Slashdot Mirror
Apple Mac OS X Update For 17 Vulnerabilities
BSDetector writes "Apple has released fixes for 17 OSX vulnerabilities, ranging from system takeover to denial-of-service attacks. It was the fifth security update released this year. It also marked the first time this year that an operating system security update from Apple did not patch a vulnerability disclosed by the January Month of Apple Bugs project. Today's update pushed Apple's year-to-date patch total to over 100. More than one of the affected flaws were called 'critical' or 'dangerous'."
Becuase the patches are all released on the first(?) Tuesday of every month.
Why doesn't Slashdot tell me when Thanksgiving is?
Your ad here. Ask me how!
All systems have vulnerabilities.
Macs have no EXPLOITS (yet).
This lack of exploits, and thus they need to spend tme preventing/dealing with them, is the selling point for Macs.
You Windows people have been ever confused on the fine distinction, I guess because on Windows if there's a vulnerability there's an exploit already written and working. Us Linux and Mac users know life can be better.
"There is more worth loving than we have strength to love." - Brian Jay Stanley
Yeah, Slashdot never makes post like this about Microsoft. Certainly this article from two weeks ago has nothing to do with notable Windows security patches.
Which OS doesn't have security vulnerabilities? For every single significant OS, the updates keep on coming. What matters is a good enough secure foundation - Apple and Linux have had that since long - they don't make users run as root.
Backend - Again, you are wrong - BSD is as best as it can get when you are talking about backends. And if it wasn't for Steve Jobs Apple would not have had OS X at all - It is based on NEXTSTEP ( http://en.wikipedia.org/wiki/NEXTSTEP ) and without it they would have either had to live with something not up to the mark or license WindowsNT. And most people buy macs for OS X and some for the hardware quality.
"From what I've seen, Apple has been quite responsible with fixing found vulnerabilities: turn around times, etc. More-so than that other guy. So, I can't really complain."
Apple's time to patch was about twice as long as Microsoft's in 2006. From the looks of things, they may be working hard on improving that.
Apple has historically been terribly irresponsible with found vulnerabilities. This article says this is the first exploit fixed that hasn't been logged on the MOAB project.
Read up the MOAB. The MOAB project was started by security researchers who decided to release their findings publicly (and not contact Apple beforehand giving them time to fix the vulnerability before it becomes publicly known) because they got mad when Apple outright denied some existing vulnerabilities they found.
You are incorrect. Apple has a terrible track record when it comes to handling vulnerabilities when compared to the other guy. It looks like they are making progress.
This is the 5th patch of the year. Its also the 5th month of the year (May). Apple's patches may not be evenly spaced like Microsofts, but maybe Microsoft is onto something with their one patch day a month policy. It also makes it much easier on administrators having one scheduled day for patches to count on.
Even those who arrange and design shrubberies are under considerable economic stress at this period in history.
I really need to get a USB breathalyzer that prohibits me from:
A. logging in as root
B. sending email
C. posting to slashdot
if my blood alcohol level is higher than 0.15%.
A degree on creating "softwares"?
MOAB was founded by security researchers who wanted publicity. Among other issues was a bug in OmniWeb, which was never reported to The Omni Group. How would being frustrated at Apple possibly justify that one?
...and the bubble of no 0-day exploits on OS X is just waiting to burst.
Yeah, and when they do - then I'll be just as poorly off as Windows users are today! So until that day, why not be better off?
Only I won't be doing as poorly as Windows users, because it will take a long time for Mac or Linux exploits to catch up to Windows exploits numerically.
Sometimes. Not always. See last month's patches. None were 0-day.
That you know of...
"There is more worth loving than we have strength to love." - Brian Jay Stanley
All of the ones you listed involve manipulating code on my computer in ways it was not meant to be run, so sure.
There have been no exploits in any of those categories in the wild. Heck, some of the proof of concept exploits don't even generally work (like the Quicktime exploit, that required I RUN AN EXPLOIT GENERATOR locally and run the generated QT file - still didn't work on any of my Macs!)
"There is more worth loving than we have strength to love." - Brian Jay Stanley
What is it about developing software for Mac OS X that you dislike compared to Linux ?
Are you using Cocoa, Carbon, Java, BSD/POSIX APIs, X Server ?
Are you using X-Code, eclipse, something else ?
I routinely develop software for a variety of Unix systems, and I find Mac OS X just as comfortable and any other Unix. I can't think of many developer tools for Linux that is not also available for Mac OS X (Maybe the IBM/Rational Tools Suite ?). Some of the Mac OS X tools like Interface Builder, Shark, CHUD, and OpenGL Profiler are best of breed.
She must have hit the dialog without realizing it...by default, Apple Software Update won't auto-restart, and I don't think there's any way to even enable that behavior.
By default, this is how it works:
* ASU puts up dialog showing list of installable updates; they're checked by default. Ones with restart required are marked.
* User unchecks items they don't want, presses "Install" or hits Return.
* ASU downloads and installs software. At end, flashes its own icon in the Dock as notification.
* User returns to ASU; if an update requiring restart has been installed, a modal dialog is displayed saying "The new software requires that you restart your computer..." with options "Shut Down" and "Restart." Default is 'Restart,' if user presses Return. (However, the dialog is modal only within the ASU application, you can still switch away from ASU and use the computer normally, and after clicking on it once, ASU no longer bounces in the Dock.)
* If Restart is pressed, the computer will begin the reboot process. I *think* that the process will stop if you have an application open with an unsaved document, but I haven't tested this recently.
Unfortunately, I think users are sometimes conditioned to quickly clicking the default option in any dialog they're presented with, that they sometimes don't realize until 1/4 sec after they hit it, that they just rebooted their computer.
As an aside: it's possible to avoid the reboot either by just leaving ASU in the background indefinitely (pressing Cmd-H 'hides' it so that it doesn't clutter up the UI) or by Force Quitting it, although I doubt that's recommended.
"Ladies and gentlemen, my killbot features Lotus Notes and a machine gun. It is the finest available."
This article says this is the first exploit fixed that hasn't been logged on the MOAB project.
You misunderstand. This is the first update that doesn't patch anything listed by MOAB. That doesn't mean that everything patched before was. MOAB only listed 31 bugs, whereas dozens of potential vulnerabilities have been patched by Apple in that time.
The MOAB project was started by security researchers who decided to release their findings publicly because they got mad when Apple outright denied some existing vulnerabilities they found.
That doesn't explain why they chose to give the same treatment to VLC, OmniGroup, and Panic.
Don't become a regular here -- you will become retarded.
I guess it was a hit job which blindsided Telestream's Flip4Mac, Panic's Transmit, Colloquy's Colloquy, Unsanity's Application Enhancer, and the open sourced VLC as innocent bystanders in their vendetta against Apple, so at least six non-Apple branded programs were thrown in to fill out the month. Day 31 has a "filler", meaning that it's just over three weeks' worth of Apple Bugs.
There may be some legitimacy to the complaints that Apple was unresponsive, but I agree, to bring in flaws in third party products to the mix is beyond irresponsible.
Duct tape is like the Force. It has a light side, a dark side, and it holds the universe together.
It doesn't matter how long it takes to patch an exploit, as long as it is patched before it's used in a virus or other attack on a system. There are currently no OS X viruses in the wild that can attack a Mac in a meaningful way (there is a proof-of-concept one that requires the user to install it). Compare that to the tens of thousands of Windows OS viruses and worms exploiting security holes without requiring the user. Given that, I'd say that Apple has an excellent track record when it comes to patching vulnerabilities.
What really happened was she was presented with a dialog that clearly showed the machine would need to be rebooted if she proceeded and she then clicked the "Install Items" button. Then she was asked to authenticate as an admin user, then she was give a dialog asking for permission to reboot, which she could have ignored until a better time but didn't.
However, under no circumstances tell her this. She is your wife and this automatically makes the reboot YOUR fault. So just apologize to her and go buy flowers, you insensitive clod.
Namgge
...how long has Unix existed? How many threats in the wild exist compared to oh, say, Windows? How many web servers run some variant of *nix compared to Windows and, of those servers, how many are affected by exploits and threats almost daily?
Yeah, bring that myth of "smaller user base means less of a target" one more time. I could use another good laugh.
Which Microsoft vulnerability are you referring to as being over 10 years old?
Well, they started out caling it "Active Desktop". It's had other names, but that's where it started.
The vulnerability is that when you combine ActiveX with the API that applications use to call the HTML control the resulting design is fundamentally impossible even in principle to secure. The problem is that the HTML control is given the responsibility for deciding whether an object its called on to display should be trusted or not, but there the HTML control does not have enough information to make that determination. It's arguable whether the application calling it does, but in every exploit I'm aware of that has made use of this vulnerability to infect the computer giving the application responsibility for that decision would have prevented it.
The changes required to the API could be:
(1) Making the control would call back to the application to follow links, access embedded objects, and so on.
(2) Making the control by itself purely a display mechanism, and requiring explicit installation of extensions by the application.
(3) Making the sandbox the control uses "hard", and requiring the user or the application to explicitly install plugins based on roles, and making the application explicitly specify the role that the instance of the control takes.
In addition, in all cases:
(4) Make the inheritence of the environment absolute. If you follow a link from an application then the target of the link MUST be displayed under the control of the same application. That application can display it by running a more restricted helper application if appropriate (so Windows Explorer could call Internet Explorer) but that decision MUST be made by the application, not the HTML control.
Except in VERY limited circumstances (such as the default "open safe files after downloading" option in Safari, which CAN BE TURNED OFF) every other browser or mail software follows some variant of these rules (for example, the KHTML/Webkit "IO slaves" follow rule 2). The idea that a program failing to implement one of these rules would be treated as anything less than a critical bug to be fixed as soon as it was discovered was literally a bad joke before 1997. I mean, there were jokes going around about it, because everyone knew nobody would be so stupid as to implement something like Active Desktop.
Yes, they can. You see, Mac users do not all speak with a single Borgified voice. There are some Mac users that believe the scarcity of exploits is due to the better design of a Unix base. And there are actually other Mac users that believe the smaller market share makes Macs a less attractive target. Amazingly, there might even be Mac users who change their beliefs according to argument and observation. What chaos!