Slashdot Mirror

← Back to Stories (view on slashdot.org)

Apple Mac OS X Update For 17 Vulnerabilities

Posted by Zonk on from the enjoy-a-less-wormy-apple dept.

BSDetector writes "Apple has released fixes for 17 OSX vulnerabilities, ranging from system takeover to denial-of-service attacks. It was the fifth security update released this year. It also marked the first time this year that an operating system security update from Apple did not patch a vulnerability disclosed by the January Month of Apple Bugs project. Today's update pushed Apple's year-to-date patch total to over 100. More than one of the affected flaws were called 'critical' or 'dangerous'."

17 of 259 comments (clear)

  1. Your confusion by SuperKendall · · Score: 5, Insightful

    All systems have vulnerabilities.

    Macs have no EXPLOITS (yet).

    This lack of exploits, and thus they need to spend tme preventing/dealing with them, is the selling point for Macs.

    You Windows people have been ever confused on the fine distinction, I guess because on Windows if there's a vulnerability there's an exploit already written and working. Us Linux and Mac users know life can be better.

    --
    "There is more worth loving than we have strength to love." - Brian Jay Stanley
    1. Re:Your confusion by pdbaby · · Score: 5, Insightful

      the bubble of no 0-day exploits on OS X is just waiting to burst

      I'm sure it'll happen eventually, but it's curious that there are no viruses on the loose that target OS X

      Mac users don't account for a huge percentage of total users, but it's a large enough group -- and we're usually high-tech enough for it to be highly profitable for spammers/crackers/whatever to work for an exploit - we don't run anti-viruses, and I'm sure most non-developer mac users wouldn't even know how to find the process list, let alone figure out what's not supposed to be running.

      --
      Global symbol "$deity" requires explicit package name at line 2. - If only $scripture started "use strict;"
  2. Re:Four fat guys on a crash cart... by RealGrouchy · · Score: 3, Insightful

    Where the hell is the Microsoft comeback ad.?

    Comeback to whom?

    "Hey, you there! Yes, you--the small market share that makes up Apple users."

    If Microsoft were to say anything about this, it would merely acknowledge, and therefore (ironically) reinforce Apple's (well OSX's) image of being resistant to viruses. Perhaps more importantly, it would also reinforce MS's image of Windows being prone to viruses.

    - RG>
    --
    Hey pal, this isn't a pleasantforest, so don't waste my time with pleasantries!
  3. Re:Not a big deal by Anonymous Coward · · Score: 4, Insightful

    Which OS doesn't have security vulnerabilities? For every single significant OS, the updates keep on coming. What matters is a good enough secure foundation - Apple and Linux have had that since long - they don't make users run as root.

    Backend - Again, you are wrong - BSD is as best as it can get when you are talking about backends. And if it wasn't for Steve Jobs Apple would not have had OS X at all - It is based on NEXTSTEP ( http://en.wikipedia.org/wiki/NEXTSTEP ) and without it they would have either had to live with something not up to the mark or license WindowsNT. And most people buy macs for OS X and some for the hardware quality.

  4. Re:open the gates by Actually,+I+do+RTFA · · Score: 3, Insightful

    Their main concern there I believe is that you could send the evil attachment to an unprivileged user and that could lead to elevated privileges for that user or to execute code beyond that user's privs.

    Regardless of where it originates from, isn't any program that allows an unprivledged user to execute code beyond that users privledge a serious issue? Why would it have higher privledges because an e-mail client downloaded it?

    --
    Your ad here. Ask me how!
  5. Re:The reboot was not appreciated... by lexarius · · Score: 2, Insightful

    I've never known it to autoreboot. I don't think it has a timer on the dialog or anything like that. I usually don't want to reboot when it wants to, so I just force-quit the updater once it is done. It will reboot when I feel like it.

  6. This could just as well have a different title by Opportunist · · Score: 3, Insightful

    "Macs gain market share"

    Since exploits of machines are meaningless if they are not used by at least a nominal portion of the userbase. Unless said machines run very interesting services (like, say, a DNS root server), machines are only interesting in numbers for a potential attacker.

    So, as a Mac user I'd see this as a sign of my computer gaining ground in the market.

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    1. Re:This could just as well have a different title by mstone · · Score: 3, Insightful

      Define 'nominal'.

      The installed base of Macs is estimated to be between 10% and 15% of the market. That value follows from the sales numbers established in market share, amortized across the 5-7 year functional lifespan of the average Mac.

      "One machine in ten" seems like a reasonably attractive size for a target.

      Besides, you're forgetting the automated nature of malware. You don't create a botnet by hand, one machine at a time. You pump out a massive number of potential attacks and glean the ones that succeed. And having a botnet means having a massively distributed system whose resources can be devoted to making itself even bigger.

      It doesn't even take an infected Mac to compromise another Mac. The attack is just a package of data, so it would be trivially easy to dedicate a Windows botnet to locating and infecting Macs if someone really wanted to.

      The reason malware developers target the Windows platform is that it's so much easier to find a Windows machine with an exploitable hole and take it over. Windows up through XP carries a ton of historical baggage that assumes the existence of an isolated, single-user system: All processes are launched by a user with absolute privilege. Half the processes on any given machine are running at the highest possible level of privilege, and they accept data from sources with lower levels of privilege. The directory that contains system binaries is writable by pretty much anyone, there's no index to say where any given binary came from, and it's standard practice to add or overwrite files in that directory. The absolute-privilege daemons are controlled by the Registry, which again is writeable by almost anyone, and whose format is obscure enough that it's difficult to find tampering even if you know something is wrong with the machine.

      Those were all convenient and effective solutions in the days when 99.9% of the data coming into a machine came from the person at the keyboard. But they don't fare so well against a hostile internet.

      OS X doesn't have that baggage. It inherited unix's experience dealing with multi-user systems in an untrusted network environment. Yes, there are weak spots, but the attack surface is much smaller than that of Windows.

      The people who collect botnets don't care about market share. They care about exploitability, especially exploitability which can be automated. Windows machines offer an easy target in that respect. Macs and unix-alike systems require more work. And there's no reason for them to do the extra work when Windows machines are both so easy to find and so easy to take over.

    2. Re:This could just as well have a different title by Weedlekin · · Score: 2, Insightful

      "If anything this shows that OSX still doesn't have near the market share some people seem to think."

      This would indeed be true if the act of writing malware was a quest that earned a +5 Amulet Of Knowing Real User Numbers which gives them magical abilities that people who don't write malware lack. If however we reluctantly accept the fact that malware writers don't have such wondrous artefacts, then we must also accept that Windows' market dominance and its total dominance of the malware sector are merely a statistical correlation, and correlations do not in and of themselves imply, let alone prove, causality. Exactly the same data could for example be used to support the following hypothesis, which uses the same fallacious logic as your statement:

      Weeklekin's Stupid Malware Hypothesis

      The notable statistical correlation between market share of desktop operating systems and the amount of malware that's available for them shows that users both expect and demand a wide range of high quality malware applications. Microsoft's latest version of Windows, known as Vista, has many documented problems with a large number of popular pieces of malware, and this has resulted in several major OEMs taking the unprecedented step of retrospectively offering their customers the option of Windows XP, which has proven its unrivalled excellence as a malware host over the last six years. UNIX-based and UNIX-like operating systems such as Apple's OS X, FreeBSD, and Linux will therefore continue to be unpopular in both domestic and business settings unless the designers of both the systems themselves, and various programming tools for them, work harder at achieving the level of malware-friendliness that users of Windows XP enjoy.

      --
      I'm not going to change your sheets again, Mr. Hastings.
  7. So what by SuperKendall · · Score: 4, Insightful

    ...and the bubble of no 0-day exploits on OS X is just waiting to burst.

    Yeah, and when they do - then I'll be just as poorly off as Windows users are today! So until that day, why not be better off?

    Only I won't be doing as poorly as Windows users, because it will take a long time for Mac or Linux exploits to catch up to Windows exploits numerically.

    Sometimes. Not always. See last month's patches. None were 0-day.

    That you know of...

    --
    "There is more worth loving than we have strength to love." - Brian Jay Stanley
  8. Necessary? by Tatsh · · Score: 3, Insightful

    How is this news? Apple fixes flaws. Linux distro communities fix flaws too. Next time Kubuntu gets an update I'm going to make a page here.

  9. Re:It's not only about the vulnerabilities... by Jeff+DeMaagd · · Score: 5, Insightful

    I guess it was a hit job which blindsided Telestream's Flip4Mac, Panic's Transmit, Colloquy's Colloquy, Unsanity's Application Enhancer, and the open sourced VLC as innocent bystanders in their vendetta against Apple, so at least six non-Apple branded programs were thrown in to fill out the month. Day 31 has a "filler", meaning that it's just over three weeks' worth of Apple Bugs.

    There may be some legitimacy to the complaints that Apple was unresponsive, but I agree, to bring in flaws in third party products to the mix is beyond irresponsible.

  10. Re:It's not only about the vulnerabilities... by vertigoCiel · · Score: 4, Insightful

    It doesn't matter how long it takes to patch an exploit, as long as it is patched before it's used in a virus or other attack on a system. There are currently no OS X viruses in the wild that can attack a Mac in a meaningful way (there is a proof-of-concept one that requires the user to install it). Compare that to the tens of thousands of Windows OS viruses and worms exploiting security holes without requiring the user. Given that, I'd say that Apple has an excellent track record when it comes to patching vulnerabilities.

  11. Sorry... by BrianRagle · · Score: 5, Insightful

    ...how long has Unix existed? How many threats in the wild exist compared to oh, say, Windows? How many web servers run some variant of *nix compared to Windows and, of those servers, how many are affected by exploits and threats almost daily?

    Yeah, bring that myth of "smaller user base means less of a target" one more time. I could use another good laugh.

  12. Not too technical, huh? by snowwrestler · · Score: 2, Insightful

    Its people like you stopping me from thinking Macs are worthwhile personal computers.

    So your opinion of computer platforms is driven primarily by anonymous comments on Slashdot? As opposed to any merits of the systems themselves?

    --
    Build a man a fire, he's warm for one night. Set him on fire, and he's warm for the rest of his life.
  13. Multiple Mac users by AlpineR · · Score: 4, Insightful

    You Mac users can't have it both ways.

    Yes, they can. You see, Mac users do not all speak with a single Borgified voice. There are some Mac users that believe the scarcity of exploits is due to the better design of a Unix base. And there are actually other Mac users that believe the smaller market share makes Macs a less attractive target. Amazingly, there might even be Mac users who change their beliefs according to argument and observation. What chaos!

  14. Re:It's not only about the vulnerabilities... by gig · · Score: 3, Insightful

    When you're tempted to compare Windows and Mac security all you have to do is point to the fact that there are Unix user accounts on the Mac since 2001. Game over, Mac wins.

    Mac users do not run as root, and in fact root user access is not enabled by default. Just that by itself is much more important than randomized memory paths and UAC prompts and even firewalls.

    Microsoft has people doing office work running as root because their poorly managed third-party software platform has not yet adapted to a networked user model.

    Apple is also way ahead of Microsoft on quality, design, execution, product management. It is a more tightly built boat.