Apple Releases 'Highly Critical' Patch

Toothpick writes "Apple Insider reports that a new security update is available for download from Apple. This addresses issues identified in sudo, Safari, and OpenSSL among others. The gory details are, predictably, available on the Apple Info site." Commentary from ZDNet is also available.

Not really

[sam_paris]

"Highly critical"??

If you think about it, it's not really highly critical at all, mainly because the odds are that there will be no programs written that exploit these security flaws. If these were Windows flaws then yes, it would be critical as you could bet a virus would be written within the week that exploited them.

I bet you could leave your OSX system unpatched for years without ever really being at risk.

Re:Not really

[Aggamemnon]

I run OS X, and I wouldn't risk it.

Re:Not really

[yardbird]

Most of these are local exploits, but I count 4 vulnerabilities (2 in Safari, 1 each in CoreFoundation and curl) which could allow "arbitrary code execution". No thanks, I'll patch today.

Re:Not really

[macaulay805]

Is a 10 minute patch and a reboot really worth the risk of not patching for years?

Re:Not really

[snuf23]

Yeah exactly. Because OS X is UNIX based and we all know there are NO UNIX hackers in world. I mean who could possibly have the knowledge to exploit a known vulnerability on a UNIX or Linux system? I wouldn't even know where to go to look for that imaginary beast. :P

This could wait a few months, right?

[Golias]

Why can't Apple just patch their...

... oh, they did? Before there were any exploits in the wild?

Never mind.

all fine

[Councilor+Hart]

Installed yesterday. No problems so far.

helpful list of Apple's recent security updates

[ubiquitin]

http://get.sent.to/apple_security_updates

Some Apple's security updates are available for older releases of Mac OS X such as Panther and Jaguar as well.

Re:helpful list of Apple's recent security updates

Ummmmmm... when did Apple change their domain to "get.sent.to" ? Don't support someone with clickthrough advertising, just go directly to http://www.apple.com/support/downloads/

Re:helpful list of Apple's recent security updates

[andrewski]

Get BENT dude.

Apple?

[Mr2cents]

Shouldn't that become GNU/Apple? You could have fooled me it was a security report for some GNU/Linux distro.. Well, except for the Safari part..

Time to ask RMS about his opinion on this..

Re:Apple?

[lelkes]

No. Mac OS X is based on BSD (mainly FreeBSD). It has nothing to do with RMS.

Re:Apple?

[Golias]

Well, it does use a version of gcc and their terminal app has bash as the default shell, so it's a little strong to say it has "nothing" to do with RMS.

Re:Apple?

[lelkes]

Really? I use bash as my shell on my FreeBSD box, and I compile programs with gcc. Then maybe I should call it GNU/FreeBSD?

Re:Apple?

[Golias]

I don't even use the "GNU/" prefix when I'm talking about Linux, but credit where credit is due. Stallman and other GNU participants have made a crapload of really good tools which are used in almost every flavor of *nix these days, including OS X.

Re:Apple?

[Shisha]

Indeed, even the KHTML part of Safari is GPLed. So Apple owes a lot to GPL. On a lighter note it would be great fun to see Steve Jobs and Richard Stallman clash... such two dominant personalities... maybe one of them is made of anti-matter and if they touched they'd anihilate in a bright flash of light.

Re:Apple?

[jtshaw]

Apple includes the BSD userland utilities, and while it does include some GPL'd software it does not require any to run properly. However, I believe we should petition them to starting calling it the "Mach based Darwin/BSD/Mac OS X featuring OSS Software by GNU, Apache, Postfix, Samba, ect."

Re:Apple?

[Mr2cents]

Hmmm.. I thought that the GNU part in GNU/Linux referred to the GNU tools and the Linux kernel, not to the GPL'ed kernel. But it's true, I never heared RMS make the same claims for .*BSD systems, although they also use the GNU tools unless I'm terribly mistaken.

Re:Apple?

[Golias]

I'm told that Jobs recently appeard on "Charlie Rose" with Bill Gates.

Word is, he was quietly smirking to himself when Rose asked Gates about Dell's recently-stated desire to offer OS X 10.4 on their systems.

Re:Apple?

[outZider]

Yeah, but Steve Jobs bathes, so he wins. :)

Re:Apple?

[TheRaven64]

The GNU/ does refer to the GNU userland. The BSDs have their own userland, although they tend to use the the GNU Compiler Collection. The rest of the toolchain (make, loader, etc) are all non-GNU, as is the shell and the standard collection of POSIX utilities. It is common for BSDs to include GCC, GDB and GROFF, but very little other GNU software. In contrast a common Linux distro uses the GNU versions of ps, top, etc, a GNU shell (bash) and a whole raft of other GNU utils - if you removed them, then you would have an unusable system, which is why RMS requests people say GNU/Linux.

By the way, both sudo and OpenSSL are OpenBSD spin-offs and nothing at all to do with the GNU project.

Re:Apple?

[byolinux]

GNU refers to the GNU OS, which when combined with Linux, makes GNU/Linux (GNU slash Linux, or GNU with Linux, as I prefer to say) - if GNU had just been a project to make userland tools, there would be no GNU prefix.

Re:Apple?

[irc.goatse.cx+troll]

If you removed them then you would replace them with the BSD counterparts and have a perfectly usable system.
For that matter, I doubt you need them at all to run a stardard kde+firefox+thunderbird+minesweeper setup.

Re:Apple?

[TheRaven64]

If you removed them then you would replace them with the BSD counterparts and have a perfectly usable system.

If you removed them and replaced them with BSD counterparts, you would not have a GNU/Linux system, you would have a BSD/Linux system. Similarly, you could remove the Linux kernel and replace it with a FreeBSD kernel built with Linux ABI support and probably not notice (you can even install Debian on a FreeBSD kernel instead of a Linux one). This doesn't mean that the system isn't Linux.

For that matter, I doubt you need them at all to run a stardard kde+firefox+thunderbird+minesweeper setup.

Well, let's look at the boot process, shall we. The kernel starts. Then it runs init. Init runs a load of shell scripts (ooops, you've just removed /bin/sh, provided by the GNU project). Never mind, init could execute binaries instead - well, as long as they are statically linked, since the standard Linux loader is GNU, and so you've just removed it. Never mind, still at least you can log in to your statically linked system. Well, you could if you hadn't just deleted your login program. Never mind, we can replace it with a statically linked copy of X - that's not GNU, at least. Oh, it seems X won't compile - you've just deleted GNU libc, and X won't run without it.

Sure, you could replace bash, glibc, top, ps, cat, chown, chmod, ls, ln, cp, mv, ld, ldd, getty, etc. with non-GNU counterparts, but until you do then you should accept the fact that a significant amount of essential GNU software exists in your 'Linux' OS and defines the visible behaviour a lot more than the Linux kernel does.

Re:Apple?

[Mr2cents]

Thanks, I have learned something today (karma well spent, I'd say :-P)

I knew that the GNU utils were running on .*BSD, but now I realize they are but one of the alternatives. I was a bit misguided, I admit. I really should make the time/diskspace to install some .*BSD's and Darwin on a spare system, but "make time" keeps returning an error message ;-).

Re:Apple?

[TheRaven64]

It's definitely worth playing with at least one BSD. I run FreeBSD on this laptop, and OpenBSD on a co-located Mac Mini (hosted by these people who have the best customer service I have ever encountered and, depressingly, no referrer program - I guess they don't need one). There are a lot of similarities and a lot of differences. OpenBSD is very much a classic BSD system. The kernel is an older design (it has the same sort of SMP support FreeBSD had five years ago), but older means better tested, and if you don't need anything newer it feels very polished.

The WiFi support in OpenBSD is nicer, as is pretty much anything connected to networking, although FreeBSD is slowly importing most of the OpenBSD code (they've got pf - a really nice packet filter - and OpenBSD's dhcpd already). If you're looking for something to put on a firewall, OpenBSD is what you want - pf is so much better than any alternative I've seen (miles ahead of iptables, which was clearly designed by someone on LSD, both for flexibility and ease of use).

FreeBSD has some nicer features on a desktop. The new scheduler, SCHED_ULE, is great for interactive processes - a compile job using 100% of the CPU has no effect on the responsiveness of the desktop, it's almost like being on an SMP machine (you need to enable it in a custom kernel in 6.0 - the default one is throughput, not latency, optimised). FreeBSD also has nVidia support in the form of binary drivers and DRI drivers for many other cards, OpenBSD does not yet. FreeBSD also supports some Windows WiFi card drivers through Project Evil.

Both FreeBSD and NetBSD have a more modern init system (init scripts contain requires and provides lines, allowing them to be run in the right order with as much parallelism as possible), while OpenBSD uses the simpler BSD init system.

Which you prefer will be a matter of personal perference. Do make sure you read the documentation. All of the BSDs have good man pages (although OpenBSD is ahead here by quite a margin), and the FreeBSD Handbook is also very good.

Re:Apple?

[drsmithy]

Indeed, even the KHTML part of Safari is GPLed.

KHTML is LGPLed (the one RMS doesn't really like). If it had been GPLed, Apple wouldn't have touched it with a barge pole.

Re:Apple?

[Mr2cents]

Thanks, I just salvaged a 40gig hdd, I'll give OpenBSD a try over the weekend..

(btw, Nice site you have.)

Re:Apple?

You know you can replace all of them (right down to init) with a static Busybox (built with uclib if you like) and till have a working system?

Re:Apple?

[iamacat]

They already do

How is this news?

[Paul+Bristow]

So called highly critical patch installed itself yesterday on my iBook.

For those of us who need it, Apple update takes care of it.

If there was an exploit that meant we should click on "Software Update" instead of waiting for it to cycle round, great but this is just Apple-bashing. Is this a microsofty going "look! other OS's have security updates too" while there are many many exploits in the wild for them?

    Anyway it's a day late. This is "internet time", if you can remember that far back :-)

Re:How is this news?

[frankie]

No, that doesn't cut it. Any time any major OS has a remote "arbitrary code execution" vulnerability (and privilege escalation too), that is by definition a critical problem. In this case, the haters are absolutely right: Mac users will probably get away unscathed because we aren't a big enough target for crackers to write a 0-day exploit. If more bad guys knew how to code for OSX, a lot of iMacs would be toast right now.

I'm definitely disappointed with Apple's dev team. They should have caught these things long ago.

Re:How is this news?

[jht]

Yes, it would be better if this (and other flaws) never occurred. The main point here, though, is that Apple typically does a pretty good job of finding and addressing these flaws when they occur, and in a timely fashion. Microsoft does so in many cases, but in others they sit on the problem long enough that there's an opportunity for crackers to find and exploit it.

So for the most part Apple's methods work well. Of course zero bugs is a good target, but prompt identification and dissemination of fixes is reasonable. It's also pretty tough to craft an exploit that will simply zap Mac users and then get to them before Apple has an opportunity to get the patch out.

One thing Apple should do, though, is make Software Update a bigger part of the Guided Tour, and set it to default to check daily and download critical fixes automatically (right now, it just notifies as default behavior, and checks weekly). I've noticed users who simply ignore Software Update's dialog boxes because they don't understand what it's doing.

Re:How is this news?

[prichardson]

Users don't ignore software update dialogues because they don't know what it's doing, they ignore them because they've been trained that they won't know what it's talking about. If they actually took a minute to READ the dialogue, I think all but the most naive and illiterate would find it pretty self-explanitory. The window is titled "Software Update," and that is the extent of the vocabulary required to know what's going on. The word update is a common english word, so everyone should be able to get it, and the word software is far from obscure computer vocabulary. Right below that is a text space that says in bold "New software is available for your computer." Finally, the words "Security Update" are in the name of the patch itself, which is visible and the user can click on it to get a more detailed description.

This is a not a difficult dialog box, and it's explained in the (very short) OS X manual. If a user can't figure this one out either they're illiterate or they just don't want to (much more likely). An absolute worst case scenario would be to ask someone else what it was. The explanation would take mere minutes.

Re:How is this news?

Of the three links in the summary, only the one to Secunia included the word "critical" - and that wasn't applied to any specifuc vulnerability, merely the whole update.

What you say is true; some of those vulns do include the execution of arbitrary code and potential privilege escalation - never a good thing. But some of the vulnerabilities (the Safari-saving-download-in-unexpected-location for example) are pretty trivial.

The Secunia summary errs on the side of inclusiveness - a good thing. For example, one of the Apache vulns listed is for Apache 2.x, which limits it to OS X Server, not client (at least for 10.3; don't know if the Client OS upgraded to 2.x in 10.4).

Could Apple's dev team had done better? Of course - that's always true. But at least 3 of the 13 (two for Apache 2.x, one for OpenSSL) are for packages not developed in-house. Whether they should have (1) caught these and (2) independently patched them before the actual maintainers of the code is an open question, I guess.

Your thinly disguised "security through obscurity" argument fails to account for timeliness of response from Apple. Did they sit on reports for six months? I don't know, but I doubt it. I doubt you know either. If Company X didn't patch a vuln that had been privately reported to them 4 months ago, and then someone nefarious discovered it independently and exploited it, would that count as "zero day" by your reckoning?

Re:How is this news?

[Toothpick]

this is just Apple-bashing. Is this a microsofty going "look! other OS's have security updates too"

Quite fiercely not. I'm just as anti-ms as the next /.er, having run OS/2 as of 1994, Linux since 1995, and Mac as of October of this year.

I just submitted the story; I left it up to the /. ops to determine whether it was newsworthy. I haven't even (fully) applied the patch. I've had a HandBrake job running and didn't want to interrupt it with a reboot.

Re:How is this news?

[Ilgaz]

You are fairly new to Apple community. The trick is, there should be no word about security in Mac community.

All systems run fine. All users are reviewing what they grant admin access, there were no finder exploit , intego like companies are "snake oil" sellers. :)

Re:How is this news?

i'd also argue that SU is put off because it pops up in the middle of whatever you're doing. i cant tell you how many times i've been interrupted in the middle of a task by SU telling me i need to get an ipod updater for an ipod i dont have. it popped up the other day to tell me about this security update, but i'm waiting till i can check macfixit. ive been burned before by installing updates from apple without doing my reading first.

maybe apple periodically breaking machines via SU is another detriment to SU?
e

Nothing to see here

[Yahweh+Doesn't+Exist]

I installed it yesterday, but decided to give Software Update a check anyway. for those of you with iPod shuffles, there's a new iPod updater with some bug fixes.

Full disclosure please

For the protection of our customers, Apple does not disclose, discuss, or confirm security issues until a full investigation has occurred and any necessary patches or releases are available.

That isn't responsible when the security updates are patches that users of non-proprietry OS's applied upto 1.5 months ago (OpenSSL).

Re:Full disclosure please

[aristotle-dude]

I'm sorry but that is a strawman argument. Most of those security flaws (not counting Safari) are for programs which the average desktop user would not enable. The server specific flaws are indeed a flaw but you would expect that any business would have performed a security audit and ensured that they had proper "hardware" firewall protections in place to prevent unauthorized access by external hots.

Perfect example

[MyOtherUIDis3digits]

All OS's are going to have their vulnerabilities. Without even looking at number and severity of them, look at the typical response. Apple finds what they also may consider "highly critical" issues (although relatively not), and they are all over it. Someone finds an issue in Linux, and coders all over the world are all over it. Microsoft finds a critical flaw (or more likely is told about it) and it's, "Bah, minor DDoS issue. Nothing to worry about." And we've recently seen how that ended up.

I'm not trying to be flamebait, but c'mon. How low can "Good enough" get?

MOD PARENT UP

n/t

Re:One problem

[vertinox]

nstalled yesterday. No problems so far

I installed updates on a 10.3.9 and a 10.4 machine and it appeared fine til I noticed I can't share files anymore between the two machines. Might be a configuration change though.

Highly Critical? Huh?

[Erik+K.+Veland]

Huh? What the fuck are you talking about? Highly critical? Why didn't my highly vulnerable mac get attacked for the last five years?

Re:Highly Critical? Huh?

Highly critical? Why didn't my highly vulnerable mac get attacked for the last five years?

You don't understand the Windows vs. Professional OS sequence for vulnerabilities:

Professional OS:
-Vulnerability found by white hat security world
-OS Vendor informed
-OS Vendor works on patch that both fixes vulnerability and doesn't make things worse
-Vendor tests patch thoroughly
-Vendor releases patch; world as a whole, including script kiddies, first hear about vulnerability
-Users, trusting vendor's track record, install patch (see "doesn't make things worse" above)
-Any exploit is too little, too late.

Microsoft:
-Vulnerability found
-Microsoft informed
-Nature of vulnerability leaks out to world as a whole
-Microsoft shoves thumb up bum, waits 6 months
-Exploit released
-Microsoft shoves second thumb up bum, wonders about apparent discomfort
-Microsoft eventually releases patch, may or may not make things better or worse
-Frustrated people buy Macintoshes

Simple, isn't it?

Re:Highly Critical? Huh?

[plj]

-Frustrated people buy Macintoshes

Huh? Given Microsoft's security record this should mean that Apple's share of PC market is at least 70%...

Re:Highly Critical? Huh?

[argent]

Given Microsoft's security record this should mean that Apple's share of PC market is at least 70%...

If most people were as easily frustrated and as aware of why they should be frustrated and care about security as you and I are, it would be. But it's amazing how much crap people are willing to accept as a normal cost of using computers.

I find myself regularly watching people put up with horribly broken systems and, after I fix the problem (because I can't even stand watching someone suffer), they're shocked. They didn't even realise the problem was a problem that could be fixed, they just EXPECTED it.

And security?

After having a contractor who is technically very good, and has been working in this business longer than me, stand there and argue why he should be an exception to my "No Outlook" policy WHILE I'M CLEANING OUT HIS COMPUTER THAT WAS INFECTED THROUGH AN OUTLOOK HOLE... I reckon that there's some fundamental difference between "average computer users" (no matter how skilled) and people like myself myself that goes far beyond experience and training and into some kind of "Zen" thing... I don't know.

Re:Highly Critical? Huh?

-Nature of vulnerability leaks out to world as a whole

Just curious...in your sequence, who leaks the vulnerability? Microsoft employees? Or white hats gone bad?

Re:Highly Critical? Huh?

[iamacat]

After having a contractor who is technically very good, and has been working in this business longer than me, stand there and argue why he should be an exception to my "No Outlook" policy WHILE I'M CLEANING OUT HIS COMPUTER THAT WAS INFECTED THROUGH AN OUTLOOK HOLE... I reckon that there's some fundamental difference between "average computer users" (no matter how skilled) and people like myself myself that goes far beyond experience and training and into some kind of "Zen" thing... I don't know.

There is nothing worse than a sysadmin who forgets his place. I personally prefer Thunderbird or Opera, but I understand from other people that it's not nearly enough for serious business users. Install the latest, fully patched version of Outlook, educate users, run virus filters on your mail server and let your users do their jobs while you do yours. In the worst case, you can setup that guy with a Mac Mini running Mail.app or Entourage.

Re:Highly Critical? Huh?

[argent]

There is nothing worse than a sysadmin who forgets his place.

I agree, more on that later...

I personally prefer Thunderbird or Opera, but I understand from other people that it's not nearly enough for serious business users.

I'm sorry, but "I understand from other people" doesn't cut it. Also, a system administrator's place is implementing and where appropriate guiding business policy, not simply doing what "I understand from other people" is the best solution.

I had to make a business case for this ban. I had to compare the features of Outlook with the alternatives, the costs, and convince my CEO that this was a good idea. I didn't just sit down and say "we're not going to use Outlook".

I got the ban approved and moved the few people using Outlook and the MANY people using Internet Explorer over to Netscape Mail, Eudora, and other applications. Shortly afterwards the first of the big email worms that exploited the active content hole hit. EVERY OTHER DIVISION OF THE COMPANY came to a standstill while they battled these worms, even the ones with clueful admins and excellent antivirus policies. All we saw was an increase in junk mail from the infected messages, particularly from other parts of the company.

These events were repeated over and over again. I implemented tools on our own webserver to fill in the gaps, and we just crusied along virus-free until the Head System Administrator forcibly integrated the networks and put us in the same mail and security domain... against the wishes of our division's CEO. That week the company got hit with another worm and that was the first time in six years that we had to stop everything and deal with a network meltdown. And that experience has been repeated over and over again.

Oh, and my users begged me to find a way to let them keep using Thunderbird, Mozilla, Eudora, or even "elm" instead of putting up with the centralized virus-checked super-functional "I understand from other people" is the leading corporate mail system. Because they much preferred something that worked to all the bells and whistles.

So don't get on my case about the place of a system administrator, bucko. The place of a system administrator is to make his users effective and the network and computer environment as transparent as possible. That doesn't necessarily mean letting them do whatever they want to, and "I understand from other people" isn't going to convince me... but you're welcome to talk to my boss about it.

Re:Highly Critical? Huh?

[the_humeister]

Because you're not important enough... yet

Re:Highly Critical? Huh?

[iamacat]

I guess it sucks to be you. We have a virus/suspicious attachment filter on the server, Norton Antivirus on standard base image and latest Windows updates. However, 99% of users use Outlook. Outlook Express or IE. Very occasionally, a bugger sneaks in and pollutes a corporate mailing list with a couple of junk messages, but it's not a problem that in any way affects our productivity.

If you are a system administrator, your e-mail/calendar/web access needs are drastically different from your users, so "understand from other people" is a necessity. You are doing a horrible job if 95% of users are happy and virus free, but 5% can not get their work done because they are unable to access an IE-only website or don't have access to a distributed calendar, to do lists and other collaboration tools. Those people have some function in the company and could very well bring it to standstill. If you want, install Firefox and Thunderbird by default, make IE and Outlook available for people who need the features and prepare countermeasures to deal with worms.

Re:Highly Critical? Huh?

[argent]

You are doing a horrible job if 95% of users are happy and virus free, but 5% can not get their work done because they are unable to access an IE-only website or don't have access to a distributed calendar, to do lists and other collaboration tools.

I'm sorry, but it's just not true that 5% or 1% or any% of users actually need Outlook more than everyone else, and you can just give Outlook to those and keep everyone else on whatever mail interface they want. To make these things useful you need everyone to be using them. For example, a distributed calendar that only 5% of the people used would be pointless. The calendar that I implemented in scripts works for 100% of the users on any browser, and scales up very nicely thank you. The same is true of the other web-based tools I implemented or purchased. It's only old-school legacy software like Exchange that forces you to use mail as the transport and interface for web services, because they evolved from software designed for primitive networks that pretty much only did email.

Anyway, it sounds like you're arguing that I should force the 95% of the people who don't want Outlook to put up with it instead of the mail software of their choice, for the sake of some tiny subset of that 5% who are somehow magically incapable of using a web browser for calendering. How is THAT more responsive to user's needs?

And there certainly aren't 5% of websites that require IE. And despite actively seeking out users and polling them for sites they have trouble with I've found precisely zero business-related sites outside the New Corporate Intranet that require it. Virtually all the IE-only sites are games or movie traler/video clip sites, and if your users have a business related reason to play Luminous or Diamond Drop or whatever I want to work there.

Re:Highly Critical? Huh?

[iamacat]

For example, a distributed calendar that only 5% of the people used would be pointless. The calendar that I implemented in scripts works for 100% of the users on any browser, and scales up very nicely thank you.

I am glad that your PHP calendar works so well on PDAs, cell phones and notebooks without network connectivity. But other companies where executives do travel and make appointments on the go might ask non-Outlook users to use web interface for calendar. I assume you know that Exchange is not the only choice of server here.

And there certainly aren't 5% of websites that require IE.

MSDN, Windows Update, American Express... In addition, how does your company get customers outside slashdot if your own web designers are not testing their stuff with IE?

Re:Highly Critical? Huh?

[argent]

There are roughly forty zillion applications for loading appointments into Palm Desktop, and we use those. Notebooks without network connectivity are pretty much useless for so many other reasons that it doesn't much matter that they need it for appointments.

MSDN and Windows Update are special cases, and you know that... and Windows Update runs the HTML control for its access even if you pick another default browser, so that's a non-issue.

In addition, how does your company get customers outside slashdot if your own web designers are not testing their stuff with IE?

Man, every damn message you've posted is full of all kinds of bad assumptions.

I'm in the real-time control systems business. Bugs in our software can kill people quicker than you can say "high voltage". Our customer's systems, you should be glad to know, don't even have internet access by policy, and are not only behind the corporate firewall they have their own firewall protecting them from the untrusted corporate network, and even then they're careful what protocols they run between systems.

Re:Problem solved

[vertinox]

Apparently the Apple File Sharing had become unchecked after the patch and by rechecking it and rebooting both machines it resolved the issue (oddly enough it wouldn't resolve the issue til they were rebooted)

What a shock?

[plazman30]

OS X has bugs and security vulnerabilities???? No way!

Actually, I am a HUGE Apple fan. They are pretty timely with their updates. They don't let an exploit linger for long. Neither do most Linux distros.

I tend to wonder though, when it comes to MS Patching stuff like IE, does Microsoft delay because the fix breaks too manyu things? MS has said before that IE can't be fully standards compliant because it would break too many intranets.

Re:What a shock?

[kmo]

does Microsoft delay because the fix breaks too manyu things

The reason Microsoft patches to IE take so long is that their quality control is so good. They view every web page on the internet with each new version of IE before releasing it. Of course, by they time they do, some of those pages have changed such that they break, but Microsoft isn't responsible for that.

There's vulnerablity in MacOS X...

[ElitistWhiner]

Safari is crashing repeatedly, and reproducibly on a PB. I've been pumping Apple reports for two weeks on their crash catcher. Another iBook running Safari is unaffected, running a lower ver of MacOS X.

Take the update at face value, friends.

Re:There's vulnerablity in MacOS X...

[Squozen]

Working fine here on two PowerBooks. Sure you're not running a Safari plugin like Saft or PithHelmet?

Don't worry Apple...

[frostilicus2]

...Pobody's Nerfect

The interesting commentary

[Budenny]

The interesting commentary is to be found on the Security Focus site.

http://www.securityfocus.com/news/11359

Look at the numbers. Whoever would have thought that the numbers for MS and Apple would have got this close? Complacency is their, and their users, greatest danger right now. You can see it in most of this thread. Time to wake up.

Re:The interesting commentary

[Morgalyn]

SecurityFocus is apparently owned by Symantec, so I'm unsure just how much salt you might want to throw on that article. I'm guessing at least a grain or two.

Re:The interesting commentary

[falcon5768]

the question truely isnt "vulnerablilitys" but patched ones. A great deal more Apple ones have been patched why the windows ones are still open. I could see OSX, Linux, Unix, and Win all haveing the same amount of vulnerabilitys, but only the first three go through the effort to patch them as soon as they are announced.

Re:The interesting commentary

[99BottlesOfBeerInMyF]

Look at the numbers. Whoever would have thought that the numbers for MS and Apple would have got this close?

Counting the number of bugfixes released is no measure a a system's security. The number of remote vulnerabilities on a default install of the OS, the ease of exploiting those vulnerabilities, the number of local exploits, and the likelihood of an exploit happening are all factors. Additionally, predictive criteria, like past performance and the exposure and design of the architecture may be useful. If you look at Windows it has innumerable unpatched local vulnerabilities and working exploits that have existed for many years. They don't even bother fixing them most of the time. OS X on the other hand has a handful of potential local priviledge escalations vulnerabilities, that are fixed in a timely manner, and with one or two proof of concept exploits (none unpatched). Windows has a number of long running remote vulnerabilities and they crop up every month. Exploits for these vulnerabilities occasionally appear before a fix is available for the vulnerability, and regularly appear before administrators have time to thoroughly test those fixes (which is very necessary due to the kludgy Windows architecture and their history of catastrophically broken patches). On OS X I am unaware of any remote vulnerability with a published exploit that preceded the fix for that vulnerability.

The ease of exploitation of vulnerabilities on Windows is much higher due to the lack of a usable non-admin environment, non-network services that run exposed on the network, default settings that run unneeded services, auto execution of scripts and executables within default and unremovable applications, ease of concealing the nature of an executable in the GUI, integration of web browsing and file browsing code, lack of packaging for executables, shared registry, and larger install base for automated propagation. OS X is by no means perfect and experiences regular security flaws. Much of the security auditing that is done, is a side benefit of the open source user environment components OS X shares with other UNIX-like systems. I'd be much happier if Apple did some more thorough security testing of their products. That said, to make the argument that the security of OS X is approaching the same level of complete cluster-fuckedness that is Windows based solely on counting the number of vulnerabilities patched by the respective vendors is ludicrous.

Troll?

Damn, are you really such a thin-skinned fanboy that any criticism of Apple inherently reflects on your penis size? I've been a Mac evangelist for the past 17 years (and a ][ user before that) but when they screw up I call them on it.

Re:Troll?

I have to agree. I modded up several posts that were reasonable yet critical (or both Apple and open source). They're all labeled Troll or Flamebait now. The groupthink is out of control.

Re:Troll?

Posts critical of open source ARE INHERENTLY flaimbait or troll posts.

Sorry, Micro$oft fanboi.

Two things...

[Space+cowboy]

1) Securityfocus is owned by a company with a vested interest in selling anti-virus software to Mac (and PC) users. It does serve a useful purpose, but when the points made are so vague, I consider it more advertising than service.

Say I wanted to market X, and say that I'm a sneaky and underhand individual. I might purchase or support a website dedicated either to X or anti-X and have *some* articles on it that suit my purpose. I wouldn't undermine the integrity of the site (well, much), but I would use it as an authoratitive mouthpiece that mouthed off about *my* preferred direction.

So, ok I'm a cynic, but so far my cynicism has been proved right depressingly often. Sigh.

2) "Looking at the numbers" is no useful guide to pretty much anything to do with security. The phrase works when the numbers themselves are the pertinent facts (eg: a bank-balance sheet). "Humans are obviously not the dominant species on the planet - there are millions more houseflys. Look at the numbers".

The point is that one dose of cancer can kill you, but you may survive fifty or more infections of the common cold without significant harm. The numbers don't tell you the relative importance of the problem, and indeed may just reflect different counting methods or diligence in detection.

Simon.

Re:Two things...

[woolio]

Microsoft is not the answer. Microsoft is the question. NO is the answer.

Insightful sig!

Microsoft is the question... the question that has been driving us..........insane.

These are serious.. but kudos for fixing them.

[dreamer-of-rules]

My brother recently switched to Apple.. We were IM'ing about this update and he said..

"one thing i looove about this thing is that i'm never afraid to update like in windows. i'm not scared that it will be worse off"

Trust is important. How many people haven't updated Windows to SP2 still??

Re:These are serious.. but kudos for fixing them.

[javaxman]

How many people haven't updated Windows to SP2 still??

Forget SP2, how many haven't updated to XP ??

Re:These are serious.. but kudos for fixing them.

[mmkkbb]

notice that you didn't say "upgrade"

Re:These are serious.. but kudos for fixing them.

[Smack]

This is ignorant. Apple has released updates that break stuff, including some that were even withdrawn after release.

Re:These are serious.. but kudos for fixing them.

[dreamer-of-rules]

Nearly all security-related Windows and Mac updates are just fine.

If the trust in Apple is just "ignorant", it's still has a great result. Most non-geek Mac users I know do regular updates. Most non-geek Windows users I know, don't.

Re:These are serious.. but kudos for fixing them.

[argent]

I have no plans to update to XP until I'm actually required to by software that doesn't work on 2000.

A more complex system with boobytraps deliberately hidden in the kernel and dubious anti-virus enhancements that actually make cleaning up malware harder? Yeh, I've gotta get me some of that. Plus, 2000 ships with a version of Windows Media Player old enough that it doesn't have its DRM tentacles coiled around the kernel's balls.

I'm also going to be staying clear of the new Intel-based Macs until I'm reasonably confident they don't have boobytraps or effective "strong DRM" support. Not because I want to pirate software or rip protected CDs, but because that stuff's toxic.

Re:These are serious.. but kudos for fixing them.

[adpowers]

Yeah, I'm worried about that with the Intel Macs as well. I don't want my ability to break the iTMS DRM removed because I would like to be able to 'protect my investment'.

Andrew

PS: I love the last sentence of your second paragraph.

Re:These are serious.. but kudos for fixing them.

[aristotle-dude]

How many people haven't updated Windows to SP2 still??

Probably a lot of business have not. We have not rolled out SP2 at work yet and probably never will. We rely on exterprise level security tools rather than the crap MSFT provides in SP2 and the former is less likely to break the software we use.

Re:These are serious.. but kudos for fixing them.

[argent]

I don't even want to break the iTMS DRM. I burn audio CDs as my backup.

I just don't want the REST of the baggage that would have to come along with any kind of effective DRM, which REALLY imply a closed source kernel and legal and technical restrictions on even necessary reverse engineering.

Re:These are serious.. but kudos for fixing them.

[Gr8Apes]

Some of us long ago because our game machines required it and our company's license allowed us to (MS had some really wierd licenses way back when).

In any case - the first thing I do with any Windows machine is strip out all the stupid unnecessary services, including Windows Update. That thing is the most moronic thing I've ever seen. Half the time, after rebooting, some piece of software no longer works at all, or, better yet, you'll start doing a checkdisk on startup and start seeing "lost cluster found" messages scrolling across your screen. While entertaining, it certainly isn't after it completes and you get another reboot and a message like "hal.dll missing or corrupt" or "ntloader.dll missing or corrupt".

So after all this, you can imagine my trepidation when I finally installed my 10 month old copy of Half Life 2 last weekend, I had to update DirectX and my video drivers before being able to start HL2. Those were the first updates done in over a year. Fortunately it still runs. :)

Re:These are serious.. but kudos for fixing them.

[Scudsucker]

Some of us long ago because our game machines required it

What did you need to run that had to have XP rather than Win2k?

Re:These are serious.. but kudos for fixing them.

[Gr8Apes]

Win 2K didn't support the version of DirectX required by whatever game it was back then, either Half Life or Quake III, or perhaps Dungeon Siege, I don't recall. It could have been any number of other games. Oh, and I had Win2K Pro or Server, I don't recall which of those either. I've since moved to Debian/RH/Fedora and OSX, depending upon the need.

If games only came in Mac versions as well at the same time. :)

Re:These are serious.. but kudos for fixing them.

[Scudsucker]

Eh? I thought they had just one DirectX package for both 2k and XP...sure the developer wasn't wacked in the head?

Re:These are serious.. but kudos for fixing them.

[Gr8Apes]

When the original DirectX packages came out, MS wanted to migrate people to XP, so they initially did not support 2K. Later on, that changed. But you also have to recall at the time that XP did not sell at all, and was a huge flop for the first year plus.

Whoosh?

[BeerCat]

I think you need to remember your tags next time, otherwise everyone just takes your post at face value.

IE has bigger problems than that...

[argent]

Internet Explorer can't be secured because it would require changing the API. I expected them to do that back in 1997, when it became obvious that backing out the tight integration between the desktop, the browser, and the ActiveX API was the only way to fix the real problem. Obviously I'm naive... having seven (no, eight now) years of spyware and viruses is preferable to abandoning their 'loophole' in the consent decree.

But if they're prepared to stonewall on deep security flaws, why do you expect them to pay attention to compliance with standards that they don't need to comply with because everyone has to support them anyway?

Microsoft vs Apple

[argent]

Microsoft: the latest security hole in the HTML control is a buffer overflow in Javascript. They've known about it for months. Nothing happens until a sample exploit is released.

Apple: the latest security hole in Webkit is a buffer overflow in URLs. The first anyone hears of it is a patch through Software Update.

my take

[mkoz]

While comparing these things is difficult at best, try (for example) Secunia's relevant product pages:

Advisories (2003-2005) OSX 57 & XP Pro 102

As for vendor patches Apple is at 100%... not bad.

(XP Professional) http://secunia.com/product/22/
and...
(Mac OS X) http://secunia.com/product/96/

Is any system perfect... no (even OpenBSD admits to 1 hole in 8 years), but Apple does make it as painless as possible.

Re:Highly Critical? Huh? -- Explained

[commodoresloat]

You just don't understand what they mean by critical. I installed this patch and it immediately started complaining about all the junk on my desktop. Then it started berating me for my lack of sensible folder organization. It criticized my choice of web browsers. I turned on iTunes to drown it out and it started giving me a hard time about my musical choices. By the time it started in on my clothes I was sick of it, so I uninstalled the patch. I'll take the data insecurity so as not to put up with the emotional insecurity, but YMMV.

Works OK, now about my Nano

[ursabear]

The patch caused no issues for me on any of our four Macs. I'm pleased that (most of the time) Apple patches fairly fast and in high quality.

Now, if they can just make an iPod Nano that doesn't scratch because you breathe on it...

so what

[tezbobobo]

Mostly only apple people read apple.slashdot. We're already all patched up, days before this item came to print. There are no worm, trojans, virii, or etcetera. In short, this isn't news. If this were microsoft it would be news. Because it is Apple, this is not news. As it is only Apple people who read apple.slashdot this shouldn't be taken as a flame: This article on slashdot, and the time of oue lives we wasted reading this is evidence of our superiority. We are superior in our decision making process. We are superior in recognising quality. I would even hazard a guess that, due to the efficiency of our time spent on computers, we are better looking (more leisure time for sport, sunshine, and etcetera). In short - nothing to see here - feel good.

Credit where it's due

[gryf]

What I like is that Apple is providing public credit for institutions that are pointing out these flaws. Kudos for Apple for this, and double kudos for the third-parties who are assisting the public as a whole.

All eggs in one basket = foolish boy

[Zhe+Mappel]

For those of us who need it, Apple update takes care of it.

If there was an exploit that meant we should click on "Software Update" instead of waiting for it to cycle round, great but this is just Apple-bashing. Is this a microsofty going "look! other OS's have security updates too" while there are many many exploits in the wild for them?

Save that corporate brand wars stuff for someone who cares.

This is about security. People need to be informed; it's how disasters are prevented.

And FYI: not everyone has Software Update turned on. Know why? Because even Apple has been known to issue patches that break things.

How long did apple wait?

[woolio]

Is apple normally slow with updates?

The SUDO flaw was discovered in June 2005 and a patch was released subsequently after...

So 6 months later, Apple decicdes to update their OS? WTF!?!?!

http://www.securityfocus.com/archive/1/402741

It already did

[scruffyMark]

Seriously - look at the detailed description, follow the links to the CVE entries. These are old, old vulnerabilities. I think the oldest one in there is about five or six months old.

I love Apple's products, I use Macs myself, but they really have to get their act together on security patching.

And there have been proof of concept exploits for some of these vulnerabilities published quite a while ago.