Apple Issues Patches For 25 Security Holes
TheCybernator writes "Apple today released software updates to plug more than two dozen security holes in its Mac OS X operating system and other software. The free patches are available via the Mac's built-in Software Update feature or directly from Apple's Web site.
All told, today's batch fixes some 25 distinct security vulnerabilities, including a dangerous flaw present in the AirPort wireless devices built into a number of Apple computers, including the eMac, the iBook, iMac, Powerbook G3 and G4, and the Power Mac G4. Apple said computers with its AirPort Extreme wireless cards are not affected.
Earlier this month, Apple released a software update to fix a vulnerability in its wireless router, the AirPort Extreme Base Station. That update and instructions on how to apply it are available at the link."
Mac: Hi, I'm a mac!
PC: And I'm a PC.
Mac: Steve Jobs just plugged up all my holes
PC: GOODNIGHT! (tapdances off stage)
I don't need no instructions to know how to rock!!!!
those Apple commercials tell me they don't have security issues?
The remote attacks seem to be coming out of the Kerberos admin daemon distributed by MIT: 3 holes. One hole each in libinfo, portmap, iChat.
sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
As an Apple 'outsider' I'm not certain why this is news.
Is it because these issues/vulnerabilities have been outstanding for a long time? Or perhaps Apple does not patch things often?
It's an honest question, my Ubuntu systems at home have frequent patches rolled out and the staff at work are always talking about another update on their Windows desktops.
Isn't Apple the same?
Ripping a new rectum in the fabric of spacetime.
The "defectivebydesign" tag is intended for use whenever discussing DRM and the way that technology can and will be changed to further restrict or disenfranchise you from using content on your own hardware, even if you are otherwise completely in the clear by your rights as a consumer and citizen of your particular country. It's defective, but it was intentionally designed to be that way.
Not that it's not misused occasionally by idiots and zealots, but there you are.
Microsoft Issues Holes for 25 Security Patches
Moderator hint: a comment is neither "Flamebait" nor "Troll" if it is true.
Got Mod?
Why isn't this listed under "HaHa" as well? Not trolling, as much as wondering what the reasoning of that was for. Bias?
"Please, shut up. Just when I think you can't say anything more stupid, you speak again." -Archie Bunker.
Yeah, that's usually how it happens. Microsoft has holes because the OS supposedly stinks; all other OSes just patch holes to make their OS even better.
Basically saying, "I'm not screwing the sheep. I'm Merely helping it through the fence."
"Please, shut up. Just when I think you can't say anything more stupid, you speak again." -Archie Bunker.
This is why the whole tags system is worthless. The article has already been placed into one or more sections and has thus been "tagged" by the administrators. You have the title and the article itself to get more information about the article. Having user-applied tags is superfluous and can be misleading - either by accident or on purpose.
Personally I ignore all tags and I think it's a waste of time to have the whole tagging system. Either the moderators should tag the article or there should be no tagging. User-applied tags are just extra fluff that have little relevance to the actual article.
Sapere aude!
Apple is providing some patches for 10.3.9 as well. Good to see that they are still providing security related updates for the previous system.
If this was an MS System, we'd now be at SP1.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
Generally when they say 'secure' they mean 'susceptible to attack'.
Windows is, in its default configuration. FreeBSD, Linux and Mac OS X (not to mention a fair few others) aren't.
Some local privilege escalations that nobody beyond a couple of security researchers have paid attention to is nothing compared to the stuff a Windows user has to put up with.
For average Joe on the street who connects his computer to the Internet and browses the web and so forth, the vulnerabilities mean approximately squat.
Don't ALL operating systems have holes? I think the only thing different here is that Apple waited until there were a lot found and fixed to release the patch. MS and Apple release patches differently; MS releases them as soon as they can, one at a time usually, while Apple chooses to wait until there are a lot of patches to release it. Not really the best idea, but not the worst for both companies. Not news.
I think you have totally misunderstood what that tag means. It means that the designer specifically designed the device to not do something that is normally expected or wanted, or has been designed in such a way as to annoy the user constantly. In other words, they had to work harder to make sure the device did not work. Typical MS things that are defective by design are DRM, Clippy, and that new security thing in Vista that is so annoying.
These were bugs, not by design. Apple didn't specifically intend for them to exist, and has now fixed them.
"If you make people think they're thinking, they'll love you; But if you really make them think, they'll hate you." - DM
The majority of the security holes patched are ones where you would have to be in a very unusual situation for someone to use them to any real effect. That doesn't lessen the fact that these are holes being patched up, mind you. But, if you look closely at what was patched, you'll see a lot of the patches focus on the foundation that OSX is built on (BSD and its respective tools), and most are relatively harmless/hard-to-use-to-your-advantage flaws.
As others have said, no operating system is bullet proof by any means. All of them are going to require security updates from time to time because it's impossible to catch everything, and security needs change over time as methods of attack change. But, this patch is more like monthly house cleaning than "seriously critical flaw fixing" like you get with the large majority of Windows security patches.
You are who you are, let no one tell you different. But, never close your mind to a new point of view.
If you are in charge of a business's IT department, do you want to go through and thoroughly test new patches every few days, or do one test covering multiple patches? Didn't feedback from big IT shops compel MS to release patches in bigger batches with less frequency (hence the introduction of "Patch Tuesday")?
I don't do IT, so maybe releasing 25 fixes at once can require 25 separate test cycles. Anybody care to enlighten me?
Government's idea of a balanced budget: take money from the right pocket to balance...oh who am I kidding?
Here we go, another uptight suit fretting that the competition has just improved while their own latest attempt at imitation continues to flop.
Aren't you late for your colonic?
Linux does it, and the guy who found the bug is of course the first to do so.
Lars T.
To the guy who modded me down from perfect to terrible Karma - Apple haters still suck
A lot of us like the tagging system.
SJW: Someone who has run out of real oppression, and has to fake it.
Lars T.
To the guy who modded me down from perfect to terrible Karma - Apple haters still suck
Not to be too flammable here, but who says they aren't part of botnets? The various Unix flavours and derivatives are the reason why we know what a rootkit is.
As my CS professor said once, "With Windows, you know it's broken right up front, and that you have to take certain steps right away to fix it, such as slap an AV program on. With the various Unix-based OSes, you have to go over every little detail with a fine-toothed comb, putz around in the code, recompile, and all of that other hassle because they put the Root into Rootkit."
If you ask me, the only botnet secure OS is the one not sitting with an allowed/established connection to the internet to begin with. If it's human-created code, it's vulnerable, period.
@Mindless Drivel: 100% of Twitter posts ever Tweeted.
Heu!!!! How can you say that they are proactive if the patches fix issues that are already there and they know about them?
Proactive is looking for potential threats in the future and taking steps to correct them before they happen.
They are no more proactive than any other company when it comes to bugs and patches.
>Also, Windows is not the preferred OS for the slashdot crowd.
Is there a poll to this effect? I find that hard to believe.
There's an argument to be made either way. You could argue that it would be better to QA a patch rollup because you only have to do one test. But you could also argue that it's better to be able to test the patches separately so you can apply all the patches that don't bend you over.
"You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
Sigh. Have you ever worked in the software development industry? There is this thing called "testing" that some people find important. If you work on Kerberos and find a bug and patch it, you then test just it before distributing. If you work at Apple or Red Hat where you are shipping an entire OS with a bunch of packages, it is impossible to patch and test those patches in conjunction with all other hardware in the same timeframe because you have multiple things to patch at once. Thus, the only real solution is to do it in bundles, where you stick a group of patches together then QA them all at once. This results in longer delays for some fixes, but it also means the patch is actually tested in conjunction with the other patches so one does not break another. Any responsible vendor uses this method for dealing with bugs.
Once again, the methodology commonly used by Linux distributions in which patches are rolled out as soon as they are ready provides greater security than Microsoft or Apple (who do the very same thing.) Individual developers roll out patches and you could have patched your OS X box from them if you felt it was an emergency for you. As for what Linux vendors do, I don't know of any who roll one-off fixes into the stable branch intended for real use, instead of testing patches in bundles. You don't seem to know what you're talking about.
I don't do IT, so maybe releasing 25 fixes at once can require 25 separate test cycles. Anybody care to enlighten me?
It all depends on the shop, but in general it does. The larger the company, the more likely you are to stage your roll out after a decent testing cycle...or at least that's been my experience. My experience has been that small shops tend to have more variety in the hardware that's out there, so it'd be tougher to get a really good test cycle built and running anyway. It's easier to test a patch, make sure nothing deal-breaking is broken with the patch, and then let it go and mop up afterwards. Large shops tend to have the same base hardware installed across the board (or at least across large segments) AND more places you'd have to personally touch if something breaks. Far better to have the patch in house, give it a decent test, then roll it out.
"It is a miracle that curiosity survives formal education." -Albert Einstein
One problem I have with Apple is that their change logs and what's new on releases and patches are poorly documented if ever. iPod is a good example. I guess you're supposed to apply the 'don't fix it if it ain't broke' approach which is good. But then why does iTunes constantly remind me of available updates? In either case I hope Apple documents their fixes on the computer side a little better. That way I can decide if I need to fix them.
And as for the MS ObiWan Kenfanboys, just because MS has a constant stream of fixes, doesn't make them better. I just saw 6 patches for code I don't use. That it's imperative for the people who do run it to apply these fixes means nothing to me. But chalk it up to at least documenting it so I don't waste time with them.
I care because it is a waste of coding effort and time. I also care because it is being used to misrepresent what the actual article is about. The "defectivebydesign" tag that was being discussed further up in this thread is a good example of that.
How many times have you seen an article tagged with "yes", "no", "maybe" and all other sort of contradictory nonsense. Tags literally mean nothing when this sort of thing happens and they now serve no purpose other than being a kind of high-tech graffiti that gets sprayed onto the article. If people want to comment on the submission then do so in the comments, if you want a quick idea of what the submission is about then read the title, summary, or look at what sections it is in.
Tags as they are now serve no good purpose other than being part of the "Web 2.0" fad that is in vogue right now. I was kind-of hoping that Slashdot wouldn't get sucked into its void.
Sapere aude!
Vista
OS X
Have you ever been to a turkish prison?
It's "shouldn't have," not "shouldn't of". Jackass.
I always wondered just how effective IT testing of patches really is and how often it finds stuff that breaks. What do you do, sit there and run through every menu of every single application that the business runs? Is there some kind of automated test suite you can run? Sounds like a huge, tedious pain in the ass to me. I'm glad I've never had to work anywhere that is so paranoid.
-matthew
"THERE IS NO JUSTICE, THERE IS ONLY ME." -Death
It means that the designer specifically designed the device to not do something that is normally expected or wanted, or has been designed in such a way as to annoy the user constantly. In other words, they had to work harder to make sure the device did not work. Typical MS things that are defective by design are DRM, Clippy, and that new security thing in Vista that is so annoying.
Ah. So you mean like a media player that can't display full screen videos ?
(It would be interesting to see what you think DRM, Clippy and UAC are stopping you doing that is "normally expected", as well.)
Given the smug "it's so secure" comments from Mac users, I would agree the 'haha' would be appropriate. However, defectivebydesign insinuates that it is intended to be problematic or broken, and is not appropriate in this case. It's not appropriate in similar cases on MS news articles either, but /. is hardly an unbiased group. Additionally, many people want to lash out at MS, making them a good target. Few people care enough about Apple to give a damn.
Connection too slow for X forwarding? Try "ssh -CX user@host"
I didn't say that most slashdot users don't use windows. What I said was that they prefer to not use windows. I sympathize with all those who can't use anything else, for whatever reason.
Also, any poll on the subject would be useless. All it would tell us is that CowboyNeal is more popular than Vista.
"Some local privilege escalations that nobody beyond a couple of security researchers have paid attention to is nothing compared to the stuff a Windows user has to put up with."
Yeah, Windows users have to put up with a constant stream of hypocritical double standards by rabid Mac Fanboys on Slashdot...
"But this one goes to 11!"
My work laptop (XP Pro) has developed an aversion to installing Office XP components. I tried to add MS-Access for a special project. In "Add/Remove programs" from the Control Panel it fails silently. From setup.exe on the CD I get this message: "No valid sequence could be found for the set of patches."
This appears to be related to the Microsoft Windows Installer (msi.dll).
Eventually, I tried to uninstall Office XP and start over. The machine refuses to do this with another silent failure. I considered uninstalling msi, but it warns me that every program on the computer may fail to work if I do so. Microsoft lists a large number of registry hacks that might either fix the problem or create a doorstop.
Now I'm looking at starting from a fresh install.
I do not know if the frequency and volume of patches from Microsoft is related, but I am highly suspicious that msi.dll is confused because of this. Microsoft describes Microsoft Windows Installer as "...an installation and configuration service that reduces the total cost of ownership." Not.
Yeah, 'cos patched local privilege escalation vulnerabilities that nobody has bothered to exploit is exactly the same as unpatched remote code-execution vulnerabilities affecting a default installation for which exploits are widely circulated in the wild for nefarious purposes.
If you think the two are the same, it's no wonder you think they're all fanboys.
Almost went there, but it seems shameful to waste mod points on an AC who's clearly trolling. Why mark it as such, when it's so intuitively obvious to the most casual of observers?
And yet none of those remotely-vulnerable services are enabled by default. Indeed, of the three, two of them wouldn't get switched on by the vast majority of Mac users.
Which is somewhat different to, say, the .ANI vulnerability.
An exploit is an exploit is an exploit. I'm not going to bother splitting hairs over that stupid argument. There WERE remote exploits, at least 3 of them. The only reason they aren't "in the wild" yet is because there isn't profit to be had by attacking an OS with less than 5% marketshare.
Let's all be honest - the only "secure" system would be one locked in a room nobody was allowed in ever, and not connected to any other machines. An operating system is just that - nothing magical or special about it. Every OS has flaws, and every OS can also be hardened. It is the techniques that matter, not the underlying OS.
"But this one goes to 11!"
The difference is, no one has exploited the Apple security loopholes yet, while with Microsoft they are reacting after there have already been attacks.
No such opinion appears in the article, and, your comment being the first post, clearly no such opinion has been expressed on Slashdot. So shut the fuck up and sit down.
But, would you ever want do search for articles about things that are "defectivebydesign?" It's commentary-in-the-tags that caused me to disable them in my profile months ago.
For instance, on any article which poses a question, you can invariably find the tags, "yes," "no," and "maybe." But since they're so often together, they're basically redundant: searching any of them brings up the same articles. Better would be to use the tag, "question." but since all of the questions are titled ASK SLASHDOT, even this is redundant. Best would be to categorize based on the subject of the question, so people looking for questions (and answers) about say, linux wifi networking could search for the tags "linux," and "wifi" under ask.slashdot and find what they're looking for.
Still even if the tags were working, there still wouldn't be a reason to display by default, since you only really need them for searching. You don't even really need to see them to add them.
Can you be Even More Awesome?!
Whoa, wait a minute there bucko. Where did I say that Apple does it right? I don't actually own a single Apple product. Not a Mac Mini, not an iPod, nothing. I've thought about an iPod, and a ModBook, and a Mac Mini. But since the first thing I'd do would be to put Kubuntu on the computers, or MP3s on the iPod, it didn't make sense to spend my money that way.
I'll admit it. I used to -really- hate Apple computers. After the IIe, and before OS X, I found nothing I liked about them. I used Windows most of that time, and recently (a couple years ago) switched to Linux for most of my computing needs. (Games! -sigh-)
So no, none of my 'comebacks' are in your list. Here it is instead:
Are you better than the MS-bashers or not? Why would you follow their lead if you are? Just because they mistakenly take MS articles with the wrong tag does not mean that you should do the same to Apple, and it certainly doesn't mean you should attempt to encourage others to.
"If you make people think they're thinking, they'll love you; But if you really make them think, they'll hate you." - DM
So you assert there's no hypocrisy on the part of the Mac fanboys?
120 characters for a sig? That's bloody useless.
Lars T.
To the guy who modded me down from perfect to terrible Karma - Apple haters still suck
You and everyone else missed the point entirely. Linux provides you a patch ASAP, and you have a choice as to when to install it, whereas Apple and Microsoft and just about every other vendor releases patches on their schedule.
Microsoft makes early announcement of vulnerabilities in some cases, so you at least know there is a problem and can devise a workaround.
Apple doesn't tell you shit in almost all cases until the patch is released, so you have no idea you are vulnerable. But the black hats do.
With Linux (etc) someone announces a vuln and a patch is available almost immediately - you would have to compile from source to use it. There is often a listed workaround at this stage. Your distribution will come up with a patch fairly rapidly after that in almost all cases. If you are currently being hit with this vulnerability, then you can apply the patch without testing if you choose to, in situations in which the cure must necessarily be better than the disease. If you are not, then you can start testing, and either deploy when it becomes a problem, or when testing is complete. You could also choose to just do it every week or two or four, which would bring you into parity with the major commercial closed-source vendors.
Linux provides you choice far in excess of both Apple and Microsoft, with no drawbacks.
"You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
How does the availability (or not) of other Quicktime players that aren't defective by design negate the point that Apple's QuickTime Player is defective by design? Ohh, wait, it doesn't - tough luck.
Notice that those were taken from the SERVER security update? Guess what portmap is running and the firewall open for port 111 if an Xserve is exporting NFS. A very common configuration actually.
the difference between Microsoft's way and Apple's way in this case is that Microsoft actually gives you more information about vulnerabilities and is actually less afraid to make themselves look bad than Apple. Maybe that's because Apple operates on looks, and Microsoft operates on lock-in.
Apple has traditionally been and continues to be somewhat sticky on the subject of disclosure.
Regardless, I find the way both of them operate to be shameful.
"You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
He didn't say it wasn't used, only that it wasn't preferred.
The Kruger Dunning explains most post on
Very simple yet surprisingly time consuming :-)
so use iTunes
or better yet, shell out the ca$h for quicktime pro which can do full screen
IMHO the whole defective by design thing is rubbish for both platforms, microsoft doesn't try to make their software buggy they just don't try as hard as some may want to make it more secure.
I also don't get the "nobody wants to hack a mac" argument, I know plenty of people who, if they could, would love to hack a mac just to prove that I'm wrong when I tell them that macs are more secure. People are out there that would hack a mac if they could, just to prove their point. Anyone who can release a large scale mac worm is going to get noticed, but it ain't happened yet. That to me says something about the design being a bit better.
now to find my fire suit before i get flamed
Jayne: "These are stone killers, little man. They ain't cuddly like me."
98% of America's teens drink alcohol, smok
I would love to have /. tell us what we as a group use. I have a website and I can look up what percentage of my hits were from each OS and each browser. I think it would be very interesting, it might make a good discussion. Especially on a slow news day (like today).
Actually I'd like to see more discussions about /. itself. I think that the moderation, meta-moderation, and karma systems are fascinating. A bi-annual state of the /. post with feedback about the various systems in place would be a huge value. I expect there will be much more of this sort reputation system in the future in both online and offline communities and there would be much to learn from /.
-- QED
That's why I get a thousand monkeys banging on Bluetooth keyboards to write all my operating systems.
Though all the Shakespeare transcriptions in between software updates get a little old.
there isn't profit to be had by attacking an OS with less than 5% marketshare.
Yet there are already more viruses for iPods running Linux. How does that fit in your market share world view?
You are correct, it is simply impractical to test everything. Any IT department that has the time / manpower to test every single application with every single patch would require more IT staff than any company I have ever worked for or with. The reality is, we run system backups, and try to screen patches as best as possible. Yup, sometimes something slips through, and hoses something up, but it is easier to repair than it is to test everything. 99% of patches from MS work fine, so fixing the other 1% is the far easier solution. Most small-medium sized businesses anyway simply do not have the staff for testing.
Some people would argue with this, but then they must work in a fairly uniform environment. In our department, we have a few hundred machines/systems to manage, each one being unique in 1 way or another, so how could you possibly test every software combination?
Easy, iPods have way more than a 5% marketshare in their product market. Once again proving my point that the most used is the most attacked. Think of iPods as the "Windows" of the mp3 world - they are the most commonly used so they will be the most targeted.
"But this one goes to 11!"
the difference between Microsoft's way and Apple's way in this case is that Microsoft actually gives you more information about vulnerabilities and is actually less afraid to make themselves look bad than Apple.
As this guy notes, not really.
Maybe that's because Apple operates on looks
Hardly. If that's all they cared about, they wouldn't give a shit about security, just like Microsoft when their only concern was making a longer bulleted list of "features" to convince people to "upgrade".
and they don't. They care what you think about their security.
Actually being secure would be one way to accomplish that. Looking like they're working hard to protect you is another way.
"You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
Fortunately there are no automated exploit tools readily available for these mac vulnerabilities like there are Windows.
http://blogs.zdnet.com/security/?p=173
So I wonder if this invalidates the contest. This just revealed vulns that aren't patched on the contest machines.
THAT's your comeback? Wow. You'd have been better off saying nothing. Seriously.
-- "I never gave these stories much credence." - HAL 9000
According to http://docs.info.apple.com/article.html?artnum=61798
Apple released a Security Update almost every month in 2005. Less so in 2006, but the 2006 updates were huge (one fixed over 40 flaws, others fixed over 20 each). Face facts - Apple patches their system just as much as does MS and Linux distros (particularly when you normalize for frequency vs size).
-- "I never gave these stories much credence." - HAL 9000
Lars T.
To the guy who modded me down from perfect to terrible Karma - Apple haters still suck
"The 802.11 thing was apparently due to some legal crap and was only $5 anyway."
That's great.
Now please explain why Apple charges $10 to enable its video player to play videos full-screen. While you're at it, please explain why Apple charges another $10 for an MPEG2 codec for that same video player, when the OS already ships with an MPEG2 codec (which is used to allow its DVD player to play DVDs).
Jobs knows how to nickel and dime his user base for all they're worth. He knows that they'll just line up, bend over, and take it with a smile on their faces (as evidenced by your sycophantic post).
-- "I never gave these stories much credence." - HAL 9000
Perhaps you missed the IPODS RUNNING LINUX bit, which is what, 0.000,000,1% of the MP3 player market...
Any figures to back up your claims?
"But this one goes to 11!"
Lars T.
To the guy who modded me down from perfect to terrible Karma - Apple haters still suck
Er, neither of which means that the original system is not defective by design.
To simplify:
"System A is crap!"
"No it's not! You just use System B instead!"
"Er, how does that mean that System A is not crap?"
OS X has been in production use for six years. Six years of real-world threats and thorough examinations by security experts.
Compare with XP, which is about the same age. (Secunia does not break down the point releases of OS X.)
The US free market: two halves of a government-granted duopoly are free to set the market price.
Of course QuickTime is defective by design; it even enables DRM. However, QT isn't tied to the system the same way WMP, IE, et al. are in Windows, so you can easily replace QT with something like VLC.
'Yes, firefox is indeed greater than women. Can women block pops up for you? No. Can Firefox show you naked women? Yes.'
It wouldn't be but for the fact that there's a dubious assumption that Mac OS X is bulletproof (or close to it) because Windows machines are always being attacked, and, by-and-large, Macs and GNU/Linux are being left alone.
Every open source OS has security-related patches on a regular basis, including the ones that have a good reputation for security like OpenBSD. So why isn't it news when they release security patches?
Contrary to myth, Mac OS X has vulnerabilities. If you want to know why it hasn't been the target of a concerted hacker attack, you have to look elsewhere than the "Windows is insecure by design, OS X and Unix isn't" stuff that's become the prevailing consensus.
Though not many will admit it a good reason OSX and the Unices don't suffer as many exploits as Windows does is because they only have a small market share. Once their desktop market shares increase substantially, and I hope to see both Linux and Macs gain a lot on Windows this year, more people will work on exploits, viri, and other malware on them.
Falcon
Should there be a Law?
It's worth noting that Mac OS 9, which had no security whatsoever, had almost no (or none? The point is I've never come across one) viruses or worms.
Back in the '80s and early '90s the Mac was a fertile breeding ground for viruses, because of the design of the system. Just putting a floppy in the drive was enough to run code. Apple's response to this was to get rid of automatic execution of code fragments on floppies and in resource forks of documents. This was a normal and sane response to a bad design.
If you want to know why it hasn't been the target of a concerted hacker attack, you have to look elsewhere than the "Windows is insecure by design, OS X and Unix isn't" stuff that's become the prevailing consensus.
While the fact that there are more Windows boxes out there, there are several features of Windows that are insecure-by-design that have had a huge impact on Windows security. In particular, the design of Internet Explorer and the integration of the HTML control into the desktop and email programs had an enormous and direct effect on the spread of viruses and worms on Windows machines all out of proportion to their popularity.
Before the release of "Open Desktop", the virus problem on Windows really was manageable without antivirus software. Just following good software hygiene was enough to make viruses a rare problem. Afterwards, I found that simply not allowing the use of IE and Outlook and other components that used the HTML control to display untrusted documents was more effective than antivirus software, because it removed the most common point of entry of new viruses.
The sane response to this would have been to back out the desktop-browser integration and redesign the system so that the right to run unsandboxed code was SOLELY mediated by the application displaying the document. Microsoft, instead, attempted to come up with tighter and tighter heuristics as to when to allow documents out of the sandbox, which boggled my mind then and still boggles my mind now.
There are other problems in the design of Windows that I've discussed before, but this one should be more than enough to make my point, especially after you handed me such a great counterexample.
and they don't.
:)
Uh huh. Zero viruses since OS X was released. Zero worms. No low-spread reports of Macs being compromised, much less widespread. The exploits that are out there depend on 1) having local access, in which case you are screwed anyway, 2) having access to an account for privilege escalation attacks, or 3) running a service. They release bug fixes on a regular basis, and real problems are addressed in days. There's good privilege separation, and a good GUI method for privilege escalation, as opposed to the craptacular "run as" command. You can take a Mac running a default install of OS X 10.0.0 and be exploit free, as opposed to some other OSes available.
Actually being secure would be one way to accomplish that. Looking like they're working hard to protect you is another way.
Actually providing some reasoning or evidence would be one way to back up your argument. Speaking out of your ass with unsubstantiated statements is another, far less effective way.
Of course QuickTime is defective by design; it even enables DRM. However, QT isn't tied to the system the same way WMP, IE, et al. are in Windows, so you can easily replace QT with something like VLC.
In actual fact, QT is "tied to the system" in an essentially identical way to "WMP, IE, et al".
Huh? Why would "haha" be appropriate?
No Mac users were hurt, no Macs compromised.
When any substantial number of Macs are compromised, that will be the time to say, "haha."
"It is our blasphemy which has made us great, and will sustain us, and which the gods secretly admire in us." - Zelazny
A side effect of code reuse and object orientation is that certain defects may have effects far beyond that originally reported. The full extent of the vulnerability might not be readily apparent to the person fixing the defect or writing the report. With respect to IE on Windows, for example, there are many other things that can be affected by these defects, even 3rd party products. Remote / network defects on Windows are even harder to pin down, due to certain common elements in the core Windows services. If anything, Microsoft has historically been guilty of being less than clear when these defects had the potential to affect more than one listener on more than one port, or affect more than one application. It never looked like a coverup to me, though, because it was so inconsistent.
If you mod me down, I shall become more powerful than you could possibly imagine.
ANY security problem is automatically assigned "critical" status. You claim that you know for a fact that Apple never releases any information on their security problems to the public because a source told you that they don't. When it was demonstrated that you were wrong, the voices in your head changed their story. Apple almost always waits until the next build to fix security problems. They can get away with this because there are never any press stories calling attention to flaws. Microsoft, being more proactive, releases critical updates within hours of problems being discovered. Of course Apple is not going to publicize the newest security problems, because they don't like to release patches but rather new builds. Apple released a document with security updates. If you can't find an MS document just as easily, then how can you say that MS is more forthcoming with their information? I have not even tried and will not try. I don't waste time on Macer boondoggle requests. You're pretending that MS has better security - in spite of the fact that even Microsoft disagrees with you. You are the pretender here. Pretending to have a healthy brain.
Windows market share didn't increase several thousand percent in 1997. What increased Windows virus load so dramatically in 1997 was the desktop-browser integration.
:(
Which is still in there.
If you avoid using browsers and mail software using the HTML control, your exposure to malware drops dramatically.
Microsoft seems to have noticed this... Outlook 2007 doesn't use the HTML control. Hopefully this will lead to fewer email worms as it's taken up. Unfortunately the pushback from the "how dare you stop me from making your email look like a web page" crowd may lead to Microsoft backing down on this, or duplicating the same kinds of security holes in the new rendering engine to keep them happy.