Slashdot Mirror
Apple Mac OS X Update For 17 Vulnerabilities
BSDetector writes "Apple has released fixes for 17 OSX vulnerabilities, ranging from system takeover to denial-of-service attacks. It was the fifth security update released this year. It also marked the first time this year that an operating system security update from Apple did not patch a vulnerability disclosed by the January Month of Apple Bugs project. Today's update pushed Apple's year-to-date patch total to over 100. More than one of the affected flaws were called 'critical' or 'dangerous'."
Becuase the patches are all released on the first(?) Tuesday of every month.
Why doesn't Slashdot tell me when Thanksgiving is?
Your ad here. Ask me how!
No, most of us just want another overpriced peripheral for our iPods.
Just a hunch, but I'll bet most of your troll mods come from your sig.
Tags != Comments, and -1 (Troll) != -1 (I Would Respond Angrily To This Poster So They Must Be Trolling)
All systems have vulnerabilities.
Macs have no EXPLOITS (yet).
This lack of exploits, and thus they need to spend tme preventing/dealing with them, is the selling point for Macs.
You Windows people have been ever confused on the fine distinction, I guess because on Windows if there's a vulnerability there's an exploit already written and working. Us Linux and Mac users know life can be better.
"There is more worth loving than we have strength to love." - Brian Jay Stanley
Yeah, Slashdot never makes post like this about Microsoft. Certainly this article from two weeks ago has nothing to do with notable Windows security patches.
Comeback to whom?
"Hey, you there! Yes, you--the small market share that makes up Apple users."
If Microsoft were to say anything about this, it would merely acknowledge, and therefore (ironically) reinforce Apple's (well OSX's) image of being resistant to viruses. Perhaps more importantly, it would also reinforce MS's image of Windows being prone to viruses.
- RG>
Hey pal, this isn't a pleasantforest, so don't waste my time with pleasantries!
Which OS doesn't have security vulnerabilities? For every single significant OS, the updates keep on coming. What matters is a good enough secure foundation - Apple and Linux have had that since long - they don't make users run as root.
Backend - Again, you are wrong - BSD is as best as it can get when you are talking about backends. And if it wasn't for Steve Jobs Apple would not have had OS X at all - It is based on NEXTSTEP ( http://en.wikipedia.org/wiki/NEXTSTEP ) and without it they would have either had to live with something not up to the mark or license WindowsNT. And most people buy macs for OS X and some for the hardware quality.
... it's also about /how/ they are handled. Some might say more-so.
From what I've seen, Apple has been quite responsible with fixing found vulnerabilities: turn around times, etc. More-so than that other guy. So, I can't really complain.
This is the 5th patch of the year. Its also the 5th month of the year (May). Apple's patches may not be evenly spaced like Microsofts, but maybe Microsoft is onto something with their one patch day a month policy. It also makes it much easier on administrators having one scheduled day for patches to count on.
Even those who arrange and design shrubberies are under considerable economic stress at this period in history.
I really need to get a USB breathalyzer that prohibits me from:
A. logging in as root
B. sending email
C. posting to slashdot
if my blood alcohol level is higher than 0.15%.
A degree on creating "softwares"?
Regardless of where it originates from, isn't any program that allows an unprivledged user to execute code beyond that users privledge a serious issue? Why would it have higher privledges because an e-mail client downloaded it?
Your ad here. Ask me how!
Apple's time to patch was about twice as long as Microsoft's in 2006. From the looks of things, they may be working hard on improving that.
Microsoft's coming up on 10 years for an unpatched vulnerability this year. One that's been exploited over and over again, and is still there.
Apple's comparable vulnerability is much less dangerous, AND you can turn it off, AND it only surfaces in one program. Much lower surface area, much harder to exploit.
I'm talking, of course, about deliberate automatic code execution from web browsers (and in Microsoft's case mail software and any other application that uses the Microsoft HTML control). Not buffer overflows or anything patchable like that, but a design that automatically opens a file or object just as if you'd manually downloaded it and run it from the desktop. I'm talking about daft things like ActiveX in IE, or "Open Safe Files" in Safari...
"Macs gain market share"
Since exploits of machines are meaningless if they are not used by at least a nominal portion of the userbase. Unless said machines run very interesting services (like, say, a DNS root server), machines are only interesting in numbers for a potential attacker.
So, as a Mac user I'd see this as a sign of my computer gaining ground in the market.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
...and the bubble of no 0-day exploits on OS X is just waiting to burst.
Yeah, and when they do - then I'll be just as poorly off as Windows users are today! So until that day, why not be better off?
Only I won't be doing as poorly as Windows users, because it will take a long time for Mac or Linux exploits to catch up to Windows exploits numerically.
Sometimes. Not always. See last month's patches. None were 0-day.
That you know of...
"There is more worth loving than we have strength to love." - Brian Jay Stanley
All of the ones you listed involve manipulating code on my computer in ways it was not meant to be run, so sure.
There have been no exploits in any of those categories in the wild. Heck, some of the proof of concept exploits don't even generally work (like the Quicktime exploit, that required I RUN AN EXPLOIT GENERATOR locally and run the generated QT file - still didn't work on any of my Macs!)
"There is more worth loving than we have strength to love." - Brian Jay Stanley
What is it about developing software for Mac OS X that you dislike compared to Linux ?
Are you using Cocoa, Carbon, Java, BSD/POSIX APIs, X Server ?
Are you using X-Code, eclipse, something else ?
I routinely develop software for a variety of Unix systems, and I find Mac OS X just as comfortable and any other Unix. I can't think of many developer tools for Linux that is not also available for Mac OS X (Maybe the IBM/Rational Tools Suite ?). Some of the Mac OS X tools like Interface Builder, Shark, CHUD, and OpenGL Profiler are best of breed.
She must have hit the dialog without realizing it...by default, Apple Software Update won't auto-restart, and I don't think there's any way to even enable that behavior.
By default, this is how it works:
* ASU puts up dialog showing list of installable updates; they're checked by default. Ones with restart required are marked.
* User unchecks items they don't want, presses "Install" or hits Return.
* ASU downloads and installs software. At end, flashes its own icon in the Dock as notification.
* User returns to ASU; if an update requiring restart has been installed, a modal dialog is displayed saying "The new software requires that you restart your computer..." with options "Shut Down" and "Restart." Default is 'Restart,' if user presses Return. (However, the dialog is modal only within the ASU application, you can still switch away from ASU and use the computer normally, and after clicking on it once, ASU no longer bounces in the Dock.)
* If Restart is pressed, the computer will begin the reboot process. I *think* that the process will stop if you have an application open with an unsaved document, but I haven't tested this recently.
Unfortunately, I think users are sometimes conditioned to quickly clicking the default option in any dialog they're presented with, that they sometimes don't realize until 1/4 sec after they hit it, that they just rebooted their computer.
As an aside: it's possible to avoid the reboot either by just leaving ASU in the background indefinitely (pressing Cmd-H 'hides' it so that it doesn't clutter up the UI) or by Force Quitting it, although I doubt that's recommended.
"Ladies and gentlemen, my killbot features Lotus Notes and a machine gun. It is the finest available."
How is this news? Apple fixes flaws. Linux distro communities fix flaws too. Next time Kubuntu gets an update I'm going to make a page here.
Duct tape is like the Force. It has a light side, a dark side, and it holds the universe together.
Reminds me of how I used to pick up the cat and place him right in front of the dog :) Cue the Benny Hill music!
What really happened was she was presented with a dialog that clearly showed the machine would need to be rebooted if she proceeded and she then clicked the "Install Items" button. Then she was asked to authenticate as an admin user, then she was give a dialog asking for permission to reboot, which she could have ignored until a better time but didn't.
However, under no circumstances tell her this. She is your wife and this automatically makes the reboot YOUR fault. So just apologize to her and go buy flowers, you insensitive clod.
Namgge
I prefer it to the Windows 'feature' that automatically shuts down your PC whether you want it to or not, even if you tell it you're going to restart later.
...how long has Unix existed? How many threats in the wild exist compared to oh, say, Windows? How many web servers run some variant of *nix compared to Windows and, of those servers, how many are affected by exploits and threats almost daily?
Yeah, bring that myth of "smaller user base means less of a target" one more time. I could use another good laugh.
a modal dialog
Nope, the ASU dialog is non-modal, just like all other dialogs in OS-X. Modal means the user can do no more work on the computer until they respond. Non-Modal means the user can hide the dialog or application or switch focus and continue working. Dialogs can be modal to their application, but this is strongly discouraged as a design philosophy as well.
Yes, I am a veteran of the Modal Wars. The war is mostly over and we non-modalists and computer users everywhere won. It was a major, well understood design decision from the original OS-X architects that nothing could ever be modal in OS-X. Users who switch away from using OS-X to a system that still permits modal dialogs often comment about how jarring it is to have a modal dialog they don't understand, and being forced to make an uninformed decision before being allowed to continue working or unable even to save their work. It is a subtle but very powerful distinction about who is in control of a session, the user or the OS. Modality is just a power trip for those who hate the idea that a person sitting in front of a machine might actually know what they are doing.
the AC
Hemos is like...sci-fi fans;he thinks technology is cool, but he hasn't bothered to understand the science it's based on
There is a subtle difference.
Faster! Faster! Faster would be better!
Yes, they can. You see, Mac users do not all speak with a single Borgified voice. There are some Mac users that believe the scarcity of exploits is due to the better design of a Unix base. And there are actually other Mac users that believe the smaller market share makes Macs a less attractive target. Amazingly, there might even be Mac users who change their beliefs according to argument and observation. What chaos!