Slashdot Mirror


Apple and Microsoft Release Critical Patches

SkiifGeek writes "Both Microsoft and Apple have released major security updates in the last 24 hours. Microsoft's single update (MS09-017) addresses fourteen distinct vulnerabilities across all supported versions of PowerPoint, but it isn't the number of patched vulnerabilities that is causing trouble. Instead, the decision to release the patch for Windows versions while OS X and Works versions remain vulnerable to the same remote code execution risks (including one that is currently being exploited) hasn't gone down well with some people. Microsoft have given various reasons why this is the case, but this mega-update-in-a-patch is still interesting for other reasons. Meanwhile, Apple has updated OS X 10.5 to 10.5.7 as part of the 2009-002 Security Update, as well as a cumulative update for Safari 3 and the Public Beta for 4. As well as addressing numerous significant security risks, the 10.5.7 update provides a number of stability and capability enhancements and incorporates the Safari 3 update patch. Probably the most surprising element of the Apple update is the overall size of it; 442MB for the point update, and 729MB for the ComboUpdate."

29 of 194 comments

  1. Slashdot said patch by olddotter · · Score: 4, Funny

    If a patch is important enough to be on Slashdot, I apply it. (Well, not really.) Keep up the work, /., and remember the internet depends on you.

  2. orly? by gardyloo · · Score: 5, Interesting

    > [...] but this mega-update-in-a-patch is still interesting for other reasons.

    Why not just say what those reasons are? I'd like to know, because I followed the link which suggests it'll tell me what the reasons are, and it's---so far as I can tell---only interesting because it contains so little detail. Please be careful with futzing about with infinite regress like that. Eventually you're going to divide by zero, and then we're all fucked.

    1. Re:orly? by ShadowRangerRIT · · Score: 5, Interesting

      I suspect there were two reasons for the delay in a Mac patch (I base this on previous experience as an MS programmer):
      1. Macs in general have a slightly lower priority for development, and fewer developers. Note the release years; each version of Office for the Mac is released a year behind the Windows equivalent. If they held off until the Mac team was ready to release, they'd leave Windows vulnerable longer.
      2. Pre-Vista versions of Windows are more vulnerable to the exploits than a Mac is. Both Macs and Vista don't grant programs admin privileges by default, so the damage is limited. On XP and earlier OSes, the exploits could root the system on a default home user installation. So leaving Windows vulnerable longer would mean disproportionate damage to pre-Vista Windows users.

      Of course, there may be a small bit of reason 3: "Windows customers are more important" in there, but it's a justifiable decision on points 1 and 2 alone.

      --
      $_ = "wftedskaebjgdpjgidbsmnjgcdwatb"; tr/a-z/oh, turtleneck Phrase Jar!/; print
    2. Re:orly? by mcmaddog · · Score: 3, Interesting

      Yes, they do add features in between, but the development work for each Windows version is reused by the Mac team.

      I was under the impression that the last (and first) time MS used the same code base for both Mac and Windows versions of MS Word was Word 6.0. However, because of the massive outcry from Mac users, who felt Word 6 did not feel like a Mac application and decided to keep using Word 5.x, Microsoft created the Macintosh Business Unit for developing future versions. Also, new features are often introduced in the Mac versions first, like self-healing in Office 98, because the risk of pissing off a large user base is reduced, and then they later show up in the next version for Windows.

  3. Re:Apple, Microsoft and Ninnle Labs by gardyloo · · Score: 4, Funny

    Thanks, A Noways Cum Donor

  4. Size... by courcoul · · Score: 4, Funny

    > Probably the most surprising element of the Apple update is the overall size of it; 442MB for the point update, and 729MB for the ComboUpdate."

    Well, the Server version of the Combo updater runs close to the whole GB. In other words, it would seem the patch is virtually overwriting the entire OS.

    Wonder if the Vista patch is doing the same, overwriting with Windows 7? :D

    1. Re:Size... by Anonymous Coward · · Score: 3, Funny

      Windows 7 isn't really Windows 7, it is Win 6.5, and is basically Vista SP2 (now with better PR).

  5. Dashboard patched thoroughly by Sh1r0wgmx.de · · Score: 5, Informative

    Yeah, the size of the update was a shock this morning; it made me miss my usual train too. From what I've read at http://www.macworld.com/article/140578/2009/05/1057update.html the update does a lot more than is actually said (big surprise with the size), even though most of those things aren't directly visible. What I have found is that my Dashboard updates a lot faster than before; as I have two standard weather widgets open at all times, I guess they really optimized the code there. Normally it would take at least 5-10 seconds to update the display after opening the Dashboard; now it's almost instantaneous. Anyone else notice this too?

  6. I agree, (And have reasons) by Anonymous Coward · · Score: 4, Insightful

    The MS patch is going to be more serious for several reasons. One is the fact that people will actually exploit MS's holes with large automated botnets.

    But the other reason, is while Apple may have patched Apache, BIND, the kitchen sink and my left sock, most of those ARE NOT enabled by default.

    Using some super-rough numbers, let's suppose the OS X install base is 10%.
    Suppose even 5% have Apache or BIND, etc. enabled. Heck, let's suppose 5% have EVERYTHING enabled....

    and if 1 in 5 of those machines actually has a public IP or forwarded ports,

    then you're talking something like 1 in 1000 computers is a Mac with an exploitable version of BIND/Apache/what-have-you and a public IP.

    vs what? 3 out of 5 windows users that don't know how to tell if their machine is part of a botnet?

    YES, the OSX patch and security updates are good, welcome improvements, but the sad reality is that windows 98/ME/2000/XP/Vista are all bigger targets and a bigger security threat right now.

    Why is it that network providers are working their hardest to stop BitTorrent, yet are perfectly willing to let the viruses, the botnets, the port scans, and untold mountains of spam propagate on their networks?

    1. Re:I agree, (And have reasons) by ivucica · · Score: 3, Interesting

      Simple. Botnets don't generate the great loads of upload traffic that BitTorrent does. Sure, the outgoing mail is irritating, but it's not exactly completely continuous and it's not exactly of such concentrated volume.

    2. Re:I agree, (And have reasons) by inject_hotmail.com · · Score: 5, Insightful

      > vs what? 3 out of 5 windows users that don't know how to tell if their machine is part of a botnet?

      Nice troll. I wonder how many of the Apple users can tell?

      Actually, I don't. My experience (which is 2 decades in the field) is that Apple users are just as clueless about the operation of their computers as PC users.

      Being 0wn3d has nothing to do with the platform, it's about the behavior/knowledge/understanding of the user.

    3. Re:I agree, (And have reasons) by tsa · · Score: 4, Insightful

      You also didn't pay much attention. The parent was talking about the ability of the users of certain operating systems to recognize the fact that their computer was part of a botnet. That has nothing to do with the security of the OS.

      --
      Cheers!

    4. Re:I agree, (And have reasons) by Spatial · · Score: 3, Informative

      At least in America, a lot of the network providers are also media publishers and distributors.

  7. Re:Software vulnerabilities by ShadowRangerRIT · · Score: 5, Interesting

    A bit of a logical fallacy there. Even if we assume that the switch to x86 was the trigger for more exploits (increased popularity of the OS being another possibility), it doesn't necessarily mean x86 is more vulnerable. The vast majority of exploits don't need to rely on processor specific characteristics after all.

    What it means is that virus writers have limited time and experience. Ignoring trivial Trojans and the like that any script kiddie can bang out, an effective virus (e.g. worms) requires a lot of skill in the assembly language for the CPU, in order to write code that can fit in the available exploit "space". Writing worms for the Power PC architecture was a losing proposition since you didn't have a lot of targets. Now, if you have knowledge of x86 assembly, you can transfer your skills to Macs more easily.

    Of course, porting programs to run in 64 bit mode *is* an effective security obstacle; one example is that since 64 bit addresses (in the current implementation) always contain nulls, buffer overruns are much harder to exploit. So yes, Power PC 64 bit is more secure, but if you wrote for an x86-64 target, you'd have roughly the same benefits.

    --
    $_ = "wftedskaebjgdpjgidbsmnjgcdwatb"; tr/a-z/oh, turtleneck Phrase Jar!/; print
  8. Re:Software vulnerabilities by ohcrapitssteve · · Score: 4, Insightful

    All that switching from RISC/PPC to x86_xx should change is "endianness." I hear passing worries of Intel chip-level vulnerabilities, but to my (admittedly limited to hitting up Google just now) knowledge these never really end up in mainstream exploits. Maybe that's because there are plenty of much more easily exploitable vulnerabilities already known.

    Again, I'm not a security researcher or a system arch. expert myself, but from what I've heard from those researching OS X vs. Windows vulnerabilities, Address Space Layout Randomization (ASLR) would make it much harder to exploit vulnerabilities on the Apple end. This feature appears to be slated for the next point release ("Snow Leopard") of Mac OS X. Essentially, the exploiter must try much harder to "find" the code planted in the target box's memory when the vulnerability was exploited, in order to execute it.

  9. Re:Dashboard patched thoroughly by 0xdeadbeef · · Score: 3, Funny

    > let me miss my usual train too

    The next Microsoft commercial: Apple makes you late for work.

  10. Solution seems straightforward enough by 93+Escort+Wagon · · Score: 4, Insightful

    The SANS link makes some great points about Microsoft and responsible disclosure. After reading that, I think it's obvious what needs to be done. Quit helping Microsoft cover their rear when they're going to turn around and attempt to use it as a cudgel against their perceived competition.

    If you're a security researcher, and you discover a flaw in a Microsoft product - stop buying into the flawed MS version of responsible disclosure. Notify Microsoft right away, certainly; but from now on also announce it to SANS and the other responsible security organizations at the same time. That way the affected users - ALL affected users - can take steps to mitigate their exposure.

    --
    #DeleteChrome
    1. Re:Solution seems straightforward enough by UnknowingFool · · Score: 5, Interesting

      Also don't trust MS reports on their own security. They deliberately fudge numbers to make their OS look good by redefining metrics. For example, MS says that they actually patch faster than RedHat, Apple, or SuSE. Of course what MS doesn't tell you is that they define "time to patch" as the time between when they publicly disclose a bug and when they patch it. Linux and some parts of Apple systems (the parts based on open source) define "time to patch" as the time between when a bug is verified and when it is patched. Recently MS patched a bug that has been lingering for 7 years. The "time to patch" for this bug was one month according to MS since it was released in Nov. 2008 and fixed in Dec. 2008.

      Now, before anyone starts linking the 25-year-old bug in BSD, realize that the situations were different. That bug required conditions that didn't exist until the present day: namely, you are using Samba on BSD and your directory has more than 250,000 items. As such, the BSD bug has been present for 25 years, but could not be triggered, much less verified, until recent years. The 7-year-old MS bug was verified and has been present on all Windows versions since that time.

      --
      Well, there's spam egg sausage and spam, that's not got much spam in it.
  11. obvious conflict of interest by bcrowell · · Score: 4, Insightful

    There's a gigantic conflict of interest here. By treating MacOS as a second-class citizen, they can hurt a competitor in the OS market. If MS can make people perceive Windows as the only first-class platform on which to run Office, it makes MS more likely to retain market share for Windows. MS's interests in this case are diametrically opposed to the interests of their users.

    A similar situation applies to old versions of Windows. The California community college where I teach has a whole bunch of student computer labs with machines from about 2001, which all have Windows 2000 on them. MS's support for Win2k ends in July of 2010, and that means no more security patches. We could upgrade to XP, but although our machines do theoretically satisfy XP's hardware requirements, it's not clear whether they'd have acceptable performance with XP. Again, MS's interests are diametrically opposed to ours. They want to keep us on the upgrade treadmill. They're happy to let Win2k become a non-viable platform, so that we'll be forced to buy new hardware, which will come with Vista preinstalled. Except, uh, the California state budget crisis means that we can't afford to buy new hardware. Of course MS never promised to support Win2k indefinitely, and our managers should have done a better job of planning ahead so that this wouldn't become a crisis. But it really does strike me that this is the kind of problem that would never have happened with Linux. I can run Ubuntu for as long as I want, and just keep upgrading to the latest version. Linux runs well on old hardware, so there's no upgrade treadmill. No big mystery why it's this way: it's because Linus Torvalds, Mark Shuttleworth, etc. don't have interests that conflict with the users'.

    1. Re:obvious conflict of interest by Anonymous Coward · · Score: 4, Insightful

      That is the longest explanation of a "for profit business" that I've ever seen.

  12. Re:Software vulnerabilities by FiloEleven · · Score: 3, Funny

    Another logical fallacy would be criticizing GP's post without looking at who the author of the post is.

    Nec hominem fallacy?

  13. Re:Static linking by TheRaven64 · · Score: 5, Informative

    Insightful? Absolute nonsense. This patch is entirely for Apple-supplied software. This all links against the system frameworks, and does not include its own version of anything. Frameworks shared between more than one Apple app are bundled into the global frameworks directory. Also, most of the stuff being updated (e.g. Apache, which has had several security holes fixed in this update) isn't in a .app bundle.

    --
    I am TheRaven on Soylent News
  14. Re:Software vulnerabilities by ShadowRangerRIT · · Score: 3, Insightful

    If anything deserves a +1 Funny, it's unnecessary use of Latin for satiric purposes.

    --
    $_ = "wftedskaebjgdpjgidbsmnjgcdwatb"; tr/a-z/oh, turtleneck Phrase Jar!/; print
  15. security is complex (MODS: get a grip) by Gary+W.+Longsine · · Score: 5, Insightful

    Clearly your post demonstrates that you don't understand the subject well, but it doesn't *seem* like you're Trolling. Perhaps in context... hrm... over half of your recent posts were up-modded, so you don't appear to be a well known Troll. MODS! Get a grip. Security issues are complex. Obviously you mods don't know the subject any better. Meta moderation will punish you.

    Mac OS X has had potential buffer overflow exploits, corrected in security updates and OS updates, since the Earth Cooled (TM). Apple might be taking them a little more seriously, or they might be receiving more attention from others, now that the assembly language required to exploit them is understood by all the crax0rs, instead of merely 20% of them. Apple isn't suddenly experiencing the same type of security problems. Some defects exist (you typically learn of them when a patch becomes available) but have not yet been exploited by worms and viruses. The relative seriousness and number of defects between the platforms is a matter of some debate.

    Moreover, some of the mechanisms used to propagate malware on Windows rely on tricking the user (social engineering) into installing the malware. Those techniques, independent of exploitable defects, are certainly possible to apply to the Mac. Apparently a few attempts have been made (such as trojans planted in cracked pirate warez recently). Widespread damage hasn't yet resulted, but isn't out of the question.

    To p0wn a million Macs, one need only trick about 3% of Mac users into installing your malware. I've seen a couple of clever Windows email viruses which tricked from 1/3 to 1/2 of the users who got the email within the first hour, infecting over 1% of an enterprise network, before the alerts went out and antivirus definitions were updated. I think the success of some of these tricks on Windows indicates pretty clearly that a malware outbreak on the Mac on the scale of a million victims or more is certainly possible, even without finding a defect and engineering the exploit. An email-based scam, seeded with a list of known Mac users, might do the trick. The Bad Guys (TM) could easily generate such a list by reading the emails on the millions of infected Windows computers, and snarfing the addresses out of received emails which came from known Mac email clients.

    Of course, even that malware which relied primarily on social engineering also relied on its ability to masquerade as a spreadsheet when it was really an exe, in the most popular Windows email clients, so it might be quite a bit harder to exploit social engineering on the Mac. It's hard to say, and I haven't seen any evidence that it's been tried yet.

    If it does happen, the Mac community is not really prepared for it. AntiVirus software doesn't appear to be in use by most Mac users. There isn't a legion of companies rushing cleanup tools out the door every day. Mac users are not in the habit of looking for such regardless.

    --
    If you mod me down, I shall become more powerful than you could possibly imagine.
  16. Re:Apple is Bad Too by UnknowingFool · · Score: 4, Informative

    *Sigh*. First of all, 10.5.7 contains both enhancements and fixes. Apple patches all the software that came bundled with OS X. In some cases, this software is not their own. If you look at just the security fixes for 10.5.7, you would see that the non-Apple software is being patched:
    • Apache
    • BIND
    • CUPS
    • Flash
    • libxml
    • Kerberos
    • Net-SNMP
    • OpenSSL
    • PHP
    • ruby
    • telnet
    • WebKit
    • X11

    That is being bundled with fixes and enhancements to their own software like "iCal: Improves overall reliability with CalDav." The MS update is all labeled "Vulnerability to . . ."

    --
    Well, there's spam egg sausage and spam, that's not got much spam in it.
  17. Re:numbers wrong by sgt+scrub · · Score: 3, Funny

    Wow! It is amazing how those numbers look like the minimum and maximum ISO install downloads for a Linux distro.

    --
    Having to work for a living is the root of all evil.
  18. Re:Apple, Microsoft and Ninnle Labs by Myrimos · · Score: 3, Insightful

    It has come to my attention that the entire Linux community is a hotbed of so called 'alternative sexuality'...

    Should... should we mark this as funny?

    --
    Internet scofflaw
  19. Re:10 years by Anonymous+Psychopath · · Score: 3, Interesting

    > Can you please list other commercial OS'es which are still supported after 10 years?

    No, I can't. I didn't intend to imply that MS was worse than other proprietary OS vendors. I just meant that proprietary OS vendors were worse than open-source OS vendors.

    > Do you believe you could purchase a support contract for a 10-year-old distribution of Linux today? I don't mean a guy with a pony tail and beard who will help you out and charges by the hour, I mean a support contract from a stable provider with multiple levels of escalation, 24x7 call center, etc.

    I think you're comparing apples and oranges. It's no problem to purchase a support contract for any current and popular Linux distribution because upgrades are free (as in beer). If Microsoft upgrades were also free (as in beer) you'd have no problem obtaining support for the current version of software from them either.

    I don't mean to imply that you should be running an MS OS instead of Ubuntu, or vice versa. Pick whatever tool suits your requirements. I think that your analysis of the reasons for doing one or the other appears to be flawed, though.

    --
    Eagles may soar, but weasels don't get sucked into jet engines.

  20. Re:numbers wrong by Chaos+Incarnate · · Score: 4, Informative

    It's 729 MB for the complete, standalone, works-on-both-architectures, includes-10.5.1-forward patch. If you download via Software Update you'll see a smaller download (since you'll only download for PowerPC or x86, and you'll only download the needed bits instead of all the point updates rolled together).

    --
    Benford's Corollary to Clarke's Law: "Any technology distinguishable from magic is insufficiently advanced."