Slashdot Mirror

← Back to Stories (view on slashdot.org)

Apple Forcing Panther Upgrade for Security Patch

Posted by CmdrTaco on from the well-thats-a-bit-stingy dept.

The Raindog writes "I noticed over at Tech Report that Apple is apparently only offering its latest round of OS X security fixes to Panther users, leaving older versions of OS X out in the cold. " Update: 10/31 by J : But see the next day's story.

12 of 605 comments (clear)

  1. Bugtraq links by chennes · · Score: 5, Informative

    Here are the bugtraq links to the specific vulnerabilities:

    Arbitrary File Overwrite via Core Files
    Systemic Insecure File Permissions
    Long argv[] buffer overflow

    If it is going to be Apple's policy to not provide support for previous operating systems from the day the new one comes out it is going to be very, very difficult for them to break into the enterprise world. Even Microsoft provides support for operating systems for a few years after the new one is released. Maybe if enough people submit a bug report Apple will do something about it.

    1. Re:Bugtraq links by gclef · · Score: 4, Informative

      What's interesting (and/or disappointing) about this story is that all of the quotes I could see in the actual article were pulled straight from the Bugtraq thread about this. It appears that the reporter did no actual work besides paraphrasing and cut/paste from public emails.

    2. Re:Bugtraq links by Trillan · · Score: 3, Informative

      Hmm. The only one that looks like it might be a problem to normal desktop users is the argv[] overflow. And that doesn't seem like much of a problem to me, since it's highly unlikely they'll hit it.

      The other two are easily fixable by users. In fact, by default they're already configured to not be an issue.

      Systemic Insecure File Permissions in particular is such a yawner as to not even be worth mentioning.

  2. Not True... by Anonymous Coward · · Score: 4, Informative

    While Apple no longer releases point releases on prior releases of OS X, they DO release Security Releases. I think we all need to give them some time to finish the patch and post the update. Apple has *never* left users out in the dark, especially with recent releases (i.e. 10.2, 10.1). I know several users who are still using 10.1 and have received several security patches.

    1. Re:Not True... by prockcore · · Score: 4, Informative

      oh really? Then where is the SSH patch for 10.1?

  3. Re:As a long time Mac user, I'm not surprised. by bizard · · Score: 5, Informative
    I can't remember anytime Apple has ever released an update for a non-current version of MacOS.
    actually, apple has been releasing 10.1 security patches all through the 10.2 lifespan. In addition they have been patching Mac OS 9 as well. This would truly be a change of attitude if it is true, but I imagine there will be enough hue and cry to fix it.
  4. This just in from Apple: by BlowChunx · · Score: 3, Informative

    "Security Update 2003-10-28 addresses a potential vulnerability in the implementation of QuickTime Java in Mac OS X v10.3 and Mac OS X Server v10.3 that could allow unauthorized access to a system."

    So it seems that only Panther is vulnerable, and there is no need to release a patch for 10.2.x and 10.1.x.

  5. This does not effect 10.2.x by cplater · · Score: 4, Informative

    From http://lists.apple.com/archives/security-announce/ 2003/Oct/28/applesa20031028securityu.txt (login: archives password:archives):

    >The issue does not exist in earlier versions of Mac OS X or Mac OS X Server.

    --
    -- Charles A. Plater
  6. Re:10.3 Only Problem by Phroggy · · Score: 3, Informative

    This is a 10.3 only problem and the writeup on this topic needs to be fixed. Jesus, look at the people who came out looking for an excuse to bash.

    You're a moron.

    The 10.3-only security issue Apple just patched has nothing whatsoever to do with what we're talking about, which is three security issues identified by @Stake that do not exist in 10.3. Sure, the summary is stupid, but that's because the article is stupid. They're saying Apple is only making the fixes available in 10.3; the truth is, the problems don't exist in 10.3 and Apple hasn't released a patch for 10.2 yet because @Stake only announced them two days ago.

    --
    $x='S24;r)>63/* h@<5+oZ)32"5cz';$me='phroggy'x$];
    $x=~y+ -xz+\0-Tx+;print$_^chop$me for split'',$x;
  7. Here's the real story by saddino · · Score: 4, Informative

    This article helps put this FUD into perspective. Apple bashers need not read it, since they've already made up their minds.

  8. You need to RTFA by petard · · Score: 4, Informative

    Most of it only speculates as to Apple's intent. Here is the only part relevant to their actual intent:

    Apple declined comment.

    Sure, they should have pronounced their intent to fix the problems but they have certainly NOT stated that the intent is to leave 10.2.x unpatched.

    The article is a bit misleading, as well. For instance, it fails to note that the @stake advisory in question (core files can be used to overwrite arbitrary files) pertains to a facility that is disabled in all Apple-supplied 10.2 installations.

    In short, they should fix it. Soon. They haven't said they won't, though, and it's been *almost* two days. I'm taking a "wait and see" approach on this one.

    --
    .sig: file not found
  9. Debunked by uw_dwarf · · Score: 3, Informative

    Apple has posted a security update for both 10.3 and 10.2.8.

    --
    The Seventh Rule: Take others more seriously than yourself, particularly when you are leading them.