Tell Apple you're not satisfied with patch time
on Mac OS X 10.2.8 Available · Score: 4, Interesting
If you're not satisfied that it's taken about a week to patch sendmail and OpenSSH, send them feedback. This is what I sent them (although I don't suggest you say exactly the same!):
I just wanted to make feedback regarding the fact that it's taken a whole week between reports of the OpenSSH and sendmail vulnerabilities and Apple releasing a patch.
As a long-time Unix user just entering the world of OS X (and mostly enjoying it very much), I wanted to note that the FreeBSD project released patches within 24 hours of initial reports, as did many Linux vendors, and that I would expect faster response time from Apple in the future. Delays have a negative effect on the PR image of Apple as well as being a pain for admins and end users!
Now, which would you rather have (if you were a virus/worm writer): a few deleted letters to Mom and pictures of the dog or a vast army of zombie systems waiting to do your bidding?
The average system is hardly protected against local root exploits. Once someone has a regular user login, it's going to be pretty easy to install a remote shell backdoor from which an exploit-finding-script can be run to elevate to root.
The only time getting a regular user account is different to getting root is when a box is cracked which is already secured with multi(untrusted)user access in mind, e.g. web host, which does not apply to most home boxes.