Apple and Microsoft Release Critical Patches
SkiifGeek writes "Both Microsoft and Apple have released major security updates in the last 24 hours. Microsoft's single update (MS09-017) addresses fourteen distinct vulnerabilities across all supported versions of PowerPoint, but it isn't the number of patched vulnerabilities that is causing trouble. Instead, the decision to release the patch for Windows versions while OS X and Works versions remain vulnerable to the same remote code execution risks (including one that is currently being exploited) hasn't gone down well with some people. Microsoft have given various reasons why this is the case, but this mega-update-in-a-patch is still interesting for other reasons. Meanwhile, Apple has updated OS X 10.5 to 10.5.7 as part of the 2009-002 Security Update, as well as a cumulative update for Safari 3 and the Public Beta for 4. As well as addressing numerous significant security risks, the 10.5.7 update provides a number of stability and capability enhancements and incorporates the Safari 3 update patch. Probably the most surprising element of the Apple update is the overall size of it; 442MB for the point update, and 729MB for the ComboUpdate."
> Probably the most surprising element of the
> Apple update is the overall size of it
Actually, the MOST surprising thing is that Apple didn't charge $150 for it!
I have a feeling that the Microsoft patch is a little more serious.
If a patch is important enough to be on Slashdot I apply it? (well not really) Keep up the work /. and remember the internet depends on you.
Think Deeply.
> [...] but this mega-update-in-a-patch is still interesting for other reasons.
Why not just say what those reasons are? I'd like to know, because I followed the link which suggests it'll tell me what the reasons are, and it's---so far as I can tell---only interesting because it contains so little detail. Please be careful with futzing about with infinite regress like that. Eventually you're going to divide by zero, and then we're all fucked.
Do you have any idea how much legal copy would be involved to release concurrent patches for all those vulnerabilities? The mere thought boggles the mind.
"To surrender to ignorance and call it God has always been premature, and it remains premature today." -Isaac Asimov
Thanks, A Noways Cum Donor
> Probably the most surprising element of the Apple update is the overall size of it; 442MB for the point update, and 729MB for the ComboUpdate.
Well, the Server version of the Combo updater runs close to the whole GB. In other words, it would seem the patch is virtually overwriting the entire OS.
Wonder if the Vista patch is doing the same, overwriting with Windows 7? :D
The update for OSX is huge. What's the surprise? OSX has tons of bugs and problems to fix as well. Actually, that's a bigger minor update than I've ever seen on Windows. Makes you think.
Don't believe the Mac zealots or Apple marketing hype.
Yeah, the size of the update was a shock this morning, let me miss my usual train too. From what I've read http://www.macworld.com/article/140578/2009/05/1057update.html the update does a lot more than is actually said (big surprise with the size), even though most of those things aren't directly visible. What I have found is that my dashboard updates a lot faster than before, as I have two standard weather widgets open at all times I guess they really optimized the code there. Normally it would take at least 5-10 seconds to update the display after opening the dashboard, now it's almost instantaneous. Anyone else notice this too?
I'll bet that's why Linux users get so many viruses.
More than 60,000 Windows programs won't run on Linux.
Granted it is bigger than the ones you normally get. But it has been a rather long time since we got an update to the OS. Almost twice as long for this one and oddly enough it is about twice the size.
If something is so important that you feel the need to post it on the internet... It probably isn't that important.
So it's snappier?
The MS patch is going to be more serious for several reasons. One is the fact that people will actually exploit MS's holes with large automated botnets.
But the other reason is, while Apple may have patched Apache, BIND, the kitchen sink and my left sock, most of those ARE NOT enabled by default.
Using some super-rough numbers, let's suppose the OSX install base is 10%
Suppose even 5% have Apple or BIND, etc enabled. Heck, let's suppose 5% have EVERYTHING enabled....
and if 1 in 5 of those machines actually has a public IP or forwarded ports,
then you're taking something like 1 in 1000 computers, is a mac, with an exploitable version of bind/apache/whathaveyou with a public IP.
vs what? 3 out of 5 windows users that don't know how to tell if their machine is part of a botnet?
YES, the OSX patch and security updates are good, welcome improvements, but the sad reality is that windows 98/ME/2000/XP/Vista are all bigger targets and a bigger security threat right now.
Why is it that network providers are working their hardest to stop bittorrent, yet are perfectly willing to let the viruses, the botnets, the port scans, and untold mountains of spam propagate on their networks?
Apple's "everything bundled in the .app" policy may help avoid DLL hell, but this is the price you pay for it.
I am trolling
A bit of a logical fallacy there. Even if we assume that the switch to x86 was the trigger for more exploits (increased popularity of the OS being another possibility), it doesn't necessarily mean x86 is more vulnerable. The vast majority of exploits don't need to rely on processor specific characteristics after all.
What it means is that virus writers have limited time and experience. Ignoring trivial Trojans and the like that any script kiddie can bang out, an effective virus (e.g. worms) requires a lot of skill in the assembly language for the CPU, in order to write code that can fit in the available exploit "space". Writing worms for the Power PC architecture was a losing proposition since you didn't have a lot of targets. Now, if you have knowledge of x86 assembly, you can transfer your skills to Macs more easily.
Of course, porting programs to run in 64 bit mode *is* an effective security obstacle; one example is that since 64 bit addresses (in the current implementation) always contain nulls, buffer overruns are much harder to exploit. So yes, Power PC 64 bit is more secure, but if you wrote for an x86-64 target, you'd have roughly the same benefits.
$_ = "wftedskaebjgdpjgidbsmnjgcdwatb"; tr/a-z/oh, turtleneck Phrase Jar!/; print
All that switching from RISC/PPC to x86_xx should change is "endianness." I hear passing worries of Intel chip-level vulnerabilities, but to my (admittedly limited to hitting up Google just now) knowledge is that these never really end up in mainstream exploits. Maybe, because there are plenty of much more easily exploitable vulnerabilities already known.
Again, not a security researcher or a system arch. expert myself, but what I've heard from those researching OS X vs. Windows vulnerabilities, Address Space Layout Randomization (ASLR) would make it much harder to exploit vulnerabilities on the Apple end. This feature appears to be slated for the next point release ("Snow Leopard") of Mac OS X. Essentially, the exploiter must try much harder to "find" the code planted in the target box's memory, when the vulnerability was exploited, in order to execute it.
Another logical fallacy would be criticizing GP's post without looking at who the author of the post is.
In other words, woosh!
> let me miss my usual train too
The next Microsoft commercial: Apple makes you late for work.
My 10.5.7 update was significantly smaller than what's listed in the summary. It was about 290MB for my third generation MacBook Pro. Why is it so?
The SANS link makes some great points about Microsoft and responsible disclosure. After reading that, I think it's obvious what needs to be done. Quit helping Microsoft cover their rear when they're going to turn around and attempt to use it as a cudgel against their perceived competition.
If you're a security researcher, and you discover a flaw in a Microsoft product - stop buying into the flawed MS version of responsible disclosure. Notify Microsoft right away, certainly; but from now on also announce it to SANS and the other responsible security organizations at the same time. That way the affected users - ALL affected users - can take steps to mitigate their exposure.
#DeleteChrome
There's a gigantic conflict of interest here. By treating MacOS as a second-class citizen, they can hurt a competitor in the OS market. If MS can make people perceive Windows as the only first-class platform on which to run Office, it makes MS more likely to retain market share for Windows. MS's interests in this case are diametrically opposed to the interests of their users.
A similar situation applies to old versions of Windows. The California community college where I teach has a whole bunch of student computer labs with machines from about 2001, which all have Windows 2000 on them. MS's support for Win2k ends in July of 2010, and that means no more security patches. We could upgrade to XP, but although our machines do theoretically satisfy XP's hardware requirements, it's not clear whether they'd have acceptable performance with XP. Again, MS's interests are diametrically opposed to ours. They want to keep us on the upgrade treadmill. They're happy to let Win2k become a non-viable platform, so that we'll be forced to buy new hardware, which will come with Vista preinstalled. Except, uh, the California state budget crisis means that we can't afford to buy new hardware. Of course MS never promised us to support Win2k indefinitely, and our managers should have done a better job of planning ahead so that this wouldn't become a crisis. But it really does strike me that this is the kind of problem that would have never happened with Linux. I can run Ubuntu for as long as I want, and just keep upgrading to the latest version. Linux runs well on old hardware, so there's no upgrade treadmill. No big mystery why it's this way: it's because Linus Torvalds, Mark Shuttleworth, etc. don't have interests that conflict with the user's.
Find free books.
But it wasn't a bad analogy! There were no analogies at all! If I were responding to "LogicalFallacyGuy" I'd feel stupid, but as is, I feel justified.
Of course, if he's a frequent troll I hadn't picked up on before, mea culpa.
That reminds me of a joke
q: Is CmdrTaco gay?
a: He mos' certainly is!
Another logical fallacy would be criticizing GP's post without looking at who the author of the post is.
Nec hominem fallacy?
Your brain is not a computer.
If anything deserves a +1 Funny, it's unnecessary use of Latin for satiric purposes.
This localization does not just go down to the level of text strings but also images, icons and even the complete form layout can be different for each language offering a great deal of flexibility.
Jesus was a compassionate social conservative who called individuals to sin no more.
Can you please list other commercial OSes which are still supported after 10 years?
There are nearly 70 security flaws OS X is patching. The 14 for MS is prominently displayed...
http://www.informationweek.com/news/hardware/mac/showArticle.jhtml?articleID=217400595&subSection=Macintosh+Platform
Everyone knows how to hit an x86 in its vulnerables.
September 2011: Looking for Cocoa/iOS work in Boston area Cocoa Programmer Quincy, MA
Seriously, this has to be wrong. Every Mac ever sold has ZERO security risks and ZERO stability issues.
They've released (long overdue) patches for Acrobat and Acrobat Reader today...
np: Moderat - Porc#1 (Moderat)
"I'm not anti-anything, I'm anti-everything, it fits better." - Sole
This speed boost that you are referring to is of course one of the best things about apple updates.
You call it faster, we (the hive mind of apple fandom) call it "SNAPPIER".
Seems that Dashboard is the recipient of some of Apples secret snappy sauce (ASSS) this time.
music lover since 1969
Clearly your post demonstrates that you don't understand the subject well, but it doesn't *seem* like you're Trolling. Perhaps in context... hrm... over half of your recent posts were up-modded, so you don't appear to be a well known Troll. MODS! Get a grip. Security issues are complex. Obviously you mods don't know the subject any better. Meta moderation will punish you.
Mac OS X has had potential buffer overflow exploits, corrected in security updates and OS updates, Since the Earth Cooled (TM). Apple might be taking them a little more seriously, or they might be receiving more attention from others, now that the assembly language required to exploit them is understood by all the crax0rs, instead of merely 20% of them. Apple isn't suddenly experiencing the same type of security problems. Some defects exist (you typically learn of them when a patch becomes available) but have not yet been exploited by worms and viruses. The relative seriousness and amount of defects between the platforms is a matter of some debate.
Moreover, some of the mechanisms used to propagate malware on Windows rely on tricking the user (social engineering) into installing the malware. Those techniques, independent of exploitable defects, are certainly possible to apply to the Mac. Apparently a few attempts have been made (such as trojans planted in cracked pirate warez recently). Widespread damage hasn't yet resulted, but isn't out of the question.
To p0wn a million Macs, one need only trick about 3% of Mac users into installing your malware. I've seen a couple clever Windows email viruses which tricked from 1/3 to 1/2 of the users who got the email within the first hour, infecting over 1% of an enterprise network, before the alerts went out and antivirus definitions were updated. I think the success of some of these tricks on Windows indicates pretty clearly that a malware outbreak on the Mac on the scale of a million victims or more is certainly possible, even without finding a defect and engineering the exploit. An email based scam, seeded with a list of known Mac users might do the trick. The Bad Guys (TM) could easily generate such a list by reading the emails on the millions of infected Windows computers, and snarfing the addresses out of received emails which came from known Mac email clients.
Of course, even those malware which relied primarily on social engineering, also rely on their ability to masquerade as a spreadsheet when they are really an exe, in the most popular Windows email clients, so it might be quite a bit harder to exploit social engineering on the Mac. It's hard to say, and I haven't seen any evidence that it's been tried yet.
If it does happen, the Mac community is not really prepared for it. AntiVirus software doesn't appear to be in use by most Mac users. There isn't a legion of companies rushing cleanup tools out the door every day. Mac users are not in the habit of looking for such regardless.
If you mod me down, I shall become more powerful than you could possibly imagine.
I just downloaded the patch. It's 286MB. Which is still a lot but it's not 729MB.
Some drink at the fountain of knowledge. Others just gargle.
Is BadAnalogyGuy a well known troll, then? Why so many funny, insightful and other positive mod points raining down on him, then? Oh, this is Slashdot.
More vulnerabilities and more exploits aren't quite the same thing though.
Liberte, Egalite, Fraternite (TM)
Apple packages their OS updates based on the delta from the starting position of the users applying it, and whether the platform of the update is known at download time. Updates which include both PowerPC and Intel, and which span more than the most recent OS update tend to be quite large. However, for users this can be quite convenient. Your claim that one can learn something from the security of the platform from the size of an update is bogus, particularly as you don't cite any relevant evidence or provide a chain of argument supporting your claim.
Actually, that change was brought up in the patch release notes.
> Improves the reliability and accuracy of Unit Converter, Stocks, Weather and Movies Dashboard widgets.
Beware: In C++, your friends can see your privates!
The first load after a login isn't faster, but subsequent loads of Dashboard are really quite zippy.
It has come to my attention that the entire Linux community is a hotbed of so called 'alternative sexuality'...
Should... should we mark this as funny?
Internet scofflaw
So MS even gets bashed when they fix security problems. Amazing!
There is already some level of ASLR enabled for some libraries on OSX. OpenBSD has it already. Vista and Server 2008 have it. Even Linux has it to some extent.
Delta updates contain both PPC and Intel code for all changes since the last point release (10.5.6). Combo updates contain all updated code for both platforms since 10.5 was released in 2007. This is why the standalone installers are so huge.
If you install via Software Update, the update will only be delta code for your processor platform - much smaller.
MS does similar with Windows Update/Microsoft Update, which is one of the reasons it takes a longer time to process. In most cases, you can download a version of the update for admins which will be the equivalent of a combo update on Apple, but for only the x86 family.
Apple updaters will shrink with Snow Leopard - Snow Leopard is Intel-only.
-- Josh Turiel
"2. Do not eat iPod Shuffle."
This reminds me of version 17 of the SPSS statistics package. They released SPSS Statistics version 17 and then later released a point update (17.0.2) that completely renamed the software to PASW Statistics 17. Not only that, but the point update file was as large as the original program CD! You could actually just install the point update without even first installing the main version 17 in some cases. Where do these program managers come from??
I have a display that uses 1920x1200 as its native resolution. After upgrading to 10.5.7, the highest possible resolution was reduced to 1920x1080. Needless to say, this doesn't look particularly good. See here for details.
Follow your Euro bills at EBT
> AntiVirus software doesn't appear to be in use by most Mac users.
It is a chicken and egg problem. Most Mac users don't use anti-virus software because there are no known OS X viruses and few known trojans, and because anti-virus software for the Mac has a history of being really bad: i.e. making your Mac slow and unstable while not actually catching any infections. And anti-virus software for the Mac is lousy because so few people use it (i.e. the market is tiny).
No, the SPEED was improved, not accuracy and reliability. Also, was the converter inaccurate before, like 2m=201cm? Because that would suck. How can you make a converter more accurate?
Wealth is the gift that keeps on giving.
float->double->long doubles->infinite precision decimals
Take the current type, up it to the next, and you can make ever more precise calculation conversions. If the storage type is too small, converting, say, a million miles to micrometers is going to come out wrong.
I am the original Anon you're quoting, anyways, I wasn't trying to troll with that line.
> vs what? 3 out of 5 windows users that don't know how to tell if their machine is part of a botnet?
My point is, comparing exploits runnable on non-default OSX installs (user has turned on apache, etc) vs exploits against just about any copy of windows out there, isn't a terribly fair comparison.
Now if you want to compare idiot mac users that are stupid enough to download the malware, type in their password, etc... to the idiot windows users that do the same.... Then I agree! That group of users are ALL clueless.... mac, pc, or linux that someone else set up for them.
In the same regards, how do you protect against that? How do you stop someone from picking up the handgun, loading it, removing the safety, putting it up to their head and shooting it? If they've gone that far, they deserve to be pwnd.
The ICMPv6 Packet too big issue in MacOS X is really bad news.
First, ICMPv6 packet too big is normally allowed in any firewalls from any host so that pMTU discovery can work.
Secondly, without being an expert on the MacOS platform I guess that the ICMPv6 handler runs in "kernel mode". A buffer overflow will potentially give you root privileges.
More info available at: www.ipv4depletion.com
If you have a web or mail server on the internet that has IPv6 enabled and runs MacOS X, you are in big trouble.... Patch now.
> float->double->long doubles->infinite precision decimals
> Take the current type, up it to the next, and you can make ever more precise calculation conversions. If the storage type is too small, converting, say, a million miles to micrometers is going to come out wrong.
How wrong? Wrong enough to justify an update to an app that's used for casual conversions and not for designing the next space shuttle.
What I want to convey is that the conversions couldn't have been so unacceptably wrong that any more accuracy was required.
I'm upgrading from 10.5.6
Fucking lol. Nicely done.
What's the big deal? Apple has simply decided the optimum resolution for you, and if Apple says it so, who are you to argue against it?
Stop whining already! Join the chorus of Apple whoreshipers now.
Must be the /. effect
"We live in a global world" - Harvey Pitt, former Securities and Exchange Commission Chairman
> Why is it that network providers are working their hardest to stop bittorrent, yet are perfectly willing to let the viruses, the botnets, the port scans, and untold mountains of spam propagate on their networks.
This is my new sig !!!!!! Best line ever...
Part of the problem with the "exe as a spreadsheet" virus path on a Mac is that when running such things OSX will pop up a warning stating "you have downloaded this application from this source using this application on this date, are you sure you want to run this program?". That right there will cause many to pause to say "wait, I thought that was a spreadsheet, why is this saying it's a program?"...
That is why the Trojans so far have all been hidden in things that require you to run and install anyway (iWork 09 install image, and a video codec, haven't heard of others).
If I heard correctly, Windows is now doing this (either in Vista or 7) so that will help bring down the number of windows exploits... somewhat...
DEMETRIUS: Villain, what hast thou done?
AARON: Villain, I have done thy mother.
Shakespeare invents 'your mom'
I believe ASLR is already in the Mac OS, the 10.5.x Leopard version introduced it. They call it library randomization.
I'm going to commit an act of slashdot heresy now (aka "I'm going to get modded down for this, but I have karma to burn").
But my parent's saying "for profit business" got me thinking.
I don't object to profit; people want material wealth (among other things), and the free market idea of giving it to people who also give it to others has some merit.
But there's a difference between "profitably meeting your customers' needs" and "profiting by exploiting your customers' needs".
I haven't done the numbers; I don't know how much it would cost Microsoft to continue supporting Windows 2000. But I can't help wonder whether they could implement some pricing structure (i.e. charge for security fixes) that would let them continue supporting Windows 2000. If they could, should they?
Going off on a tangent: if ISPs can profit more by limiting service instead of building more capacity, is that really what we want? Even if I hold stock in all the ISPs, all that my money buys me is crappy Internet.
And let's say you can make a factory produce 2% more widgets by stressing out your employees a little more. Say every workplace does this. We're a little richer, materially, at the expense of our well-being. Is that really what we want?
(Is this the longest explanation of a "market failure" you've ever seen?)
Concur - "shielded from complexity" comes to mind. Back when I did that sort of thing, I might get detailed complaints from PC users - but all I ever heard from Apple users was "It is slow." or "It won't work.".
Not to mention, I didn't see my first virus on Windows...it was nVir, on the Mac - which is one of the reasons I always laugh when anybody says things like "inherently more secure".
Orwell: "In a Time of Universal Deceit, telling the Truth is a Revolutionary Act"
I've never heard of Apple using something like bspatch. The combo update is so big because it will work on machines with 10.5.0 installed. It contains everything that has changed from that version to 10.5.7. The incremental updates take you from 10.5.6 to 10.5.7 which is why they are smaller. If you look at the packages it's actually whole applications that are replaced not diffs to the binaries. Also all updates now contain universal binaries meaning they have x86 and PPC code in one binary file.