Slashdot Mirror
Apple Forcing Panther Upgrade for Security Patch
The Raindog writes "I noticed over at Tech Report that Apple is apparently only offering its latest round of OS X security fixes to Panther users, leaving older versions of OS X out in the cold. " Update: 10/31 by J : But see
the next day's story.
1) Stupid of Apple, if true; part of the appeal is the lower number of problems OSX has vs Windows.
2) They'll probably have a patch in a few days. If they're smart.
Napster-to-go says "Fill and refill your compatible MP3 player", which is a lie. It's not MP3. It's WMA with DRM.
"You didn't pay up when we wanted to, and so now you're screwed."
How much of this attitude until you're paying for each security update? I'm sure MS would love it if they could get away with it. A steady waterfall of cash.
I'm sure there'll be enough of an outcry to fix this behavior. I can't imagine people would tolerate this kind of BS for long.
~D
This sig has been enciphered with a one-time pad. It could say almost anything.
If MS did this, the /. crowd would scream bloody murder (hell, they have... and y'all have.) But you know Apple apologists are going to have some reason why this is OK for them to do, and try to make it out like Apple is still the good guy, no matter what.
Don't get me wrong, I love my Macs, they're all I use, but Apple fanboys make me ill.
My sig is blank, I typed this by hand.
I can't remember anytime Apple has ever released an update for a non-current version of MacOS. They always assume that you should update to the latest version that you can run on your machine.
There are all sorts of bugs in 10.1 that Apple will has addressed in 10.2 and 10.3. That does not mean they go backwards and release patches for older OSes. They don't have the resources to do that. Many such bugs are also potential security holes.
Avoid Missing Ball for High Score
I'm no expert. But is there a possibility that it is only possible to patch this security hole on Panther?
In US, you can easily buy enough major firearms to wipe out your neighbourhood but a few little fireworks are banned.
Isn't it possible that they just haven't released the 10.2 patch yet?
This page was generated by a Barrel of Circus Midgets, and that is the way I like it!!!
Some third party news site is making a claim that apple didn't have a comment in and we are supposed to take that to mean that it is true?
Apple isn't stupid, there will be patches, and if their won't then wait until they release something about it before you start burning them in efigy.
Glad to finally find out who beleives all of the things in the tabloids
In other news, it should come as no surprise to anyone that a computer has a potential security flaw. Does it have a keyboard? What's that? It does have a keyboard! Why, someone could just walk in and START ACCESSING YOUR COMPUTER by simply typing on it.
On the upside, the amount of skr1p7 kiddies who are likely to find Mac exploits and use them are surprisingly small. They're more apt to want to break into Windows machines because 1) it's easier 2) it's more well-documented and 3) what they want to break in to (a friend's computer, school computers, etc) probably run Windows, statistically speaking.
IAALS.
This bug was found and reported on three days ago. I don't think Apple has issued a statement saying they will or will not release a patch. Everyone seems to be acting like there will be no patch like Apple has issued a statement to that effect.
Let's not get too pissy yet.
On the surface, it seems a bad move not to offer patches to Jaguar (10.2.x) users. If the assumption is correct, that Apple is indeed withholding a patch simply to spur sales of Panther (10.3), it borders on bad ethics. There are many users of now unsupported hardware that won't tun Panther who rely on their Macs to earn a living, Apple seems to be holding their security as ransom forcing them to upgrade not only the OS, but hardware too. - Bad form, Apple! In all fairness, we need to see what the next few week hold regarding Apple releasing (or not releasing) a patch. I'd be very suprised if they don't. It's probably just a marketing tactic to spur every possible user to upgrade - Still, bad form.
Click and help me get an iPod?
While this could be true, Apple has not made an official statement that I know of. Some one saying they talked to some one at apple does not make policy. It is entirley possible that Apple has just concentrated all resources to get Panther out the door. No work was allowed on previous versions until it was done. It just as plausible as the radical they won't fix Jaguar. Until Apple states their official policy people shouldn't fly off the handle.
Some third party news site is making a claim that apple didn't have a comment in and we are supposed to take that to mean that it is true?
Maybe you should try reading the article. And maybe moderators should, too, before modding up your comment.
Relevant section of article below, because you're too lazy to click a link:
Apple declined comment.
David Goldsmith, director of research for @stake, a security company that found four of the vulnerabilities, confirmed that Apple said it wasn't going to patch the flaws in earlier versions of the software.
"In my initial conversations with them, they said they weren't going to fix 10.2, but I wouldn't be surprised if they change that," he said.
What's interesting is that you somehow missed this part of the article:
David Goldsmith, director of research for @stake, a security company that found four of the vulnerabilities, confirmed that Apple said it wasn't going to patch the flaws in earlier versions of the software.
"In my initial conversations with them, they said they weren't going to fix 10.2, but I wouldn't be surprised if they change that," he said.
I, like many other folks, run OS X 10.2 (Jaguar) on an older, "Beige" G3, which is not supported by Panther.
Just because you own a mac doesn't mean you can expect to have your hardware supported until the case turns to dust.
"I run Windows 95 on an older "Pentium 90", which is not supported by Windows XP. I'm enraged that Microsoft has dropped support for Windows 95 leaving all of us Pentium 90 users stuck with a system with KNOWN SECURITY HOLES."
Is a rabidly pro-Microsoft and anti-Mac site. Just check the tone of previous stories.
You can't believe eveything you read on the 'net!
Bad analogies are like waxing a monkey with a rainbow.
The same security company who recently fired an employee for publishing a paper saying Windows is insecure because it could damage the company's relationship with Microsoft has now identified three security issues in Mac OS X 10.2, which do not exist in 10.3. They made this announcement two days ago, and people are screaming that Apple is screwing their customers because they haven't released a patch within two days. Because 10.3 is not affected by these issues, upgrading to 10.3 would be one solution. Another solution would be to wait until Apple develops and tests a security patch for 10.2, which will probably take them about a week.
Remember that when security issues are found in Microsoft products, Microsoft is usually notified in secret months before the issue is made public, so that they have time to develop a patch.
Summary of the first issue: a user could:
a) turn on core files, so when a process crashes it will dump core to a world-writable directory
b) mount a disk image (or presumably any other writable filesystem such as an SMB mount)
c) make a symlink in the cores directory with a particular PID in the filename, pointing to an empty file on the mounted filesystem
d) cause that particular process, which could be owned by root, to crash, overwriting the file that was linked to
e) read the resulting core file
Or skip steps b and e, and just use it as a DoS to overwrite something important, but unless you've hacked OpenFirmware to prevent booting into single-user mode or booting from CD, anyone with physical access to the machine can do this anyway.
$x='S24;r)>63/* h@<5+oZ)32"5cz';$me='phroggy'x$];
$x=~y+ -xz+\0-Tx+;print$_^chop$me for split'',$x;
This is a 10.3 only problem and the writeup on this topic needs to be fixed. Jesus, look at the people who came out looking for an excuse to bash.
Unlike MS, Apple doesn't have such a gigantic installed base of, say, 8.6 users compared to Win95/98 in the MS world.
If MS said, "We're scrapping the Windows kernel and writing a new Unix-based OS (Is that a pig that just flew by?), MS would try to drop support for the old Windows, to get developers, users, and enterprises all using the same software.
Is this a good idea? Sure, if you are the maker of the software - less bugs, exploits and versions to support and fix. If you're a user of the software, it would suck - buy (licence :( new software, try and get old files to work with new programs, loss of hardware investment. Change happens, especially in the coumputer industry.
One reason I doubt that Apple will stop releasing patches for pre-Panther is on the Xtools developers' disk. There is an option to install compilers? for 10.x thru Panther. It wouldn't stand to reason that Apple would kill support for pre-Panther and include tools to develop for the older versions.
My two cents.
why doesn't someone write a letter to Apple and find out exactly what's up? I would but i really don't care. The fact that none of the posters know the full story, and are only assuming, is bothering.
1. Core Files are disabled by default. So unless you've enabled them you should be ok.
2. DMG Folder permissions can be a problem but I think the bigger problem is broken permissions on executable program distributions. Publishers and developers aren't using the right permissions.
3. The buffer overflow crashes the machine but does not dump any sensitive data- no logs only memory addresses are dumped. This is generally not sensitive information.
In addition I think it's kind of lame to say that Apple will not release security update for 10.2 perhaps they just haven't released them yet. These flaws don't seem to be terribly pertinent since they all require that you already have access to the machine, one of them requires that you dig in and enable core files another requires insecure app permissions (not Apple's fault) and a trojan and the last is an overflow which must be within narrow length limits and does not dump sensitive data.
Panther hasn't even been out a week yet.
No, these problems are already fixed in 10.3 . It's 10.2 (and maybe 10.1, I don't know) that are vulnerable.
That fact should speak to those saying "just give them a week, the bug was only found yesterday", too. The bugs were found quite some time ago if they are already fixed in 10.3. It's just that the group that found the bugs withheld them from public disclosure to give Apple some time to fix them.
At least MS supports an OS for 5+ years before abandoning it, unlike Apple, who is forcing you to pay for yearly upgrades now if you want patches.
The Beige G3 is a 6 year old computer. Think about that for a minute...
Such a statement, aparently confirmed by Apple, will keep Mac OS X out of any server applications. Just imagine Sun saying something similar.
Since Oracle server is out for OS X, I had been thinking about Macs for certain server applications.
At home, I have both an iMac and a beige G3. My beige G3 is not supported under 10.3; according to Apple I cannot upgrade (until xpostfacto gets through with them). Apple just tried to put a gun to my machine's head and pull the trigger.
Because they are dropping hardware in 10.3, they need to support 10.2 indefinately.
I am not amused.
At least wait a week or so before posting something this absurd. I'm pretty damn sure Apple was planning on patching 10.2 sooner or later, but they just got around to 10.3 first.
Or maybe they just wanted to test 10.2 a bit more since it is more likely to be use in production than the week-old 10.3. Either way, it is a bit of a stretch to say that Apple has massively changed their patching policy just because one patch is a bit later than some would like. Quite the big accusation; quite little evidence.
In the end, Apple gets all this negative publicity on Slashdot for no reason at all. I guess MS gets that a lot on here, but I'd expect us to be a bit kinder to our UNIX brothers.
Because it's on your Mac already? Because you don't want to shell out $129 for an upgrade? Because it's better than Classic?
anybody who uses their computer for work dosen't use 10.1.Umm...most Macs are in schools or homes, not work. How many schools buy OS upgrades every year? How many grandmas?
Why should they support it?Because Apple was selling it less than 18 months ago? Because if Microsoft, or RedHat, or anyone else, dropped support for an OS version that early then everyone would be screaming.
That should be adequate for virtually all users of 10.1. The rare 10.1 users who actually need SSH enabled are probably sophisticated enough to apply the open source patch.
Oh I see - so any user who knows how to SSH into a remote machine and run a few commands automatically knows how to download, compile and install a piece of software from source, with the correct options to get all the paths in the right places, overwriting the Apple-supplied binaries (which of course you've backed up first).
And, of course they all know the problem exists in the first place.
Right.
$x='S24;r)>63/* h@<5+oZ)32"5cz';$me='phroggy'x$];
$x=~y+ -xz+\0-Tx+;print$_^chop$me for split'',$x;
There's two things going on here. There's a bug Apple has said, once, briefly, they'll not fix. This appears to be harmless for Jaguar users. There are also a bunch of security fixes in Panther itself. Apple hasn't commented upon these fixes.
Somehow, the wires are being crossed, and the comment about the first is being treated, somehow, as applying to the second.
You are not alone. This is not normal. None of this is normal.