Slashdot Mirror


Apple and Microsoft Release Critical Patches

SkiifGeek writes "Both Microsoft and Apple have released major security updates in the last 24 hours. Microsoft's single update (MS09-017) addresses fourteen distinct vulnerabilities across all supported versions of PowerPoint, but it isn't the number of patched vulnerabilities that is causing trouble. Instead, the decision to release the patch for Windows versions while OS X and Works versions remain vulnerable to the same remote code execution risks (including one that is currently being exploited) hasn't gone down well with some people. Microsoft have given various reasons why this is the case, but this mega-update-in-a-patch is still interesting for other reasons. Meanwhile, Apple has updated OS X 10.5 to 10.5.7 as part of the 2009-002 Security Update, as well as a cumulative update for Safari 3 and the Public Beta for 4. As well as addressing numerous significant security risks, the 10.5.7 update provides a number of stability and capability enhancements and incorporates the Safari 3 update patch. Probably the most surprising element of the Apple update is the overall size of it; 442MB for the point update, and 729MB for the ComboUpdate."

4 of 194 comments

  1. orly? by gardyloo · Score: 5, Interesting

    [...] but this mega-update-in-a-patch is still interesting for other reasons.

    Why not just say what those reasons are? I'd like to know, because I followed the link which suggests it'll tell me what the reasons are, and it's---so far as I can tell---only interesting because it contains so little detail. Please be careful with futzing about with infinite regress like that. Eventually you're going to divide by zero, and then we're all fucked.

    1. Re:orly? by ShadowRangerRIT · Score: 5, Interesting
      I suspect there were two reasons for the delay in a Mac patch (I base this on previous experience as an MS programmer):
      1. Macs in general have a slightly lower priority for development, and fewer developers. Note the release years; each version of Office for the Mac is released a year behind the Windows equivalent. If they held off until the Mac team was ready to release, they'd leave Windows vulnerable longer.
      2. Pre-Vista versions of Windows are more vulnerable to the exploits than a Mac is. Both Macs and Vista don't grant programs admin privileges by default, so the damage is limited. On XP and earlier OSes, the exploits could root the system on a default home user installation. So leaving Windows vulnerable longer would mean disproportionate damage to pre-Vista Windows users.

      Of course, there may be a small bit of reason 3: "Windows customers are more important" in there, but it's a justifiable decision on points 1 and 2 alone.

      --
      $_ = "wftedskaebjgdpjgidbsmnjgcdwatb"; tr/a-z/oh, turtleneck Phrase Jar!/; print
  2. Re:Software vulnerabilities by ShadowRangerRIT · Score: 5, Interesting

    A bit of a logical fallacy there. Even if we assume that the switch to x86 was the trigger for more exploits (increased popularity of the OS being another possibility), it doesn't necessarily mean x86 is more vulnerable. The vast majority of exploits don't need to rely on processor-specific characteristics, after all.

    What it means is that virus writers have limited time and experience. Ignoring trivial Trojans and the like that any script kiddie can bang out, an effective virus (e.g. worms) requires a lot of skill in the assembly language for the CPU, in order to write code that can fit in the available exploit "space". Writing worms for the Power PC architecture was a losing proposition since you didn't have a lot of targets. Now, if you have knowledge of x86 assembly, you can transfer your skills to Macs more easily.

    Of course, porting programs to run in 64-bit mode *is* an effective security obstacle; one example is that since 64-bit addresses (in the current implementation) always contain nulls, buffer overruns are much harder to exploit. So yes, Power PC 64-bit is more secure, but if you wrote for an x86-64 target, you'd have roughly the same benefits.

    --
    $_ = "wftedskaebjgdpjgidbsmnjgcdwatb"; tr/a-z/oh, turtleneck Phrase Jar!/; print
  3. Re:Solution seems straightforward enough by UnknowingFool · Score: 5, Interesting

    Also don't trust MS reports on their own security. They deliberately fudge numbers to make their OS look good by redefining metrics. For example, MS says that they actually patch faster than RedHat, Apple, or SuSE. Of course what MS doesn't tell you is that they define "time to patch" as the time between when they publicly disclose a bug and when they patch it. Linux and some parts of Apple systems (the parts based on open source) define "time to patch" as the time between when a bug is verified and when it is patched. Recently MS patched a bug that has been lingering for 7 years. The "time to patch" for this bug was one month according to MS since it was released in Nov. 2008 and fixed in Dec. 2008.

    Now, before anyone starts linking the 25-year-old bug in BSD, realize that the situations were different. That bug required conditions that didn't exist until present day conditions: namely, if you are using Samba on BSD and your directory has more than up to 250,000 items. As such, the BSD bug has been present for 25 years, but could not be triggered, much less verified, until recent years. The 7-year-old MS bug was verified and has been present on all Windows versions since that time.

    --
    Well, there's spam egg sausage and spam, that's not got much spam in it.