Apple Mac OS X Update For 17 Vulnerabilities
BSDetector writes "Apple has released fixes for 17 OSX vulnerabilities, ranging from system takeover to denial-of-service attacks. It was the fifth security update released this year. It also marked the first time this year that an operating system security update from Apple did not patch a vulnerability disclosed by the January Month of Apple Bugs project. Today's update pushed Apple's year-to-date patch total to over 100. More than one of the affected flaws were called 'critical' or 'dangerous'."
What's so special about Apple? Why can't I be notified by Slashdot when Microsoft releases patches?
Where the hell is the Microsoft comeback ad?
Do they care?
668: Neighbour of the Beast
What?
Make Slashdot readable! See journal.
No, most of us just want another overpriced peripheral for our iPods.
Just a hunch, but I'll bet most of your troll mods come from your sig.
Tags != Comments, and -1 (Troll) != -1 (I Would Respond Angrily To This Poster So They Must Be Trolling)
All systems have vulnerabilities.
Macs have no EXPLOITS (yet).
This lack of exploits, and thus the need to spend time preventing/dealing with them, is the selling point for Macs.
You Windows people have been ever confused on the fine distinction, I guess because on Windows if there's a vulnerability there's an exploit already written and working. Us Linux and Mac users know life can be better.
"There is more worth loving than we have strength to love." - Brian Jay Stanley
This is just getting dull, dull, dull. I don't know why I'm even bothering to type this. *Please*, no more, "Oh my god! OS X isn't bulletproof! Teh shock!" 'news' items.
One is best punished for one's virtues.
Which OS doesn't have security vulnerabilities? For every single significant OS, the updates keep on coming. What matters is a good enough secure foundation - Apple and Linux have had that since long - they don't make users run as root.
Backend - Again, you are wrong - BSD is as best as it can get when you are talking about backends. And if it wasn't for Steve Jobs Apple would not have had OS X at all - It is based on NEXTSTEP ( http://en.wikipedia.org/wiki/NEXTSTEP ) and without it they would have either had to live with something not up to the mark or license WindowsNT. And most people buy macs for OS X and some for the hardware quality.
... it's also about /how/ they are handled. Some might say more-so.
From what I've seen, Apple has been quite responsible with fixing found vulnerabilities: turn around times, etc. More-so than that other guy. So, I can't really complain.
Well I make softwares for mac. I was a fresher and I never knew that they will put me up in apple software team. Developing softwares on apple is a nightmare. I like developing softwares more on linux than on mac.
The best art videos collection from YouTube
This is the 5th patch of the year. It's also the 5th month of the year (May). Apple's patches may not be evenly spaced like Microsoft's, but maybe Microsoft is onto something with their one patch day a month policy. It also makes it much easier on administrators having one scheduled day for patches to count on.
Even those who arrange and design shrubberies are under considerable economic stress at this period in history.
Good. Please stay as far away from Mac development as possible. Already the Mac community is straining under the weight of application design tragedies from beancounters and linear thinkers. The last thing we need is another tasteless Bill Gates wannabe like you ("Apple would have been number one if they didnt have steve jobs!") littering the Mac application landscape with your PC-minded shit.
I really need to get a USB breathalyzer that prohibits me from:
A. logging in as root
B. sending email
C. posting to slashdot
if my blood alcohol level is higher than 0.15%.
The full sentence was "It also marked the first time this year that an operating system security update from Apple did not patch a vulnerability disclosed by the January Month of Apple Bugs project." To quote Inigo, "I don't think that means what you think it means."
"I was a fresher"
Could you please explain what that means?
Vote monkeys into Congress. They are cheaper and more trustworthy.
That means that I just completed my bachelor degree.
The best art videos collection from YouTube
My bride has a MacBook. She got the notification, it downloaded what seemed like a fairly large file after prompting for a password. Don't know if it asked and she missed it, or if it rebooted after installing the patch - but either way her machine did an unexpected restart. (Not that Microsoft is not guilty of the same thing, as one of my servers installed and rebooted last week at a very inconvenient time - dang thing was set to automatic) Anyhow, it sure made her nervous. She wanders down to my lab-of-doom and tells me her mac just shut down. I asked and she said she had just done an update. Perhaps she missed the dialog asking to restart... don't know. Had not seen a CERT email about it yet.
+++ UGUCAUCGUAUUUCU
A degree on creating "softwares"?
we shall now see the flood of the clueless that run around in circles screaming OMG SEE MACS HAVE BAD SECURITY TOO. To stamp out their fire before it gets beyond the first match I'd like to point out that even if they fixed 1000 things in this update, you can't compare apples (sorry) to oranges. The lion's share of vulns patched in say, Windows, I would classify "big trouble". Exploits that are in the wild (some of which have been running loose for months) that let remote attackers own your box. Even with that we see the antivirus companies coming out with many new patterns every week. Most are for viruses and spyware, but some are for remote code execution, which is arguably the worst thing you can have happen to your computer.
The number of patched remote code execution bugs that have been found and fixed on the mac recently are countable on one hand. Most (all?) of them are LAN originatable only. And it's not that Apple's not plugging existing holes... there weren't many to fix to begin with. The rest of the fixes, as pointed out by an earlier poster, are for things where someone emails you an attachment and you run it. Sorry but if you are assisting the viruses you really shouldn't hold the computer accountable anyway, but Apple still does its best to bulletproof you even in your stupidity. Their main concern there I believe is that you could send the evil attachment to an unprivileged user and that could lead to elevated privileges for that user or to execute code beyond that user's privs.
Any OS that has so many holes to fix that it can justify a weekly scheduled security fix is clearly in a class by itself.
I work for the Department of Redundancy Department.
Gotta say, however, that when the supercilious little Mac f**k opens his mouth, I just want to slap him.
668: Neighbour of the Beast
Judging by the confusion and the lack of understanding that your post created, I think you are better off writing software for Linux. :) /me ducks.
"Developers! Developers! Developers! Developers! Developers! Developers! Developers!"
No passion. Right.
668: Neighbour of the Beast
No one in your circle of loser friends, maybe, but Macs have been commonplace among (for lack of better class terminologies) pioneers and creatives in almost every industry for decades. It sounds snobbish—all right, it is snobbish, I know, and I wish I were able to put it more delicately. But it's true.
Apple's time to patch was about twice as long as Microsoft's in 2006. From the looks of things, they may be working hard on improving that.
Microsoft's coming up on 10 years for an unpatched vulnerability this year. One that's been exploited over and over again, and is still there.
Apple's comparable vulnerability is much less dangerous, AND you can turn it off, AND it only surfaces in one program. Much lower surface area, much harder to exploit.
I'm talking, of course, about deliberate automatic code execution from web browsers (and in Microsoft's case mail software and any other application that uses the Microsoft HTML control). Not buffer overflows or anything patchable like that, but a design that automatically opens a file or object just as if you'd manually downloaded it and run it from the desktop. I'm talking about daft things like ActiveX in IE, or "Open Safe Files" in Safari...
"Macs gain market share"
Since exploits of machines are meaningless if they are not used by at least a nominal portion of the userbase. Unless said machines run very interesting services (like, say, a DNS root server), machines are only interesting in numbers for a potential attacker.
So, as a Mac user I'd see this as a sign of my computer gaining ground in the market.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
He writes them for the internets.
Windows virus making you irritable? It's okay, Mac users understand, it's why we're on Mac. Just take two virus checkers and make sure your firewall is set. Don't install any non Microsoft approved software and stick with Office software until your machine is feeling better. If you need to get some work done just borrow a friend's Mac. When I got my first Mac a year ago I looked for a copy of anti spyware for the Mac. A friend pointed out it's like giving a nun birth control. Macs aren't a 100% secure they just seem that way to the users.
I've done some development (GUI and otherwise) on Linux, Windows, and Macs - including a fair amount of X11, MFC, C, C++, Java, some C#, and some Objective C.
Linux and Macs are nice to develop for for the same reasons - the tools are great. In fact for most of my Mac programming I still use Emacs. But XCode does have a lot of things going for it, and I've been using it more and more...
I guess my main point is, if you like development for Linux I don't see why you wouldn't like Mac development since you can use all the same tools. You don't have to use XCode. You can even stick to X11 (though frankly I liked that much less than other systems, even if some of the capabilities are nicer).
I have also used Visual Studio but frankly, I don't like how it thinks.
"There is more worth loving than we have strength to love." - Brian Jay Stanley
If it's so important to you what everyone else is doing, GTFO. Fucking beancounter.
...and the bubble of no 0-day exploits on OS X is just waiting to burst.
Yeah, and when they do - then I'll be just as poorly off as Windows users are today! So until that day, why not be better off?
Only I won't be doing as poorly as Windows users, because it will take a long time for Mac or Linux exploits to catch up to Windows exploits numerically.
Sometimes. Not always. See last month's patches. None were 0-day.
That you know of...
"There is more worth loving than we have strength to love." - Brian Jay Stanley
All of the ones you listed involve manipulating code on my computer in ways it was not meant to be run, so sure.
There have been no exploits in any of those categories in the wild. Heck, some of the proof of concept exploits don't even generally work (like the Quicktime exploit, that required I RUN AN EXPLOIT GENERATOR locally and run the generated QT file - still didn't work on any of my Macs!)
"There is more worth loving than we have strength to love." - Brian Jay Stanley
What is it about developing software for Mac OS X that you dislike compared to Linux ?
Are you using Cocoa, Carbon, Java, BSD/POSIX APIs, X Server ?
Are you using X-Code, eclipse, something else ?
I routinely develop software for a variety of Unix systems, and I find Mac OS X just as comfortable as any other Unix. I can't think of many developer tools for Linux that are not also available for Mac OS X (Maybe the IBM/Rational Tools Suite ?). Some of the Mac OS X tools like Interface Builder, Shark, CHUD, and OpenGL Profiler are best of breed.
No-one cares about cracking Macs? Sounds fine to me. I don't own the system to win any popularity awards or to go with the herd, I just want a computer that works well - which it does. If the criminal element thinks it below them to bother with Macs, all the better...
:-)
My pet theory is that the whole of the Russian mafia runs Macs, and the reason we see no exploits is they don't want to foul their own nest so to speak.
"There is more worth loving than we have strength to love." - Brian Jay Stanley
The denial in the Apple community is so much like AIDS was with the gays at first. There was so much misinformation back then...
If you are going to live the Mac lifestyle then you need to be aware and practice safe security.
If anyone cares.... Can't get too technical cause I am quite drunk n' I wasn't payin full up close attention to the verbosity of the reboot after the installation... But I ended up getting a second reboot... On both my machines I have updated so far... This has got to be the most updates in a year ever with Apple, to my best recollection... Is it cause the user base is getting bigger, or the nIx flavoured underpinnings allow for so much more fine tuning, tweaking, n' progging finesse, or is it just that more employees @ Apple == more updates/visibilities into holes??';!$ I think I found something of a lil bit of interest... A story about someone else's blogging, linkin, on macobserver, about sec fixes and approximately how long it takes Apple to fix them.. According to the research that Brian Krebs did into Apple's security fixin's... He found that the average company took 91 days to fix n' meanwhile Apple took around 50 for most.. He discovered this from Bud Tribble, VP of software technology over at Apple.. He was then quoted to say, "[A Mac user] simply expects things to work with single button click, and that means we have to take time to do that correctly,"... I dunno why but that makes me gigg.le... Here's a direct link to the article... http://www.macobserver.com/article/2006/05/02.10.shtml Here...
So if anyone would like, I can post the reboot logs from the install, to allow people to know what exactly happened at reboot... Hope I ain't too off topic...
Peace n Grease.:
TeH Daem.On.
Oh great, here we go: dialectical pluralisms... :)
How is this news? Apple fixes flaws. Linux distro communities fix flaws too. Next time Kubuntu gets an update I'm going to make a page here.
Your wife missed it at multiple points. First it tells you that it will require a restart before you accept it to install. Second once the install is complete it puts up a big dialog asking if you want to Shutdown or Restart. There is no time limit. I am in fact posting this with the dialog in the background.
The "monocrop argument" is a logical fallacy. According to your false reasoning "security" is a non-existent concept and the only thing that defines how many holes are patched in an OS is the market share of that OS. Of course spreading such garbage helps get modded up by some **-fans for such an oversimplification would explain the miserable security track record of a certain OS.
This is wrong on so many accounts.
Except for Server, OS X defaults to no, zero, nadda, ports open by default. That means there's zero chance of a remote root exploit. The only chance of remote exploit is really by exploiting something like safari or Mac Mail. However, such an exploit would be dramatically limited in scope as compared to, for example, Windows XP. Vista has made things a lot better, but UAC's effectiveness is not proved. A root exploit is highly unlikely, although you can argue a local user exploit is as destructive--after all that's where your data is.
I think I'll still be trusting my OS X machine over Windows still. Viruses and spyware are very difficult to make viable on OS X (and Linux also).
I'm reminded of a song by Three Dead Trolls in a Baggie called "Every OS Sucks."
It's not vulnerabilities. It's viruses. There is a difference.
Certainly not one creating English.
--
WHO ATE MY BREAKFAST PANTS?
I'll believe "Developers, developers, developers..." when I can get decent documentation from them -- without having to pay for it.
Hmm... more secure?
Let's see what an authoritative source has to say....
Windows?
OS X?
Windows XP is obviously the more secure OS.
Here's a hint: "lets remote users execute arbitrary code"... I think we can safely label that one an "exploit", in your terminology. Welcome to the real world, pal.
Vulnerabilities are just pillow talk to them... :)
C'mon folks! Software (including OSes) are written by people. Microsoft has people. Apple has people. Linux has people. All people suck. All people make mistakes. All OSes have vulnerabilities and other bugs. Microsoft just get more notice because of market share -- PERIOD. Hackers, phishers, etc will start targeting Apple and Linux as soon as their market share gets high enough. You'll probably see Firefox hit first because it has more of a chance to steal marketshare away from Internet Explorer (and I say that without Firefox installed on any of my PCs).
When the Mac and Linux finally get some market share I can already hear their users saying "remember when the Mac [Linux] used to be sooooo secure..." The "security" both enjoy is such an illusion today solely because people just aren't interested in targeting them... And don't kid yourself thinking that it's because hackers hate Microsoft more. It's all about where they can do the most damage.
Good thing I'm using Windows! Oh wait...
w00t
You must be around 12 years old if you find something "funny" about labeling two people gay. Please let us know what middle school you attend, so we can ask your administrator to add Slashdot to the Net Nanny filter.
It's dull as shit. There's nothing interesting or exciting about it.
Compared to even the most run of the mill PC games, it's tedious wank.
This is how I always get Mac bashers to STFU. Regardless of Apple's smaller market share, _somebody_ would want to have bragging rights to be the first l33t to Pwn OS X. If it were so easy to do so, at least. And you bring up something I hadn't considered before - the Mac user base is so complacent about not getting r00ted or viruses, that they are a ripe target for attack. Personally, I don't patch my OS X system immediately....I do it every few months at my leisure. I bet there are plenty of other Mac users out there. We are perfect targets in theory, yet to this day nobody has seriously tried.
A sentence you'll never see on an Internet discussion board: "You know what? You're right."
I installed this update and rebooted and now it kernel panics every time I try to boot! It happens early enough that I can't even boot into single user. Grrr.....
-David
There. Now go play some cool javascript games!
...how long has Unix existed? How many threats in the wild exist compared to oh, say, Windows? How many web servers run some variant of *nix compared to Windows and, of those servers, how many are affected by exploits and threats almost daily?
Yeah, bring that myth of "smaller user base means less of a target" one more time. I could use another good laugh.
by Anonymous Coward
Seriously, own up to what you are saying. It's people like you stopping me from thinking Macs are worthwhile personal computers.
Windows.Forms,WPF,WCF
"More than one of the affected flaws were called 'critical' or 'dangerous'."
How many "more than one" of the flaws were called 'critical' or 'dangerous', and by whom? Stop trying to sensationalize these mundane news items.
I didn't see the words 'critical' or 'dangerous' anywhere in Apple's description of the security update: http://docs.info.apple.com/article.html?artnum=30
http://en.wikipedia.org/wiki/Weasel_word
It's people like you stopping me from thinking Macs are worthwhile personal computers.
So your opinion of computer platforms is driven primarily by anonymous comments on Slashdot? As opposed to any merits of the systems themselves?
Build a man a fire, he's warm for one night. Set him on fire, and he's warm for the rest of his life.
The British meaning for fresher is the opposite: it means someone on the first semester of a bachelor's degree.
Yes, they can. You see, Mac users do not all speak with a single Borgified voice. There are some Mac users that believe the scarcity of exploits is due to the better design of a Unix base. And there are actually other Mac users that believe the smaller market share makes Macs a less attractive target. Amazingly, there might even be Mac users who change their beliefs according to argument and observation. What chaos!
Dude, I think this is just another incarnation of the anti-Mac trolls who pose as arrogant Mac users. They used to always have a standard post whining about how Macs were only meant for artistic types and other such nonsense in the same vein, followed by an exhortation for people who didn't fit in not to use Macs.
In Repressive Burma, it's not just your connection that dies. slashdot.org/comments.pl?sid=314547&cid=20819199
Nice "positive" comment, Fucktard.
I guess your "rules" don't apply to you, do they?
I want to publicly state that the posting that appears under this title was modified by Slashdot. It is not what I had submitted. I find it reprehensible that this can happen with no notification to me or to the readers.
Mmm, hands not connected with head :)
Where do you think patches come from? Just because no exposures are listed, does not mean there are none (as people rightfully say of the Mac). Only in the case of Vista and XP, there are exploits today that are very real and able to compromise your system.
There are always exposures. It's just a question of exploits.
"There is more worth loving than we have strength to love." - Brian Jay Stanley
No exploits, eh? Ever search on milw0rm.com? Quite a few exploits there. Do you monitor any security lists at all? BugTraq?
Yes, I monitor such lists.
Have you ever actually seen any exploits in the wild for the Mac? No? Then what was your point exactly? I said repeatedly there are always vulnerabilities, which mean that people can make exploits. But none of these proto-exploits has been used in the wild.
Mac hackers might make exploits, but they don't seem to be actually unleashing them the way we see with Windows exploits.
Part of the reason could be the switch to Intel - many exploits take advantage of code insertion, that is generally processor specific. So right now you could either infect tens of millions of Macs with a PPC exploit, or a smaller but quickly growing number of Intel Macs. That probably gives OS X about two more years of realistic exploit-free life. I know I'll enjoy those two years.
"There is more worth loving than we have strength to love." - Brian Jay Stanley
Well, the dialog is "modal" within the context of the ASU application. It blocks the rest of ASU, and prevents you from doing anything else within it, until you respond.
It doesn't block the rest of the OS, or prevent you from switching to a different application, like old OS 9 modal dialogs did. (With the exception of a few special-case system messages, I don't think anything can do that anymore, thank god.) However, I still think it's appropriate to talk about a "modal dialog" within an application; i.e. it blocks you from working on the document / main window until you respond. Not that it's authoritative, but Wikipedia seems to also be OK with this description.
I didn't mean to imply that ASU blocked all user input, as OS 9 seemed to do from time to time, or Windows still does occasionally -- I'm firmly with you in saying that sucks. Furthermore I think that modality within applications also sucks, if the dialog blocks the user from accessing other documents besides the one the dialog is related to.
"Ladies and gentlemen, my killbot features Lotus Notes and a machine gun. It is the finest available."
I find your response informative but it distorts the facts a bit by casting Apple as having an "irresponsible" attitude towards security.
You say: "Apple has a terrible track record..."
And: "Apple has historically been terribly irresponsible..."
For evidence you quote their response time to bug-fixing, and imply (without stating it outright), that Apple may also have lied about the existence of bugs in their software in the past. Since the lying part is not backed up in your post and I can find no evidence of it anywhere else, I will ignore that part.
I would suggest however, that a simple tracking of the turnaround time between bug being discovered and bug being patched is hardly a good measure of an operating system vendor's overall security performance. It's certainly a bit of a push to describe the company as "terribly irresponsible" based merely on that fact.
At the end of the day, there has never been a serious Mac security breach of any kind and (so-far) no remote exploits at all. Windows on the other hand has had many of both varieties. Windows has been, and still is in some respects, "insecure by design," which is a far more serious thing than just not being timely with patches. Add to that the undeniable fact that Windows operating systems have suffered from bugs and exploits that have not only not been fixed by Microsoft, but have been allowed to re-occur in later versions of the operating system and you have a recipe for "irresponsible" behavior in regards securing an operating system.
The only problem is the irresponsible party is Microsoft, not Apple.
He's a plumber, then?
If you spell "Mac" with a 'k' GTFO
If you have a desktop background besides the aqua color GTFO
If you auto hide the dock GTFO
If your Mac is not white GTFO
If your iPod is black GTFO
If you have cable or satellite TV GTFO
If you do not watch the Mac ads on Youtube on a daily basis GTFO
If you use a two-button mouse GTFO
If you refer to Apple as Apple Computers GTFO
If you do not keep a picture of Steve Jobs in your wallet GTFO
If you have any game console GTFO
If you have fewer than 11 Macs GTFO
If you have not applied for a job at the Apple store GTFO
If you are not going to legally change your first name to Mac GTFO
If you respond with a "In Soviet Russia" joke GTFO
And THAT'S how you troll.
Now back to my PC...
You are reading a sig. Cancel or allow?
I don't condone it, but I can at least understand the case where there's a flaw in some old legacy code written well before ignoring security meant your system would be riddled with malware the first time you logged in. What I don't get is how there can be so many NEW vulnerabilities affecting relatively NEW products.
I'm pretty sure the developer culture at Microsoft is at least conscious of security and vulnerabilities by now - as well they should be after taking a severe beating the last few years. Seems like Apple should take another crack at making me feel secure - a shiny white case just isn't doing it any more.
Okay, I'll bite. Which part is worse?
/proc.
No really. What toolkit does Linux have that's better than Cocoa? Certainly the only thing that's even _close_ is Qt, and their tech for GUI applications is still a few years behind. The way you build out an app in InterfaceBuilder as a serialized collection of objects that "wakes up" into an application state is absolutely brilliant, and mirror some of the (engineering-wise) best platforms ever devised.
Sure, there are some bugs and undocumented edges, but Qt isn't really different in that regard. So I would be hard pressed to believe anyone who knows both Cocoa and Qt could express some kind of longing for Qt.
Maybe you're upset about Objective-C? Sometimes people seem to think that Objective-C is bad, and this is an opinion that's not directly refutable... but in general Objective-C (and in particular Apple's implementation of it) is pretty frikkin' awesome. I'm not sure what there is to complain about. So I'm going to rule that out.
Maybe you're pissed about Carbon. Here you have a legit and common complaint. Fortunately, every year (and more importantly, every major OS release) Carbon is driven back by fire into the dank hole of history from whence it came. So it does suck a little, but it's going away. I'm sure you can find at least one important API on linux that sucks to use, so this is a gimme.
What's left? CoreFoundation is a little weird, but not bad. Apple's IOKit is actually a really big step in the right direction. Nearly every library you could want from linux works on a mac already. Like, the only time I really pine for the Fjords-of-Linux is when I wish I had
So why is it so much more awesome on linux? And what apps have you developed, anyways?
Slashdot. It's Not For Common Sense