Slashdot Mirror


Mac OS X 10.2.8 Update, Take Two

javaxman writes "OS X users will find Mac OS X Update version 10.2.8 is available via 'Software Update'. If you did not install the previous 10.2.8 update, the size of the new update is 40.6MB. If you installed the previous update, the size of the new update is small, ~680K... if you can connect to the network, that is. Clearly you get different downloads depending on what you did with the previous 10.2.8 update. Apple Knowledge Base article 25524 has the details. It looks very familiar. I'm installing mine right away, how about you?"

12 of 208 comments

  1. worst thing was 2 weeks to get ssh/sendmail fixes by Anonymous Coward · Score: 0, Insightful

    Apple, I expect better of you --- even the OS X server people had to remove the system-installed version and compile their own to not be vulnerable to Denial of Service attacks. I suggest people post feedback for this issue.

  2. The mini update created no problems by Anonymous Coward · Score: 1, Insightful

    I had the "pulled" 10.2.8 update installed and downloaded this small fix. I had not experienced any problems with the "former" 10.2.8 update. And everything is working fine with this Mac OS X 10.2.8 (6R73) update. OK, I admit to fixing permissions as a precaution. So go ahead and download!

  3. OpenSSL update? by phch · Score: 3, Insightful

    It's a little unclear whether the new problems in OpenSSL have been patched. According to the CERT page, Apple is reporting the vulnerability as fixed in 10.2.8. On the other hand, I have a 10.2.8 machine that still indicates OpenSSL version 0.9.6i, which is supposedly vulnerable.

    Again, on a side note, I wish Apple would allow security updates to be installed independently of the main bulk upgrade.

  4. Re:worst thing was 2 weeks to get ssh/sendmail fix by csoto · Score: 1, Insightful

    Sendmail and SSH are off by default. Sendmail is particularly difficult (e.g. there's no GUI) to enable.

    --
    There exists no way of exchanging information without making judgments. --Bene Gesserit Axiom

  5. Re:Just installed it... by damiam · Score: 2, Insightful

    OS X is a little weird.

    It's not like things don't work the exact same way in every other OS created in the past 10 years.

    --
    It's hard to be religious when certain people are never incinerated by bolts of lightning.

  6. Re:worst thing was 2 weeks to get ssh/sendmail fix by dstillz · Score: 5, Insightful

    Perhaps, if SSH and Sendmail were enabled in a default install, you might have a point.

  7. Re:This fix is great! by Scrameustache · Score: 2, Insightful

    Flame me if you'd like

    This sentence is guaranteed to get you modded down.

    I recommend not uttering it.

    --
    You can't take the sky from me...

  8. Re:worst thing was 2 weeks to get ssh/sendmail fix by Llywelyn · Score: 3, Insightful

    Meanwhile sendmail is not only not enabled by default, but there is no way to enable it without the command line.

    As for ssh, is there a working root exploit out? Just about *everything* that connects to the internet is vulnerable to connection overloading via a DoS. This makes it easier, sure, but that a DoS is possible isn't exactly a deal breaker.

    Finally, if you are using these in a production environment where security patches are time-critical, you should probably be compiling your own versions of these services and not depending on Apple.

    I would have liked to see the security patches come faster as well, but for these kinds of things it's not a big deal to me if they are a bit lax.

    --
    Integrate Keynote and LaTeX

  9. Re:worst thing was 2 weeks to get ssh/sendmail fix by Anonymous Coward · Score: 1, Insightful

    Meanwhile, moving into the land of people who actually GET work done on their machine, there have been instructions available for rolling your own ssh, replete with fix, available for roughly 12 days now.

    Get off your ass, do some work, and stop complaining - you fscking tool.

  10. Why install at all? by Anonymous Coward · Score: 1, Insightful

    Unless the update specifically fixes something that you are having a problem with, why install these interim updates at all? Remember the good old days when the free updates offered significant performance increases and new features? (Like 8. something). They ain't doing that anymore.

  11. Re:worst thing was 2 weeks to get ssh/sendmail fix by valmont · Score: 5, Insightful

    Well, maybe Apple has once failed to manage to do the grunt work for you in a timely manner. If I recall well, most other security holes had been addressed very rapidly in the past. This particular one tanked because it was rolled out as part of a buggy overall update. Big deal. That security hole existed on a service that is not enabled by default. And unless you are an Xserve customer with a valid, active support license, Apple doesn't owe you shit. Complain all you want. But if you enable "remote access" from your control panel, you should have a minimal understanding of the risks it presents and be prepared to cope with potential security issues, and unless you pay Apple, be prepared to wait for a patch.

    But you see, in the end, you still benefit from Apple's original architecture decision for the core of their operating system: An open-source operating system. Full disclosure as to where the bug lives. As you said it, even the OS X server people had to remove the system-installed version and compile their own to not be vulnerable to Denial of Service attacks.

    Be GLAD you were able to do that. Systems administrators who maintain production-environment servers have had OPTIONS as to how to deal with this situation, based on priorities. Sure it would have been nice to let Apple do the work for you. But hey, if you maintain something of importance, you'd better know your way around the operating system you maintain. But since those are all open-source components, chances are there were about 892739847238974 other people who had found a workaround and/or a solution to your problem within hours of the vulnerability being found, and chances are a good chunk of them have shared those solutions with the community at large.

    There is no such thing as a secure operating system. A secure operating system is not connected to any network and doesn't otherwise interact with anything or anybody. Security is a frame of mind, procedures and processes surrounding the usage of computing facilities, and does not exist in an absolute form. Certain practices and philosophies allow administrators to build systems that are more secure than others. But it is all relative.

    Take an off-the-shelf Jaguar installation, install it on a Mac, then run nmap on that machine. How many ports will you find open? ZERO. NONE. NADA. ZILCH. Not one. Why? How many will you find on Windows? 5 to 10 depending on which flavor you're installing.

  12. Re:yup! by cunnilingus · Score: 2, Insightful

    now that's cool news.. geesh.. maybe we should start posting every linux/windows update here too? i mean, wtf?