Slashdot Mirror


Apple Patch Released, But Is It Enough?

entenman writes "Apple Computer's security update train rumbled into the station with fixes for a whopping 43 Mac OS X and QuickTime vulnerabilities. The Security Update patches 31 flaws in Mac OS X, most of them serious enough to cause 'arbitrary code execution attacks.'" Unfortunately, InfoWorldMike writes "InfoWorld.com reports that independent researcher Tom Ferris said there were still holes in Safari, QuickTime, and iTunes that he reported to Apple but were not patched in the latest release on Thursday. Ferris told InfoWorld he is considering releasing the details of the unpatched holes on May 14 on his Web site. He also says he has found new holes in OS X affecting TIFF format files and BOMArchiver, an application used to compress files. He did not provide details about the flaws or proof of their existence."

10 of 338 comments

  1. Stupidity by Phroggy · · Score: 5, Insightful

    and there is debate about whether Apple's shift to the same Intel architecture used by Microsoft Windows will change the security posture of Mac systems.

    Let's settle this debate.

    No.

    Changing CPU architectures will have absolutely no effect on security.

    Switching to Intel will make it easier for game developers to port their code, which will lead to more games available for the Mac. This, combined with the ability to dual-boot to Windows and eventually the ability to run Windows apps through virtualization, makes the Mac platform more appealing to consumers, which will probably lead to an increase in Apple's market share. This could lead to more malware creators taking an interest in the Mac platform, which would lead to more security holes in Mac OS X being exploited (which is not the same as more security holes existing).

    --
    $x='S24;r)>63/* h@<5+oZ)32"5cz';$me='phroggy'x$];
    $x=~y+ -xz+\0-Tx+;print$_^chop$me for split'',$x;
    1. Re:Stupidity by Anonymous Coward · · Score: 5, Insightful

      I think you underestimate the importance of assembly language when coding exploits. There are plenty of crackers out there who know x86 ASM. There are *far* fewer who know PPC ASM.

      You have to make the initial exploit to get "in." Once you are in you can use most standard unix libraries to do whatever you want. The hard part with PPC was finding someone who knew how to code the initial exploit and the carefully crafted shellcode (with no null bytes, etc.). With Mac moving to Intel this part is MUCH easier for the people who know x86 ASM.

    2. Re:Stupidity by CODiNE · · Score: 5, Insightful

      You mentioned avoiding null bytes, I seem to recall reading that on PPC that's much harder to pull off because many RISC ops tend to have a byte of null padding that smaller CISC ops don't need. So besides having to learn a new asm, it's also much harder to exploit... PPC did have a real advantage here.

      --
      Cwm, fjord-bank glyphs vext quiz
    3. Re:Stupidity by ImaNihilist · · Score: 5, Funny

      And building your own PC teaches you absolutely nothing about discovering vulnerabilities. Sure it does. It teaches you that all systems, regardless of CPU and OS, are vulnerable to static electricity. Thus, the best "hacks" are to break into someone's house with a balloon, find their PC, open it, rub the balloon on their head, and then start touching the motherboard.

  2. Relativity by ImaNihilist · · Score: 5, Funny

    Good thing I use Microsoft® Windows XP so I don't have to worry about things like this.

    1. Re:Relativity by Golias · · Score: 5, Insightful

      Whoever modded you down "Troll" has obviously not heard of sarcasm.

      Anyway. The difference between Mac OS X and XP can be summarized thus:

      Every time a potential breach of OS X security is discovered, it's front-page headline news on Slashdot.

      If a new actual virus or worm comes along for Windows, making it ever more sure that you still can't even put a new Windows box online to download patches until after the patches you need are already installed... it's business as usual.

      Windows users concerned about their penis size go on chanting "B B B But that's only because the Mac is less popular, so nobody bothers to write malware for it. Wait until the Mac gets more popular, then you'll be in a world of hurt!!!1!"

      Whatever. The Mac is probably never going to see double-digit market share, and even if it does, it's still vastly more secure than Windows is, and you all know it. So there's no need to worry about such a scenario ever happening.

      So I use Macs.

      If the market dominance of Windows has anything to do with Macs being relatively free of haX0r attention, then I just gotta say to all you stubborn Windows users out there:

      Hey man, thanks for taking one for the team.

      --

      Information wants to be anthropomorphized.

  3. Re:Since I hate smug Mac users, let me be the firs by noidentity · · Score: 5, Funny

    "Since I hate smug Mac users, let me be the first. . .to say hahahaha hahahaha ha ha ha ha ha hahaha hah ha hahahahahahaha HA!!"

    Yeah, us Mac users and our potential vulnerabilities. All the potential data I haven't lost has really cost me.

    And smug people suck, no matter what computer they choose.

  4. Re:What purpose? by lancejjj · · Score: 5, Informative

    Purpose? Easy... he makes money by promoting himself.

    If you check out his web site, it seems that he's trying to maximize advertising revenue. Not only does he have many ads, he also has many Amazon referral links. In addition, he is directly selling advertising:

    From his website:

    Want to advertise on the Security-Protocols website?

    Below are our rates:
    Banner Advertising:
    10,000 impressions = $75
    20,000 impressions = $135
    30,000 impressions = $180

  5. Only learning that first assembly language is hard by AHumbleOpinion · · Score: 5, Insightful

    I think you underestimate the importance of assembly language when coding exploits. There are plenty of crackers out there who know x86 ASM. There are *far* fewer who know PPC ASM.

    I think you overestimate the effort required to learn PPC once you know x86. The first assembly language you learn is difficult, especially if it is x86, but for subsequent ones it is far less difficult. After many years of x86 I wrote my first serious PPC code, it beat Apple's MrC compiler quite easily.

  6. Missing the point by mrraven · · Score: 5, Interesting

    It's not that there are no vulnerabilities, all complex code contains multiple vulnerabilities, it's that Macs being set up with a user level account as opposed to Windows default admin account are much less liable to being actually exploited. The same can of course be said for most Linux distros which are also set up with a default user level account.

    Vista will probably help IF it's ever released and as I read on here on Slashdot the way Vista handles admin tasks (at least in its current release state) involves an infuriating number of dialog boxes. I'll stick with my Mac for now so I can just get some work done (shrug).

    I guess this is what I get for responding to a troll.

    --
    Tired of all the isms, don't exploit people as an employer, or a government, mmmmK?