Slashdot Mirror


Apple Issues Patches For 25 Security Holes

TheCybernator writes "Apple today released software updates to plug more than two dozen security holes in its Mac OS X operating system and other software. The free patches are available via the Mac's built-in Software Update feature or directly from Apple's Web site. All told, today's batch fixes some 25 distinct security vulnerabilities, including a dangerous flaw present in the AirPort wireless devices built into a number of Apple computers, including the eMac, the iBook, iMac, Powerbook G3 and G4, and the Power Mac G4. Apple said computers with its AirPort Extreme wireless cards are not affected. Earlier this month, Apple released a software update to fix a vulnerability in its wireless router, the AirPort Extreme Base Station. That update and instructions on how to apply it are available at the link."

16 of 241 comments

  1. cue doodly piano music by stratjakt · · Score: 5, Funny

    Mac: Hi, I'm a mac!

    PC: And I'm a PC.

    Mac: Steve Jobs just plugged up all my holes

    PC: GOODNIGHT! (tapdances off stage)

    --
    I don't need no instructions to know how to rock!!!!
    1. Re:cue doodly piano music by Bullfish · · Score: 5, Funny

      My own take on one of those ads is the upgrade ad...

      First day, Mac approaches PC wearing hospital smock

      Mac: What's with the smock PC?
      PC: I have to upgrade for Vista. I'm a bit scared
      Mac: Okay, be cool. I'll send you flowers in the hospital.

      Next day: Robust looking PC stands there smiling while Mac runs up in panic.

      Mac: Hide me PC! Hide me!
      PC: Why, what's up?
      Mac: They want to upgrade me!!
      PC: Don't be afraid, look at me! Upgrading is great!
      Mac: You don't understand!!!

      Three guys run up, one shoots Mac dead while PC stands there stunned. Two of them drag off Mac. Third guy in natty sweater stands beside PC

      PC: Who are you?
      Mac: I'm Mac.

  2. but ... by Anonymous Coward · · Score: 4, Funny

    Those Apple commercials tell me they don't have security issues?

    1. Re:but ... by tji · · Score: 5, Insightful

      No, there are no OS's without security issues. Even OpenBSD has had a few. Since Mac OS X uses many open standards / open source components, they benefit from the wide deployment, review, and testing that turns up bugs in that code and generates fixes. In closed OS's, the holes are still there, they just cannot be easily analyzed, so it's mostly the highly motivated "black hat" types that discover them and use them for their devious purposes.

      The Mac ads clearly referred to all the viruses, worms, spyware, etc., which are VERY common on Windows PCs, and for whatever reason, are very uncommon on Macs. (I don't really care why they are not prevalent on Macs, I just care that my MacBook Pro is free of exploits, as are my Linux servers.)

      Patched bugs are a good thing. Bugs are practically unavoidable. Unpatched bugs, as evidenced by rampant exploits, are the real problem.

  3. Quick summary to avoid reading TFA by 140Mandak262Jamuna · · Score: 5, Informative

    10 of the 25 are local privilege escalations. A few more require physical access to the machine like loading a malformed disk. Some require authenticated access to the machine (disk access, clear text password exchange, ftp user privilege escalation, untarring a malformed tar file, opening a malformed help file, etc.).

    The remote attacks seem to be coming out of the Kerberos admin daemon distributed by MIT: 3 holes. One hole each in libinfo, portmap, ichat.

    --
    sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
    1. Re:Quick summary to avoid reading TFA by Whiney+Mac+Fanboy · · Score: 5, Insightful

      The remote attacks seem to be coming out of the Kerberos admin daemon distributed by MIT: 3 holes.

      That's the beauty of Open Source (from Apple's POV).

      When things go well: Hey - look at us! We 'support' OSS by leveraging all that free software.
      When things go bad: Oh well - it's MIT's software! Not ours...

      Seriously - I for one am really glad that one closed O/S vendor out there lets OSS do the heavy lifting security-wise on their products. Apple users are left in a far less leaky boat. Thanks MIT, Thanks FOSS, Thanks Apple!

      --
      There are shills on slashdot. Apparently, I'm one of them.
    2. Re:Quick summary to avoid reading TFA by ClosedSource · · Score: 4, Insightful

      Well, some FOSS supporters on Slashdot are known to equivocate about what "Linux" consists of. When trying to compare functionality with other OS's they consider the entire distro, when comparing stability or security the definition shrinks down to only the kernel.

  4. Why is this news? by reality-bytes · · Score: 5, Informative

    As an Apple 'outsider' I'm not certain why this is news.

    Is it because these issues/vulnerabilities have been outstanding for a long time? Or perhaps Apple does not patch things often?

    It's an honest question, my Ubuntu systems at home have frequent patches rolled out and the staff at work are always talking about another update on their Windows desktops.

    Isn't Apple the same?

    --
    Ripping a new rectum in the fabric of spacetime.
    1. Re:Why is this news? by 140Mandak262Jamuna · · Score: 4, Interesting

      Also the vulnerability notes very clearly spell out what is affected. I am not a mac user. Still I could make sense of what is broken, whether or not I am running a vulnerable service, whether or not I need this update.

      Compare this to the dense hole descriptions by MSFT. Almost everything affects everything. Even if the bug in Windows is such that "If you don't use IE you are not vulnerable" they can't/won't say it. Won't say it because it will drive FireFox usage up. Can't say it because IE can be invoked by any part of any code. Similarly when a hole in Windows is found, no one seems to know what/who would be affected. Another reason why they don't describe it better is allegedly their fear that the hackers will use it to attack yet unupdated systems. But most hackers use reverse-engineering tools like BlackIce and deconstruct the patch and know precisely how to attack unpatched systems. On the other hand, people who might be persuaded to patch their systems faster if the hole description was more specific and pertinent wait because they can't determine whether they are affected. Add to it MSFT's practice of downplaying the bug severity, no wonder MSFT updates are becoming more of a problem than a solution.

      --
      sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
    2. Re:Why is this news? by 644bd346996 · · Score: 4, Informative

      Did you really mean to say that Apple releases patches more often than Microsoft? Because that is just plain wrong. I get pestered by Windows update at least twice as often as by OS X Software Update, and I use both operating systems regularly.

  5. In other news... by c0d3h4x0r · · Score: 5, Funny

    Microsoft Issues Holes for 25 Security Patches

    --
    Moderator hint: a comment is neither "Flamebait" nor "Troll" if it is true.
  6. Re:Why by aicrules · · Score: 5, Insightful

    I think because no one really believes that Apple software is completely bulletproof. No software is completely bulletproof. I'm sure someone could find an exploit even for a Hello World program. Windows gets the majority of the "bad press" from flaws because it has a gigantic market share compared to Apple, so the security holes and related patches affect many more people.

    Yes, some Windows folks will see this as a "haha" nelson moment. However, it isn't a haha moment until the headline reads that someone found 25 Apple exploits and released a huge virus to exploit them. And while I am firmly planted in my Windows environment, I will not be interested in laughing at my Apple compadres when or if that happens.

  7. 10.3.9 also patched by kybred · · Score: 5, Informative

    Apple is providing some patches for 10.3.9 as well. Good to see that they are still providing security related updates for the previous system.

  8. Re:I'll tell you what's news: by 99BottlesOfBeerInMyF · · Score: 5, Insightful

    They rolled out these patches all at once. But the patches were almost certainly not done all at the same time. That's right, Apple has deliberately left you (and me! although I only have one mac to deal with and it's not my primary machine) vulnerable so that they could roll out a bunch of patches at the same time instead of one at a time.

    Sigh. Have you ever worked in the software development industry? There is this thing called "testing" that some people find important. If you work on Kerberos and find a bug and patch it, you then test just it before distributing. If you work at Apple or Redhat where you are shipping an entire OS with a bunch of packages, it is impossible to patch and test those patches in conjunction with all other hardware in the same timeframe because you have multiple things to patch at once. Thus, the only real solution is to do it in bundles, where you stick a group of patches together then QA them all at once. This results in longer delays for some fixes, but it also means the patch is actually tested in conjunction with the other patches so one does not break another. Any responsible vendor uses this method for dealing with bugs.

    Once again, the methodology commonly used by Linux distributions in which patches are rolled out as soon as they are ready provides greater security than Microsoft or Apple (who do the very same thing.)

    Individual developers roll out patches and you could have patched your OS X box from them if you felt it was an emergency for you. As for what Linux vendors do, I don't know of any who roll one-off fixes into the stable branch intended for real use, instead of testing patches in bundles. You don't seem to know what you're talking about.

  9. Just the facts by ad0gg · · Score: 4, Interesting

    By constantly you mean, every 3 months or so. Some of the holes had been open for over 3 months with a rating of highly critical on Secunia. Secunia still lists 6 unpatched holes for OSX, highest being moderately critical. Quick comparison to Vista which has two unpatched holes which have a rating of not critical.

    Vista
    OS X

    --

    Have you ever been to a Turkish prison?

    1. Re:Just the facts by larkost · · Score: 4, Informative

      One thing to note: the one bug that Secunia is rating as "moderately critical" is on FTP, and it is not enabled by default.