Apple Releases 31 Security Fixes
Agram writes, "This week Apple has released fixes for 31 vulnerabilities in its OS, although reportedly a number of known flaws remain un-addressed (according to the instigator of the Month of Kernel Bugs, 'Apple hasn't fixed any of the bugs published during [MoKB], except for the AirPort issue'). Earlier this year, in a move reminiscent of Microsoft's past patching faux pas, Apple released a 'fix' the installation of which broke features unrelated to the targeted flaw. With the growing number of low-level flaws, one has to wonder if Apple's 'more secure' argument still stands. Earlier this month, Microsoft released 6 fixes. Linux does not seem to fare much better. Despite all of these fixes, exploits remain in the wild for each platform. Perhaps, security-wise, the OS choice really boils down to a 'pick-your-poison X user-base' equation?"
Apple has known security bugs and yet people still focus on killing Windows boxes. I'd like to know Apple's secret.
/whisper/ Thanks for the candy!
for security, you have already lost the battle. Staying (relatively) secure involves a few simple steps that most people still won't listen to:
1. Run a firewall and only open what you need to be opened
2. Most importantly: DON'T CLICK ON STUPID SHIT! Don't run seedy programs etc. It's amazing how many Windows users get infected like that
Those obviously won't protect against 100% of threats, but very few things in life are guaranteed.
Dear Slashdot editors,
Your readers are all technically literate. Please don't post stories built on dumb ideas like "how secure an operating system is = number of potential security holes fixed". That kind of stuff is for pointy-haired bosses, not technically literate people.
Thanks!
The issue is having an actual usable vector for mass propagation, resulting in the massive downtime and recovery time, billions of dollars of lost productivity, and tens of thousands of man-hours in remediation. That's not to say no one could ever find some suitable vector for propagation that can strike large numbers of Mac OS X users effectively; just that it's very unlikely for a variety of reasons, not the least of which is that these days, most Mac OS X computers aren't exposed in such a way that anything could effectively spread en masse remotely without user interaction.
Almost everything relies on some form of user interaction, and yes, these things are still bad, especially ones that take advantage of some shortcoming in the OS. What's laughable about the submission is that it makes it look like it's "bad" that Apple fixed oh-so-many vulnerabilities, and then complains that it's not fixing enough. Apple does fix issues reported to them, period. And yes, we all have stories about this or that outstanding bug or vulnerability that is still open, but Apple has markedly, hugely improved, mostly because of listening to feedback from customers, particularly enterprise customers, in the security arena. It does have a way to go, and whether or not any fix is "fast enough" will always be subjective.
No one sane ever said Mac OS X was invulnerable. It has bugs and vulnerabilities like any OS. Apple responds to them. Someone will always think they're not responding fast enough, or correctly, or what have you, but the fact remains that Mac OS X has been on the market for over 5 years, and there has yet to be any substantial issue that has been exploited on any scale. And no, it's not exclusively because of marketshare.
First of all, what's the URL for Linux? And second, what's a URL?
My Linux laptop is all crudded up with 9000 spyware Bonzi Buddy applets, and my OS X work machine was just discovered to be a spam zombie spewing out half a billion UBEs per week.
Bad, Apple, bad. *thwacks Apple with rolled up newspaper*
Don't break any fixes anymore, you're supposed to be perfect.
The main point they should make is that OpenBSD doesn't bundle in lots of other software packages.
... as Apple patched 31 vulnerabilities, but most of them were not part of the OS (applications like FontBook and FontImporter) and not even maintained by Apple (like OpenSSL, PHP, Samba, perl).
Therefore, they don't have people saying 'fixes for 31 vulnerabilities in its OS'
Build it, and they will come^Hplain.
I'd like to find your rationale for that statement. OS X is based off the Mach microkernel. The FreeBSD people, to my knowledge, never bought into the idiotic "microkernel on a multipurpose OS" hype.
Additionally, I'm pretty sure Mac OS came out before January 2003, when FreeBSD 5.0 was released.
Actually, according to Wikipedia, though not the best source available, it was based on OPENSTEP/NEXTSTEP. This also reports the release as 1999/2001 depending on version.
34486853790
Connection too slow for X forwarding? Try "ssh -CX user@host"
...what is being suggested is that the more complex a system becomes the more points of failure it has - wow, I need me a ticker tape parade.
It's hardly news that if someone goes looking for problems they find them - what is more revealing is the general response to the issues discovered:
Windows: 'well that's what you get when you write closed source crap and you try and bleed money out of your customers'.
Apple: 'That'll wipe the smiles off their smarmy faces'.
Linux: 'Oh we so good - look at how open source instantaneously fixes these problems, cures cancer and helps little orphans'.
All these above responses are of course propaganda (please refrain from using that awful, awful word "FUD").
It's ironic that one of the hottest topics on Slashdot, climate warming, is accused of being one of the most tainted sciences, but when it comes to something much simpler, the efficacy of patches on modern systems, it turns into the biggest mud-slinging match you could imagine.
Yeah, I mostly could care less what /.ers think in their opinions. While the news is interesting, and the commentary is often amusing, in the end, I find I go for what works, not what looks good. Certain groups of /.ers tend to follow certain trains of thought that appear noble or righteous, but often ignore many aspects of reality.
All 3 of them?
The days of cracking just for "fun" or "reputation" are mostly over. Malware is driven by money now. Botnets, and spyware are the name of the game. No point in disabling ("owning") computers with malicious code when you can just silently commandeer them to make money. A lot of the malware spreading requires user intervention, which requires a mass audience, and a targeted spreading mechanism (e-mail is still the #1 way to spread).
I fixed over 50 bugs in my web game during the past two days. Does that mean I'm less secure than Windows?
These numbers mean nothing at all.
First, it's the number of fixed bugs, not of existing bugs. If product A has 500 holes and fixes 5 of them, and product B has 50 holes and fixes 10 of them, these dimwit journalists would tell you that product A is more secure.
Second, quantity alone means nothing. If product A has 5 remote root holes and product B has 20 spelling bugs, these dimwit journalists would tell you that product A is more secure.
The worst thing is that they get paid for producing this kind of misinformation. No, wait - the worst part is that there are lots of people out there who don't know technology and actually believe that crap.
From the blurb: Linux (if you need a URL for Linux, you are probably at this site by mistake)
Fantastic! So what the poster is saying is that "If you're on slashdot and you're not a Linux geek you're out of place here".
Out of place as in not welcome for the most part too considering some of the groupthink that goes on.
Just try to get a valid, non-snobbish answer to a n00b Linux question around here. I dare you. Just like the snobs on #Linux. Try it there and you'll get the same.
The day I decided that Linux wasn't for me was the day I went to #Linux and asked for the name of a good distro a n00b could run without pulling out his hair. The response was directing me to DistroWatch or some-such site with nothing more than a list of distros. Out of 40 people this is the lone answer I got.* Great. And yet Linux users still claim Joe Sixpack is welcome to try to adopt? It sounds more like throwing down the gauntlet as opposed to inviting him in.
* Later I tried DSL and Mepis. While I found nothing "wrong" with them I do find overall Linux support lukewarm at best and I don't have the problems with windows that most claim to have. I just don't see a reason to switch yet. Maybe in a few more years when some of the zealots mature a bit and realize that supporting a product is more than just shouting "OMFG~! It's the best, if you don't like it you're just a fucktard!!11!!" and start producing apps a little bit better than Gimp I'll give it another go.
No, no, one doesn't.
Number of Windows machines I've had to painstakingly remove highly virulent spyware/adware from: Dozens.
Number of Mac OS X machines I've had to painstakingly remove highly virulent spyware/adware from: ZERO.
This is far more than just anecdotal evidence; this is how things go in the real world. In the real world, 50+% of Windows machines are badly infected by spyware, and 0% of Mac OS X machines.
ZERO.
By far the most prevalent security and stability breaches "in the wild" are not rootkits or remote exploits... they're spyware and viruses, both of which are virtually exclusively Windows issues. You can claim that this is mostly or wholly due to the overwhelming dominance of Windows over all other operating systems (in terms of "market share"), but the fact remains.
Until I start getting calls from blue-haired grandmas to hand-pick bits of Hotbar and Bonzibuddy and porno pop-up daemons out of their Macs, I won't buy the "Macs aren't any more secure than Windows" FUD. And neither should you!
I thought it was a pretty well-established fact at this point that Mac OS X is considered to be more secure not because it is less vulnerable to attacks, but because it is a less desirable target for attacks.
It's both. Macs don't have the numbers that make botnet operators look to make a worm. They do, however, have a lot of valuable data and make just as nice of control channels as a Linux box somewhere. There are a lot of credit card numbers and the like on Macs. The thing is, they're also a lot harder to get to than on a typical Windows box, so people go for the easy target.
Windows, according to this analogy, would be more like the U.S.: A huge defense system, but every hole in the security matters, because people are actually trying to get through.
Okay, I can see that analogy. And malware is like the Mexican immigrants walking across the border without any problems. It's not in the best economic interests of the US to stop them, just as Microsoft has no real motivation to stop malware. They both like to make noise about it for PR reasons though.
That said, what I really want to know is why big companies like MS and Apple don't explain more fully WHY they aren't releasing patches to known issues.
I think most people don't care. I mean the average Joe says, "they found a hole and fixed it, cool." The security geek already knows the score. So who are they targeting with this info? And what info, exactly do you want?
Of course, the problem with GODOS is that you can't know if it's perfect until the computer is scrapped. In the Bitchy Beadle release of GODOS, the Schrödinger kernel is expected to improve the tracelogs.
There have been reports of computer users who claim to have briefly seen the perfection of GODOS when their power supplies have developed an intermittent fault. Unfortunately for the proponents of GODOS, no one whose motherboard has been completely fried has ever been able to compute with it again.
Confusing the question further is the fact that computer users are known to declare that SATANOS is running on their computers whenever anything goes wrong.
If an exploit does nothing more than let you play solitaire someplace you shouldn't, then it doesn't matter. And the thing is, even if OS X is only as secure as Windows (which I'd dispute), it's still good for the overall security of the Internet. One of the biggest problems with the Internet today is that if 95% of the computers run one operating system, it becomes easier to write exploits that affect the majority of people.
On the other hand, if 50% of the people were running OS X, then no exploit could harm more than half the people at any given time. So in the long run, perversely, OS X is beneficial to the security of Windows.
Perhaps, security-wise, the OS choice really boils down to a 'pick-your-poison X user-base' equation?
Yeah, like, everyone knows that all OSes are, like, equal in all respects. It's not like they were designed differently or anything. It's all just 1s and 2s anyway. Every computer gets clogged up with worms, viruses, and malware. It's just that there are more Windows users out there, and the Mac users just keep quiet about their virus infestations, so they can keep the Sacred Cult of the Mac going strong. I know plenty of Mac users who have to do clean installs all the time because their machines get so clogged up with worms and viruses. All of these whiners talk like that's not true!
Good thing I'm using Windows. Oh wait...
w00t
The philosophical differences are that the Linux user base can both find and fix the problems, but closed source can only find and report problems.
Although you multiply poison by the user base, the more people that use Linux the more secure it becomes. The more people that use an OS where the users cannot find and fix problems, the less secure it becomes as an overall platform.
A large part of the problem is finding it, and when a security flaw is found in Linux it is pretty much always fixed. So, user base for Linux is good because they can fix the problems themselves, or report it directly to someone who can.
But when you are sourceless, a large userbase can report a problem and they must depend on someone else to fix it. So, the more people that use it, the more people using it with a particular bug. Usually, the fix timeframe is based on Impact * number of reports, and although Microsoft has gotten pretty good about turnaround time for patches, they used to be horrible and if there's a lack of reports I suspect bugs will go unpatched for quite some time. However, you still have the issue that all closed source has: the user can't fix things for himself and that includes bugs.
Lastly, comparing OSX to Linux and WinXP isn't really fair to Apple... they're still relatively new to the scene and have a lot of bugs to shake out. And when comparing, you can't just say "N bugs in X OS over K days", you have to also multiply this by the impact. 31 local DoS security fixes is not as scary as 1 remote execution fix.
``With the growing number of low-level flaws, one has to wonder if Apple's 'more secure' argument still stands.''
It never did. First of all, you can't compare the security of operating systems, because you can't eliminate bias from your tests. Secondly, Apple's OS is closed source, which you can never trust. Thirdly, much of the OS is written in unsafe languages (particularly C, C++, and, perhaps, Objective-C; I don't know if the last is unsafe), and thus the statistical probability that it will contain security holes is high. Finally, I don't think Mac OS X has been as thoroughly scrutinized by security experts as Windows has, so it's very well possible that Windows is more secure by now, regardless of its starting position. However, we will never know that, because of the first point.
Please correct me if I got my facts wrong.
I've been following Mac news for about 3ish years since I switched. It seems that on the run-up to the Vista release there has been a bit of a spike in "Macs aren't as secure as you think" articles. Is this a stealthy "Get the facts" campaign?....
The Root My Mac mini event you mention was a fraud and was demonstrated to be so at the time. The hacker was given an account on the machine. While it was pitched and reported as being a "remote exploit", the "hacker" was given SSH access to the machine, so what he really did was have full run of a local machine.
So, come on. While there may be some great examples of OS X vulnerabilities, this is not one.
Amen! Nothing else to add. Go patch your servers and monitor the logs... stop whining about insecure OSes when the real problem is you. YOU!
"based on" is never "is", based on implies changes to varying degrees.
Also, I thought earlier versions of OS X, at some point prior to X.4, they still had a microkernel. I know threads were actually added to the Kernel in X.4.
Having used both, I know OS X is not the same as FreeBSD. I much prefer the FreeBSD system, to be honest, but that's just my not-so-humble opinion.
What part of FreeBSD did Apple use I wonder? I thought userland was still pretty generic across BSD with only minor changes, the filesystem structure resembles that of FreeBSD less than Linux's, and as I said, FreeBSD never used Mach or any other microkernel to my knowledge.
It seems to me it's more of a sibling than a child.
This does not seem to apply to the kernel, however. Apple's kernel programmer documentation (which claims to have been updated on 2006-11-07) says:
"Darwin is based on proven technology from many sources. A large portion of this technology is derived from FreeBSD, a version of 4.4BSD that offers advanced networking, performance, security, and compatibility features. Other parts of the system software, such as Mach, are based on technology previously used in Apple's MkLinux project, in Mac OS X Server, and in technology acquired from NeXT. Much of the code is platform-independent. All of the core operating-system code is available in source form."
Link here:
http://developer.apple.com/documentation/Darwin/Conceptual/KernelProgramming/index.html
If this document is wrong, then Apple are to blame for that, not me.
for security, you have already lost the battle. Staying (relatively) secure involves a few simple steps that most people still won't listen to:
1. Run a firewall and only open what you need to be opened
2. Most importantly: DON'T CLICK ON STUPID SHIT! Don't run seedy programs etc. It's amazing how many Windows users get infected like that
Those obviously won't protect against 100% of threats, but very few things in life are guaranteed.
Emphasis is mine where I find it unbelievable people think that this is "advice". The way the modern computer operating system HMI works is "users click on things". Windows and Mac OS are designed to present the user with an interface to click on things. What in the world kind of advice is it to say "don't click on stuff!"??
Browsing files is normal operation. Browsing web pages is normal user activity. Looking at email is a normal user activity. Clicking on objects presented by the shell is a normal user activity. All of these activities are things users do normally and yet are "dangerous by default" in some systems and require a high level of diligence or more (sometimes expensive) software to handle. Stating stuff like "don't click on bad stuff" shifts the blame away from the vendor and onto the user. I'm not saying the user isn't at fault, but let's not forget the vendor here, since they are equally culpable.
How about this instead: Your computer shouldn't self-destruct doing normal user activities. If your computer does self-destruct doing normal user activities, then it is a bug. Bugs happen in any complex piece of software. What isn't excusable is when the vendor refuses to address the issue. The vendor should fix the flaw. And before you ask, no amount of confirmation dialogs counts as a fix. No amount of "blame the user" is sufficient either.
More specifically: The operating system should handle browsing files without destroying itself. The operating system should be able to handle browsing to web pages without destroying itself. Your operating system should handle looking at email without destroying itself. Your operating system should handle "clicking on stupid stuff" without destroying itself. If the operating system can't handle these nominal activities with a high degree of confidence, then it needs to be redesigned and engineered to do so. This is not an issue with "users being stupid" but a flaw in the design and engineering.
Barring things like "wear", most people would consider a machine that breaks from normal usage as "flawed". But all too often in operating systems, when the machine breaks down when the user performs a normal activity, it isn't the system but the user's fault. How in the world did we get to this state where the responsibility for function is not on the system designer but on the users??
I do get what you mean in that there should be some "common sense", but on the other hand let's not let the vendors get off the hook because of a lack thereof. The user should have some common sense **and** the vendor should provide a system that is robust, just in case the user's judgement slips.
Personally I interpret the article summary as anti-Apple FUD. Everyone has security problems, and everyone can do better. I'm not - at all - trying to say that Apple shouldn't be better. They should. But there are two huge problems that make Windows worlds worse than anything else, and will continue to do so until they're actually fixed... Until then, comparing Windows to OS X in desktop* security is merely FUD.
I. ActiveX. ActiveX is DESIGNED to give a web server full control over your machine. With Flash or Java, even if they're enabled a website can only do stuff if they also exploit a - very rare - flaw in your Virtual Machine. In ActiveX, if you let that control run it can basically do anything. They have some checks to try to block the probably-worst applets, but in the end it runs the code unprotected. Until ActiveX is limited to a VM, it should be totally disabled.
I'd personally guess that this alone accounts for more regular attacks than everything-else-put-together. Don't use ActiveX. And if you're not using ActiveX, there's little reason to use IE...
II. Administrator use is chronic. Basically nobody runs OS X as root or in sudo-d mode. LOTS of people run Windows routinely in Administrator mode, for a few main reasons: 1) Lots of software only runs that way, and switching is a pain. NO user app should need to be root to run. 2) LOTS of software is very hard to install so a non-admin can use it properly, for starters because it only works on the account it was installed into.
I will completely admit that if all the ISVs behaved perfectly 1 & 2 wouldn't be a problem - but it is VERY plausible for Microsoft to exert enough control to make this better for the vast majority of users. Also, I don't believe all these ISVs do it just to be stupid - my guess is that the structure of Windows makes it MUCH easier to do it that way.
3) Lots of software that shouldn't even need admin privs to install does for no good reason. (I presume because of the way DLLs and the registry work they need to modify system folders even if they're only going to run as a local user, but that's definitely a Windows problem that it's structured that way.) And once you give those pieces of software admin privs, they can do anything, like installing themselves as System so you can't kill them even WITH admin privs. All software should be installable with the MINIMUM possible privs. (Obviously system software or a virus checker needs admin privs.)
There are plenty of smaller reasons to be unhappy with Windows security, and I'm not trying to say I love their track record. I didn't address at all the fact that it comes out of the box extremely remote exploitable, (average of ~20 minutes for an unpatched box to be exploited on the internet - and several hours to download the patches!) But those are problems other OSes at least sometimes have and you can make reasonable comparisons. Until the two above are fixed, you shouldn't even COMPARE Windows desktop* security to OS X or Linux.
*Note that I said desktop. While there are some problems, neither of the above super-problems is a server problem. In fact, if you have to choose a server OS, you should probably choose based on what your admin is experienced in; better to have a well-administered box than ANY badly administered box.
That quote doesn't really deny my claim. FreeBSD branched from 4.4BSD, and that's all the quote seems to say.