Slashdot Mirror


Apple and Microsoft Release Critical Patches

SkiifGeek writes "Both Microsoft and Apple have released major security updates in the last 24 hours. Microsoft's single update (MS09-017) addresses fourteen distinct vulnerabilities across all supported versions of PowerPoint, but it isn't the number of patched vulnerabilities that is causing trouble. Instead, the decision to release the patch for Windows versions while OS X and Works versions remain vulnerable to the same remote code execution risks (including one that is currently being exploited) hasn't gone down well with some people. Microsoft have given various reasons why this is the case, but this mega-update-in-a-patch is still interesting for other reasons. Meanwhile, Apple has updated OS X 10.5 to 10.5.7 as part of the 2009-002 Security Update, as well as a cumulative update for Safari 3 and the Public Beta for 4. As well as addressing numerous significant security risks, the 10.5.7 update provides a number of stability and capability enhancements and incorporates the Safari 3 update patch. Probably the most surprising element of the Apple update is the overall size of it; 442MB for the point update, and 729MB for the ComboUpdate."

17 of 194 comments

  1. Re:Software vulnerabilities by TW+Atwater · · Score: 1, Insightful
    "It's easy to point fingers at Microsoft for a faulty OS, but with Apple also suddenly suffering from the same type of security problems, I have to wonder if it isn't related to the choice of application processor."

    I'll bet that's why Linux users get so many viruses.

    --
    More than 60,000 Windows programs won't run on Linux.
  2. What is so surprising about a 400mb update? by jellomizer · · Score: 2, Insightful

    Granted, it is bigger than the ones you normally get. But it has been a rather long time since we got an update to the OS. Almost twice as long for this one, and oddly enough it is about twice the size.

    --
    If something is so important that you feel the need to post it on the internet... It probably isn't that important.
    1. Re:What is so surprising about a 400mb update? by Jugalator · · Score: 2, Insightful

      Yes, I don't think it's a big deal. The odd part is that Slashdot calls both "critical patches", as if these are mostly security related.

      Well, for MS, it was, but for OS X, we just received what is comparable to a service pack upgrade. Of course it'll be big, and it's in line with what I think one can expect these days.

      --
      Beware: In C++, your friends can see your privates!
  3. I agree, (And have reasons) by Anonymous Coward · · Score: 4, Insightful

    The MS patch is going to be more serious for several reasons. One is the fact that people will actually exploit MS's holes with large automated botnets.

    But the other reason, is while Apple may have patched Apache, BIND, the kitchen sink and my left sock, most of those ARE NOT enabled by default.

    Using some super-rough numbers, let's suppose the OS X install base is 10%.
    Suppose even 5% have Apache or BIND, etc. enabled. Heck, let's suppose 5% have EVERYTHING enabled....

    and if 1 in 5 of those machines actually has a public IP or forwarded ports,

    then you're talking about something like 1 in 1000 computers being a Mac with an exploitable version of bind/apache/whathaveyou and a public IP.

    vs what? 3 out of 5 windows users that don't know how to tell if their machine is part of a botnet?

    YES, the OSX patch and security updates are good, welcome improvements, but the sad reality is that windows 98/ME/2000/XP/Vista are all bigger targets and a bigger security threat right now.

    Why is it that network providers are working their hardest to stop bittorrent, yet are perfectly willing to let the viruses, the botnets, the port scans, and untold mountains of spam propagate on their networks?

    1. Re:I agree, (And have reasons) by inject_hotmail.com · · Score: 5, Insightful

      vs what? 3 out of 5 windows users that don't know how to tell if their machine is part of a botnet?

      Nice troll. I wonder how many of the Apple users can tell?

      Actually, I don't. My experience (which is 2 decades in the field) is that Apple users are just as clueless as to the operation of their computer as PC users.

      Being 0wn3d has nothing to do with the platform, it's about the behavior/knowledge/understanding of the user.

    2. Re:I agree, (And have reasons) by tsa · · Score: 4, Insightful

      You also didn't pay much attention. The parent was talking about the ability of the users of certain operating systems to recognize the fact that their computer was part of a botnet. That has nothing to do with the security of the OS.

      --
      -- Cheers!

  4. Re:Software vulnerabilities by ohcrapitssteve · · Score: 4, Insightful

    All that switching from RISC/PPC to x86_xx should change is "endianness." I hear passing worries of Intel chip-level vulnerabilities, but to my (admittedly limited to hitting up Google just now) knowledge these never really end up in mainstream exploits. Maybe because there are plenty of much more easily exploitable vulnerabilities already known.

    Again, I'm not a security researcher or a system architecture expert myself, but from what I've heard from those researching OS X vs. Windows vulnerabilities, Address Space Layout Randomization (ASLR) would make it much harder to exploit vulnerabilities on the Apple end. This feature appears to be slated for the next point release ("Snow Leopard") of Mac OS X. Essentially, the exploiter must try much harder to "find" the code planted in the target box's memory when the vulnerability was exploited, in order to execute it.

  5. Solution seems straightforward enough by 93+Escort+Wagon · · Score: 4, Insightful

    The SANS link makes some great points about Microsoft and responsible disclosure. After reading that, I think it's obvious what needs to be done. Quit helping Microsoft cover their rear when they're going to turn around and attempt to use it as a cudgel against their perceived competition.

    If you're a security researcher, and you discover a flaw in a Microsoft product - stop buying into the flawed MS version of responsible disclosure. Notify Microsoft right away, certainly; but from now on also announce it to SANS and the other responsible security organizations at the same time. That way the affected users - ALL affected users - can take steps to mitigate their exposure.

    --
    #DeleteChrome
  6. obvious conflict of interest by bcrowell · · Score: 4, Insightful

    There's a gigantic conflict of interest here. By treating MacOS as a second-class citizen, they can hurt a competitor in the OS market. If MS can make people perceive Windows as the only first-class platform on which to run Office, it makes MS more likely to retain market share for Windows. MS's interests in this case are diametrically opposed to the interests of their users.

    A similar situation applies to old versions of Windows. The California community college where I teach has a whole bunch of student computer labs with machines from about 2001, which all have Windows 2000 on them. MS's support for Win2k ends in July of 2010, and that means no more security patches. We could upgrade to XP, but although our machines do theoretically satisfy XP's hardware requirements, it's not clear whether they'd have acceptable performance with XP. Again, MS's interests are diametrically opposed to ours. They want to keep us on the upgrade treadmill. They're happy to let Win2k become a non-viable platform, so that we'll be forced to buy new hardware, which will come with Vista preinstalled. Except, uh, the California state budget crisis means that we can't afford to buy new hardware. Of course MS never promised to support Win2k indefinitely, and our managers should have done a better job of planning ahead so that this wouldn't become a crisis. But it really does strike me that this is the kind of problem that would have never happened with Linux. I can run Ubuntu for as long as I want, and just keep upgrading to the latest version. Linux runs well on old hardware, so there's no upgrade treadmill. No big mystery why it's this way: it's because Linus Torvalds, Mark Shuttleworth, etc. don't have interests that conflict with the user's.

    1. Re:obvious conflict of interest by Anonymous Coward · · Score: 4, Insightful

      That is the longest explanation of a "for profit business" that I've ever seen.

  7. Re:Software vulnerabilities by ShadowRangerRIT · · Score: 3, Insightful

    If anything deserves a +1 Funny, it's unnecessary use of Latin for satiric purposes.

    --
    $_ = "wftedskaebjgdpjgidbsmnjgcdwatb"; tr/a-z/oh, turtleneck Phrase Jar!/; print
  8. security is complex (MODS: get a grip) by Gary+W.+Longsine · · Score: 5, Insightful

    Clearly your post demonstrates that you don't understand the subject well, but it doesn't *seem* like you're Trolling. Perhaps in context... hrm... over half of your recent posts were up-modded, so you don't appear to be a well known Troll. MODS! Get a grip. Security issues are complex. Obviously you mods don't know the subject any better. Meta moderation will punish you.

    Mac OS X has had potential buffer overflow exploits, corrected in security updates and OS updates, Since the Earth Cooled (TM). Apple might be taking them a little more seriously, or they might be receiving more attention from others, now that the assembly language required to exploit them is understood by all the crax0rs, instead of merely 20% of them. Apple isn't suddenly experiencing the same type of security problems. Some defects exist (you typically learn of them when a patch becomes available) but have not yet been exploited by worms and viruses. The relative seriousness and number of defects between the platforms is a matter of some debate.

    Moreover, some of the mechanisms used to propagate malware on Windows rely on tricking the user (social engineering) into installing the malware. Those techniques, independent of exploitable defects, are certainly possible to apply to the Mac. Apparently a few attempts have been made (such as trojans planted in cracked pirate warez recently). Widespread damage hasn't yet resulted, but isn't out of the question.

    To p0wn a million Macs, one need only trick about 3% of Mac users into installing your malware. I've seen a couple of clever Windows email viruses which tricked from 1/3 to 1/2 of the users who got the email within the first hour, infecting over 1% of an enterprise network, before the alerts went out and antivirus definitions were updated. I think the success of some of these tricks on Windows indicates pretty clearly that a malware outbreak on the Mac on the scale of a million victims or more is certainly possible, even without finding a defect and engineering the exploit. An email based scam, seeded with a list of known Mac users, might do the trick. The Bad Guys (TM) could easily generate such a list by reading the emails on the millions of infected Windows computers, and snarfing the addresses out of received emails which came from known Mac email clients.

    Of course, even the malware that relied primarily on social engineering also relied on its ability to masquerade as a spreadsheet when it was really an exe, in the most popular Windows email clients, so it might be quite a bit harder to exploit social engineering on the Mac. It's hard to say, and I haven't seen any evidence that it's been tried yet.

    If it does happen, the Mac community is not really prepared for it. AntiVirus software doesn't appear to be in use by most Mac users. There isn't a legion of companies rushing cleanup tools out the door every day. Mac users are not in the habit of looking for such regardless.

    --
    If you mod me down, I shall become more powerful than you could possibly imagine.
  9. Re:Apple, Microsoft and Ninnle Labs by Myrimos · · Score: 3, Insightful

    It has come to my attention that the entire Linux community is a hotbed of so called 'alternative sexuality'...

    Should... should we mark this as funny?

    --
    Internet scofflaw
  10. Re:security is complex (MODS: get a grip) by Anonymous Coward · · Score: 1, Insightful

    AntiVirus software doesn't appear to be in use by most Mac users.

    It is a chicken and egg problem. Most Mac users don't use anti-virus software because there are no known OS X viruses and few known trojans, and because anti-virus software for the Mac has a history of being really bad: i.e. making your Mac slow and unstable while not actually catching any infections. And anti-virus software for the Mac is lousy because so few people use it (i.e. the market is tiny).

  11. Re:Apple is Bad Too by Achromatic1978 · · Score: 2, Insightful

    That is being bundled with fixes and enhancements to their own software like "iCal: Improves overall reliability with CalDav." The MS update is all labeled "Vulnerability to . . ."

    Drunk the kool-aid much? Hint: "improves overall reliability" != enhancement; = BUG fix. What made the software unreliable? It contains fixes and fixes, not "fixes and enhancements". A new feature is an enhancement. No longer crashing / acting in an unspecified manner is not an enhancement.

    Let's not get too carried away. It's 10.5.7, not 10.6.

  12. Re:Size of updates of OS X by LanMan04 · · Score: 2, Insightful

    ahem

    bandwidth caps

    --
    With the first link, the chain is forged.
  13. The limits of capitalism (and GDP as a measure) by jonaskoelker · · Score: 2, Insightful

    I'm going to commit an act of slashdot heresy now (aka "I'm going to get modded down for this, but I have karma to burn").

    But my parent's saying "for profit business" got me thinking.

    I don't object to profit; people want material wealth (among other things), and the free market idea of giving it to people who also give it to others has some merit.

    But there's a difference between "profitably meeting your customers' needs" and "profiting by exploiting your customers' needs".

    I haven't done the numbers; I don't know how much it would cost Microsoft to continue supporting Windows 2000. But I can't help wondering whether they could implement some pricing structure (i.e. charge for security fixes) that would let them continue supporting Windows 2000. If they could, should they?

    Going off on a tangent: if ISPs can profit more by limiting service instead of building more capacity, is that really what we want? Even if I hold stock in all the ISPs, all that my money buys me is crappy Internet.

    And let's say you can make a factory produce 2% more widgets by stressing out your employees a little more. Say every workplace does this. We're a little richer, materially, at the expense of our well-being. Is that really what we want?

    (Is this the longest explanation of a "market failure" you've ever seen?)