Slashdot Mirror

← Back to Stories (view on slashdot.org)

Apple Mac OS X Update For 17 Vulnerabilities

Posted by Zonk on from the enjoy-a-less-wormy-apple dept.

BSDetector writes "Apple has released fixes for 17 OSX vulnerabilities, ranging from system takeover to denial-of-service attacks. It was the fifth security update released this year. It also marked the first time this year that an operating system security update from Apple did not patch a vulnerability disclosed by the January Month of Apple Bugs project. Today's update pushed Apple's year-to-date patch total to over 100. More than one of the affected flaws were called 'critical' or 'dangerous'."

22 of 259 comments (clear)

  1. Your confusion by SuperKendall · · Score: 5, Insightful

    All systems have vulnerabilities.

    Macs have no EXPLOITS (yet).

    This lack of exploits, and thus they need to spend tme preventing/dealing with them, is the selling point for Macs.

    You Windows people have been ever confused on the fine distinction, I guess because on Windows if there's a vulnerability there's an exploit already written and working. Us Linux and Mac users know life can be better.

    --
    "There is more worth loving than we have strength to love." - Brian Jay Stanley
    1. Re:Your confusion by Anonymous Coward · · Score: 1, Insightful

      If you find Cocoa more difficult than .NET, you're probably doing it wrong. As in: You don't understand the Mac, and you're trying to program Mac applications as though they were PC ports.

      Stop it. Either learn how Mac programs behave, or if you're too inflexible to escape your PC-minded prison, just GTFO. We've seen far too many PC users lately trying to develop for Macs, and to be blunt, we're sick of your shit clogging up what used to be a platform of reliably good software.

    2. Re:Your confusion by pdbaby · · Score: 5, Insightful

      the bubble of no 0-day exploits on OS X is just waiting to burst

      I'm sure it'll happen eventually, but it's curious that there are no viruses on the loose that target OS X

      Mac users don't account for a huge percentage of total users, but it's a large enough group -- and we're usually high-tech enough for it to be highly profitable for spammers/crackers/whatever to work for an exploit - we don't run anti-viruses, and I'm sure most non-developer mac users wouldn't even know how to find the process list, let alone figure out what's not supposed to be running.

      --
      Global symbol "$deity" requires explicit package name at line 2. - If only $scripture started "use strict;"
  2. Totally redundant story, please sack someone by milo_a_wagner · · Score: 1, Insightful

    This is just getting dull, dull, dull. I don't know why I'm even bothering to type this. *Please*, no more, "Oh my god! OS X isn't bulletproof! Teh shock!" 'news' items.

    --
    Man wird am besten für seine Tugenden bestraft.
  3. Re:Four fat guys on a crash cart... by RealGrouchy · · Score: 3, Insightful

    Where the hell is the Microsoft comeback ad.?

    Comeback to whom?

    "Hey, you there! Yes, you--the small market share that makes up Apple users."

    If Microsoft were to say anything about this, it would merely acknowledge, and therefore (ironically) reinforce Apple's (well OSX's) image of being resistant to viruses. Perhaps more importantly, it would also reinforce MS's image of Windows being prone to viruses.

    - RG>
    --
    Hey pal, this isn't a pleasantforest, so don't waste my time with pleasantries!
  4. Re:Not a big deal by Anonymous Coward · · Score: 4, Insightful

    Which OS doesn't have security vulnerabilities? For every single significant OS, the updates keep on coming. What matters is a good enough secure foundation - Apple and Linux have had that since long - they don't make users run as root.

    Backend - Again, you are wrong - BSD is as best as it can get when you are talking about backends. And if it wasn't for Steve Jobs Apple would not have had OS X at all - It is based on NEXTSTEP ( http://en.wikipedia.org/wiki/NEXTSTEP ) and without it they would have either had to live with something not up to the mark or license WindowsNT. And most people buy macs for OS X and some for the hardware quality.

  5. Re:open the gates by Actually,+I+do+RTFA · · Score: 3, Insightful

    Their main concern there I believe is that you could send the evil attachment to an unprivileged user and that could lead to elevated privileges for that user or to execute code beyond that user's privs.

    Regardless of where it originates from, isn't any program that allows an unprivledged user to execute code beyond that users privledge a serious issue? Why would it have higher privledges because an e-mail client downloaded it?

    --
    Your ad here. Ask me how!
  6. Re:The reboot was not appreciated... by lexarius · · Score: 2, Insightful

    I've never known it to autoreboot. I don't think it has a timer on the dialog or anything like that. I usually don't want to reboot when it wants to, so I just force-quit the updater once it is done. It will reboot when I feel like it.

  7. This could just as well have a different title by Opportunist · · Score: 3, Insightful

    "Macs gain market share"

    Since exploits of machines are meaningless if they are not used by at least a nominal portion of the userbase. Unless said machines run very interesting services (like, say, a DNS root server), machines are only interesting in numbers for a potential attacker.

    So, as a Mac user I'd see this as a sign of my computer gaining ground in the market.

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    1. Re:This could just as well have a different title by mstone · · Score: 3, Insightful

      Define 'nominal'.

      The installed base of Macs is estimated to be between 10% and 15% of the market. That value follows from the sales numbers established in market share, amortized across the 5-7 year functional lifespan of the average Mac.

      "One machine in ten" seems like a reasonably attractive size for a target.

      Besides, you're forgetting the automated nature of malware. You don't create a botnet by hand, one machine at a time. You pump out a massive number of potential attacks and glean the ones that succeed. And having a botnet means having a massively distributed system whose resources can be devoted to making itself even bigger.

      It doesn't even take an infected Mac to compromise another Mac. The attack is just a package of data, so it would be trivially easy to dedicate a Windows botnet to locating and infecting Macs if someone really wanted to.

      The reason malware developers target the Windows platform is that it's so much easier to find a Windows machine with an exploitable hole and take it over. Windows up through XP carries a ton of historical baggage that assumes the existence of an isolated, single-user system: All processes are launched by a user with absolute privilege. Half the processes on any given machine are running at the highest possible level of privilege, and they accept data from sources with lower levels of privilege. The directory that contains system binaries is writable by pretty much anyone, there's no index to say where any given binary came from, and it's standard practice to add or overwrite files in that directory. The absolute-privilege daemons are controlled by the Registry, which again is writeable by almost anyone, and whose format is obscure enough that it's difficult to find tampering even if you know something is wrong with the machine.

      Those were all convenient and effective solutions in the days when 99.9% of the data coming into a machine came from the person at the keyboard. But they don't fare so well against a hostile internet.

      OS X doesn't have that baggage. It inherited unix's experience dealing with multi-user systems in an untrusted network environment. Yes, there are weak spots, but the attack surface is much smaller than that of Windows.

      The people who collect botnets don't care about market share. They care about exploitability, especially exploitability which can be automated. Windows machines offer an easy target in that respect. Macs and unix-alike systems require more work. And there's no reason for them to do the extra work when Windows machines are both so easy to find and so easy to take over.

    2. Re:This could just as well have a different title by suv4x4 · · Score: 1, Insightful

      So, as a Mac user I'd see this as a sign of my computer gaining ground in the market.

      So, you'll have to admit then all Jobs said about Windows being an insecure piece of garbage was wrong. It's, you see, just because they have so great market share.

      You Mac users can't have it both ways. When hackers didn't pay attention to OSX and people said "this is because noone cares to attack you yet", you said "bs, it's because OSX is such a great OS, it's unhackable, it's secure *nix baby!".

      Now you the community turns 180 degrees and claim the opposite.

      For me, it *does* have to do with market share, and I believe OSX is an OS as any, and the only thing that pisses me off is the conformist opinion Mac users are ready to adapt at any given point, just to put OSX in a good (or less bad) light.

    3. Re:This could just as well have a different title by Weedlekin · · Score: 2, Insightful

      "If anything this shows that OSX still doesn't have near the market share some people seem to think."

      This would indeed be true if the act of writing malware was a quest that earned a +5 Amulet Of Knowing Real User Numbers which gives them magical abilities that people who don't write malware lack. If however we reluctantly accept the fact that malware writers don't have such wondrous artefacts, then we must also accept that Windows' market dominance and its total dominance of the malware sector are merely a statistical correlation, and correlations do not in and of themselves imply, let alone prove, causality. Exactly the same data could for example be used to support the following hypothesis, which uses the same fallacious logic as your statement:

      Weeklekin's Stupid Malware Hypothesis

      The notable statistical correlation between market share of desktop operating systems and the amount of malware that's available for them shows that users both expect and demand a wide range of high quality malware applications. Microsoft's latest version of Windows, known as Vista, has many documented problems with a large number of popular pieces of malware, and this has resulted in several major OEMs taking the unprecedented step of retrospectively offering their customers the option of Windows XP, which has proven its unrivalled excellence as a malware host over the last six years. UNIX-based and UNIX-like operating systems such as Apple's OS X, FreeBSD, and Linux will therefore continue to be unpopular in both domestic and business settings unless the designers of both the systems themselves, and various programming tools for them, work harder at achieving the level of malware-friendliness that users of Windows XP enjoy.

      --
      I'm not going to change your sheets again, Mr. Hastings.
  8. WHO CARES ABOUT MARKET SHARE by Anonymous Coward · · Score: 1, Insightful

    If it's so important to you what everyone else is doing, GTFO. Fucking beancounter.

  9. So what by SuperKendall · · Score: 4, Insightful

    ...and the bubble of no 0-day exploits on OS X is just waiting to burst.

    Yeah, and when they do - then I'll be just as poorly off as Windows users are today! So until that day, why not be better off?

    Only I won't be doing as poorly as Windows users, because it will take a long time for Mac or Linux exploits to catch up to Windows exploits numerically.

    Sometimes. Not always. See last month's patches. None were 0-day.

    That you know of...

    --
    "There is more worth loving than we have strength to love." - Brian Jay Stanley
  10. Necessary? by Tatsh · · Score: 3, Insightful

    How is this news? Apple fixes flaws. Linux distro communities fix flaws too. Next time Kubuntu gets an update I'm going to make a page here.

  11. Re:It's not only about the vulnerabilities... by Jeff+DeMaagd · · Score: 5, Insightful

    I guess it was a hit job which blindsided Telestream's Flip4Mac, Panic's Transmit, Colloquy's Colloquy, Unsanity's Application Enhancer, and the open sourced VLC as innocent bystanders in their vendetta against Apple, so at least six non-Apple branded programs were thrown in to fill out the month. Day 31 has a "filler", meaning that it's just over three weeks' worth of Apple Bugs.

    There may be some legitimacy to the complaints that Apple was unresponsive, but I agree, to bring in flaws in third party products to the mix is beyond irresponsible.

  12. Re:It's not only about the vulnerabilities... by vertigoCiel · · Score: 4, Insightful

    It doesn't matter how long it takes to patch an exploit, as long as it is patched before it's used in a virus or other attack on a system. There are currently no OS X viruses in the wild that can attack a Mac in a meaningful way (there is a proof-of-concept one that requires the user to install it). Compare that to the tens of thousands of Windows OS viruses and worms exploiting security holes without requiring the user. Given that, I'd say that Apple has an excellent track record when it comes to patching vulnerabilities.

  13. Sorry... by BrianRagle · · Score: 5, Insightful

    ...how long has Unix existed? How many threats in the wild exist compared to oh, say, Windows? How many web servers run some variant of *nix compared to Windows and, of those servers, how many are affected by exploits and threats almost daily?

    Yeah, bring that myth of "smaller user base means less of a target" one more time. I could use another good laugh.

  14. Re:DING DING DING by TheRaven64 · · Score: 1, Insightful
    If I write a virus for Windows, then the odds are that any computer it infects will be able to infect a few more on any network it connects to. If I write a virus for Outlook Express, then it is likely that it will be able to infect most of the people in each OE user's address book.

    If I write a virus for OS X, then it may hit a small network of Macs, but then have nowhere to spread. A vulnerability in the JRE would make a good target, since it could potentially be used to write a virus that infected Macs, but spread to Windows and *NIX machines as well.

    The difficult thing about writing a virus for OS X is not writing something that infects Macs, it's writing something that will spread in a population where 95% are immune.

    --
    I am TheRaven on Soylent News
  15. Not too technical, huh? by snowwrestler · · Score: 2, Insightful

    Its people like you stopping me from thinking Macs are worthwhile personal computers.

    So your opinion of computer platforms is driven primarily by anonymous comments on Slashdot? As opposed to any merits of the systems themselves?

    --
    Build a man a fire, he's warm for one night. Set him on fire, and he's warm for the rest of his life.
  16. Multiple Mac users by AlpineR · · Score: 4, Insightful

    You Mac users can't have it both ways.

    Yes, they can. You see, Mac users do not all speak with a single Borgified voice. There are some Mac users that believe the scarcity of exploits is due to the better design of a Unix base. And there are actually other Mac users that believe the smaller market share makes Macs a less attractive target. Amazingly, there might even be Mac users who change their beliefs according to argument and observation. What chaos!

  17. Re:It's not only about the vulnerabilities... by gig · · Score: 3, Insightful

    When you're tempted to compare Windows and Mac security all you have to do is point to the fact that there are Unix user accounts on the Mac since 2001. Game over, Mac wins.

    Mac users do not run as root, and in fact root user access is not enabled by default. Just that by itself is much more important than randomized memory paths and UAC prompts and even firewalls.

    Microsoft has people doing office work running as root because their poorly managed third-party software platform has not yet adapted to a networked user model.

    Apple is also way ahead of Microsoft on quality, design, execution, product management. It is a more tightly built boat.