Slashdot Mirror


Apple Releases 31 Security Fixes

Agram writes, "This week Apple has released fixes for 31 vulnerabilities in its OS, although reportedly a number of known flaws remain un-addressed (according to the instigator of the Month of Kernel Bugs, 'Apple hasn't fixed any of the bugs published during [MoKB], except for the AirPort issue'). Earlier this year, in a move reminiscent of Microsoft's past patching faux pas, Apple released a 'fix' the installation of which broke features unrelated to the targeted flaw. With the growing number of low-level flaws, one has to wonder if Apple's 'more secure' argument still stands. Earlier this month, Microsoft released 6 fixes. Linux does not seem to fare much better. Despite all of these fixes, exploits remain in the wild for each platform. Perhaps, security-wise, the OS choice really boils down to a 'pick-your-poison X user-base' equation?"

15 of 319 comments

  1. Slashdot by pubjames · · Score: 5, Insightful

    Dear Slashdot editors,

    your readers are all technically literate. Please don't post stories where dumb ideas like "how secure an operating system is = number of potential security holes fixed". That kind of stuff is for pointy haired bosses, not technically literate people.

    Thanks!

  2. Please by daveschroeder · · Score: 5, Insightful

    The issue is having an actual usable vector for mass-propagation, resulting in the massive downtime and recovery time, billions of dollars of lost productivity, and tens of thousands of man-hours in remediation. That's not to say no one could ever find some suitable vector for propagation that can strike large numbers of Mac OS X users effectively; just that it's very unlikely for a variety of reasons, not the least of which is that these days, most Mac OS X computers aren't exposed in such a way that anything could effectively spread en masse remotely without user interaction.

    Almost everything relies on some form of user interaction, and yes, these things are still bad, especially ones that take advantage of some shortcoming in the OS. What's laughable about the submission is that it makes it look like it's "bad" that Apple fixed oh-so-many vulnerabilities, and then complains that it's not fixing enough. Apple does fix issues reported to them, period. And yes, we all have stories about this or that outstanding bug or vulnerability that is still open, but Apple has markedly, hugely improved, mostly because of listening to feedback from customers, particularly enterprise customers, in the security arena. It does have a way to go, and whether or not any fix is "fast enough" will always be subjective.

    No one sane ever said Mac OS X was invulnerable. It has bugs and vulnerabilities like any OS. Apple responds to them. Someone will always think they're not responding fast enough, or correctly, or what have you, but the fact remains that Mac OS X has been on the market for over 5 years, and there has yet to be any substantial issue that has been exploited on any scale. And no, it's not exclusively because of marketshare.

    1. Re:Please by daveschroeder · · Score: 5, Insightful

      I don't care if the "average Mac user" thinks that Mac OS X has no bugs, is invulnerable to everything, and will dance a jig if they ask.

      Effectively, for almost all desktop users in any environment, Mac OS X is much more secure, much less attacked, and much safer to use from a malware perspective, for almost all average users, period. Some of the reasons are due to marketshare, some are helped in part by marketshare, some are because of architectural decisions, and some are a mix of multiple reasons. But regardless of what someone "thinks", Mac OS X is still a manifestly safer OS for an "average user", and there is simply no disputing that.

      If you want to get people to understand that even Mac OS X has bugs, great. (Duh?) If you simply want to make stupid people no longer stupid, that probably won't work. The average person doesn't care. All the average person knows, when they make the switch for example, is that their Windows box was packed with spyware and adware and then "got slow" and had multitudes of typical Windows problems that typical people have, and they don't have the same problems with their Mac.

      Do Macs have problems and bugs and vulnerabilities? Yes. Will anyone win the pissing match of "which one is better" when it's not done for any reason other than to be a pissing match, like this article seems to be doing? No.

  3. Re:Attacks Still Low by femtoguy · · Score: 5, Insightful

    I think that it is pretty simple. It is not the number of security bugs that is the issue, it is their severity, and their remote exploitability. Despite the statistics from the article, my department (which has 500 computers, with a mix of WindowsXP, OSX and Linux) has had not a single security breach of a Linux or OSX system, but lots of breaches of Windows systems. Part of it is that the OSX and Linux security problems are situations where a local user can escalate his privileges, something which is serious, but does not necessarily cause security problems. The other part of it is that the worst WindowsXP security breaches come through ad- and spy-ware that come from routine web surfing. This is not considered a bug in WindowsXP (if we just classed ActiveX and IE as security problems, we would have to list that as a WindowsXP bug every month/day/week, and the numbers would change pretty quickly).

    Anyway, as we all know, don't trust statistics because 82.35% of statistics are made up on the spot.

  4. You know what, you're right! by NoMoreNicksLeft · · Score: 4, Funny

    My linux laptop is all crudded up with 9000 spyware bonzi buddy applets, and my OSX work machine was just discovered to be a spam zombie spewing out half a billion UBE's per week.

    Bad, Apple, bad. *thwacks Apple with rolled up newspaper*

    Don't break any fixes anymore, you're supposed to be perfect.

  5. Re:If you are depending solely on your choice of OS by nadamsieee · · Score: 4, Insightful

    for security, you have already lost the battle. Staying (relatively) secure involves a few simple steps that most people still won't listen to:

    They shouldn't have to listen; the system should be designed for security from the ground up.

    2. Most importantly: DON'T CLICK ON STUPID SHIT! Don't run seedy programs etc. It's amazing how many Windows users get infected like that

    Relying on user education is #5 on the Six Dumbest Ideas in Computer Security.

  6. Re:I predict... by NoMoreNicksLeft · · Score: 4, Funny

    All 3 of them?

  7. pfft. quantity of fixes means nothing by Tom · · Score: 4, Insightful

    I fixed over 50 bugs in my web-game during the past two days. Does that mean I'm less secure than windos?

    These numbers mean nothing at all.
    First, it's the number of fixed bugs, not of existing bugs. If product A has 500 holes and fixes 5 of them, and product B has 50 holes and fixes 10 of them - these dumbwit journalists would tell you that product A is more secure.

    Two, quantity alone means nothing. If product A has 5 remote root holes and product B has 20 spelling bugs - these dumbwit journalists would tell you that product A is more secure.

    The worst thing is that they get paid for producing this kind of misinformation. No, wait - the worst part is that there are lots of people out there who don't know technology and actually believe that crap.

    --
    Assorted stuff I do sometimes: Lemuria.org

  8. Mac OS X is still more secure, BY FAR. by Caspian · · Score: 4, Informative

    "With the growing number of low-level flaws, one has to wonder if Apple's 'more secure' argument still stands."

    No, no, one doesn't.

    Number of Windows machines I've had to painstakingly remove highly virulent spyware/adware from: Dozens.
    Number of Mac OS X machines I've had to painstakingly remove highly virulent spyware/adware from: ZERO.

    This is far more than just anecdotal evidence; this is how things go in the real world. In the real world, 50+% of Windows machines are badly infected by spyware, and 0% of Mac OS X machines.

    ZERO.

    By far the most prevalent security and stability breaches "in the wild" are not rootkits or remote exploits... they're spyware and viruses, both of which are virtually exclusively Windows issues. You can claim that this is mostly or wholly due to the overwhelming dominance of Windows over all other operating systems (in terms of "market share"), but the fact remains.

    Until I start getting calls from blue-haired grandmas to hand-pick bits of Hotbar and Bonzibuddy and porno pop-up daemons out of their Macs, I won't buy the "Macs aren't any more secure than Windows" FUD. And neither should you!
    --
    With spending like this, exactly what are "conservatives" conserving?

  9. Exactly by sterno · · Score: 5, Insightful

    If an exploit does nothing more than let you play solitaire someplace you shouldn't, then it doesn't matter. And the thing is, even if OS X is only as secure as Windows (which I'd dispute), it's still good for overall security of the Internet. One of the biggest problems with the Internet today is that if 95% of the computers run one operating system, it becomes easier to write exploits that affect the majority of people.

    On the other hand, if 50% of the people were running OS X, then no exploit could harm more than half the people at any given time. So in the long run, perversely, OS X is beneficial to the security of Windows.

    --
    This sig has been temporarily disconnected or is no longer in service

  10. Re:If you are depending solely on your choice of OS by dal20402 · · Score: 4, Insightful

    Almost no regular user is thinking about the security implications of his or her computer use. Therefore, the OS designer should do it for them, to prevent damage to other users.

    If they are sophisticated enough to think about security at every step, power users can disable or change security features manually.

    A computer, to most people, is a tool to write stuff, communicate, and have fun. It's not, in their minds, a tool to promote security. So why not have the machine be as secure as possible automatically?

  11. Re:Attacks Still Low by Anonymous Coward · · Score: 5, Informative

    Any program files that might have a negative impact on the OS X system must be authorized with the Admin password.

    Wrong. The attacker can simply use a privilege escalation exploit.

  12. Re:Attacks Still Low by OS24Ever · · Score: 4, Informative

    I'm sorry but I don't agree with this marketshare thing.

    If someone is standing on the corner going 'neener neener you can't hit me' someone out of spite regardless of any reward is going to do it. The fact that they've been touting they can't be hacked for several years now and they still haven't been hacked says to me that it's not easy to do/not able to be done as easily as it is on Windows.

    Plus a lot of the 'security' problems don't focus on the exploits of IE and simple browsing hijacking your system with crap. That's the largest problem facing most IT departments that I've run across in the last year or two, not the OS itself being hacked but something stupid the browser does destroying the system.

    --

    As a rock-and-roll Physicist once said, No matter where you go, there you are.

  13. Re:Attacks Still Low by kestasjk · · Score: 4, Insightful

    A script kiddie can completely take over a critical windows server.

    Did you read about the security vulnerabilities? They're practically all privilege escalation! Remember root-my-mac-mini? The script kiddie that breached OS X was probably using one of these vulnerabilities then, six months ago.

    THAT is the biggest reason. Unixes run far more of the internet than windows does, making it a prime target for someone who wants to cause trouble or steal information.

    Your argument seems to be that OS X runs on loads of servers, which makes it a great target. First off it doesn't run on loads of servers, it has no presence in the server market. Second the vulnerabilities are mostly all in WiFi drivers, PPPoE code, and Safari. Why would hackers going after servers be looking in client code?

    Also you can only apply the fixes to 10.3 and 10.4. Never mind <10.3 users, they can pay $99 for security, and never mind if they have a machine which won't run 10.3, they can buy a new Mac. This is like MS charging for SP1.

    If MS came out with a massive load of critical security fixes like this, which had all been around for ages and in use by hackers, they would be quite rightly ridiculed. When Apple comes out with this disgrace
    • "You can't go by numbers of critical vulnerabilities alone, maybe MS patches loads they don't tell us about",
    • "Mac OS X runs the internet, hackers are much more interested in breaking OS X than Windows, which no-one runs",
    • "So what if OS X has had critical, unpatched vulnerabilities which hackers have been exploiting for months? At least OS X doesn't have spyware and viruses!"

    I wish I was exaggerating but people really are posting these; it's bizarre the double standards some people on Slashdot have. We should at least like and dislike Apple and Microsoft for the right reasons, there are many reasons to prefer Apple but security just isn't one of them.
    --
    // MD_Update(&m,buf,j);

  14. Re:Attacks Still Low by RAMMS+EIN · · Score: 4, Insightful

    ``A script kiddie can completely take over a critical windows server. It's far harder to get your code executed as admin or with admin privileges on a linux, unix, or OSX machine.''

    Yes, because buffer overflows are so much harder to exploit on non-Windows OSes, and it's so much harder to get someone to type "sudo make install" than to get them to do the equivalent on Windows.

    --
    Please correct me if I got my facts wrong.