Apple to Fix Security Holes in Jaguar
Simon Cozens writes "Yesterday's unsubstantiated report that Apple is refusing to supply security upgrades to Jaguar turns out to be untrue; Apple told MacCentral they will be fixing the bugs turned up by @stake. Next conspiracy, please!"
However, the story makes reference to Jaguar specifically, but what about OS X releases before that?
Now the real question is whether they told @stake they weren't going to fix them and changed their mind afterward because of all the talk about it. It is as wrong to assume they were always going to fix it as it is to assume they weren't going to fix it. I would tend to believe they told @stake that, and then when word got out and everyone screamed, they changed their minds right quick.
"Information wants to be expensive" - Stewart Brand, the same guy who said "Information wants to be free"
Mac fans can't win on these stories. First an alarmist article claiming that they are "forcing" paid upgrades by not fixing security holes in existing systems. Hundreds of Apple-bashing posts later, it comes out that they are indeed patching the existing systems. You come on here to point this out and say "see? They ARE fixing it!" and someone comes behind you and says "big fucking deal! this is what everyone else would do!"
Following Apple-related discussions on Slashdot is like riding on a bus with no steering: it careens onto the right shoulder, heads back toward the middle, only to screech onto the left shoulder, back toward the middle...
You like your Macintosh better than me, don't you Dave? Dave? Can you hear me Dave?
According to this advisory at @stake, they have at least once withheld release of a vulnerability until affected systems could be patched. This paragraph kinda sums it up:
Due to the severity of this vulnerability @stake has confirmed that they will not be releasing this information publicly on their research page (http://www.atstake.com/research/) until Nokia has confirmed that all affected operators have fully patched and tested all affected elements. However @stake would ideally like to release this information no later than 1st June 2003.
So it does seem a little childish to just jump out and announce a vulnerability to the world.... My guess (yeah, it's just the little scenario I've worked up in my mind) is that @stake wanted to "work with Apple" and release a joint press-release type scenario on squashing a vulnerability. Apple of course doesn't want to give credit to anyone for anything (not trolling, just stating an observation), and refuses the offer. @stake gets pissed and blares this up and down the board, issuing press releases, contacting specific non-Apple-loving reporters, etc. You know why I think this? From the same advisory linked above is this self-serving text:
@stake worked with Nokia to ensure that all affected operators were informed and upgraded and only after this time did @stake agree to release this information to the public.
Do you really think that Nokia let @stake get into their code, make security changes, and essentially be a full partner in the effort to crush this vulnerability? I don't.
According to David Goldsmith of @Stake, "In my initial conversations with them [Apple], they said they weren't going to fix 10.2, but I wouldn't be surprised if they change that."
In other words, this isn't just some sort of overblown speculation run amok. Apple did initially tell security experts they didn't plan to patch Jaguar. That was a stupid plan, and even the security experts didn't expect that to last, but that doesn't change the fact that someone from Apple did claim Jaguar wouldn't be patched.
What I find amusing is the fact that Apple zealots are using this story and its development as further evidence in the conspiracy against Apple, when even the much-hated (and deservedly so) Microsoft has been known to back-port security and even many stability patches to the current and previous versions of their OSes as they're working on their next generation products. Does anybody remember that MS backported lots of fixes to NT 4.0 in SP5 and SP6 based on work they'd done developing Win2k?
Unlike Apple, however, MS didn't make NT 4.0 users wait until after Win2k shipped before bothering to release the fixes for NT 4.0. Jaguar users shouldn't have had to wait until after Panther shipped to get those security fixes. They're still waiting, aren't they?
I bought 10.2 server to run on a new G5 only to find that it can't run the software. I was forced to use it on a beige G3. Then an update killed that computer. It was not upgraded except for RAM and hard drive. So, you see, Apple sometimes has trouble supporting even new hardware.
PS: Since I purchased 10.2 server before 10/8/03, I don't qualify for the 10.3 update for $20. Thank Linus for Linux though.
Apple has generally been very responsive in fixing security problems. I don't have any reason to believe they would have acted differently in this case.
Since the historical trend indicates that Apple is good at issuing fixes in a timely manner, what makes you think that Apple has suddenly changed their policy on patches?
The real million dollar question here is whether or not @stake acted responsibly in releasing the details of the flaws publicly. Did they give Apple time to prepare the patches or did they publish too soon? Remember that @stake fired their CTO for making negative comments about Microsoft. To what degree is this firm a "white hat" security consultant vs. a Microsoft "compensated endorser"?
@stake's inability to tolerate anyone critical of Microsoft and this security flaw announcement, which included erroneous statements that Apple would not fix the problem, tend to bring @stake's credibility and integrity into question.
Life is short: void the warranty.
Apple said:
"Apple's policy is to quickly address significant vulnerabilities in past releases of Mac OS X wherever feasible," Apple said in a statement given to MacCentral. "The shipment of Panther does not change this policy. Apple has an excellent track record of working with CERT and the open source community to proactively identify and correct potential vulnerabilities."
Which is a nice bit of damage control but stops far short of saying "We are going to patch pre-10.3 releases."
I personally think they will fix 10.2 but I do find it unsettling that they, having been given the opportunity *twice* to directly answer now, haven't done so with a definitive answer.
* The "reinstall to change IP address" is actually an OpenDirectory issue, and only happens if you selected "permanent IP address" at install. Not really an OS issue.
* SCSI drivers. These exist in /System/Library/Extensions, probably for licensing reasons. SCSI drivers is a sore button since I have a couple of Adaptec 2906 cards that just won't run under 10.2.8. Possibly Adaptec's fault.
Veteran, Bermuda Triangle Expeditionary Force, 1992-1951
I think it's a bit naive to swallow that Apple did this on its own and not even consider that it was done to stop the backlash.