10.3.

Take a look at this comment for more links to vulnerabilities that exist under 10.2 but are only fixed for 10.3.

To all the mods who modded the parent up: Shame on you! It contains not one link to any evidence. A statement like "As others have pointed out..." without any further specification is a generalization and stinks of disinformation.

Re:Apple is Fine (even if Linux is Better :-)) by zurab · 2003-10-30 10:24 · Score: 2, Informative · on Apple Forcing Panther Upgrade for Security Patch

Let me repeat. OS X 10.1 and 10.2 are not vulnerable

[...]

Indeed, the spin and dishonesty in the article is so severe, and the pro-Micorosoft bias in the (mis)reporting of the facts so obvious, that I'm surprised even Intel zealots would buy it outright, hook-line-and-sinker, without even a thought to the contrary.

[snip bunch of Apple-ologist stuff]

Nonsense. If you actually look up bugtraq reports by @stake, you will see all OS X versions 10.2.8 and below are vulnerable. Here, here and here.

Re:Apple is Fine (even if Linux is Better :-)) by zurab · 2003-10-30 10:24 · Score: 2, Informative · on Apple Forcing Panther Upgrade for Security Patch

Let me repeat. OS X 10.1 and 10.2 are not vulnerable

[...]

Indeed, the spin and dishonesty in the article is so severe, and the pro-Micorosoft bias in the (mis)reporting of the facts so obvious, that I'm surprised even Intel zealots would buy it outright, hook-line-and-sinker, without even a thought to the contrary.

[snip bunch of Apple-ologist stuff]

Nonsense. If you actually look up bugtraq reports by @stake, you will see all OS X versions 10.2.8 and below are vulnerable. Here, here and here.

Re:Apple is Fine (even if Linux is Better :-)) by zurab · 2003-10-30 10:24 · Score: 2, Informative · on Apple Forcing Panther Upgrade for Security Patch

Let me repeat. OS X 10.1 and 10.2 are not vulnerable

[...]

Indeed, the spin and dishonesty in the article is so severe, and the pro-Micorosoft bias in the (mis)reporting of the facts so obvious, that I'm surprised even Intel zealots would buy it outright, hook-line-and-sinker, without even a thought to the contrary.

[snip bunch of Apple-ologist stuff]

Nonsense. If you actually look up bugtraq reports by @stake, you will see all OS X versions 10.2.8 and below are vulnerable. Here, here and here.

Re:Tech Report by nutshell42 · 2003-10-30 08:31 · Score: 1 · on Apple Forcing Panther Upgrade for Security Patch

Then read the bugtraq links that are mentioned above. Also interesting would be this one

Actually you're claiming that tech report and CNET are lying without any prove or plausibility-argument and don't contribute anything to much more specific postings above which discuss Apple's policy and the probability of a patch for =10.2

Re:FUD by Genghis+Troll · 2003-10-30 07:33 · Score: 0, Insightful · on Apple Forcing Panther Upgrade for Security Patch

No, these problems are already fixed in 10.3 . It's 10.2 (and maybe 10.1, I don't know) that are vulnerable.

That fact should speak to those saying "just give them a week, the bug was only found yesterday", too. The bugs were found quite some time ago if they are already fixed in 10.3. It's just that the group that found the bugs withheld them from public disclosure to give Apple some time to fix them.

Bugtraq links by chennes · 2003-10-30 06:56 · Score: 5, Informative · on Apple Forcing Panther Upgrade for Security Patch

Here are the bugtraq links to the specific vulnerabilities:

Arbitrary File Overwrite via Core Files
Systemic Insecure File Permissions
Long argv[] buffer overflow

If it is going to be Apple's policy to not provide support for previous operating systems from the day the new one comes out it is going to be very, very difficult for them to break into the enterprise world. Even Microsoft provides support for operating systems for a few years after the new one is released. Maybe if enough people submit a bug report Apple will do something about it.

Bugtraq links by chennes · 2003-10-30 06:56 · Score: 5, Informative · on Apple Forcing Panther Upgrade for Security Patch

Here are the bugtraq links to the specific vulnerabilities:

Arbitrary File Overwrite via Core Files
Systemic Insecure File Permissions
Long argv[] buffer overflow

If it is going to be Apple's policy to not provide support for previous operating systems from the day the new one comes out it is going to be very, very difficult for them to break into the enterprise world. Even Microsoft provides support for operating systems for a few years after the new one is released. Maybe if enough people submit a bug report Apple will do something about it.

Bugtraq links by chennes · 2003-10-30 06:56 · Score: 5, Informative · on Apple Forcing Panther Upgrade for Security Patch

Here are the bugtraq links to the specific vulnerabilities:

Arbitrary File Overwrite via Core Files
Systemic Insecure File Permissions
Long argv[] buffer overflow

If it is going to be Apple's policy to not provide support for previous operating systems from the day the new one comes out it is going to be very, very difficult for them to break into the enterprise world. Even Microsoft provides support for operating systems for a few years after the new one is released. Maybe if enough people submit a bug report Apple will do something about it.

Re:That's a goal? by pc486 · 2003-10-29 09:11 · Score: 1 · on Microsoft Officially Shows Longhorn, WinFX

Right now I just browse through packet storm and SecurityFocus. You'll see all sorts of expolits, some are patched and others not. Be creative with some of them and you'll see how a cracker/hacker can easily use them to break a system.

As a side note, I used to keep a track of just IE exploits at the Unpatched IE Vulnerabilities place but they closed for business.

Re:That's a goal? by Anonymous Coward · 2003-10-27 22:35 · Score: 0 · on Microsoft Officially Shows Longhorn, WinFX

and it can't possibly be harmful, like a PDF

Viewing a PDF isn't necessarily harmless.

Re:That's a goal? by Anonymous Coward · 2003-10-27 22:35 · Score: 0 · on Microsoft Officially Shows Longhorn, WinFX

and it can't possibly be harmful, like a PDF

Viewing a PDF isn't necessarily harmless.

Honeypot pages = Honeytokens by Anonymous Coward · 2003-10-27 09:51 · Score: 0 · on White House Website Limits Iraq-Related Crawling

"I wouldn't be surprised if there aren't a few honeypot pages in there too."

Just for reference, I believe the term is "Honeytoken." Slashdot has discussed them, if you are interested.

Re:I wait until... by turambar386 · 2003-10-21 04:40 · Score: 1 · on Patching Paranoia - How Fast Do You Patch?

Security hole hits patched Internet Explorer
Microsoft Recalls Botched Browser Security Patch
MS security patch slows XP systems to a crawl
Microsoft withdraws faulty server patch
Microsoft replaces, broadens faulty Exchange patch
Microsoft fixes another faulty patch
Faulty Patch Leaves IE Open to Attack
More patching problems for Microsoft
Minor glitch in Win2K patch

RPC vulnerability returns. AGAIN!!! by FreeLinux · 2003-10-16 11:46 · Score: 2, Interesting · on Bill Gates: Windows Patched Faster than Linux

There were 7 updates yesterday!

And none of those updates covered the RPC vulnerability, again! That's right the Microsoft RPC vulnerability that has already been patched twice is STILL vulnerable and an exploit exists. Word is that Microsoft has been informed but, as usual, no word from Microsoft yet. The notification was sent 10 days ago.

So much for 24 hour patches. On the other hand, I must admit that I have no desire to reboot my servers every 24 hours so, it's just as well that Bill isn't as fast as he says he is.

I wonder if they will actually fix RPC on the third attempt.

Re:Virus FUD Everywhere! by stanmann · 2003-10-16 06:32 · Score: 1 · on First Napster 2.0 Review

Security focus article on MP3 vuln

Wired article on the same...

No biased opinions here! by Anonymous Coward · 2003-10-16 01:26 · Score: 0 · on Yet Another Critical Windows Flaw

http://www.securityfocus.com/bid

How many times in that list of recent vulnerabilities do you see Microsoft?

Not that I'm a Microsoft supporter in a major way, but still, what gives?

Re:True costs of Linux by bmj · 2003-10-15 07:47 · Score: 1 · on Wired Interview with Linus Torvalds

MOD PARENT UP!!!!

Actually, the first link should really point here.

Re:True costs of Linux by stienman · 2003-10-15 07:32 · Score: 3, Informative · on Wired Interview with Linus Torvalds

Ripped from here and here and some mandrake forums. Earliest post appears in February of this year, but it may be earlier.

-Adam

Mod parent troll^h^h^h comment up! by heironymouscoward · 2003-10-15 07:05 · Score: 1 · on Wired Interview with Linus Torvalds

Yes, my experience exactly! My VBScript kernel runs perfectly on a cluster of Windows 98 boxes, which are so stable that I'm using them as a support for the desk.

Linux is obviously a sham, written by weekend hackers, and frankly I'm surprised that the Apache team dared to steal the Microsoft-developed HTTP protocol for their IIS-alike so-called "web server". ... HEY!

IHTB!!

They still don't get it by evenprime · 2003-10-10 09:01 · Score: 2, Informative · on Ballmer Touts Focus on Security

Back in 2001, Microsoft's Steve Lipner said that code "Review is boring and time consuming, and it's hard,". They don't seem to understand that many people get a lot of satisfaction in doing that. Many people look for things to post to bugtraq because doing so is *fun* for them.

Steve Balmer's recent statement about vulnerability researchers - 'I wish those people just would be quiet' - is downright silly. They are the biggest company on the block right now, and there's always going to be someone who wants to make the big corporation look silly. Microsoft needs to wake up to the fact that there will *always* be someone who is a) bored, and b) wants to make them look bad.

Re:Why make your own? by hrbrmstr · 2003-10-08 13:43 · Score: 3, Informative · on Good PDA Wi-Fi Signal Strength Locator?

because the Kensington is a piece of garbage.

If you're going "headless" then the WFS-1 by Smart ID is the better way. Check out this SecurityFocus article to see why.

Give me a Linux PDA with kismet, wavemon and a Lucent gold PCMCIA card anyday (for 802.11b anyway).

Re:Some messed up scoring here. by jmo_jon · 2003-10-08 09:35 · Score: 1 · on New SANS/FBI Top 20 List

Here is one. Just search for bind on securityfocus and you'll find more

Re:Some messed up scoring here. by jmo_jon · 2003-10-08 09:35 · Score: 1 · on New SANS/FBI Top 20 List

Here is one. Just search for bind on securityfocus and you'll find more