Apple Forcing Panther Upgrade for Security Patch
The Raindog writes "I noticed over at Tech Report that Apple is apparently only offering its latest round of OS X security fixes to Panther users, leaving older versions of OS X out in the cold." Update: 10/31 by J: But see the next day's story.
I thought only windows was insecure...
Thanks to file sharing, I purchase more CDs
Thanks to the RIAA, I buy them used...
1) Stupid of Apple, if true; part of the appeal is the lower number of problems OSX has vs Windows.
2) They'll probably have a patch in a few days. If they're smart.
Napster-to-go says "Fill and refill your compatible MP3 player", which is a lie. It's not MP3. It's WMA with DRM.
Meanwhile at Microsoft HQ...
Gates: Damnit! Apple stole our idea to no longer support old versions of Operating Systems and force everyone to upgrade! Lawyer #1, isn't that illegal? Let's get a suit together!
Here are the bugtraq links to the specific vulnerabilities:
Arbitrary File Overwrite via Core Files
Systemic Insecure File Permissions
Long argv[] buffer overflow
If it is going to be Apple's policy to not provide support for previous operating systems from the day the new one comes out it is going to be very, very difficult for them to break into the enterprise world. Even Microsoft provides support for operating systems for a few years after the new one is released. Maybe if enough people submit a bug report Apple will do something about it.
Did MS buy Apple when I wasn't paying attention?
I remember how people reacted when they found out that Microsoft was going to stop patching Win98. At least they had the decency to wait 5 years. OSX is a really new product, why would they stop putting patches out so soon?
"You didn't pay up when we wanted to, and so now you're screwed."
How much of this attitude until you're paying for each security update? I'm sure MS would love it if they could get away with it. A steady waterfall of cash.
I'm sure there'll be enough of an outcry to fix this behavior. I can't imagine people would tolerate this kind of BS for long.
~D
This sig has been enciphered with a one-time pad. It could say almost anything.
If MS did this, the /. crowd would scream bloody murder (hell, they have... and y'all have.) But you know Apple apologists are going to have some reason why this is OK for them to do, and try to make it out like Apple is still the good guy, no matter what.
Don't get me wrong, I love my Macs, they're all I use, but Apple fanboys make me ill.
My sig is blank, I typed this by hand.
I'm no expert. But is there a possibility that it is only possible to patch this security hole on Panther?
In US, you can easily buy enough major firearms to wipe out your neighbourhood but a few little fireworks are banned.
While Apple no longer releases point releases on prior releases of OS X, they DO release Security Releases. I think we all need to give them some time to finish the patch and post the update. Apple has *never* left users out in the dark, especially with recent releases (i.e. 10.2, 10.1). I know several users who are still using 10.1 and have received several security patches.
... and I was gonna boycott Panther until they added an 'up' button to the Finder. Oh, well..
Isn't it possible that they just haven't released the 10.2 patch yet?
This page was generated by a Barrel of Circus Midgets, and that is the way I like it!!!
of screwing its own customers. I learned that well -- I bought a @&#* Newton.
Some third party news site is making a claim that apple didn't have a comment in and we are supposed to take that to mean that it is true?
Apple isn't stupid, there will be patches, and if there won't, then wait until they release something about it before you start burning them in effigy.
Glad to finally find out who believes all of the things in the tabloids.
But they will, they copy most things Apple do.
In other news, it should come as no surprise to anyone that a computer has a potential security flaw. Does it have a keyboard? What's that? It does have a keyboard! Why, someone could just walk in and START ACCESSING YOUR COMPUTER by simply typing on it.
On the upside, the amount of skr1p7 kiddies who are likely to find Mac exploits and use them are surprisingly small. They're more apt to want to break into Windows machines because 1) it's easier 2) it's more well-documented and 3) what they want to break in to (a friend's computer, school computers, etc) probably run Windows, statistically speaking.
IAALS.
This is a typical Apple bluff. Of course they want everyone to upgrade (and pay $129 yet again), and hope to encourage users to do so with new features (such as the drool-worthy Expose). Apple has many times tried to cut off support for earlier version of an OS and had to eventually relent. Sometimes it takes a lawsuit for them to do so. OS X is just getting some great press so it would be very damaging if the bad press from this decision serves to highlight a security vulnerability in what is otherwise being lauded as much more secure by design than any flavor of Windows. Expect Apple to quietly issue a patch for 10.2.
This bug was found and reported on three days ago. I don't think Apple has issued a statement saying they will or will not release a patch. Everyone seems to be acting like there will be no patch like Apple has issued a statement to that effect.
Let's not get too pissy yet.
One of these days one of them is going to get seriously taken to court over this.
Either that, or the government is eventually going to have to get sw publishers to provide a warranty for their sw, like all other goods are forced to have. I guess it's just up to us to stop settling for defective sw.
From TFA: Other vulnerabilities could allow a local or remote user to crash the system.
Lol, I'd love to see the patch they came up with for preventing a local user from crashing the system.
-You may license this sig for only $6.99.
Whoa, slow down - Apple has not said they aren't going to support 10.2 Jaguar. I'd be willing to bet they simply released the Panther patch first.
That's so wrong that I have a hard time believing that this is actually Apple's position. I expect that we'll hear from Apple shortly, and they will clarify their position -- that the patches for 10.2 will be out Real Soon Now.
But if not, Apple's going to get a lot of bad PR from this.
Easy, automatic testing for Perl.
I just looked at the BUGTRAQ mailings, and I get the impression that you need physical access to the computer to break in to it. Have I got that right? I'm no expert, but I've always assumed that given physical access to a computer, a decent hacker could easily have their evil way with it. Of course that doesn't excuse Apple's failure to provide a patch and their rather glib upgrade suggestions.
after OS X was released OS 9 was given a final patch 9.2.2 ...
MABASPLOOM!
While this could be true, Apple has not made an official statement that I know of. Someone saying they talked to someone at Apple does not make policy. It is entirely possible that Apple has just concentrated all resources to get Panther out the door. No work was allowed on previous versions until it was done. It's just as plausible as the radical claim that they won't fix Jaguar. Until Apple states their official policy people shouldn't fly off the handle.
Some third party news site is making a claim that apple didn't have a comment in and we are supposed to take that to mean that it is true?
Maybe you should try reading the article. And maybe moderators should, too, before modding up your comment.
Relevant section of article below, because you're too lazy to click a link:
Apple declined comment.
David Goldsmith, director of research for @stake, a security company that found four of the vulnerabilities, confirmed that Apple said it wasn't going to patch the flaws in earlier versions of the software.
"In my initial conversations with them, they said they weren't going to fix 10.2, but I wouldn't be surprised if they change that," he said.
"Security Update 2003-10-28 addresses a potential vulnerability in the implementation of QuickTime Java in Mac OS X v10.3 and Mac OS X Server v10.3 that could allow unauthorized access to a system."
So it seems that only Panther is vulnerable, and there is no need to release a patch for 10.2.x and 10.1.x.
not only have there been updates to 10.1 and 10.2, there have historically been updates on 'less-than-newest' MacOS versions.
quick, what was the version of system software immediately before the release of 7.0?
6.0.7. System 7 was released after 6.0.7 and 6.0.8 was released AFTER System 7. When MacOS X came out, how many updates were there to 9.x?
neopets.com
Is a rabidly pro-Microsoft and anti-Mac site. Just check the tone of previous stories.
You can't believe everything you read on the 'net!
Bad analogies are like waxing a monkey with a rainbow.
"'In my initial conversations with them, they said they weren't going to fix 10.2, but I wouldn't be surprised if they change that,' he said."
"'...this is the first time they have hinted that they will not be supporting any particular OS X version for more than that year...'"
Though Apple has been slow in providing updates to fully support their hardware in OS X (e.g. the ATI driver issue), this story is based on speculation on the part of the people interviewed. Also, there is no comment from Apple, so much for quality journalism.
From the site at @stake....
Release: 10.28.03
Name: Long argv[] Buffer Overflow
Application: Mac OS X
Platforms: Mac OS X 10.2.8 and below
Severity: Attacker can crash Mac OS X and possibly execute commands as root
Author: Matt Miller and Dave G.
Overview: It is possible to cause the Mac OS X kernel to crash by specifying a long command line argument. While this primarily affects local users there may be conditions where this situation is remotely exploitable if a program which receives network input spawns another process with user input. It is possible to use this condition to dump small portions of memory back to an attacker.
Release: 10.28.03
Name: Systemic Insecure File Permissions
Application: Finder (and many others)
Platforms: Mac OS X 10.2.8 and below
Severity: High
Author: Dave G.
Overview: Many applications are installed onto Mac OS X systems with insecure file permissions. This is due to two distinct classes of problems:
A security issue regarding DMG files managed by Mac OS X
Insecure file permissions packaged by different vendors
The result is that many of the files and directories that compose various applications are globally writable. This allows attackers with filesystem access to an OS X machine to replace binaries and obtain additional privileges from unsuspecting users, who may run the replaced version of the binary.
Release: 10.28.03
Name: Arbitrary File Overwrite via Core Files
Application: Kernel
Platforms: Mac OS X 10.2.8 and below
Severity: High
Author: Dave G.
Overview: In the event a system is running with core files enabled, attackers with interactive shell access can overwrite arbitrary files, and read core files created by root owned processes. This may result in sensitive information like authentication credentials being compromised.
Yeah, they're bugs, and yeah, it's possible. But don't these phrases kinda limit the scope?
"While this primarily affects local users"
"This allows attackers with filesystem access"
"attackers with interactive shell access"
So to me this doesn't mean the end of the world, or that all my data is wide open and exploitable from the public internet. I'm guessing they'll patch it when they can, and the fact that it's patched in X.3 probably means they're using a different release of the software in question that is inherently invulnerable to these issues.
The same security company who recently fired an employee for publishing a paper saying Windows is insecure because it could damage the company's relationship with Microsoft has now identified three security issues in Mac OS X 10.2, which do not exist in 10.3. They made this announcement two days ago, and people are screaming that Apple is screwing their customers because they haven't released a patch within two days. Because 10.3 is not affected by these issues, upgrading to 10.3 would be one solution. Another solution would be to wait until Apple develops and tests a security patch for 10.2, which will probably take them about a week.
Remember that when security issues are found in Microsoft products, Microsoft is usually notified in secret months before the issue is made public, so that they have time to develop a patch.
Summary of the first issue: a user could:
a) turn on core files, so when a process crashes it will dump core to a world-writable directory
b) mount a disk image (or presumably any other writable filesystem such as an SMB mount)
c) make a symlink in the cores directory with a particular PID in the filename, pointing to an empty file on the mounted filesystem
d) cause that particular process, which could be owned by root, to crash, overwriting the file that was linked to
e) read the resulting core file
Or skip steps b and e, and just use it as a DoS to overwrite something important, but unless you've hacked OpenFirmware to prevent booting into single-user mode or booting from CD, anyone with physical access to the machine can do this anyway.
$x='S24;r)>63/* h@<5+oZ)32"5cz';$me='phroggy'x$];
$x=~y+ -xz+\0-Tx+;print$_^chop$me for split'',$x;
From http://lists.apple.com/archives/security-announce/2003/Oct/28/applesa20031028securityu.txt (login: archives, password: archives):
>The issue does not exist in earlier versions of Mac OS X or Mac OS X Server.
-- Charles A. Plater
Give it a day or two. Apple has not said that they won't be issuing the patch for Jaguar, they merely haven't released it yet. In all likelihood, a Jaguar patch will follow.
If memory serves, they continued to issue security patches for 10.1 after Jaguar was released. I see no reason why they'd choose to alienate their customers by not doing the same for Jaguar now that Panther's out in the wild.
Journalistic integrity on Slashdot? Yeah, I'm asking a bit much.
This is a 10.3 only problem and the writeup on this topic needs to be fixed. Jesus, look at the people who came out looking for an excuse to bash.
Unlike MS, Apple doesn't have such a gigantic installed base of, say, 8.6 users compared to Win95/98 in the MS world.
If MS said, "We're scrapping the Windows kernel and writing a new Unix-based OS (Is that a pig that just flew by?), MS would try to drop support for the old Windows, to get developers, users, and enterprises all using the same software.
Is this a good idea? Sure, if you are the maker of the software - fewer bugs, exploits and versions to support and fix. If you're a user of the software, it would suck - buy (licence :( new software, try and get old files to work with new programs, loss of hardware investment. Change happens, especially in the computer industry.
One reason I doubt that Apple will stop releasing patches for pre-Panther is on the Xtools developers' disk. There is an option to install compilers? for 10.x thru Panther. It wouldn't stand to reason that Apple would kill support for pre-Panther and include tools to develop for the older versions.
My two cents.
So, you mean that a vulnerability in 10.3 has to exist in 10.2?
It's not at all possible that with new functionality comes new bugs?
The very title of this story indicates a lack of proper investigative journalism. Of course, this is /., so I'm not at all surprised.
Raptor
"Procrastination is great. It gives me a lot more time to do things that I'm never going to do."
1. Core Files are disabled by default. So unless you've enabled them you should be ok.
2. DMG Folder permissions can be a problem but I think the bigger problem is broken permissions on executable program distributions. Publishers and developers aren't using the right permissions.
3. The buffer overflow crashes the machine but does not dump any sensitive data- no logs only memory addresses are dumped. This is generally not sensitive information.
In addition I think it's kind of lame to say that Apple will not release security update for 10.2 perhaps they just haven't released them yet. These flaws don't seem to be terribly pertinent since they all require that you already have access to the machine, one of them requires that you dig in and enable core files another requires insecure app permissions (not Apple's fault) and a trojan and the last is an overflow which must be within narrow length limits and does not dump sensitive data.
Panther hasn't even been out a week yet.
Such a statement, apparently confirmed by Apple, will keep Mac OS X out of any server applications. Just imagine Sun saying something similar.
Since Oracle server is out for OS X, I had been thinking about Macs for certain server applications.
At home, I have both an iMac and a beige G3. My beige G3 is not supported under 10.3; according to Apple I cannot upgrade (until xpostfacto gets through with them). Apple just tried to put a gun to my machine's head and pull the trigger.
Because they are dropping hardware in 10.3, they need to support 10.2 indefinitely.
I am not amused.
The problem only appears to apply to Panther. The version of QuickTime in Panther appears to be 6.4. According to this TechNote:
9 34 14
http://docs.info.apple.com/article.html?artnum=
QuickTime 6.4 for Jaguar (10.2) doesn't include QuickTime Java support.
I will make the leap that a) a fix is effectively in place for Jaguar (no support for vulnerable software) and b) the issue doesn't exist in versions of QuickTime's Java support prior to 6.4.
If all of the above is true, this is simply a big, fat FUD piece.
--fp
I'm reminded of a battered wife who will never leave her husband despite getting beaten again and again.
A few people point out that there's no evidence to support the story yet, and you're reminded of a battered wife? I bet every time you stub your toe, you're reminded of the Hindenburg. Oh, the humanity!
But Apple's really going to have to get their sh1t together on this - or they'll never be taken seriously in the Enterprise.
WTF is it with you geeks and Star Trek? Listen carefully: IT'S NOT REAL, IT'S JUST A SHOW. Why, the Starfleet or whatever would no more use Apple Computers on the Enterprise than any modern PC, the whole idea is abs--
MAN TAPS NARRATOR ON SHOULDER, WHISPERS URGENTLY
Er, carry on.
If Jesus wants me it knows where to find me.
Or are we all going based on the assumption that since there is a Panther patch and there isn't yet a Jaguar patch that none is forthcoming?
If I were running a company I'd patch my new product and test that before I worried about patching my legacy products.
As a long-time Mac user, I'm surprised at all the FUD flying around in this discussion. I remember Apple releasing OS 9 updates long after 10.1 was released. I'm still running 10.1.x at work and it's been patched many times since 10.2 came out. Has anyone from Apple actually said anything in the REAL press about not supporting 10.2 anymore? Relax, people! Of course they will patch 10.2, I'm sure a large majority of their guys are still working on 10.3 so it happened first. Breathe. Exhale. Repeat.
This article helps put this FUD into perspective. Apple bashers need not read it, since they've already made up their minds.
Most of it only speculates as to Apple's intent. Here is the only part relevant to their actual intent:
Apple declined comment.
Sure, they should have pronounced their intent to fix the problems but they have certainly NOT stated that the intent is to leave 10.2.x unpatched.
The article is a bit misleading, as well. For instance, it fails to note that the @stake advisory in question (core files can be used to overwrite arbitrary files) pertains to a facility that is disabled in all Apple-supplied 10.2 installations.
In short, they should fix it. Soon. They haven't said they won't, though, and it's been *almost* two days. I'm taking a "wait and see" approach on this one.
.sig: file not found
At least wait a week or so before posting something this absurd. I'm pretty damn sure Apple was planning on patching 10.2 sooner or later, but they just got around to 10.3 first.
Or maybe they just wanted to test 10.2 a bit more since it is more likely to be used in production than the week-old 10.3. Either way, it is a bit of a stretch to say that Apple has massively changed their patching policy just because one patch is a bit later than some would like. Quite the big accusation; quite little evidence.
In the end, Apple gets all this negative publicity on Slashdot for no reason at all. I guess MS gets that a lot on here, but I'd expect us to be a bit kinder to our UNIX brothers.
Apple has posted a security update for both 10.3 and 10.2.8.
The Seventh Rule: Take others more seriously than yourself, particularly when you are leading them.
I honestly don't think that this will remain a problem, Apple has been pretty good about patching things as they come along, but the point of the article is that 10.2 IS vulnerable, with the only protection/patch being an upgrade to Panther.
Life shrinks or expands in proportion to one's courage. - Anais Nin
Nonsense. If you actually look up bugtraq reports by @stake, you will see all OS X versions 10.2.8 and below are vulnerable. Here, here and here.
Let me repeat. OS X 10.1 and 10.2 are not vulnerable, so no patch is required.
Does ANYONE read the articles? Apple recently released a security patch for a completely unrelated security issue in 10.3 that does not apply to 10.2, and everyone assumes that's what this is about, even though this article is about three COMPLETELY DIFFERENT security issues that @Stake found in 10.2 that do NOT exist in 10.3 that Apple HAS NOT YET released patches for.
I hate to sound rude but that is just pure BS. A shame to slashdot that you could achieve a +5 for that cr*p. Instead of your generalized disinformation here are the facts: Take a look at CAN-2003-0877. To quote:
Now if the vulnerability only existed in 10.3, how come you are supposed to update to 10.3 in order to fix it?
Now take a look at the Apple Security Updates page. Is the fix for CAN-2003-0877 listed under 10.2.8? No. It's only under 10.3.
Take a look at this comment for more links to vulnerabilities that exist under 10.2 but are only fixed for 10.3.
To all the mods who modded the parent up: Shame on you! It contains not one link to any evidence. A statement like "As others have pointed out..." without any further specification is a generalization and stinks of disinformation.
When choosing a corporate platform, we don't just consider the QuickTime Java patch, we talk about hypothetical situations. This is done by asking "What would we do if..." In this case, we could not buy from a vendor that only fixes the current release and will not publish a road-map detailing availability policy for future security patches. Microsoft typically publishes security patches for free for about 5 years, until the OS is end-of-life'd.
Now, Jaguar is currently using older versions of the following:
OpenSSH
Apache
OpenSSL
Samba
The Kernel
Security concerns will be found and have been found that affect both Panther and Jaguar, because they are using duplicate code in much of their software.
And by the way, if you read the article you would see that. It clearly states that @stake found vulnerabilities in Jaguar that Apple said they do not intend to patch:
You could also try reading Apple Security Updates to see what the concern is about. In the FCS Panther release, Apple fixed many vulnerabilities that still exist in 10.2.8.
Like I said, I love my Macs, but they're home behind a firewall where internal security and unauthorised users are not such a big concern. I cannot bring them into the corporate world until we get some assurances that the OS will receive security patches for longer than one year.