Apple Forcing Panther Upgrade for Security Patch
The Raindog writes "I noticed over at Tech Report that Apple is apparently only offering its latest round of OS X security fixes to Panther users, leaving older versions of OS X out in the cold." Update: 10/31 by J: But see the next day's story.
I thought only Windows was insecure...
Thanks to file sharing, I purchase more CDs
Thanks to the RIAA, I buy them used...
1) Stupid of Apple, if true; part of the appeal is the lower number of problems OSX has vs Windows.
2) They'll probably have a patch in a few days. If they're smart.
Napster-to-go says "Fill and refill your compatible MP3 player", which is a lie. It's not MP3. It's WMA with DRM.
Meanwhile at Microsoft HQ...
Gates: Damnit! Apple stole our idea to no longer support old versions of Operating Systems and force everyone to upgrade! Lawyer #1, isn't that illegal? Let's get a suit together!
Here are the bugtraq links to the specific vulnerabilities:
Arbitrary File Overwrite via Core Files
Systemic Insecure File Permissions
Long argv[] buffer overflow
If it is going to be Apple's policy to not provide support for previous operating systems from the day the new one comes out, it is going to be very, very difficult for them to break into the enterprise world. Even Microsoft provides support for operating systems for a few years after the new one is released. Maybe if enough people submit a bug report Apple will do something about it.
I hope Bill Gates doesn't hear about this practice ... Besides, aren't they OBLIGATED to fix software that they wrote and sold to people when it's discovered to be insecure? I don't see how Apple thinks they can get away with this.
If Microsoft did this there would be a huge outcry (BTW I hate Microsoft and all they stand for.) But at least Microsoft waits a few years before stopping support for the older versions of its OS.
Wind-OS X?
Did MS buy Apple when I wasn't paying attention?
Jobs is taking a leaf out of Gates' book.
I remember how people reacted when they found out that Microsoft was going to stop patching Win98. At least they had the decency to wait 5 years. OSX is a really new product; why would they stop putting patches out so soon?
"You didn't pay up when we wanted to, and so now you're screwed."
How much of this attitude until you're paying for each security update? I'm sure MS would love it if they could get away with it. A steady waterfall of cash.
I'm sure there'll be enough of an outcry to fix this behavior. I can't imagine people would tolerate this kind of BS for long.
~D
This sig has been enciphered with a one-time pad. It could say almost anything.
If MS did this, the /. crowd would scream bloody murder (hell, they have... and y'all have.) But you know Apple apologists are going to have some reason why this is OK for them to do, and try to make it out like Apple is still the good guy, no matter what.
Don't get me wrong, I love my Macs, they're all I use, but Apple fanboys make me ill.
My sig is blank, I typed this by hand.
I can't remember anytime Apple has ever released an update for a non-current version of MacOS. They always assume that you should update to the latest version that you can run on your machine.
There are all sorts of bugs in 10.1 that Apple has addressed in 10.2 and 10.3. That does not mean they go backwards and release patches for older OSes. They don't have the resources to do that. Many such bugs are also potential security holes.
Avoid Missing Ball for High Score
I'm no expert. But is there a possibility that it is only possible to patch this security hole on Panther?
In US, you can easily buy enough major firearms to wipe out your neighbourhood but a few little fireworks are banned.
While Apple no longer releases point releases on prior releases of OS X, they DO release Security Releases. I think we all need to give them some time to finish the patch and post the update. Apple has *never* left users out in the dark, especially with recent releases (i.e. 10.2, 10.1). I know several users who are still using 10.1 and have received several security patches.
Microsoft is evil! No, SCO is! No way, Sun is evil!
Apple forces you to pay for security fixes, folks. Why aren't they on the list above?
At least MS tries to patch its bugs; if Apple refuses to offer patches for free, it's setting itself up for some serious troubles methinks
AC comments get piped to
It's a little unfair on those who bought 10.2 several months ago - compare them with Microsoft, who only just stopped providing support updates for Windows 98. Apple have stopped providing updates for my copy of 10.1, bought a year ago. However, I guess OS X is generally more secure than Windows anyway, so fewer updates should be needed.
... and I was gonna boycott Panther until they added an 'up' button to the Finder. Oh, well..
Isn't it possible that they just haven't released the 10.2 patch yet?
This page was generated by a Barrel of Circus Midgets, and that is the way I like it!!!
of screwing its own customers. I learned that well -- I bought a @&#* Newton.
Some third party news site is making a claim that apple didn't have a comment in and we are supposed to take that to mean that it is true?
Apple isn't stupid, there will be patches, and if there won't be then wait until they release something about it before you start burning them in effigy.
Glad to finally find out who believes all of the things in the tabloids
And you wonder why some of us STILL claim Apple is no better than Microsoft despite everything Apple is doing? Well, this is the perfect example why. For every good thing Apple does, they do something just as bad. It only takes one rotten apple to ruin a whole basket.
Mac OSX is great. Sure. But it's still proprietary software owned by a control freak company that down to its very essence is an even bigger control freak than Microsoft. Neither is satisfactory.
In other news, it should come as no surprise to anyone that a computer has a potential security flaw. Does it have a keyboard? What's that? It does have a keyboard! Why, someone could just walk in and START ACCESSING YOUR COMPUTER by simply typing on it.
On the upside, the amount of skr1p7 kiddies who are likely to find Mac exploits and use them are surprisingly small. They're more apt to want to break into Windows machines because 1) it's easier 2) it's more well-documented and 3) what they want to break in to (a friend's computer, school computers, etc) probably run Windows, statistically speaking.
IAALS.
"Imagine if Microsoft tried to charge for security fixes--people would go crazy," Larholm said. And the Apple users are going to bend over and take it?
I, for one, am not happy... I stupidly let AppleCare lapse on my iBook... now it needs a new logic board ($500 repair job). I don't have the $$$ for Panther right now, and I'm extremely upset about the immediate lack of support for old OS versions.
But really, would my excessive ranting and whining on /. really make a difference? No. There's no point to it, so I'll spare myself the energy for more enjoyable pursuits. Like nethack :)
This is a typical Apple bluff. Of course they want everyone to upgrade (and pay $129 yet again), and hope to encourage users to do so with new features (such as the drool-worthy Expose). Apple has many times tried to cut off support for earlier versions of an OS and had to eventually relent. Sometimes it takes a lawsuit for them to do so. OS X is just getting some great press so it would be very damaging if the bad press from this decision serves to highlight a security vulnerability in what is otherwise being lauded as much more secure by design than any flavor of Windows. Expect Apple to quietly issue a patch for 10.2.
...and if you were a company with only 3% market share, what would you do? It's a for-profit company folks. It's not a glaring windoze RPC hole or anything. They have to make money somehow.
Cut them some slack--they're competing against MS.
This bug was found and reported three days ago. I don't think Apple has issued a statement saying they will or will not release a patch. Everyone seems to be acting like there will be no patch, as if Apple has issued a statement to that effect.
Let's not get too pissy yet.
Welcome to the world of proprietary software.
On the surface, it seems a bad move not to offer patches to Jaguar (10.2.x) users. If the assumption is correct, that Apple is indeed withholding a patch simply to spur sales of Panther (10.3), it borders on bad ethics. There are many users of now unsupported hardware that won't run Panther who rely on their Macs to earn a living; Apple seems to be holding their security as ransom, forcing them to upgrade not only the OS, but hardware too. - Bad form, Apple! In all fairness, we need to see what the next few weeks hold regarding Apple releasing (or not releasing) a patch. I'd be very surprised if they don't. It's probably just a marketing tactic to spur every possible user to upgrade - Still, bad form.
Click and help me get an iPod?
I don't see why anybody aware of the open source technologies that underpin OS X couldn't just locate and apply the fixes themselves. The users who don't know how can pay for the convenience of continued consumer-level support. As for the OS specific security concerns, is it unreasonable to expect an upgrade when there is a new OS release?
If you disagree then it must be overrated, redundant or trolling.
From TFA: Other vulnerabilities could allow a local or remote user to crash the system.
Lol, I'd love to see the patch they came up with for preventing a local user from crashing the system.
-You may license this sig for only $6.99.
This hasn't been a good followup week for Panther. First the upgrade issues, then the abysmal transfer rate of the Belkin iPod media transfer thingy, now this security update fiasco.
Stebe, please save us with all your messiah powers. We want to bask in the glory of your healing rays!
I'm very sure Apple will bring out the patches.
If they didn't they would lose a lot of trust in their community and I would no longer think of buying an iBook myself.
Apple isn't cheap, but they have good hardware and Panther is, as far as I can judge it, a very nice example of friendly unix.
They can't continue without bringing out the patches.
42 + 1 = 42
.... I had enough money to be a MAC user.. I mean $2k+ for the Computer then $129 for security updates ...I mean upgrades every what ??? 6mos..
I only wish I had this kinda cash laying about =)
oh yeah in other news m$ announces SP2 for windowsXP is cancelled and windows XP.1 will cost $129 =)
actually I am happy to see you, however that is in fact a banana in my pocket.
It seems really dodgy that something as big as a security update would be withheld from an OS that was "current" until a week ago. I'm just going to wait and see what happens. My guess is that they'll patch Jaguar in the near future.
-or so you'd think
Time to pay the piper OS X users. Why do you think we call it FeeBSD.
Whoa, slow down - Apple has not said they aren't going to support 10.2 Jaguar. I'd be willing to bet they simply released the Panther patch first.
At least a simple security issue isn't $130...
This isn't new news. I guess Apple is getting enough use now that people are starting to care. Apple has been very bad about software updates on old OSes. We're still running a 10.0 server and there haven't been any software updates for it in ... well I can't remember the last one. Mind you I do have the same option now as any other *nix user of downloading and compiling my own services... which is less convenient but just as effective.
There are clearly security updates posted here for 10.1 and other updates posted here for 10.2.
I would think that fixes for these bugs will be available from these locations.
10-4,
os-xor
Who's tolerating it? The posts I've seen here aren't, for the most part, sympathetic to Apple. Microsoft takes their licks here, as does Apple. If Microsoft seems to catch more of it, well, maybe they're just working harder at earning our hostility. That doesn't mean Apple gets automatically praised for (what initially appears to be) a boneheaded security patch policy.
Score 1:Troll, thank god. /. finally modded something correctly =)
You'd have to ask Apple users why they let Apple treat them that way. Apple is well known for sticking it to its users, but even so they remain as loyal as ever. They obviously feel that the Apple experience is worth it to them no matter what. They are also used to being told how things are going to be and relish having one company making all their decisions for them. Hence why so many Apple users have a strong desire to use nothing but Apple software and hardware. In return they have to take the good with the bad. The bad in this case being if they want to continue enjoying the "Apple experience" they need to pay up.
So personally do I think it's unfair to force people to upgrade just because Apple is too greedy to backport to an almost new OS? Yes. Does my opinion matter to Apple users? Nope.
If you wanna get rich, you know that payback is a bitch
That's so wrong that I have a hard time believing that this is actually Apple's position. I expect that we'll hear from Apple shortly, and they will clarify their position -- that the patches for 10.2 will be out Real Soon Now.
But if not, Apple's going to get a lot of bad PR from this.
Easy, automatic testing for Perl.
That perhaps the vulnerabilities are limited to Panther...
Just wild-ass speculation of course, I have no reason to believe this is the case...
However, my father, a long-time Mac user, has commented on this before. Now, being an educator, it was always trivial for him to keep current; mostly the Faculty IT group would keep all the Macs current.
TBMK, there isn't any way to force Apple to offer the patch to preceding versions, and the license probably states as much. That said, it really isn't great publicity.
Kind of cries out to update the old aphorism:
Any press is good press, unless it lumps you in with M$...
"Talk minus action equals nothing" - Joey Shithead, D.O.A.
I just looked at the BUGTRAQ mailings, and I get the impression that you need physical access to the computer to break in to it. Have I got that right? I'm no expert, but I've always assumed that given physical access to a computer, a decent hacker could easily have their evil way with it. Of course that doesn't excuse Apple's failure to provide a patch and their rather glib upgrade suggestions.
Patches... We don't need no stinking patches.
More of my thoughts
Apple is a proprietary, EXPENSIVE, rip-off company; once you strip away the candy colours, the iApps, and the G5, Apple is just a company that offers less for more.
Want a fast CPU? Get an Athlon 64, or a second-hand SPARCstation.
Want candy colours? Get KDE; the Keramik GUI included in 3.1 and improved in the upcoming 3.2 is a whole lot better than Aqua. Plus you can switch to a plain style if you don't like it. Face it, Apple is a disgrace to the community. They are fucking expensive outside the USA (A G5 costs the equivalent of $5000 in my country, where $20000 a year is RICH! x86 is expensive too, but at least I can get one for around $50)
Fuck OSX, Fuck Apple and Fuck the Apple zealots who will mod the truth unfairly -1, flame "zealot got upset" bait.
I, for one, welcome our Linux overlords, and when Christmas comes I will have KDE 3.2, which will put a cap in you zealots' ass once and for all (If you haven't tried the KDE 3.2 alphas, you don't know WHAT you're missing)! Not to mention that Apple uses KDE technology in OSX.
While this could be true, Apple has not made an official statement that I know of. Someone saying they talked to someone at Apple does not make policy. It is entirely possible that Apple has just concentrated all resources to get Panther out the door. No work was allowed on previous versions until it was done. It's just as plausible as the radical "they won't fix Jaguar." Until Apple states their official policy people shouldn't fly off the handle.
Security Fixes already?
wtf?
do() || do_not();
IF these bugs aren't Panther-only (I haven't been able to verify either way) AND Apple doesn't cough up a patch soon for the Jaguar and earlier OS X variants, then yes that's a seriously crappy thing.
Doesn't fit Apple's pattern at all on security patches though, which is why I believe it's either Panther-only or an additional patch will be out soon for older revs.
Speaking of which, just about to do a clean install of Panther on a new HD....
Hey, let's remember that this is Apple, folks. They can do whatever they want and Apple fans will continue to love them. Don't want to upgrade? Too bad! Steve commands thee to upgrade, thus thou shalt upgrade! But never in a million years will anyone criticize Apple for this. Apple gets a free pass!
Now if Microsoft were to do something like this...
...oh wait... ...they've already sunset (gasp!) Windows 98, a five year old product! And NT 4.0, an eight year old product! And remember the howls of protest, the derision, the "you're a fool for running Windows" comments that graced this oh-so-thoughtful-and-unbiased website when that was announced? Oh, how MS caught hell for their heavy handed tactics, forcing users to upgrade in order to get the latest features and patches!
But that's Microsoft, and this is Apple, and us anti-Microsoft zealots must maintain our double standards! Praise Apple! Damn Microsoft! Oh, I feel good!
... that maybe the bug just isn't there in 10.2?
Perhaps it's not so much a forced upgrade, as it is that the bug was introduced in 10.3, and 10.2 is fine?
Coz in Appleville no one knows what a computer is...
the latest flaw is apparently only a 10.3 problem, hence the 10.3 only update.
*** For a better tommorow, change your life today ***
NetInfo connection failed for server 127.0.0.1/local
Wow. Maybe we should calm down and wait to actually HEAR SOMETHING OFFICIAL from apple before we get the torches and pitchforks out.
"My job duties involve frequent copying of 17 MB files from one location to another."
So when you see someone with the "Go away or I will replace you with a very small shell script." t-shirt, you basically have to do what they say? Cool.
But I don't see a bunch of posts from Mac users saying "Oh, well this is ok."
What makes you think that Mac users think this is ok?
All the more reason to turn to piracy. I'm sure a lot of people that would have stuck with their existing version of OS X are going to just pirate a newer version. The amount of piracy in response to this dumb move from apple will probably exponentially outweigh the amount of legal upgrades.
Some third party news site is making a claim that apple didn't have a comment in and we are supposed to take that to mean that it is true?
Maybe you should try reading the article. And maybe moderators should, too, before modding up your comment.
Relevant section of article below, because you're too lazy to click a link:
Apple declined comment.
David Goldsmith, director of research for @stake, a security company that found four of the vulnerabilities, confirmed that Apple said it wasn't going to patch the flaws in earlier versions of the software.
"In my initial conversations with them, they said they weren't going to fix 10.2, but I wouldn't be surprised if they change that," he said.
"Security Update 2003-10-28 addresses a potential vulnerability in the implementation of QuickTime Java in Mac OS X v10.3 and Mac OS X Server v10.3 that could allow unauthorized access to a system."
So it seems that only Panther is vulnerable, and there is no need to release a patch for 10.2.x and 10.1.x.
I guess I'm going to be modded as flamebait...
;-).
/flame
But...
If I had to upgrade my OS every year in order to get the latest security patches, I would shit a brick.
Seriously.
I'm glad that all the machines in my office get automatic patches from SuSE. I spend enough time screwing around with the applications on my system.
If my OS works, I don't want to have to upgrade it. I don't care how easy it is, I don't care how much cool stuff comes with it.
That's what my 'test-bed' (read toy) systems at home are for.
When I'm working, I have work to do. We've been very, very seriously considering getting some OS X boxes, but if I don't see a patch come out for older version of OS X, the most I will do is get a Mac for my home (to go along side my 8 pcs
No patches=no business use.
Seriously, though, I'll be very surprised if they don't patch the older versions. They'll probably get round to it after a week or so.
WhiteWolf666 an exBush supporter. All you new-school,compassionate,save the children Republicans can rot in hell
[skr1p7 kiddies are] more apt to want to break into Windows machines because 1) it's easier 2) it's more well-documented and 3) what they want to break in to (a friend's computer, school computers, etc) probably run Windows, statistically speaking.
Although you are correct, why would script kiddies care about (1) and (2)? Those are issues for the script writer, not the script downloader/runner.
Apple, as far as I know, has always tried to keep up with industry standards by forcing its users to buy the new soft/hardware of the times. Their software prices don't seem to be all that high. A quick glance at Apple's site said that the new OS X Panther is only $129 while just an upgrade to Windoze XP Pro is $199 (a full version will run ya $299, this is from M$'s site). Remember back when Apple decided to switch from the 68k to Power PC format? Everyone hated it but look what happened. Apple had a brand new architecture that was very powerful and reliable and from what I understand, the OS's for the early PPC's were very good and user friendly. I don't really see this as being unfair, Apple is a very up to date company that tries to maintain an image of modern computing. The computer industry changes so much that people get lazy and never upgrade their software and then they complain when it becomes too slow after a few years. All Apple is doing is making sure its users are up to date. Apple doesn't give their software away for free but I believe that it's reasonably priced. I am not an Apple user but I wouldn't mind being one. I like how they have good, solid hardware and decent software to support it. I hate M$, I hate their software and their horrible business practices that push people around.
Trick or Treat!
and I think so because of this:
I upgraded my machine at home 10.2.8->10.3. Unfortunately, one piece of software would not work (Silverfast SE, my scanner software. It would not detect the scanner even though the System Profiler showed that it was at SCSI address 2).
It was easy to downgrade to 10.2, then run software update to get back to the 10.2.8 system. Then I realized that there were security updates for 10.3 that were unavailable to me. My choice is security updates, or using my scanner. For now, I have chosen to stick with 10.2.8.
This is OK at home, as I only have one computer behind a firewall, but the dilemma is unacceptable at my job.
At work, our CIO, my manager, and several staff use Macs, and we wish we could bring them into the company; our CIO said that the 15" PB is the best computer he has ever used. But, we are still running Windows 2000, and only stopped using NT4 a few months ago, but MS made security patches available up to the end. We continue to download and install security patches for 2000 server and workstation.
I think it is unreasonable to tell a company to upgrade all machines on the vendors' schedule; companies need to control their own upgrade cycle if their environment is to be stable. I work for a financial management company, and we have consistently near-zero downtime, in part because we control our software upgrades. We have a company policy of making no changes the last week of the month when accounts need to be settled, and no changes for one month at the end of the fiscal year so we can close our books. However, critical security fixes are required, after reasonable testing on our QA systems.
If Apple gives us the choice of a) no security patches after one year max, or b) one critical app stops working on the new version, it means no OS X at work.
Worse, Apple has no clearly stated policy on upgrades, support, patch releases, and end-of-life schedules, and nobody you can get on the phone tells the same story. They are a very secretive company, which does not help when selling to the corporate market. I have read that Apple recently started setting up a corporate sales force, so hopefully this message will get back home and get into the right ears.
And, we don't like Windows, but MS at least tries to get security fixes out and does state when we can expect support for old releases to stop, so we can make a schedule for ourselves.
In other news, it should come as no surprise to anyone that a computer has a potential security flaw. Does it have a keyboard? What's that? It does have a keyboard! Why, someone could just walk in and START ACCESSING YOUR COMPUTER by simply typing on it. If you live alone (or you trust the people you live with), then the walls of your house are your "security." If your home is that insecure, I'd be more worried about someone walking away with your big screen TV than fooling around on your computer. Even if there are many people who could theoretically access your computer, don't most modern operating systems require users to log on? Sure, some systems allow you to disable password requirements, but that's your own choice if you want to trade security for convenience.
When Microsoft stopped support of Windows 98, they linked on the Windows 98 support webpage to Microsoft Support Product Lifecycle. At least they have a consistent product support policy. I mean 98 was released 5 years ago, so it goes with their policy of only providing support for 5 years from release for consumer products. That's more than you can say about Apple.
Is a rabidly pro-Microsoft and anti-Mac site. Just check the tone of previous stories.
You can't believe everything you read on the 'net!
Bad analogies are like waxing a monkey with a rainbow.
"'In my initial conversations with them, they said they weren't going to fix 10.2, but I wouldn't be surprised if they change that,' he said."
"'...this is the first time they have hinted that they will not be supporting any particular OS X version for more than that year...'"
Though Apple has been slow in providing updates to fully support their hardware in OS X (e.g. the ATI driver issue), this story is based on speculation on the part of the people interviewed. Also, there is no comment from Apple, so much for quality journalism.
From the site at @stake....
Release: 10.28.03
Name: Long argv[] Buffer Overflow
Application: Mac OS X
Platforms: Mac OS X 10.2.8 and below
Severity: Attacker can crash Mac OS X and possibly execute commands as root
Author: Matt Miller and Dave G.
Overview: It is possible to cause the Mac OS X kernel to crash by specifying a long command line argument. While this primarily affects local users there may be conditions where this situation is remotely exploitable if a program which receives network input spawns another process with user input. It is possible to use this condition to dump small portions of memory back to an attacker.
Release: 10.28.03
Name: Systemic Insecure File Permissions
Application: Finder (and many others)
Platforms: Mac OS X 10.2.8 and below
Severity: High
Author: Dave G.
Overview: Many applications are installed onto Mac OS X systems with insecure file permissions. This is due to two distinct classes of problems:
A security issue regarding DMG files managed by Mac OS X
Insecure file permissions packaged by different vendors
The result is that many of the files and directories that compose various applications are globally writable. This allows attackers with filesystem access to an OS X machine to replace binaries and obtain additional privileges from unsuspecting users, who may run the replaced version of the binary.
Release: 10.28.03
Name: Arbitrary File Overwrite via Core Files
Application: Kernel
Platforms: Mac OS X 10.2.8 and below
Severity: High
Author: Dave G.
Overview: In the event a system is running with core files enabled, attackers with interactive shell access can overwrite arbitrary files, and read core files created by root owned processes. This may result in sensitive information like authentication credentials being compromised.
Yeah, they're bugs, and yeah, it's possible. But don't these phrases kinda limit the scope?
"While this primarily affects local users"
"This allows attackers with filesystem access"
"attackers with interactive shell access"
So to me this doesn't mean the end of the world, or that all my data is wide open and exploitable from the public internet. I'm guessing they'll patch it when they can, and the fact that it's patched in X.3 probably means they're using a different release of the software in question that is inherently invulnerable to these issues.
Why is this modded as Troll? It's a perfectly reasonable and relevant point, users of _free_ software are not subject to the forced upgrades of companies and this posting exemplifies exactly the kind of behaviour that free software frees you from.
Whenever a Microsoft or Linux hole appears, the Apple extremists come out of the woodwork, talking about how "If Apple was the majority player, not MS, none of this would happen." Well, guess what. If Apple was the majority player, this would have just screwed the majority of computer users.
True, when Blaster was running rampant, MS refused to patch NT4 systems. But, those systems were not 1 year old either. This behavior is completely irresponsible of Apple, and should be a good example of why, even though the core is open source (Darwin), if you rely on proprietary extensions (Aqua), etc., you have the potential to get burned.
Overrated / Underrated : Moderation
... a patch to 10.2 called 10.3.
So it's a $129, it's a little buggy- but it comes with a colorful manual, in a sleek black box.
Microsoft forces you to update your computer through Windows Update---they don't give you a manual, and they don't put it in a box...
No wonder they can't get anyone to use Windows Update-- If they would only box their updates and charge 129$ for them this whole trojan/virus issue would be over.
The same security company who recently fired an employee for publishing a paper saying Windows is insecure because it could damage the company's relationship with Microsoft has now identified three security issues in Mac OS X 10.2, which do not exist in 10.3. They made this announcement two days ago, and people are screaming that Apple is screwing their customers because they haven't released a patch within two days. Because 10.3 is not affected by these issues, upgrading to 10.3 would be one solution. Another solution would be to wait until Apple develops and tests a security patch for 10.2, which will probably take them about a week.
Remember that when security issues are found in Microsoft products, Microsoft is usually notified in secret months before the issue is made public, so that they have time to develop a patch.
Summary of the first issue: a user could:
a) turn on core files, so when a process crashes it will dump core to a world-writable directory
b) mount a disk image (or presumably any other writable filesystem such as an SMB mount)
c) make a symlink in the cores directory with a particular PID in the filename, pointing to an empty file on the mounted filesystem
d) cause that particular process, which could be owned by root, to crash, overwriting the file that was linked to
e) read the resulting core file
Or skip steps b and e, and just use it as a DoS to overwrite something important, but unless you've hacked OpenFirmware to prevent booting into single-user mode or booting from CD, anyone with physical access to the machine can do this anyway.
$x='S24;r)>63/* h@<5+oZ)32"5cz';$me='phroggy'x$];
$x=~y+ -xz+\0-Tx+;print$_^chop$me for split'',$x;
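A defender-side check for the preconditions in steps a and c above (core dumps enabled, a writable cores directory, a planted symlink), written as an added example for this thread and not taken from any poster or from Apple. It assumes the cores directory is passed as the first argument (10.2 used /cores) and treats a directory that is not world-writable and holds no symlinks as the safe state:

```shell
#!/bin/sh
# Added example, not code from the thread or from Apple.
# Audits a core-dump directory for the two conditions the first @stake
# issue depends on: every local user being able to create entries in it,
# and a symlink already sitting there for a root process's core file.
# Assumption: the directory to audit is passed as $1 (10.2 used /cores).

# Returns 0 when core dumps are enabled for this shell's limits,
# 1 when the soft limit is zero (the Jaguar default, per the thread).
core_dumps_enabled() {
    lim=$(ulimit -c 2>/dev/null)
    [ "$lim" != "0" ]
}

# Prints findings and returns 1 if any were found, 0 if the directory
# looks safe, 2 if it does not exist.
audit_core_dir() {
    dir="$1"
    findings=0
    if [ ! -d "$dir" ]; then
        echo "no such directory: $dir"
        return 2
    fi

    # Permission string such as drwxrwxrwt; the 9th character is the
    # "other write" bit. Any user being able to create entries here is
    # what lets a symlink be planted in the first place (the sticky bit
    # only stops users deleting each other's entries, so it is not enough).
    perms=$(ls -ld "$dir" | cut -c1-10)
    case "$perms" in
        ????????w?)
            echo "world-writable core directory: $dir ($perms)"
            findings=$((findings + 1))
            ;;
    esac

    # Any symlink in the directory is suspicious; one named like a core
    # file (core.<pid>) matches the overwrite step exactly.
    for entry in "$dir"/* "$dir"/.[!.]*; do
        [ -L "$entry" ] || continue
        name=${entry##*/}
        case "$name" in
            core.[0-9]*) kind="core-named symlink" ;;
            *)           kind="symlink" ;;
        esac
        echo "$kind in core directory: $entry -> $(readlink "$entry")"
        findings=$((findings + 1))
    done

    [ "$findings" -eq 0 ]
}

# Stand-alone use: sh audit_cores.sh /cores
if [ -n "${1:-}" ]; then
    if core_dumps_enabled; then
        echo "core dumps are enabled (ulimit -c = $(ulimit -c))"
    else
        echo "core dumps are disabled for this shell (ulimit -c = 0)"
    fi
    audit_core_dir "$1"
fi
```

Run it as root against the real cores directory and again with the core limit raised, since the per-shell limit is what step a of the writeup turns on.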
From http://lists.apple.com/archives/security-announce/2003/Oct/28/applesa20031028securityu.txt (login: archives, password: archives):
> The issue does not exist in earlier versions of Mac OS X or Mac OS X Server.
-- Charles A. Plater
Then Karma comes along and sticks a shard of glass from a window that breaks as you're passing by through your fucking eye!
Sorry.
Of all the types of fanboys, why are Apple fanboys the worst?
We hear regularly from the NVidia and ATI fanboys, but at least they don't have a way of life that revolves around their graphics cards. Apple fanboys seem to have their own culture, and probably should have their own schools.
Give it a day or two. Apple has not said that they won't be issuing the patch for Jaguar, they merely haven't released it yet. In all likelihood, a Jaguar patch will follow.
If memory serves, they continued to issue security patches for 10.1 after Jaguar was released. I see no reason why they'd choose to alienate their customers by not doing the same for Jaguar now that Panther's out in the wild.
Journalistic integrity on Slashdot? Yeah, I'm asking a bit much.
I think I've figured it out.
They have a hardened group of insane users who simply won't switch to anything else.
As such, it makes good business sense for Apple to make them pay through the nose. They've got them by the short and curlies; now they can generate revenue by forcing Apple users to constantly purchase new stuff.
Look for Apple to move to a subscription OS model, soon.
WhiteWolf666, an ex-Bush supporter. All you new-school, compassionate, save-the-children Republicans can rot in hell
The new viruses will be shipping worldwide in early 2004.
Consider that Sun supports their OS for 10 years. That's enterprise quality.
This is a 10.3 only problem and the writeup on this topic needs to be fixed. Jesus, look at the people who came out looking for an excuse to bash.
When you have a whole bowl of oranges sitting on the kitchen counter, and one of them starts to go soft and mouldy, and then the rest of them nearby get mouldy too. "Rotten" is sort of contagious. But then, I'm comparing--
nah, forget it.
Good news is Linux already runs on this platform :-)
Only MVS and VM/ESA, the king and queen of operating systems, are totally without security flaws.
And then Karma comes along and...wait a minute, that's a different ending.
Erm, the glass from that window sticks into the end of your nose!
Bad AC, BAD BOY! Go to your room.
and I cannot get a patch for the 10.2 that runs on them (beige G3). Talk aboot a rock and a hard place!
why doesn't someone write a letter to Apple and find out exactly what's up? I would but I really don't care. The fact that none of the posters know the full story, and are only assuming, is bothersome.
...Tech Report is a site that capitalizes on hearsay and likes to spread FUD. Avoid in future.
-- thinkyhead software and media
I find the whole patching debate interesting... As someone who just bought a G5 with 10.2, I am paying for the $19.95 upgrade to 10.3 anyway but I would also prefer that if I chose not to that they would patch the bug/security hole.
What I find interesting though is expectations... For example, if you buy a PC game and find a bug, you expect to be able to go to their web site and download a patch. OTOH, if you buy the SAME game for PS2, you certainly don't expect patches -- you expect it to work.
Come play Moral Decay!
Since most of the posts so far have been concerned about equality in policies across OSes, here you go:
BLOODY MURDER!!!!!!
-You may license this sig for only $6.99.
So, you mean that a vulnerability in 10.3 has to exist in 10.2?
It's not at all possible that with new functionality comes new bugs?
The very title of this story indicates a lack of proper investigative journalism. Of course, this is /., so I'm not at all surprised.
Raptor
"Procrastination is great. It gives me a lot more time to do things that I'm never going to do."
1. Core Files are disabled by default. So unless you've enabled them you should be ok.
2. DMG Folder permissions can be a problem but I think the bigger problem is broken permissions on executable program distributions. Publishers and developers aren't using the right permissions.
3. The buffer overflow crashes the machine but does not dump any sensitive data; no logs, only memory addresses are dumped. This is generally not sensitive information.
In addition, I think it's kind of lame to say that Apple will not release a security update for 10.2; perhaps they just haven't released it yet. These flaws don't seem to be terribly pertinent since they all require that you already have access to the machine: one of them requires that you dig in and enable core files, another requires insecure app permissions (not Apple's fault) and a trojan, and the last is an overflow which must be within narrow length limits and does not dump sensitive data.
Panther hasn't even been out a week yet.
Just because you are a LinSux user and your OS runs on crappy CPUs, has no apps or user interface to speak of and sucks rocks through a garden hose, don't come whining to us. Fact is, this is a wise business decision on the part of Apple, a company that does not rely on volunteer hobbyist developers to do its work. Your stupid attempt to paint all Mac users as mindless automatons appears to be newspeak cover for the fact that you are yourself a mindless Linux-loving automaton.
Apple apologists are hard at work in this very thread. I have eight examples here for you; what more do you want? There isn't anything Apple could do (anti-trust would prevent an MS sellout) to its users that they wouldn't defend religiously. The merits are never relevant with the Mac Zealot, only the worship. I'm reminded of a battered wife who will never leave her husband despite getting beaten again and again.
e nth
First
Second
Third
Fourth
Fifth
Sixth
Sev
Eighth
Why don't Apple just be done with it and call it OS X subscription? After all, I bet most of their customers are paying $120 every 12-18 months anyway just to keep their machines current. So why not be honest about it? And this on top of the premium for the hardware.
Apple is great at requiring new boards for a broken trace...we had a 128K Mac that "needed a new analog board." Found the trace, fixed, it worked for a while...when it stopped, we shimmed the case with a wedge that put enough pressure on the board that made it work again.
This is a stupid non issue.
It was originally caused by developers using third-party installers. Most developers now use Apple's installers.
A simple cron job repairing permissions will fix the problem.
This is just plain ridiculous, as stated the bug may not be in 10.2, and on top of that, just because a patch has not come out yet, does not mean that it is not going to come out.
Show me ONE software company that posts lists of patches that are yet to come! If a company did do that, all they would be doing is making a list of bugs for people to exploit. Typical Mac bashing, plain and simple.
How quick it is that pee cee userz are to jump on the bash-Apple bandwagon. Yet more proof that you are all scared shitless of the superiority of Apple products, and indeed, Apple users.
But in the end, when you're searching for the right text files and information to configure the right setting so your computer can work with the latest hardware you installed, I'll already have it running.
Such a statement, apparently confirmed by Apple, will keep Mac OS X out of any server applications. Just imagine Sun saying something similar.
Since Oracle server is out for OS X, I had been thinking about Macs for certain server applications.
At home, I have both an iMac and a beige G3. My beige G3 is not supported under 10.3; according to Apple I cannot upgrade (until xpostfacto gets through with them). Apple just tried to put a gun to my machine's head and pull the trigger.
Because they are dropping hardware in 10.3, they need to support 10.2 indefinitely.
I am not amused.
In SU, slashdot admits that michael sux.
You obviously didn't. See the first reply to your post.
As I've said before, and apparently the anti-Apple automatons on slashdot are too thick-headed to hear: this is a perfectly valid business decision for Apple to make with their limited resources. Unlike Microsoft, which has a monopoly, and Linux, which has thousands of amateur hobbyist programmers (which shows in the quality of their work), the professionals at Apple have only so much time and effort they can put into creating top quality software. The fix for this has been stated and is clear: if you need an up to date operating system, you should pay for it. In the real world, we live in a capitalist country with a capitalist system where people get paid for the work they do. If you don't like capitalism, use Linux, but you will of course get what you pay for. Those of us who have made the switch to Apple understand that superior technology is the result of hard working professional programmers who are not afraid to stretch the limit of technology and innovation to create products that make our lives easier. So stick to Linux, or Windows, or whatever. In the meantime, I'll pay the cheap upgrade cost and get back to doing actual work rather than struggling with kernel patches and email viruses.
Sigh. Get a life, people. You cry foul over the most inane things. Yeah, Apple is not going to support any 10.2 users now that 10.3 has just been released. Duuuh. If you are only paranoid about esoteric security, or running a very high profile machine, run OpenBSD. Maybe it was quicker and simpler to get the 10.3 update out, or was more serious for 10.3 than 10.2. Maybe all of you need to get out into the world a little more often. You're in love with your computers, and your computers won't do jack shit for you in a brick fight.
Leave old stuff broken, force upgrades. Office anyone? Every version of windows?
Just goes to show that Apple isn't above being a greedy corp. They care more about their bottom line than the security of their product.
-- Having a Creationist Museum is like having an Atheist place of worship
I'm reminded of a battered wife who will never leave her husband despite getting beaten again and again.
A few people point out that there's no evidence to support the story yet, and you're reminded of a battered wife? I bet every time you stub your toe, you're reminded of the Hindenburg. Oh, the humanity!
To those that did not upgrade to the 10.2.x series, is Apple still offering security updates to the 10.1.x series? If not, I think we know what they will do now that 10.2.x is no longer "new."
I know it's /., so nobody expects him to read the article, but he isn't even talking about the same flaws that affect all versions of OSX.
Actually I saw this news yesterday from C|Net (news.com.com) news (so, that's actually less than two days after the security 'holes' (?) were found) and wondered if it's FUD... then I read it a little bit more and found out somebody from @stake commented on that 'OS upgrading practice'. I thought, wait a minute, wasn't there recent news that the co-author of a report got fired from @stake because the report cited the monopoly of Microsoft as putting security at risk...
You can say I'm paranoid... but I can see some sort of link...
By the way, if somebody has enough proof of organization(s) synthesizing FUD, is there any way to have the responsible party(s) held accountable? Fraud?
Et n'obliez pas manger vos French Fries, fagots Americains!
But Apple's really going to have to get their sh1t together on this - or they'll never be taken seriously in the Enterprise.
WTF is it with you geeks and Star Trek? Listen carefully: IT'S NOT REAL, ITS JUST A SHOW. Why, the Starfleet or whatever would no more use Apple Computers on the Enterprise than any modern PC, the whole idea is abs--
MAN TAPS NARRATOR ON SHOULDER, WHISPERS URGENTLY
Er, carry on.
If Jesus wants me it knows where to find me.
Apple should milk its fanatical user base for every penny they're worth. Apple has never apologized before (remember the short-lived outcry after they started charging for that .Mac service?) - Apple users quickly forgive and forget.
Or are we all going based on the assumption that since there is a Panther patch and there isn't yet a Jaguar patch that none is forthcoming?
If I were running a company I'd patch my new product and test that before I worried about patching my legacy products.
Maybe it's in one of the additions to OS X 10.3 so there's no update required for 10.u | where u 3.
MSBPodcast.com The opinions expressed here are my own. If you don't like 'em... Think up your own stuff.
Sounds like they're trying to pull a Microsoft, by not supporting old software anymore.
There's probably something about that in the EULA.
The crowds are longing for a commercial alternative to Microsoft; linux does just fine but there are so many people that just can't handle the glitches and quirks of the good penguin. Sometime in the near future Linux based distributions will obtain OS X grade nirvana but until then people want an escape from Microsoft without the hassle. So Apple fills the void but people are also terrified at the thought that under the sheep hide is a wolf in disguise so many are too trigger happy. I'll give them some slack and wait for the Software Update to bounce on my dock. I'm holding my breath...
I wonder who is behind all the bullshit I do - Altan
Apple is taking care of its customers.
MSBPodcast.com The opinions expressed here are my own. If you don't like 'em... Think up your own stuff.
If a non-Apple computer is a better solution for you, for whatever reason, you'd be silly to pick an Apple
For me, though, Apple is a pretty good solution. There's no bargain basement model, sure, but I've managed to save up enough money for a new Apple recently (first one in a while, but my old one was ticking along just fine).
I like Apple because their computers make me want to do things with their computers. (I'm setting someone up for a +5, Funny post with that line, I know) I want to make movies with iMovie and iDVD. I want to find out about new music with the iTMS. I don't doubt that I could do all those things on another machine, and probably fairly well. But I don't think the other machine would make me _want_ to do it the way my Mac does.
But like you said, they're not for everyone, for a host of different reasons. And that's ... OK
Your example is like buying every new release of Photoshop and Photoshop Elements. It's stupid. I don't know one 2000 user who went to ME.
Oh, and since longer release cycles are better by your standard, you should be happy to include Windows Longhorn in there, which seems to be coming out in 2005, four years after XP.
Excuse me, but my iThinkSafe alien-mind-control-ray blocker is not a "tinfoil hat". It is a beautiful and effective combination of translucent polycarbonate and brushed aluminum.
.. nope, the designers thought of everything! Random noise centered at theta frequency 56 is added before display.. any insidious thought-control messages are randomized and rendered ineffective. It's those little details that set this device apart from yours.
And don't think for a second it won't effectively attenuate mind control rays. Do you see these channels here? They aren't for "looks", they channel psi-waves from anywhere on the surface to here, where they exit the cranial dome safely.
Your run-of-the-mill tinfoil design simply relies on the properties of the metal itself. One tiny hole and you'll start hearing instructions to kill the president.. but with this reflector/channel array, tuned to the wavelength of alien psi-waves, you don't have to worry. In fact there are holes underneath for ventilation! Does your "tinfoil special" have that? No, so better not head out to the beach while wearing your protector (well, and because the water contains hallucinogens added by the CIA, but that's a story for another time).
And look at these twinkling blue lights that give power level readings. Tinfoil doesn't have anything like that, how could it, it's a passive device! This bad boy on the other hand, draws power from the psi-waves themselves! Sometimes I can sit for hours, mesmerized by the dancing lights.
I know what you're thinking, though: "won't the alien brain forces just start modulating the lights and program you that way?"
You can stick with your tin-foil hat, sure. But wouldn't you like a thought protector that "just works"? I do, that's why I happily paid $129 for mine.
Sorry, you lose, Zealot. The world has moved on from Debian Potato, and all modern distros detect my hardware automagically.
Many companies do this already. If you are not current, you are outta luck on updates of any kind.
Since Panther is 'current' then you can't demand they support something older..
True, it's irritating as hell..
Just wait until fixes for SUPPORTED versions are pay only...
---- Booth was a patriot ----
So I see Bill Gates has secretly purchased Apple Corp.
ehm, unless the newton came with a defective keyboard or a really messed up spellchecker I don't get the joke. Anyone care to enlighten me?
MMO Quests are like orgasms:
You may solo them, I prefer them in a group.
... General Motors will not be fixing older GM vehicles that have a problem with the navigation system. When asked by tinfoil-hat-wearing /. users why they wouldn't support earlier versions, GM's CEO mentioned that older vehicles don't have this feature so they wouldn't need to be fixed.
In other news, Apple has reported that "Security Update 2003-10-28 addresses a potential vulnerability in the implementation of QuickTime Java in Mac OS X v10.3 and Mac OS X Server v10.3 that could allow unauthorized access to a system."
--AB
What strikes me as strange about this is that Apple is allowing this news story to fester. It is popping up in several news sites now and is creating a lot of bad press for them, regardless of the facts. I thought Apple was smarter about marketing than that. All we have at the moment is "no comment".
For a good operating system, $129 is a small price to pay because you get an excellent operating system that is user-friendly and stable at the same time. I am sorry, but Apple has the best GUI engineers, who actually put a lot of time into usability testing (open any HCI book and you will see references to Apple's products here and there); combined with a solid backbone, OS X is an excellent choice for everybody who wants the beauty (the interface) and the beast (UNIX) combined into one.
I used to be a big Linux fan, but that OS has become a pain in the rear due to inconsistency problems between distributions and other misc. stuff that pissed me off on a daily basis. I switched to FreeBSD and I still use it on my servers; however, my primary desktop is a G4 running 10.3. Now I spend more time doing useful things rather than trying to get the interface to work. I will switch to any Open Source product that offers a clean and functional (from the user's point of view) GUI + precise guidelines for developers. Unfortunately, neither KDE nor GNOME can offer it at this point in time.
Also, I found out that my productivity increased after I switched to OS X because I do not have to spend hours on tweaking a desktop or trying to fight any of its features. Plus, $129 is a small price to pay for peace of mind. My shoes are worth more than that and yet I change them on a yearly basis.
David Goldsmith, director of research for @stake, a security company that found four of the vulnerabilities, confirmed that Apple said it wasn't going to patch the flaws in earlier versions of the software.
I recently read about these "security problems" in 10.2.x found by @stake, and I find it amusing that the details were virtually left out of this current article.
The current set of vulnerabilities include a flaw in the operating system that causes applications to be installed that have insecure file permissions. Other vulnerabilities could allow a local or remote user to crash the system.
IMHO, this is being blown way out of proportion. I've never heard of @stake before, and it sounds like they're trying to make a mountain out of a mole hill, possibly to make a name for themselves.
I read an article a few days ago (sorry, no link) about this security thing on 10.2.x. From that article, it said that one of the security issues is that some files have default filesystem privs open to "group" or "other", such that if you were to install something malicious it might have access to modify certain other pieces of your filesystem that should otherwise be read-only. This is pretty idiotic, I think, because if you're about to install something malicious, that's your fricking problem right there. Should this filesystem thing be fixed? Sure. Is this a serious "security issue"? I don't think so.
Two of the other vulnerabilities had to do with somebody sitting at your console typing in specific, malicious commands that would result in a kernel panic. Problem? Sure, this should probably be fixed. But I don't see how this is a "security issue". If somebody is sitting behind my machine with a terminal window open, I've got a lot more to be worried about (stealing files, deleting data, mucking up configurations) than whether he's about to type in some command to send my machine into kernel panic mode.
I don't see how any of this is worthy of the kind of media hype that we're seeing.
No more Karma, thanks, I'm full
Apple has released an updater for WebObjects 5.2.2 development on MacOS X, and updates for deployment on Windows and Solaris, but the only way to get WebObjects 5.2.2 deployment for OS X Server is to upgrade to 10.3 Server. Apple has not officially said that they won't release the update for OS X Server 10.2, but it is not available now, and there is no official word either way.
-- Charles A. Plater
I've heard of @stake before. They're the people who recently fired a researcher for writing a paper that was critical of Microsoft.
OS X does have a lower local-security profile than most UNIX systems, but it's still significantly better than Windows even with all Microsoft's recent hype. If there aren't any remote security exploits I would say that the thing to do is watch the Panther patches as they're released and apply the same permission changes by hand.
>>I am a MeatScript.
:)
I nearly shit my pants after reading that....
I thought this was a Panther fix and not a 10.* fix. Are we sure it's a 10.* fix? The way things read it was a new bug for Panther only when it was on the other mac sites a few days ago.
As a rock-in-roll Physicist once said, No matter where you go, there you are.
Why is everyone surprised about this?
After all it's Apple, the wonder boys of computers. Hailed to fame because they are monopolistic and OSX only runs on their own proprietary hardware. And now you're all surprised because they use the same tactics as MS? Go figure!
I would be more surprised if they actually caved in. Why? Well, there is more money to be had from having the users pay an upgrade fee to move to the new and fixed version rather than providing the fixes for free. Basic economy. And you're surprised because?
If you mod me down, I *will* introduce you to my sister!
As much as I hate to admit it, at least MS supports more than two years' worth of versions. They still support back to 98. This is a very bad move by apple - if your security support in any way makes MS look *good*, you've got problems.
With as much as Macs do cost, great support should be something taken for granted.
And before the flames fly, like they always do, I do not use and cannot stand MScrap.
-Looking for a job as a materials chemist or multivariat
This article helps put this FUD into perspective. Apple bashers need not read it, since they've already made up their minds.
Does anyone remember Darwin, the open source core to Mac OS X? A lot of these security issues are within the Darwin source code, therefore allowing a smart hacker to make the proper fix. Once the fix is made, I'm sure a 3rd party would gladly make an update package for Jaguar.
I've already paid for an excellent operating system that's user-friendly and stable, and follows Apple's HCI guidelines better than Panther. It's called Jaguar.
Panther won't run on my Mac yet, until Ryan gets XPostFacto 3.0 out. After that, I think I'll wait until Max Rudberg gets Milk working on Panther, and someone comes up with a way to keep running the Jaguar Finder on it.
It's a pity about the OS improvements, the things Apple doesn't seem to be crowing about like the new UFS, but maybe I can update the Darwin core underneath OS X and pick those up as well...
A jihad has been declared! It is YOUR duty to make certain that the target of our attacks be made aware of their misdeeds. If they will meet us halfway, then we shall remain peaceful. If not, there will be much suffering. Choose your side and play it well, for in the end there will be much rejoicing for the victor! And that victor shall be the one who has spoken against the infidels with their unfair moderating practices. Choose now! Choose wisely.
Okay, first let me get this out: I don't flag-wave for any OS.
Now back to the point. It amazes me how there is a large chunk of users here that will jump in and take a bullet for Apple on things like this and pretty much argue it to death, trying to say how Apple should be given time and that it can't possibly be, but those same users would tear into Microsoft in big long threads if they did anything similar to what Apple is doing right now.
Personally I think they are both businesses, they are both in it for the money, they both make (somewhat) competing products and, you know what, they are both evil. It's just that Microsoft has been pretty much shown for what they are, whereas Apple for some reason is still behind this new age hippie veil that they are the good guy. If the past had happened differently and Apple was the big kahuna now, the world of software would be no better and probably no worse. So I say to all you Mac fanatics out there: please realize that while the operating system might be cooler and maybe even better than the Microsoft offering, Apple is just as evil and would love to screw you over for every last penny you have.
It's just good business!
The only difference between Apple and MS is that MS has a monopoly. Apple applies the same kind of tactics as MS to force users to upgrade. I personally find it sad and I am thankful for Open Source that allows me to do something as simple as choose when *I* want to upgrade.
Go ahead and mod me a troll now : )
If Tyranny and Oppression come to this land,
it will be in the guise of fighting a foreign enemy. -James Madison
It may well be that Apple hasn't issued a statement yet. If so, they need to get their propaganda machine in motion.
In Apple's defense, I will say that the security bugs I've seen do not include any "Remote Arbitrary Code Execution" [RACE] holes, so not releasing a patch isn't *completely* insane... albeit, it is insane.
At least one bug allows for remote crashing of a machine. So, combine (using script kiddie tools) a standard M$RPC virus like Blaster with a routine to scan all IP addresses in reach with the Apple-Crashing RPC, and every infectable Internet PC takes out every Jaguar Mac on the net. Someone's going to do it sooner or later; probably one of the fanatic anti-Mac zealots. Apple *NEEDS* to release this patch, or it will be a PR disaster.
I work for a group that teaches engineering ethics. Speaking as someone with purchasing-recommendation authority, I've checked with half of my Mac users so far, and my purchasing-authoritied boss (who buys what I tell her to). The response has been unanimous: requiring payment to receive security patches on an operating system barely a year old (and which we've been using for less than six months) is "an unethical business practice" and completely unacceptable. I now have my Apple users all ready to consider switching to Windows, and my boss ready to stop all future Mac hardware purchases, unless Apple provides the security patches.
I am willing to consider bugs (like Preview crashing on opening a certain ordinary digital photo) to be something where they can say "we fixed that, but you have to buy Jaguar." Security flaws are a whole different kettle of cat. They need to patch any RACE holes at least, and probably all of the security holes.
//Information does not want to be free; it wants to breed.
Most of it only speculates as to Apple's intent. Here is the only part relevant to their actual intent:
Apple declined comment.
Sure, they should have pronounced their intent to fix the problems but they have certainly NOT stated that the intent is to leave 10.2.x unpatched.
The article is a bit misleading, as well. For instance, it fails to note that the @stake advisory in question (core files can be used to overwrite arbitrary files) pertains to a facility that is disabled in all Apple-supplied 10.2 installations.
In short, they should fix it. Soon. They haven't said they won't, though, and it's been *almost* two days. I'm taking a "wait and see" approach on this one.
.sig: file not found
At least wait a week or so before posting something this absurd. I'm pretty damn sure Apple was planning on patching 10.2 sooner or later, but they just got around to 10.3 first.
Or maybe they just wanted to test 10.2 a bit more since it is more likely to be used in production than the week-old 10.3. Either way, it is a bit of a stretch to say that Apple has massively changed their patching policy just because one patch is a bit later than some would like. Quite the big accusation; quite little evidence.
In the end, Apple gets all this negative publicity on Slashdot for no reason at all. I guess MS gets that a lot on here, but I'd expect us to be a bit kinder to our UNIX brothers.
First, agreed - damn, it sucked. I still run it on one machine for games, and it's a real treat. I hadn't checked for a while, but it appears they have indeed stopped as of a few months ago. Still, that's pretty good - and it's better than suspending support of an OS *months* after it ceases to be the newest OS. That's inexcusable.
-Looking for a job as a materials chemist or multivariat
only for 10.3? I hardly think that is true. This is more of a commentary on TechReview's crappiness than Apple's.
I was turned off from Apple when they rigged their software to not run on older hardware because they wanted to squeeze their user base for an upgrade.
Fuck Apple.
Now go ahead and mod me down because I just pissed on one of Slashdot's sacred cows.
Karma means nothing to me, so suck it...
More references to stuff from @stake... didn't they just prove that they're owned (or is it 0wn3d) by Microsoft by firing one of the authors of a critical piece?
Might the reason it's not being released for 10.2 is that it says in the Update that it is for versions of software running under 10.3?
Nah - that's too fricken simple, now isn't it?
...as it usually takes 6-8 months for macsales to drop the price to this point.
And for those who don't think that a beige g3 could be classed as a server... well, mine has a 350mhz g4 upgrade, and it's faster than my HP K380s (6-way 240mhz).
If Apple want to be taken seriously in the enterprise, they'd damn well better patch 10.2. Of course, I'm not going to take a mere two days as confirmation that they never intend to do so. It wouldn't surprise me if they did cut 10.2's life-line, though. Sometimes I wonder what the fuck is going on over there. They can't seriously expect everyone to upgrade to 10.3 the second it comes out, especially server administrators. It's attitudes like this that keep Apple out of the enterprise; they can't conceive of a scenario where an earlier version of an OS would be acceptable for server use.
Such a statement, apparently confirmed by Apple, will keep Mac OS X out of any server applications.
Such a statement was obviously taken out of context, carefully edited for maximum anti-Mac (and by implication pro-Microsoft) effect. As others have pointed out, the security flaw is only applicable to OS X 10.3. 10.1 and 10.2 are not vulnerable, so no patch is required.
Let me repeat. OS X 10.1 and 10.2 are not vulnerable, so no patch is required. Saying "Apple isn't going to release patches for 10.2" without pointing out the fact is dishonest, yellow journalism on steroids, and more indicative of a marketing FUD campaign than any serious technical reporting.
Indeed, the spin and dishonesty in the article is so severe, and the pro-Microsoft bias in the (mis)reporting of the facts so obvious, that I'm surprised even Intel zealots would buy it outright, hook-line-and-sinker, without even a thought to the contrary. The allegation itself should be setting even the most ardent Microsoft zealot's bullshit alarm off.
And I say this as one who does most of his work on an Intel box, albeit running GNU/Linux (though I do enjoy my Apple Powerbook and OS X as well).
The Future of Human Evolution: Autonomy
MOD PARENT UP, they have an important point.
"'I pass the test,' she said. 'I will diminish, and go into the West, and remain Galadriel.'"
- JRR Tolkien.
haha.. this is what i think is an interesting twist to this. i kinda noticed it reading a previous patch.
the library of congress just released some guidance rules on the dmca, included in that was a part about being able to fix or reverse engineer software that you already have to make it usable when part of it becomes obsolete. this is mostly considered when something like an atari 2600 doesn't work anymore and you can use the rom pack on another platform. but will this open up the possibilities to either a: reverse engineer the os to make it secure, b: allow you to not only fix the security holes but maybe even port it to intel platforms or such if their fix doesn't support your hardware, and maybe other possibilities too.
of course i'm banking this on the fact that they state they plan not to patch 10.2 for the security flaw (as minor as it is) making the os functionally obsolete. even if it works, if it doesn't operate safely then it is non-functional in today's dangerous digital society.
also with the upgrade not supporting older hardware that osX at one time did support, thereby making that platform obsolete.
this combined with the library of congress's recent dmca guidelines could spell out some unintended consequences for apple when they take a page out of microsoft's handbook and try to force the upgrade.
am i reading too much into this or is this approach possible? maybe it would make apple rethink its position? can anyone say osX on intel? maybe that is a stretch.
by the way microsoft had an issue in the help and support feature that would allow any well crafted email or website to delete entire directories from the user's harddrive with no interaction from the user. all they needed to do was visit the page or download and preview the email. they held a patch for this over 11 weeks waiting to include it in the service pack for xp so people were compelled to update, thereby defeating some way pirates were stealing their software.
The per-year figures for a workstation do not include rebates. That lowers the sum by about $100. Thus, per-year costs are actually lower than $63.
It sure looks like the latest update on 10.2 has fixes for all of these problems. Three days from announcement to a downloadable fix seems reasonable to me.
Actually, yes. I realize that you're trying to make a joke (and you succeed hands down, BTW), but the colorful G3 iMacs are fully supported under Panther.
I just upgraded the hard drive in my wife's "Grape" iMac, partially in preparation for Panther (and partially so she can continue ripping her CD collection w/o running out of space).
-Cybrex
Boundless Expansion, Self-Transformation, Dynamic Optimism, Intelligent Technology, Spontaneous Order- BEST DO IT SO!
"someone could just walk in and START ACCESSING YOUR COMPUTER by simply typing on it"
And they would have a helluva lot more problems than if they stayed home and tried to do a sploit. Something about the cycle of a 12-gauge shotgun that screams security.
...since Panther is insanely great why would a developer want to waste time patching old out-dated technology. ;-)
Apple cracks me up sometimes. They want to be this, they want to be that, they don't know what they want to be. They're great at reinventing themselves, just not in offering long term benefit and stability. This latest support fiasco is just the latest example.
It's really a shame. If any other company had half of Apple's marketing savvy and consumer product design abilities they'd be completely unstoppable.
For Apple's part they'd be scary if they had M$ marketshare...granted anyone with that much of the market is scary.
There is nothing wrong with saying "Our last offering had bugs, we have a new version that is better, and we suggest you upgrade because we do not wish to support the out-dated version."
What is wrong with this? Is a company required to support old software forever?
My Karma is bad. May I take you out for a drink? It's on me...
From a Mac forum @ dslreports:
The attacker needs an account on the system to exploit these unless the system has been deliberately made insecure, as in the case of enabling core files. So if your passwords are secure and not known to untrusted folks, you are OK.
What it is saying is that a non-admin account can overwrite the executable in the Applications folder in some instances (dragging the app off a disk image, or the app shipped with permissions set to allow non-admins to overwrite). Then when the real user executes the altered executable, it executes the attacker's code with admin privileges. It would still need for the real Admin to enter his/her password for the attacker's code to get root. Good ol' OS X.
---
Sounds like FUD to me.
---
and...
MacDailyNews Take: These "security issues" are quite a lot of to-do about virtually nothing. Something smells bad @Stake. You might remember that in late September of this year, Dan Geer, computer security researcher, was dismissed from @Stake for calling "the ubiquity of Microsoft software a hazard to the economy and to national security." The problem for Geer was that @Stake is "a consulting company that works closely with the software giant [Microsoft]," as John Borland reported for CNET News.com.
Apple has posted a security update for both 10.3 and 10.2.8.
The Seventh Rule: Take others more seriously than yourself, particularly when you are leading them.
I didn't RTA or anything, but still:
If true, a big "fuck you" to all those people who said Apple wasn't forcing people into upgrading to 10.3 when the story about 10.3 broke a week or two ago.
With OS 10.3 we expect a few of the "gee whiz" features that will not make it back to the 10.2 experience. While the "security flaws" are a little difficult to get installed in such a way that they are actually flaws... they are still flaws.
The thing that has gotten to me in the near week that OS 10.3 has been out is, there is no Safari 1.1 for Mac OS 10.2.x
Safari is Apple freeware, but if they fixed all the Javascript and many of the issues that plagued the 1.0 release, why not let us 10.2.x users have our fill of it. We want javascript to work for us.
I had a flame... but she had a fire.
All I can say is a lot of posts that happen to criticise Apple are being unfairly modded down as flamebait or offtopic. See examples: 7350155, 7350421, 7350334
"It is not a friendly thing to tell your customers to shell out a lot of money to stay secure," said Thor Larholm, senior researcher for software security firm PivX Solutions. "It would be a dangerous precedent, if they did."
Why? Microsoft does it!
I originally thought this was a very scummy thing, but I spoke to an Apple insider. Security issues in 10.2 will be fixed through the normal issue tracking system. File your reports and they will get repaired in due time.
As seen on Wired: Get a free desktop PC
I honestly don't think that this will remain a problem, Apple has been pretty good about patching things as they come along, but the point of the article is that 10.2 IS vulnerable, with the only protection/patch being an upgrade to Panther.
Life shrinks or expands in proportion to one's courage. - Anais Nin
The Engineering Process/Committee at Apple which prior was the one at NeXT has a long standing record of supporting earlier versions of their Operating Systems.
More specifically, they also have, in the past, classified a three-tier escalation level of Bug Fix Package Releases.
For mission critical custom apps which want addons to the Operating System they pay for blanket policy support accounts that make their needs fulfilled.
ATT Wireless was a classic example, and so was Merrill Lynch. They both had custom build fixes that only they held the rights to, until such time in the future when these unique features became features in the present release. Then if it was agreed upon from the client and NeXT earlier versions of the OS got these addon updates.
NeXTAnswers was a great system for information.
Expect Apple to make sure Panther works first and then retro fit Jaguar. I wouldn't expect Puma.
I also don't expect Panther to be the Trojan Horse into the Enterprise. I expect the next major revision, OS X 11.0, to be the first full blown Enterprise targeted (beyond video needs and small/mid web deployment needs) version to do so.
Let's not compare Microsoft. Their current round of security fixes locks my system half-way into the update process, every time. Thankfully, Debian is on a separate partition.
Yes, you will.
Anti-Mac is Pro-Microsoft? But I'm Anti-Mac and Anti-Microsoft! The conflict is eating my soul!!!
Karma: It's all a bunch of tree-huggin' hippy crap!
Even David Goldsmith seems to believe, based on his comment, that whoever he spoke with at Apple was wrong and that Apple is likely to continue fixing security problems in 10.2. This whole thing is silly.
...it would put the SoCal fires to shame.
How do you spell hypocrisy?
sarchasm: The gulf between the author of sarcastic wit and the person who doesn't get it.
I'm still waiting for the patches for DOS 6.22. As far as I know MS haven't released a single security fix for this OS.
Doesn't it make you feel good to know that our freedoms are protected by politicians, lawyers and journalists.
Let me repeat. OS X 10.1 and 10.2 are not vulnerable, so no patch is required.
Does ANYONE read the articles? Apple recently released a security patch for a completely unrelated security issue in 10.3 that does not apply to 10.2, and everyone assumes that's what this is about, even though this article is about three COMPLETELY DIFFERENT security issues that @Stake found in 10.2 that do NOT exist in 10.3 that Apple HAS NOT YET released patches for.
$x='S24;r)>63/* h@<5+oZ)32"5cz';$me='phroggy'x$];
$x=~y+ -xz+\0-Tx+;print$_^chop$me for split'',$x;
Conveniently enough, one of the Apple Senior System Engineers was in town talking with one of my bosses. I had mentioned my concern yesterday to him at a meeting-- I had only time to see headlines at the Inquirer ("13 bugs!") and ZDNet ("No fix!"), but that I didn't know if this was a real panic issue.
Quoth my boss to me in E-mail, "I brought the subject up with the Apple representatives this morning. The response was that they were patching 10.3 first, but that they expected 10.2 to also be patched in a timely way." Which is not unreasonable.
This, combined with the fact that none of these 13 bugs reported allow Remote-Arbitrary-Code-Execution, has me calmed down... for now.
//Information does not want to be free; it wants to breed.
from the article:"David Goldsmith, director of research for @stake, a security company that found four of the vulnerabilities, confirmed that Apple said it wasn't going to patch the flaws in earlier versions of the software. "In my initial conversations with them, they said they weren't going to fix 10.2, but I wouldn't be surprised if they change that," he said. "
The last line above is the most important. If Apple users defend Apple, they're stuck upgrading, and paying the $129. If they complain about it, however, the @stake guy thinks Apple will change its mind. So rather than defending Apple, you should start complaining to Apple, if you want patches to older OSs.
Vote for Pedro
David Goldsmith, director of research for @stake, a security company that found four of the vulnerabilities, confirmed that Apple said it wasn't going to patch the flaws in earlier versions of the software.
Confirmed. No patches for earlier version. Do you have evidence that @stake (which you yourself reference as a source of information) is lying about this?
Apple may have declined to comment to C|Net, but they didn't to @stake - they confirmed NO PATCHES FOR 10.2. Sorry to burst your little Apple zealot bubble.
Instead of a "wait and see" approach, might I suggest a "read and comprehend" one.
They'll patch it, they patched 10.1.x several times after Jaguar was released.
Not true.
The last Security Update for my 10.1.5 was last March. See here. That is from a similar story on MacSlash a week ago.
The article makes a big to-do about "security enhancements" available in Panther not being released for Jaguar. Well whoop-te-do. Please note, we're not talking about Apple fixing an SSH bug here, we're talking about SYSTEMIC changes to the security model. No rational end user expects the security enhancements Microsoft made to XP to be back ported to 2K or Win98. Same applies here.
Well, yes, flavors of UNIX (including MacOS X) are in general more secure than Windows. UNIX has been playing on the internet for decades and has been the favored OS at computer science schools across the country, where its source code has often been publicly available.
That adds up to a system that's been banged on for a long time. Windows is the new kid on the block internet-wise and MS is finally getting around to understanding security.
(We're not even getting into the issue of who attracts the most creative programmers: MS or the Internet/Open-Source/Hacker crowd.)
Reading the reports, I'd say Apple should fix #1 and #3. I hope they will. But this is not anything urgent: the first is an apparent bug if you turn on core files. Well, they are off by default. The second bugtraq has two parts: the first half should be fixed by Apple (changing permissions of dirs when copying between disk images); the second half is not Apple's fault. The argv[] buffer overflow is a stability issue, not a security issue IMHO. And since it's so extremely rare, I don't consider it a big deal.
I think the permission thing is the biggest deal. If you are concerned, you can run these commands:
% find /Applications -type d -perm -002 -print
(the article mentions an autofix with: find /Applications -type d -exec chmod o-w {} \; but this may break apps)
% /usr/sbin/diskutil verifyPermissions $diskname
(where diskname might be / )
This command (available in MacOS x.2 and higher), will compare the permissions to that of the original installer (as stored in /Library/Receipts). To repair, type:
% /usr/sbin/diskutil repairPermissions /
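A scriptable version of the world-writable check the post above describes, as an added example that is not from the post or from Apple. It builds a constructed sample app tree under a temp directory instead of touching /Applications, reports the entries a non-admin could overwrite, and strips the "other write" bit from them.

```shell
#!/bin/sh
# Added example: audit a directory tree (normally /Applications) for
# directories and executables writable by "other", then repair them.
# The sample tree below is constructed for demonstration only.

# Print every directory or regular file under $1 with the other-write bit set
# (-perm -002, the same test as the find command quoted in the thread).
audit_world_writable() {
    find "$1" \( -type d -o -type f \) -perm -002 -print | sort
}

# Succeed (exit 0) only when the audit finds nothing.
tree_is_clean() {
    [ -z "$(audit_world_writable "$1")" ]
}

# Strip the other-write bit from everything the audit reports.
# Unlike a blanket chmod -R, this touches only the offending entries.
fix_world_writable() {
    audit_world_writable "$1" | while IFS= read -r p; do
        chmod o-w "$p"
    done
}

# Constructed sample: one bundle with sane permissions, one shipped with a
# world-writable MacOS directory and executable (the case the thread describes).
make_sample_tree() {
    base="$1"
    mkdir -p "$base/Good.app/Contents/MacOS" "$base/Bad.app/Contents/MacOS"
    printf '#!/bin/sh\necho good\n' > "$base/Good.app/Contents/MacOS/Good"
    printf '#!/bin/sh\necho bad\n' > "$base/Bad.app/Contents/MacOS/Bad"
    chmod -R go-w "$base/Good.app"
    chmod 755 "$base/Good.app/Contents/MacOS/Good"
    chmod 777 "$base/Bad.app/Contents/MacOS"        # any local user can drop files here
    chmod 777 "$base/Bad.app/Contents/MacOS/Bad"    # any local user can replace the binary
    chmod 755 "$base"
}

main() {
    tmp="$(mktemp -d)"
    make_sample_tree "$tmp"
    echo "World-writable entries before fix:"
    audit_world_writable "$tmp"
    fix_world_writable "$tmp"
    if tree_is_clean "$tmp"; then echo "After fix: clean"; else echo "After fix: still dirty"; fi
    rm -rf "$tmp"
}

main
```

Run against a real volume, replace the constructed tree with the path to audit; review the list before fixing, since some applications expect writable directories.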
Only if you agree to try it yourself.
Because Apple declined to comment, their current intent is not known. If you read the quote from the article:
Note the past tense. The key phrases "initial conversations" and "I wouldn't be surprised if they change that". The lack of any statement as to their current intent from either Mr. Goldsmith or an Apple mouthpiece. In short, a non-story.
You seem to have mistaken my post for a defense of Apple rather than a criticism of yet another sensationalized, moronic article on C|Net.
.sig: file not found
Clearly I have no alternative but to rip all cables from my macs, stuff the offending sockets with wine gums, toss each useless hunk of plastic and silicon into a vat of cement and sit rocking in the corner of my room, tears streaming down my cheeks as the flames slowly engulf a photo of Steve Jobs. Oh, the humanity!
You're missing a REALLY big point here.
These "security flaws" still leave Jaguar less exposed than any consumer or commercial version of Windows, and on top of that they don't actually require Apple to do anything to fix them... we, the Apple users, have the source code to the underlying OS. If there are real holes that need patching we can do it.
So... you're asking us why we're not bitching and moaning about something that's of vanishingly low importance. Well, there's your answer right there.
Bah... never have I seen a Titanium laptop with a hypnotic glowing MVS logo on it.
Who cares if it has no security holes if it doesn't have stripes on everything and purdy coloured buttons that pulsate and stuff. I'll take security holes and price gouging for my fix of eye-candy!
You mean like Microsoft not providing the security upgrades in Office 2003 for previous versions of Office? Nah, that'd never happen. Right? Right...?
Don't be a fucking whitey
As a matter of fact, you DO get the source to the OS, or at least to the part of the OS that's relevant to your 17 MB copies; the microkernel, I/O subsystems and file system code are all available as part of the OpenDarwin project.
You don't even have to pay for the OS to get the source code to it. How generous is that for a commercial Unix vendor?
I'm betting that for all your bleating about source code, you wouldn't have a fucking clue what to do about the problem anyway, because like 99.999% of the world you wouldn't have a clue how to optimize a filesystem or IDE transfer.
Besides, contrary to what you're saying I've found I am easily able to sustain 100Mbit when copying files to and from my PowerBook, which is not bad for a laptop. Perhaps you should look at your samba configuration, or consider using something else for your file transfers if it's going to save you as much time as your concerns indicate.
According to Apple: APPLE-SA-2003-10-28 Security Update 2003-10-28. Security Update 2003-10-28 is available. It addresses CAN-2003-0871, a potential vulnerability in the implementation of QuickTime Java in Mac OS X v10.3 and Mac OS X Server v10.3 that could allow unauthorized access to a system. The issue does not exist in earlier versions of Mac OS X or Mac OS X Server.
More info at http://docs.info.apple.com/article.html?artnum=61
Apple only has 2 OSes, 9, and X. The current version of X is 10.3. You pay for the service pack from 10.2 to 10.3. It's like a subscription model with an option to stop paying and keep what you have at any point.
To view 10.2 as a different OS than 10.3 is like viewing each service pack upgrade of WinXP as a different OS.
-theed
To clear up some general confusion that neither article has understood yet...
1) The most recent apple security update to Panther has nothing to do with the @stake-identified vulnerabilities. It fixes a flaw in Quicktime Java on 10.3 only.
2) True, the @stake vulnerabilities do not affect 10.3. However, this means you cannot say that Apple is issuing sec. updates for 10.3 and not 10.2
3) The @stake vulnerabilities have not been patched yet, but this doesn't mean they won't be. I would expect that apple will have a patch out for these as soon as it's developed and tested.
Nothing to really worry about. Apple releases a major fix for the new point release they just brought around. Sure it doesn't apply to the older versions, they lacked the features to have bugs in.
My Beige G3 with an Apple G4/350 upgrade seems kinda slow running 10.2.8. I don't think the 1Meg L2 cache is enabled, but I haven't figured out how to tell.
Open "about this mac" off the apple menu, then click the "more info" button. The apple system profiler will open, and after a short delay you will get a report that includes the cache size.
Microsoft may provide cost free updates for Windows, but spending time with security updates and viruses takes up a lot of time. So is Windows Update really free? I think not; time is money and I don't want to spend hours on a $300.00 operating system. Please select the following link regarding an article by Walt Mossberg, supporting my view point. http://ptech.wsj.com/archive/ptech-20031023.html
see post on Macentral at 12:35pm [EST]....now go find some other lame excuse to justify your choice in OS
Apple's going to patch Jaguar. Details at MacCentral.
Info at MacWorld
Silence. :) :) :)
Tech Report is full of moronic shit.
See also here. I don't quite know why that guy is offering a prize. It's well understood as coming from the properties of the j-function.
Very briefly: you may have sketched the function y^2=P(x) in your life where P(x) is a cubic. If you allow x and y to be complex numbers you get a 2D surface. That 2D surface is basically a twisted up torus (minus a point or two corresponding to when x and y go to infinity) and the j function gives a way of specifying exactly what torus. It also plays an important role in string theory. But the full explanation of why you get all these near integers is quite long and involved.
Doesn't it make you feel good to know that our freedoms are protected by politicians, lawyers and journalists.
Interesting--thanks!
Well, using your Mac you can host a local website on your desktop, develop PHP code, learn the underpinnings of BSD Unix, muck around with MySQL, do shell-scripting, write cross-platform games in C++ using SDL and OpenGL, etc. ad nauseam.
Having Mac skills now means gaining skills that scale extremely well. My experience playing around with the myriad of technologies and standards provided in Mac OS X has made me highly adaptable and eminently employable.
So take advantage of what's on your desk and develop yourself. You won't regret a second of it.
-- thinkyhead software and media
let's see - three days after the mostly inflammatory and untrue article - apple never said they weren't going to patch jaguar, merely 'declined to comment' (whatever that means - could be that the 'journalist' never asked the appropriate people - that's been done to me by 'journalists') - apple tells us it is going to patch jaguar - THEY NEVER SAID THEY WOULDN'T - let's see - when asked by me, microsoft declines to comment on newest worm - any surprise?