Apple Forcing Panther Upgrade for Security Patch
The Raindog writes "I noticed over at Tech Report that Apple is apparently only offering its latest round of OS X security fixes to Panther users, leaving older versions of OS X out in the cold." Update: 10/31 by J: But see the next day's story.
I thought only Windows was insecure...
Thanks to file sharing, I purchase more CDs
Thanks to the RIAA, I buy them used...
1) Stupid of Apple, if true; part of the appeal is the lower number of problems OSX has vs Windows.
2) They'll probably have a patch in a few days. If they're smart.
Napster-to-go says "Fill and refill your compatible MP3 player", which is a lie. It's not MP3. It's WMA with DRM.
Meanwhile at Microsoft HQ...
Gates: Damnit! Apple stole our idea to no longer support old versions of Operating Systems and force everyone to upgrade! Lawyer #1, isn't that illegal? Let's get a suit together!
Here are the bugtraq links to the specific vulnerabilities:
Arbitrary File Overwrite via Core Files
Systemic Insecure File Permissions
Long argv[] buffer overflow
If it is going to be Apple's policy to not provide support for previous operating systems from the day the new one comes out, it is going to be very, very difficult for them to break into the enterprise world. Even Microsoft provides support for operating systems for a few years after the new one is released. Maybe if enough people submit a bug report Apple will do something about it.
If Microsoft did this there would be a huge outcry (BTW I hate Microsoft and all they stand for.) But at least Microsoft waits a few years before stopping support for the older versions of its OS.
Did MS buy Apple when I wasn't paying attention?
I remember how people reacted when they found out that Microsoft was going to stop patching Win98. At least they had the decency to wait 5 years. OSX is a really new product, why would they stop putting patches out so soon?
"You didn't pay up when we wanted to, and so now you're screwed."
How much of this attitude until you're paying for each security update? I'm sure MS would love it if they could get away with it. A steady waterfall of cash.
I'm sure there'll be enough of an outcry to fix this behavior. I can't imagine people would tolerate this kind of BS for long.
~D
This sig has been enciphered with a one-time pad. It could say almost anything.
If MS did this, the /. crowd would scream bloody murder (hell, they have... and y'all have.) But you know Apple apologists are going to have some reason why this is OK for them to do, and try to make it out like Apple is still the good guy, no matter what.
Don't get me wrong, I love my Macs, they're all I use, but Apple fanboys make me ill.
My sig is blank, I typed this by hand.
I can't remember any time Apple has ever released an update for a non-current version of MacOS. They always assume that you should update to the latest version that you can run on your machine.
There are all sorts of bugs in 10.1 that Apple has addressed in 10.2 and 10.3. That does not mean they go backwards and release patches for older OSes. They don't have the resources to do that. Many such bugs are also potential security holes.
Avoid Missing Ball for High Score
I'm no expert. But is there a possibility that it is only possible to patch this security hole on Panther?
In US, you can easily buy enough major firearms to wipe out your neighbourhood but a few little fireworks are banned.
While Apple no longer releases point releases on prior releases of OS X, they DO release Security Releases. I think we all need to give them some time to finish the patch and post the update. Apple has *never* left users out in the dark, especially with recent releases (i.e. 10.2, 10.1). I know several users who are still using 10.1 and have received several security patches.
... and I was gonna boycott Panther until they added an 'up' button to the Finder. Oh, well..
Isn't it possible that they just haven't released the 10.2 patch yet?
This page was generated by a Barrel of Circus Midgets, and that is the way I like it!!!
of screwing its own customers. I learned that well -- I bought a @&#* Newton.
Some third party news site is making a claim that apple didn't have a comment in and we are supposed to take that to mean that it is true?
Apple isn't stupid, there will be patches, and if there won't be then wait until they release something about it before you start burning them in effigy.
Glad to finally find out who believes all of the things in the tabloids
In other news, it should come as no surprise to anyone that a computer has a potential security flaw. Does it have a keyboard? What's that? It does have a keyboard! Why, someone could just walk in and START ACCESSING YOUR COMPUTER by simply typing on it.
On the upside, the amount of skr1p7 kiddies who are likely to find Mac exploits and use them are surprisingly small. They're more apt to want to break into Windows machines because 1) it's easier 2) it's more well-documented and 3) what they want to break in to (a friend's computer, school computers, etc) probably run Windows, statistically speaking.
IAALS.
"Imagine if Microsoft tried to charge for security fixes--people would go crazy," Larholm said. And the Apple users are going to bend over and take it?
I, for one, am not happy... I stupidly let AppleCare lapse on my iBook... now it needs a new logic board ($500 repair job). I don't have the $$$ for Panther right now, and I'm extremely upset about the immediate lack of support for old OS versions.
But really, would my excessive ranting and whining on /. really make a difference? No. There's no point to it, so I'll spare myself the energy for more enjoyable pursuits. Like nethack :)
This is a typical Apple bluff. Of course they want everyone to upgrade (and pay $129 yet again), and hope to encourage users to do so with new features (such as the drool-worthy Expose). Apple has many times tried to cut off support for earlier version of an OS and had to eventually relent. Sometimes it takes a lawsuit for them to do so. OS X is just getting some great press so it would be very damaging if the bad press from this decision serves to highlight a security vulnerability in what is otherwise being lauded as much more secure by design than any flavor of Windows. Expect Apple to quietly issue a patch for 10.2.
...and if you were a company with only 3% market share, what would you do? It's a for-profit company folks. It's not a glaring windoze RPC hole or anything. They have to make money somehow.
Cut them some slack--they're competing against MS.
This bug was found and reported on three days ago. I don't think Apple has issued a statement saying they will or will not release a patch. Everyone seems to be acting like there will be no patch like Apple has issued a statement to that effect.
Let's not get too pissy yet.
On the surface, it seems a bad move not to offer patches to Jaguar (10.2.x) users. If the assumption is correct, that Apple is indeed withholding a patch simply to spur sales of Panther (10.3), it borders on bad ethics. There are many users of now unsupported hardware that won't run Panther who rely on their Macs to earn a living; Apple seems to be holding their security as ransom, forcing them to upgrade not only the OS, but hardware too. - Bad form, Apple! In all fairness, we need to see what the next few weeks hold regarding Apple releasing (or not releasing) a patch. I'd be very surprised if they don't. It's probably just a marketing tactic to spur every possible user to upgrade - Still, bad form.
Click and help me get an iPod?
I don't see why anybody aware of the open source technologies that underpin OS X couldn't just locate and apply the fixes themselves. The users who don't know how can pay for the convenience of continued consumer-level support. As for the OS specific security concerns, is it unreasonable to expect an upgrade when there is a new OS release?
If you disagree then it must be overrated, redundant or trolling.
From TFA: Other vulnerabilities could allow a local or remote user to crash the system.
Lol, I'd love to see the patch they came up with for preventing a local user from crashing the system.
-You may license this sig for only $6.99.
This hasn't been a good followup week for Panther. First the upgrade issues, then the abysmal transfer rate of the belkin iPod media transfer thingy, now this security update fiasco.
Stebe, please save us with all your messiah powers. We want to bask in the glory of your healing rays!
I'm very sure Apple will bring out the patches.
If they didn't they would lose a lot of trust in their community and I would no longer think of buying an iBook myself.
Apple isn't cheap, but they have good hardware and Panther is, as far as I can judge it, a very nice example of friendly unix.
They can't continue without bringing out the patches.
42 + 1 = 42
It seems really dodgy that something as big as a security update would be withheld from an OS that was "current" until a week ago. I'm just going to wait and see what happens. My guess is that they'll patch Jaguar in the near future.
-or so you'd think
Perhaps they're still in the process of writing a patch for the older version.
Whoa, slow down - Apple has not said they aren't going to support 10.2 Jaguar. I'd be willing to bet they simply released the Panther patch first.
That's so wrong that I have a hard time believing that this is actually Apple's position. I expect that we'll hear from Apple shortly, and they will clarify their position -- that the patches for 10.2 will be out Real Soon Now.
But if not, Apple's going to get a lot of bad PR from this.
Easy, automatic testing for Perl.
That perhaps the vulnerabilities are limited to Panther...
Just wild-ass speculation of course, I have no reason to believe this is the case...
However, my father, a long-time Mac user, has commented on this before. Now, being an educator, it was always trivial for him to keep current; mostly the Faculty IT group would keep all the Macs current.
TBMK, there isn't any way to force Apple to offer the patch to preceding versions, and the license probably states as much. That said, it really isn't great publicity.
Kind of cries out to update the old aphorism:
Any press is good press, unless it lumps you in with M$...
"Talk minus action equals nothing" - Joey Shithead, D.O.A.
I just looked at the BUGTRAQ mailings, and I get the impression that you need physical access to the computer to break in to it. Have I got that right? I'm no expert, but I've always assumed that given physical access to a computer, a decent hacker could easily have their evil way with it. Of course that doesn't excuse Apple's failure to provide a patch and their rather glib upgrade suggestions.
Patches... We don't need no stinking patches.
More of my thoughts
While this could be true, Apple has not made an official statement that I know of. Someone saying they talked to someone at Apple does not make policy. It is entirely possible that Apple has just concentrated all resources to get Panther out the door. No work was allowed on previous versions until it was done. It's just as plausible as the radical "they won't fix Jaguar." Until Apple states their official policy people shouldn't fly off the handle.
Security Fixes already?
wtf?
do() || do_not();
"It only takes on[sic] rotten apple to ruin a whole basket."
That doesn't make sense. If someone gave me a basket of apples and one was rotten, that doesn't mean the rest of them aren't perfectly tasty delicious apples. Just rinse them off. I mean, "rotten" isn't contagious is it?
the latest flaw is apparently only a 10.3 problem, hence the 10.3 only update.
*** For a better tomorrow, change your life today ***
NetInfo connection failed for server 127.0.0.1/local
Wow. Maybe we should calm down and wait to actually HEAR SOMETHING OFFICIAL from apple before we get the torches and pitchforks out.
All the more reason to turn to piracy. I'm sure a lot of people that would have stuck with their existing version of OS X are going to just pirate a newer version. The amount of piracy in response to this dumb move from apple will probably exponentially outweigh the amount of legal upgrades.
Some third party news site is making a claim that apple didn't have a comment in and we are supposed to take that to mean that it is true?
Maybe you should try reading the article. And maybe moderators should, too, before modding up your comment.
Relevant section of article below, because you're too lazy to click a link:
Apple declined comment.
David Goldsmith, director of research for @stake, a security company that found four of the vulnerabilities, confirmed that Apple said it wasn't going to patch the flaws in earlier versions of the software.
"In my initial conversations with them, they said they weren't going to fix 10.2, but I wouldn't be surprised if they change that," he said.
"Security Update 2003-10-28 addresses a potential vulnerability in the implementation of QuickTime Java in Mac OS X v10.3 and Mac OS X Server v10.3 that could allow unauthorized access to a system."
So it seems that only Panther is vulnerable, and there is no need to release a patch for 10.2.x and 10.1.x.
Granted, Apple doesn't control the guys that release it, but in this case Panther already has the fix built in, so where's the one for Jaguar?
Time (and public opinion) will tell I guess...
AC comments get piped to
I guess I'm going to be modded as flamebait...
;-).
/flame
But...
If I had to upgrade my OS every year in order to get the latest security patches, I would shit a brick.
Seriously.
I'm glad that all the machines in my office get automatic patches from SuSE. I spend enough time screwing around with the applications on my system.
If my OS works, I don't want to have to upgrade it. I don't care how easy it is, I don't care how much cool stuff comes with it.
That's what my 'test-bed' (read toy) systems at home are for.
When I'm working, I have work to do. We've been very, very seriously considering getting some OS X boxes, but if I don't see a patch come out for older versions of OS X, the most I will do is get a Mac for my home (to go alongside my 8 PCs
No patches=no business use.
Seriously, though, I'll be very surprised if they don't patch the older versions. They'll probably get round to it after a week or so.
WhiteWolf666 an exBush supporter. All you new-school,compassionate,save the children Republicans can rot in hell
Apple, as far as I know, has always tried to keep up with industry standards by forcing its users to buy the new soft/hardware of the times. Their software prices don't seem to be all that high. A quick glance at Apple's site said that the new OS X Panther is only $129 while just an upgrade to Windoze XP Pro is $199 (a full version will run ya $299, this is from M$'s site). Remember back when Apple decided to switch from the 68k to Power PC format? Everyone hated it but look what happened. Apple had a brand new architecture that was very powerful and reliable and from what I understand, the OS's for the early PPC's were very good and user friendly. I don't really see this as being unfair; Apple is a very up to date company that tries to maintain an image of modern computing. The computer industry changes so much that people get lazy and never upgrade their software and then they complain when it becomes too slow after a few years. All Apple is doing is making sure its users are up to date. Apple doesn't give their software away for free but I believe that it's reasonably priced. I am not an Apple user but I wouldn't mind being one. I like how they have good, solid hardware and decent software to support it. I hate M$, I hate their software and their horrible business practices that push people around.
and I think so because of this:
I upgraded my machine at home 10.2.8->10.3. Unfortunately, one piece of software would not work (Silverfast SE, my scanner software. It would not detect the scanner even though the System Profiler showed that it was at SCSI address 2).
It was easy to downgrade to 10.2, then run software update to get back to the 10.2.8 system. Then I realized that there were security updates for 10.3 that were unavailable to me. My choice is security updates, or using my scanner. For now, I have chosen to stick with 10.2.8.
This is OK at home, as I only have one computer behind a firewall, but the dilemma is unacceptable at my job.
At work, our CIO, my manager, and several staff use Macs, and we wish we could bring them into the company; our CIO said that the 15" PB is the best computer he has ever used. But, we are still running Windows 2000, and only stopped using NT4 a few months ago, but MS made security patches available up to the end. We continue to download and install security patches for 2000 server and workstation.
I think it is unreasonable to tell a company to upgrade all machines on the vendors' schedule; companies need to control their own upgrade cycle if their environment is to be stable. I work for a financial management company, and we have consistently near-zero downtime, in part because we control our software upgrades. We have a company policy of making no changes the last week of the month when accounts need to be settled, and no changes for one month at the end of the fiscal year so we can close our books. However, critical security fixes are required, after reasonable testing on our QA systems.
If Apple gives us the choice of a) no security patches after one year max, or b) one critical app stops working on the new version, it means no OS X at work.
Worse, Apple has no clearly stated policy on upgrades, support, patch releases, and end-of-life schedules, and nobody you can get on the phone tells the same story. They are a very secretive company, which does not help when selling to the corporate market. I have read that Apple recently started setting up a corporate sales force, so hopefully this message will get back home and get into the right ears.
And, we don't like Windows, but MS at least tries to get security fixes out and does state when we can expect support for old releases to stop, so we can make a schedule for ourselves.
All the above has a history of evilness, apple might just be breaking into the market now (though I'm hoping that this is just delay and not profiteering on their part)
In other news, it should come as no surprise to anyone that a computer has a potential security flaw. Does it have a keyboard? What's that? It does have a keyboard! Why, someone could just walk in and START ACCESSING YOUR COMPUTER by simply typing on it. If you living alone (or you trust the people you live with), then the walls of your house are your "security." If your home is that insecure, I'd be more worried about someone walking away with your big screen TV than fooling around on your computer. Even if there are many people who could theoretically access your computer, don't most modern operating systems require users to log on? Sure, some systems allow you to disable password requirements, but that's your own choice if you want to trade security for convenience.
When Microsoft stopped support of Windows 98, they linked on the Windows 98 support webpage to Microsoft Support Product Lifecycle. At least they have a consistent product support policy. I mean 98 was released 5 years ago, so it goes with their policy of only providing support for 5 years from release for consumer products. That's more than you can say about Apple.
Is a rabidly pro-Microsoft and anti-Mac site. Just check the tone of previous stories.
You can't believe everything you read on the 'net!
Bad analogies are like waxing a monkey with a rainbow.
"'In my initial conversations with them, they said they weren't going to fix 10.2, but I wouldn't be surprised if they change that,' he said."
"'...this is the first time they have hinted that they will not be supporting any particular OS X version for more than that year...'"
Though Apple has been slow in providing updates to fully support their hardware in OS X (e.g. the ATI driver issue), this story is based on speculation on the part of the people interviewed. Also, there is no comment from Apple, so much for quality journalism.
From the site at @stake....
Release: 10.28.03
Name: Long argv[] Buffer Overflow
Application: Mac OS X
Platforms: Mac OS X 10.2.8 and below
Severity: Attacker can crash Mac OS X and possibly execute commands as root
Author: Matt Miller and Dave G.
Overview: It is possible to cause the Mac OS X kernel to crash by specifying a long command line argument. While this primarily affects local users there may be conditions where this situation is remotely exploitable if a program which receives network input spawns another process with user input. It is possible to use this condition to dump small portions of memory back to an attacker.
Release: 10.28.03
Name: Systemic Insecure File Permissions
Application: Finder (and many others)
Platforms: Mac OS X 10.2.8 and below
Severity: High
Author: Dave G.
Overview: Many applications are installed onto Mac OS X systems with insecure file permissions. This is due to two distinct classes of problems:
A security issue regarding DMG files managed by Mac OS X
Insecure file permissions packaged by different vendors
The result is that many of the files and directories that compose various applications are globally writable. This allows attackers with filesystem access to an OS X machine to replace binaries and obtain additional privileges from unsuspecting users, who may run the replaced version of the binary.
Release: 10.28.03
Name: Arbitrary File Overwrite via Core Files
Application: Kernel
Platforms: Mac OS X 10.2.8 and below
Severity: High
Author: Dave G.
Overview: In the event a system is running with core files enabled, attackers with interactive shell access can overwrite arbitrary files, and read core files created by root owned processes. This may result in sensitive information like authentication credentials being compromised.
Yeah, they're bugs, and yeah, it's possible. But don't these phrases kinda limit the scope?
"While this primarily affects local users"
"This allows attackers with filesystem access"
"attackers with interactive shell access"
So to me this doesn't mean the end of the world, or that all my data is wide open and exploitable from the public internet. I'm guessing they'll patch it when they can, and the fact that it's patched in X.3 probably means they're using a different release of the software in question that is inherently invulnerable to these issues.
Whenever a Microsoft or Linux hole appears, the Apple extremists come out of the woodwork, talking about how "If Apple was the majority player, not MS, none of this would happen." Well, guess what. If Apple was the majority player, this would have just screwed the majority of computer users.
True, when Blaster was running rampant, MS refused to patch NT4 systems. But, those systems were not 1 year old either. This behavior is completely irresponsible of Apple, and should be a good example of why, even though the core is open source (Darwin), if you rely on proprietary extensions (Aqua), etc., you have the potential to get burned.
Overrated / Underrated : Moderation
The same security company who recently fired an employee for publishing a paper saying Windows is insecure because it could damage the company's relationship with Microsoft has now identified three security issues in Mac OS X 10.2, which do not exist in 10.3. They made this announcement two days ago, and people are screaming that Apple is screwing their customers because they haven't released a patch within two days. Because 10.3 is not affected by these issues, upgrading to 10.3 would be one solution. Another solution would be to wait until Apple develops and tests a security patch for 10.2, which will probably take them about a week.
Remember that when security issues are found in Microsoft products, Microsoft is usually notified in secret months before the issue is made public, so that they have time to develop a patch.
Summary of the first issue: a user could:
a) turn on core files, so when a process crashes it will dump core to a world-writable directory
b) mount a disk image (or presumably any other writable filesystem such as an SMB mount)
c) make a symlink in the cores directory with a particular PID in the filename, pointing to an empty file on the mounted filesystem
d) cause that particular process, which could be owned by root, to crash, overwriting the file that was linked to
e) read the resulting core file
Or skip steps b and e, and just use it as a DoS to overwrite something important, but unless you've hacked OpenFirmware to prevent booting into single-user mode or booting from CD, anyone with physical access to the machine can do this anyway.
$x='S24;r)>63/* h@<5+oZ)32"5cz';$me='phroggy'x$];
$x=~y+ -xz+\0-Tx+;print$_^chop$me for split'',$x;
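An audit script for the preconditions the @stake advisories and the step summary above describe, added here as an example; it is not code from the thread, from Apple or from @stake. It reports world-writable entries under an application tree (the "Systemic Insecure File Permissions" issue), whether core dumps are enabled in the current shell, and any symlink planted in the core-file directory (the precondition for the core-file overwrite). Directory paths are parameters, and the assumption that `ulimit -c` reflects the core-file setting is mine.

```shell
#!/bin/sh
# Added defensive audit example (not from the thread, Apple or @stake).
# Covers the three conditions the advisories describe:
#   1. world-writable files or directories inside an application tree
#      ("Systemic Insecure File Permissions")
#   2. core dumps enabled in the current shell (assumes `ulimit -c`
#      reflects the setting)
#   3. symlinks sitting in the core-file directory, the precondition for
#      "Arbitrary File Overwrite via Core Files"
# Paths are parameters so the checks can be run against any tree.

# find_world_writable DIR
#   Prints every regular file or directory under DIR with the world-write
#   bit (0002) set. Symlinks are skipped: their own mode is meaningless.
find_world_writable() {
    find "$1" ! -type l -perm -0002 -print 2>/dev/null
}

# count_world_writable DIR -> number of offending entries (0 when clean)
count_world_writable() {
    find_world_writable "$1" | wc -l | tr -d ' '
}

# cores_enabled
#   Succeeds (exit 0) when the core-size limit of this shell is non-zero,
#   i.e. a crashing process would write a core file.
cores_enabled() {
    [ "$(ulimit -c)" != "0" ]
}

# suspicious_core_links COREDIR
#   Lists symlinks directly inside COREDIR named like core files. A
#   legitimate core dump is a regular file, so any symlink here is worth
#   a look before the next root-owned process crashes.
suspicious_core_links() {
    [ -d "$1" ] || return 0
    find "$1" -maxdepth 1 -type l -name 'core*' -print 2>/dev/null
}

# audit APPDIR COREDIR
#   Prints one WARN line per condition found and returns the number of
#   conditions hit (0..3), so callers can branch on the result.
audit() {
    issues=0
    n=$(count_world_writable "$1")
    if [ "$n" -gt 0 ]; then
        echo "WARN: $n world-writable entries under $1"
        find_world_writable "$1" | sed 's/^/  /'
        issues=$((issues + 1))
    fi
    if cores_enabled; then
        echo "WARN: core dumps enabled in this shell (ulimit -c = $(ulimit -c))"
        issues=$((issues + 1))
    fi
    links=$(suspicious_core_links "$2")
    if [ -n "$links" ]; then
        echo "WARN: symlinks in core directory $2:"
        echo "$links" | sed 's/^/  /'
        issues=$((issues + 1))
    fi
    [ "$issues" -eq 0 ] && echo "OK: no findings"
    return "$issues"
}

# Usage: sh audit.sh APPDIR COREDIR   (e.g. /Applications /cores on Mac OS X)
# With no arguments only the functions are defined, so the file can be sourced.
if [ "$#" -eq 2 ]; then
    audit "$1" "$2"
fi
```

The exit status of `audit` is the number of conditions found, so a cron job or login script can act on a non-zero result.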
From http://lists.apple.com/archives/security-announce/2003/Oct/28/applesa20031028securityu.txt (login: archives, password: archives):
>The issue does not exist in earlier versions of Mac OS X or Mac OS X Server.
-- Charles A. Plater
Give it a day or two. Apple has not said that they won't be issuing the patch for Jaguar, they merely haven't released it yet. In all likelihood, a Jaguar patch will follow.
If memory serves, they continued to issue security patches for 10.1 after Jaguar was released. I see no reason why they'd choose to alienate their customers by not doing the same for Jaguar now that Panther's out in the wild.
Journalistic integrity on Slashdot? Yeah, I'm asking a bit much.
I think I've figured it out.
They have a hardened group of insane users who simply won't switch to anything else.
As such, it makes good business sense for Apple to make them pay through the nose. They've got them by the short and curlies; now they can generate revenue by forcing Apple users to constantly purchase new stuff.
Look for Apple to move to a subscription OS model, soon.
The new viruses will be shipping worldwide in early 2004.
This is a 10.3 only problem and the writeup on this topic needs to be fixed. Jesus, look at the people who came out looking for an excuse to bash.
Boy, I'm sure glad you do your research before posting:
http://simplest-shop.com/Macintosh--1-229660-software.html
Let's see
X.1 Sept 28, 2001
X.2 Aug 23, 2002
That puts 11 months between those two releases
X.3 Oct 25, 2003
That's a nice 14 months in between those releases
By contrast:
Windows 2000 , Feb 17 2000
Windows ME released Sept 14 2000
That would be 7 months
Windows XP Oct 25 2001
That would be 13 months
And let's compare prices:
Mac OS X $130 always (full version)
Windows 2000 $320
Windows ME $110 (upgrade) or $210 (full)
XP Home $100 (upgrade) $200 (full)
XP Pro $200 (upgrade) $300 (full)
So from OS X.0 to X.3
March 2001 to Oct 2003 (32 Months)
You've spent $390
From Windows 2000 to Windows XP (19 Months)
Feb 2000 to Oct 2001
You spend at minimum $530 and at most $830
And if you factor out Windows ME, it's still more expensive.
T Money
World Domination with a plastic spoon since 1984
Good news is Linux already runs on this platform :-)
I'm torn, mod insightful or funny?? Aaaah I'll respond then...
Well think about it, you advertise a whole mess of new features as well as a "safer more robust operating system" and people will snap it up. Marketing over practicality wins yet again. It's the same reason why I'm feeling a sudden impulse to go out and buy a new Toyota right now...
Or maybe Microsoft needs to take note of that? Consider smaller cheaper incremental upgrades like they did back in the good old days of DOS and Windows 3.1 (Dos 5.0, 6.0, 6.22, etc...;Windows 3.0,3.1,3.11, etc...)?
...in bed
Why doesn't someone write a letter to Apple and find out exactly what's up? I would but I really don't care. The fact that none of the posters know the full story, and are only assuming, is bothering.
...Tech Report is a site that capitalizes on hearsay and likes to spread FUD. Avoid in future.
-- thinkyhead software and media
That's funny. When I first saw the subject, I thought you were going to say that making an assumption that Apple is not going to fix these "security problems" after three days was unfair. I would have agreed.
I find the whole patching debate interesting... As someone who just bought a G5 with 10.2, I am paying for the $19.95 upgrade to 10.3 anyway but I would also prefer that if I chose not to that they would patch the bug/security hole.
What I find interesting though is expectations... For example, if you buy a PC game and find a bug, you expect to be able to go to their web site and download a patch. OTOH, if you buy the SAME game for PS2, you certainly don't expect patches -- you expect it to work.
Come play Moral Decay!
So, you mean that a vulnerability in 10.3 has to exist in 10.2?
It's not at all possible that with new functionality comes new bugs?
The very title of this story indicates a lack of proper investigative journalism. Of course, this is /., so I'm not at all surprised.
Raptor
"Procrastination is great. It gives me a lot more time to do things that I'm never going to do."
1. Core Files are disabled by default. So unless you've enabled them you should be ok.
2. DMG Folder permissions can be a problem but I think the bigger problem is broken permissions on executable program distributions. Publishers and developers aren't using the right permissions.
3. The buffer overflow crashes the machine but does not dump any sensitive data: no logs, only memory addresses are dumped. This is generally not sensitive information.
In addition I think it's kind of lame to say that Apple will not release security updates for 10.2; perhaps they just haven't released them yet. These flaws don't seem to be terribly pertinent since they all require that you already have access to the machine: one of them requires that you dig in and enable core files, another requires insecure app permissions (not Apple's fault) and a trojan, and the last is an overflow which must be within narrow length limits and does not dump sensitive data.
Panther hasn't even been out a week yet.
Why don't Apple just be done with it and call it OS X subscription? After all, I bet most of their customers are paying $120 every 12-18 months anyway just to keep their machines current. So why not be honest about it? And this on top of the premium for the hardware.
This is just plain ridiculous, as stated the bug may not be in 10.2, and on top of that, just because a patch has not come out yet, does not mean that it is not going to come out.
Show me ONE software company that posts lists of patches that are yet to come! If a company did do that, all they would be doing is making a list of bugs for people to exploit. Typical Mac bashing, plain and simple.
Such a statement, apparently confirmed by Apple, will keep Mac OS X out of any server applications. Just imagine Sun saying something similar.
Since Oracle server is out for OS X, I had been thinking about Macs for certain server applications.
At home, I have both an iMac and a beige G3. My beige G3 is not supported under 10.3; according to Apple I cannot upgrade (until xpostfacto gets through with them). Apple just tried to put a gun to my machine's head and pull the trigger.
Because they are dropping hardware in 10.3, they need to support 10.2 indefinitely.
I am not amused.
Educate yourself before you speak, my boy.
As I've said before, and apparently the anti-Apple automatons on slashdot are too thick headed to hear: this is a perfectly valid business decision for Apple to make with their limited resources. Unlike Microsoft which has a monopoly, and Linux which has thousands of amateur hobbyist programmers (which shows in the quality of their work), the professionals at Apple have only so much time and effort they can put into creating top quality software. The fix for this has been stated and is clear: if you need an up to date operating system, you should pay for it. In the real world, we live in a capitalist country with a capitalist system where people get paid for the work they do. If you don't like capitalism, use Linux, but you will of course get what you pay for. Those of us who have made the switch to Apple understand that superior technology is the result of hard working professional programmers who are not afraid to stretch the limit of technology and innovation to create products that make our lives easier. So stick to Linux, or Windows, or whatever. In the meantime, I'll pay the cheap upgrade cost and get back to doing actual work rather than struggling with kernel patches and email viruses.
I'm reminded of a battered wife who will never leave her husband despite getting beaten again and again.
A few people point out that there's no evidence to support the story yet, and you're reminded of a battered wife? I bet every time you stub your toe, you're reminded of the Hindenburg. Oh, the humanity!
To those that did not upgrade to the 10.2.x series, is Apple still offering security updates to the 10.1.x series? If not, I think we know what they will do now that 10.2.x is no longer "new."
But Apple's really going to have to get their sh1t together on this - or they'll never be taken seriously in the Enterprise.
WTF is it with you geeks and Star Trek? Listen carefully: IT'S NOT REAL, IT'S JUST A SHOW. Why, the Starfleet or whatever would no more use Apple Computers on the Enterprise than any modern PC, the whole idea is abs--
MAN TAPS NARRATOR ON SHOULDER, WHISPERS URGENTLY
Er, carry on.
If Jesus wants me it knows where to find me.
Apple should milk its fanatical user base for every penny they're worth. Apple has never apologized before (remember the short-lived outcry after they started charging for that .Mac service?) - Apple users quickly forgive and forget.
Or are we all going based on the assumption that since there is a Panther patch and there isn't yet a Jaguar patch that none is forthcoming?
If I were running a company I'd patch my new product and test that before I worried about patching my legacy products.
Maybe it's in one of the additions to OS X 10.3 so there's no update required for 10.u | where u < 3.
MSBPodcast.com The opinions expressed here are my own. If you don't like 'em... Think up your own stuff.
The crowds are longing for a commercial alternative to Microsoft; Linux does just fine but there are so many people that just can't handle the glitches and quirks of the good penguin. Sometime in the near future Linux based distributions will obtain OS X grade nirvana but until then people want an escape from Microsoft without the hassle. So Apple fills the void but people are also terrified at the thought that under the sheep hide is a wolf in disguise so many are too trigger happy. I'll give them some slack and wait for the Software Update to bounce on my dock. I'm holding my breath...
I wonder who is ordering all the stupid things I do - Altan
Apple is taking care of its customers.
If a non-Apple computer is a better solution for you, for whatever reason, you'd be silly to pick an Apple
For me, though, Apple is a pretty good solution. There's no bargain basement model, sure, but I've managed to save up enough money for a new Apple recently (first one in a while, but my old one was ticking along just fine).
I like Apple because their computers make me want to do things with their computers. (I'm setting someone up for a +5, Funny post with that line, I know) I want to make movies with iMovie and iDVD. I want to find out about new music with the iTMS. I don't doubt that I could do all those things on another machine, and probably fairly well. But I don't think the other machine would make me _want_ to do it the way my Mac does.
But like you said, they're not for everyone, for a host of different reasons. And that's ... OK
Your example is like buying every new release of Photoshop and Photoshop Elements. It's stupid. I don't know one 2000 user who went to ME.
Oh, and since longer release cycles are better by your standard, you should be happy to include Windows Longhorn in there, which seems to be coming out in 2005, four years after XP.
Many companies do this already. If you are not current, you are outta luck on updates of any kind.
Since Panther is 'current' then you can't demand they support something older..
True, it's irritating as hell..
Just wait until fixes for SUPPORTED versions are pay only...
---- Booth was a patriot ----
Ehm, unless the Newton came with a defective keyboard or a really messed up spellchecker I don't get the joke. Anyone care to enlighten me?
MMO Quests are like orgasms:
You may solo them, I prefer them in a group.
... General Motors will not be fixing older GM vehicles that have a problem with the navigation system. When asked by tinfoil-hat-wearing /. users why they wouldn't support earlier versions, GM's CEO mentioned that older vehicles don't have this feature so they wouldn't need to be fixed.
In other news, Apple has reported that "Security Update 2003-10-28 addresses a potential vulnerability in the implementation of QuickTime Java in Mac OS X v10.3 and Mac OS X Server v10.3 that could allow unauthorized access to a system."
--AB
What strikes me as strange about this is that Apple is allowing this news story to fester. It is popping up in several news sites now and is creating a lot of bad press for them, regardless of the facts. I thought Apple was smarter about marketing than that. All we have at the moment is "no comment".
For a good operating system, $129 is a small price to pay because you get an excellent operating system that is user-friendly and stable at the same time. I am sorry, but Apple has the best GUI engineers that actually put a lot of time into usability testing (open any HCI book and you will see the reference to Apple's products here and there); combined with a solid backbone OS X is an excellent choice for everybody who wants the beauty (the interface) and the beast (UNIX) combined into one.
I used to be a big Linux fan, but that OS has become a pain in the rear due to inconsistency problems between distributions and other misc. stuff that pissed me off on a daily basis. I switched to FreeBSD and I still use it on my servers; however, my primary desktop is a G4 running 10.3. Now I spend more time doing useful things rather than trying to get the interface to work. I will switch to any Open Source product that offers a clean and functional (from the user's point of view) GUI + precise guidelines for developers. Unfortunately, neither KDE nor GNOME can offer it at this point of time.
Also, I found out that my productivity increased after I switched to OS X because I do not have to spend hours on tweaking a desktop or trying to fight any of its features. Plus, $129 is a small price to pay for peace of mind. My shoes are worth more than that and yet I change them on a yearly basis.
Actually, it's worse. Even MS doesn't require its customers to upgrade to its latest OS in order to keep getting OS security patches. Hell -- they patched Win98 for ~ 6 years.
And if Apple is serious about releasing a new version of OS X EVERY YEAR, you'll have to buy it every year or risk vulnerabilities. That's just crazy -- some people are running SERVERS on this stuff.
This is too ridiculous for them to be serious. Either someone has misunderstood something or Apple is going to backtrack quickly.
Who is RTFM and when will he help me with Unix?
David Goldsmith, director of research for @stake, a security company that found four of the vulnerabilities, confirmed that Apple said it wasn't going to patch the flaws in earlier versions of the software.
I recently read about these "security problems" in 10.2.x found by @stake, and I find it amusing that the details were virtually left out of this current article.
The current set of vulnerabilities include a flaw in the operating system that causes applications to be installed that have insecure file permissions. Other vulnerabilities could allow a local or remote user to crash the system.
IMHO, this is being blown way out of proportion. I've never heard of @stake before, and it sounds like they're trying to make a mountain out of a mole hill, possibly to make a name for themselves.
I read an article a few days ago (sorry, no link) about this security thing on 10.2.x. From that article, it said that one of the security issues is that some files have default filesystem privs open to "group" or "other", such that if you were to install something malicious it might have access to modify certain other pieces of your filesystem that should otherwise be read-only. This is pretty idiotic, I think, because if you're about to install something malicious, that's your fricking problem right there. Should this filesystem thing be fixed? Sure. Is this a serious "security issue"? I don't think so.
Two of the other vulnerabilities had to do with somebody sitting at your console typing in specific, malicious commands that would result in a kernel panic. Problem? Sure, this should probably be fixed. But I don't see how this is a "security issue". If somebody is sitting behind my machine with a terminal window open, I've got a lot more to be worried about (stealing files, deleting data, mucking up configurations) than whether he's about to type in some command to send my machine into kernel panic mode.
I don't see how any of this is worthy of the kind of media hype that we're seeing.
Apple has released an updater for WebObjects 5.2.2 development on MacOS X, and updates for deployment on Windows and Solaris, but the only way to get WebObjects 5.2.2 deployment for OS X Server is to upgrade to 10.3 server. Apple has not officially said that they won't release the update for OS X Server 10.2, but it is not available now, and there is no official word either way.
-- Charles A. Plater
I've heard of @stake before. They're the people who recently fired a researcher for writing a paper that was critical of Microsoft.
OS X does have a lower local-security profile than most UNIX systems, but it's still significantly better than Windows even with all Microsoft's recent hype. If there aren't any remote security exploits I would say that the thing to do is watch the Panther patches as they're released and apply the same permission changes by hand.
I thought this was a Panther fix and not a 10.* fix. Are we sure it's a 10.* fix? The way things read it was a new bug for Panther only when it was on the other mac sites a few days ago.
As a rock 'n' roll Physicist once said, No matter where you go, there you are.
Why is everyone surprised about this?
After all it's Apple, the wonder boys of the computers. Hailed to fame because they are monopolistic and OSX only runs on their own proprietary hardware. And now you're all surprised because they use the same tactics as MS? Go figure!
I would be more surprised if they actually caved in. Why? Well, there is more money to be had from having the users pay an upgrade fee to move to the new and fixed version rather than providing the fixes for free. Basic economy. And you're surprised because?
If you mod me down, I *will* introduce you to my sister!
As much as I hate to admit it, at least MS supports more than two years' worth of versions. They still support back to 98. This is a very bad move by apple - if your security support in any way makes MS look *good*, you've got problems.
With as much as Macs do cost, great support should be something taken for granted.
And before the flames fly, like they always do, I do not use and cannot stand MScrap.
-Looking for a job as a materials chemist or multivariat
This article helps put this FUD into perspective. Apple bashers need not read it, since they've already made up their minds.
People don't buy Macs to run Apache. They blow the dust off an old PII for that and then run BSD, or Linux.
You run Macs for high-end i/o-intensive bandwidth applications like ProTools, PhotoShop, and Premiere. Best I recall, you can't do those things on OpenBSD.
WRT the patch, most Macs don't run in hostile environments either. So the realities of not getting these "security" patches, while irritating, are probably not going to expose any vulnerable machines. The precedent Apple sets to their customers, however, is something I find disturbing. The only reason I'm running XP for my ProTools LE is for the same predicament it appears Apple is placing its users in. Perhaps I won't buy that Mac after all... seems like the same problem Micro$oft has been inflicting on me for the past 15 years without having to spend $2k on proprietary hardware. The decision metric just changed back in favor of Mickey$oft, Apple; hope you guys are listening...
www.dedserius.com
VB != VisualBasic
I've already paid for an excellent operating system that's user-friendly and stable, and follows Apple's HCI guidelines better than Panther. It's called Jaguar.
Panther won't run on my Mac yet, until Ryan gets XPostFacto 3.0 out. After that, I think I'll wait until Max Rudberg gets Milk working on Panther, and someone comes up with a way to keep running the Jaguar Finder on it.
It's a pity about the OS improvements, the things Apple doesn't seem to be crowing about like the new UFS, but maybe I can update the Darwin core underneath OS X and pick those up as well...
A jihad has been declared! It is YOUR duty to make certain that the target of our attacks be made aware of their misdeeds. If they will meet us halfway, then we shall remain peaceful. If not, there will be much suffering. Choose your side and play it well, for in the end there will be much rejoicing for the victor! And that victor shall be the one who as spoken against the infidels with their unfair moderating practices. Choose now! Choose wisely.
The only difference between Apple and MS is that MS has a monopoly. Apple applies the same kind of tactics as MS to force users to upgrade. I personally find it sad and I am thankful for Open Source that allows me to do something as simple as choose when *I* want to upgrade.
Go ahead and mod me a troll now : )
If Tyranny and Oppression come to this land,
it will be in the guise of fighting a foreign enemy. -James Madison
It may well be that Apple hasn't issued a statement yet. If so, they need to get their propaganda machine in motion.
In Apple's defense, I will say that the security bugs I've seen do not include any "Remote Arbitrary Code Execution" [RACE] holes, so not releasing a patch isn't *completely* insane... albeit, it is insane.
At least one bug allows for remote crashing of a machine. So, combine (using script kiddie tools) a standard M$RPC virus like Blaster with a routine to scan all IP addresses in reach with the Apple-Crashing RPC, and every infectable Internet PC takes out every Jaguar Mac on the net. Someone's going to do it sooner or later; probably one of the fanatic anti-Mac zealots. Apple *NEEDS* to release this patch, or it will be a PR disaster.
I work for a group that teaches engineering ethics. Speaking as someone with purchasing-recommendation authority, I've checked with half of my Mac users so far, and my purchasing-authoritied boss (who buys what I tell her to). The response has been unanimous: requiring payment to receive security patches on an operating system barely a year old (and which we've been using for less than six months) is "an unethical business practice" and completely unacceptable. I now have my Apple users all ready to consider switching to Windows, and my boss ready to stop all future Mac hardware purchases, unless Apple provides the security patches.
I am willing to consider bugs (like Preview crashing on opening a certain ordinary digital photo) to be something where they can say "we fixed that, but you have to buy Jaguar." Security flaws are a whole different kettle of cat. They need to patch any RACE holes at least, and probably all of the security holes.
//Information does not want to be free; it wants to breed.
Most of it only speculates as to Apple's intent. Here is the only part relevant to their actual intent:
Apple declined comment.
Sure, they should have pronounced their intent to fix the problems but they have certainly NOT stated that the intent is to leave 10.2.x unpatched.
The article is a bit misleading, as well. For instance, it fails to note that the @stake advisory in question (core files can be used to overwrite arbitrary files) pertains to a facility that is disabled in all Apple-supplied 10.2 installations.
In short, they should fix it. Soon. They haven't said they won't, though, and it's been *almost* two days. I'm taking a "wait and see" approach on this one.
.sig: file not found
At least wait a week or so before posting something this absurd. I'm pretty damn sure Apple was planning on patching 10.2 sooner or later, but they just got around to 10.3 first.
Or maybe they just wanted to test 10.2 a bit more since it is more likely to be used in production than the week-old 10.3. Either way, it is a bit of a stretch to say that Apple has massively changed their patching policy just because one patch is a bit later than some would like. Quite the big accusation; quite little evidence.
In the end, Apple gets all this negative publicity on Slashdot for no reason at all. I guess MS gets that a lot on here, but I'd expect us to be a bit kinder to our UNIX brothers.
First, agreed - damn, it sucked. I still run it on one machine for games, and it's a real treat. I hadn't checked for a while, but it appears they have indeed stopped as of a few months ago. Still, that's pretty good - and it's better than suspending support of an OS *months* after it ceases to be the newest OS. That's inexcusable.
Only for 10.3? I hardly think that is true. This is more of a commentary on techreview's crappiness than Apple's.
And I can get OS X for $79. Actually, to tell the truth, I can get it for $40, but I'll be reasonable here.
T Money
World Domination with a plastic spoon since 1984
Might the reason it's not being released for 10.2 is that it says in the Update that it is for versions of software running under 10.3?
Nah - that's too fricken simple, now isn't it?
If Apple want to be taken seriously in the enterprise, they'd damn well better patch 10.2. Of course, I'm not going to take a mere two days as confirmation that they never intend to do so. It wouldn't surprise me if they did cut 10.2's life-line, though. Sometimes I wonder what the fuck is going on over there. They can't seriously expect everyone to upgrade to 10.3 the second it comes out, especially server administrators. It's attitudes like this that keep Apple out of the enterprise; they can't conceive of a scenario where an earlier version of an OS would be acceptable for server use.
Precisely what I've said all along. Apple would be Microsoft if they could, but they lost. They're evil, but not as good at it.
CEE5210S The signal SIGHUP was received.
Haha.. this is what I think is an interesting twist to this. I kinda noticed it reading a previous patch.
The Library of Congress just released some guidance rules on the DMCA; included in that was a part about being able to fix or reverse engineer software that you already have to make it usable when part of it becomes obsolete. This is mostly considered for when, like, an Atari 2600 or something doesn't work anymore and you can use the ROM pack on another platform. But will this open up the possibilities to either A: reverse engineer the OS to make it secure, B: allow you to not only fix the security holes but maybe even port it to Intel platforms or such if their fix doesn't support your hardware, and maybe other possibilities too?
Of course I'm banking this on the fact that they state they plan not to patch 10.2 for the security flaw (as minor as it is), making the OS functionally obsolete. Even if it works, if it doesn't operate safely then it is non-functional in today's dangerous digital society.
Also with the upgrade not supporting older hardware that OS X at one time did support, thereby making that platform obsolete.
This combined with the Library of Congress's recent DMCA guidelines could spell out some unintended consequences for Apple when they take a page out of Microsoft's handbook and try to force the upgrade.
Am I reading too much into this or is this approach possible? Maybe it would make Apple rethink its position? Can anyone say OS X on Intel? Maybe that is a stretch.
By the way, Microsoft had an issue in the Help and Support feature that would allow any well-crafted email or website to delete entire directories from the user's hard drive with no interaction from the user. All they needed to do was visit the page or download and preview the email. They held a patch for this over 11 weeks waiting to include it in the service pack for XP so people were compelled to update, thereby defeating some way pirates were stealing their software.
Actually, no.. I've never heard of that. I also didn't realize that rotten was contagious. That makes sense in hindsight. Thanks for the knowledge. Now I will go off and feel dumb.
The per-year figures for a workstation do not include rebates. That lowers the sum by about $100. Thus, per-year costs are actually lower than $63.
Actually, yes. I realize that you're trying to make a joke (and you succeed hands down, BTW), but the colorful G3 iMacs are fully supported under Panther.
I just upgraded the hard drive in my wife's "Grape" iMac, partially in preparation for Panther (and partially so she can continue ripping her CD collection w/o running out of space).
-Cybrex
Boundless Expansion, Self-Transformation, Dynamic Optimism, Intelligent Technology, Spontaneous Order- BEST DO IT SO!
From a Mac forum @ dslreports:
The attacker needs an account on the system to exploit these unless the system has been deliberately made insecure, as in the case of enabling core files. So if your passwords are secure and not known to untrusted folks, you are OK.
What it is saying is that a non-admin account can overwrite the executable in the Applications folder in some instances (dragging the app off a disk image, or the app shipped with permissions set to allow non-admins to overwrite). Then when the real user executes the altered executable, it executes the attacker's code with admin privileges. It would still need for the real Admin to enter his/her password for the attacker's code to get root. Good ol' OS X.
---
Sounds like FUD to me.
---
and...
MacDailyNews Take: These "security issues" are quite a lot of to-do about virtually nothing. Something smells bad @Stake. You might remember that in late September of this year, Dan Geer, computer security researcher, was dismissed from @Stake for calling "the ubiquity of Microsoft software a hazard to the economy and to national security." The problem for Geer was that @Stake is "a consulting company that works closely with the software giant [Microsoft]," as John Borland reported for CNET News.com.
Apple has posted a security update for both 10.3 and 10.2.8.
The Seventh Rule: Take others more seriously than yourself, particularly when you are leading them.
I didn't RTA or anything, but still:
If true, a big "fuck you" to all those people who said Apple wasn't forcing people into upgrading to 10.3 when the story about 10.3 broke a week or two ago.
With OS 10.3 we expect a few of the "gee whiz" features that will not make it back to the 10.2 experience. While the "security flaws" are a little difficult to get installed in such a way that they are actually flaws... they are still flaws.
The thing that has gotten to me in the near week that OS 10.3 has been out is, there is no Safari 1.1 for Mac OS 10.2.x
Safari is Apple freeware, but if they fixed all the Javascript and many of the issues that plagued the 1.0 release, why not let us 10.2.x users have our fill of it? We want javascript to work for us.
I had a flame... but she had a fire.
"It is not a friendly thing to tell your customers to shell out a lot of money to stay secure," said Thor Larholm, senior researcher for software security firm PivX Solutions. "It would be a dangerous precedent, if they did."
Why? Microsoft does it!
I originally thought this was a very scummy thing, but I spoke to an Apple insider. Security issues in 10.2 will be fixed through the normal issue tracking system. File your reports and they will get repaired in due time.
As seen on Wired: Get a free desktop PC
I honestly don't think that this will remain a problem, Apple has been pretty good about patching things as they come along, but the point of the article is that 10.2 IS vulnerable, with the only protection/patch being an upgrade to Panther.
Life shrinks or expands in proportion to one's courage. - Anais Nin
If it's that obvious then why would Commander Taco have posted this on Slashdot?
If it was just a careless mistake or a lack of fact checking then shouldn't there be an update under the original post saying something like "Ooops. Turns out apple is NOT forcing a Panther upgrade."?
The Engineering Process/Committee at Apple, which previously was the one at NeXT, has a long standing record of supporting earlier versions of their Operating Systems.
More specifically, they also have, in the past, classified a three-tier escalation level of Bug Fix Package Releases.
For mission-critical custom apps which want add-ons to the Operating System, they pay for blanket policy support accounts that get their needs fulfilled.
ATT Wireless was a classic example, and so was Merrill Lynch. They both had custom build fixes that only they held the rights to, until such time in the future when these unique features became features in the present release. Then if it was agreed upon from the client and NeXT earlier versions of the OS got these addon updates.
NeXTAnswers was a great system for information.
Expect Apple to make sure Panther works first and then retro fit Jaguar. I wouldn't expect Puma.
I also don't expect Panther to be the Trojan Horse into the Enterprise. I expect the next major revision, OS X 11.0 to be the first full blown Enterprise targeted (beyond video needs and small/mid web deployment needs) version to do so.
Let's not compare Microsoft. Their current round of security fixes locks my system half-way into the update process, every time. Thankfully, Debian is on a separate partition.
Anti-Mac is Pro-Microsoft? But I'm Anti-Mac and Anti-Microsoft! The conflict is eating my soul!!!
Karma: It's all a bunch of tree-huggin' hippy crap!
Even David Goldsmith seems to believe, based on his comment, that whoever he spoke with at Apple was wrong and that Apple is likely to continue fixing security problems in 10.2. This whole thing is silly.
...it would put the SoCal fires to shame.
How do you spell hypocrisy?
sarchasm: The gulf between the author of sarcastic wit and the person who doesn't get it.
Nonsense. If you actually look up bugtraq reports by @stake, you will see all OS X versions 10.2.8 and below are vulnerable. Here, here and here.
Forever, no, but maybe a bit more than one year? Jaguar (10.2) isn't that old.
I'm still waiting for the patches for DOS 6.22. As far as I know MS haven't released a single security fix for this OS.
Doesn't it make you feel good to know that our freedoms are protected by politicians, lawyers and journalists?
Let me repeat. OS X 10.1 and 10.2 are not vulnerable, so no patch is required.
Does ANYONE read the articles? Apple recently released a security patch for a completely unrelated security issue in 10.3 that does not apply to 10.2, and everyone assumes that's what this is about, even though this article is about three COMPLETELY DIFFERENT security issues that @Stake found in 10.2 that do NOT exist in 10.3 that Apple HAS NOT YET released patches for.
$x='S24;r)>63/* h@<5+oZ)32"5cz';$me='phroggy'x$];
$x=~y+ -xz+\0-Tx+;print$_^chop$me for split'',$x;
Conveniently enough, one of the Apple Senior System Engineers was in town talking with one of my bosses. I had mentioned my concern yesterday to him at a meeting-- I had only time to see headlines at the Inquirer ("13 bugs!") and ZDNet ("No fix!"), but that I didn't know if this was a real panic issue.
Quoth my boss to me in E-mail, "I brought the subject up with the Apple representatives this morning. The response was that they were patching 10.3 first, but that they expected 10.2 to also be patched in a timely way." Which is not unreasonable.
This, combined with the fact that none of these 13 bugs reported allow Remote-Arbitrary-Code-Execution, has me calmed down... for now.
from the article:"David Goldsmith, director of research for @stake, a security company that found four of the vulnerabilities, confirmed that Apple said it wasn't going to patch the flaws in earlier versions of the software. "In my initial conversations with them, they said they weren't going to fix 10.2, but I wouldn't be surprised if they change that," he said. "
The last line above is the most important. If Apple users defend Apple, they're stuck upgrading, and paying the $129. If they complain about it, however, the @stake guy thinks Apple will change its mind. So rather than defending Apple, you should start complaining to Apple, if you want patches to older OSs.
Vote for Pedro
They'll patch it, they patched 10.1.x several times after Jaguar was released.
Not true.
The last Security Update for my 10.1.5 was last March. See here. That is from a similar story on MacSlash a week ago.
The article makes a big to-do about "security enhancements" available in Panther not being released for Jaguar. Well whoop-te-do. Please note, we're not talking about Apple fixing an SSH bug here, we're talking about SYSTEMIC changes to the security model. No rational end user expects the security enhancements Microsoft made to XP to be back ported to 2K or Win98. Same applies here.
Well, yes, flavors of UNIX (including MacOS X) are in general more secure than Windows. UNIX has been playing on the internet for decades and has been the favored OS at computer science schools across the country, where its source code has often been publicly available.
That adds up to a system that's been banged on for a long time. Windows is the new kid on the block internet-wise and MS is finally getting around to understanding security.
(We're not even getting into the issue of who attracts the most creative programmers: MS or the Internet/Open-Source/Hacker crowd.)
Reading the reports, I'd say Apple should fix #1 and #3. I hope they will. But this is not quite anything urgent: the first is an apparent bug if you turn on core files. Well, they are off by default. The second bugtraq has two parts: the first half should be fixed by Apple (changing permissions of dirs when copying between disk images); the second half is not Apple's fault. The argv[] buffer overflow is a stability issue, not a security issue IMHO. And since it's so extremely rare, I don't consider it a big deal.
I think the permission thing is the biggest deal. If you are concerned, you can run these commands:
% find /Applications -type d -perm -002 -print
(the article mentions an autofix with: find /Applications -type d -exec chmod o-w {} \; but this may break apps)
% /usr/sbin/diskutil verifyPermissions $diskname
(where diskname might be / )
This command (available in MacOS x.2 and higher), will compare the permissions to that of the original installer (as stored in /Library/Receipts). To repair, type:
% /usr/sbin/diskutil repairPermissions /
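An added example, not code from the thread, from Apple or from the @stake advisory: a POSIX shell audit of the condition the two permissions posts above describe (the dslreports quote about a non-admin account overwriting an executable inside the Applications folder, and the find/diskutil commands just listed). It extends the one-line find in two ways: it looks at files as well as directories, since a world-writable executable is the case the dslreports post worries about, and its fix touches only the offending paths rather than every directory. GoodApp.app and BadApp.app are constructed names in a temporary directory standing in for /Applications; nothing real is modified.

```shell
#!/bin/sh
# Added example: audit a directory tree for world-writable directories
# and files, the "systemic insecure file permissions" condition the
# thread discusses. Not Apple's code and not the advisory's.

# List every directory or regular file under $1 whose mode grants write
# to "other" (the 002 bit). One path per line, sorted for stable output.
find_world_writable() {
    find "$1" \( -type d -o -type f \) -perm -002 -print 2>/dev/null | sort
}

# Number of such entries, the value a nightly check would alarm on.
count_world_writable() {
    find_world_writable "$1" | wc -l | tr -d ' '
}

# Remediation: drop the "other" write bit only where it is set. Unlike a
# blanket chmod over all of /Applications, paths that were already fine
# are left untouched, so apps relying on their shipped modes keep them.
harden_world_writable() {
    find "$1" \( -type d -o -type f \) -perm -002 -exec chmod o-w {} \; 2>/dev/null
}

# Constructed sample tree (hypothetical bundle names) standing in for
# /Applications. Prints the temporary root so callers can clean it up.
make_sample_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/GoodApp.app/Contents/MacOS" "$root/BadApp.app/Contents/MacOS"
    printf '#!/bin/sh\necho good\n' > "$root/GoodApp.app/Contents/MacOS/GoodApp"
    printf '#!/bin/sh\necho bad\n'  > "$root/BadApp.app/Contents/MacOS/BadApp"
    chmod 755 "$root/GoodApp.app" "$root/GoodApp.app/Contents" \
              "$root/GoodApp.app/Contents/MacOS" "$root/GoodApp.app/Contents/MacOS/GoodApp"
    chmod 755 "$root/BadApp.app" "$root/BadApp.app/Contents"
    # The two defects the dslreports post describes: a directory any local
    # user can write into, and an executable any local user can replace.
    chmod 777 "$root/BadApp.app/Contents/MacOS"
    chmod 777 "$root/BadApp.app/Contents/MacOS/BadApp"
    printf '%s\n' "$root"
}

# Stand-alone run: sh audit.sh --demo  (audit, harden, re-audit)
if [ "${1:-}" = "--demo" ]; then
    tree=$(make_sample_tree)
    echo "World-writable before hardening:"
    find_world_writable "$tree"
    harden_world_writable "$tree"
    echo "World-writable after hardening: $(count_world_writable "$tree")"
    rm -rf "$tree"
fi
```

Run it against a real tree by calling find_world_writable /Applications from a shell that has sourced the file; the audit is read-only, and harden_world_writable is the only function that changes modes. The diskutil verifyPermissions step the post mentions remains the better check for files that ship with a receipt, because it compares against the installer's recorded modes rather than a fixed rule.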
It's $69 for students at my school, according to apple's online store.
If you want to bring academic prices into this argument, MS operating systems like Windows XP Professional and Windows Server 2003 are free to CS students. Same with most other MS products through their MSDN Academic Alliance program. They're really fighting a battle in the academic arena, mostly in response to Linux.
Microsoft provides full support for their products for 5 years after release and business products get an additional 2 years of patches.
Only if you agree to try it yourself.
Because Apple declined to comment, their current intent is not known. If you read the quote from the article:
Note the past tense. The key phrases "initial conversations" and "I wouldn't be surprised if they change that". The lack of any statement as to their current intent from either Mr. Goldsmith or an Apple mouthpiece. In short, a non-story.
You seem to have mistaken my post for a defense of Apple rather than a criticism of yet another sensationalized, moronic article on C|Net.
.sig: file not found
Clearly I have no alternative but to rip all cables from my macs, stuff the offending sockets with wine gums, toss each useless hunk of plastic and silicon into a vat of cement and sit rocking in the corner of my room, tears streaming down my cheeks as the flames slowly engulf a photo of Steve Jobs. Oh, the humanity!
I hate to sound rude but that is just pure BS. A shame to slashdot that you could achieve a +5 for that cr*p. Instead of your generalized disinformation here are the facts: Take a look at CAN-2003-0877. To quote:
Now if the vulnerability only existed in 10.3, how come you are supposed to update to 10.3 in order to fix it?
Now take a look at the Apple Security Updates page. Is the fix for CAN-2003-0877 listed under 10.2.8? No. It's only under 10.3.
Take a look at this comment for more links to vulnerabilities that exist under 10.2 but are only fixed for 10.3.
To all the mods who modded the parent up: Shame on you! It contains not one link to any evidence. A statement like "As others have pointed out..." without any further specification is a generalization and stinks of disinformation.
You're missing a REALLY big point here.
These "security flaws" still leave Jaguar less exposed than any consumer or commercial version of Windows, and on top of that they don't actually require Apple to do anything to fix them... we, the Apple users, have the source code to the underlying OS. If there are real holes that need patching we can do it.
So... you're asking us why we're not bitching and moaning about something that's of vanishingly low importance. Well, there's your answer right there.
You mean like Microsoft not providing the security upgrades in Office 2003 for previous versions of Office? Nah, that'd never happen. Right? Right...?
You'd GFY. I've never paid full retail for any m$ os (nor should anyone w/ half a brain have to). Besides, windows 98/SE/and ME
are a separate upgrade path from NT/2k/and XP/home/pro.
I bought 2k ($120~ish don't remember OEM w/ floppy drive =) for hardware requirement
approx 16~mos later got XP Pro ($130~ish OEM w/ molex pwr connector, see newegg.com's hardware req w/ m$ os purchase) and have been using that since
I'm at about $250 for about 3 years of computing.
I'm not trying to rank on apple but I am saying if you wanna argue that the cost ratio is the same or better for Macs you are mistaken.
I have $1400 into my pc (including monitor and os)
It is like this
2500XP
NF7-S
512 (256x2)corsair DDR3200
ATI 9500pro
3ware escalade 7000 raid controller
2x120GB 180GXP hd's
onboard soundstorm
onboard lan
winXP Pro
19" NEC 991SB monitor
it is considerably cheaper than a mac set would have been, and my video editing results have been stellar w/ my PC
actually I am happy to see you, however that is in fact a banana in my pocket.
As a matter of fact, you DO get the source to the OS, or at least to the part of the OS that's relevant to your 17 MB copies: the microkernel, I/O subsystems and file system code are all available as part of the OpenDarwin project.
You don't even have to pay for the OS to get the source code to it. How generous is that for a commercial Unix vendor?
I'm betting that for all your bleating about source code, you wouldn't have a fucking clue what to do about the problem anyway, because like 99.999% of the world you wouldn't have a clue how to optimize a filesystem or IDE transfer.
Besides, contrary to what you're saying I've found I am easily able to sustain 100Mbit when copying files to and from my PowerBook, which is not bad for a laptop. Perhaps you should look at your samba configuration, or consider using something else for your file transfers if it's going to save you as much time as your concerns indicate.
@stake recently fired their CTO because he had the nerve to suggest that if you don't run entirely Microsoft software, then all your computers might not get infected with the same virus at the same time.
Does this sound like the kind of company that would call up Apple and tell them about a possibly embarrassing security problem, or might they just take the worst possible interpretation of events and present it as fact, purely to stick it to a competitor of their favorite customer?
I'm not 100% sure this is reasonable, and as I have a couple of Beige G3s I'm somewhat concerned, but right now I don't see the evidence that Apple is going to leave Jaguar users in the lurch if there are serious flaws found. It looks to me like a single comment about a single bug is being taken to mean something far more dramatic than it should be.
You are not alone. This is not normal. None of this is normal.
According to Apple: APPLE-SA-2003-10-28 Security Update 2003-10-28. Security Update 2003-10-28 is available. It addresses CAN-2003-0871, a potential vulnerability in the implementation of QuickTime Java in Mac OS X v10.3 and Mac OS X Server v10.3 that could allow unauthorized access to a system. The issue does not exist in earlier versions of Mac OS X or Mac OS X Server.
More info at http://docs.info.apple.com/article.html?artnum=61798
To clear up some general confusion that neither article has understood yet...
1) The most recent apple security update to Panther has nothing to do with the @stake-identified vulnerabilities. It fixes a flaw in Quicktime Java on 10.3 only.
2) True, the @stake vulnerabilities do not affect 10.3. However, this means you cannot say that apple is issuing sec. updates for 10.3 and not 10.2.
3) The @stake vulnerabilities have not been patched yet, but this doesn't mean they won't be. I would expect that apple will have a patch out for these as soon as it's developed and tested.
Nothing to really worry about. Apple releases a major fix for the new point release they just brought around. Sure, it doesn't apply to the older versions; they lacked the features to have bugs in.
Open "about this mac" off the apple menu, then click the "more info" button. The apple system profiler will open, and after a short delay you will get a report that includes the cache size.
Microsoft may provide cost free updates for Windows, but spending time with security updates and viruses takes up a lot of time. So is Windows Update really free? I think not; time is money and I don't want to spend hours on a $300.00 operating system. Please select the following link regarding an article by Walt Mossberg, supporting my view point. http://ptech.wsj.com/archive/ptech-20031023.html
This is all just a bunch of FUD as far as I'm concerned. There was _never_ any official statement from Apple that they weren't going to fix jaguar, only a quote from a guy who may have talked to an Apple janitor for all we know, from a company who fires people for saying Microsoft has security problems. Come on! The title of this whole thread is ridiculous: "Apple forcing upgrade"! There was never a shred of real evidence to the fact. Of course, I suppose in this day and age the standards for evidence for public statements are lower than ever...
Apple's going to patch Jaguar. Details at MacCentral.
Tech Report is full of moronic shit.
See also here. I don't quite know why that guy is offering a prize. It's well understood as coming from the properties of the j-function.
Very briefly: you may have sketched the function y^2=P(x) in your life where P(x) is a cubic. If you allow x and y to be complex numbers you get a 2D surface. That 2D surface is basically a twisted up torus (minus a point or two corresponding to when x and y go to infinity) and the j function gives a way of specifying exactly what torus. It also plays an important role in string theory. But the full explanation of why you get all these near integers is quite long and involved.
Doesn't it make you feel good to know that our freedoms are protected by politicians, lawyers and journalists.
Interesting--thanks!
Well, using your Mac you can host a local website on your desktop, develop PHP code, learn the underpinnings of BSD Unix, muck around with MySQL, do shell-scripting, write cross-platform games in C++ using SDL and OpenGL, etc. ad nauseam.
Having Mac skills now means gaining skills that scale extremely well. My experience playing around with the myriad of technologies and standards provided in Mac OS X has made me highly adaptable and eminently employable.
So take advantage of what's on your desk and develop yourself. You won't regret a second of it.
-- thinkyhead software and media