Slashdot Mirror
Apple to Fix Security Holes in Jaguar
Simon Cozens writes "Yesterday's unsubstantiated report that Apple is refusing to supply security upgrades to Jaguar turns out to be untrue; Apple told MacCentral they will be fixing the bugs turned up by @stake. Next conspiracy, please!"
I didn't see this comming at all! Who would have thought they would be supporting their own products.
This page was generated by a Barrel of Circus Midgets, and that is the way I like it!!!
Of course Apple is going to fix them, they still support the 10.2 Server, so they have to...
Damn Windows zealota making shit up...
e to the pi i plus one equals zero
Definitely Apple deserves more credit and unlike other companies, the benefit of the doubt until official statements are made.
Conspiracy! And slashdotters believed it? Un-be-lievable!
However, the story makes reference to Jaguar specifically, but what about OS X releases before that?
Now the real question is whether they told @stake they weren't going to fix them and changed their mind after the because of all the talk about it. It is as wrong to assume they were always going to fix it as it is to assume they weren;t going to fix it. I would tend to believe they told @stake that, and then when word got out and everyone screamed, they changed their minds right quick.
"Information wants to be expensive" - Stewart Brand, the same guy who said "Information wants to be free"
Apple rolled several security updates into that thing called 10.2.8, which has caused many people no end to troubles, especially those with older hardware.
:P)
Yes, I have a beige G3. Yes, I've put a much faster ZIF processor in it. It's a small OS X Server. 10.2.8 screwed up all *kinds* of things.
Can Apple please release the security updates individually so we can apply them as needed instead of bundling them into a dot-whatever release?
That's all I ask, Apple. I'll buy a shiny new G4 (or G5) when I can actually afford it. (No, they're not too expensive, I'm just flat broke.
Get over here.
Now. (smack) Mac (smack) OS (smack) X (smack) supports (smack) multibutton (smack) mice (smack) right (smack) out (smack) of (smack) the (smack) box!
(smack) (smack) (smack) (smack) (smack)
Now pound sand before I officially sanction a hit. Jobs is a made man, and you shall not direspect his product. Capisca?
--- Ban humanity.
At least ZDNet continues their excellent track record of fair, unbiased reporting with regards to apple.
I doubt they told @stake they weren't going to fix them. I doubt they told @stake they were going to fix them. In fact, I doubt they even told @stake that the flaws didn't affect Panther... @stake probably found that out and told Apple.
Apple doesn't talk details in unreleased products.
There's a couple reasons we're seeing this press release:
Ethical reporting of security flaws involves going to the company and giving them time to get a patch out. Then, one or both companies announces the flaw... and includes details of the patch. @stake jumped the gun and did not use white hat practices.
ZDNet decided that @stake's announcement meant Apple wasn't going to fix the problem, and decided to give it a spin. As they actually indicated in their story, they did not wait for a comment from Apple before rushing the thing to press.
Hopefully, @stake will do better next time. But I doubt their role in this will be examined very carefully.
I know ZDNet will do the same thing next time. They smell any blood around Apple, they're the first to paint a picture of mass destruction, mayhem and cats and dogs sleeping together.
If @stake hadn't jumped the gun, we'd have seen a press release some time next week on Apple's site about the security flaws, with a fix, and with credit to @stake for finding them. How do I know this? Because it's what they've done every other time, including with 10.1 after 10.2 was released!
The initial security advisories did include a "vendor response" section. Across the board that said "upgrade to 10.3", without any mention of a forthcoming patch for earlier releases.
That's the only thing that had Bugtraq up in arms: the lack of assurance that earlier versions would see a patch. And most of the people worried about that were worried because they want Apple to suceed as a Unix vendor, not because they want to see it crash and burn. (I don't know about the Slashdot comments, because I only read more than the highest rated couple of comments when I've got moderator points, but I'd guess that at least some of them were along the same lines.)
I don't know if it was merely a typographical oversight, or if Apple really didn't have any plans to release patches for earlier releases. In the first case they should have been more clear initially (and now they will), in the latter case they were making a huge mistake. I'm inclined to believe it's the former.
This is not the first time that Apple's security PR has been less than impeccable. They've rebounded pretty well each time, and I haven't seen them make the same mistake twice.
It's only reasonable to expect them to get harshly criticized, especially with Mac OS X: they're jumping from a very soft, easy-going market (desktop publishing and education) into an insanely security-conscious market (Unix enterprise servers). They're actually doing quite well, but there are still more entrance pains to come. The security community is, to an extent, xenophobic, and certainly disinclined to believe that a vendor with a relatively small amount of experience in the market can be relied upon to do the right thing. So Apple has to prove themselves a bit. So far, they're doing pretty well. It doesn't matter if you make mistakes like this, as long as you admit to them, patch things up, and then don't keep making them (hey Microsoft, you listening here?).
And Apple really is doing a good job: I've seriously considered bringing Mac OS X (and the related hardware) in as a replacement for aging Sun hardware running Solaris. Sun seems to be falling apart, and (especially with the G5) Apple seems to be a reasonable replacement in the mid-range compute + high I/O line of work without the vendor/service problems you get from Linux (which isn't so hot on the I/O front, since it's hampered by the IA32 architecture's crappy I/O design... other architectures don't matter, because Red Hat doesn't support them commercially).
Do you have a
According to David Goldsmith of @Stake, "In my initial conversations with them [Apple], they said they weren't going to fix 10.2, but I wouldn't be surprised if they change that."
In other words, this isn't just some sort of overblown speculation run amok. Apple did initially tell security experts they didn't plan to patch Jaguar. That was a stupid plan, and even the security experts didn't expect that to last, but that doesn't change the fact that someone from Apple did claim Jaguar wouldn't be patched.
What I find amusing is the fact that Apple zealots are using this story and its development as further evidence in the conspiracy against Apple, when even the much-hated (and deservedly so) Microsoft has been known to back-port security and even many stability patches to the current and previous versions of their OSes as they're working on their next generation products. Does anybody remember that MS backported lots of fixes to NT 4.0 in SP5 and SP6 based on work they'd done developing Win2k?
Unlike Apple, however, MS didn't make NT 4.0 users wait until after Win2k shipped before bothering to release the fixes for NT 4.0. Jaguar users shouldn't have had to wait until after Panther shipped to get those security fixes. They're still waiting, aren't they?
But did you hear that M$ is buying Google?
*smack*
Under capitalism man exploits man. Under communism it's the other way around.
Apple did initially tell security experts they didn't plan to patch Jaguar.
That is speculation. You have no way of knowing, unless you know exactly who said what to Goldsmith. And you don't.
There is a very simple way to determine who Goldsmith talked to. Just check and see who was fired at Apple on Friday.