
Apple Patch Released, But Is It Enough?

Zonk posted more than 8 years ago | from the conflicting-viewpoints dept.


entenman writes "Apple Computer's security update train rumbled into the station with fixes for a whopping 43 Mac OS X and QuickTime vulnerabilities. The Security Update patches 31 flaws in the Mac OS X, most of them serious enough to cause 'arbitrary code execution attacks.'" Unfortunately, InfoWorldMike writes "InfoWorld.com reports that Independent researcher Tom Ferris said there were still holes in Safari, QuickTime, and iTunes that he reported to Apple but were not patched in the latest release on Thursday. Ferris told InfoWorld he is considering releasing the details of the unpatched holes on May 14 on his Web site. He also says he has found new holes in OS X affecting TIFF format files and BOMArchiver, an application used to compress files. He did not provide details about the flaws or proof of their existence."


338 comments


Stupidity (5, Insightful)

Phroggy (441) | more than 8 years ago | (#15325651)

and there is debate about whether Apple's shift to the same Intel architecture used by Microsoft Windows will change the security posture of Mac systems.

Let's settle this debate.

No.

Changing CPU architectures will have absolutely no effect on security.

Switching to Intel will make it easier for game developers to port their code, which will lead to more games available for the Mac. This, combined with the ability to dual-boot to Windows and eventually the ability to run Windows apps through virtualization, makes the Mac platform more appealing to consumers, which will probably lead to an increase in Apple's market share. This could lead to more malware creators taking an interest in the Mac platform, which would lead to more security holes in Mac OS X being exploited (which is not the same as more security holes existing).

Re:Stupidity (5, Insightful)

Anonymous Coward | more than 8 years ago | (#15325698)

I think you underestimate the importance of assembly language when coding exploits. There are plenty of crackers out there who know x86 ASM. There are *far* fewer who know PPC ASM.

You have to make the initial exploit to get "in." Once you are in you can use most standard unix libraries to do whatever you want. The hard part with PPC was finding someone who knew how to code the initial exploit and the carefully crafted shellcode (with no null bytes, etc.). With Mac moving to Intel this part is MUCH easier for the people who know x86 ASM.

Re:Stupidity (5, Insightful)

CODiNE (27417) | more than 8 years ago | (#15325797)

You mentioned avoiding null bytes. I seem to recall reading that on PPC that's much harder to pull off because many RISC ops tend to have a byte of null padding that smaller CISC ops don't need. So besides having to learn a new asm, it's also much harder to exploit... PPC did have a real advantage here.

x86 is coherent (1)

r00t (33219) | more than 8 years ago | (#15325798)

On x86, you can reliably execute code that has been freshly written to memory. This is because the CPU invalidates the instruction cache automatically as needed.

PowerPC chips don't do this. If you try to execute something freshly written to memory, you may instead execute the prior data.

Only learning that first assembly language is hard (5, Insightful)

AHumbleOpinion (546848) | more than 8 years ago | (#15325828)

I think you underestimate the importance of assembly language when coding exploits. There are plenty of crackers out there who know x86 ASM. There are *far* fewer who know PPC ASM.

I think you overestimate the effort required to learn PPC once you know x86. The first assembly language you learn is difficult, especially if it is x86, but for subsequent ones it is far less difficult. After many years of x86 I wrote my first serious PPC code, it beat Apple's MrC compiler quite easily.

No overestimate, it is a real barrier (2, Informative)

Anonymous Coward | more than 8 years ago | (#15325934)

Back in 1999, LinuxPPC decided to mock Microsoft's putting a Windows 2000 machine on the internet to see who would break into it by putting their own up and saying that whoever cracked it first would get the machine.

Their machine had a default install, with default sets of applications.

It took months before anyone cracked the machine. When it was cracked, the hole used to do it was a well-known buffer overflow that had widely known x86 exploits at the time they put the machine up. An Intel machine treated that way would have been instant toast. What took time was that nobody had written a PPC exploit. Therefore none of the automated tools that the script kiddies had would crack the machine.

Sure, for someone knowledgeable, it wasn't a hard transition. But the major outside security threat for most of us is not from someone knowledgeable, it is from people who are not knowledgeable using tools written by people that are. Those people are NOT going to be able to make the transition easily.

It used to be that people would write an application for Windows then recompile for Macs. The result is that the exploit that worked against a Windows version of the application would likely not work on the Mac version. Since there are more Intel machines, odds were pretty good that nobody would get around to writing a Mac version of the exploit for some time. But now the odds are much better that the Windows exploit which the script kiddies are likely to have will work against the same application running on a Mac. Which does make the Mac less secure in practice going forward.

Re:No overestimate, it is a real barrier (1)

cnettel (836611) | more than 8 years ago | (#15326112)

Well, a prepared exploit is of course dependent on the architecture. But that's not the ONLY thing it needs. It would reasonably also need some system call (or be highly dependent on the specific calling convention the application was compiled with, to modify the stack to indirectly trick other code into full exploitation). Those will generally still be different.

What about NX? (1)

DaHat (247651) | more than 8 years ago | (#15325750)

You don't think that NX support [wikipedia.org] within the CPU could help at all?

Sure, it's not a complete solution, but it is at least another layer of protection to keep users safe and is more than what they had with PPCs... provided they are using it today.

Re:What about NX? (0)

Anonymous Coward | more than 8 years ago | (#15325778)

Didn't PPC already have technology like NX for a long time?

Re:What about NX? (1)

Phroggy (441) | more than 8 years ago | (#15325786)

Although this sort of mechanism has been around for years in various other processor architectures such as Sun's SPARC, Alpha, IBM's PowerPC, and even Intel's IA-64 architecture...

NX on PowerPC (1)

r00t (33219) | more than 8 years ago | (#15325790)

The standard desktop chips provide it with 256 MB resolution. This is decent. You could make the stack unexecutable this way, and probably the heap too.

Re:Stupidity (0)

suv4x4 (956391) | more than 8 years ago | (#15325793)

Let's settle this debate.

No.

Changing CPU architectures will have absolutely no effect on security.

The FAQ says that people frequently get modded insightful just because they seem confident, and apparently you prove them right.

The truth is the Intel processor is a lot more prone to buffer overflow attacks, which is what most exploits on Windows are based on. This is why the no-execute command was introduced in later chips, but OSX doesn't take much (if any) advantage of it.

Also don't forget: most hackers have self-assembled Intel/AMD machines... that certainly counts.

Re:Stupidity (4, Informative)

Have Blue (616) | more than 8 years ago | (#15325840)

The truth is the Intel processor is a lot more prone to buffer overflow attacks

Bullshit. Buffer overflows are a software problem and have nothing to do with the CPU. The PowerPC would have been just as vulnerable, when running identical code.

And building your own PC teaches you absolutely nothing about discovering vulnerabilities.

Re:Stupidity (5, Funny)

ImaNihilist (889325) | more than 8 years ago | (#15325884)

And building your own PC teaches you absolutely nothing about discovering vulnerabilities.

Sure it does. It teaches you that all systems, regardless of CPU and OS, are vulnerable to static electricity. Thus, the best "hacks" are to break into someone's house with a balloon, find their PC, open it, rub the balloon on their head, and then start touching the motherboard.

Re:Stupidity (0)

morgan_greywolf (835522) | more than 8 years ago | (#15325902)

What the parent poster is trying to say is this:

If you have a hand-built Intel or AMD box, what chip do you have the most access to? The chip that's in your box! If you're building and trying out exploits that use fuzzing techniques, the best way to do that is with your own equipment. It gives you a playground with which you can run the target OS and/or app in a debugger and watch what happens in realtime when you send different types of data.

So in that respect, you gained a little bit of security through obscurity by running on PPC. Now that Macs are running Intel, all bets are off -- these same crackers can now just run Mac OS X on their own box and they've got their own playground even without having a Mac.

Re:Stupidity (1, Interesting)

suv4x4 (956391) | more than 8 years ago | (#15325922)

Bullshit. Buffer overflows are a software problem and have nothing to do with the CPU. The PowerPC would have been just as vulnerable, when running identical code.

PPC makes it much harder (though not impossible) to run code after overflow since it'll clear the stack.

And building your own PC teaches you absolutely nothing about discovering vulnerabilities.

I'm saying they have (hacked) OSX compatible machines, where previously they didn't.
The fact they are self assembled is just because they are cheap (which Apple computers are not).

I wish people wouldn't just jump to quick conclusions and call "bullshit" without thinking it through.

Re:Stupidity (3, Interesting)

Ulrich Hobelmann (861309) | more than 8 years ago | (#15326022)

PPC makes it much harder ... to run code after overflow since it'll clear the stack.

Clear what stack? The only meaningful difference between PPC and x86 regarding buffer overflows is that PPC has more registers (including a link register which won't be saved by leaf procedures), and that the x86 CALL instruction pushes its value on the stack.

A buffer overflow would simply overflow some buffer, and be engineered so that it will overwrite the stack frame's return address to call some other code (which is also in the overflowed buffer).

Now on Intel every procedure has a return location on the stack, while on PPC only non-leaf procedures do, but since all computation happens in the context of *some* call stack, there will always be a parent procedure that has a return value that just waits to be overwritten.

I'm not sure how PPC can "clear" the stack, or with what purpose.

Re:Stupidity (0)

Anonymous Coward | more than 8 years ago | (#15326030)

Actually, stupid, x86 is more susceptible. E.g., for string overflows, try and write a non-trivial piece of code on a non-x86 architecture that doesn't contain a single null byte. Go on, try it.

buffer overflow (1)

falconwolf (725481) | more than 8 years ago | (#15326084)

Bullshit. Buffer overflows are a software problem and have nothing to do with the CPU. The PowerPC would have been just as vulnerable, when running identical code.

Can a buffer overflow be a CPU as well as a software problem? According to this wiki article NX bit [wikipedia.org], if a CPU designates the data area of memory with an NX attribute then no code can run from within that memory, thus preventing buffer overflows from executing code. If they have it wrong then maybe you can help them edit this article, well, that is if someone else didn't already edit it to give false info.

Falcon
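A defender's check for the property this subthread argues about (whether the OS actually maps data regions such as the stack and heap non-executable), as an added example that is not from the thread, from Apple, or from Wikipedia: it parses Linux /proc/<pid>/maps output and flags any region that is both writable and executable. Both dumps below are constructed, and the Linux maps format is an assumption; the thread's Mac OS X would need the output of vmmap instead.

```python
"""Audit a process memory map for writable-and-executable (W+X) regions.

Added example, not code from the Slashdot thread. Assumes the Linux
/proc/<pid>/maps line format; the two sample dumps are constructed.
"""
import re
from dataclasses import dataclass

# Constructed dump of a process whose data regions are all non-executable.
SAMPLE_HARDENED = """\
00400000-00452000 r-xp 00000000 08:01 1234567 /usr/bin/example
00651000-00652000 r--p 00051000 08:01 1234567 /usr/bin/example
00652000-00655000 rw-p 00052000 08:01 1234567 /usr/bin/example
01c00000-01c21000 rw-p 00000000 00:00 0       [heap]
7ffd2000-7ffd4000 rw-p 00000000 00:00 0       [stack]
"""

# Constructed dump of a process where .data, heap and stack are all W+X,
# which is what "not taking advantage of NX" looks like in practice.
SAMPLE_WEAK = """\
00400000-00452000 r-xp 00000000 08:01 1234567 /usr/bin/example
00652000-00655000 rwxp 00052000 08:01 1234567 /usr/bin/example
01c00000-01c21000 rwxp 00000000 00:00 0       [heap]
7ffd2000-7ffd4000 rwxp 00000000 00:00 0       [stack]
"""

# start-end perms offset dev inode [path]; path is empty for anonymous maps.
MAPS_LINE = re.compile(
    r"^(?P<start>[0-9a-f]+)-(?P<end>[0-9a-f]+)\s+(?P<perms>[rwxps-]{4})\s+"
    r"[0-9a-f]+\s+\S+\s+\d+\s*(?P<path>.*)$"
)


@dataclass(frozen=True)
class Region:
    start: int
    end: int
    perms: str
    path: str

    @property
    def size(self) -> int:
        return self.end - self.start

    @property
    def writable_and_executable(self) -> bool:
        # Code that can be written at runtime can also be run: NX buys nothing here.
        return "w" in self.perms and "x" in self.perms


def parse_maps(text: str) -> list[Region]:
    """Parse maps-format text into Region records; reject unrecognised lines."""
    regions = []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = MAPS_LINE.match(line)
        if m is None:
            raise ValueError(f"unrecognised maps line: {line!r}")
        regions.append(Region(int(m["start"], 16), int(m["end"], 16),
                              m["perms"], m["path"].strip()))
    return regions


def find_wx_regions(text: str) -> list[Region]:
    """Return every mapping that is simultaneously writable and executable."""
    return [r for r in parse_maps(text) if r.writable_and_executable]


def stack_is_executable(text: str) -> bool:
    """True if any [stack] mapping carries the execute bit."""
    return any(r.path == "[stack]" and "x" in r.perms for r in parse_maps(text))


def report(text: str) -> list[str]:
    """Human-readable findings, one line per W+X region (empty means clean)."""
    return [f"W+X {r.perms} {r.start:#x}-{r.end:#x} ({r.size // 1024} KiB) {r.path}"
            for r in find_wx_regions(text)]


if __name__ == "__main__":
    for name, dump in (("hardened", SAMPLE_HARDENED), ("weak", SAMPLE_WEAK)):
        findings = report(dump)
        print(f"{name}: {len(findings)} W+X region(s), stack executable: "
              f"{stack_is_executable(dump)}")
        for line in findings:
            print("  " + line)
```

On a live Linux host the same functions can be pointed at the contents of /proc/self/maps or /proc/<pid>/maps; a clean process should yield an empty report.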

non-NX CPUs irrelevant, not shipped by Apple (1)

AHumbleOpinion (546848) | more than 8 years ago | (#15325893)

The truth is the Intel processor is a lot more prone to buffer overflow attacks, which is what most exploits on Windows are based on. This is why the no-execute command was introduced in later chips but OSX doesn't take a lot (if any) advantage of it.

Sorry, but no. The historical problems with x86 are irrelevant. Apple did not ship retail computers with those CPUs. The Core Duo and Solo CPUs support no-execute. The vulnerability does not lie with the CPU, it lies with Apple failing to use that capability of the CPU.

Also don't forget: most hackers have self-assembled Intel/AMD machines... that certainly counts.

Sorry, but again, no. What mischief occurs on these machines is irrelevant to Apple and the Apple market in general. These machines are running a hacked Mac OS X that requires skill beyond that of nearly all PC users, and it will likely be a fairly unreliable system as it may break with every software update. Having to rely on hacks from a 3rd party is a bit of a security risk itself. Sure it will be loads of fun to get Mac OS X running on a homebrew system, but these systems will be novelties and fun topics of conversation; very rarely will they have serious users.

The FAQ says that people frequently get modded insightful just because they seem confident, and apparently you prove them right.

Actually you just proved them right as well.

Re:non-NX CPUs irrelevant, not shipped by Apple (0, Offtopic)

suv4x4 (956391) | more than 8 years ago | (#15325950)

The Core Duo and Solo CPUs support no-execute. The vulnerability does not lie with the CPU, it lies with Apple failing to use that capability of the CPU.

I love it when people repeat what I said in attempt to argue :) See again what I said and compare it to what I quoted from you.

Having to rely on hacks from a 3rd party is a bit of a security risk itself. Sure it will be loads of fun to get Mac OS X running on a homebrew system, but these system will be novelties and fun topics of conversation, very rarely will they have serious users.

I'd say put your shit together. We're talking hackers here. You think they will be confused in installing and using OSX when there's a simple guide with steps and installations all over the web? My dog can install it.

And you can bet that if they find an exploit in Safari from hacked OSX 10.4, it'll work on Safari from original OSX 10.4, since the hacked components are related to the BIOS support and the TPM chip, and nothing to do with 99.99% of the OS.

Re:Stupidity (1)

Aqua OS X (458522) | more than 8 years ago | (#15325915)

"Switching to Intel will make it easier for game developers to port their code, which will lead to more games available for the Mac."

Actually, no.

For the time being it means developers must make universal binaries of games. Many Mac game developers have noted that ports will have increased development times for the next few years.

Porting will speed up when PPC hardware is irrelevant and Intel only builds are acceptable.

Re:Stupidity (1)

Phroggy (441) | more than 8 years ago | (#15325985)

I didn't say that switching to Intel has made it easier, I said it will make it easier; I expect to start seeing Intel-only games pretty soon, while other apps will be universal for a long time.

Re:Stupidity (2, Informative)

neonstz (79215) | more than 8 years ago | (#15325931)

Switching to Intel will make it easier for game developers to port their code, which will lead to more games available for the Mac.

No. Most, if not all, games today are coded in C/C++ (with maybe a tiny bit of assembler). The problem with porting games to the Mac is not the CPU instruction set but the available APIs. There is no DirectX on Mac. In addition many games are using 3rd party libraries so these have to be available for Mac too.

Re:Stupidity (1)

cnettel (836611) | more than 8 years ago | (#15326130)

On the other hand, it's easy to introduce endian dependencies in C/C++ code. Those will be a non-issue for a MacTel-only port.

Re:Stupidity (0)

Anonymous Coward | more than 8 years ago | (#15325961)

As others have said, you aren't totally correct:
1) architectures with variable-length instruction words are easier to exploit since it is easier to write code sequences which don't include null bytes
2) changing architectures will have essentially no effect on ease of portability of existing applications. As has been pointed out already, portability has more to do with API than architecture (in almost all modern code, endianness is the only aspect of architecture which affects the architecture-dependent side of portability)

Wrong and wrong. (1)

LKM (227954) | more than 8 years ago | (#15326027)

Changing CPU architectures will have absolutely no effect on security.

Wrong. For example, to exploit buffer overflows, you need to write assembly. More people know Intel assembly than PPC assembly. That makes attacks on Intel Macs more likely than on PPC Macs. This is most definitely "an effect on security."

Switching to Intel will make it easier for game developers to port their code

Wrong. Most modern games contain no or very little assembly code. The chipset doesn't matter when porting games. DirectX would matter, but it's not available on Macs either way.

eventually the ability to run Windows apps through virtualization

Eventually? It's already here [parallels.com], running on my Mac right now.

What purpose? (1)

samkass (174571) | more than 8 years ago | (#15325656)

What purpose would publishing the details on his site serve, other than as a kind of security vulnerability "first post!" type of thing?

Re:What purpose? (3, Insightful)

Phroggy (441) | more than 8 years ago | (#15325681)

What purpose would publishing the details on his site serve, other than as a kind of security vulnerability "first post!" type of thing?

In theory, it's possible that black-hats have already discovered the flaw, and will exploit it without telling anyone. If they've already figured it out, then releasing details to the public won't make the situation significantly worse. However, public embarrassment will prompt the company to release a fix more quickly.

I'm not saying I agree with this theory.

Re:What purpose? (1)

Catbeller (118204) | more than 8 years ago | (#15325732)

Then the test of this is the presence of exploits, and soon. If none arise, then something is amiss in the calculations of risk.

Re:What purpose? (1)

Phroggy (441) | more than 8 years ago | (#15325775)

And if none arise even after the vulnerabilities are made public..?

Re:What purpose? (1)

Catbeller (118204) | more than 8 years ago | (#15325796)

Then apparently Apple has divine protection, or the exploits are worthless. Someone would have used them by now, even if just to be the first to succeed.

Re:What purpose? (1)

flooey (695860) | more than 8 years ago | (#15325693)

What purpose would publishing the details on his site serve, other than as a kind of security vulnerability "first post!" type of thing?

The theory is that a policy of reporting security vulnerabilities to vendors and then revealing them publicly after a reasonable amount of time, regardless of if a patch is available, will encourage vendors to patch holes more quickly (since they know they're working against the clock). Of course, there are debates about whether this is effective, whether it's a good thing overall, and what constitutes a reasonable amount of time.

Re:What purpose? (5, Informative)

lancejjj (924211) | more than 8 years ago | (#15325726)

Purpose? Easy... he makes money by promoting himself.

If you check out his web site, it seems that he's trying to maximize advertising revenue. Not only does he have many ads, he also has many Amazon referral links. In addition, he is directly selling advertising:

From his website:

Want to advertise on the Security-Protocols website?

Below are our rates:
Banner Advertising:
10,000 impressions = $75
20,000 impressions = $135
30,000 impressions = $180

Re:What purpose? (4, Funny)

flobberchops (971724) | more than 8 years ago | (#15325885)

Banner Advertising:
10,000 impressions = $75
20,000 impressions = $135
30,000 impressions = $180
Slashdotting = Priceless

Re:What purpose? (0)

Anonymous Coward | more than 8 years ago | (#15325887)

So why can't Apple pay him a sum and make him sign an NDA?

Relativity (5, Funny)

ImaNihilist (889325) | more than 8 years ago | (#15325662)

Good thing I use Microsoft® Windows XP so I don't have to worry about things like this.

Re:Relativity (0)

Anonymous Coward | more than 8 years ago | (#15325718)

I thought the obvious sarcasm in that post was amusing. I would have given you a +1 funny. Apparently there is an overzealous moderator out there who needs a humor injection stat.

Re:Relativity (5, Insightful)

Golias (176380) | more than 8 years ago | (#15325734)

Whoever modded you down "Troll" has obviously not heard of sarcasm.

Anyway. The difference between Mac OS X and XP can be summarized thus:

Every time a potential breach of OS X security is discovered, it's front-page headline news on Slashdot.

If a new actual virus or worm comes along for Windows, making it ever more sure that you still can't even put a new Windows box online to download patches until after the patches you need are already installed... it's business as usual.

Windows users concerned about their penis size go on chanting "B B B But that's only because the Mac is less popular, so nobody bothers to write malware for it. Wait until the Mac gets more popular, then you'll be in a world of hurt!!!1!"

Whatever. The Mac is probably never going to see double-digit market share, and even if it does, it's still vastly more secure than Windows is, and you all know it. So there's no need to worry about such a scenario ever happening.

So I use Macs.

If the market dominance of Windows has anything to do with Macs being relatively free of haX0r attention, then I just gotta say to all you stubborn Windows users out there:

Hey man, thanks for taking one for the team.

Re:Relativity (1)

Haeleth (414428) | more than 8 years ago | (#15326049)

Hey man, thanks for taking one for the team.

You can thank me when I've actually taken one. I've been a Windows user for going on 15 years now, and I still haven't ever been hacked, rooted, afflicted with spyware, or even infected by a single virus of any sort.

I wonder what I'm doing wrong...

Re:Relativity (1)

ImaNihilist (889325) | more than 8 years ago | (#15326092)

Then how the hell are you posting this message? Let's look at this seriously. The probability that you have never been, "hacked, rooted, afflicted with spyware, or even infected by a single virus of any sort" in 15 years of using Windows is (or ANY platform for that matter), effectively, zero. Come on. No spyware? Be realistic. I'm a Windows user too, but let's be realistic. Unless today is the first day you put your computer on the internet, what you say is impossible.

Re:Relativity (0)

Anonymous Coward | more than 8 years ago | (#15326100)

I have a friend who keeps trying to convince me he's never had a problem with Windows. Every time he does, I have to remind him of that time I was at his place when his XP box was rooted and netstat showed thousands of open connections.

Now don't get me wrong, I'm not trying to associate you with this behavior, I just think it's funny how he always conveniently forgets that whenever we talk about Windows "security."

Re:Relativity (1)

CaymanIslandCarpedie (868408) | more than 8 years ago | (#15326126)

Apparently you're not visiting enough warez and shady porn sites. Get with it man! ;-)

Hah! (-1, Offtopic)

TechnoGuyRob (926031) | more than 8 years ago | (#15325669)

I'd like to see you take a bite from the Apple now, evil hackers! MY MOUSE IS MOVING BY ITSELF!

what a ego (4, Insightful)

falcon5768 (629591) | more than 8 years ago | (#15325670)

Ferris told InfoWorld he is considering releasing the details of the unpatched holes on May 14 on his Web site.

I.e., I'm a giant penis and I would rather expose vulnerabilities that could potentially damage systems rather than wait for the coders at Apple to make sure everything is accounted for and put into a patch that won't affect other things that I didn't foresee.

It's one thing to find holes and tell Apple and people you did, and send the info to Apple. But I am so sick of these people who feel that if said company doesn't respond NOW they are then in the right to exploit said holes and make everyone's life miserable.

Re:what a ego (0)

Anonymous Coward | more than 8 years ago | (#15325700)

You just don't get it,

I'd explain but you won't read it. (as you obviously never have in the past).

Re:what a ego (2, Insightful)

0racle (667029) | more than 8 years ago | (#15325702)

Yet when MS, Oracle or Cisco ask that security researchers hold back found flaws until they can fix them Slashdot gets all up in arms about them trying to stifle researchers.

I guess Apple is still small enough that they can do no wrong.

Re:what a ego (1)

falcon5768 (629591) | more than 8 years ago | (#15325760)

No, I feel the same way there too. It's not stifling research, it's preventing exploits from happening before they are ready to patch them. All releasing these things does is cause an exploit to happen much faster than a patch can be made to fix it.

Now if the SAME people coded a patch AND released the exploit, then I wouldn't feel the way I do. But they aren't, they are just feeling smug in proving something doesn't work while not helping in any way to address it.

Re:what a ego (1)

giorgiofr (887762) | more than 8 years ago | (#15325843)

But you need to put a bit of pressure onto the company, otherwise they will wait forever because after all, it's not like anyone's gonna know about this. Meanwhile blackhats discover and exploit the vuln. Zero-days would look god-sent in comparison.

doing something (1)

falconwolf (725481) | more than 8 years ago | (#15325896)

Now if the SAME people coded a patch AND released the exploit, then I wouldn't feel the way I do. But they aren't, they are just feeling smug in proving something doesn't work while not helping in any way to address it.

So you don't think letting users know there's a problem is helpful? Nobody should ever say anything, because someone else will exploit the knowledge? More than likely if there's a problem more than one person can find it and it's not just the good guys who find them.

Falcon

Re:what a ego (0)

Anonymous Coward | more than 8 years ago | (#15325852)

Damn, you beat me to the easiest +5 insightful post imaginable. As soon as I read the headline I knew your post would rear its obvious head in response to Apple apologists.

Re:what a ego (4, Insightful)

PhrackCreak (136718) | more than 8 years ago | (#15325965)

Puh-lease.

1. falcon5768 is not slashdot.
2. There are at least [slashdot.org] a few [slashdot.org] articles [slashdot.org] which are critical of Apple's security policies.
3. Apple has not actually stifled this person. They patched something. They may have failed to patch other holes. I hope they will work as quickly as possible to patch all exploits they know.
4. Note that the grandparent post is not yet modded very highly.

In future posts, please do not clump everyone on slashdot into one unified entity.
In future posts, only include actual facts instead of implied conjecture into actions that have not occurred.

the alternative (1)

r00t (33219) | more than 8 years ago | (#15325819)

He could sell the exploits to:

a. spammers
b. Chinese government
c. US government
d. credit card fraud groups (mafia-like)
e. Israeli government
f. French government
g. Russian government

It all depends: does he like dollars, euros, credit card numbers, whores...?

Re:the alternative (0)

Anonymous Coward | more than 8 years ago | (#15325955)

Nobody's going to pay a dime for Mac exploits because nobody gives a shit about the Apple platform.

Re:the alternative (1)

tuxedobob (582913) | more than 8 years ago | (#15325956)

Just out of curiosity, which of those options results in whores?

Re:what a ego (1)

falconwolf (725481) | more than 8 years ago | (#15325875)

I.e., I'm a giant penis and I would rather expose vulnerabilities that could potentially damage systems rather than wait for the coders at Apple to make sure everything is accounted for and put into a patch that won't affect other things that I didn't foresee.

It's one thing to find holes and tell Apple and people you did, and send the info to Apple. But I am so sick of these people who feel that if said company doesn't respond NOW they are then in the right to exploit said holes and make everyone's life miserable.

You may not like someone releasing details about security holes before a vendor does, but I look at it as allowing users with the ability to correct a problem to know about it to begin with. I'd rather have the info so I can take some sort of action to protect myself rather than have only some miscreant or vandal know about it. It's not knowledge that's dangerous, it's knowledge that only a few have that is dangerous, a twist on open source's idea of many working on something.

Falcon

Re:what a ego (1)

kfg (145172) | more than 8 years ago | (#15325892)

I am so sick of these people who feel that if said company doesn't respond NOW they are then in the right to exploit said holes . . .

You're a very confused person, ain'tcha? I've tried three times to formulate a reasonable response to the above; and failed due to the lack of reasoning in the source material.

I've been pretty much left with, "Wa'choo talkin' 'bout, Willis?"

. . .and make everyone's life miserable.

Ignorance is bliss I guess. Don't worry, be happy. Just close your eyes and make the bad guys disappear. Every two year old knows that trick.

Funny how three year olds forget it, isn't it?

KFG

Re:what a ego (1)

mindstormpt (728974) | more than 8 years ago | (#15325901)

I remember reading he warned Apple of some vulnerabilities in January. If these are still the same ones, then he already waited too long.

Grow up kids! (4, Insightful)

Deorus (811828) | more than 8 years ago | (#15325999)

> It's one thing to find holes and tell Apple and people you did, and send the info to Apple. But I am so sick of these people who feel that if said company doesn't respond NOW they are then in the right to exploit said holes and make everyone's life miserable.

What do you mean? That he doesn't have the right to disclose what he found? Do his constitutional rights make you sick? Well then I think that YOU are the one with a problem. You should be thanking him for warning Apple. I know many who would have kept it secret and written all kinds of worms just to make fun of fanboys like you, and I guess that's what you're really asking for with your complaints.

Here goes my karma... ;-)

Since I hate smug Mac users, let me be the first (-1, Troll)

Anonymous Coward | more than 8 years ago | (#15325679)

. . .to say hahahaha hahahaha ha ha ha ha ha hahaha hah ha hahahahahahaha HA!!

Re:Since I hate smug Mac users, let me be the firs (5, Funny)

noidentity (188756) | more than 8 years ago | (#15325707)

"Since I hate smug Mac users, let me be the first. . .to say hahahaha hahahaha ha ha ha ha ha hahaha hah ha hahahahahahaha HA!!"

Yeah, us Mac users and our potential vulnerabilities. All the potential data I haven't lost has really cost me.

And smug people suck, no matter what computer they choose.

Re:Since I hate smug Mac users, let me be the firs (-1, Troll)

Anonymous Coward | more than 8 years ago | (#15326005)

>>And smug people suck, no matter what computer they choose.

And the point of GP was that Mac Users Are Always Smug.

But you failed to see that, proving his point!

Re:Since I hate smug Mac users, let me be the firs (3, Insightful)

ZachPruckowski (918562) | more than 8 years ago | (#15325995)

So 100,000 birds in the hand are worth 20 in the bush?

I mean, note the word "potential". There are thousands of vulnerabilities that have been exploited on Windows, and like 20 potential on Macs, and that's equal? The day you'll trade me 100,000 dollars for a chance at 20 bucks is the day I'll toss my Apple in the trash.

Tom Ferris (0)

Anonymous Coward | more than 8 years ago | (#15325685)

Who exactly is "[i]ndependent researcher Tom Ferris" (and why was independent capitalized in the original quote)? And why should we listen to him?

Re:Tom Ferris (2, Funny)

rackrent (160690) | more than 8 years ago | (#15325749)

My only experience with someone named "Ferris" who happened to know computers was someone who changed his excessive high school absences from nine times (nine times?) to 0

Re:Tom Ferris (0)

Anonymous Coward | more than 8 years ago | (#15325900)

In this context I think it's important to note that Ferris Bueller used a Mac to perform that feat. Not that I think that helped him do so in some way, I just thought it was interesting.

Re:Tom Ferris (1)

generic-man (33649) | more than 8 years ago | (#15326077)

He used a computer with a monochrome full-screen terminal emulator. Later in the movie I remember him using a program that reminded me very much of Deluxe Paint, an Amiga program. I don't think Bueller was a Mac guy, but his family was certainly wealthy enough to afford one of those expensive 1986-era Macs anyway. :)

extortion? (4, Interesting)

v1 (525388) | more than 8 years ago | (#15325690)

I'd like to see Apple fix security problems as quickly as possible, but this guy threatening to release exploit information a few days after the first patch to go out after the notification? That seems like they are expecting an awful lot from Apple - certainly they want to take a few weeks to analyze their patch and make sure it doesn't break a bunch of things. Apple should not be forced to make an ill-prepared and possibly buggy patch release due to the threats of this "analyst". If he had given several months of warning I could see the justification, but it looks like he is doing this to get some publicity because he knows Apple won't rush something like this, not to the degree this fellow is demanding.

Re:extortion? (1)

flooey (695860) | more than 8 years ago | (#15325737)

If he had given several months of warning I could see the justification,...

Well, the article says the vulnerabilities he's considering disclosing were reported to Apple before this patch, though when isn't specified. So it's possible Apple's had the info for some time.

Re:extortion? (1)

suv4x4 (956391) | more than 8 years ago | (#15325811)

That seems like they are expecting an awful lot from Apple - certainly they want to take a few weeks to analyze their patch and make sure it doesn't break a bunch of things.

No shit, eh. I wonder how it's expecting an awful lot from Apple, but when Microsoft is in the same situation we have the default thread with posts about how Microsoft is slow and sucks.

Also, isn't everyone sick of having the same discussion over and over and over when someone mentions "Microsoft" or "Apple" (or both)?

They'll just release the patch when they release it.

Re:extortion? (2, Insightful)

I'm Don Giovanni (598558) | more than 8 years ago | (#15325880)

"That seems like they are expecting an awful lot from Apple "

Well, Apple *is* advertising their security in their latest ads, so they should have no problems meeting these expectations.

Re:extortion? (0)

Anonymous Coward | more than 8 years ago | (#15325990)

certainly they want to take a few weeks to analyze their patch and make sure it doesn't break a bunch of things.

You know, I hear this excuse trotted out all the time, and to be honest I think it's complete bullshit. The vast majority of vulnerabilities are simple programmer oversights, not design flaws. I can understand why a design flaw would require lots of testing, but why would a simple patch to stop a buffer from overflowing break anything? Surely anything that broke would already be overflowing the buffer and corrupting memory without the patch?

Quicktime? (0, Offtopic)

DeadPrez (129998) | more than 8 years ago | (#15325697)

It's all about VLC [videolan.org]. It sometimes works kinda weird on my Mactel but it's a pretty good QuickTime replacement.

Re:Quicktime? (1, Informative)

John Nowak (872479) | more than 8 years ago | (#15325743)

Quicktime is much more than the Player. It is a very rich API that lets you do some great things, albeit often with some suffering, as it is getting a bit old...

Even if you use VLC (I do), there's no chance of escaping Quicktime.

oh for god sakes (1)

John Nowak (872479) | more than 8 years ago | (#15325941)

How is responding to an "I'll avoid QuickTime issues by using VLC" post with a brief explanation of why that won't work offtopic? There's a serious lack of reading comprehension skills being shown here.

Re:Quicktime? (0)

Anonymous Coward | more than 8 years ago | (#15326074)

>>Quicktime is much more than the Player

Yes. Like the feature they have provided for the Windows port - that it reinserts itself in the system startup even if you explicitly set it not to do that.

VLC definitely lacks that feature.

Hats off to Mac Zealotry!

Re:Quicktime? (0, Offtopic)

ImaNihilist (889325) | more than 8 years ago | (#15325746)

But what if you *gasp* really like QuickTime? It's strange, as a Windows user, that I actually like QuickTime despite the fact it constantly crashes in Windows, on websites, and is slow as crap on Windows XP. It's very streamlined and simple. I prefer it loads over WMP. The lack of draconian DRM is a plus too.

Re:Quicktime? (1)

LocoMan (744414) | more than 8 years ago | (#15325899)

I personally like QuickTime (even on PC) for two things. One is movie trailers. My net connection is kinda "fast" (for Venezuelan standards), but it's not very constant, so I always get buffering stops on streamed media. I much prefer QuickTime's way of presenting them (at least on the trailers at quicktime.com), where I can select the highest quality trailer, leave it loading in a tab in the background while I do something else, and then come back once it's fully loaded and watch it without interruption.

The other thing is when I'm doing 3D animations. So far no other video codec allows me to step frame by frame (left and right arrow) so easily and natively, so I like to render quick previews in QuickTime format, watch at normal speed until something pops up as wrong, and then go frame by frame to see what it is.. :)

Re:Quicktime? (3, Funny)

ATPTourFan (898906) | more than 8 years ago | (#15325925)

The latest version of VLC, 0.8.5, is Intel native as a universal binary. You may want to upgrade.

Mac's Rule! (-1, Offtopic)

Anonymous Coward | more than 8 years ago | (#15325724)

There are no vulnerabilities there are no vulnerabilities there are no vulnerabilities there are no vulnerabilities there are no vulnerabilities there are no vulnerabilities

or

It is the vulnerabilities that are vulnerable to the Mac. We are not vulnerable. There are no virii. The virii come to Apple HQ to commit suicide at the very feet of the bronze bust of Steve Jobs, God be praised. Every mention of a Mac vulnerability is a lie of the Gatesian PC infidels. Or even worse, the Linuxian crackers who will defile any and every holy Mac simply quench their blood lust for Mac rape. I repeat: There are no vulnerabilities there are no vulnerabilities there are no vulnerabilities there are no vulnerabilities there are no vulnerabilities there are no vulnerabilities

Open "safe" files strikes again (4, Insightful)

noidentity (188756) | more than 8 years ago | (#15325728)

From the updater notes: "When Safari's "Open `safe' files after downloading" option is enabled, archives will be automatically expanded. If the archive contains a symbolic link, the target symlink may be moved to the user's desktop and launched."

OK, second time this "Open 'safe' files" is a lie. WHY THE HELL IS THAT OPTION STILL THERE? I never trusted that option from the moment I first saw the checkbox. I guess that's why they put "safe" in quotes. Buy our "free" product for only $9.95!
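The check that a cautious auto-expander would run before opening a downloaded archive, as an added example that is not Safari's, BOMArchiveHelper's or Apple's code: it walks the member list of a tar archive (tar is used here only because the standard library builds it in memory; the same rule applies to zip) and refuses to expand anything containing a symbolic or hard link, a path that escapes the extraction directory, or a special file. The archive contents and names (`trailer.mov`, `Terminal`) are constructed for the example.

```python
"""Inspect an archive before auto-expanding it.

Added example, not Apple's code. Demonstrates the rule the updater note
implies: an archive that is "safe" to open automatically must not be able
to plant links or write outside its own extraction directory.
"""
import io
import posixpath
import tarfile


def _escapes(name: str) -> bool:
    """True if a member path would land outside the extraction root."""
    norm = posixpath.normpath(name)
    return norm.startswith("/") or norm == ".." or norm.startswith("../")


def unsafe_members(data: bytes) -> list[str]:
    """Return one reason per archive member that makes it unsafe to auto-expand.

    An empty list means every member is a plain file or directory that stays
    inside the extraction directory.
    """
    problems = []
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tf:
        for m in tf.getmembers():
            if m.issym() or m.islnk():
                # The case from the updater note: a link whose target is outside
                # the archive (e.g. an application) gets "moved" and launched.
                problems.append(f"{m.name}: link -> {m.linkname}")
            elif _escapes(m.name):
                problems.append(f"{m.name}: path escapes extraction directory")
            elif not (m.isfile() or m.isdir()):
                problems.append(f"{m.name}: special file (type {m.type!r})")
    return problems


def build_archive(entries) -> bytes:
    """Build a tar archive in memory from (name, payload_or_link_target, kind)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        for name, target, kind in entries:
            info = tarfile.TarInfo(name)
            if kind == "symlink":
                info.type = tarfile.SYMTYPE
                info.linkname = target
                tf.addfile(info)
            else:
                payload = target.encode()
                info.size = len(payload)
                tf.addfile(info, io.BytesIO(payload))
    return buf.getvalue()


# Constructed samples: a benign "movie" download, and one that smuggles a
# symlink to an application so that auto-expansion can launch it.
BENIGN = build_archive([
    ("trailer.mov", "not really a movie", "file"),
])
MALICIOUS = build_archive([
    ("trailer.mov", "not really a movie", "file"),
    ("Terminal", "/Applications/Utilities/Terminal.app", "symlink"),
])


if __name__ == "__main__":
    for label, data in (("benign", BENIGN), ("malicious", MALICIOUS)):
        problems = unsafe_members(data)
        verdict = "safe to auto-expand" if not problems else "refuse"
        print(f"{label}: {verdict}")
        for p in problems:
            print("  -", p)
```

The point of checking the member list rather than extracting and then cleaning up is that the dangerous action (the link being created, or a file landing outside the target directory) has already happened by the time a post-extraction scan runs.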

Re:Open "safe" files strikes again (1)

tuxedobob (582913) | more than 8 years ago | (#15325948)

You're right. Safe is in quotes. And that means exactly what it should. The files in question are probably safe, but you really can't be sure.

Re:Open "safe" files strikes again (1)

tvjunky (838064) | more than 8 years ago | (#15326107)

Buy our "free" product for only $9.95!
Why not buy it for $18,000 [redhat.com] ?

Its been stated before but... (-1, Troll)

Anonymous Coward | more than 8 years ago | (#15325736)

If this article was about Microsoft, there would already be well over 100 comments blasting the company. That will never happen when it is about Apple. Just proves how terrible the bias on this site has gotten. And for the record I use Linux.

Re:Its been stated before but... (0)

Anonymous Coward | more than 8 years ago | (#15325748)

Silly person, what's the point in doing the "omg you guyz so biased" karma whore if you're not logged in.

Re:Its been stated before but... (2, Insightful)

heinousjay (683506) | more than 8 years ago | (#15325883)

Perhaps he chose to post AC because anything that goes against groupthink is inevitably modded down? Typically as Troll (Slashdot definition: I disagree with your opinion) or Flamebait (Slashdot definition: I disagree with your opinion)

Is it enough? Yes. (3, Insightful)

sootman (158191) | more than 8 years ago | (#15325741)

Considering that there has not been one real, severe, in-the-wild, massively spread, substantial, damage-causing virus in the five year history of Mac OS X, I would say yes, the boys and girls in Cupertino are doing just fine. Thank you very much for all your hard work, and all naysaying columnists and pundits can go screw.

MacOS X Server (-1, Flamebait)

Anonymous Coward | more than 8 years ago | (#15325873)

== Swiss cheese. All the usual Unix daemon faults plus the worst patch policy in the industry this side of SCO.

Sue Sue Sudio (1, Insightful)

Frankie70 (803801) | more than 8 years ago | (#15325745)

Ferris told InfoWorld he is considering releasing the details of the unpatched holes on May 14 on his Web site.


Apple will then just have to take him to court like they do with everybody else, won't they?

Re:Sue Sue Sudio (1)

mindstormpt (728974) | more than 8 years ago | (#15325909)

Of course not. It's a website instead of a blog and he's not an Apple fan.

Cease and Desist (1)

simpl3x (238301) | more than 8 years ago | (#15325944)

Well at least they know when to get the cease and desist order out by. It's always nice to have a heads up!

Would it be better if they waited another month? (3, Insightful)

ShyGuy91284 (701108) | more than 8 years ago | (#15325747)

The way I see it, they probably intend on patching the other problems, but they decided to get a decent amount done, and then release the update. Much like how Microsoft's once-a-month releases could give some time for the vulnerabilities to be taken advantage of (I recall that release cycle, I'm not sure if they are still done anymore though), if they waited for all patches to be done in this case, it may have prolonged the wait by quite a bit longer.

Not surprised (4, Interesting)

frostilicus2 (889524) | more than 8 years ago | (#15325777)

I think that this is inevitable. Mac OS X is a desktop OS, desktop customers demand shiny new features and Apple needs to compete with Microsoft in adding such features, otherwise it will fall behind in market share. These new features make for a supremely usable OS, but it means that development is always too fast. Security flaws are invariably human logic errors, and when a lot of new code is written really fast, errors are made. Conversely, take OpenBSD [openbsd.org]: its pace of development is slow and thorough and due to its comprehensive code audit (which slows development) very few security holes are found in the code. As complexity escalates, so will the number of bugs, and until Apple's workforce is replaced with androids (which I'm sure will have a negative impact on its cool reputation) errors will continue to be made.

Although inevitable, we need not accept that there should be quite as many flaws as there are. Apple is in a uniquely privileged position over Microsoft in using the Unix permission system and the mature core that Mach and FreeBSD provide; it must not become complacent. Increasingly, it appears that Apple is becoming sloppy: there are reports of Apple not using automated bounds checking and such. Such arrogance is inexcusable from any developer, and as Apple's popularity increases poor security will invariably become more of an issue. It's time for Apple to seriously take stock of this issue.

Re:Not surprised (1)

Homology (639438) | more than 8 years ago | (#15325826)

Conversely, take OpenBSD, its pace of development is slow and thorough and due to its comprehensive code audit (which slows development) very few security holes are found in the code.

Depends what you mean by "slow", since it's a question of scope. Apple does a lot of graphical userland applications, the most visible part to most users, but that is clearly not a priority of OpenBSD (unless you want them to develop their own "KDE" look-alike). Apple's hardware driver development is limited to the limited selection of hardware they support, and the binary blobs (or source code/docs under NDA) given to them by their partners. For an open source OS like OpenBSD, development of drivers is a very big part of what they do.

Re:Not surprised (1, Troll)

just_forget_it (947275) | more than 8 years ago | (#15326011)

I think that this is inevitable. Mac OS X is a desktop OS, desktop customers demand shiny new features and Apple needs to compete with Microsoft in adding such features, otherwise it will fall behind in market share.

I don't think Apple has much to worry about in the features department. It's Microsoft that has been playing a long, slow game of catch-up-to-Apple for the last 20 years. Windows came out a year after Mac OS and it wasn't as good (couldn't have overlapping windows, etc). It took ten years for Windows users to get a trash can, another six to get desktop icons that snap to a predefined "grid."

Apple's operating systems are consistently 5-10 years ahead of Microsoft in the feature category. I used to laugh at all the Windows/PC fanboys that would make fun of Apple, labelling their solutions as something for children. In 2001, the joke was on them, when Windows XP, the most kiddie, fisher-price-y looking OS that has ever existed came out. The color scheme is horrible, the OS itself is plagued with security holes which revealed that XP is merely a new, colorful dress on the same old skank.

Apple has released 4 distinct versions of OS X, Microsoft has released 1, and it looks like the next one is going to be another year still. Apple keeping up with Microsoft? What a joke.

Re:Not surprised (2, Funny)

Deltaspectre (796409) | more than 8 years ago | (#15326095)

Microsoft released a version of OS X!?

No wonder Windows is suffering if they're spending so much time on OS X...

Yay! (-1, Flamebait)

Anonymous Coward | more than 8 years ago | (#15325795)

Apple is ensuring Linux will not be the target for future malware.
Thanks Apple! Go this way!

Talk about timing... (4, Funny)

UOZaphod (31190) | more than 8 years ago | (#15325829)

I enjoyed today's (semi-relevant) Ctrl+Alt+Del comic [ctrlaltdel-online.com]

Re:Talk about timing... (1)

tuxedobob (582913) | more than 8 years ago | (#15325924)

Heh. Okay, granted, the Apple commercials are pretty transparent, but I doubt a comic called Ctrl+Alt+Del is going to have an objective opinion of them.

It also looks like the classic "if you have no rebuttal, just make fun of them" deal.

Mac vulnerable == panicking =:E (1)

BadassJesus (939844) | more than 8 years ago | (#15326063)

On XP I have a bunch of monitoring and firewalling software. On Mac I only have the knowledge that my OS is bullet proof. Now the second is not valid anymore. Oh my...