Slashdot Mirror


Apple Releases 'Highly Critical' Patch

Toothpick writes "Apple Insider reports that a new security update is available for download from Apple. This addresses issues identified in sudo, Safari, and OpenSSL among others. The gory details are, predictably, available on the Apple Info site." Commentary from ZDNet is also available.

5 of 96 comments

  1. Re:Problem solved by vertinox · Score: 2, Informative

    Apparently the Apple File Sharing had become unchecked after the patch, and by rechecking it and rebooting both machines it resolved the issue (oddly enough it wouldn't resolve the issue 'til they were rebooted).

    --
    "I am the king of the Romans, and am superior to rules of grammar!"
    -Sigismund, Holy Roman Emperor (1368-1437)
  2. Re:helpful list of Apple's recent security updates by Anonymous Coward · Score: 5, Informative

    Ummmmmm... when did Apple change their domain to "get.sent.to"? Don't support someone with clickthrough advertising, just go directly to http://www.apple.com/support/downloads/

  3. The interesting commentary by Budenny · Score: 2, Informative
    The interesting commentary is to be found on the Security Focus site.

    http://www.securityfocus.com/news/11359

    Look at the numbers. Whoever would have thought that the numbers for MS and Apple would have got this close? Complacency is their, and their users', greatest danger right now. You can see it in most of this thread. Time to wake up.
    1. Re:The interesting commentary by 99BottlesOfBeerInMyF · Score: 3, Informative

      Look at the numbers. Whoever would have thought that the numbers for MS and Apple would have got this close?

      Counting the number of bugfixes released is no measure of a system's security. The number of remote vulnerabilities on a default install of the OS, the ease of exploiting those vulnerabilities, the number of local exploits, and the likelihood of an exploit happening are all factors. Additionally, predictive criteria, like past performance and the exposure and design of the architecture, may be useful. If you look at Windows it has innumerable unpatched local vulnerabilities and working exploits that have existed for many years. They don't even bother fixing them most of the time. OS X on the other hand has a handful of potential local privilege escalation vulnerabilities, that are fixed in a timely manner, and with one or two proof of concept exploits (none unpatched). Windows has a number of long running remote vulnerabilities and they crop up every month. Exploits for these vulnerabilities occasionally appear before a fix is available for the vulnerability, and regularly appear before administrators have time to thoroughly test those fixes (which is very necessary due to the kludgy Windows architecture and their history of catastrophically broken patches). On OS X I am unaware of any remote vulnerability with a published exploit that preceded the fix for that vulnerability.

      The ease of exploitation of vulnerabilities on Windows is much higher due to the lack of a usable non-admin environment, non-network services that run exposed on the network, default settings that run unneeded services, auto execution of scripts and executables within default and unremovable applications, ease of concealing the nature of an executable in the GUI, integration of web browsing and file browsing code, lack of packaging for executables, shared registry, and larger install base for automated propagation. OS X is by no means perfect and experiences regular security flaws. Much of the security auditing that is done is a side benefit of the open source user environment components OS X shares with other UNIX-like systems. I'd be much happier if Apple did some more thorough security testing of their products. That said, to make the argument that the security of OS X is approaching the same level of complete cluster-fuckedness that is Windows based solely on counting the number of vulnerabilities patched by the respective vendors is ludicrous.

  4. Re:Apple? by TheRaven64 · Score: 2, Informative
    It's definitely worth playing with at least one BSD. I run FreeBSD on this laptop, and OpenBSD on a co-located Mac Mini (hosted by these people who have the best customer service I have ever encountered and, depressingly, no referrer program - I guess they don't need one). There are a lot of similarities and a lot of differences. OpenBSD is very much a classic BSD system. The kernel is an older design (it has the same sort of SMP support FreeBSD had five years ago), but older means better tested, and if you don't need anything newer it feels very polished.

    The WiFi support in OpenBSD is nicer, as is pretty much anything connected to networking, although FreeBSD is slowly importing most of the OpenBSD code (they've got pf - a really nice packet filter - and OpenBSD's dhcpd already). If you're looking for something to put on a firewall, OpenBSD is what you want - pf is so much better than any alternative I've seen (miles ahead of iptables, which was clearly designed by someone on LSD, both for flexibility and ease of use).

    FreeBSD has some nicer features on a desktop. The new scheduler, SCHED_ULE, is great for interactive processes - a compile job using 100% of the CPU has no effect on the responsiveness of the desktop, it's almost like being on an SMP machine (you need to enable it in a custom kernel in 6.0 - the default one is throughput, not latency, optimised). FreeBSD also has nVidia support in the form of binary drivers and DRI drivers for many other cards, OpenBSD does not yet. FreeBSD also supports some Windows WiFi card drivers through Project Evil.

    Both FreeBSD and NetBSD have a more modern init system (init scripts contain requires and provides lines, allowing them to be run in the right order with as much parallelism as possible), while OpenBSD uses the simpler BSD init system.

    Which you prefer will be a matter of personal preference. Do make sure you read the documentation. All of the BSDs have good man pages (although OpenBSD is ahead here by quite a margin), and the FreeBSD Handbook is also very good.

    --
    I am TheRaven on Soylent News