Apple and Microsoft Release Critical Patches
SkiifGeek writes "Both Microsoft and Apple have released major security updates in the last 24 hours. Microsoft's single update (MS09-017) addresses fourteen distinct vulnerabilities across all supported versions of PowerPoint, but it isn't the number of patched vulnerabilities that is causing trouble. Instead, the decision to release the patch for Windows versions while OS X and Works versions remain vulnerable to the same remote code execution risks (including one that is currently being exploited) hasn't gone down well with some people. Microsoft have given various reasons why this is the case, but this mega-update-in-a-patch is still interesting for other reasons. Meanwhile, Apple has updated OS X 10.5 to 10.5.7 as part of the 2009-002 Security Update, as well as a cumulative update for Safari 3 and the Public Beta for 4. As well as addressing numerous significant security risks, the 10.5.7 update provides a number of stability and capability enhancements and incorporates the Safari 3 update patch. Probably the most surprising element of the Apple update is the overall size of it; 442MB for the point update, and 729MB for the ComboUpdate."
vs what? 3 out of 5 Windows users that don't know how to tell if their machine is part of a botnet?
Nice troll. I wonder how many of the Apple users can tell?
Actually, I don't. My experience (which is 2 decades in the field) is the Apple users are just as clueless as to the operation of their computer as PC users.
Being 0wn3d has nothing to do with the platform, it's about the behavior/knowledge/understanding of the user.
Clearly your post demonstrates that you don't understand the subject well, but it doesn't *seem* like you're Trolling. Perhaps in context... hrm... over half of your recent posts were up-modded, so you don't appear to be a well known Troll. MODS! Get a grip. Security issues are complex. Obviously you mods don't know the subject any better. Meta moderation will punish you.
Mac OS X has had potential buffer overflow exploits, corrected in security updates and OS updates, Since the Earth Cooled (TM). Apple might be taking them a little more seriously, or they might be receiving more attention from others, now that the assembly language required to exploit them is understood by all the crax0rs, instead of merely 20% of them. Apple isn't suddenly experiencing the same type of security problems. Some defects exist (you typically learn of them when a patch becomes available) but have not yet been exploited by worms and viruses. The relative seriousness and number of defects between the platforms is a matter of some debate.
Moreover, some of the mechanisms used to propagate malware on Windows rely on tricking the user (social engineering) into installing the malware. Those techniques, independent of exploitable defects, are certainly possible to apply to the Mac. Apparently a few attempts have been made (such as trojans planted in cracked pirate warez recently). Widespread damage hasn't yet resulted, but isn't out of the question.
To p0wn a million Macs, one need only trick about 3% of Mac users into installing your malware. I've seen a couple of clever Windows email viruses which tricked from 1/3 to 1/2 of the users who got the email within the first hour, infecting over 1% of an enterprise network, before the alerts went out and antivirus definitions were updated. I think the success of some of these tricks on Windows indicates pretty clearly that a malware outbreak on the Mac on the scale of a million victims or more is certainly possible, even without finding a defect and engineering the exploit. An email-based scam, seeded with a list of known Mac users, might do the trick. The Bad Guys (TM) could easily generate such a list by reading the emails on the millions of infected Windows computers, and snarfing the addresses out of received emails which came from known Mac email clients.
Of course, even those malware which relied primarily on social engineering also rely on their ability to masquerade as a spreadsheet when they are really an exe, in the most popular Windows email clients, so it might be quite a bit harder to exploit social engineering on the Mac. It's hard to say, and I haven't seen any evidence that it's been tried yet.
If it does happen, the Mac community is not really prepared for it. Antivirus software doesn't appear to be in use by most Mac users. There isn't a legion of companies rushing cleanup tools out the door every day. Mac users are not in the habit of looking for such regardless.
If you mod me down, I shall become more powerful than you could possibly imagine.