Slashdot: News for Nerds

Apple Patches Massive Holes In OS X

timothy posted more than 4 years ago | from the well-it-wouldn't-be-polite-to-patch-windows dept.


Trailrunner7 writes with this snippet from ThreatPost: "Apple's first Mac OS X security update for 2010 is out, providing cover for at least 12 serious vulnerabilities. The update, rated critical, plugs security holes that could lead to code execution vulnerabilities if a Mac user is tricked into opening audio files or surfing to a rigged Web site." Hit the link for a list of the highlights among these fixes.


246 comments

HAHA! (1, Funny)

Anonymous Coward | more than 4 years ago | (#30837844)

"if a Mac user is tricked into opening audio files or surfing to a rigged Web site."

I own a Mac G3, and STILL haven't been tricked into using OS X!

I just patched a massive hole (-1, Troll)

exley (221867) | more than 4 years ago | (#30837898)

in your mom.

(May as well just get that one out of the way)

Re:I just patched a massive hole (5, Funny)

Anonymous Coward | more than 4 years ago | (#30837970)

I'm afraid your patch provides insufficient coverage.

Re:I just patched a massive hole (1)

maxume (22995) | more than 4 years ago | (#30838002)

A lot of the people that read the site are in their 40s, 50s and 60s (I'm not). That makes their moms mostly 60+.

Go dude, go.

Re:I just patched a massive hole (1)

tiberus (258517) | more than 4 years ago | (#30838004)

More like you fell in...

(Well, like exley said...)

Re:I just patched a massive hole (0)

Anonymous Coward | more than 4 years ago | (#30838030)

I just want to know when they're going to patch that damn hole in their logo. It's been there for decades!

Re:I just patched a massive hole (0, Flamebait)

e2d2 (115622) | more than 4 years ago | (#30838178)

I noticed. But where on earth did you find that helmet shaped like a wookie head from? ..Oh snap, that's not a helmet. My bad!

Also dude, the preferred nomenclature is vaginal-space challenged.

Re:I just patched a massive hole (0, Offtopic)

ushering05401 (1086795) | more than 4 years ago | (#30838624)

Also dude, the preferred nomenclature is vaginal-space challenged.

I thought 'switcher' was the preferred nomenclature.

Re:I just patched a massive hole (0, Troll)

Anonymous Coward | more than 4 years ago | (#30839254)

in your mom.

(May as well just get that one out of the way)

This is Apple we're talking about. Mac users have no interest in that type of hole...

Re:I just patched a massive hole (2, Insightful)

Anonymous Coward | more than 4 years ago | (#30839830)

At least we're getting some...

Cover your eyes (-1, Troll)

mwvdlee (775178) | more than 4 years ago | (#30837902)

Quick Apple fan-boys, cover your eyes and do not read any further.
It's the only way you can continue claiming OS-X is soooooo much more safe and secure than that certain other OS.

Re:Cover your eyes (1, Interesting)

Anonymous Coward | more than 4 years ago | (#30838038)

Let me put it to you this way: None of the malware-infested machines I have cleaned up in the last few days were running OS X, just Windows.

There has been a huge spike in infections since that exploit that hit Google was made public -- we're seeing the return of drive-by infections on Windows, it's a whole lot of fun.

Meanwhile, I go home at night and surf with impunity on my Mac running OS X, just like I've done for the last 8 years.

Re:Cover your eyes (5, Informative)

tacarat (696339) | more than 4 years ago | (#30838870)

Saying that OSX is less secure due to these vulnerabilities is how MS said that Linux was less secure than windows. These aren't OS vulnerabilities, they're application vulnerabilities (well, for the programs I recognize as a non-Mac person). The OS itself is fine. The trick is, of course, that some of these things are included practically by default. So as we wouldn't count a problem with notepad as a Windows OS issue, so we shouldn't count ones for other OS's non-essential programs.

That's not to say that Mac users have free license to ignore proper security practices. Trojans, poor/shared passwords and not updating their software can leave them as vulnerable, if less targeted, than PC users. Given that one of the problems is with Flash (and the fix is as simple as an update), I wonder if there's a good enough target out there for hacking Mac WoW players through Flash ad hijacks.

Before you flame, I will say that if you're on /. and a Mac lover, I sincerely doubt you're one of the problem kids for updates on most any system you control.

Re:Cover your eyes (4, Insightful)

EvanED (569694) | more than 4 years ago | (#30839398)

So as we wouldn't count a problem with notepad as a Windows OS issue, so we shouldn't count ones for other OS's non-essential programs.

Not saying you're in this group, but a lot of people around here have no problem counting IE vulnerabilities against Windows.

Re:Cover your eyes (4, Insightful)

shutdown -p now (807394) | more than 4 years ago | (#30839888)

So as we wouldn't count a problem with notepad as a Windows OS issue, so we shouldn't count ones for other OS's non-essential programs.

So far as I have seen, problems with user-space components such as Notepad are indeed counted as Windows issues. Which makes perfect sense, since Notepad is present out of the box, and the box says "Windows" on it.

Similarly, OpenBSD has a fork of Apache 1.3 in their base system. If a vulnerability is found in that, then surely it's an OpenBSD vulnerability (hence the difference between base system and ports).

If Apple ships Flash plugin that way, then they have to deal with any security issues that may cause.

Re:Cover your eyes (2, Insightful)

amicusNYCL (1538833) | more than 4 years ago | (#30839194)

Meanwhile, I go home at night and surf with impunity on my Mac running OS X, just like I've done for the last 8 years.

You think you're the only one? My machine at home runs an unpatched version of XP SP3 (legally licensed, I just don't really bother to update it). I don't run a virus scanner, nor a software firewall, nor a memory-resident malware scanner. My current machine has never been infected (~2 years or so, since Crysis). My machine before that (same config) got infected once, when my roommate was porn browsing in IE.

The point? You don't need to run something other than Windows if you want to avoid infection, you just need to use your computer intelligently. It seems like you're saying that OSX is the platform for people to be as stupid as they want and still manage to avoid infection. That, my friend, is changing (as evidenced by the 7 patched vulnerabilities in Flash player).

Re:Cover your eyes (2, Informative)

DJRumpy (1345787) | more than 4 years ago | (#30840110)

Massive Holes? I wouldn't consider any of these critical vulnerabilities, except for the ever so popular Flash sponge.

* CoreAudio (CVE-2010-0036) -- A buffer overflow exists in the handling of mp4 audio files. Playing a maliciously crafted mp4 audio file may lead to an unexpected application termination or arbitrary code execution.
            Seems this could crash your audio player.

* CUPS (CVE-2009-3553) -- A use-after-free issue exists in cupsd. By issuing a maliciously crafted get-printer-jobs request, an attacker may cause a remote denial of service. This is mitigated through the automatic restart of cupsd after its termination.
            A remote attacker may cause an unexpected application termination of cupsd. I don't see this happening on a home network, and unlikely on a firewalled work network. In any case, an irritant and nothing more.

* Flash Player plug-in (7 vulnerabilities) -- Multiple issues exist in the Adobe Flash Player plug-in, the most serious of which may lead to arbitrary code execution when viewing a maliciously crafted web site. The issues are addressed by updating the Flash Player plug-in to version 10.0.42.
            This one unfortunately is serious. It's also due to a flaw in the Adobe Flash Player plug-in.

* ImageIO (CVE-2009-2285) -- A buffer underflow exists in ImageIO's handling of TIFF images. Viewing a maliciously crafted TIFF image may lead to an unexpected application termination or arbitrary code execution.
            Crashes your Preview or whatever image viewing app you're using.

* Image RAW (CVE-2010-0037) -- A buffer overflow exists in Image RAW's handling of DNG images. Viewing a maliciously crafted DNG image may lead to an unexpected application termination or arbitrary code execution.
            I seriously had to look this one up. DNG is apparently an Adobe raw image format. I don't see this one as massive either.

* OpenSSL (CVE-2009-3555) -- A man-in-the-middle vulnerability exists in the SSL and TLS protocols. A change to the renegotiation protocol is underway within the IETF. This update disables renegotiation in OpenSSL as a preventive security measure. The issue does not affect services using Secure Transport as it does not support renegotiation.
            This one appears to affect everyone, from OS X, to Windows, to Apache: The TLS protocol, and the SSL protocol 3.0 and possibly earlier, as used in Microsoft Internet Information Services (IIS) 7.0, mod_ssl in the Apache HTTP Server 2.2.14 and earlier, OpenSSL before 0.9.8l, GnuTLS 2.8.5 and earlier, Mozilla Network Security Services (NSS) 3.12.4 and earlier, multiple Cisco products, and other products, does not properly associate renegotiation handshakes with an existing connection, which allows man-in-the-middle attackers to insert data into HTTPS sessions, and possibly other types of sessions protected by TLS or SSL, by sending an unauthenticated request that is processed retroactively by a server in a post-renegotiation context, related to a "plaintext injection" attack, aka the "Project Mogul" issue.
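The CoreAudio, ImageIO and Image RAW items in the list above are all the same defect class: a length field read from the file is trusted when copying into a fixed-size buffer (an overflow when the length is too large, the ImageIO "underflow" when it wraps below zero). The following is an added example and is not Apple's code or code from the post above; it parses a constructed mp4-style box header (4-byte big-endian size, 4-byte type, payload), shows the unchecked pattern, and then the bounds-checked form that the advisory's "improved bounds checking" refers to in general terms. The box layout, the 64-byte destination buffer and the sample inputs are assumptions made for the illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Added example (not Apple's CoreAudio/ImageIO code): a minimal parser for
 * mp4-style "boxes", laid out as 4-byte big-endian size, 4-byte type, payload.
 * The size field counts the 8-byte header too. Layout and buffer size are
 * assumptions made for this illustration. */

#define PAYLOAD_MAX 64

enum parse_status {
    PARSE_OK = 0,
    PARSE_TRUNCATED,   /* box claims more bytes than the input holds */
    PARSE_BAD_SIZE,    /* size < 8: payload length would wrap (underflow) */
    PARSE_TOO_LARGE    /* payload does not fit the fixed destination buffer */
};

struct box {
    char type[5];
    uint32_t payload_len;
    uint8_t payload[PAYLOAD_MAX];
};

static uint32_t read_be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Unchecked pattern (the defect class named in the advisory). The size field
 * comes straight from the file: size > 72 overflows out->payload, and size < 8
 * wraps payload_len to ~4 GB (the "underflow" case). Shown for contrast only;
 * it is never run on the hostile inputs below. */
int parse_box_unchecked(const uint8_t *data, size_t len, struct box *out)
{
    (void)len;                                   /* input length is ignored */
    uint32_t size = read_be32(data);
    memcpy(out->type, data + 4, 4);
    out->type[4] = '\0';
    out->payload_len = size - 8;                 /* wraps when size < 8 */
    memcpy(out->payload, data + 8, out->payload_len);  /* unbounded copy */
    return PARSE_OK;
}

/* Bounds-checked form: every value derived from the file is validated against
 * both the input length and the destination size before any copy happens. */
int parse_box_checked(const uint8_t *data, size_t len, struct box *out)
{
    if (len < 8)
        return PARSE_TRUNCATED;                  /* header itself incomplete */
    uint32_t size = read_be32(data);
    if (size < 8)
        return PARSE_BAD_SIZE;                   /* would underflow payload_len */
    if (size > len)
        return PARSE_TRUNCATED;                  /* claims bytes we do not have */
    uint32_t payload_len = size - 8;
    if (payload_len > PAYLOAD_MAX)
        return PARSE_TOO_LARGE;                  /* destination too small */
    memcpy(out->type, data + 4, 4);
    out->type[4] = '\0';
    out->payload_len = payload_len;
    memcpy(out->payload, data + 8, payload_len);
    return PARSE_OK;
}

/* Constructed inputs (not real media files). */
static const uint8_t good_box[] = { 0, 0, 0, 12, 'f', 't', 'y', 'p', 'i', 's', 'o', 'm' };
static const uint8_t tiny_box[] = { 0, 0, 0, 4, 'f', 'r', 'e', 'e', 0, 0, 0, 0 };
static const uint8_t huge_box[] = { 0x7f, 0xff, 0xff, 0xff, 'm', 'd', 'a', 't', 0, 0, 0, 0 };
static const uint8_t big_box[80] = { 0, 0, 0, 80, 'm', 'd', 'a', 't' }; /* 72-byte payload > PAYLOAD_MAX */

/* Run the checked parser on one input and return only its status. */
int checked_status(const uint8_t *data, size_t len)
{
    struct box b;
    return parse_box_checked(data, len, &b);
}

/* Return the payload length the checked parser reports, or -1 if it rejected the box. */
long checked_payload_len(const uint8_t *data, size_t len)
{
    struct box b;
    if (parse_box_checked(data, len, &b) != PARSE_OK)
        return -1;
    return (long)b.payload_len;
}

int main(void)
{
    printf("good: %d  tiny: %d  huge: %d  big: %d\n",
           checked_status(good_box, sizeof good_box),
           checked_status(tiny_box, sizeof tiny_box),
           checked_status(huge_box, sizeof huge_box),
           checked_status(big_box, sizeof big_box));
    return 0;
}
```

The order of the checks matters: the `size < 8` test has to come before `size - 8` is computed, and the comparison against the input length has to come before the comparison against the destination, otherwise a box that claims a plausible payload size but sits at the end of a truncated file still reads past the input.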

Re:Cover your eyes (4, Insightful)

amicusNYCL (1538833) | more than 4 years ago | (#30838160)

You just couldn't wait to post that, could you? FYI: every piece of software needs updates, and there is still always one piece of software that will be more secure than the others. I don't know if OSX is more secure than Windows 7, but both of them will continue to receive updates, that fact doesn't make either of them less secure.

Re:Cover your eyes (1, Informative)

RyuuzakiTetsuya (195424) | more than 4 years ago | (#30838170)

Windows 7 can still be targeted by an IE bug that's been in place since IE6. Safari doesn't have zero day bugs *that* old

Re:Cover your eyes (3, Insightful)

e2d2 (115622) | more than 4 years ago | (#30838222)

Windows 7 can still be targeted by an IE bug that's been in place since IE6. Safari doesn't have zero day bugs *that* old

How would you know? Zero-day means a non-public exploit.

Re:Cover your eyes (3, Interesting)

AHuxley (892839) | more than 4 years ago | (#30838516)

Anything posted on some forum, whispers in an irc chat?
Anything new floating around for a Mac running 10.6 that will do an IE and pop the browser/OS from a remote site?
Most still need the user to enter his/her password as an application/codec.
Macs are still safe to surf with for now.
Macs have a list of malware and loggers, the pre OS 10 had lots too.
But nothing in the wild to infect just yet with a site visit.
If anything existed outside law enforcement, spooks and one off professional solutions, every Mac AV vendor would have a youtube vid up.
A link to buy protection at a fair price after the 2 to 3 mins of safari getting infected after following a link and their product saving the day.

Re:Cover your eyes (1)

TrancePhreak (576593) | more than 4 years ago | (#30839228)

The pwn2own contest would say otherwise. Mac is usually the first to go down.

Re:Cover your eyes (0, Flamebait)

Capt.DrumkenBum (1173011) | more than 4 years ago | (#30839664)

There are 2 computers sitting on a table one costs $1199, and the other costs $729. Which are you going to try to hack?
$1199 = Cheapest MacBook Pro.
$729 = Dell Vostro with comparable specs.

Re:Cover your eyes (2, Informative)

prockcore (543967) | more than 4 years ago | (#30839938)

You hack whichever's easiest, considering pwn2own had $10k cash prizes.

Re:Cover your eyes (0)

SSpade (549608) | more than 4 years ago | (#30838544)

Windows 7 can still be targeted by an IE bug that's been in place since IE6. Safari doesn't have zero day bugs *that* old

How would you know? Zero-day means a non-public exploit.

Safari was released in early 2003.

Internet Explorer 6 was released in August 2001.

So the unfixed Internet Explorer bugs have been around quite a bit longer than Safari has. So Safari is unlikely to have any bugs older than this IE bug, zero-day or otherwise.

(OK, there could be crusty KHTML era bugs left in the Safari code-base, but there's not much of that code left untouched)

Re:Cover your eyes (1)

e2d2 (115622) | more than 4 years ago | (#30838932)

LOL, OK now I get it. OP's point was valid. IE6 really does have bugs in the wild that are older than Firefox itself. Mozilla is pretty old so that would be possible, but not FF technically.

Re:Cover your eyes (0)

Erikderzweite (1146485) | more than 4 years ago | (#30838618)

Vupen Security has confirmed code execution on IE7 and IE8 as well, even in sandboxed mode.

Re:Cover your eyes (1)

recoiledsnake (879048) | more than 4 years ago | (#30838804)

Link?

Re:Cover your eyes (2, Informative)

Erikderzweite (1146485) | more than 4 years ago | (#30839144)

Re:Cover your eyes (2, Insightful)

mystikkman (1487801) | more than 4 years ago | (#30840124)

That doesn't say anything about sandboxing or DEP, like you claimed it would "confirm", got any more references to back up your claim?

Re:Cover your eyes (4, Informative)

chentiangemalc (1710624) | more than 4 years ago | (#30839278)

With default Windows 7 settings, the current exploit doesn't work. IE8 in XP without DEP protection. It CAN theoretically be exploited with DEP but haven't seen any current exploits that work around DEP protection. Also running with non-admin privileges (recommended, and default in Vista & Windows 7) reduces the attack surface (i.e. backdoors can't be installed without taking advantage of some other vulnerability) so the IE vulnerability is a bit overblown; following good security practices (which are default in Vista & Windows 7) already prevents the known attacks.

Re:Cover your eyes (3, Informative)

Dumnezeu (1673634) | more than 4 years ago | (#30838532)

No, it can't. Well technically, it can be exploited, but IE runs sandboxed in Win 7 so the exploiter can't really do much.

Re:Cover your eyes (1)

h4rr4r (612664) | more than 4 years ago | (#30838902)

Could it use/harvest saved passwords? Open new browser tabs? Launch perhaps an app that would run the escalation exploit from this morning?

Re:Cover your eyes (1, Interesting)

amicusNYCL (1538833) | more than 4 years ago | (#30838632)

Windows 7 can still be targeted by an IE bug that's been in place since IE6. Safari doesn't have zero day bugs *that* old

Regardless of whether or not your statement about IE in Windows 7 is accurate, that doesn't have anything to do with an update for OSX somehow implying that OSX is less secure than it was yesterday.

Re:Cover your eyes (1)

daveime (1253762) | more than 4 years ago | (#30839706)

that doesn't have anything to do with an update for OSX somehow implying that OSX is less secure than it was yesterday

What kind of fanboi drivel is this ?

They've just patched 12 serious vulnerabilities, how could it NOT be less secure yesterday before the patch than it is now after the patch ?

Re:Cover your eyes (1)

amicusNYCL (1538833) | more than 4 years ago | (#30839816)

That's exactly my point - read the first post in the thread and my reply. Someone responded to that with a non sequitur about IE and you saw my reply. The original poster seemed to imply that Apple releasing an update somehow decreased the perceived security of OSX.

"Fanboi", huh? Exactly which company do you think I'm a huge fan of?

Re:Cover your eyes (1, Funny)

daveime (1253762) | more than 4 years ago | (#30840012)

You *have* to be a fanboi to post here ... you must take a side, there is no fence-sitting allowed on Slashdot.

You can take the "M$ sucks" route for infinite karma heaven, or the "A$$le sucks" route for instant karma hell. The "Linux (no dollar sign of course, this is FOSS) sucks" route simply leads to much debate and handwringing, with unknown karma effects ... look on that path as something like Buddhism.

Where we go from here, that's a choice I leave up to you. (oblig. Matrix reference)

Can we get this stickied ? Oh, damnit, I thought we were on a forum for a minute :-(

Re:Cover your eyes (1)

Tim C (15259) | more than 4 years ago | (#30839046)

Not in the default configuration it can't.

Re:Cover your eyes (0)

Anonymous Coward | more than 4 years ago | (#30839952)

It's only secure until its cracked.

Re:Cover your eyes (4, Informative)

jo_ham (604554) | more than 4 years ago | (#30838786)

But it is.

And patching vulnerabilities that are found just makes it more so.

Sorry, what was your point again?

Re:Cover your eyes (1)

shutdown -p now (807394) | more than 4 years ago | (#30839928)

His point is that you can't take a Windows vulnerability, and write a /. comment around it that basically amounts to "and that's why Windows security sucks", but when a similar vulnerability is found in OS X, write another /. comment around it that amounts to "well, shit happens, but anyway, now it's even more secure than ever" - it's hypocritical. Either both vulnerabilities indicate systemic problems, or neither one does.

Re:Cover your eyes (1)

jo_ham (604554) | more than 4 years ago | (#30840072)

Well, it really depends *who* says it - the marketing departments at MS and Apple both tout "OS X/Windows is more secure than ever" - from a marketing standpoint they obviously aren't going to say anything else. From a certain perspective both are true - both Windows and OS X are more secure than ever, since they have been patched up - whether there are still a thousand other holes doesn't really change that, it just infers that there are no other problems which is where it gets muddy.

The GP's original point, I believe, was to totally discount that OS X is secure/more secure than Windows because of these patched vulnerabilities. No one is really claiming that there won't be vulnerabilities found, but it doesn't negate a claim that the OS itself is pretty good when it comes to security. Not immune, and not perfect, but not bad.

While we're on it of course, I do take issue with the headline. "Massive Holes" really isn't accurate - at least, not in the context of other security updates. These are no better or worse than other security holes that have been fixed in OS X before, but the summary and headline dress it up like they just discovered that half the fence was missing and your troops are giving free bagels to the enemy as they usher them in through the gaps.

It is good that critical flaws are being corrected though, regardless of how they are reported.

Twelve? (5, Informative)

Spyware23 (1260322) | more than 4 years ago | (#30837956)

Apple's own security update page (http://support.apple.com/kb/HT4004) lists these six, where did the Threatpost author get the number 12 from?

Security Update 2010-001

* CoreAudio
  CVE-ID: CVE-2010-0036
  Available for: Mac OS X v10.5.8, Mac OS X Server v10.5.8, Mac OS X v10.6.2, Mac OS X Server v10.6.2
  Impact: Playing a maliciously crafted mp4 audio file may lead to an unexpected application termination or arbitrary code execution
  Description: A buffer overflow exists in the handling of mp4 audio files. Playing a maliciously crafted mp4 audio file may lead to an unexpected application termination or arbitrary code execution. This issue is addressed through improved bounds checking. Credit to Tobias Klein of trapkit.de for reporting this issue.

* CUPS
  CVE-ID: CVE-2009-3553
  Available for: Mac OS X v10.5.8, Mac OS X Server v10.5.8, Mac OS X v10.6.2, Mac OS X Server v10.6.2
  Impact: A remote attacker may cause an unexpected application termination of cupsd
  Description: A use-after-free issue exists in cupsd. By issuing a maliciously crafted get-printer-jobs request, an attacker may cause a remote denial of service. This is mitigated through the automatic restart of cupsd after its termination. This issue is addressed through improved connection use tracking.

* Flash Player plug-in
  CVE-ID: CVE-2009-3794, CVE-2009-3796, CVE-2009-3797, CVE-2009-3798, CVE-2009-3799, CVE-2009-3800, CVE-2009-3951
  Available for: Mac OS X v10.5.8, Mac OS X Server v10.5.8, Mac OS X v10.6.2, Mac OS X Server v10.6.2
  Impact: Multiple vulnerabilities in Adobe Flash Player plug-in
  Description: Multiple issues exist in the Adobe Flash Player plug-in, the most serious of which may lead to arbitrary code execution when viewing a maliciously crafted web site. The issues are addressed by updating the Flash Player plug-in to version 10.0.42. Further information is available via the Adobe web site at http://www.adobe.com/support/security/bulletins/apsb09-19.html Credit to an anonymous researcher and Damian Put working with TippingPoint's Zero Day Initiative, Bing Liu of Fortinet's FortiGuard Global Security Research Team, Will Dormann of CERT, Manuel Caballero and Microsoft Vulnerability Research (MSVR).

* ImageIO
  CVE-ID: CVE-2009-2285
  Available for: Mac OS X v10.5.8, Mac OS X Server v10.5.8
  Impact: Viewing a maliciously crafted TIFF image may lead to an unexpected application termination or arbitrary code execution
  Description: A buffer underflow exists in ImageIO's handling of TIFF images. Viewing a maliciously crafted TIFF image may lead to an unexpected application termination or arbitrary code execution. This issue is addressed through improved bounds checking. For Mac OS X v10.6 systems, this issue is addressed in Mac OS X v10.6.2.

* Image RAW
  CVE-ID: CVE-2010-0037
  Available for: Mac OS X v10.5.8, Mac OS X Server v10.5.8, Mac OS X v10.6.2, Mac OS X Server v10.6.2
  Impact: Viewing a maliciously crafted DNG image may lead to an unexpected application termination or arbitrary code execution
  Description: A buffer overflow exists in Image RAW's handling of DNG images. Viewing a maliciously crafted DNG image may lead to an unexpected application termination or arbitrary code execution. This issue is addressed through improved bounds checking. Credit to Jason Carr of Carnegie Mellon University Computing Services for reporting this issue.

* OpenSSL
  CVE-ID: CVE-2009-3555
  Available for: Mac OS X v10.5.8, Mac OS X Server v10.5.8, Mac OS X v10.6.2, Mac OS X Server v10.6.2
  Impact: An attacker with a privileged network position may capture data or change the operations performed in sessions protected by SSL
  Description: A man-in-the-middle vulnerability exists in the SSL and TLS protocols. Further information is available at http://www.phonefactor.com/sslgap A change to the renegotiation protocol is underway within the IETF. This update disables renegotiation in OpenSSL as a preventive security measure. The issue does not affect services using Secure Transport as it does not support renegotiation. Credit to Steve Dispensa and Marsh Ray of PhoneFactor, Inc. for reporting this issue.
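The CUPS entry quoted above (and the same item in DJRumpy's list earlier in the thread) describes a use-after-free in a request handler that was fixed through "improved connection use tracking". The pattern behind that phrase is reference counting: a connection object is only freed once every queued request that still refers to it has finished with it. The following is an added example, not CUPS code and not from the post above; it models a print-server-style connection with a use count, shows the unchecked disconnect that frees the object while a request still points at it, and the tracked form that keeps it alive until the last user is done. The connection and request structures, the `closed` flag and the scenario functions are assumptions made for the illustration.

```c
#include <stdlib.h>
#include <stdio.h>

/* Added example (not CUPS code): a connection object that a queued request
 * keeps referring to after the peer hangs up. Names and the request model are
 * assumptions made for this illustration. */

static int live_conns = 0;   /* allocations minus frees, used to check for leaks */

struct conn {
    int id;
    int refs;    /* use count: one for the listener, one per in-flight request */
    int closed;  /* peer hung up; nothing further may be sent on it */
};

struct request {
    struct conn *c;     /* the request pins the connection while it is queued */
};

struct conn *conn_new(int id)
{
    struct conn *c = calloc(1, sizeof *c);
    c->id = id;
    c->refs = 1;        /* the listener's own use */
    live_conns++;
    return c;
}

struct conn *conn_ref(struct conn *c)
{
    c->refs++;
    return c;
}

void conn_unref(struct conn *c)
{
    if (--c->refs == 0) {   /* last user gone: now it is safe to free */
        free(c);
        live_conns--;
    }
}

/* Unchecked pattern (the defect class in the advisory): the disconnect path
 * frees the connection outright even though a queued request still holds the
 * pointer; completing that request later reads freed memory. Shown for
 * contrast only and never run below. */
void disconnect_unchecked(struct conn *c)
{
    free(c);
    live_conns--;
}

/* Tracked form: record that the peer is gone and drop only the listener's use.
 * The memory stays valid until every request that references it completes. */
void disconnect_tracked(struct conn *c)
{
    c->closed = 1;
    conn_unref(c);
}

struct request *request_queue(struct conn *c)
{
    struct request *r = calloc(1, sizeof *r);
    r->c = conn_ref(c);     /* take a use for the lifetime of the request */
    return r;
}

/* Completing a request: returns the number of bytes "sent" (42 as a stand-in,
 * 0 if the peer already closed), then releases the request's use. */
int request_complete(struct request *r)
{
    int sent = r->c->closed ? 0 : 42;
    conn_unref(r->c);
    free(r);
    return sent;
}

/* Scenario A: the client disconnects while its request is still queued. With
 * tracking, the worker still finds a valid (closed) connection and the object
 * is freed on the worker's unref, not on the disconnect. */
int scenario_disconnect_before_complete(void)
{
    struct conn *c = conn_new(1);
    struct request *r = request_queue(c);   /* refs 2 */
    disconnect_tracked(c);                  /* refs 1, still allocated */
    return request_complete(r);             /* reads c->closed safely; refs 0, freed */
}

/* Scenario B: the request completes before the client disconnects. */
int scenario_complete_before_disconnect(void)
{
    struct conn *c = conn_new(2);
    struct request *r = request_queue(c);   /* refs 2 */
    int sent = request_complete(r);         /* refs 1 */
    disconnect_tracked(c);                  /* refs 0, freed */
    return sent;
}

int remaining_conns(void)
{
    return live_conns;
}

int main(void)
{
    printf("A: %d bytes, B: %d bytes, live: %d\n",
           scenario_disconnect_before_complete(),
           scenario_complete_before_disconnect(),
           remaining_conns());
    return 0;
}
```

The point of the counter is that ownership of the connection no longer depends on the order in which the disconnect and the request completion happen to arrive, which is exactly the ordering an attacker controls in a remote request handler.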

Re:Twelve? (5, Insightful)

mjschultz (819188) | more than 4 years ago | (#30838010)

Apple's own security update page (http://support.apple.com/kb/HT4004) lists these six, where did the Threatpost author get the number 12 from?

The Flash update is actually 7 vulnerabilities.

Re:Twelve? (5, Insightful)

Graff (532189) | more than 4 years ago | (#30838262)

The Flash update is actually 7 vulnerabilities.

Moral of this story:
Avoid Flash and you can cut the number of vulnerabilities approximately in half!

Re:Twelve? (1, Insightful)

Anonymous Coward | more than 4 years ago | (#30839440)

And you can avoid most of the internet at the same time.

Re:Twelve? (2)

PitaBred (632671) | more than 4 years ago | (#30839722)

Just the really shitty parts. Only turn flash on when you need it, youtube and the like

Re:Twelve? (1)

_merlin (160982) | more than 4 years ago | (#30839926)

Really? I've gone without Flash on my work PC for three months, and the only things it stops me from using that I actually care about are funny videos that people send around the office, and the web site of the company that made the hardcore orange juicing machine in the kitchen (we'd lost the manual). Most of the stuff that's actually useful doesn't need Flash.

Re:Twelve? (0)

Anonymous Coward | more than 4 years ago | (#30838014)

From the article: "Flash Player plug-in (7 vulnerabilities)"

7 + 5 = 12

Re:Twelve? (0)

Anonymous Coward | more than 4 years ago | (#30838058)

There are 12 different CVE's, representing 12 unique vulnerabilities.

Therefore, there are 7 unique vulns fixed in the one Flash Advisory

Re:Twelve? (1)

zippthorne (748122) | more than 4 years ago | (#30839118)

The SSL vulnerability is somewhat disturbing. Read the date on the linked article.

Re:Twelve? (0)

Anonymous Coward | more than 4 years ago | (#30839596)

I was really hoping someone on here would have commented on the OpenSSL renegotiation blocking breaking Vidalia / Tor connectivity. Tor relies on OpenSSL, and can't complete a handshake after the update. Anybody know a workaround?

Re:Twelve? (0)

CaptDeuce (84529) | more than 4 years ago | (#30839768)

Apple's own security update page (http://support.apple.com/kb/HT4004) lists these six, where did the Threatpost author get the number 12 from?

"Massive security holes" or "serious vulnerabilities" are worth two "ordinary" vulnerabilities.

Re:Twelve? (1)

ekhben (628371) | more than 4 years ago | (#30840052)

May all of OS X's "massive holes" be so insignificant to me.

The most concerning is the TIFF vulnerability; fortunately that's a 10.5 issue, not a 10.6 issue. The second most concerning is the SSL vulnerability, but I've not trusted SSL alone for a while now. Still tossing up throwing out Firefox's trust anchor code and replacing it with an SSH style known-hosts setup... but the FF code is a total dog to work with. And I don't care. Mostly, I guess, I don't care. Thank you, my bank, for two-factor authentication.

Must be running bootcamp (4, Funny)

Anonymous Coward | more than 4 years ago | (#30837962)

The Apple commercials have told me that viruses and security holes are only possible in Windows, so I gather they are patching boot camp installs now

Re:Must be running bootcamp (3, Insightful)

recoiledsnake (879048) | more than 4 years ago | (#30838658)

It's interesting that many of these(like the image exploits) can be triggered by just browsing to a website(like the IE6/Google/China fiasco) or by mp4 audio/video files. Where are all the 'LOL M$ can't code' posters here?

Re:Must be running bootcamp (2, Funny)

dunezone (899268) | more than 4 years ago | (#30838910)

Oh Sorry...

LOL A$$LE can't code

Wait, that doesn't look right.

Re:Must be running bootcamp (0)

Anonymous Coward | more than 4 years ago | (#30839362)

Looks about right to me.

Re:Must be running bootcamp (0)

Anonymous Coward | more than 4 years ago | (#30839356)

Where are all the 'LOL M$ can't code' posters here?

I guess they are busy making security patches for OS X.

Re:Must be running bootcamp (5, Funny)

binary paladin (684759) | more than 4 years ago | (#30839834)

LOL M$ can't code

Re:Must be running bootcamp (4, Funny)

Anonymous Coward | more than 4 years ago | (#30838672)

No - the Apple commercials tell you that viruses are a problem for Windows. Viruses tend to find MacOS too arrogant an environment to survive in.

Re:Must be running bootcamp (3, Insightful)

LihTox (754597) | more than 4 years ago | (#30839140)

Viruses tend to find MacOS too arrogant an environment to survive in.

Maybe our arrogance is an adaptive self-defense mechanism. So shove off, Windoze loser. :)

Re:Must be running bootcamp (1, Funny)

gig (78408) | more than 4 years ago | (#30838700)

It's viruses that are only possible on Windows. All operating systems have security holes, but only Microsoft systems get viruses. The Apple commercials very clearly refer only to viruses. The PC sneezes and acts like he has a cold, he's caught something, and the Mac can't catch it from him, he's immune to the viruses. Security holes are not covered at all.

Re:Must be running bootcamp (1)

that this is not und (1026860) | more than 4 years ago | (#30840102)

You're kidding, right? Viruses actually were far worse in the past on other platforms. They were everywhere on the Amiga, for instance.

Security holes are not covered at all.

No, they're covered on a piecemeal basis. Whenever Apple's Marketing signs off on a bug fix it can be released.

Re:Must be running bootcamp (0, Troll)

Anonymous Coward | more than 4 years ago | (#30838888)

The Apple commercials have told me that viruses and security holes are only possible in Windows

[citation needed]

Never have I seen an Apple ad say that.

No OS X user I've ever known has ever had a malware problem, whereas nearly every windows user I have ever known has had chronic multiple malware problems. No matter what the MS fanbois say, it's obvious to anyone in the know that OS X is quite secure compared to wind'ohs.

BTW, love the hyperbole ("Massive", LOL) of TFS' headline.

Re:Must be running bootcamp (1)

PitaBred (632671) | more than 4 years ago | (#30839800)

The Apple commercials have told me that viruses and security holes are only possible in Windows

[citation needed]

http://www.youtube.com/watch?v=XiBLIGy_mpk [youtube.com]

That citation enough for ya? It's not outright stated, but it sure as hell is very strongly implied

Very interesting the holes they patched (-1, Troll)

Anonymous Coward | more than 4 years ago | (#30837964)

Re:Very interesting the holes they patched (0)

Anonymous Coward | more than 4 years ago | (#30839102)

What...what is this?

A refund? (5, Funny)

Monkeedude1212 (1560403) | more than 4 years ago | (#30837988)

The only hole I want Apple to fix is the one they put in my wallet.

Re:A refund? (0, Troll)

Anonymous Coward | more than 4 years ago | (#30838224)

Security holes aside, isn't it a little bit backwards to bitch about the price of something that you voluntarily paid for?

Re:A refund? (4, Interesting)

jgtg32a (1173373) | more than 4 years ago | (#30838294)

buyers remorse?

Re:A refund? (-1, Troll)

Anonymous Coward | more than 4 years ago | (#30838280)

you must be some democrat/liberal, wanting someone else to fix something you did...which was buy a mac.

Re:A refund? (0, Troll)

Red Flayer (890720) | more than 4 years ago | (#30838584)

And you must be some current-day republican/asshat (there are no conservatives left), bitching and moaning in a non sequitur in the hope it'll get you some popularity points.

Re:A refund? (0)

Anonymous Coward | more than 4 years ago | (#30838640)

and you must be some sort of republican/conservative troll, so it doesn't matter what i type here, you're too stubborn to read it, so flibbeldy woogledy tofu bean silicon murfreesboro turkey bolts plumb burnfreeze tacobomb.

Re:A refund? (0, Flamebait)

geoffrobinson (109879) | more than 4 years ago | (#30838324)

Did they put a gun to your head and tell you to buy something you didn't want? Or was it your wife or girlfriend?

Hopefully, you have just one of the two or you'll be paying for something far more expensive than a Mac.

Re:A refund? (0)

Anonymous Coward | more than 4 years ago | (#30838376)

I agree, these twats who are commenting on you are a bunch of steve jobs anus lickers

Re:A refund? (0)

Anonymous Coward | more than 4 years ago | (#30839130)

If you had to make a choice which Steve's anus would you rather lick you choose Jobs' or Ballmer's?

Ballmer might have had some nasty tacos for lunch, but with Steve's health problems I bet he eats really well now.

Jobs all the way!!!

Re:A refund? (-1, Flamebait)

Anonymous Coward | more than 4 years ago | (#30839022)

How about making a new big hole in your retarded head?

I can lend you my gun.

Security Well (0, Redundant)

Noelnonymous Coward (1725914) | more than 4 years ago | (#30838000)

I've got a Mac G3, and have yet to be tricked into installing Mac OS X!

Re:Security Well (4, Funny)

amicusNYCL (1538833) | more than 4 years ago | (#30838192)

You already posted that in the first comment anonymously, and it wasn't funny then either.

Re:Security Well (1)

Noelnonymous Coward (1725914) | more than 4 years ago | (#30838678)

Being that there are many reasons to post things, and to post anonymously, "funny" isn't always the primary intent. What was my primary intent? If you don't know, don't worry about it, and withhold comment. :) Besides, you're not a boor, and I didn't say something funny... But it's possible I might say something funny.

Re:Security Well (0)

Anonymous Coward | more than 4 years ago | (#30838922)

Just shut the fuck up.

Re:Security Well (0)

Anonymous Coward | more than 4 years ago | (#30839306)

The original was correctly modded offtopic. As it is neither insightful, interesting, funny, underrated, nor overrated. It's our way of saying it should not have been posted regardless of the author's intent.

Re:Security Well (1)

amicusNYCL (1538833) | more than 4 years ago | (#30839310)

Being that there are many reasons to post things, and to post anonymously, "funny" isn't always the primary intent. What was my primary intent?

If it's necessary to have a discussion about your intent, how successful do you think you were in conveying it?

But it's possible I might say something funny.

Tell me a joke!

Re:Security Well (1)

Arcady13 (656165) | more than 4 years ago | (#30839064)

I have a Mac G3. It is sitting in my basement collecting dust, because it is a worthless piece of shit.

Buy a computer from this century.

Don't bother looking if you have X.4 or earlier (1)

oDDmON oUT (231200) | more than 4 years ago | (#30838132)

Sometimes newer isn't better.

Re:Don't bother looking if you have X.4 or earlier (2, Insightful)

0racle (667029) | more than 4 years ago | (#30838202)

It is when you want security updates from Apple.

image format bugs (3, Informative)

phantomfive (622387) | more than 4 years ago | (#30838290)

Two bugs were found in their image libraries (arbitrary code execution bugs in TIFF and RAW-DMG). Makes me wonder if they even tested their image libraries at all when they were being written, because that kind of bug can usually be found in an image library by feeding it random data.

Re:image format bugs (3, Interesting)

TrancePhreak (576593) | more than 4 years ago | (#30838708)

Other companies got hit by those a long time ago and have since patched up their image libraries. Apple must have ignored it then and is now paying the price.

Re:image format bugs (1)

eulernet (1132389) | more than 4 years ago | (#30838934)

A few years ago, when Microsoft's Windows source code was leaked, a hacker found a problem in the handling of the standard BMP format (IIRC, it was an integer that was not considered signed, and it contained the size of the picture), which could allow arbitrary code execution.

What bothers me is that Apple's developers don't check if they have the same problems as their direct competitor.

Re:image format bugs (1)

ruiner13 (527499) | more than 4 years ago | (#30839932)

Speculate much? How do you know it is the same issue, especially considering you can't even seem to remember what the Windows bug actually was?

Re:image format bugs (2, Insightful)

DJCouchyCouch (622482) | more than 4 years ago | (#30839082)

Using random data doesn't work if some structured data needs to be read first.

So you need non-random random data. :)
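What phantomfive and DJCouchyCouch are describing, as an added illustration that is not code from any poster in this thread or from Apple: a toy image decoder that trusts the dimensions in its header (the bug class behind the TIFF and DMG fixes), the same decoder with bounds checks, and a small fuzz harness that feeds both of them either pure random bytes or "non-random random data" (a valid seed image with its header fields and length mutated). The `IMG1` format, the `FRAMEBUFFER_SIZE` buffer, and the `decode_naive`/`decode_checked` names are constructed for this example; an `IndexError` stands in for the out-of-bounds access a C decoder would make. It goes a step beyond the comments by placing the hardened decoder next to the naive one so the harness shows the difference.

```python
import random
import struct
from collections import Counter

# Hypothetical toy image format (constructed for this example):
#   4-byte magic "IMG1", u32 little-endian width, u32 height, then width*height pixel bytes.
MAGIC = b"IMG1"
FRAMEBUFFER_SIZE = 4096   # fixed-size output buffer the decoder writes into
INTERESTING = [0, 1, 0x7F, 0x80, 0xFF, 0x100, 0x7FFFFFFF, 0x80000000, 0xFFFFFFFF]


class ParseError(Exception):
    """Raised for inputs the decoder rejects on purpose (a clean, expected failure)."""


def decode_naive(data):
    """Trusts the header dimensions. IndexError here stands in for the
    out-of-bounds read/write a C decoder would perform."""
    if len(data) < 12 or data[:4] != MAGIC:
        raise ParseError("bad header")
    width, height = struct.unpack("<II", data[4:12])
    count = width * height            # file-controlled, never bounds-checked
    framebuffer = bytearray(FRAMEBUFFER_SIZE)
    pixels = data[12:]
    for i in range(count):
        framebuffer[i] = pixels[i]    # overruns pixels (OOB read) or framebuffer (OOB write)
    return width, height


def decode_checked(data):
    """Same format, with the checks needed before trusting file-supplied sizes."""
    if len(data) < 12 or data[:4] != MAGIC:
        raise ParseError("bad header")
    width, height = struct.unpack("<II", data[4:12])
    # Bound each dimension so width*height can neither overflow nor exceed the buffer.
    if not (1 <= width <= 64 and 1 <= height <= 64):
        raise ParseError("unreasonable dimensions")
    count = width * height            # at most 64*64 == FRAMEBUFFER_SIZE
    if len(data) - 12 < count:
        raise ParseError("truncated pixel data")
    framebuffer = bytearray(FRAMEBUFFER_SIZE)
    framebuffer[:count] = data[12:12 + count]
    return width, height


def make_seed():
    """A valid 16x16 image, constructed here as the fuzzer's starting point."""
    return MAGIC + struct.pack("<II", 16, 16) + bytes(range(256))


def random_blobs(rng, n, size):
    """Pure random data: almost never gets past the magic check."""
    for _ in range(n):
        yield bytes(rng.getrandbits(8) for _ in range(size))


def structured_mutations(rng, seed, n):
    """'Non-random random data': keep the structure, mutate the fields that matter."""
    for _ in range(n):
        buf = bytearray(seed)
        choice = rng.randrange(4)
        if choice == 0:                                   # boundary value into width
            buf[4:8] = struct.pack("<I", rng.choice(INTERESTING))
        elif choice == 1:                                 # boundary value into height
            buf[8:12] = struct.pack("<I", rng.choice(INTERESTING))
        elif choice == 2:                                 # flip one bit anywhere
            i = rng.randrange(len(buf))
            buf[i] ^= 1 << rng.randrange(8)
        else:                                             # cut the pixel data short
            del buf[12 + rng.randrange(len(buf) - 12):]
        yield bytes(buf)


def fuzz(decoder, inputs):
    """Bucket outcomes; anything that is not a ParseError is a bug the decoder missed."""
    outcomes = Counter()
    for data in inputs:
        try:
            decoder(data)
            outcomes["ok"] += 1
        except ParseError as e:
            outcomes[str(e)] += 1
        except Exception as e:       # IndexError etc.: the crash a fuzzer is looking for
            outcomes["CRASH:" + type(e).__name__] += 1
    return outcomes


def crashes(outcomes):
    return sum(v for k, v in outcomes.items() if k.startswith("CRASH"))


def run_campaign(seed_value=1, cases=300):
    """Run both input generators against both decoders; keyed by (generator, decoder)."""
    seed = make_seed()
    results = {}
    for name, decoder in (("naive", decode_naive), ("checked", decode_checked)):
        rng = random.Random(seed_value)
        results[("random", name)] = fuzz(decoder, random_blobs(rng, cases, len(seed)))
        rng = random.Random(seed_value)
        results[("structured", name)] = fuzz(decoder, structured_mutations(rng, seed, cases))
    return results


if __name__ == "__main__":
    for key, outcome in run_campaign().items():
        print(key, dict(outcome))
```

Running it shows the point of the two comments: the random-bytes campaign never gets past "bad header" for either decoder, while the structured campaign reaches the size handling, crashes the naive decoder within a few hundred cases, and yields only clean `ParseError` rejections (plus successful decodes) from the checked one.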

Re:image format bugs (1)

twidarkling (1537077) | more than 4 years ago | (#30839650)

But computers can't generate truly random data, it's always at least partially procedurally generated. Thus, any data from a computer you feed to it is non-random random data :p

Re:image format bugs (1)

drinkypoo (153816) | more than 4 years ago | (#30840150)

These sophomoric no-input-sanitization errors are the most common kind. Didn't Apple make one before with the iPhone and SMS or something? We've seen cellphones that don't check to make sure Bluetooth data is valid. FireWire is a big mess because the hardware permits access to things it shouldn't.

Different Day, Same Crap (4, Insightful)

His Shadow (689816) | more than 4 years ago | (#30839078)

Has anyone driven a truck through these gaping holes? Anyone? Bueller? When OSX is suffering from a deluge of viruses from all these supposed gaping holes in its architecture, please come back and let us know. Because while every operating system has vulnerabilities, only Microsoft was kind enough to make those vulnerabilities accessible by system-wide scripting mechanisms that allowed millions of computer users the world over to be the subject of attacks from the hundreds of thousands of pieces of malware constantly fighting to infect Windows PCs. The count (for those who think a security vulnerability makes Apple's points about viruses invalid) is about one hundred thousand to 0. This is being very generous. So, yes, as a matter of fact, there are no viruses for Mac OS X. Not virtually none, not almost none. None.

You forget one simple thing... (0)

Anonymous Coward | more than 4 years ago | (#30839184)

There aren't enough macs out there to make the average scriptkiddie drool in anticipation.
They want the big score, and apple doesn't have enough market share to count.
That's not something to be proud of.

Re:You forget one simple thing... (3, Insightful)

jo_ham (604554) | more than 4 years ago | (#30839394)

There aren't enough Windows with IIS installed to make the average script kiddie drool in anticipation in comparison to Linux/BSD with Apache. Oh wait.

If you don't think the chance to be the "first person to exploit the 'secure' OS X with a virus" isn't driving some of these people then you are deluded. Or that genuine organised crime isn't going after the Mac platform (as a non-negligible marketshare) as well as Windows since it is a multi-million dollar industry compromising machines over the net. So far though, not much beyond proof of concept stuff and things that require user credential authentication.

It's no reason to be complacent (and the patching of vulnerabilities is not complacency), or the assertion that OS X is immune to threats, because it isn't. But it has proven to have a pretty good track record - not perfect, but pretty good. Continued work is still needed though.

Huh? What? Erg? (-1, Troll)

Anonymous Coward | more than 4 years ago | (#30839124)

Why the need for patches? Didn't the Steve Jobs fanbois tell us over and over again OSX was secure, it can never be hacked? It was so well coded it never crashes? I don't understand how the MOST SECURE OS EVER needs patching.

Re:Huh? What? Erg? (0)

Anonymous Coward | more than 4 years ago | (#30839336)

I like to call it 'Rainbows, Unicorns, and Bullshit'

RUB and FUD are two sides of the same coin, and if you believe either: you're an idiot.

"MASSIVE"? (3, Interesting)

jjoelc (1589361) | more than 4 years ago | (#30840108)

I just wonder why the summary title says "MASSIVE holes..." when the original article says "serious"... a bit of bias, perhaps?

More realistically, this is just another security update. Find me an OS that doesn't have them, and for similarly "obvious" or "easily found/fixed" (hindsight and armchair hacking being perfect of course) and I'll either switch right away, or dust off the old TRS-80 from my closet to run it on.

The way I see it, if you have a brain and use it while browsing, you are generally fine. But people are stupid. And if you are going to market your product to stupid people, you need to make sure you do everything you can to minimize the damage stupid people can do to others. (Stupid people generally deserve their own damages...)

Now to start the debate over which company is more in the business of marketing to stupid people...
