Apple Mac OS X Update For 17 Vulnerabilities
BSDetector writes "Apple has released fixes for 17 OSX vulnerabilities, ranging from system takeover to denial-of-service attacks. It was the fifth security update released this year. It also marked the first time this year that an operating system security update from Apple did not patch a vulnerability disclosed by the January Month of Apple Bugs project. Today's update pushed Apple's year-to-date patch total to over 100. More than one of the affected flaws were called 'critical' or 'dangerous'."
Because your M$ updates might have spyware, viri, trojans, etc, so it would be dangerous to notify you.
* Carthago Delenda Est *
Because the patches are all released on the first(?) Tuesday of every month.
Why doesn't Slashdot tell me when Thanksgiving is?
Your ad here. Ask me how!
No, most of us just want another overpriced peripheral for our iPods.
Just a hunch, but I'll bet most of your troll mods come from your sig.
Tags != Comments, and -1 (Troll) != -1 (I Would Respond Angrily To This Poster So They Must Be Trolling)
All systems have vulnerabilities.
Macs have no EXPLOITS (yet).
This lack of exploits, and thus they need to spend time preventing/dealing with them, is the selling point for Macs.
You Windows people have been ever confused on the fine distinction, I guess because on Windows if there's a vulnerability there's an exploit already written and working. Us Linux and Mac users know life can be better.
"There is more worth loving than we have strength to love." - Brian Jay Stanley
Yeah, Slashdot never makes posts like this about Microsoft. Certainly this article from two weeks ago has nothing to do with notable Windows security patches.
Comeback to whom?
"Hey, you there! Yes, you--the small market share that makes up Apple users."
If Microsoft were to say anything about this, it would merely acknowledge, and therefore (ironically) reinforce Apple's (well OSX's) image of being resistant to viruses. Perhaps more importantly, it would also reinforce MS's image of Windows being prone to viruses.
- RG>
Hey pal, this isn't a pleasantforest, so don't waste my time with pleasantries!
Which OS doesn't have security vulnerabilities? For every single significant OS, the updates keep on coming. What matters is a good enough secure foundation - Apple and Linux have had that since long - they don't make users run as root.
Backend - Again, you are wrong - BSD is as best as it can get when you are talking about backends. And if it wasn't for Steve Jobs Apple would not have had OS X at all - It is based on NEXTSTEP ( http://en.wikipedia.org/wiki/NEXTSTEP ) and without it they would have either had to live with something not up to the mark or license WindowsNT. And most people buy macs for OS X and some for the hardware quality.
... it's also about /how/ they are handled. Some might say more-so.
From what I've seen, Apple has been quite responsible with fixing found vulnerabilities: turn around times, etc. More-so than that other guy. So, I can't really complain.
This is the 5th patch of the year. It's also the 5th month of the year (May). Apple's patches may not be evenly spaced like Microsoft's, but maybe Microsoft is onto something with their one patch day a month policy. It also makes it much easier on administrators having one scheduled day for patches to count on.
Even those who arrange and design shrubberies are under considerable economic stress at this period in history.
I really need to get a USB breathalyzer that prohibits me from:
A. logging in as root
B. sending email
C. posting to slashdot
if my blood alcohol level is higher than 0.15%.
"I was a fresher"
Could you please explain what that means?
Vote monkeys into Congress. They are cheaper and more trustworthy.
A degree on creating "softwares"?
we shall now see the flood of the clueless that run around in circles screaming OMG SEE MACS HAVE BAD SECURITY TOO. To stamp out their fire before it gets beyond the first match I'd like to point out that even if they fixed 1000 things in this update, you can't compare apples (sorry) to oranges. The lion's share of vulns patched in say, Windows, I would classify "big trouble". Exploits that are in the wild (some of which have been running loose for months) that let remote attackers own your box. Even with that we see the antivirus companies coming out with many new patterns every week. Most are for viruses and spyware, but some are for remote code execution, which is arguably the worst thing you can have happen to your computer.
The number of patched remote code execution bugs that have been found and fixed on the mac recently are countable on one hand. Most (all?) of them are LAN originatable only. And it's not that Apple's not plugging existing holes... there weren't many to fix to begin with. The rest of the fixes, as pointed out by an earlier poster, are for things where someone emails you an attachment and you run it. Sorry but if you are assisting the viruses you really shouldn't hold the computer accountable anyway, but Apple still does its best to bulletproof you even in your stupidity. Their main concern there I believe is that you could send the evil attachment to an unprivileged user and that could lead to elevated privileges for that user or to execute code beyond that user's privs.
Any OS that has so many holes to fix that it can justify a weekly scheduled security fix is clearly in a class by itself.
I work for the Department of Redundancy Department.
I've never known it to autoreboot. I don't think it has a timer on the dialog or anything like that. I usually don't want to reboot when it wants to, so I just force-quit the updater once it is done. It will reboot when I feel like it.
You didn't get the media spin memo, right? The former is now called "life threatening" and the latter "potentially deadly".
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
Apple's time to patch was about twice as long as Microsoft's in 2006. From the looks of things, they may be working hard on improving that.
Microsoft's coming up on 10 years for an unpatched vulnerability this year. One that's been exploited over and over again, and is still there.
Apple's comparable vulnerability is much less dangerous, AND you can turn it off, AND it only surfaces in one program. Much lower surface area, much harder to exploit.
I'm talking, of course, about deliberate automatic code execution from web browsers (and in Microsoft's case mail software and any other application that uses the Microsoft HTML control). Not buffer overflows or anything patchable like that, but a design that automatically opens a file or object just as if you'd manually downloaded it and run it from the desktop. I'm talking about daft things like ActiveX in IE, or "Open Safe Files" in Safari...
"Macs gain market share"
Since exploits of machines are meaningless if they are not used by at least a nominal portion of the userbase. Unless said machines run very interesting services (like, say, a DNS root server), machines are only interesting in numbers for a potential attacker.
So, as a Mac user I'd see this as a sign of my computer gaining ground in the market.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
Windows virus making you irritable? It's okay, Mac users understand, it's why we're on Mac. Just take two virus checkers and make sure your firewall is set. Don't install any non Microsoft approved software and stick with Office software until your machine is feeling better. If you need to get some work done just borrow a friend's Mac. When I got my first Mac a year ago I looked for a copy of anti spyware for the Mac. A friend pointed out it's like giving a nun birth control. Macs aren't a 100% secure, they just seem that way to the users.
I've done some development (GUI and otherwise) on Linux, Windows, and Macs - including a fair amount of X11, MFC, C, C++, Java, some C#, and some Objective C.
Linux and Macs are nice to develop for for the same reasons - the tools are great. In fact for most of my Mac programming I still use Emacs. But XCode does have a lot of things going for it, and I've been using it more and more...
I guess my main point is, if you like development for Linux I don't see why you wouldn't like Mac development since you can use all the same tools. You don't have to use XCode. You can even stick to X11 (though frankly I liked that much less than other systems, even if some of the capabilities are nicer).
I have also used Visual Studio but frankly, I don't like how it thinks.
"There is more worth loving than we have strength to love." - Brian Jay Stanley
...and the bubble of no 0-day exploits on OS X is just waiting to burst.
Yeah, and when they do - then I'll be just as poorly off as Windows users are today! So until that day, why not be better off?
Only I won't be doing as poorly as Windows users, because it will take a long time for Mac or Linux exploits to catch up to Windows exploits numerically.
Sometimes. Not always. See last month's patches. None were 0-day.
That you know of...
"There is more worth loving than we have strength to love." - Brian Jay Stanley
All of the ones you listed involve manipulating code on my computer in ways it was not meant to be run, so sure.
There have been no exploits in any of those categories in the wild. Heck, some of the proof of concept exploits don't even generally work (like the Quicktime exploit, that required I RUN AN EXPLOIT GENERATOR locally and run the generated QT file - still didn't work on any of my Macs!)
"There is more worth loving than we have strength to love." - Brian Jay Stanley
What is it about developing software for Mac OS X that you dislike compared to Linux ?
Are you using Cocoa, Carbon, Java, BSD/POSIX APIs, X Server ?
Are you using X-Code, eclipse, something else ?
I routinely develop software for a variety of Unix systems, and I find Mac OS X just as comfortable as any other Unix. I can't think of many developer tools for Linux that are not also available for Mac OS X (Maybe the IBM/Rational Tools Suite ?). Some of the Mac OS X tools like Interface Builder, Shark, CHUD, and OpenGL Profiler are best of breed.
She must have hit the dialog without realizing it...by default, Apple Software Update won't auto-restart, and I don't think there's any way to even enable that behavior.
By default, this is how it works:
* ASU puts up dialog showing list of installable updates; they're checked by default. Ones with restart required are marked.
* User unchecks items they don't want, presses "Install" or hits Return.
* ASU downloads and installs software. At end, flashes its own icon in the Dock as notification.
* User returns to ASU; if an update requiring restart has been installed, a modal dialog is displayed saying "The new software requires that you restart your computer..." with options "Shut Down" and "Restart." Default is 'Restart,' if user presses Return. (However, the dialog is modal only within the ASU application, you can still switch away from ASU and use the computer normally, and after clicking on it once, ASU no longer bounces in the Dock.)
* If Restart is pressed, the computer will begin the reboot process. I *think* that the process will stop if you have an application open with an unsaved document, but I haven't tested this recently.
Unfortunately, I think users are sometimes conditioned to quickly clicking the default option in any dialog they're presented with, that they sometimes don't realize until 1/4 sec after they hit it, that they just rebooted their computer.
As an aside: it's possible to avoid the reboot either by just leaving ASU in the background indefinitely (pressing Cmd-H 'hides' it so that it doesn't clutter up the UI) or by Force Quitting it, although I doubt that's recommended.
"Ladies and gentlemen, my killbot features Lotus Notes and a machine gun. It is the finest available."
How is this news? Apple fixes flaws. Linux distro communities fix flaws too. Next time Kubuntu gets an update I'm going to make a page here.
Certainly not one creating English.
--
WHO ATE MY BREAKFAST PANTS?
Duct tape is like the Force. It has a light side, a dark side, and it holds the universe together.
Reminds me of how I used to pick up the cat and place him right in front of the dog :) Cue the Benny Hill music!
What really happened was she was presented with a dialog that clearly showed the machine would need to be rebooted if she proceeded and she then clicked the "Install Items" button. Then she was asked to authenticate as an admin user, then she was given a dialog asking for permission to reboot, which she could have ignored until a better time but didn't.
However, under no circumstances tell her this. She is your wife and this automatically makes the reboot YOUR fault. So just apologize to her and go buy flowers, you insensitive clod.
Namgge
I prefer it to the Windows 'feature' that automatically shuts down your PC whether you want it to or not, even if you tell it you're going to restart later.
I am totally offended by your remarks! I AM gay and thought Bill & Steve would make a great looking couple. Who are you to chastise me for expressing my feelings! It would be one thing if you were debating on the content of my remarks; it's a whole other thing to bash me and my sexuality. You must be some sort of homophobe who hides behind the false precept of being mature. Hater!
I installed this update and rebooted and now it kernel panics every time I try to boot! It happens early enough that I can't even boot into single user. Grrr.....
-David
There. Now go play some cool javascript games!
...how long has Unix existed? How many threats in the wild exist compared to oh, say, Windows? How many web servers run some variant of *nix compared to Windows and, of those servers, how many are affected by exploits and threats almost daily?
Yeah, bring that myth of "smaller user base means less of a target" one more time. I could use another good laugh.
a modal dialog
Nope, the ASU dialog is non-modal, just like all other dialogs in OS-X. Modal means the user can do no more work on the computer until they respond. Non-Modal means the user can hide the dialog or application or switch focus and continue working. Dialogs can be modal to their application, but this is strongly discouraged as a design philosophy as well.
Yes, I am a veteran of the Modal Wars. The war is mostly over and we non-modalists and computer users everywhere won. It was a major, well understood design decision from the original OS-X architects that nothing could ever be modal in OS-X. Users who switch away from using OS-X to a system that still permits modal dialogs often comment about how jarring it is to have a modal dialog they don't understand, and being forced to make an uninformed decision before being allowed to continue working or unable even to save their work. It is a subtle but very powerful distinction about who is in control of a session, the user or the OS. Modality is just a power trip for those who hate the idea that a person sitting in front of a machine might actually know what they are doing.
the AC
Hemos is like...sci-fi fans; he thinks technology is cool, but he hasn't bothered to understand the science it's based on
Lars T.
To the guy who modded me down from perfect to terrible Karma - Apple haters still suck
No, you're wrong. Bonjour (aka rendezvous aka mdns[responder]) listens on UDP port 5353 by default on a client install - that's how iTunes/iChat/AFP sharing find other computers. And guess what - it's one of the apps that has a local root exploit in this security update.
It's people like you stopping me from thinking Macs are worthwhile personal computers.
So your opinion of computer platforms is driven primarily by anonymous comments on Slashdot? As opposed to any merits of the systems themselves?
Build a man a fire, he's warm for one night. Set him on fire, and he's warm for the rest of his life.
This is normal behavior. Mac OS X had to rebuild its kernel extension cache and also had to load in new kexts, redo the prebinding, permissions, etc. Just like MS wants you to restart after installing every little piece of software, Apple wants you to do it whenever you make modifications to the system.
There is a subtle difference.
Faster! Faster! Faster would be better!
Yes, they can. You see, Mac users do not all speak with a single Borgified voice. There are some Mac users that believe the scarcity of exploits is due to the better design of a Unix base. And there are actually other Mac users that believe the smaller market share makes Macs a less attractive target. Amazingly, there might even be Mac users who change their beliefs according to argument and observation. What chaos!