Apple Forcing Panther Upgrade for Security Patch
The Raindog writes "I noticed over at Tech Report that Apple is apparently only offering its latest round of OS X security fixes to Panther users, leaving older versions of OS X out in the cold." Update: 10/31 by J: But see the next day's story.
1) Stupid of Apple, if true; part of the appeal is the lower number of problems OSX has vs Windows.
2) They'll probably have a patch in a few days. If they're smart.
I'm no expert. But is there a possibility that it is only possible to patch this security hole on Panther?
Isn't it possible that they just haven't released the 10.2 patch yet?
Some third party news site is making a claim that Apple didn't have a comment in and we are supposed to take that to mean that it is true?
Apple isn't stupid, there will be patches, and if there won't then wait until they release something about it before you start burning them in effigy.
Glad to finally find out who believes all of the things in the tabloids.
This bug was found and reported on three days ago. I don't think Apple has issued a statement saying they will or will not release a patch. Everyone seems to be acting like there will be no patch like Apple has issued a statement to that effect.
Let's not get too pissy yet.
"If MS did this, the /. crowd would scream bloody murder (hell, they have... and y'all have.) But you know Apple apologists are going to have some reason why this is OK for them to do, and try to make it out like Apple is still the good guy, no matter what.
Don't get me wrong, I love my Macs, they're all I use, but Apple fanboys make me ill."
I see this argument on Slashdot all the time. It does not work. It seems to follow some of the worse arguments in popular culture. Basically it claims that since Slashdot readers take a particular position about software, they are biased and can't possibly be doing so because they have good reason to.
This is a bad argument. If you think a particular post ignores facts and makes poor arguments, point them out. Don't just yell "BIAS" as a blanket accusation against every future post that expresses the position that this is not as bad as it seems. If you think the moderation system is biased, I suggest you provide evidence showing particular posts of high quality being ignored and low quality advance to an extent that you can establish there is a systemic process going on here.
Just because people here seem to currently prefer OS X to XP does not mean everything they say can be ignored under the all-encompassing label of bias. Please, provide arguments, not unsupported assertions.
While this could be true, Apple has not made an official statement that I know of. Someone saying they talked to someone at Apple does not make policy. It is entirely possible that Apple has just concentrated all resources to get Panther out the door. No work was allowed on previous versions until it was done. It's just as plausible as the radical "they won't fix Jaguar". Until Apple states their official policy people shouldn't fly off the handle.
- Apple has not yet released security fixes for 10.2
- Apple have not officially stated that they are not going to.
- Someone claims that Apple told him that they would not support 10.2
It seems a little early to be jumping to the conclusion that they will not support an OS a week after releasing the successor. To do so would be incredibly stupid, and I find it hard to imagine that Apple would intentionally shoot themselves in the foot like this.
Some third party news site is making a claim that Apple didn't have a comment in and we are supposed to take that to mean that it is true?
Maybe you should try reading the article. And maybe moderators should, too, before modding up your comment.
Relevant section of article below, because you're too lazy to click a link:
Apple declined comment.
David Goldsmith, director of research for @stake, a security company that found four of the vulnerabilities, confirmed that Apple said it wasn't going to patch the flaws in earlier versions of the software.
"In my initial conversations with them, they said they weren't going to fix 10.2, but I wouldn't be surprised if they change that," he said.
What's interesting is that you somehow missed this part of the article:
David Goldsmith, director of research for @stake, a security company that found four of the vulnerabilities, confirmed that Apple said it wasn't going to patch the flaws in earlier versions of the software.
"In my initial conversations with them, they said they weren't going to fix 10.2, but I wouldn't be surprised if they change that," he said.
Is a rabidly pro-Microsoft and anti-Mac site. Just check the tone of previous stories.
You can't believe everything you read on the 'net!
The same security company who recently fired an employee for publishing a paper saying Windows is insecure because it could damage the company's relationship with Microsoft has now identified three security issues in Mac OS X 10.2, which do not exist in 10.3. They made this announcement two days ago, and people are screaming that Apple is screwing their customers because they haven't released a patch within two days. Because 10.3 is not affected by these issues, upgrading to 10.3 would be one solution. Another solution would be to wait until Apple develops and tests a security patch for 10.2, which will probably take them about a week.
Remember that when security issues are found in Microsoft products, Microsoft is usually notified in secret months before the issue is made public, so that they have time to develop a patch.
Summary of the first issue: a user could:
a) turn on core files, so when a process crashes it will dump core to a world-writable directory
b) mount a disk image (or presumably any other writable filesystem such as an SMB mount)
c) make a symlink in the cores directory with a particular PID in the filename, pointing to an empty file on the mounted filesystem
d) cause that particular process, which could be owned by root, to crash, overwriting the file that was linked to
e) read the resulting core file
Or skip steps b and e, and just use it as a DoS to overwrite something important, but unless you've hacked OpenFirmware to prevent booting into single-user mode or booting from CD, anyone with physical access to the machine can do this anyway.
$x='S24;r)>63/* h@<5+oZ)32"5cz';$me='phroggy'x$];
$x=~y+ -xz+\0-Tx+;print$_^chop$me for split'',$x;
This is a 10.3 only problem and the writeup on this topic needs to be fixed. Jesus, look at the people who came out looking for an excuse to bash.
1. Core Files are disabled by default. So unless you've enabled them you should be ok.
2. DMG Folder permissions can be a problem but I think the bigger problem is broken permissions on executable program distributions. Publishers and developers aren't using the right permissions.
3. The buffer overflow crashes the machine but does not dump any sensitive data - no logs, only memory addresses are dumped. This is generally not sensitive information.
In addition I think it's kind of lame to say that Apple will not release security updates for 10.2; perhaps they just haven't released them yet. These flaws don't seem to be terribly pertinent since they all require that you already have access to the machine: one of them requires that you dig in and enable core files, another requires insecure app permissions (not Apple's fault) and a trojan, and the last is an overflow which must be within narrow length limits and does not dump sensitive data.
Panther hasn't even been out a week yet.
The Beige G3 is a 6 year old computer. Think about that for a minute...
Such a statement, apparently confirmed by Apple, will keep Mac OS X out of any server applications. Just imagine Sun saying something similar.
Since Oracle server is out for OS X, I had been thinking about Macs for certain server applications.
At home, I have both an iMac and a beige G3. My beige G3 is not supported under 10.3; according to Apple I cannot upgrade (until xpostfacto gets through with them). Apple just tried to put a gun to my machine's head and pull the trigger.
Because they are dropping hardware in 10.3, they need to support 10.2 indefinitely.
I am not amused.
Because it's on your Mac already? Because you don't want to shell out $129 for an upgrade? Because it's better than Classic?
anybody who uses their computer for work doesn't use 10.1.
Umm... most Macs are in schools or homes, not work. How many schools buy OS upgrades every year? How many grandmas?
Why should they support it?
Because Apple was selling it less than 18 months ago? Because if Microsoft, or RedHat, or anyone else, dropped support for an OS version that early then everyone would be screaming.