Slashdot Mirror

← Back to Stories (view on slashdot.org)

Apple Releases 'Highly Critical' Patch

Posted by Zonk on from the fill-your-bites-back-in dept.

Toothpick writes "Apple Insider reports that a new security update is available for download from Apple. This addresses issues identified in sudo, Safari, and OpenSSL among others. The gory details are, predictably, available on the Apple Info site." Commentary from ZDNet is also available.

14 of 96 comments (clear)

  1. This could wait a few months, right? by Golias · · Score: 4, Funny
    Why can't Apple just patch their...

    ... oh, they did? Before there were any exploits in the wild?

    Never mind.
    --

    Information wants to be anthropomorphized.

  2. How is this news? by Paul+Bristow · · Score: 5, Insightful

    So called highly critical patch installed itself yesterday on my iBook.

    For those of us who need it, Apple update takes care of it.

    If there was an exploit that meant we should click on "Software Update" instead of waiting for it to cycle round, great but this is just Apple-bashing. Is this a microsofty going "look! other OS's have security updates too" while there are many many exploits in the wild for them?

        Anyway it's a day late. This is "internet time", if you can remember that far back :-)

    --
    - Paul
    1. Re:How is this news? by jht · · Score: 4, Insightful

      Yes, it would be better if this (and other flaws) never occurred. The main point here, though, is that Apple typically does a pretty good job of finding and addressing these flaws when they occur, and in a timely fashion. Microsoft does so in many cases, but in others they sit on the problem long enough that there's an opportunity for crackers to find and exploit it.

      So for the most part Apple's methods work well. Of course zero bugs is a good target, but prompt identification and dissemination of fixes is reasonable. It's also pretty tough to craft an exploit that will simply zap Mac users and then get to them before Apple has an opportunity to get the patch out.

      One thing Apple should do, though, is make Software Update a bigger part of the Guided Tour, and set it to default to check daily and download critical fixes automatically (right now, it just notifies as default behavior, and checks weekly). I've noticed users who simply ignore Software Update's dialog boxes because they don't understand what it's doing.

      --
      -- Josh Turiel
      "2. Do not eat iPod Shuffle."
    2. Re:How is this news? by prichardson · · Score: 4, Insightful

      Users don't ignore software update dialogues because they don't know what it's doing, they ignore them because they've been trained that they won't know what it's talking about. If they actually took a minute to READ the dialogue, I think all but the most naive and illiterate would find it pretty self-explanitory. The window is titled "Software Update," and that is the extent of the vocabulary required to know what's going on. The word update is a common english word, so everyone should be able to get it, and the word software is far from obscure computer vocabulary. Right below that is a text space that says in bold "New software is available for your computer." Finally, the words "Security Update" are in the name of the patch itself, which is visible and the user can click on it to get a more detailed description.

      This is a not a difficult dialog box, and it's explained in the (very short) OS X manual. If a user can't figure this one out either they're illiterate or they just don't want to (much more likely). An absolute worst case scenario would be to ask someone else what it was. The explanation would take mere minutes.

      --
      Help I'm a rock.
  3. Re:Apple? by jtshaw · · Score: 4, Funny

    Apple includes the BSD userland utilities, and while it does include some GPL'd software it does not require any to run properly. However, I believe we should petition them to starting calling it the "Mach based Darwin/BSD/Mac OS X featuring OSS Software by GNU, Apache, Postfix, Samba, ect."

  4. Re:helpful list of Apple's recent security updates by Anonymous Coward · · Score: 5, Informative

    Ummmmmm... when did Apple change their domain to "get.sent.to" ? Don't support someone with clickthrough advertising, just go directly to http://www.apple.com/support/downloads/

  5. Re:Highly Critical? Huh? by Anonymous Coward · · Score: 5, Funny
    Highly critical? Why didn't my highly vulnerable mac get attacked for the last five years?

    You don't understand the Windows vs. Professional OS sequence for vulnerabilities:

    Professional OS:
    -Vulnerability found by white hat security world
    -OS Vendor informed
    -OS Vendor works on patch that both fixes vulnerability and doesn't make things worse
    -Vendor tests patch thoroughly
    -Vendor releases patch; world as a whole, including script kiddies, first hear about vulnerability
    -Users, trusting vendor's track record, install patch (see "doesn't make things worse" above)
    -Any exploit is too little, too late.

    Microsoft:
    -Vulnerability found
    -Microsoft informed
    -Nature of vulnerability leaks out to world as a whole
    -Microsoft shoves thumb up bum, waits 6 months
    -Exploit released
    -Microsoft shoves second thumb up bum, wonders about apparent discomfort
    -Microsoft eventually releases patch, may or may not make things better or worse
    -Frustrated people buy Macintoshes

    Simple, isn't it?

  6. Re:Apple? by TheRaven64 · · Score: 4, Interesting
    The GNU/ does refer to the GNU userland. The BSDs have their own userland, although they tend to use the the GNU Compiler Collection. The rest of the toolchain (make, loader, etc) are all non-GNU, as is the shell and the standard collection of POSIX utilities. It is common for BSDs to include GCC, GDB and GROFF, but very little other GNU software. In contrast a common Linux distro uses the GNU versions of ps, top, etc, a GNU shell (bash) and a whole raft of other GNU utils - if you removed them, then you would have an unusable system, which is why RMS requests people say GNU/Linux.

    By the way, both sudo and OpenSSL are OpenBSD spin-offs and nothing at all to do with the GNU project.

    --
    I am TheRaven on Soylent News
  7. Re:The interesting commentary by Morgalyn · · Score: 4, Insightful

    SecurityFocus is apparently owned by Symantec, so I'm unsure just how much salt you might want to throw on that article. I'm guessing at least a grain or two.

    --
    You say you got a real solution
    Well, you know
    We'd all love to see the plan
    (The Beatles)
  8. Two things... by Space+cowboy · · Score: 4, Insightful

    1) Securityfocus is owned by a company with a vested interest in selling anti-virus software to Mac (and PC) users. It does serve a useful purpose, but when the points made are so vague, I consider it more advertising than service.

    Say I wanted to market X, and say that I'm a sneaky and underhand individual. I might purchase or support a website dedicated either to X or anti-X and have *some* articles on it that suit my purpose. I wouldn't undermine the integrity of the site (well, much), but I would use it as an authoratitive mouthpiece that mouthed off about *my* preferred direction.

    So, ok I'm a cynic, but so far my cynicism has been proved right depressingly often. Sigh.

    2) "Looking at the numbers" is no useful guide to pretty much anything to do with security. The phrase works when the numbers themselves are the pertinent facts (eg: a bank-balance sheet). "Humans are obviously not the dominant species on the planet - there are millions more houseflys. Look at the numbers".

    The point is that one dose of cancer can kill you, but you may survive fifty or more infections of the common cold without significant harm. The numbers don't tell you the relative importance of the problem, and indeed may just reflect different counting methods or diligence in detection.

    Simon.

    --
    Physicists get Hadrons!
  9. These are serious.. but kudos for fixing them. by dreamer-of-rules · · Score: 5, Interesting

    My brother recently switched to Apple.. We were IM'ing about this update and he said..

    "one thing i looove about this thing is that i'm never afraid to update like in windows. i'm not scared that it will be worse off"

    Trust is important. How many people haven't updated Windows to SP2 still??

    --
    Everyone is entitled to his own opinions, but not his own facts.
    1. Re:These are serious.. but kudos for fixing them. by argent · · Score: 4, Insightful

      I have no plans to update to XP until I'm actually required to by software that doesn't work on 2000.

      A more complex system with boobytraps deliberately hidden in the kernel and dubious anti-virus enhancements that actually make cleaning up malware harder? Yeh, I've gotta get me some of that. Plus, 2000 ships with a version of Windows Media Player old enough that it doesn't have its DRM tentacles coiled around the kernel's balls.

      I'm also going to be staying clear of the new Intel-based Macs until I'm reasonably confident they don't have boobytraps or effective "strong DRM" support. Not because I want to pirate software or rip protected CDs, but because that stuff's toxic.

  10. Microsoft vs Apple by argent · · Score: 4, Insightful

    Microsoft: the latest security hole in the HTML control is a buffer overflow in Javascript. They've known about it for months. Nothing happens until a sample exploit is released.

    Apple: the latest security hole in Webkit is a buffer overflow in URLs. The first anyone hears of it is a patch through Software Update.

  11. Re:Highly Critical? Huh? -- Explained by commodoresloat · · Score: 5, Funny

    You just don't understand what they mean by critical. I installed this patch and it immediately started complaining about all the junk on my desktop. Then it started berating me for my lack of sensible folder organization. It criticized my choice of web browsers. I turned on iTunes to drown it out and it started giving me a hard time about my musical choices. By the time it started in on my clothes I was sick of it, so I uninstalled the patch. I'll take the data insecurity so as not to put up with the emotional insecurity, but YMMV.