Slashdot Mirror

← Back to Stories (view on slashdot.org)

Apple Patch Released, But Is It Enough?

Posted by ryuzaki0 on from the conflicting-viewpoints dept.

entenman writes "Apple Computer's security update train rumbled into the station with fixes for a whopping 43 Mac OS X and QuickTime vulnerabilities. The Security Update patches 31 flaws in the Mac OS X, most of them serious enough to cause 'arbitrary code execution attacks.'" Unfortunately, InfoWorldMike writes "InfoWorld.com reports that Independent researcher Tom Ferris said there were still holes in Safari, QuickTime, and iTunes that he reported to Apple but were not patched in the latest release on Thursday. Ferris told InfoWorld he is considering releasing the details of the unpatched holes on May 14 on his Web site. He also says he has found new holes in OS X affecting TIFF format files and BOMArchiver, an application used to compress files. He did not provide details about the flaws or proof of their existence."

3 of 338 comments (clear)

  1. Re:What purpose? by lancejjj · · Score: 5, Informative

    Purpose? Easy... he makes money by promoting himself.

    If you check out his web site, it seems that he's trying to maximize advertising revenue. Not only does he have many ads, he also has many Amazon referal links. In addition, he is directly selling advertising:

    From his website:

    Want to advertise on the Security-Protocols website?

    Below are our rates:
    Banner Advertising:
    10,000 impressions = $75
    20,000 impressions = $135
    30,000 impressions = $180

  2. Re:Stupidity by Have+Blue · · Score: 4, Informative

    The truth is the Intel processor is a lot more prone to buffer overflow attacks

    Bullshit. Buffer overflows are a software problem and have nothing to do with the CPU. The PowerPC would have been just as vulnerable, when running identical code.

    And building your own PC teaches you absolutely nothing about discovering vulnerabilities.

  3. Re:Stupidity by LO0G · · Score: 3, Informative

    There are processor architectures that make stack overflows orders of magnitude harder. For instance, processors with a grow down stack architecture are way easier to exploit than processors with a grow up stack architecture (grow down means that a forward memory copy can overwrite the return address thus enabling the attacker to control the return address, that's a classic buffer overflow).

    There are other processor features that make stack overflows harder, NX being a classic example (also mentioned above). The processors calling convention can also help - if your processor operates with three stacks, one for parameters, one for local data, the third for data flow, it renders the return stack immune from overflow of local data buffers, and mitigates the damage that can be caused by an overflow.

    So yes, buffer overflows are a software problem. But the damage that they can cause is strictly a processor architecture issue.