Slashdot Mirror

← Back to Stories (view on slashdot.org)

Apple and Microsoft Release Critical Patches

Posted by Soulskill on from the that-time-of-the-month dept.

SkiifGeek writes "Both Microsoft and Apple have released major security updates in the last 24 hours. Microsoft's single update (MS09-017) addresses fourteen distinct vulnerabilities across all supported versions of PowerPoint, but it isn't the number of patched vulnerabilities that is causing trouble. Instead, the decision to release the patch for Windows versions while OS X and Works versions remain vulnerable to the same remote code execution risks (including one that is currently being exploited) hasn't gone down well with some people. Microsoft have given various reasons why this is the case, but this mega-update-in-a-patch is still interesting for other reasons. Meanwhile, Apple has updated OS X 10.5 to 10.5.7 as part of the 2009-002 Security Update, as well as a cumulative update for Safari 3 and the Public Beta for 4. As well as addressing numerous significant security risks, the 10.5.7 update provides a number of stability and capability enhancements and incorporates the Safari 3 update patch. Probably the most surprising element of the Apple update is the overall size of it; 442MB for the point update, and 729MB for the ComboUpdate."

7 of 194 comments (clear)

  1. orly? by gardyloo · · Score: 5, Interesting

    [...] but this mega-update-in-a-patch is still interesting for other reasons.

    Why not just say what those reasons are? I'd like to know, because I followed the link which suggests it'll tell me what the reasons are, and it's---so far as I can tell---only interesting because it contains so little detail. Please be careful with futzing about with infinite regress like that. Eventually you're going to divide by zero, and then we're all fucked.

    1. Re:orly? by ShadowRangerRIT · · Score: 5, Interesting
      I suspect there were two reasons for the delay in a Mac patch (I base this on previous experience as an MS programmer):
      1. Macs in general have a slightly lower priority for development, and less developers. Note the release years; each version of Office for the Mac is released a year behind the Windows equivalent. If they held off until the Mac team was ready to release, they'd leave Windows vulnerable longer.
      2. Pre-Vista versions of Windows are more vulnerable to the exploits than a Mac is. Both Macs and Vista don't grant programs admin privileges by default, so the damage is limited. On XP and earlier OSes, the exploits could root the system on a default home user installation. So leaving Windows vulnerable longer would mean disproportionate damage to pre-Vista Windows users.

      Of course, there may be a small bit of reason 3: "Windows customers are more important" in there, but it's a justifiable decision on points 1 and 2 alone.

      --
      $_ = "wftedskaebjgdpjgidbsmnjgcdwatb"; tr/a-z/oh, turtleneck Phrase Jar!/; print
    2. Re:orly? by mcmaddog · · Score: 3, Interesting

      Yes, they do add features in between, but the development work for each Windows version is reused by the Mac team.

      I was under the impression that the last (and first) time MS used the same code base for both Mac and Windows versions of MS Word was Word 6.0. However, because of the massive outcry by the Mac users because Word 6 did not feel like a Mac application and decided to keep using Word 5.x Microsoft created the Macintosh Business Unit for developing future versions. Also, new features are often introduced in the Mac versions first, like self healing in Office 98, because the risks of pissing off a large user base are reduced, and then they later show up in the next version for Windows.

  2. Re:Software vulnerabilities by ShadowRangerRIT · · Score: 5, Interesting

    A bit of a logical fallacy there. Even if we assume that the switch to x86 was the trigger for more exploits (increased popularity of the OS being another possibility), it doesn't necessarily mean x86 is more vulnerable. The vast majority of exploits don't need to rely on processor specific characteristics after all.

    What it means is that virus writers have limited time and experience. Ignoring trivial Trojans and the like that any script kiddie can bang out, an effective virus (e.g. worms) requires a lot of skill in the assembly language for the CPU, in order to write code that can fit in the available exploit "space". Writing worms for the Power PC architecture was a losing proposition since you didn't have a lot of targets. Now, if you have knowledge of x86 assembly, you can transfer your skills to Macs more easily.

    Of course, porting programs to run in 64 bit mode *is* an effective security obstacle; one example is that since 64 bit addresses (in the current implementation) always contain nulls, buffer overruns are much harder to exploit. So yes, Power PC 64 bit is more secure, but if you wrote for an x86-64 target, you'd have roughly the same benefits.

    --
    $_ = "wftedskaebjgdpjgidbsmnjgcdwatb"; tr/a-z/oh, turtleneck Phrase Jar!/; print
  3. Re:I agree, (And have reasons) by ivucica · · Score: 3, Interesting

    Simple. Botnets don't generate all that great loads of upload traffic like BitTorrent does. Sure, the outgoing mails is irritating, but it's not exactly completely continuous and it's not exactly of such concentrated volume.

  4. Re:Solution seems straightforward enough by UnknowingFool · · Score: 5, Interesting

    Also don't trust MS reports on their own security. They deliberately fudge numbers to make their OS look good by redefining metrics. For example, MS says that they actually patch faster than RedHat, Apple, or SuSE. Of course what MS doesn't tell you is that they define "time to patch" as the time between when they publicly disclose a bug and when they patch it. Linux and some parts of Apple systems (the parts based on open source) define "time to patch" as the time between when a bug is verified and when it is patched. Recently MS patched a bug that has been lingering for 7 years. The "time to patch" for this bug was one month according to MS since it was released in Nov. 2008 and fixed in Dec. 2008.

    Now before anyone starts linking the 25 year old bug in BSD realize that the situations were different. That bug required conditions that didn't exist until present day conditions: Namely if you are using Samba on BSD and your directory has more than up to 250,000 items. As such the BSD bug has been present for 25 years, but could be not triggered much less verified until recent years. The 7 year old MS bug was verified and has been present on all Windows versions since that time.

    --
    Well, there's spam egg sausage and spam, that's not got much spam in it.
  5. Re:10 years by Anonymous+Psychopath · · Score: 3, Interesting

    Can you please list other commercial OS'es which are still supported after 10 years?

    No, I can't. I didn't intend to imply that MS was worse than other proprietary OS vendors. I just meant that proprietary OS vendors were worse than open-source OS vendors.

    Do you believe you could purchase a support contract for a 10-year-old distribution of Linux today? I don't mean a guy with a pony tail and beard who will help you out and charges by the hour, I mean a support contract from a stable provider with multiple levels of escalation, 24x7 call center, etc.

    I think you're comparing apples and oranges. It's no problem to purchase a support contract for any current and popular Linux distribution because upgrades are free (as in beer). If Microsoft upgrades were also free (as in beer) you'd have no problem obtaining support for the current version of software from them either.

    I don't mean to imply that you should be running a MS OS instead of Ubuntu, or vice-versa. Pick whatever tool suites your requirements. I think that your analysis of the reasons for doing one or the other appears to be flawed, though.

    --

    Eagles may soar, but weasels don't get sucked into jet engines.