Apple Issues Patches For 25 Security Holes
TheCybernator writes "Apple today released software updates to plug more than two dozen security holes in its Mac OS X operating system and other software. The free patches are available via the Mac's built-in Software Update feature or directly from Apple's Web site.
All told, today's batch fixes some 25 distinct security vulnerabilities, including a dangerous flaw present in the AirPort wireless devices built into a number of Apple computers, including the eMac, the iBook, iMac, Powerbook G3 and G4, and the Power Mac G4. Apple said computers with its AirPort Extreme wireless cards are not affected.
Earlier this month, Apple released a software update to fix a vulnerability in its wireless router, the AirPort Extreme Base Station. That update and instructions on how to apply it are available at the link."
Apple does it, and they are just staying ahead of the curve and being proactive. Microsoft does it and they released a crappy product that shouldn't have been released until these security holes were fixed.
I predict:
/. doesn't savage Apple the same way it does MS for security holes
- Apple apologist posts explaining that Apple is proactively improving security
- MS defender posts wondering why
- Linux fanbois taunting both
In other words, nothing to see here.
Life needs more saving throws.
Mac: Hi, I'm a mac!
PC: And I'm a PC.
Mac: Steve Jobs just plugged up all my holes
PC: GOODNIGHT! (tapdances off stage)
I don't need no instructions to know how to rock!!!!
Those Apple commercials tell me they don't have security issues?
The remote attacks seem to be coming out of the Kerberos admin daemon distributed by MIT: 3 holes. One hole each in libinfo, portmap, ichat.
sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
As an Apple 'outsider' I'm not certain why this is news.
Is it because these issues/vulnerabilities have been outstanding for a long time? Or perhaps Apple does not patch things often?
It's an honest question, my Ubuntu systems at home have frequent patches rolled out and the staff at work are always talking about another update on their Windows desktops.
Isn't Apple the same?
Ripping a new rectum in the fabric of spacetime.
The "defectivebydesign" tag is intended for use whenever discussing DRM and the way that technology can and will be changed to further restrict or disenfranchise you from using content on your own hardware, even if you are otherwise completely in the clear by your rights as a consumer and citizen of your particular country. It's defective, but it was intentionally designed to be that way.
Not that it's not misused occasionally by idiots and zealots, but there you are.
Microsoft Issues Holes for 25 Security Patches
Moderator hint: a comment is neither "Flamebait" nor "Troll" if it is true.
Why isn't this listed under "HaHa" as well? Not trolling, as much as wondering what the reasoning of that was for. Bias?
"Please, shut up. Just when I think you can't say anything more stupid, you speak again." -Archie Bunker.
Before swiftly moving on to the next slownewsday article summary I noticed something about this one which made me realize just how subtle the differences of opinion of the /. crowd towards MS and Apple can really be shown. Would any article summary on an XP patch care to mention that the patch is 'free'? No. But everybody likes free, so it must be a good thing Apple is doing for us. Is there usually a link to the MS updates in the summary? No. Are there usually subjective comments about MS direction in the market or evility in the summary? Yea. I don't see any flamebait tags for this article... interesting. defectivebydesign. You all make me sick and puke up tiny bits of my hatred for you all that I tried to swallow this morning along with my pride.
JK.
MS sucks.
There's no mention of CVE-2007-1841, a remote DoS against the IPsec daemon racoon.
You know, with his "switcheur" troll post and links to pics of fugly people... Heh heh heh :)
I have bad karma. What do I care what you think?
This is why the whole tags system is worthless. The article has already been placed into one or more sections and has thus been "tagged" by the administrators. You have the title and the article itself to get more information about the article. Having user-applied tags is superfluous and can be misleading - either by accident or on purpose.
Personally I ignore all tags and I think it's a waste of time to have the whole tagging system. Either the moderators should tag the article or there should be no tagging. User-applied tags are just extra fluff that have little relevance to the actual article.
Sapere aude!
Apple is providing some patches for 10.3.9 as well. Good to see that they are still providing security related updates for the previous system.
defectivebydesign
Hey, it shows up on every article about MS updates, let's give Mac the same treatment.
Come on, all you non-fanboys. Get to tagging.
120 characters for a sig? That's bloody useless.
If this was an MS System, we'd now be at SP1.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
http://apple.slashdot.org/comments.pl?sid=231607&cid=18811133
Read that url and its statements and understand this: The Pro Linux/Unix/BSD/MacOS X line of bullshit constantly spouted on slashdot and other very "pro unix and its derivants" sites is not only restricted to the internet, but is also cascading to their advertisements because they know 9/10 folks are not security savvy out there. The bigger the lie you tell, the more apt it is to be believed is what they operate on. If Unix and its progeny were indeed the best platform to use they should have ousted windows dominance 5-8 years ago, and still have not. I wager it is largely because people are not stupid like they probably think and that people will believe anything they read without researching it first and checking opposing views and sources verifying statements like "Unix/Linux/MacOS X/BSD is more secure than Windows". I know that when I shop for any high priced items I do my research, because it is my monies on the line. The reason for this line of b.s. is that the Unix (and its variants) camp is fearful they will be totally phased out at some point imo. They have lost a lot of marketshare to Windows and this trend continues, hence their b.s. campaigns vs. Windows, period. Misinformation? It is as powerful as good information when people don't look deeper and they know it.
They rolled out these patches all at once. But the patches were almost certainly not done all at the same time. That's right, Apple has deliberately left you (and me! although I only have one mac to deal with and it's not my primary machine) vulnerable so that they could roll out a bunch of patches at the same time instead of one at a time. Once again, the methodology commonly used by Linux distributions in which patches are rolled out as soon as they are ready provides greater security than Microsoft or Apple (who do the very same thing.)
Apple's convenience is more important than your security.
"You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
Don't ALL operating systems have holes? I think the only thing different here is that Apple waited until there were a lot found and fixed to release the patch. MS and Apple release patches differently; MS releases them as soon as they can, one at a time usually, while Apple chooses to wait until there are a lot of patches to release it. Not really the best idea, but not the worst for both companies. Not news.
You stated this:
"Windows is, in its default configuration. FreeBSD, Linux and Mac OS X (not to mention a fair few others) aren't." - by nevali (942731) on Friday April 20, @10:30AM (#18811399)
And, do note that the holes found in Apple's MacOS X are remotely exploitable, and had to be patched. Unix derivants ARE just as likely to be exploited by bugs as Windows is, else why did the MacOS X need patchwork, period? BSD based or not, this illustrates that your statement is untrue in & of itself.
(Also, the fact that Apple's commercials insinuate their OS is any more secure than Windows on the television as of late is outright b.s. period, just by the fact they had to issue these patches which this posting on slashdot is about.)
I also have to point out to you that I stated this in my first post, and per my subject line? I stated this to you, so please, read my entire post next time:
"Newsflash: None of them are 100% secure out of the box and require hardening or special builds to be even remotely considered so, if not specialized hand tuning/tweaking for security" - by Anonymous Coward on Friday April 20, @10:03AM (#18811133)
Thanks, and that is so you do not restate what I did as a defense of your words.
The majority of the security holes patched are ones where you would have to be in a very unusual situation for someone to use them to any real effect. That doesn't lessen the fact that these are holes being patched up, mind you. But, if you look closely at what was patched, you'll see a lot of the patches focus on the foundation that OSX is built on (BSD and its respective tools), and most are relatively harmless/hard to use to your advantage flaws.
As others have said, no operating system is bullet proof by any means. All of them are going to require security updates from time to time because it's impossible to catch everything, and security needs change over time as methods of attack change. But, this patch is more like monthly house cleaning than "seriously critical flaw fixing" like you get with the large majority of Windows security patches.
You are who you are, let no one tell you different. But, never close your mind to a new point of view.
Also in the news, Germany surrenders, the War in Europe is over.
and Franco is still dead.
all very newsworthy, it's a sloooowwwww day
A lot of us like the tagging system.
SJW: Someone who has run out of real oppression, and has to fake it.
One problem I have with Apple is that their change logs and what's new on releases and patches are poorly documented if ever. iPod is a good example. I guess you're supposed to apply the 'don't fix it if it ain't broke' approach which is good. But then why does iTunes constantly remind me of available updates? In either case I hope Apple documents their fixes on the computer side a little better. That way I can decide if I need to fix them.
And as for the MS ObiWan Kenfanboys, just because MS has a constant stream of fixes, doesn't make them better. I just saw 6 patches for code I don't use. That it's imperative for the people who do run it to apply these fixes means nothing to me. But chalk it up to at least documenting it so I don't waste time with them.
I care because it is a waste of coding effort and time. I also care because it is being used to misrepresent what the actual article is about. The "defectivebydesign" tag that was being discussed further up in this thread is a good example of that.
How many times have you seen an article tagged with "yes", "no", "maybe" and all other sort of contradictory nonsense. Tags literally mean nothing when this sort of thing happens and they now serve no purpose other than being a kind of high-tech graffiti that gets sprayed onto the article. If people want to comment on the submission then do so in the comments, if you want a quick idea of what the submission is about then read the title, summary, or look at what sections it is in.
Tags as they are now serve no good purpose other than being part of the "Web 2.0" fad that is in vogue right now. I was kind-of hoping that Slashdot wouldn't get sucked into its void.
Sapere aude!
Vista
OS X
Have you ever been to a turkish prison?
"the free patches.."
wow, FREE security patches
How generous of Mr. Jobs.
this is an example of market-speak, an orwellian version of the english language, where the subject (apple) is always made to appear in a favorable light, with every possible action embellished, and every possible flaw minimized.
this might seem like minor carping, until you think about why the word "free" is there. surely you would expect a reputable company, as a matter of course, to stand behind its products and deliver free fixes to flaws; that this is embellished with positive language is perverse.
Given the smug "it's so secure" comments from Mac users, I would agree the 'haha' would be appropriate. However, defectivebydesign insinuates that it is intended to be problematic or broken, and is not appropriate in this case. It's not appropriate in similar cases on MS news articles either, but /. is hardly an unbiased group. Additionally, many people want to lash out at MS, making them a good target. Few people care enough about Apple to give a damn.
34486853790
Connection too slow for X forwarding? Try "ssh -CX user@host"
My work laptop (XP Pro) has developed an aversion to installing Office XP components. I tried to add MS-Access for a special project. In "Add/Remove programs" from the Control Panel it fails silently. From setup.exe on the CD I get this message: "No valid sequence could be found for the set of patches."
This appears to be related to the Microsoft Windows Installer (msi.dll).
Eventually, I tried to uninstall Office XP and start over. The machine refuses to do this with another silent failure. I considered uninstalling msi, but it warns me that every program on the computer may fail to work if I do so. Microsoft lists a large number of registry hacks that might either fix the problem or create a doorstop.
Now I'm looking at starting from a fresh install.
I do not know if the frequency and volume of patches from Microsoft is related, but I am highly suspicious that msi.dll is confused because of this. Microsoft describes Microsoft Windows Installer as "...an installation and configuration service that reduces the total cost of ownership." Not.
But, would you ever want to search for articles about things that are "defectivebydesign?" It's commentary-in-the-tags that caused me to disable them in my profile months ago.
For instance, on any article which poses a question, you can invariably find the tags, "yes," "no," and "maybe." But since they're so often together, they're basically redundant: searching any of them brings up the same articles. Better would be to use the tag, "question." but since all of the questions are titled ASK SLASHDOT, even this is redundant. Best would be to categorize based on the subject of the question, so people looking for questions (and answers) about say, linux wifi networking could search for the tags "linux," and "wifi" under ask.slashdot and find what they're looking for.
Still, even if the tags were working, there wouldn't be a reason to display them by default, since you only really need them for searching. You don't even really need to see them to add them.
Can you be Even More Awesome?!
Notice that those were taken from the SERVER security update? Guess what: portmap is running and the firewall is open for port 111 if an Xserve is exporting NFS. A very common configuration actually.
God help us, we're linking to Krebs now. Your average /.er knows more than that guy.
OK, resume your Apple troll-fest.
I would love to have /. tell us what we as a group use. I have a website and I can look up what percentage of my hits were from each OS and each browser. I think it would be very interesting, it might make a good discussion. Especially on a slow news day (like today).
Actually I'd like to see more discussions about /. itself. I think that the moderation, meta-moderation, and karma systems are fascinating. A bi-annual state of the /. post with feedback about the various systems in place would be a huge value. I expect there will be much more of this sort of reputation system in the future in both online and offline communities and there would be much to learn from /.
-- QED
Unless you patch them with a Feisty Fawn cd, they're still running OS X.
Fortunately there are no automated exploit tools readily available for these Mac vulnerabilities like there are for Windows.
http://blogs.zdnet.com/security/?p=173
So I wonder if this invalidates the contest. This just revealed vulns that aren't patched on the contest machines.
According to http://docs.info.apple.com/article.html?artnum=61798
Apple released a Security Update almost every month in 2005. Less so in 2006, but the 2006 updates were huge (one fixed over 40 flaws, others fixed over 20 each). Face facts - Apple patches their system just as much as does MS and Linux distros (particularly when you normalize for frequency vs size).
-- "I never gave these stories much credence." - HAL 9000
OS X has been in production use for six years. Six years of real-world threats and thorough examinations by security experts.
Compare with XP, which is about the same age. (Secunia does not break down the point releases of OS X.)
The US free market: two halves of a government-granted duopoly are free to set the market price.
It wouldn't be but for the fact that there's a dubious assumption that Mac OS X is bulletproof (or close to it) because Windows machines are always being attacked, and, by-and-large, Macs and GNU/Linux are being left alone.
Every open source OS has security-related patches on a regular basis, including the ones that have a good reputation for security like OpenBSD. So why isn't it news when they release security patches?
Contrary to myth, Mac OS X has vulnerabilities. If you want to know why it hasn't been the target of a concerted hacker attack, you have to look elsewhere than the "Windows is insecure by design, OS X and Unix isn't" stuff that's become the prevailing consensus.
Though not many will admit it, a good reason OSX and the Unices don't suffer as many exploits as Windows does is because they only have a small market share. Once their desktop market shares increase substantially, and I hope to see both Linux and Macs gain a lot on Windows this year, more people will work on exploits, viruses, and other malware on them.
Falcon
Should there be a Law?
It's worth noting that Mac OS 9, which had no security whatsoever, had almost no (or none? The point is I've never come across one) viruses or worms.
Back in the '80s and early '90s the Mac was a fertile breeding ground for viruses, because of the design of the system. Just putting a floppy in the drive was enough to run code. Apple's response to this was to get rid of automatic execution of code fragments on floppies and in resource forks of documents. This was a normal and sane response to a bad design.
If you want to know why it hasn't been the target of a concerted hacker attack, you have to look elsewhere than the "Windows is insecure by design, OS X and Unix isn't" stuff that's become the prevailing consensus.
While the fact that there are more Windows boxes out there, there are several features of Windows that are insecure-by-design that have had a huge impact on Windows security. In particular, the design of Internet Explorer and the integration of the HTML control into the desktop and email programs had an enormous and direct effect on the spread of viruses and worms on Windows machines all out of proportion to their popularity.
Before the release of "Open Desktop", the virus problem on Windows really was manageable without antivirus software. Just following good software hygiene was enough to make viruses a rare problem. Afterwards, I found that simply not allowing the use of IE and Outlook and other components that used the HTML control to display untrusted documents was more effective than antivirus software, because it removed the most common point of entry of new viruses.
The sane response to this would have been to back out the desktop-browser integration and redesign the system so that the right to run unsandboxed code was SOLELY mediated by the application displaying the document. Microsoft, instead, attempted to come up with tighter and tighter heuristics as to when to allow documents out of the sandbox, which boggled my mind then and still boggles my mind now.
There are other problems in the design of Windows that I've discussed before, but this one should be more than enough to make my point, especially after you handed me such a great counterexample.
Huh? Why would "haha" be appropriate?
No Mac users were hurt, no Macs compromised.
When any substantial number of Macs are compromised, that will be the time to say, "haha."
"It is our blasphemy which has made us great, and will sustain us, and which the gods secretly admire in us." - Zelazny
A side effect of code reuse and object orientation is that certain defects may have effects far beyond that originally reported. The full extent of the vulnerability might not be readily apparent to the person fixing the defect or writing the report. With respect to IE on Windows for example, there are many other things that can be affected by these defects, even 3rd party products. Remote / network defects on Windows are even harder to pin down, due to certain common elements in the core Windows services. If anything, Microsoft has historically been guilty of being less than clear when these defects had the potential to affect more than one listener on more than one port, or affect more than one application. It never looked like a coverup to me, though, because it was so inconsistent.
If you mod me down, I shall become more powerful than you could possibly imagine.
ANY security problem is automatically assigned "critical" status. You claim that you know for a fact that Apple never releases any information on their security problems to the public because a source told you that they don't. When it was demonstrated that you were wrong, the voices in your head changed their story. Apple almost always waits until the next build to fix security problems. They can get away with this because there is never any press stories calling attention to flaws. Microsoft being more proactive releases critical updates within hours of problems being discovered. Of course Apple is not going to publicize the newest security problems because they don't like to release patches but rather new builds. Apple released a document with security updates. If you can't find a MS document just as easily, then how can you say that MS is more forthcoming with their information? I have not even tried and will not try. I don't waste time on Macer boondoggle requests. You're pretending that MS has better security - in spite of the fact that even Microsoft disagrees with you. You are the pretender here. Pretending to have a healthy brain.
Windows market share didn't increase several thousand percent in 1997. What increased Windows virus load so dramatically in 1997 was the desktop-browser integration.
:(
Which is still in there.
If you avoid using browsers and mail software using the HTML control, your exposure to malware drops dramatically.
Microsoft seems to have noticed this... Outlook 2007 doesn't use the HTML control. Hopefully this will lead to fewer email worms as it's taken up. Unfortunately the pushback from the "how dare you stop me from making your email look like a web page" crowd may lead to Microsoft backing down on this, or duplicating the same kinds of security holes in the new rendering engine to keep them happy.