Slashdot Mirror


Apple Issues Patches For 25 Security Holes

TheCybernator writes "Apple today released software updates to plug more than two dozen security holes in its Mac OS X operating system and other software. The free patches are available via the Mac's built-in Software Update feature or directly from Apple's Web site. All told, today's batch fixes some 25 distinct security vulnerabilities, including a dangerous flaw present in the AirPort wireless devices built into a number of Apple computers, including the eMac, the iBook, iMac, Powerbook G3 and G4, and the Power Mac G4. Apple said computers with its AirPort Extreme wireless cards are not affected. Earlier this month, Apple released a software update to fix a vulnerability in its wireless router, the AirPort Extreme Base Station. That update and instructions on how to apply it are available at the link."


  1. cue doodly piano music by stratjakt · · Score: 5, Funny

    Mac: Hi, I'm a mac!

    PC: And I'm a PC.

    Mac: Steve Jobs just plugged up all my holes

    PC: GOODNIGHT! (tapdances off stage)

    --
    I don't need no instructions to know how to rock!!!!
    1. Re:cue doodly piano music by CowTipperGore · · Score: 3, Funny

      Mac: Steve Jobs just plugged up all my holes

      Way to go. You've just taken all the Apple fanbois away from their keyboards, as they think about Steve Jobs plugging up their holes.
    2. Re:cue doodly piano music by Bullfish · · Score: 5, Funny

      My own take on one of those ads is the upgrade ad...

      First day, Mac approaches PC wearing hospital smock

      Mac: What's with the smock PC?
      PC: I have to upgrade for Vista. I'm a bit scared
      Mac: Okay, be cool. I'll send you flowers in the hospital.

      Next day: Robust looking PC stands there smiling while Mac runs up in panic.

      Mac: Hide me PC! Hide me!
      PC: Why, what's up?
      Mac: They want to upgrade me!!
      PC: Don't be afraid, look at me! Upgrading is great!
      Mac: You don't understand!!!

      Three guys run up, one shoots Mac dead while PC stands there stunned. Two of them drag off Mac. Third guy in natty sweater stands beside PC

      PC: Who are you?
      Mac: I'm Mac.

    3. Re:cue doodly piano music by Bat+Country · · Score: 3, Funny

      So you're saying the 1984 Macintosh commercial should have been a Logan's Run theme instead?

      --
      The land shall stone them with the bread of his son.
  2. but ... by Anonymous Coward · · Score: 4, Funny

    those Apple commercials tell me they don't have security issues?

    1. Re:but ... by tji · · Score: 5, Insightful

      No, there are no OS's without security issues. Even OpenBSD has had a few. Since Mac OS X uses many open standards / open source components, they benefit from the wide deployment, review, and testing that turns up bugs in that code and generates fixes. In closed OS's, the holes are still there, they just cannot be easily analyzed, so it's mostly the highly motivated "black hat" types that discover them and use them for their devious purposes.

      The Mac ads clearly referred to all the viruses, worms, spyware, etc. Which are VERY common on Windows PCs, and for whatever reason, are very uncommon on Macs. (I don't really care why they are not prevalent on Macs, I just care that my MacBook Pro is free of exploits, as are my Linux servers.)

      Patched bugs are a good thing. Bugs are practically unavoidable. Unpatched bugs, as evidenced by rampant exploits, are the real problem.

    2. Re:but ... by Onan · · Score: 2, Interesting

      I'd say the conclusion they'd like you to reach is that macs are so much less susceptible to viruses that they don't require worrying about.

      And fortunately, that conclusion is correct. You'll notice that these are all pre-emptive fixes to bugs that apple or white hats have discovered, not emergency patches for ongoing exploitation. I'd hazard a guess that the total number of macs compromised by these issues outside of a testing environment is zero.

      I'm sorry that your sister was affected by the one mac virus that has ever had even a tiny spread in the wild in the past, well, ever. (Symantec's estimation of the total number of infections is "0-49". Probably not accurate, but remember that this is an entity that has an incentive to _exaggerate_ virus threats.) But one anecdote of one incredibly rare virus that did minimal damage, was easily detected and removed, and saw a quick extinction does not bring into dispute the idea that macs are extremely virus-un-prone.

  3. Quick summary to avoid reading TFA by 140Mandak262Jamuna · · Score: 5, Informative
    10 of the 25 are local privilege escalations. A few more require physical access to the machine, like loading a malformed disk. Some require authenticated access to the machine (disk access, clear text password exchange, ftp user privilege escalation, untarring a malformed tar file, opening a malformed help file, etc.).

    The remote attacks seem to be coming out of the Kerberos admin daemon distributed by MIT: 3 holes. One hole each in libinfo, portmap, ichat.

    --
    sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
    1. Re:Quick summary to avoid reading TFA by Whiney+Mac+Fanboy · · Score: 5, Insightful

      The remote attacks seem to be coming out of the Kerberos admin daemon distributed by MIT: 3 holes.

      That's the beauty of Open Source (from Apple's POV).

      When things go well: Hey - look at us! We 'support' OSS by leveraging all that free software.
      When things go bad: Oh well - it's MIT's software! Not ours...

      Seriously - I for one am really glad that one closed O/S vendor out there lets OSS do the heavy lifting security wise on their products. Apple users are left in a far less leaky boat. Thanks MIT, Thanks FOSS, Thanks Apple!

      --
      There are shills on slashdot. Apparently, I'm one of them.
    2. Re:Quick summary to avoid reading TFA by Fulkkari · · Score: 2, Informative

      Washingtonpost:

      including a dangerous flaw present in the AirPort wireless devices built into a number of Apple computers, including the eMac, the iBook, iMac, Powerbook G3 and G4, and the Power Mac G4. Apple said computers with its AirPort Extreme wireless cards are not affected.

      Apple:

      A buffer overflow vulnerability exists in the AirPortDriver module which processes control commands for AirPort. By sending malformed control commands, a local user could trigger the overflow which may lead to arbitrary code execution with elevated privileges. This issue affects eMac, iBook, iMac, PowerBook G3, PowerBook G4, and Power Mac G4 systems equipped with an original AirPort card. This issue does not affect systems with the AirPort Extreme card. This update addresses the issue by performing proper bounds checking.

      Forgot to mention it's a local exploit? Sounds like FUD spreading to me.

      --
      I demand the Cone of Silence!
    3. Re:Quick summary to avoid reading TFA by ClosedSource · · Score: 4, Insightful

      Well, some FOSS supporters on Slashdot are known to equivocate about what "Linux" consists of. When trying to compare functionality with other OS's they consider the entire distro, when comparing stability or security the definition shrinks down to only the kernel.

    4. Re:Quick summary to avoid reading TFA by Bat+Country · · Score: 2, Insightful

      How is it FUD to call a dangerous flaw dangerous?

      I administer a network of 50 systems and the only thing protecting those machines is that I don't allow users to execute downloaded software.

      Any program which issued those malformed instructions while claiming to allow the users to punch the monkey or something could install the first OS X backdoor worms, installing them with root privileges then effectively hiding themselves.

      This flaw allows exactly the same attack as the P2P "hot_teen_action.mpg.exe" trojan scams on OS X - which is supposed to be secure against that kind of attack because it requires an administrator password to obtain higher than user-level access to the machine.

      Telling users that this is serious and dangerous is certainly not spreading FUD, it's just getting them to stop ignoring the Jack Russell Terrier update icon.

      --
      The land shall stone them with the bread of his son.
  4. Why is this news? by reality-bytes · · Score: 5, Informative

    As an Apple 'outsider' I'm not certain why this is news.

    Is it because these issues/vulnerabilities have been outstanding for a long time? Or perhaps Apple does not patch things often?

    It's an honest question, my Ubuntu systems at home have frequent patches rolled out and the staff at work are always talking about another update on their Windows desktops.

    Isn't Apple the same?

    --
    Ripping a new rectum in the fabric of spacetime.
    1. Re:Why is this news? by falcon5768 · · Score: 3, Insightful
      It's not news, but people like to make it news. Just like Ubuntu, Apple updates and patches their system constantly compared to Microsoft. But people like to say that means the computer is LESS secure than a Windows machine.

      The truth is more Apple is willing and able to patch its software in a timely manner, while Microsoft waits for big chunk updates and service packs to do it.

      --

      "Slashdot, where telling the truth is overrated but lying is insightful."

    2. Re:Why is this news? by 140Mandak262Jamuna · · Score: 4, Interesting
      Also the vulnerability notes very clearly spell out what is affected. I am not a mac user. Still I could make sense of what is broken, whether or not I am running a vulnerable service, whether or not I need this update.

      Compare this to the dense hole descriptions by MSFT. Almost everything affects everything. Even if the bug in Windows is such that "If you don't use IE you are not vulnerable" they can't/won't say it. Won't say it because it will drive Firefox usage up. Can't say it because IE can be invoked by any part of any code. Similarly when a hole in Windows is found, no one seems to know what/who would be affected. Another reason why they don't describe it better is allegedly their fear that the hackers will use it to attack yet unupdated systems. But most hackers use reverse-engineering tools like BlackIce and deconstruct the patch and know precisely how to attack unpatched systems. On the other hand people who might be persuaded to patch their systems faster if the hole description was more specific and pertinent wait because they can't determine whether they are affected. Add to it MSFT's practice of downplaying the bug severity, no wonder MSFT updates are becoming more of a problem than solution.

      --
      sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
    3. Re:Why is this news? by 644bd346996 · · Score: 4, Informative

      Did you really mean to say that Apple releases patches more often than Microsoft? Because that is just plain wrong. I get pestered by Windows update at least twice as often as by OS X Software Update, and I use both operating systems regularly.

    4. Re:Why is this news? by Jeff+DeMaagd · · Score: 2, Interesting

      I think what was meant was that a fix is worked on as soon as possible, but I don't think that's always true. An inability to get Apple's attention on a bug is why that one guy did the Month of Apple Bugs, rightly or wrongly.

      Microsoft's security fixes seem to fix smaller numbers of bugs per update. Recently, they were mostly updates to the malware removal tool, not security fixes.

    5. Re:Why is this news? by squiggleslash · · Score: 2, Insightful

      (I tried posting this earlier, but it has disappeared for some reason, weird. Still, gives me the chance to fix some of the language...)

      It wouldn't be but for the fact that there's a dubious assumption that Mac OS X is bulletproof (or close to it) because Windows machines are always being attacked, and, by-and-large, Macs and GNU/Linux are being left alone. The assumption is then combined with the false belief that Mac OS X and GNU/Linux distributions have less significant holes.

      Windows machines suffer for a variety of reasons, but not really because they have more bugs. It's more the case that a combination of there being a lot of them out in the wild, most of which are "administered" by people who really aren't familiar with the system's internals, not helped by a poor UI which, after Mac OS X and GNOME 2.x, is easily a poor third in the user friendliness/transparent computing front.

      It's worth noting that Mac OS 9, which had no security whatsoever, had almost no (or none? The point is I've never come across one) viruses or worms. Users were just more vigilant, and the operating system's transparency (the degree to which the way the system worked was obvious to the end user) meant end users had a better idea of the consequences of their actions. This is a lesson worth noting for those building systems like GNOME: making something secure and user friendly does not mean hiding how it works, it means exposing how it works using legitimate metaphors.

      Contrary to myth, Mac OS X has vulnerabilities. If you want to know why it hasn't been the target of a concerted hacker attack, you have to look elsewhere than the "Windows is insecure by design, OS X and Unix isn't" stuff that's become the prevailing consensus. And while that remains the prevailing consensus, the fact Mac OS X (or GNU/Linux) has vulnerabilities will always be news.

      --
      You are not alone. This is not normal. None of this is normal.
    6. Re:Why is this news? by clintre · · Score: 2, Informative

      Actually that is far from the truth.

      I am no M$ fanboy, but they used to push out patches constantly, but most IT shops do not want that. Generally IT shops like to validate the patches before applying them to their machines to make sure poorly written software does not have issues with a patch.

      No one in their right mind would push patches out directly to the corporate computers without testing them. By having the patches come out on the same day every month you allow preparation and planning.

      Really Apple is no more secure than Windows, Linux yes Apple no. It all comes down to how you configure it after you get it in any case. I have done plenty of penetration tests on Apple, M$, and several Linux distros. M$ is nowhere near as bad as it once was.

    7. Re:Why is this news? by notthepainter · · Score: 3, Informative

      It's worth noting that Mac OS 9, which had no security whatsoever, had almost no (or none? The point is I've never come across one) viruses or worms.

      I can only think of one in recent memory. The Hong Kong worm http://www.makingpages.org/pagemaker/virus.html, aka Autostart 9805, was pretty devastating to the pre-press industry which passed around zip cartridges like they were free. This would have been back in 1998.

      Paul

    8. Re:Why is this news? by Scudsucker · · Score: 2, Insightful

      Did you really mean to say that Apple releases patches more often than Microsoft? Because that is just plain wrong.

      Because Microsoft has a lot more to patch.

  5. In other news... by c0d3h4x0r · · Score: 5, Funny

    Microsoft Issues Holes for 25 Security Patches

    --
    Moderator hint: a comment is neither "Flamebait" nor "Troll" if it is true.
  6. Why by Mockylock · · Score: 2, Insightful

    Why isn't this listed under "HaHa" as well? Not trolling, as much as wondering what the reasoning of that was for. Bias?

    --
    "Please, shut up. Just when I think you can't say anything more stupid, you speak again." -Archie Bunker.
    1. Re:Why by aicrules · · Score: 5, Insightful

      I think because no one really believes that Apple software is completely bulletproof. No software is completely bulletproof. I'm sure someone could find an exploit even for a Hello World program. Windows gets the majority of the "bad press" from flaws because it has a gigantic market share compared to Apple, so the security holes and related patches affect many more people.

      Yes, some Windows folks will see this as a "haha" nelson moment. However, it isn't a haha moment until the headline reads that someone found 25 Apple exploits and released a huge virus to exploit them. And while I am firmly planted in my Windows environment, I will not be interested in laughing at my Apple compadres when or if that happens.

  7. Re:MS flaws = bad, Apple flaws = good...? by Mockylock · · Score: 2, Insightful

    Yeah, that's usually how it happens. Microsoft has holes because the OS supposedly stinks, all other OS's just patch holes to make their OS even better.

    Basically saying, "I'm not screwing the sheep. I'm merely helping it through the fence."

    --
    "Please, shut up. Just when I think you can't say anything more stupid, you speak again." -Archie Bunker.
  8. 10.3.9 also patched by kybred · · Score: 5, Informative

    Apple is providing some patches for 10.3.9 as well. Good to see that they are still providing security related updates for the previous system.

  9. Not news... by IwarkChocobos · · Score: 2, Insightful

    Don't ALL operating systems have holes? I think the only thing different here is that Apple waited until there were a lot found and fixed to release the patch. MS and Apple release patches differently; MS releases them as soon as they can, one at a time usually, while Apple chooses to wait until there are a lot of patches to release it. Not really the best idea, but not the worst for both companies. Not news.

    1. Re:Not news... by Ash-Fox · · Score: 2, Insightful

      MS releases them as soon as they can, one at a time usually
      They usually try to release them once a month.

      while Apple chooses to wait until there are a lot of patches to release it.
      Actually, I've noticed Apple delay updates long enough that a lot come out in the next OS X upgrade.

      Not news.
      Agreed.
      --
      Change is certain; progress is not obligatory.
  10. Re:I'd like to propose a tag by Aladrin · · Score: 3, Informative

    I think you have totally misunderstood what that tag means. It means that the designer specifically designed the device to not do something that is normally expected or wanted, or has been designed in such a way as to annoy the user constantly. In other words, they had to work harder to make sure the device did not work. Typical MS things that are defective by design are DRM, Clippy, and that new security thing in Vista that is so annoying.

    These were bugs, not by design. Apple did not specifically intend for them to exist, and has now fixed them.

    --
    "If you make people think they're thinking, they'll love you; But if you really make them think, they'll hate you." - DM
  11. Re:I'll tell you what's news: by frdmfghtr · · Score: 3, Insightful

    If you are in charge of a business's IT department, do you want to go through and thoroughly test new patches every few days, or do one test covering multiple patches? Didn't feedback from big IT shops compel MS to release patches in bigger batches with less frequency (hence the introduction of "Patch Tuesday")?

    I don't do IT, so maybe releasing 25 fixes at once can require 25 separate test cycles. Anybody care to enlighten me?

    --
    Government's idea of a balanced budget: take money from the right pocket to balance...oh who am I kidding?
  12. Re:Cue Apologists by thejynxed · · Score: 3, Insightful

    Not to be too flameable here, but who says they aren't part of botnets? The various Unix flavours and derivatives are the reason why we know what a rootkit is.

    As my CS professor said once, "With Windows, you know it's broken right up front, and that you have to take certain steps right away to fix it, such as slap an AV program on. With the various Unix-based OSes, you have to go over every little detail with a fine-toothed comb, putz around in the code, recompile, and all of that other hassle because they put the Root into Rootkit."

    If you ask me, the only botnet secure OS is the one not sitting with an allowed/established connection to the internet to begin with. If it's human-created code, it's vulnerable, period.

    --
    @Mindless Drivel: 100% of Twitter posts ever Tweeted.
  13. Re:Huh? by Chris+whatever · · Score: 2

    Heu!!!! How can you say that they are proactive if the patches fix issues that are already there and they know about them?

    Proactive is looking for potential threats in the future and taking steps to correct them before they happen.

    They are no more proactive than any other company when it comes to bugs and patches.

  14. Re:I'll tell you what's news: by 99BottlesOfBeerInMyF · · Score: 5, Insightful

    They rolled out these patches all at once. But the patches were almost certainly not done all at the same time. That's right, Apple has deliberately left you (and me! although I only have one mac to deal with and it's not my primary machine) vulnerable so that they could roll out a bunch of patches at the same time instead of one at a time.

    Sigh. Have you ever worked in the software development industry? There is this thing called "testing" that some people find important. If you work on Kerberos and find a bug and patch it, you then test just it before distributing. If you work at Apple or Redhat where you are shipping an entire OS with a bunch of packages, it is impossible to patch and test those patches in conjunction with all other hardware in the same timeframe because you have multiple things to patch at once. Thus, the only real solution is to do it in bundles, where you stick a group of patches together then QA them all at once. This results in longer delays for some fixes, but it also means the patch is actually tested in conjunction with the other patches so one does not break another. Any responsible vendor uses this method for dealing with bugs.

    Once again, the methodology commonly used by Linux distributions in which patches are rolled out as soon as they are ready provides greater security than Microsoft or Apple (who do the very same thing.)

    Individual developers roll out patches and you could have patched your OS X box from them if you felt it was an emergency for you. As for what Linux vendors do, I don't know of any who roll one-off fixes into the stable branch intended for real use, instead of testing patches in bundles. You don't seem to know what you're talking about.

  15. Just the facts by ad0gg · · Score: 4, Interesting
    By constantly you mean, every 3 months or so. Some of the holes had been open for over 3 months with a rating of highly critical on Secunia. Secunia still lists 6 unpatched holes for OSX, highest being moderately critical. Quick comparison to Vista, which has two unpatched holes which have a rating of not critical.

    Vista
    OS X

    --

    Have you ever been to a turkish prison?

    1. Re:Just the facts by larkost · · Score: 4, Informative

      One thing to note: the one bug that Secunia is rating as "moderately critical" is on FTP, and it is not enabled by default.

  16. Re:I'd like to propose a tag by drsmithy · · Score: 2, Insightful

    It means that the designer specifically designed the device to not do something that is normally expected or wanted, or has been designed in such a way as to annoy the user constantly. In other words, they had to work harder to make sure the device did not work. Typical MS things that are defective by design are DRM, Clippy, and that new security thing in Vista that is so annoying.

    Ah. So you mean like a media player that can't display full screen videos ?

    (It would be interesting to see what you think DRM, Clippy and UAC are stopping you doing that is "normally expected", as well.)

  17. MS Patch management by Hawat · · Score: 2, Interesting

    My work laptop (XP Pro) has developed an aversion to installing Office XP components. I tried to add MS-Access for a special project. In "Add/Remove programs" from the Control Panel it fails silently. From setup.exe on the CD I get this message: "No valid sequence could be found for the set of patches."

    This appears to be related to the Microsoft Windows Installer (msi.dll).

    Eventually, I tried to uninstall Office XP and start over. The machine refuses to do this with another silent failure. I considered uninstalling msi, but it warns me that every program on the computer may fail to work if I do so. Microsoft lists a large number of registry hacks that might either fix the problem or create a doorstop.

    Now I'm looking at starting from a fresh install.

    I do not know if the frequency and volume of patches from Microsoft is related, but I am highly suspicious that msi.dll is confused because of this. Microsoft describes Microsoft Windows Installer as "...an installation and configuration service that reduces the total cost of ownership." Not.

  18. Re:Cue Apologists by nevali · · Score: 2, Insightful

    Yeah, 'cos patched local privilege escalation vulnerabilities that nobody has bothered to exploit is exactly the same as unpatched remote code-execution vulnerabilities affecting a default installation for which exploits are widely circulated in the wild for nefarious purposes.

    If you think the two are the same, it's no wonder you think they're all fanboys.

  19. Re:Cue Apologists by nevali · · Score: 2, Informative

    And yet none of those remotely-vulnerable services are enabled by default. Indeed, of the three, two of them wouldn't get switched on by the vast majority of Mac users.

    Which is somewhat different to, say, the .ANI vulnerability.

  20. Re:I'll tell you what's news: by mkiwi · · Score: 2, Funny

    I don't do IT, so maybe releasing 25 fixes at once can require 25 separate test cycles. Anybody care to enlighten me?
    Here's how it works where I work (IT and Software Engineering):

    1. Run MS auto update.
    2. See what breaks.
    3. Reinstall programs that are broken.
    4. Pray the user's outlook database is not larger than 2GB.
    5. ???
    6. ??????
    7. Whew. Only 300 more computers to go.

    Very simple yet surprisingly time consuming :-)

  21. PWN to OWN by slyborg · · Score: 2, Informative

    http://blogs.zdnet.com/security/?p=173
    So I wonder if this invalidates the contest. This just revealed vulns that aren't patched on the contest machines.

  22. Windows before 1997 had relatively few viruses too by argent · · Score: 3, Informative

    It's worth noting that Mac OS 9, which had no security whatsoever, had almost no (or none? The point is I've never come across one) viruses or worms.

    Back in the '80s and early '90s the Mac was a fertile breeding ground for viruses, because of the design of the system. Just putting a floppy in the drive was enough to run code. Apple's response to this was to get rid of automatic execution of code fragments on floppies and in resource forks of documents. This was a normal and sane response to a bad design.

    If you want to know why it hasn't been the target of a concerted hacker attack, you have to look elsewhere than the "Windows is insecure by design, OS X and Unix isn't" stuff that's become the prevailing consensus.

    While it is a fact that there are more Windows boxes out there, there are several features of Windows that are insecure-by-design that have had a huge impact on Windows security. In particular, the design of Internet Explorer and the integration of the HTML control into the desktop and email programs had an enormous and direct effect on the spread of viruses and worms on Windows machines all out of proportion to their popularity.

    Before the release of "Open Desktop", the virus problem on Windows really was manageable without antivirus software. Just following good software hygiene was enough to make viruses a rare problem. Afterwards, I found that simply not allowing the use of IE and Outlook and other components that used the HTML control to display untrusted documents was more effective than antivirus software, because it removed the most common point of entry of new viruses.

    The sane response to this would have been to back out the desktop-browser integration and redesign the system so that the right to run unsandboxed code was SOLELY mediated by the application displaying the document. Microsoft, instead, attempted to come up with tighter and tighter heuristics as to when to allow documents out of the sandbox, which boggled my mind then and still boggles my mind now.

    There are other problems in the design of Windows that I've discussed before, but this one should be more than enough to make my point, especially after you handed me such a great counterexample.