Slashdot Mirror


Apple Forcing Panther Upgrade for Security Patch

The Raindog writes "I noticed over at Tech Report that Apple is apparently only offering its latest round of OS X security fixes to Panther users, leaving older versions of OS X out in the cold." Update: 10/31 by J: But see the next day's story.

7 of 605 comments

  1. Bugtraq links by chennes · · Score: 5, Informative

    Here are the bugtraq links to the specific vulnerabilities:

    Arbitrary File Overwrite via Core Files
    Systemic Insecure File Permissions
    Long argv[] buffer overflow

    If it is going to be Apple's policy to not provide support for previous operating systems from the day the new one comes out it is going to be very, very difficult for them to break into the enterprise world. Even Microsoft provides support for operating systems for a few years after the new one is released. Maybe if enough people submit a bug report Apple will do something about it.

  2. Possible by mojowantshappy · · Score: 5, Insightful

    Isn't it possible that they just haven't released the 10.2 patch yet?

    --

    This page was generated by a Barrel of Circus Midgets, and that is the way I like it!!!

  3. Re:As a long time Mac user, I'm not surprised. by bizard · · Score: 5, Informative
    I can't remember anytime Apple has ever released an update for a non-current version of MacOS.
    Actually, Apple has been releasing 10.1 security patches all through the 10.2 lifespan. In addition, they have been patching Mac OS 9 as well. This would truly be a change of attitude if it is true, but I imagine there will be enough hue and cry to fix it.
  4. Apple has not made a statement by CraigCourtney · · Score: 5, Insightful

    While this could be true, Apple has not made an official statement that I know of. Someone saying they talked to someone at Apple does not make policy. It is entirely possible that Apple has just concentrated all resources to get Panther out the door. No work was allowed on previous versions until it was done. It is just as plausible as the radical "they won't fix Jaguar." Until Apple states their official policy, people shouldn't fly off the handle.

  5. Fortunately... by ProfessionalCookie · · Score: 5, Insightful

    1. Core Files are disabled by default. So unless you've enabled them you should be ok.

    2. DMG Folder permissions can be a problem but I think the bigger problem is broken permissions on executable program distributions. Publishers and developers aren't using the right permissions.

    3. The buffer overflow crashes the machine but does not dump any sensitive data - no logs, only memory addresses are dumped. This is generally not sensitive information.

    In addition, I think it's kind of lame to say that Apple will not release security updates for 10.2; perhaps they just haven't released them yet. These flaws don't seem to be terribly pertinent since they all require that you already have access to the machine: one of them requires that you dig in and enable core files, another requires insecure app permissions (not Apple's fault) and a trojan, and the last is an overflow which must be within narrow length limits and does not dump sensitive data.

    Panther hasn't even been out a week yet.

  6. Apple is unacceptable as a server provider. by emil · · Score: 5, Insightful
    David Goldsmith, director of research for @stake, a security company that found four of the vulnerabilities, confirmed that Apple said it wasn't going to patch the flaws in earlier versions of the software.

    "In my initial conversations with them, they said they weren't going to fix 10.2, but I wouldn't be surprised if they change that," he said.

    Such a statement, apparently confirmed by Apple, will keep Mac OS X out of any server applications. Just imagine Sun saying something similar.

    Since Oracle server is out for OS X, I had been thinking about Macs for certain server applications.

    At home, I have both an iMac and a beige G3. My beige G3 is not supported under 10.3; according to Apple I cannot upgrade (until xpostfacto gets through with them). Apple just tried to put a gun to my machine's head and pull the trigger.

    Because they are dropping hardware in 10.3, they need to support 10.2 indefinitely.

    I am not amused.

  7. What's with the Enterprise by thatguywhoiam · · Score: 5, Funny
    All over this thread, I keep seeing comments like:

    But Apple's really going to have to get their sh1t together on this - or they'll never be taken seriously in the Enterprise.

    WTF is it with you geeks and Star Trek? Listen carefully: IT'S NOT REAL, IT'S JUST A SHOW. Why, the Starfleet or whatever would no more use Apple Computers on the Enterprise than any modern PC, the whole idea is abs--

    MAN TAPS NARRATOR ON SHOULDER, WHISPERS URGENTLY

    ....Ah. I see.

    Er, carry on.

    --
    If Jesus wants me it knows where to find me.