Slashdot Mirror
Apple Forcing Panther Upgrade for Security Patch
The Raindog writes "I noticed over at Tech Report that Apple is apparently only offering its latest round of OS X security fixes to Panther users, leaving older versions of OS X out in the cold. " Update: 10/31 by J : But see
the next day's story.
1) Stupid of Apple, if true; part of the appeal is the lower number of problems OSX has vs Windows.
2) They'll probably have a patch in a few days. If they're smart.
Napster-to-go says "Fill and refill your compatible MP3 player", which is a lie. It's not MP3. It's WMA with DRM.
Meanwhile at Microsoft HQ...
Gates: Damnit! Apple stole our idea to no longer support old versions of Operating Systems and force everyone to upgrade! Lawyer #1, isn't that illegal? Let's get a suit together!
Here are the bugtraq links to the specific vulnerabilities:
Arbitrary File Overwrite via Core Files
Systemic Insecure File Permissions
Long argv[] buffer overflow
If it is going to be Apple's policy to not provide support for previous operating systems from the day the new one comes out it is going to be very, very difficult for them to break into the enterprise world. Even Microsoft provides support for operating systems for a few years after the new one is released. Maybe if enough people submit a bug report Apple will do something about it.
Did MS buy Apple when I wasn't paying attention?
I'm no expert. But is there a possibility that it is only possible to patch this security hole on Panther?
In US, you can easily buy enough major firearms to wipe out your neighbourhood but a few little fireworks are banned.
While Apple no longer releases point releases on prior releases of OS X, they DO release Security Releases. I think we all need to give them some time to finish the patch and post the update. Apple has *never* left users out in the dark, especially with recent releases (i.e. 10.2, 10.1). I know several users who are still using 10.1 and have received several security patches.
... and I was gonna boycott Panther until they added an 'up' button to the Finder. Oh, well..
Isn't it possible that they just haven't released the 10.2 patch yet?
This page was generated by a Barrel of Circus Midgets, and that is the way I like it!!!
Some third party news site is making a claim that apple didn't have a comment in and we are supposed to take that to mean that it is true?
Apple isn't stupid, there will be patches, and if their won't then wait until they release something about it before you start burning them in efigy.
Glad to finally find out who beleives all of the things in the tabloids
This bug was found and reported on three days ago. I don't think Apple has issued a statement saying they will or will not release a patch. Everyone seems to be acting like there will be no patch like Apple has issued a statement to that effect.
Let's not get too pissy yet.
Whoa, slow down - Apple has not said they aren't going to support 10.2 Jaguar. I'd be willing to bet they simply released the Panther patch first.
" If MS did this, the /. crowd would scream bloody murder (hell, they have... and y'all have.) But you know Apple apologists are going to have some reason why this is OK for them to do, and try to make it out like Apple is still the good guy, no matter what.
Don't get me wrong, I love my Macs, they're all I use, but Apple fanboys make me ill."
I see this argument on slashdot all the time. It does not work. It seems to follow some of the worse arguments in popular culture. Basically it claims that since Slashdot readers take a particular position about software, they are biased and can't possibly be doing so because they have good reason to.
This is a bad argument. If you think a particular post ignores facts and make poor arguments, point them out. Don't just yell "BIAS" as a blanket acusation against every future post that expresses the position that this is not as bad as it seems. If you think the moderation system is biased, I suggest you provide evidence showing particular posts of high quality being ignored and low quality advance to an extent that you can establish their is a systemic process going on here.
Just because people here seem to currently prefer OS X to XP does not mean everything they say can be ignored under the all encompasing label of bias. Please, provide arguments, not unsuported assertions.
The preceding passage has been checked for spelling, you will find no sentence without at least one mis spelled word
While this could be true, Apple has not made an official statement that I know of. Some one saying they talked to some one at apple does not make policy. It is entirley possible that Apple has just concentrated all resources to get Panther out the door. No work was allowed on previous versions until it was done. It just as plausible as the radical they won't fix Jaguar. Until Apple states their official policy people shouldn't fly off the handle.
- Apple has not yet released security fixes for 10.2
- Apple have not officially stated that they are not going to.
- Someone claims that Apple told him that they would not support 10.2
It seems a little early to be jumping to the conclusion that they will not support an OS a week after releasing the successor. To do so would be incredibly stupid, and I find it hard to imagine that Apple would intentionally shoot themselves in the foot like this.I am TheRaven on Soylent News
Some third party news site is making a claim that apple didn't have a comment in and we are supposed to take that to mean that it is true?
Maybe you should try reading the article. And maybe moderators should, too, before modding up your comment.
Relevant section of article below, because you're too lazy to click a link:
Apple declined comment.
David Goldsmith, director of research for @stake, a security company that found four of the vulnerabilities, confirmed that Apple said it wasn't going to patch the flaws in earlier versions of the software.
"In my initial conversations with them, they said they weren't going to fix 10.2, but I wouldn't be surprised if they change that," he said.
"Security Update 2003-10-28 addresses a potential vulnerability in the implementation of QuickTime Java in Mac OS X v10.3 and Mac OS X Server v10.3 that could allow unauthorized access to a system."
So it seems that only Panther is vulnerable, and there is no need to release a patch for 10.2.x and 10.1.x.
Is a rabidly pro-Microsoft and anti-Mac site. Just check the tone of previous stories.
You can't believe eveything you read on the 'net!
Bad analogies are like waxing a monkey with a rainbow.
From the site at @stake....
Release: 10.28.03
Name: Long argv[] Buffer Overflow
Application: Mac OS X
Platforms: Mac OS X 10.2.8 and below
Severity: Attacker can crash Mac OS X and possibly execute commands as root
Author: Matt Miller and Dave G.
Overview: It is possible to cause the Mac OS X kernel to crash by specifying a long command line argument. While this primarily affects local users there may be conditions where this situation is remotely exploitable if a program which receives network input spawns another process with user input. It is possible to use this condition to dump small portions of memory back to an attacker.
Release: 10.28.03
Name: Systemic Insecure File Permissions
Application: Finder (and many others)
Platforms: Mac OS X 10.2.8 and below
Severity: High
Author: Dave G.
Overview: Many applications are installed onto Mac OS X systems with insecure file permissions. This is due to two distinct classes of problems:
A security issue regarding DMG files managed by Mac OS X
Insecure file permissions packaged by different vendors
The result is that many of the files and directories that compose various applications are globally writable. This allows attackers with filesystem access to an OS X machine to replace binaries and obtain additional privileges from unsuspecting users, who may run the replaced version of the binary.
Release: 10.28.03
Name: Arbitrary File Overwrite via Core Files
Application: Kernel
Platforms: Mac OS X 10.2.8 and below
Severity: High
Author: Dave G.
Overview: In the event a system is running with core files enabled, attackers with interactive shell access can overwrite arbitrary files, and read core files created by root owned processes. This may result in sensitive information like authentication credentials being compromised.
Yeah, they're bugs, and yeah, it's possible. But don't these phrases kinda limit the scope?
"While this primarily affects local users"
"This allows attackers with filesystem access"
"attackers with interactive shell access"
So to me this doesn't mean the end of the world, or that all my data is wide open and exploitable from the public internet. I'm guessing they'll patch it when they can, and the fact that it's patched in X.3 probably means they're using a different release of the software in question that is inherently invulnerable to these issues.
The same security company who recently fired an employee for publishing a paper saying Windows is insecure because it could damage the company's relationship with Microsoft has now identified three security issues in Mac OS X 10.2, which do not exist in 10.3. They made this announcement two days ago, and people are screaming that Apple is screwing their customers because they haven't released a patch within two days. Because 10.3 is not affected by these issues, upgrading to 10.3 would be one solution. Another solution would be to wait until Apple develops and tests a security patch for 10.2, which will probably take them about a week.
Remember that when security issues are found in Microsoft products, Microsoft is usually notified in secret months before the issue is made public, so that they have time to develop a patch.
Summary of the first issue: a user could:
a) turn on core files, so when a process crashes it will dump core to a world-writable directory
b) mount a disk image (or presumably any other writable filesystem such as an SMB mount)
c) make a symlink in the cores directory with a particular PID in the filename, pointing to an empty file on the mounted filesystem
d) cause that particular process, which could be owned by root, to crash, overwriting the file that was linked to
e) read the resulting core file
Or skip steps b and e, and just use it as a DoS to overwrite something important, but unless you've hacked OpenFirmware to prevent booting into single-user mode or booting from CD, anyone with physical access to the machine can do this anyway.
$x='S24;r)>63/* h@<5+oZ)32"5cz';$me='phroggy'x$];
$x=~y+ -xz+\0-Tx+;print$_^chop$me for split'',$x;
From http://lists.apple.com/archives/security-announce/ 2003/Oct/28/applesa20031028securityu.txt (login: archives password:archives):
>The issue does not exist in earlier versions of Mac OS X or Mac OS X Server.
-- Charles A. Plater
This is a 10.3 only problem and the writeup on this topic needs to be fixed. Jesus, look at the people who came out looking for an excuse to bash.
So, you mean that a vulnerability in 10.3 has to exist in 10.2?
/., so I'm not at all surprised.
It's not at all possible that with new functionality comes new bugs?
The very title of this story indicates a lack of proper investigative journalism. Of course, this is
Raptor
"Procrastination is great. It gives me a lot more time to do things that I'm never going to do."
1. Core Files are disabled by default. So unless you've enabled them you should be ok.
2. DMG Folder permissions can be a problem but I think the bigger problem is broken permissions on executable program distributions. Publishers and developers aren't using the right permissions.
3. The buffer overflow crashes the machine but does not dump any sensitive data- no logs only memory addresses are dumped. This is generally not sensitive information.
In addition I think it's kind of lame to say that Apple will not release security update for 10.2 perhaps they just haven't released them yet. These flaws don't seem to be terribly pertinent since they all require that you already have access to the machine, one of them requires that you dig in and enable core files another requires insecure app permissions (not Apple's fault) and a trojan and the last is an overflow which must be within narrow length limits and does not dump sensitive data.
Panther hasn't even been out a week yet.
The Beige G3 is a 6 year old computer. Think about that for a minute...
Such a statement, aparently confirmed by Apple, will keep Mac OS X out of any server applications. Just imagine Sun saying something similar.
Since Oracle server is out for OS X, I had been thinking about Macs for certain server applications.
At home, I have both an iMac and a beige G3. My beige G3 is not supported under 10.3; according to Apple I cannot upgrade (until xpostfacto gets through with them). Apple just tried to put a gun to my machine's head and pull the trigger.
Because they are dropping hardware in 10.3, they need to support 10.2 indefinately.
I am not amused.
I'm reminded of a battered wife who will never leave her husband despite getting beaten again and again.
A few people point out that there's no evidence to support the story yet, and you're reminded of a battered wife? I bet every time you stub your toe, you're reminded of the Hindenburg. Oh, the humanity!
But Apple's really going to have to get their sh1t together on this - or they'll never be taken seriously in the Enterprise.
WTF is it with you geeks and Star Trek? Listen carefully: IT'S NOT REAL, ITS JUST A SHOW. Why, the Starfleet or whatever would no more use Apple Computers on the Enterprise than any modern PC, the whole idea is abs--
MAN TAPS NARRATOR ON SHOULDER, WHISPERS URGENTLY
Er, carry on.
If Jesus wants me it knows where to find me.
This article helps put this FUD into perspective. Apple bashers need not read it, since they've already made up their minds.
Most of it only speculates as to Apple's intent. Here is the only part relevant to their actual intent:
Apple declined comment.
Sure, they should have pronounced their intent to fix the problems but they have certainly NOT stated that the intent is to leave 10.2.x unpatched.
The article is a bit misleading, as well. For instance, it fails to note that the @stake advisory in question (core files can be used to overwrite arbitrary files) pertains to a facility that is disabled in all Apple-supplied 10.2 installations.
In short, they should fix it. Soon. They haven't said they won't, though, and it's been *almost* two days. I'm taking a "wait and see" approach on this one.
.sig: file not found
Apple has posted a security update for both 10.3 and 10.2.8.
The Seventh Rule: Take others more seriously than yourself, particularly when you are leading them.