Apple Releases 31 Security Fixes
Agram writes, "This week Apple has released fixes for 31 vulnerabilities in its OS, although reportedly a number of known flaws remain un-addressed (according to the instigator of the Month of Kernel Bugs, 'Apple hasn't fixed any of the bugs published during [MoKB], except for the AirPort issue'). Earlier this year, in a move reminiscent of Microsoft's past patching faux pas, Apple released a 'fix' the installation of which broke features unrelated to the targeted flaw. With the growing number of low-level flaws, one has to wonder if Apple's 'more secure' argument still stands. Earlier this month, Microsoft released 6 fixes. Linux does not seem to fare much better. Despite all of these fixes, exploits remain in the wild for each platform. Perhaps, security-wise, the OS choice really boils down to a 'pick-your-poison X user-base' equation?"
...will ever be perfect (except for GODOS). All we can hope for is the most amount of intuition and the least amount of irritation.
Cake or Death? Cake Please!
It's no secret ... There are more Windows boxes in sensitive areas (servers, etc.) than Macs. Focusing on Windows is more bang-for-the-buck....
for security, you have already lost the battle. Staying (relatively) secure involves a few simple steps that most people still won't listen to:
1. Run a firewall and only open what you need to be opened
2. Most importantly: DON'T CLICK ON STUPID SHIT! Don't run seedy programs etc. It's amazing how many Windows users get infected like that
Those obviously won't protect against 100% of threats, but very few things in life are guaranteed.
Monstar L
Perhaps Steve Jobs doesn't invoke the same "I'm gonna get him!" feeling in the black hats that Bill Gates does. Or maybe it's that darn reality distortion field...
Dear Slashdot editors,
your readers are all technically literate. Please don't post stories built on dumb ideas like "how secure an operating system is = number of potential security holes fixed". That kind of stuff is for pointy haired bosses, not technically literate people.
Thanks!
The issue is having an actual usable vector for mass propagation, resulting in the massive downtime and recovery time, billions of dollars of lost productivity, and tens of thousands of man-hours in remediation. That's not to say no one could ever find some suitable vector for propagation that can strike large numbers of Mac OS X users effectively; just that it's very unlikely for a variety of reasons, not the least of which is that these days, most Mac OS X computers aren't exposed in such a way that anything could effectively spread en masse remotely without user interaction.
Almost everything relies on some form of user interaction, and yes, these things are still bad, especially ones that take advantage of some shortcoming in the OS. What's laughable about the submission is that it makes it look like it's "bad" that Apple fixed oh-so-many vulnerabilities, and then complains that it's not fixing enough. Apple does fix issues reported to them, period. And yes, we all have stories about this or that outstanding bug or vulnerability that is still open, but Apple has markedly, hugely improved, mostly because of listening to feedback from customers, particularly enterprise customers, in the security arena. It does have a way to go, and whether or not any fix is "fast enough" will always be subjective.
No one sane ever said Mac OS X was invulnerable. It has bugs and vulnerabilities like any OS. Apple responds to them. Someone will always think they're not responding fast enough, or correctly, or what have you, but the fact remains that Mac OS X has been on the market for over 5 years, and there has yet to be any substantial issue that has been exploited on any scale. And no, it's not exclusively because of marketshare.
That and it's far FAR easier to get admin access for your app or bug-exploit on a Windows machine than on a machine running any other OS.
A script kiddie can completely take over a critical Windows server. It's far harder to get your code executed as admin or with admin privileges on a Linux, Unix, or OSX machine.
THAT is the biggest reason. Unixes run far more of the internet than Windows does, making them a prime target for someone who wants to cause trouble or steal information.
I think that it is pretty simple. It is not the number of security bugs that is the issue, it is their severity, and their remote exploitability. Despite the statistics from the article, my department (which has 500 computers, with a mix of Windows XP, OSX and Linux) has had not a single security breach of a Linux or OSX system, but lots of breaches of Windows systems. Part of it is that the OSX and Linux security problems are situations where a local user can escalate his privileges, something which is serious, but does not necessarily cause security problems. The other part of it is that the worst Windows XP security breaches come through ad- and spy-ware that come from routine web surfing. This is not considered a bug in Windows XP (if we just classed ActiveX and IE as security problems, we would have to list that as a Windows XP bug every month/day/week, and the numbers would change pretty quickly).
Anyway, as we all know, don't trust statistics because 82.35% of statistics are made up on the spot.
The main point they should make is that OpenBSD doesn't bundle in lots of other software packages.
... as Apple patched 31 vulnerabilities, but most of them were not part of the OS (applications like FontBook and FontImporter) and not even maintained by Apple (like OpenSSL, PHP, Samba, perl).
Therefore, they don't have people saying 'fixes for 31 vulnerabilities in its OS'
Build it, and they will come^Hplain.
Yeah, I mostly could care less what /.ers think in their opinions. While the news is interesting, and the commentary is often amusing, in the end, I find I go for what works, not what looks good. Certain groups of /.ers tend to follow certain trains of thought that appear noble or righteous, but often ignore many aspects of reality.
The days of cracking just for "fun" or "reputation" are mostly over. Malware is driven by money now. Botnets, and spyware are the name of the game. No point in disabling ("owning") computers with malicious code when you can just silently commandeer them to make money. A lot of the malware spreading requires user intervention, which requires a mass audience, and a targeted spreading mechanism (e-mail is still the #1 way to spread).
I fixed over 50 bugs in my web-game during the past two days. Does that mean I'm less secure than windos?
These numbers mean nothing at all.
First, it's the number of fixed bugs, not of existing bugs. If product A has 500 holes and fixes 5 of them, and product B has 50 holes and fixes 10 of them - these dumbwit journalists would tell you that product A is more secure.
Two, quantity alone means nothing. If product A has 5 remote root holes and product B has 20 spelling bugs - these dumbwit journalists would tell you that product A is more secure.
The worst thing is that they get paid for producing this kind of misinformation. No, wait - the worst part is that there are lots of people out there who don't know technology and actually believe that crap.
I thought it was a pretty well-established fact at this point that Mac OS X is considered to be more secure not because it is less vulnerable to attacks, but because it is a less desirable target for attacks.
It's both. Macs don't have the numbers that make botnet operators look to make a worm. They do, however, have a lot of valuable data and make just as nice of control channels as a Linux box somewhere. There are a lot of credit card numbers and the like on Macs. The thing is, they're also a lot harder to get to than on a typical Windows box, so people go for the easy target.
Windows, according to this analogy, would be more like the U.S.: A huge defense system, but every hole in the security matters, because people are actually trying to get through.
Okay, I can see that analogy. And malware is like the Mexican immigrants walking across the border without any problems. It's not in the best economic interests of the US to stop them, just as Microsoft has no real motivation to stop malware. They both like to make noise about it for PR reasons though.
That said, what I really want to know is why big companies like MS and Apple don't explain more fully WHY they aren't releasing patches to known issues.
I think most people don't care. I mean the average Joe says, "they found a hole and fixed it, cool." The security geek already knows the score. So who are they targeting with this info? And what info, exactly do you want?
If an exploit does nothing more than let you play solitare someplace you shouldn't, then it doesn't matter. And the thing is, even if OS X is only as secure as Windows (which I'd dispute), it's still good for overall security of the Internet. One of the biggest problems with the Internet today is that if 95% of the computers run one operating system, it becomes easier to write exploits that affect the majority of people.
On the other hand, if 50% of the people were running OS X, then no exploit could harm more than half the people at any given time. So in the long run, perversely, OS X is beneficial to the security of Windows.
Spyware and viruses however usually have NOTHING to do with the security of the OS. Most spyware and viruses are the result of stupid users opening the file sent by a Zambian businessman or downloading every program popups tell them to. There is just less spyware and fewer viruses for OS X since not as many people use it, thus it is not a primary target.
Spyware/viruses do not mean the OS is insecure, but that the users of it are.
One word...marketshare.
There is big money in hijacking windows boxes. You can pump spam through them or inundate them with advertisements through spyware. Considering that most users have Windows, there is more advertising money there. I think spammers and spyware people would rather have the number of windows users out there viewing their junk than the number of Apple users. However, expect that to change as Apple's marketshare grows.
The philosophical differences are that the Linux user base can both find and fix the problems, but closed source can only find and report problems.
Although you multiply poison by the user base, the more people that use Linux the more secure it becomes. The more people that use an OS where the users cannot find and fix problems, the less secure it becomes as an overall platform.
A large part of the problem is finding it, and when a security flaw is found in Linux it is pretty much always fixed. So, userbase for Linux is good because they can fix the problems themselves, or report it directly to someone who can.
But when you are sourceless, a large userbase can report a problem and they must depend on someone else to fix it. So, the more people that use it, the more people using it with a particular bug. Usually, the fix timeframe is based on Impact * number of reports, and although Microsoft has gotten pretty good about turnaround time for patches, they used to be horrible and if there's a lack of reports I suspect bugs will go unpatched for quite some time. However, you still have the issue that all closed source has: the user can't fix things for himself and that includes bugs.
Lastly, comparing OSX to Linux and WinXP isn't really fair to Apple... they're still relatively new to the scene and have a lot of bugs to shake out. And when comparing, you can't just say "N bugs in X OS over K days", you have to also multiply this by the impact. 31 local DoS security fixes is not as scary as 1 remote execution fix.
Many of these security holes are often due to buffer overflow errors. While common, they are rather difficult to exploit, unlike the ActiveX and VBScript "viruses" and spyware. A buffer overflow requires the designer of the script to know quite a lot about what is going on underneath. First they will need to know the platform they are attacking. With Macs you will have to choose between Intel and PPC. Then you will need to know the OS, the version of OS X, and know it well enough to pass the opcode in binary format. OK, now you can run a program. Now if you need to do some more detailed stuff that can cause more trouble than just screwing up the home user account, then you will need to find an application whose buffer overflow error will allow root level access, where they can do important things like opening up low-number ports: 25 for email, 22 for SSH, and configuring it to allow no password for root.... Yes, you could break into a Mac system. But if you fix any part in the link the script will not run to completion, so one fix could stop one from taking control of the others (until another opening is found). So yes, you can break into a Linux, BSD, OS X and Windows box. But Windows' attempt at ActiveX and their refusal to give programming restrictions to it, figuring that having trust security is better than preventing access (the OLD Java vs. ActiveX debate), really bit MS in the butt.
Your argument seems to be that OS X runs on loads of servers, which makes it a great target.. First off it doesn't run on loads of servers, it has no presence in the server market. Second the vulnerabilities are mostly all in WiFi drivers, PPPoE code, and Safari. Why would hackers going after servers be looking in client code?
Also you can only apply the fixes to 10.3 and 10.4. Never mind <10.3 users, they can pay $99 for security, and never mind if they have a machine which won't run 10.3, they can buy a new Mac. This is like MS charging for SP1.
If MS came out with a massive load of critical security fixes like this, which had all been around for ages and in use by hackers, they would be quite rightly ridiculed. When Apple comes out with this disgrace
I wish I was exaggerating but people really are posting these; it's bizarre the double standards some people on slashdot have.. We should at least like and dislike Apple and Microsoft for the right reasons, there are many reasons to prefer Apple but security just isn't one of them.
``A script kiddie can completely take over a critical Windows server. It's far harder to get your code executed as admin or with admin privileges on a Linux, Unix, or OSX machine.''
Yes, because buffer overflows are so much harder to exploit on non-Windows OSes, and it's so much harder to get someone to type "sudo make install" than to get them to do the equivalent on Windows.
Please correct me if I got my facts wrong.
I know the article is specific about OS X, but you took the parent's comments about Unixes in general to speak of OS X. He never mentions that OS X runs on a bunch of servers, just Unix and its flavors including OS X. Also yes, Apple does have a presence in the server market, http://www.apple.com/server/macosx/ & http://www.apple.com/xserve/.
On to the ">10.3" section of your comments. Yes, the security updates will not work on 10.2 or earlier. That is two complete versions ago. When is the last NT4 security update you saw? That's two versions ago of the Windows Server market, right (2003, 2000, NT4)? Apple is known for having a quicker turnaround for complete updates; this is not news.
I could go on but I will stop there. It's obvious that you favor Windows over anything else, which hey, that's fine, your prerogative, you're a grown adult, do whatcha wanna do. But let's keep it real.
You are all a bunch of idiots.
Any piece of software attempting to open an outbound connection, particularly to a common port like SMTP, needs to flag the fact to the user and explain, in English, what's going on.
"Tic-Tac-Toe.exe is attempting to send an email, but is not a known email program. Do you want to allow this?"
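The prompt above as a policy check, written here as an added example (not code from the thread or from any product): outbound connections are matched against an assumed allowlist of programs known to use each sensitive port, and anything else gets the plain-English explanation the comment asks for. The connection records and the allowlist are constructed for the example.

```python
"""Flag outbound connections from programs that are not known users of a port.

Added example, not from the original thread. The connection records and the
allowlist of "known" programs below are constructed assumptions.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Ports a host-based firewall would prompt for on outbound traffic,
# with a human-readable name for the prompt text (assumed list).
SENSITIVE_PORTS: Dict[int, str] = {
    25: "SMTP (email)",
    587: "SMTP submission (email)",
    6667: "IRC",
}

# Programs expected to talk to each of those ports (assumed allowlist,
# compared case-insensitively because Windows image names vary in case).
KNOWN_PROGRAMS: Dict[int, Set[str]] = {
    25: {"outlook.exe", "thunderbird.exe"},
    587: {"outlook.exe", "thunderbird.exe"},
    6667: {"mirc.exe"},
}


@dataclass(frozen=True)
class Connection:
    program: str        # image name of the process opening the socket
    dest_host: str
    dest_port: int


def explain(conn: Connection) -> Optional[str]:
    """Return the prompt a user should see, or None if no prompt is needed."""
    service = SENSITIVE_PORTS.get(conn.dest_port)
    if service is None:
        return None                 # not a port we prompt for (e.g. plain HTTP)
    if conn.program.lower() in KNOWN_PROGRAMS.get(conn.dest_port, set()):
        return None                 # a known client of this service
    return (f"{conn.program} is attempting to use {service} "
            f"(connecting to {conn.dest_host}:{conn.dest_port}), "
            f"but is not a known program for it. Do you want to allow this?")


def review(conns: List[Connection]) -> List[str]:
    """Collect the prompts for every connection that needs user approval."""
    return [msg for msg in (explain(c) for c in conns) if msg is not None]


# Constructed sample: a real mail client, a game talking SMTP, and a web hit.
SAMPLE = [
    Connection("Thunderbird.exe", "mail.example.com", 25),
    Connection("Tic-Tac-Toe.exe", "192.0.2.10", 25),
    Connection("firefox.exe", "www.example.com", 80),
]

if __name__ == "__main__":
    for line in review(SAMPLE):
        print(line)
```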
Yes it is.
if you click on an evil exe in Windows it runs and does its deed. Do it in OSX or Linux and you have to give it an administrator password.
99% of all Windows users run as admin. 100% of all Windows server administrators log in with an admin level account and do lots of things as admin that they should not.
So yes, it is way WAY easier to get someone to click on something evil and have it run instantly than have them type sudo evilapp..... type in password... then execute. At least the password is a hint to someone that the potential of evil is there. Way too many Windows apps, including server apps, require admin privileges to run. This is rampant in the corporate world as most vertical apps are so badly written that they do this by default. Add to that that most machines all share the same admin password and BOOM, you have a massive infection running rampant easily. You want proof of this? Spyware is rampant everywhere on every Windows machine you touch. EVEN corporate machines with well defined policies STILL GET INFECTED SILENTLY.
At least under unix you have to gain those privileges at each machine, they are not handed to you on a silver platter if you compromise one machine only. (yes this is an IT policy blunder and not a Windows blunder, but it's the modus operandi of the Corporate windows world.)
Windows is a security joke because they do not make it difficult to run as administrator all the time and allows apps to have free reign if they are executed as admin. NO APP NEEDS WRITE ACCESS TO THE C:/WINDOWS directory... NONE! yet the microsoft morons designed it that way because of the stupid registry. windows 95 and 98 did more damage to windows security than anything else and the crap added there still lingers.
That is why windows has no security compared to unix.
Let's ignore the fact that most services under Unix lately do not run at the system level but under a protected user that does not have ADMIN access... but hey you were hoping that nobody noticed that.
Windows web server, buffer overflow = admin access. Linux web server, buffer overflow = user access. Big difference there. Granted, if you are silly and let the apache user read the shadow passwords file, it's your fault for not setting up security right.
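The point in the two comments above, that a Unix service runs under a protected account so a compromise of the service yields only that account, rests on the daemon giving up root before it handles any input. As an added example (not code from the thread or from Apache), this shows the idiomatic drop sequence and a check that root cannot be regained afterwards; the target account "nobody" and the 65534 fallback ids are assumptions.

```python
"""Start privileged, then drop to an unprivileged account before serving.

Added example, not from the thread. Assumes a Unix-like system; the account
name "nobody" and the fallback uid/gid 65534 are assumptions.
"""
import os
import pwd
from typing import Tuple


def lookup_unprivileged(user: str = "nobody",
                        fallback: Tuple[int, int] = (65534, 65534)) -> Tuple[int, int]:
    """Resolve the account a daemon should run as; use a fixed id if it is absent."""
    try:
        entry = pwd.getpwnam(user)
        return entry.pw_uid, entry.pw_gid
    except KeyError:
        return fallback


def drop_privileges(uid: int, gid: int) -> int:
    """Irreversibly give up root. Order matters: groups, then gid, then uid."""
    if os.geteuid() != 0:
        return os.geteuid()       # nothing to drop; already an ordinary user
    os.setgroups([])              # supplementary groups would keep root's group access
    os.setgid(gid)                # must happen while still root
    os.setuid(uid)                # sets real, effective and saved uid: no way back
    return os.geteuid()


def can_regain_root() -> bool:
    """True if the process can still become root, i.e. the drop was incomplete."""
    if os.geteuid() == 0:
        return True
    try:
        os.setuid(0)              # EPERM once the saved uid is no longer 0
        return True
    except PermissionError:
        return False


def start_service() -> Tuple[int, bool]:
    """Model a daemon's startup: (effective uid after the drop, can regain root)."""
    # A real daemon would bind its low port (e.g. 80) here, while still root,
    # and only then drop; every later request is handled as the weak account.
    uid, gid = lookup_unprivileged()
    new_uid = drop_privileges(uid, gid)
    return new_uid, can_regain_root()


if __name__ == "__main__":
    euid, regain = start_service()
    print(f"serving as uid {euid}; can regain root: {regain}")
```

Run as root it drops to "nobody" for real; run as an ordinary user it only verifies that root is unreachable.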
"based on" is never "is", based on implies changes to varying degrees.
Also, I thought earlier versions of OS X, at some point prior to X.4, they still had a microkernel. I know threads were actually added to the Kernel in X.4.
Having used both, I know OS X is not the same as FreeBSD, I much prefer the FreeBSD system to be honest, but that's just my not-so-humble opinion.
What part of FreeBSD did Apple use I wonder? I thought userland was still pretty generic across BSD with only minor changes, the filesystem structure resembles that of FreeBSD less than Linux's, and as I said, FreeBSD never used Mach or any other microkernel to my knowledge.
It seems to me it's more of a sibling than a child.
Or, more importantly, the cracker is more likely to have a Windows box kicking around to practice on. A Linux box is also likely. A PowerPC Mac, however, was not. With the Intel switch, it is possible for a cracker to install a pirate copy of OS X in a VM or on a spare machine and do whatever they like to it, so this level of 'protection' goes away. It will be interesting to see what effect this has.
I am TheRaven on Soylent News
for security, you have already lost the battle. Staying (relatively) secure involves a few simple steps that most people still won't listen to:
1. Run a firewall and only open what you need to be opened
2. Most importantly: DON'T CLICK ON STUPID SHIT! Don't run seedy programs etc. It's amazing how many Windows users get infected like that
Those obviously won't protect against 100% of threats, but very few things in life are guaranteed.
Emphasis is mine where I find it unbelievable people think that this is "advice". The way the modern computer operating system HMI works is "users click on things". Windows and MacOS are designed to present the user with an interface to click on things. What in the world kind of advice is it to say "don't click on stuff!"??
Browsing files is normal operation. Browsing web pages is normal user activity. Looking at email is a normal user activity. Clicking on objects presented by the shell is a normal user activity. All of these activities are things users do normally and yet are "dangerous by default" in some systems and require a high level of diligence or more (sometimes expensive) software to handle. Stating stuff like "don't click on bad stuff" shifts the blame away from the vendor and onto the user. I'm not saying the user isn't at fault but let's not forget the vendor here since they are equally culpable.
How about this instead: Your computer shouldn't self destruct doing normal user activities. If your computer does self destruct doing normal user activities then it is a bug. Bugs happen in any complex piece of software. What isn't excusable is when the vendor refuses to address the issue. The vendor should fix the flaw. And before you ask, no amount of confirmation dialogs counts as a fix. No amount of "blame the user" is sufficient either.
More specifically: The operating system should handle browsing files without destroying itself. The operating system should be able to handle browsing to web pages without destroying itself. Your operating system should handle looking at email without destroying itself. Your operating system should handle "clicking on stupid stuff" without destroying itself. If the operating system can't handle these nominal activities with a high degree of confidence then it needs to be redesigned and engineered to do so. This is not an issue with "users being stupid" but a flaw in the design and engineering.
Barring things like "wear", most people would consider a machine that breaks from normal usage as "flawed". But all too often in operating systems when the machine breaks down when the user performs a normal activity it isn't the system but the user's fault. How in the world did we get to this state where the responsibility for function is not on the system designer but on the users??
I do get what you mean in that there should be some "common sense" but on the other hand let's not let the vendors get off the hook because of a lack thereof. The user should have some common sense **and** the vendor should provide a system that is robust, just in case the user's judgement slips.