Slashdot Mirror


Apple Releases 31 Security Fixes

Agram writes, "This week Apple has released fixes for 31 vulnerabilities in its OS, although reportedly a number of known flaws remain unaddressed (according to the instigator of the Month of Kernel Bugs, 'Apple hasn't fixed any of the bugs published during [MoKB], except for the AirPort issue'). Earlier this year, in a move reminiscent of Microsoft's past patching faux pas, Apple released a 'fix' the installation of which broke features unrelated to the targeted flaw. With the growing number of low-level flaws, one has to wonder if Apple's 'more secure' argument still stands. Earlier this month, Microsoft released 6 fixes. Linux does not seem to fare much better. Despite all of these fixes, exploits remain in the wild for each platform. Perhaps, security-wise, the OS choice really boils down to a 'pick-your-poison X user-base' equation?"

14 of 319 comments

  1. Re:Free software is not supposed to be 'much bette by jimstapleton · · Score: 2, Informative

    I'd like to find your rationale for that statement. OS X is based off of the Mach microkernel. The FreeBSD people, to my knowledge, never bought into the idiotic "microkernel on a multipurpose OS" hype.

    Additionally, I'm pretty sure Mac OS came out before January 2003, when FreeBSD 5.0 was released.

    Actually, according to Wikipedia, though not the best source available, it was based on OPENSTEP/NEXTSTEP. This also reports the release as 1999/2001 depending on version.

    --
    34486853790
    Connection too slow for X forwarding? Try "ssh -CX user@host"
  2. Re:Free software is not supposed to be 'much bette by Anonymous Coward · · Score: 1, Informative

    You: "Microsoft makes such a bloated, terrible operating system."
    Me: "XYZ in an OSS distro is crap."
    You: "Well, it's free. What do you expect?" Exactly.

    Classic example of this Linux truth right in this post. OMG, some of you Linux nerds are unbelievable.

    For a perfect explanation of why OSS sucks, read http://microsoftisawesome.blogspot.com/2006/11/why-does-open-source-software-suck.html

  3. Come and see the snobbery inherent in Linux! by Anonymous Coward · · Score: 3, Informative

    From the blurb: Linux (if you need a URL for Linux, you are probably at this site by mistake)

    Fantastic! So what the poster is saying is that "if you're on Slashdot and you're not a Linux geek, you're out of place here".

    Out of place as in not welcome, for the most part, too, considering some of the groupthink that goes on.

    Just try to get a valid, non-snobbish answer to a n00b Linux question around here. I dare you. Just like the snobs on #Linux. Try it there and you'll get the same.

    The day I decided that Linux wasn't for me was the day I went to #Linux and asked for the name of a good distro a n00b could run without pulling out his hair. The response was directing me to DistroWatch or some such site with nothing more than a list of distros. Out of 40 people, this is the lone answer I got.* Great. And yet Linux users still claim Joe Sixpack is welcome to try to adopt? It sounds more like throwing down the gauntlet as opposed to inviting him in.


    * Later I tried DSL and Mepis. While I found nothing "wrong" with them, I do find overall Linux support lukewarm at best, and I don't have the problems with Windows that most claim to have. I just don't see a reason to switch yet. Maybe in a few more years, when some of the zealots mature a bit and realize that supporting a product is more than just shouting "OMFG~! It's the best, if you don't like it you're just a fucktard!!11!!" and start producing apps a little bit better than Gimp, I'll give it another go.

  4. Mac OS X is still more secure, BY FAR. by Caspian · · Score: 4, Informative

    "With the growing number of low-level flaws, one has to wonder if Apple's 'more secure' argument still stands."

    No, no, one doesn't.

    Number of Windows machines I've had to painstakingly remove highly virulent spyware/adware from: Dozens.
    Number of Mac OS X machines I've had to painstakingly remove highly virulent spyware/adware from: ZERO.

    This is far more than just anecdotal evidence; this is how things go in the real world. In the real world, 50+% of Windows machines are badly infected by spyware, and 0% of Mac OS X machines.

    ZERO.

    By far the most prevalent security and stability breaches "in the wild" are not rootkits or remote exploits... they're spyware and viruses, both of which are virtually exclusively Windows issues. You can claim that this is mostly or wholly due to the overwhelming dominance of Windows over all other operating systems (in terms of "market share"), but the fact remains.

    Until I start getting calls from blue-haired grandmas to hand-pick bits of Hotbar and BonziBuddy and porno pop-up daemons out of their Macs, I won't buy the "Macs aren't any more secure than Windows" FUD. And neither should you!

    --
    With spending like this, exactly what are "conservatives" conserving?

  5. Re:Attacks Still Low by Anonymous Coward · · Score: 5, Informative

    Any program files that might have a negative impact on the OS X system must be authorized with the Admin password.

    Wrong. The attacker can simply use a privilege escalation exploit.

  6. Re:Attacks Still Low by OS24Ever · · Score: 4, Informative

    I'm sorry, but I don't agree with this market-share thing.

    If someone is standing on the corner going "neener neener, you can't hit me", someone, out of spite and regardless of any reward, is going to do it. The fact that they've been touting that they can't be hacked for several years now and they still haven't been hacked says to me that it's not easy to do, or not able to be done as easily as it is on Windows.

    Plus, a lot of the "security" problems don't focus on the exploits of IE and simple browsing hijacking your system with crap. That's the largest problem facing most IT departments that I've run across in the last year or two: not the OS itself being hacked, but something stupid the browser does destroying the system.

    --

    As a rock-and-roll physicist once said, no matter where you go, there you are.

  7. Re:Attacks Still Low by WaRrK · · Score: 3, Informative

    I remember root-my-mac-mini - the whole thing was a sham - the guy was giving out SSH accounts to the machine, and the "local" user was just using a privilege escalation to get more rights. Granted, it's a bug that needs fixing - but giving out logins to anonymous users on the internet isn't something I'm in the habit of.... not after last time..... damn squirrels.....

  8. Root My Mac mini was a fraud by jscotta44 · · Score: 2, Informative

    The Root My Mac mini event you mention was a fraud and was demonstrated to be so at the time. The hacker was given an account on the machine. While it was pitched and reported as being a "remote exploit", the "hacker" was given SSH access to the machine, so what he really did was have full run of a local machine.

    So, come on. While there may be some great examples of OS X vulnerabilities, this is not one.

  9. Re:If you are depending soley on your choice of OS by 99BottlesOfBeerInMyF · · Score: 2, Informative

    Unfortunately it's not in OS X either, though it's long overdue.

    We'll have to see what exactly is in OS X 10.5.

    They should pay the author of Little Snitch and just incorporate it, but extend it to file access too (I don't think it does that; if it did, I'd buy it). Very easy to do, and the payoff would be huge for security against simple trojans and spyware.

    Well, Little Snitch is sort of an add-on for the firewall and not a good basis for ubiquitous system-level security. Apple announced a month or two ago that they had ported to 10.5 the Mandatory Access Controls (designed for exactly this purpose) from TrustedBSD, which is itself a port of SELinux controls from the NSA, I believe. The trick with such a system is designing the UI component (which Little Snitch does provide a good model for) and designing good defaults. Since they also announced an application signing framework at the same time, my hope is that they will provide ACLs for pre-installed apps, give certified and verified apps an ACL included with that app, give certified apps a fairly restrictive default ACL, and give unsigned apps a very restrictive ACL as the default setting. As for the filesystem access, I'd like to see the most restrictive default be access only to files created by that program itself. I think more granular access than you present would be nice as well, and if proper defaults are provided, it should be easy to change them with a simple violation notice à la Little Snitch, or by editing that program's restrictions.

    Anyway, at least the frameworks for this look to be coming soon. Hopefully the OS integration, UI, and defaults are as well.

  10. Re:Free software is not supposed to be 'much bette by Weedlekin · · Score: 2, Informative

    This does not seem to apply to the kernel, however. Apple's kernel programmer documentation (which claims to have been updated on 2006-11-07) says:

    "Darwin is based on proven technology from many sources. A large portion of this technology is derived from FreeBSD, a version of 4.4BSD that offers advanced networking, performance, security, and compatibility features. Other parts of the system software, such as Mach, are based on technology previously used in Apple's MkLinux project, in Mac OS X Server, and in technology acquired from NeXT. Much of the code is platform-independent. All of the core operating-system code is available in source form."

    Link here:

    http://developer.apple.com/documentation/Darwin/Conceptual/KernelProgramming/index.html

    If this document is wrong, then Apple are to blame for that, not me.

    --
    I'm not going to change your sheets again, Mr. Hastings.
  11. Re:Attacks Still Low by Steppman2 · · Score: 2, Informative

    On to the ">10.3" section of your comments. Yes, the security updates will not work on 10.2 or earlier. That is two complete versions ago. When is the last NT4 security update you saw?

    Mac OS X v10.1.0 (build 5G64), released September 25, 2001 (retail)
    Mac OS X v10.2.0 (build 6C115), released August 23, 2002 (retail)
    Mac OS X v10.3.0 (build 7B85), released 24 October 2003 (retail)
    Mac OS X v10.4.0 (build 8A428), released April 29, 2005 (retail)
    Mac OS X v10.5.0 (build 9A303), Developer Preview, released November 9, 2006 (beta)
    --
    Windows NT 4.0 Released July 29, 1996
    Windows 2000 Released February 17, 2000
    Windows XP Released October 25, 2001
    Windows Server 2003 Released April 24, 2003
    --

    It's more like Microsoft not supporting Windows 2003 than Windows NT... Apple is squeezing every last drop of money out of its users. Extended support for Windows 2000 ends 7/13/2010... just because Apple patches faster doesn't mean they should screw you out of updates once the latest and greatest comes out.

  12. Re:Free software is not supposed to be 'much bette by poopdeville · · Score: 2, Informative

    That quote doesn't really deny my claim. FreeBSD branched from 4.4BSD, and that's all the quote seems to say.

    --
    After all, I am strangely colored.
  13. Re:Attacks Still Low by drsmithy · · Score: 3, Informative

    99% of all Windows users run as admin. 100% of all Windows server administrators log in with an admin-level account and do lots of things as admin that they should not.

    99% of the things malware wants to do, do not require elevated privileges.

    NO APP NEEDS WRITE ACCESS TO THE C:\WINDOWS directory... NONE! Yet the Microsoft morons designed it that way because of the stupid registry.

    Broken applications that require write access to Windows system areas are 100% the fault of the app developer. It's got *nothing* to do with Microsoft.

    No developer has had an excuse for releasing software that writes to places like C:\Windows for ca. 7 - 8 years.

    Let's ignore the fact that most services under Unix lately do not run at the system level but under a protected user that does not have ADMIN access... but hey, you were hoping that nobody noticed that.

    Like modern Windows services do, you mean?

    Windows web server, buffer overflow = admin access. Linux web server, buffer overflow = user access. Big difference there. Granted, if you are silly and let the Apache user read the shadow password file, it's your fault for not setting up security right.

    IIS runs as its own user. A buffer overflow only nets you the privilege level of that user.

  14. Re:Attacks Still Low by 1u3hr · · Score: 2, Informative

    Well, he DID link to it in his comments...

    In that case, "Participants were given local client access to the target computer and invited to try their luck." Which is a big leg up. No evidence of "hackers exploiting Mac vulnerabilities for months" in the real world.