Slashdot Mirror
Apple Issues Patches For 25 Security Holes
TheCybernator writes "Apple today released software updates to plug more than two dozen security holes in its Mac OS X operating system and other software. The free patches are available via the Mac's built-in Software Update feature or directly from Apple's Web site.
All told, today's batch fixes some 25 distinct security vulnerabilities, including a dangerous flaw present in the AirPort wireless devices built into a number of Apple computers, including the eMac, the iBook, iMac, Powerbook G3 and G4, and the Power Mac G4. Apple said computers with its AirPort Extreme wireless cards are not affected.
Earlier this month, Apple released a software update to fix a vulnerability in its wireless router, the AirPort Extreme Base Station. That update and instructions on how to apply it are available at the link."
The truth is more Apple is willing and able to patch its software in a timely manner, while Microsoft waits for big chunk updates and service packs to do it.
"Slashdot, where telling the truth is overrated but lying is insightful."
Why isn't this listed under "HaHa" as well? Not trolling, as much as wondering what the reasoning of that was for. Bias?
"Please, shut up. Just when I think you can't say anything more stupid, you speak again." -Archie Bunker.
The remote attacks seem to be coming out of the Kerebros admin daemon distributed by MIT 3 holes.
That's the beauty of Open Source (from Apple's POV).
When things go well: Hey - look at us! We 'support' OSS by leveraging all that free software.
When things go bad: Oh well - it's MIT's software! Not ours...
Seriously - I for one am really glad that one closed O/S vendorout there lets OSS do the heavy lifting security wise on their products. Apple users are left in a far less leaky boat. Thanks MIT, Thanks FOSS, Thanks Apple!
There are shills on slashdot. Apparently, I'm one of them.
Yeha, that's usually how it happens. Microsoft has holes because the OS supposedly stinks, all other OS's Just patch holes to make their OS even better.
Basically saying, "I'm not screwing the sheep. I'm Merely helping it through the fence."
"Please, shut up. Just when I think you can't say anything more stupid, you speak again." -Archie Bunker.
No, there are no OS's without security issues. Even OpenBSD has had a few. Since Mac OS X uses many open standards / open source components, they benefit from the wide deployment, review, and testing that turns up bugs in that code and generates fixes. In closed OS's, the holes are still there, they just cannot be easily analyzed, so it's mostly the highly motivated "black hat" types that discover them and use them for their devious purposes.
The Mac ads clearly referred to all the viruses, worms, spyware, etc. Which are VERY common on Windows PCs, and for whatever reason, are very uncommon on Macs. (I don't really care why they are not prevalent on Macs, I just care that my MacBook Pro is free of exploits, as are my Linux servers.)
Patched bugs are a good thing. Bugs are practically unavoidable. Unpatched bugs, as evidenced by rampant exploits, are the real problem.
Don't ALL operating systems have holes? I think the only thing different here is that Apple waited until there were a lot found and fixed to release the patch. MS and Apple release patches differently; MS releases them as soon as they can, one at a time usually, while Apple chooses to wait until there are a lot of patches to release it. Not really the best idea, but not the worst for both companies. Not news.
(I tried posting this earlier, but it has disappeared for some reason, weird. Still, gives me the chance to fix some of the language...)
It wouldn't be but for the fact that there's a dubious assumption that Mac OS X is bulletproof (or close to it) because Windows machines are always being attacked, and, by-and-large, Macs and GNU/Linux are being left alone. The assumption is then combined with the false belief that Mac OS X and GNU/Linux distributions have less significant holes.
Windows machines suffer for a variety of reasons, but not really because they have more bugs. It's more the case that a combination of there being a lot of them out in the wild, most of which are "administered" by people who really aren't familiar with the system's internals, not helped by a poor UI which, after Mac OS X and GNOME 2.x, is easily a poor third in the user friendliness/transparent computing front.
It's worth noting that Mac OS 9, which had no security whatsoever, had almost no (or none? The point is I've never come across one) viruses or worms. Users were just more vigilant, and the operating system's transparency (the degree to which the way the system worked was obvious to the end user) meant end users had a better idea of the consequences of their actions. This is a lesson worth noting for those building systems like GNOME: making something secure and user friendly does not mean hiding how it works, it means exposing how it works using legitimate metaphors.
Contrary to myth, Mac OS X has vulnerabilities. If you want to know why it hasn't been the target of a concerted hacker attack, you have to look elsewhere than the "Windows is insecure by design, OS X and Unix isn't" stuff that's become the prevailing consensus. And while that remains the prevailing consensus, the fact Mac OS X (or GNU/Linux) has vulnerabilities will always be news.
You are not alone. This is not normal. None of this is normal.
If you are in charge of a business's IT department, do you want to go through and thoroughly test new patches every few days, or do one test covering multiple patches? Didn't feedback from big IT shops compel MS to release patches in bigger batches with less frequency (hence the introduction of "Patch Tuesday")?
I don't do IT, so maybe releasing 25 fixes at once can require 25 separate test cycles. Anybody care to enlighten me?
Government's idea of a balanced budget: take money from the right pocket to balance...oh who am I kidding?
Not to be to flameable here, but who says they aren't part of botnets? The various Unix flavours and derivatives are the reason why we know what a rootkit is.
As my CS professor said once, "With Windows, you know it's broken right up front, and that you have to take certain steps right away to fix it. such as slap an AV program on. With the various Unix-based OSes, you have to go over every little detail with a fine-toothed comb, putz around in the code, recompile, and all of that other hassle because they put the Root into Rootkit."
If you ask me, the only botnet secure OS is the one not sitting with an allowed/established connection to the internet to begin with. If it's human-created code, it's vulnerable, period.
@Mindless Drivel: 100% of Twitter posts ever Tweeted.
Sigh. Have you ever worked in the software development industry. There is this thing called "testing" that some people find important. If you work on Kereberos and find a bug and patch it, you then test just it before distributing. If you work at Apple or Redhat where you are shipping an entire OS with a bunch of packages, it is impossible to patch and test those patches in conjunction with all other hardware in the same timeframe because you have multiple things to patch at once. Thus, the only real solution s to do it in bundles, where you stick a group of patches together then QA them all at once. This results in longer delays for some fixes, but it also means the patch is actually tested in conjunction with the other patches so one does not break another. Any responsible vendor uses this method for dealing with bugs.
Once again, the methodology commonly used by Linux distributions in which patches are rolled out as soon as they are ready provides greater security than Microsoft or Apple (who do the very same thing.)Individual developers roll out patches and you could have patched your OS X box from them if you felt it was an emergency for you. As for what Linux vendors do, I don't know of any who roll one-off fixes into the stable branch intended for real use, instead of testing patches in bundles. You don't seem to know what you're talking about.
Well, some FOSS supporters on Slashdot are known to equivocate about what "Linux" consists of. When trying to compare functionality with other OS's they consider the entire distro, when comparing stability or security the definition shrinks down to only the kernel.
It means that the designer specifically designed the device to not do something that is normally expected or wanted, or has been designed in such a way as to annoy the user constantly. In other words, they had to work harder to make sure the device did not work. Typical MS things that are defective by design are DRM, Clippy, and that new security thing in Vista that is so annoying.
Ah. So you mean like a media player that can't display full screen videos ?
(It would be interesting to see what you thinkg DR, Clippy and UAC are stopping you doing that is "normally expected", as well.)
Yeah, 'cos patched local privilege escalation vulnerabilities that nobody has bothered to exploit is exactly the same as unpatched remote code-execution vulnerabilities affecting a default installation for which exploits are widely circulated in the wild for nefarious purposes.
If you think the two are the same, it's no wonder you think they're all fanboys.
How is it FUD to call a dangerous flaw dangerous?
I administer a network of 50 systems and the only thing protecting those machines is that I don't allow users to execute downloaded software.
Any program which issued those malformed instructions while claiming to allow the users to punch the monkey or something could install the first OS X backdoor worms, installing them with root privileges then effectively hiding themselves.
This flaw allows exactly the same attack as the P2P "hot_teen_action.mpg.exe" trojan scams on OS X - which is supposed to be secure against that kind of attack because it requires an administrator password to obtain higher than user-level access to the machine.
Telling users that this is serious and dangerous is certainly not spreading FUD, it's just getting them to stop ignoring the Jack Russel Terrier update icon.
The land shall stone them with the bread of his son.
Did you really mean to say that Apple releases patches more often than Microsoft? Because that is just plain wrong.
Because Microsoft has a lot more to patch.