Slashdot Mirror
Apple Releases 31 Security Fixes
Agram writes, "This week Apple has released fixes for 31 vulnerabilities in its OS, although reportedly a number of known flaws remain un-addressed (according to the instigator of the Month of Kernel Bugs, 'Apple hasn't fixed any of the bugs published during [MoKB], except for the AirPort issue'). Earlier this year, in a move reminiscent of Microsoft's past patching faux pas, Apple released a 'fix' the installation of which broke features unrelated to the targeted flaw. With the growing number of low-level flaws, one has to wonder if Apple's 'more secure' argument still stands. Earlier this month, Microsoft released 6 fixes. Linux does not seem to fare much better. Despite all of these fixes, exploits remain in the wild for each platform. Perhaps, security-wise, the OS choice really boils down to a 'pick-your-poison X user-base' equation?"
It's no secret ... There are more Windows boxes in sensitive areas (servers, etc.) than Macs. Focusing on Windows is more bang-for-the-buck....
for security, you have already lost the battle. Staying(relatively) secure involves a few simple steps that most people still won't listen to:
1. Run a firewall and only open what you need to be opened
2. Most importantly: DONT CLICK ON STUPID SHIT! Don't run seedy programs etc. It's amazed how many Windows users get infected like that
Those obviously won't protect against 100% of threats, but very few things in life are guarenteed.
Monstar L
Perhaps Steve Jobs doesn't invoke the same "I'm gonna get him!" feeling in the black hats that Bill Gates does. Or maybe it's that darn reality distortion field...
The determined Real Programmer can write Fortran programs in any language.
Dear Slashdot editors,
your readers are all technically literate. Please don't post stories where dumb ideas like "how secure an operating system is = number of potential security holes fixed". That kind of stuff is for pointy haired bosses, not technically literate people.
Thanks!
The issue is having an actual usable vector for mass-propogation, resulting in the massive downtime and recovery time, billions of dollars of lost productivity, and tens of thousands of manhours in remediation. That's not to say no one could ever find some suitable vector for propagation that can strike large numbers of Mac OS X users effectively; just that it's very unlikely for a variety of reasons, not the least of which is that these days, most Mac OS X computers aren't exposed in such a way that anything could effectively spread en masse remotely without user interaction.
Almost everything relies on some form of user interaction, and yes, these things are still bad, especially ones that take advantage of some shortcoming in the OS. What's laughable about the submission is that it makes it look like it's "bad" that Apple fixed oh-so-many vulnerabilities, and then complains that it's not fixing enough. Apple does fix issues reported to them, period. And yes, we all have stories about this or that outstanding bug or vulnerability that is still open, but Apple has markedly, hugely improved, mostly because of listening to feedback from customers, particularly enterprise customers, in the security arena. It does have a way to go, and whether or not any fix is "fast enough" will always be subjective.
No one sane ever said Mac OS X was invulnerable. It has bugs and vulnerabilities like any OS. Apple responds to them. Someone will always think they're not responding fast enough, or correctly, or what have you, but the fact remains that Mac OS X has been on the market for over 5 years, and there has yet to be any substantial issue that has been exploited on any scale. And no, it's not exclusively because of marketshare.
That and it's far FAR easier to get admin access for your app or bug-exploit in a windows machine than any other OS based machine.
A script kiddie can completely take over a critical windows server. It's far harder to get your code executed as admin or with admin priviliges on a linux,unix,or OSX machine.
THAT is the biggest reason. Unixes run far more of the internet than windows does, making it a prime target for someone who wants to cause trouble or steal information.
Do not look at laser with remaining good eye.
First of all whats the URL for Linux? and second what's a URL?
I think that it is pretty simple. It is not the number of security bugs that is the issue, it is their severity, and their remote exploitability. Despite the statistics from the article, my department (which has 500 computers, with a mix of windowsXP, OSX and Linux) has had not a single security breach of a Linux or OSX system, but lots of breaches of Windows systems. Part of it is that the OSX and Linux security problems are situations where a local user can escalate his priveledges, something which is serious, but does not necessarily cause security problems. The other part of it is that the worst WindowsXP security breaches come through ad- and spy-ware that come from routine web surfing. This is not considered a bug in WindowsXP (if we just classed ActiveX and IE as security problems, we would have to list that as a windowsXP bug every month/day/week, and the numbers would change pretty quickly).
Anyway, as we all know, don't trust statistics because 82.35% of statistics are made up on the spot.
My linux laptop is all crudded up with 9000 spyware bonzi buddy applets, and my OSX work machine was just discovered to be a spam zombie spewing out half a billion UBE's per week.
Bad, Apple, bad. *thwacks Apple with rolled up newspaper*
Don't break any fixes anymore, you're supposed to be perfect.
The main point they should make is that OpenBSD doesn't bundle in lots of other software packages.
... as Apple patched 31 vulnerabilities, but most of them were not part of the OS (applications like FontBook and FontImporter) and not even maintained by Apple (like OpenSSL, PHP, Samba, perl).
Therefore, they don't have people saying 'fixes for 31 vulnerabilities in its OS'
Build it, and they will come^Hplain.
All 3 of them?
The days of cracking just for "fun" or "reputation" are mostly over. Malware is driven by money now. Botnets, and spyware are the name of the game. No point in disabling ("owning") computers with malicious code when you can just silently commandeer them to make money. A lot of the malware spreading requires user intervention, which requires a mass audience, and a targeted spreading mechanism (e-mail is still the #1 way to spread).
I fixed over 50 bugs in my web-game during the past two days. Does that mean I'm less secure than windos?
These numbers mean nothing at all.
First, it's the number of fixed bugs, not of existing bugs. If product A has 500 holes and fixes 5 of them, and product B has 50 holes and fixes 10 of them - these dumbwit journalists would tell you that product A is more secure.
Two, quantity alone means nothing. If product A has 5 remote root holes and product B has 20 spelling bugs - these dumbwit journalists would tell you that product A is more secure.
The worst thing is that they get paid for producing this kind of misinformation. No, wait - the worst part is that there are lots of people out there who don't know technology and actually believe that crap.
Assorted stuff I do sometimes: Lemuria.org
From the blurb: Linux (if you need a URL for Linux, you are probably at this site by mistake)
Fantastic! So what the poster is saying is that "If you're on slashdot and you're not a Linux geek you're out of place here".
Out of place as in not welcome for the most part too considering some of the groupthink that goes on.
Just try to get a valid, non-snobbish answer to a n00b Linux question around here. I dare you. Just like the snobs on #Linux. Try it there and you'll get the same.
The day I decided that Linux wasn't for me was the day I went to #Linux and asked for the name of a good distro a n00b could run without pulling out his hair. The response was directing me to DistroWatch or some-such site with nothing more than a list of distros. Out of 40 people this is the lone answer I got.* Great. And yet Linux users still claim Joe Sixpack is welcome to try to adopt? It sounds more like throwing down the gauntlet as opposed to inviting him in.
* Later I tried DSL and Mepis. While I found nothing "wrong" with them I do find overall Linux support lukewarm at best and I don't have the problems with windows that most claim to have. I just don't see a reason to switch yet. Maybe in a few more years when some of the zealots mature a bit and realize that supporting a product is more than just shouting "OMFG~! It's the best, if you don't like it you're just a fucktard!!11!!" and start producing apps a little bit better than Gimp I'll give it another go.
No, no, one doesn't.
Number of Windows machines I've had to painstakingly remove highly virulent spyware/adware from: Dozens.
Number of Mac OS X machines I've had to painstakingly remove highly virulent spyware/adware from: ZERO.
This is far more than just anecdotal evidence; this is how things go in the real world. In the real world, 50+% of Windows machines are badly infected by spyware, and 0% of Mac OS X machines.
ZERO.
By far the most prevalent security and stability breaches "in the wild" are not rootkits or remote exploits... they're spyware and viruses, both of which are virtually exclusively Windows issues. You can claim that this is mostly or wholly due to the overwhelming dominance of Windows over all other operating systems (in terms of "market share"), but the fact remains.
Until I start getting calls from blue-haired grandmas to hand-pick bits of Hotbar and Bonzibuddy and porno pop-up daemons out of their Macs, I won't buy the "Macs aren't any more secure than Windows" FUD. And neither should you!
With spending like this, exactly what are "conservatives" conserving?
If an exploit does nothing more than let you play solitare someplace you shouldn't, then it doesn't matter. And the thing is, even if OS X is only as secure as Windows (which I'd dispute), it's still good for overall security of the Internet. One of the biggest problems with the Internet today is that if 95% of the computers run one operating system, it becomes easier to write exploits that affect the majority of people.
On the other hand, if 50% of the people were running OS X, then no exploit could harm more than half the people at any given time. So in the long run, perversely, OS X is beneficial to the security of Windows.
This sig has been temporarily disconnected or is no longer in service
Perhaps, security-wise, the OS choice really boils down to a 'pick-your-poison X user-base' equation?
Yeah, like, everyone knows that all OSes are, like, equal in all respect. It's not like they were designed differently or anything. It's all just 1s and 2s anyway. Every computer gets cloggged up with worms, viruses, and malware. It's just that there are more Windows users out there, and the Mac users just keep quiet about their virus infestations, so they can keep the Sacret Cult of the Mac going strong. I know plenty of Mac users who have to do clean installs all the time because their machines get so clogged up with worms and viruses. All of these whiners talk like that's not true!
Read the EFF's Fair Use FAQ
Any program files that might have a negative impact on the OS X system must be authorized with the Admin password.
Wrong. The attacker can simply use a privilege escalation exploit.
``With the growing number of low-level flaws, one has to wonder if Apple's 'more secure' argument still stands.''
It never did. First of all, you can't compare security of operating systems, because you can't eliminate bias from your tests. Secondly, Apple's OS is closed source, which you can never trust. Thirdly, much of the OS is written in unsafe languages (particularly C, C++, and, perhaps, Objective C - I don't know if the last is unsafe), and thus, the statistical probability that it will contain security holes is high. Finally, I don't think Mac OS X has been so thouroughly scrutinized by security experts as Windows has, so it's very well possible that Windows is more secure by now, regardless of it's starting position. However, we will never know that, because of the first point.
Please correct me if I got my facts wrong.
I'm sorry but I don't agree with this marketshare thing.
If someone is standing on the corner going 'neener neener you can't hit me' someone out of spite regardless of any reward is going to do it. The fact that they've been touting they can't be hacked for several years now and they still haven't been hacked says to me that it's not easy to do/not able to be done as easily as it is on Windows.
Plus a lot of the 'security' problems don't focus on the exploits of IE and simple browsing hijacking your system with crap. That's the largest problem facing most IT departments that I've run across in the last year or two, not the OS itself being hacked but something stupid the browser does destroying the system.
As a rock-in-roll Physicist once said, No matter where you go, there you are.
Your argument seems to be that OS X runs on loads of servers, which makes it a great target.. First off it doesn't run on loads of servers, it has no presence in the server market. Second the vulnerabilities are mostly all in WiFi drivers, PPPoE code, and Safari. Why would hackers going after servers be looking in client code?
Also you can only apply the fixes to 10.3 and 10.4. Never mind <10.3 users, they can pay $99 for security, and never mind if they have a machine which won't run 10.3, they can buy a new Mac. This is like MS charging for SP1.
If MS came out with a massive load of critical security fixes like this, which had all been around for ages and in use by hackers, they would be quite rightly ridiculed. When Apple comes out with this disgrace
I wish I was exaggerating but people really are posting these; it's bizarre the double standards some people on slashdot have.. We should at least like and dislike Apple and Microsoft for the right reasons, there are many reasons to prefer Apple but security just isn't one of them.
// MD_Update(&m,buf,j);
Er, no, his argument was that Unix runs on lots of servers, not OSX.
Wow, in that case I'm gonna have to cut down on the coffee because I'm having powerful hallucinations every time I walk into my server room...
One should never throw the letter Q into a privet bush.
``A script kiddie can completely take over a critical windows server. It's far harder to get your code executed as admin or with admin priviliges on a linux,unix,or OSX machine.''
Yes, because buffer overflows are so much harder to exploit on non-Windows OSes, and it's so much harder to get someone to type "sudo make install" than to get them to do the equivalent on Windows.
Please correct me if I got my facts wrong.
I remember root-my-mac-mini - the whole thing was a sham - the guy was giving out SSH accounts to the machine and the "local" user was just using a privilege escalation to get more rights. Granted, its a bug that needs fixing - but giving out logins to anonymous users on the internet isn't something I'm in the habit of.... not after last time..... damn squirrels.....
Or, more importantly, the cracker is more likely to have a Windows box kicking around to practice on. A Linux box is also likely. A PowerPC Mac, however, was not. With the Intel switch, it is possible for a cracker to install a pirate copy of OS X in a VM or on a spare machine and do whatever they like to it, so this level of 'protection' goes away. It will be interesting to see what effect this has.
I am TheRaven on Soylent News
Personally I interpret the article summary as anti-Apple FUD. Everyone has security problems, and everyone can do better. I'm not - at all - trying to say that Apple shouldn't be better. They should. But there are two huge problems that make Windows worlds worse than anything else, and will continue to do so until they're actually fixed... Until then, comparing Windows to OS X in desktop* security is merely FUD.
I. ActiveX. ActiveX is DESIGNED to give a web server full control over your machine. With Flash or Java, even if they're enabled a website can only do stuff if they also exploit a - very rare - flaw in your Virtual Machine. In ActiveX, if you let that control run it can basically do anything. They have some checks to try to block the probably-worst applets, but in the end it runs the code unprotected. Until ActiveX is limited to a VM, it should be totally disabled.
I'd personally guess that this alone accounts for more regular attacks than everything-else-put-together. Don't use ActiveX. And if you're not using ActiveX, there's little reason to use IE...
II. Administrator use is chronic. Basically nobody runs OSX in root or sudo-d mode. LOTS of people run Windows routinely in Administrator mode, for a few main reasons: 1) Lots of software only runs that way, and switching is a pain. NO user app should need to be root to run. 2) LOTS of software is very hard to install so a nonAdmin can use it properly, for starters because it only works on the account it was installed into.
I will completely admit that if all the ISVs behaved perfectly 1 & 2 wouldn't be a problem - but it is VERY plausible for Microsoft to exert enough control to make this better for the vast majority of users. Also, I don't believe all these ISVs do it just to be stupid - my guess is that the structure of Windows makes it MUCH easier to do it that way.
3) Lots of software that shouldn't even need admin privs to install does for no good reason. (I presume because of the way DLLs and the registry work they need to modify system folders even if they're only going to run as a local user - but that's definitely a Windows problem that it's structured that way.) And once you give those pieces of software admin privs, they can do anything - like installing themself as System so you can't kill them even WITH admin privs. All software should be installable with the MINIMUM possible privs. (Obviously system software or a virus checker needs admin privs.)
There are plenty of smaller reasons to be unhappy with Windows security, and I'm not trying to say I love their track record. I didn't address at all the fact that it comes out of the box extremely remote exploitable, (average of ~20 minutes for an unpatched box to be exploited on the internet - and several hours to download the patches!) But those are problems other OSes at least sometimes have and you can make reasonable comparisons. Until the two above are fixed, you shouldn't even COMPARE Windows desktop* security to OS X or Linux.
*Note that I said desktop. While there are some problems, neither of the above super-problems is a server problems. In fact, if you have to choose a server OS, you should probably choose based on what your admin is experienced in - better to have a well administered box than ANY badly admined box.
Looking for freelance Actionscript (Flash/Flex) or ColdFusion work and/or freelance developers. Email me, put Slashdot
99% of all windows users run as admin. 100% of all windows server administrators log in with a admin level account and do lots of things as admin they they should not.
99% of the things malware wants to do, do not require elevated privileges.
NO APP NEEDS WRITE ACCESS TO THE C:/WINDOWS directory... NONE! yet the microsoft morons designed it that way because of the stupid registry.
Broken application that require write access to Windows system areas are 100% the fault of the app developer. It's got *nothing* to do with Microsoft.
No developer has had an excuse for releasing software that writes to places like C:\Windows for ca. 7 - 8 years.
Let's ignore the fact that most services under Unix lately do not run at the system level but under a protected user that does not have ADMIN access... but hey you were hoping that nobody noticed that.
Like modern Windows services do, you mean ?
Windows web server, buffer overflow = admin access. Linux web server, buffer overflow = user acces. Big different there. granted if you are silly and let apache user read the shadow passwords file your fault for not setting up security right.
IIS runs as its own user. A buffer overflow only nets you the privilege level of that user.
In my last job, I had to support Mac OS 10.2 clients and servers. It was a nightmare as there is a severe problem with samba in OS X server which would easily cause a DOS attack on the box. I had to disable access to windows clients which were primarily IT and accounting employees. Apple has a terrible patch policy. I feel that they are a large enough company to release patches at least 2 versions back considering they like to do a release every 1-1.5 years. Imagine if Microsoft released a new vista every year. That would be a support nightmare. Of course Microsoft can't even get a start menu change done in a year...
Apple can develop great products, but they sure can't support them very long. Someone at apple needs to learn about maintaining software. Essentially you have to pay for security patches every two to three years. I end up running the latest OS release because safari and a few other things rarely see patches once its a version behind.
Before someone points out that apple is smaller than Microsoft, consider that smaller companies and groups maintain patches to their linux distros for far longer than Apple does with a commercial OS. I suppose some projects have worse policies... for instance FreeBSD EOL'd a bunch of stuff recently. I'm not in a position to back port patches when I get a few releases done with MidnightBSD yet since I don't have many developers. Apple does have developers.
MidnightBSD: The BSD for Everyone