Slashdot Mirror


Apple to Fix Security Holes in Jaguar

Simon Cozens writes "Yesterday's unsubstantiated report that Apple is refusing to supply security upgrades to Jaguar turns out to be untrue; Apple told MacCentral they will be fixing the bugs turned up by @stake. Next conspiracy, please!"


  1. Well hell by mojowantshappy · · Score: 4, Funny

    I didn't see this coming at all! Who would have thought they would be supporting their own products.

    --

    This page was generated by a Barrel of Circus Midgets, and that is the way I like it!!!

    1. Re:Well hell by feldsteins · · Score: 5, Interesting

      Mac fans can't win on these stories. First an alarmist article claiming that they are "forcing" paid upgrades by not fixing security holes in existing systems. Hundreds of Apple-bashing posts later, it comes out that they are indeed patching the existing systems. You come on here to point this out and say "see? They ARE fixing it!" and someone comes behind you and says "big fucking deal! this is what everyone else would do!"

      Following Apple-related discussions on Slashdot is like riding on a bus with no steering: it careens onto the right shoulder, heads back toward the middle, only to screech onto the left shoulder, back toward the middle...

      --
      You like your Macintosh better than me, don't you Dave? Dave? Can you hear me Dave?
  2. Damn straight by admiralfrijole · · Score: 5, Insightful

    Of course Apple is going to fix them, they still support the 10.2 Server, so they have to...

    Damn Windows zealots making shit up...

    --
    e to the pi i plus one equals zero
  3. Yesterday's bickering only mindless speculation by danigiri · · Score: 4, Funny

    Definitely Apple deserves more credit and unlike other companies, the benefit of the doubt until official statements are made.

    1. Re:Yesterday's bickering only mindless speculation by Trigun · · Score: 5, Insightful

      I don't think that Apple deserves more or less credit than any other company. The same goes for the benefit of the doubt. The only thing that they deserve is for us to wait for verification before villainizing the company.

      Apple has not signed up as a Templar knight any more than Microsoft has sold its collective soul to the devil.

  4. Wha! by TheVidiot · · Score: 5, Funny

    Conspiracy! And slashdotters believed it? Un-be-lievable!

    1. Re:Wha! by brre · · Score: 2, Funny
      un-be-lievable

      I do not think that word means what you think it means.

  5. Good to hear by AvantLegion · · Score: 4, Interesting
    There's no question people were gratuitously jumping the gun on the last story, but it's good to hear official confirmation that the fixes will be made available for Jaguar. There would not have been a story here at all if not for nonsense speculation.

    However, the story makes reference to Jaguar specifically, but what about OS X releases before that?

  6. *GASP*! by ChuckleBug · · Score: 2, Funny

    Panther, Apple's latest operating system, was not affected by the security issues outlined by @Stake -- the flaws only affect Mac OS X 10.2.8 and lower.

    This PROVES it! Apple has NO INTENTION of fixing these egregious bugs in Panther! How is Apple ever going to be taken seriously in [echo]THE ENTERPRISE[/echo] when all they care about are legacy customers?!?!?!?!

  7. were they always going to? by dirk · · Score: 5, Interesting

    Now the real question is whether they told @stake they weren't going to fix them and changed their mind afterward because of all the talk about it. It is as wrong to assume they were always going to fix it as it is to assume they weren't going to fix it. I would tend to believe they told @stake that, and then when word got out and everyone screamed, they changed their minds right quick.

    --

    "Information wants to be expensive" - Stewart Brand, the same guy who said "Information wants to be free"
    1. Re:were they always going to? by Llywelyn · · Score: 2, Insightful

      Actually I would tend to think that someone who has nothing to do with the decision process might have told someone at @stake something which vaguely resembled that there were no plans for it. @stake and company spun the information accordingly.

      Whether Apple had any prior plans? Their track record says "yes," though there is no way we are ever going to find out one way or the other.

      Now can you please put the tinfoil away? It's making a horrible sound.

      --
      Integrate Keynote and LaTeX
    2. Re:were they always going to? by Anonymous Coward · · Score: 5, Informative

      I just go on Apple's past performance. After OSX 10.2 was released, there were still security updates released for 10.0/10.1.

      After OSX 10.2 was released, actually, there were even updates for MacOS 9.

      Apple's past record for support of older systems is a stronger indication of their intent than the ramblings of any site, publication or group of users.

    3. Re:were they always going to? by kalidasa · · Score: 2, Interesting

      Well, let's see, @Stake is the same company that only a few weeks ago fired Dan Geer for that article on the Microsoft monoculture (http://news.com.com/2100-1009_3-5082649.html). Who do you want to believe today?

  8. Re:Ha! by gralem · · Score: 2

    Duh. Who thought that Apple was forcing upgrades? Idiots! Even if Apple was going to come up with some sort of conspiracy to "force" people to upgrade, they wouldn't use security. This is one of the most important features of the OS--this goes way beyond upgrade money.

    They will entice us with OSX.4 being "snappier than ever"!

    ---gralem

  9. This might not be good news. by EvilStein · · Score: 4, Insightful

    Apple rolled several security updates into that thing called 10.2.8, which has caused many people no end to troubles, especially those with older hardware.

    Yes, I have a beige G3. Yes, I've put a much faster ZIF processor in it. It's a small OS X Server. 10.2.8 screwed up all *kinds* of things.

    Can Apple please release the security updates individually so we can apply them as needed instead of bundling them into a dot-whatever release?
    That's all I ask, Apple. I'll buy a shiny new G4 (or G5) when I can actually afford it. (No, they're not too expensive, I'm just flat broke. :P)

    1. Re:This might not be good news. by jeffasselin · · Score: 2, Insightful

      If you'd actually read the Apple tech article that was released soon after the G5s were shipping (on August 25th), you'd have known that it didn't work:

      http://docs.info.apple.com/article.html?artnum=86444

      --
      If he explores all forms and substances Straight homeward to their symbol-essences; He shall not die.
    2. Re:This might not be good news. by WNight · · Score: 2, Insightful

      You'd think it would work that way, but from my experience in testing I find that multiple small releases are easier to work with. You can be much more precise about what they affect and the testing is easier. Then, once you've run a full regression test on each individually you have a fairly good chance of being able to combine them all without any problems. If you just glom a bunch of things together you can't predict the impact very accurately and you end up doing a bunch of "wasted" testing.

      Also, you don't end up with the situation where SP2 hoses some program, because you can mark that specific patch, usually a tiny one, as causing problems and people can apply all the rest. The fact that only one small patch is a problem means that only one small patch needs to be fixed and retested, if you had to replace the whole service pack you'd have to retest it all.

  10. It's Soprano time. by HarveyBirdman · · Score: 4, Funny
    C'mere, you!

    Get over here.

    Now. (smack) Mac (smack) OS (smack) X (smack) supports (smack) multibutton (smack) mice (smack) right (smack) out (smack) of (smack) the (smack) box!

    (smack) (smack) (smack) (smack) (smack)

    Now pound sand before I officially sanction a hit. Jobs is a made man, and you shall not disrespect his product. Capisca?

    --
    --- Ban humanity.
  11. ZDNet == FUDNet by MuckSavage · · Score: 4, Funny

    At least ZDNet continues their excellent track record of fair, unbiased reporting with regards to apple.

  12. check it out! by Anonymous Coward · · Score: 2, Funny

    Hello. I would like to discuss a neat little command line utility included in Mac OS X that doesn't get enough attention in my humble opinion. Living in /usr/bin/, this simple Open Source tool is something that I just can not live without. What is this wondrous textual utility that I'm talking about? It's none other than machine!

    Included since 1991 with the 4.4BSD platform, machine gives you the processor name that your system is based on. I don't know if it works for Intel or any other architectures, since when I opened up the binary in TextEdit.app I couldn't find any processor name strings. Here's an incomplete list of machine output that I do know of to help illustrate what I mean:

    • ppc603
    • ppc604
    • ppc620
    • ppc750
    • ppc970

    What I think is the funnest part of machine is bringing up its manual page. I wonder who was clever enough to invent this little pun, but it makes me LOL every time I do it. Sometimes I do it just to laugh, even if I don't want to learn about machine at the moment. In case you can't guess, here is the command to bring up the manual:

    man machine

    omfg LOL!!11! I have been accessing this program since OpenStep 4.2, then in Rhapsody DR2 and continue to use it today under Mac OS X v10.3. Kudos to NeXT and now Apple for including this Wunderwerkzeug for almost 10 years. It sure makes my Power Mac a joy to use. Check it out!

  13. Re:Goatse-guy replaced by goatse-pumpkin! by jweatherley · · Score: 2, Offtopic

    Heh! It really has - take a look as long as it's still 31Oct otherwise avert those eyes...

    --
    Reverse outsourcing: it's the future
  14. the million $ question is... by tota · · Score: 2, Insightful

    would they have done it as quickly without @stake first finding these bugs then putting bugtraq and media pressure on apple?

    --
    TODO: 753) write sig.
    1. Re:the million $ question is... by gunnk · · Score: 2, Interesting

      Apple has generally been very responsive in fixing security problems. I don't have any reason to believe they would have acted differently in this case.

      Since the historical trend indicates that Apple is good at issuing fixes in a timely manner, what makes you think that Apple has suddenly changed their policy on patches?

      The real million dollar question here is whether or not @stake acted responsibly in releasing the details of the flaws publicly. Did they give Apple time to prepare the patches or did they publish too soon? Remember that @stake fired their CTO for making negative comments about Microsoft. To what degree is this firm a "white hat" security consultant vs. a Microsoft "compensated endorser"?

      @stake's inability to tolerate anyone critical of Microsoft and this security flaw announcement, which included erroneous statements that Apple would not fix the problem, tend to bring @stake's credibility and integrity into question.

      --
      Life is short: void the warranty.
  15. Apple refuses to fix bugs in ProDOS!!!! by freeze128 · · Score: 2, Funny

    I don't want to be forced to upgrade to an Apple ][gs...

  16. Almost certainly... by Trillan · · Score: 5, Insightful

    I doubt they told @stake they weren't going to fix them. I doubt they told @stake they were going to fix them. In fact, I doubt they even told @stake that the flaws didn't affect Panther... @stake probably found that out and told Apple.

    Apple doesn't talk details in unreleased products.

    There's a couple reasons we're seeing this press release:

    • @Stake acted unethically and went to the press early to get their name seen.
      Ethical reporting of security flaws involves going to the company and giving them time to get a patch out. Then, one or both companies announces the flaw... and includes details of the patch. @stake jumped the gun and did not use white hat practices.
    • ZDNet engaged in wild speculation with typical bias.
      ZDNet decided that @stake's announcement meant Apple wasn't going to fix the problem, and decided to give it a spin. As they actually indicated in their story, they did not wait for a comment from Apple before rushing the thing to press.

    Hopefully, @stake will do better next time. But I doubt their role in this will be examined very carefully.

    I know ZDNet will do the same thing next time. They smell any blood around Apple, they're the first to paint a picture of mass destruction, mayhem and cats and dogs sleeping together.

    If @stake hadn't jumped the gun, we'd have seen a press release some time next week on Apple's site about the security flaws, with a fix, and with credit to @stake for finding them. How do I know this? Because it's what they've done every other time, including with 10.1 after 10.2 was released!

  17. Conclusions by Verteiron · · Score: 2, Funny

    from the do-not-jump-to-the-island-of-conclusions dept.

    Wow, and here I was starting to think I was the only person in the world who read "The Phantom Tollbooth".

    --
    End of lesson. You may press the button.
  18. @stake sometimes waits for a fix.... by masonbrown · · Score: 2, Interesting

    According to this advisory at @stake, they have at least once withheld release of a vulnerability until affected systems could be patched. This paragraph kinda sums it up:

    Due to the severity of this vulnerability @stake has confirmed that they will not be releasing this information publicly on their research page (http://www.atstake.com/research/) until Nokia has confirmed that all affected operators have fully patched and tested all affected elements. However @stake would ideally like to release this information no later than 1st June 2003.

    So it does seem a little childish to just jump out and announce a vulnerability to the world.... My guess (yeah, it's just the little scenario I've worked up in my mind) is that @stake wanted to "work with Apple" and release a joint press-release type scenario on squashing a vulnerability. Apple of course doesn't want to give credit to anyone for anything (not trolling, just stating an observation), and refuses the offer. @stake gets pissed and blares this up and down the board, issuing press releases, contacting specific non-Apple-loving reporters, etc. You know why I think this? From the same advisory linked above is this self-serving text:

    @stake worked with Nokia to ensure that all affected operators were informed and upgraded and only after this time did @stake agree to release this information to the public.

    Do you really think that Nokia let @stake get into their code, make security changes, and essentially be a full partner in the effort to crush this vulnerability? I don't.

  19. Let's be fair and balanced (no, really) here... by gr · · Score: 4, Informative

    The initial security advisories did include a "vendor response" section. Across the board that said "upgrade to 10.3", without any mention of a forthcoming patch for earlier releases.

    That's the only thing that had Bugtraq up in arms: the lack of assurance that earlier versions would see a patch. And most of the people worried about that were worried because they want Apple to succeed as a Unix vendor, not because they want to see it crash and burn. (I don't know about the Slashdot comments, because I only read more than the highest rated couple of comments when I've got moderator points, but I'd guess that at least some of them were along the same lines.)

    I don't know if it was merely a typographical oversight, or if Apple really didn't have any plans to release patches for earlier releases. In the first case they should have been more clear initially (and now they will), in the latter case they were making a huge mistake. I'm inclined to believe it's the former.

    This is not the first time that Apple's security PR has been less than impeccable. They've rebounded pretty well each time, and I haven't seen them make the same mistake twice.

    It's only reasonable to expect them to get harshly criticized, especially with Mac OS X: they're jumping from a very soft, easy-going market (desktop publishing and education) into an insanely security-conscious market (Unix enterprise servers). They're actually doing quite well, but there are still more entrance pains to come. The security community is, to an extent, xenophobic, and certainly disinclined to believe that a vendor with a relatively small amount of experience in the market can be relied upon to do the right thing. So Apple has to prove themselves a bit. So far, they're doing pretty well. It doesn't matter if you make mistakes like this, as long as you admit to them, patch things up, and then don't keep making them (hey Microsoft, you listening here?).

    And Apple really is doing a good job: I've seriously considered bringing Mac OS X (and the related hardware) in as a replacement for aging Sun hardware running Solaris. Sun seems to be falling apart, and (especially with the G5) Apple seems to be a reasonable replacement in the mid-range compute + high I/O line of work without the vendor/service problems you get from Linux (which isn't so hot on the I/O front, since it's hampered by the IA32 architecture's crappy I/O design... other architectures don't matter, because Red Hat doesn't support them commercially).

    --
    Do you have a /. uid shorter than five digits? No? Then piss off.
  20. Apple DID NOT initially plan to patch Jaguar by McSpew · · Score: 4, Interesting

    According to David Goldsmith of @Stake, "In my initial conversations with them [Apple], they said they weren't going to fix 10.2, but I wouldn't be surprised if they change that."

    In other words, this isn't just some sort of overblown speculation run amok. Apple did initially tell security experts they didn't plan to patch Jaguar. That was a stupid plan, and even the security experts didn't expect that to last, but that doesn't change the fact that someone from Apple did claim Jaguar wouldn't be patched.

    What I find amusing is the fact that Apple zealots are using this story and its development as further evidence in the conspiracy against Apple, when even the much-hated (and deservedly so) Microsoft has been known to back-port security and even many stability patches to the current and previous versions of their OSes as they're working on their next generation products. Does anybody remember that MS backported lots of fixes to NT 4.0 in SP5 and SP6 based on work they'd done developing Win2k?

    Unlike Apple, however, MS didn't make NT 4.0 users wait until after Win2k shipped before bothering to release the fixes for NT 4.0. Jaguar users shouldn't have had to wait until after Panther shipped to get those security fixes. They're still waiting, aren't they?

    1. Re:Apple DID NOT initially plan to patch Jaguar by MoneyT · · Score: 4, Insightful

      One person's "initial conversations". That could have been as simple as him calling tech support and asking the question. Or asking one of the employees at the Apple store. Not everyone in Apple knows everything that's going on at every minute.

      --
      T Money
      World Domination with a plastic spoon since 1984
    2. Re:Apple DID NOT initially plan to patch Jaguar by buysse · · Score: 5, Interesting

      I'm paranoid, I'll freely admit, but this is the same l0pht^H^H^H^H^H @stake that canned someone who was critical of Microsoft? Hmmp.
      $credibility{'@stake'}--;

      --
      -30-
    3. Re:Apple DID NOT initially plan to patch Jaguar by McSpew · · Score: 2, Interesting

      I'm guessing the director of research at a leading security company is not going to bother with clueless tech support droids. I'd suspect he has a direct line to the people responsible for security issues with the various OS products. It's highly probable the person he spoke to was reasonably well-informed. Does that mean that the person he spoke to was definitely in the loop? Possibly not. However, I'd suspect if that person didn't know, they might just say, "I don't know what the plans are at this point," as opposed to saying they weren't planning to port those security updates back to Jaguar.

      And keep in mind, here, that the quote wasn't, "They didn't know of any plans," it was "they weren't going to." It's possible that Goldsmith misunderstood what he was told or exaggerated what he was told, but security researchers depend on their reputations, so I think they tend to be careful about overstating such things. Again, keep in mind that Goldsmith said, "I wouldn't be surprised if they change that," which shows that he wasn't trying to make more of it than there was.

      However, none of this changes the fact that Apple initially planned not to backport the fixes to Jaguar. Apple zealots can stop trying to rewrite history after the fact.

    4. Re:Apple DID NOT initially plan to patch Jaguar by Lars+T. · · Score: 2, Insightful
      Unlike Apple, however, MS didn't make NT 4.0 users wait until after Win2k shipped before bothering to release the fixes for NT 4.0. Jaguar users shouldn't have had to wait until after Panther shipped to get those security fixes.

      Well, genius, will you give your time-machine to Apple so they can send the fix back to before they A) shipped Panther and B) were informed of the bug after A)? As for Microsoft, they sure as hell fixed bugs in NT 4 after Win2k shipped, as well as after XP shipped - and NT4 is EOL, so they won't fix any more bugs that are found, and there will be more bugs found in NT4.

      --

      Lars T.

      To the guy who modded me down from perfect to terrible Karma - Apple haters still suck

    5. Re:Apple DID NOT initially plan to patch Jaguar by MoneyT · · Score: 2, Insightful

      Even the statement "I don't know of any plans to patch" could easily have been translated as a no by anyone. Corporate and government doublespeak often use "I don't know of any plans" to say no, but cover their ass if plans change. But since there was no official statement from Apple, he spoke to one person, and could not even provide a direct quote, I would take the statement with a grain of salt.

      It's not different than the "anonymous sources close to the whitehouse said..." those sources could just have easily been the president or the janitor. That is why you should take anonymous statements with a grain of salt.

      No one is trying to rewrite history, as there was no definitive statement from Apple.

      --
      T Money
      World Domination with a plastic spoon since 1984
    6. Re:Apple DID NOT initially plan to patch Jaguar by McSpew · · Score: 2, Interesting

      A) shipped Panther and B) were informed of the bug after A)

      Please tell me how Apple fixed security problems before they were informed of them? Public disclosure does not equal initial notification. Security researchers routinely privately notify software companies of their discoveries of flaws and then allow those companies time to fix the flaws before they publicly disclose them. In return, the software companies state in their press releases, something to the effect of, "XYZ software thanks Foo Bar of Baz Security Research for discovering this flaw."

      As for Microsoft, they sure as hell fixed bugs in NT 4 after Win2k shipped, as well as after XP shipped - and NT4 is EOL, so they won't fix any more bugs that are found, and there will be more bugs found in NT4.

      Clearly, you're speaking as someone who doesn't bother actually reading security notices or reading discussions on security-related mailing lists. Of course MS discovered and fixed security bugs in NT 4.0 after Win2k and XP shipped. My point was that MS frequently releases patches to existing products based on fixes to the code base that were discovered while developing new products. Microsoft has the same arrangement with security researchers that Apple does: Let us know privately about any flaws and when we finish the patch, we'll publicly give you credit for finding the flaw. This is done to give MS or Apple time to develop, test and release a patch before exploit code gets out "in the wild."

      And yes, MS has EOL'd NT 4.0, but that product is seven years old, as opposed to Jaguar, which is about a year old. You can't compare MS's decision to stop patching NT with Apple's initial reluctance to patch Jaguar. I have never heard of MS deciding to hold off on releasing a fix until a new OS version ships and then not getting around to simultaneously releasing the fix for the formerly-current-now-previous version. Even if Apple did plan to patch Jaguar all along and this is a colossal misunderstanding, their inability to coordinate updates for Jaguar and Panther simultaneously doesn't speak well of their security efforts.

  21. Serves all those speculators right... by indros13 · · Score: 3, Funny
    ...posting unsubstantiated claims.

    But did you hear that M$ is buying Google?

    *smack*

    --
    Under capitalism man exploits man. Under communism it's the other way around.
  22. i call bullshit. by Random832 · · Score: 2, Informative

    machine(1)

    Description

    The machine command displays the machine type.

    double bullshit for "i386"

    --
    We've secretly replaced Slashdot with new Folgers Crystals - let's see if it notices.
  23. THey haven't said they will fix them. by ccarter · · Score: 2, Interesting

    Apple said:

    "Apple's policy is to quickly address significant vulnerabilities in past releases of Mac OS X wherever feasible," Apple said in a statement given to MacCentral. "The shipment of Panther does not change this policy. Apple has an excellent track record of working with CERT and the open source community to proactively identify and correct potential vulnerabilities."

    Which is a nice bit of damage control but stops far short of saying "We are going to patch pre-10.3 releases."

    I personally think they will fix 10.2, but I do find it unsettling that they, having been given the opportunity *twice* to directly answer now, haven't done so with a definitive answer.

  24. Re:Let's be fair and balanced (no, really) (OT) by Maserati · · Score: 2, Interesting

    * The "reinstall to change IP address" is actually an OpenDirectory issue, and only happens if you selected "permanent IP address" at install. Not really an OS issue.

    * SCSI drivers. These exist in /System/Library/Extensions, probably for licensing reasons. SCSI drivers are a sore button since I have a couple of Adaptec 2906 cards that just won't run under 10.2.8. Possibly Adaptec's fault.

    --
    Veteran, Bermuda Triangle Expeditionary Force, 1992-1951
  25. Sensationalism? by Mikey-San · · Score: 2, Insightful

    I only have a simple question, really:

    If the original story, about Apple not fixing security holes in Jaguar, made the front page, why didn't this?

    Fox^H^H^HSlashdot: Fair and Balanced.

    --
    Mikey-San
    Karma: +Eleventy billion (mostly affected by watching Celebrity Jeopardy)
  26. Re:Who needs it? by Lars+T. · · Score: 2, Informative
    --

    Lars T.

    To the guy who modded me down from perfect to terrible Karma - Apple haters still suck

  27. Re:How to tell who he talked to by bdsesq · · Score: 3, Funny

    Apple did initially tell security experts they didn't plan to patch Jaguar.

    That is speculation. You have no way of knowing, unless you know exactly who said what to Goldsmith. And you don't.

    There is a very simple way to determine who Goldsmith talked to. Just check and see who was fired at Apple on Friday.

  28. Conspiracy? yeah, right by komputerguy · · Score: 2, Interesting

    I think it's a bit naive to swallow that Apple did this on its own and not even consider that it was done to stop the backlash.