
Apple Issues Patches For 25 Security Holes

CmdrTaco posted more than 7 years ago | from the it's-much-better-now-trust-me dept.

Security 241

TheCybernator writes "Apple today released software updates to plug more than two dozen security holes in its Mac OS X operating system and other software. The free patches are available via the Mac's built-in Software Update feature or directly from Apple's Web site. All told, today's batch fixes some 25 distinct security vulnerabilities, including a dangerous flaw present in the AirPort wireless devices built into a number of Apple computers, including the eMac, the iBook, iMac, Powerbook G3 and G4, and the Power Mac G4. Apple said computers with its AirPort Extreme wireless cards are not affected. Earlier this month, Apple released a software update to fix a vulnerability in its wireless router, the AirPort Extreme Base Station. That update and instructions on how to apply it are available at the link."


241 comments


Good (-1, Troll)

teknopurge (199509) | more than 7 years ago | (#18810905)

They are being proactive at least. Please don't bring up the MOAB debacle from earlier in the year. When was the last time MS released any sort of patch before there was an exploit in the wild?

Re:Good (-1, Flamebait)

Mockylock (1087585) | more than 7 years ago | (#18811075)

When was the last time anyone really wanted to hack a mac?

I'd like to propose a tag (0, Troll)

PFI_Optix (936301) | more than 7 years ago | (#18811341)

defectivebydesign

Hey, it shows up on every article about MS updates, let's give Mac the same treatment.

Come on, all you non-fanboys. Get to tagging.

Re:I'd like to propose a tag (3, Informative)

Aladrin (926209) | more than 7 years ago | (#18811613)

I think you have totally misunderstood what that tag means. It means that the designer specifically designed the device to not do something that is normally expected or wanted, or has been designed in such a way as to annoy the user constantly. In other words, they had to work harder to make sure the device did not work. Typical MS things that are defective by design are DRM, Clippy, and that new security thing in Vista that is so annoying.

These were bugs, not by design. Apple did not specifically intend for them to exist, and has now fixed them.

Re:I'd like to propose a tag (0, Flamebait)

PFI_Optix (936301) | more than 7 years ago | (#18812353)

But I see that tag stuck on everything remotely relating to bugs in Windows.

I make the comment mostly to bug the "Apple can do no wrong" fanboys more than anything. They're the ones (and the Linux fanboys to a lesser extent) who are tagging that on *everything* they see about MS.

Re:I'd like to propose a tag (2, Insightful)

drsmithy (35869) | more than 7 years ago | (#18812603)

It means that the designer specifically designed the device to not do something that is normally expected or wanted, or has been designed in such a way as to annoy the user constantly. In other words, they had to work harder to make sure the device did not work. Typical MS things that are defective by design are DRM, Clippy, and that new security thing in Vista that is so annoying.

Ah. So you mean like a media player that can't display full screen videos ?

(It would be interesting to see what you think DRM, Clippy and UAC are stopping you doing that is "normally expected", as well.)

Huh? (0, Flamebait)

Anonymous Coward | more than 7 years ago | (#18810931)

Apple does it, and they are just staying ahead of the curve and being proactive. Microsoft does it and they released a crappy product that shouldn't of been released until these security holes were fixed.

Re:Huh? (0)

Anonymous Coward | more than 7 years ago | (#18810959)

Welcome to /.

And Apple fanboys with mod points are already standing by. Just wait.

Re:Huh? (1)

newbish (909313) | more than 7 years ago | (#18811081)

Got Mod?

Re:Huh? (1)

Lars T. (470328) | more than 7 years ago | (#18811823)

Linux does it, and the guy who found the bug is of course the first to do so.

Re:Huh? (2)

Chris whatever (980992) | more than 7 years ago | (#18811947)

Heu!!!! How can you say that they are proactive if the patches fix issues that are already there and they know about them?

Proactive is looking for potential threats in the future and taking steps to correct them before they happen.

They are no more proactive than any other company when it comes to bugs and patches.

Re:Huh? (1, Funny)

Anonymous Coward | more than 7 years ago | (#18812359)

It's "shouldn't have," not "shouldn't of". Jackass.

Cue Apologists (0, Flamebait)

Grashnak (1003791) | more than 7 years ago | (#18810955)

I predict:

- Apple apologist posts explaining that Apple is proactively improving security
- MS defender posts wondering why /. doesn't savage Apple the same way it does MS for security holes
- Linux fanbois taunting both

In other words, nothing to see here.

Re:Cue Apologists (-1, Flamebait)

Anonymous Coward | more than 7 years ago | (#18811133)

It seems Apple's MacOS X is not totally secure as is the usual untruths stated at slashdot by the pro linux/unix/mac/bsd crowd here constantly as they attack Windows. Unix and its derivatives like Linux, BSD, and MacOS X are not going to topple Microsoft because we've all been hearing your pro unix line of b.s. for over 15 years now online and all the crap that comes with it like "Linux is more secure than Windows" or "MacOS X is more secure than Windows". Newsflash: None of them are 100% secure out of the box and require hardening or special builds to be even remotely considered so, if not specialized hand tuning/tweaking for security. If the Linux/Unix crowd here would come clean and admit this you'd seem more credible, in addition to not misinforming readers worldwide with that line of bullshit you people constantly spout online. Once it is noted that the things you people say are not true, how credible do you look? Others do use your words (those less informed in this field) and end up looking like fools because of such misinformation.

Re:Cue Apologists (1)

nevali (942731) | more than 7 years ago | (#18811399)

Generally when they say 'secure' they mean 'susceptible to attack'.

Windows is, in its default configuration. FreeBSD, Linux and Mac OS X (not to mention a fair few others) aren't.

Some local privilege escalations that nobody beyond a couple of security researchers have paid attention to is nothing compared to the stuff a Windows user has to put up with.

For average Joe on the street who connects his computer to the Internet and browses the web and so forth, the vulnerabilities mean approximately squat.

Re:Cue Apologists (-1, Troll)

Anonymous Coward | more than 7 years ago | (#18811583)

Happy Birthday Hitler. April will forever be honored with the blood of victims in your honor. Heil Hitler.

Re:Cue Apologists READ MY ENTIRE POST NEXT TIME (0)

Anonymous Coward | more than 7 years ago | (#18811607)

You stated this:

"Windows is, in its default configuration. FreeBSD, Linux and Mac OS X (not to mention a fair few others) aren't." - by nevali (942731) on Friday April 20, @10:30AM (#18811399)

And, do note that the holes found in Apple's MacOS X are remotely exploitable, and had to be patched. Unix derivatives ARE just as likely to be exploited by bugs as Windows is, else why did the MacOS X need patchwork, period? BSD based or not, this illustrates that your statement is untrue in & of itself.

(Also, the fact that Apple's commercials insinuate their OS is anymore than Windows on the television as of late is outright b.s. period, just by the fact they had to issue these patches which this posting on slashdot is about.)

I also have to point out to you that I stated this in my first post, and per my subject line? I stated this to you, so please, read my entire post next time:

"Newsflash: None of them are 100% secure out of the box and require hardening or special builds to be even remotely considered so, if not specialized hand tuning/tweaking for security" - by Anonymous Coward on Friday April 20, @10:03AM (#18811133)

Thanks, and that is so you do not restate what I did as a defense of your words.

Re:Cue Apologists (0, Flamebait)

Anonymous Coward | more than 7 years ago | (#18812025)

"Some local privilege escalations that nobody beyond a couple of security researchers have paid attention to is nothing compared to the stuff a Windows user has to put up with." - by nevali (942731) on Friday April 20, @10:30AM (#18811399)

Untrue. Here are some from the article itself, verbatim, which indicate remote exploits that were present:

http://docs.info.apple.com/article.html?artnum=305391 [apple.com]

Libinfo

CVE-ID: CVE-2007-0736

Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS X v10.4.9, Mac OS X Server v10.4.9

Impact: Remote attackers may be able to cause a denial of service or arbitrary code execution if the portmap service is enabled

AND

network_cmds

CVE-ID: CVE-2007-0741

Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS X v10.4.9, Mac OS X Server v10.4.9

Impact: Remote attackers may be able to cause a denial of service or arbitrary code execution if Internet Sharing is enabled

AND

Libinfo

CVE-ID: CVE-2007-0736

Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS X v10.4.9, Mac OS X Server v10.4.9

Impact: Remote attackers may be able to cause a denial of service or arbitrary code execution if the portmap service is enabled

Not all the commercials in the world saying "Windows is less secure than Apple" can counter the facts noted above. If the Pro Linux/Unix/MacOS X/BSD people here at slashdot would come clean and be straight about this? They would be less guilty of misinformation, which shoots their credibility down because of outright misinformation stated constantly by them in this regard, security.

Suggestion: Read the article completely before stating yet more Linux/Unix/BSD/MacOS X misinformation online. Right now, after tuning my Windows Server 2003 SP#2 setup, I can score a 84.735 on CIS Tool 1.0 (center for internet security). It took me 30 minutes, tops, to apply some registry hacks, default services cutoffs and logon entity alterations (from System to lesser ones like Local or Network Service), and use of the SCW + security configuration and analysis tools for security policies work to make Windows VERY secure, which is not much work to do.

Also, the fact remains that hardened builds of UNIX variants are available as well.

Thus, if Linux/Unix/BSD/MacOS X are "so secure out of the box" as you state? Then why on earth are there hardened builds of them period (SELinux, for example)?? Nuff said... none of them are 100% secure, even vs. local OR remote exploits, out of the box period.

Re:Cue Apologists (1)

fatcock84 (311224) | more than 7 years ago | (#18811789)

Here we go, another uptight suit fretting that the competition has just improved while their own latest attempt at imitation continues to flop.

Aren't you late for your colonic?

Re:Cue Apologists (0, Flamebait)

SCHecklerX (229973) | more than 7 years ago | (#18811155)

And yet, our biggest problems (botnets) are not usually from any particular vulnerability, but rather from stupid users running that great attachment they got from 'their friend'. Don't the M$ fanboys claim that Macs are for the clueless? If so, then why aren't Macintoshes part of the botnet problem?

Re:Cue Apologists (0)

Anonymous Coward | more than 7 years ago | (#18811231)

Because you'll get a bigger botnet if you write the hacks for windows. Same reason there's not much virus/malware/etc on the non-windows OS's.

Re:Cue Apologists (1)

Lars T. (470328) | more than 7 years ago | (#18811891)

Because you'll get a bigger botnet if you write the hacks for windows. Same reason there's not much virus/malware/etc on the non-windows OS's.

That's your answer to somebody who says that most botnets don't use any "hacks"?

Re:Cue Apologists (3, Insightful)

thejynxed (831517) | more than 7 years ago | (#18811893)

Not to be too flameable here, but who says they aren't part of botnets? The various Unix flavours and derivatives are the reason why we know what a rootkit is.

As my CS professor said once, "With Windows, you know it's broken right up front, and that you have to take certain steps right away to fix it, such as slap an AV program on. With the various Unix-based OSes, you have to go over every little detail with a fine-toothed comb, putz around in the code, recompile, and all of that other hassle because they put the Root into Rootkit."

If you ask me, the only botnet secure OS is the one not sitting with an allowed/established connection to the internet to begin with. If it's human-created code, it's vulnerable, period.

cue doodly piano music (5, Funny)

stratjakt (596332) | more than 7 years ago | (#18810961)

Mac: Hi, I'm a mac!

PC: And I'm a PC.

Mac: Steve Jobs just plugged up all my holes

PC: GOODNIGHT! (tapdances off stage)

Re:cue doodly piano music (3, Funny)

CowTipperGore (1081903) | more than 7 years ago | (#18811035)

Mac: Steve Jobs just plugged up all my holes

Way to go. You've just taken all the Apple fanbois away from their keyboards, as they think about Steve Jobs plugging up their holes.

Re:cue doodly piano music (0, Flamebait)

Anonymous Coward | more than 7 years ago | (#18811177)

Way to go. You've just taken all the Apple fanbois away from their keyboards, as they think about Steve Jobs plugging up their holes.

Well.... at least one hand is off their keyboards ;-)

Re:cue doodly piano music (5, Funny)

Bullfish (858648) | more than 7 years ago | (#18812187)

My own take on one of those ads is the upgrade ad...

First day, Mac approaches PC wearing hospital smock

Mac: What's with the smock PC?
PC: I have to upgrade for Vista. I'm a bit scared
Mac: Okay, be cool. I'll send you flowers in the hospital.

Next day: Robust looking PC stands there smiling while Mac runs up in panic.

Mac: Hide me PC! Hide me!
PC: Why, what's up?
Mac: They want to upgrade me!!
PC: Don't be afraid, look at me! Upgrading is great!
Mac: You don't understand!!!

Three guys run up, one shoots Mac dead while PC stands there stunned. Two of them drag off Mac. Third guy in natty sweater stands beside PC

PC: Who are you?
Mac: I'm Mac.

Appropriate? (-1, Flamebait)

Anonymous Coward | more than 7 years ago | (#18810965)

Would it be appropriate to tag this:
"Haha"
"defectivebydesign"

Oh wait, ONLY when it applies to microsoft/windows, but when a security hole/bug happens within Apple/Linux it's no longer haha, it's "serious".

Re:Appropriate? (1)

Speare (84249) | more than 7 years ago | (#18811057)

The "defectivebydesign" tag is intended for use whenever discussing DRM and the way that technology can and will be changed to further restrict or disenfranchise you from using content on your own hardware, even if you are otherwise completely in the clear by your rights as a consumer and citizen of your particular country. It's defective, but it was intentionally designed to be that way.

Not that it's not misused occasionally by idiots and zealots, but there you are.

Re:Appropriate? (1)

Graff (532189) | more than 7 years ago | (#18811315)

This is why the whole tags system is worthless. The article has already been placed into one or more sections and has thus been "tagged" by the administrators. You have the title and the article itself to get more information about the article. Having user-applied tags is superfluous and can be misleading - either by accident or on purpose.

Personally I ignore all tags and I think it's a waste of time to have the whole tagging system. Either the moderators should tag the article or there should be no tagging. User-applied tags are just extra fluff that have little relevance to the actual article.

Re:Appropriate? (1)

elrous0 (869638) | more than 7 years ago | (#18811871)

If it's not hurting you, why do you care?

A lot of us like the tagging system.

Re:Appropriate? (1)

Graff (532189) | more than 7 years ago | (#18812257)

I care because it is a waste of coding effort and time. I also care because it is being used to misrepresent what the actual article is about. The "defectivebydesign" tag that was being discussed further up in this thread is a good example of that.

How many times have you seen an article tagged with "yes", "no", "maybe" and all other sort of contradictory nonsense. Tags literally mean nothing when this sort of thing happens and they now serve no purpose other than being a kind of high-tech graffiti that gets sprayed onto the article. If people want to comment on the submission then do so in the comments, if you want a quick idea of what the submission is about then read the title, summary, or look at what sections it is in.

Tags as they are now serve no good purpose other than being part of the "Web 2.0" fad that is in vogue right now. I was kind-of hoping that Slashdot wouldn't get sucked into its void.

Re:Appropriate? (1)

jimstapleton (999106) | more than 7 years ago | (#18812607)

Given the smug "it's so secure" comments from Mac users, I would agree the 'haha' would be appropriate. However, defectivebydesign insinuates that it is intended to be problematic or broken, and is not appropriate in this case. It's not appropriate in similar cases on MS news articles either, but /. is hardly an unbiased group. Additionally, many people want to lash out at MS, making them a good target. Few people care enough about Apple to give a damn.

OMG (-1, Troll)

Frosty Piss (770223) | more than 7 years ago | (#18810995)

OMG! What a hunk of junk! What, with all those security holes. How these people in Redmond continue to sell software is beyond me.

but ... (4, Funny)

Anonymous Coward | more than 7 years ago | (#18810997)

those Apple commercials tell me they don't have security issues?

Re:but ... no but about it, you are correct (0)

Anonymous Coward | more than 7 years ago | (#18811383)

http://apple.slashdot.org/comments.pl?sid=231607&cid=18811133 [slashdot.org]

Read that url and its statements and understand this: The Pro Linux/Unix/BSD/MacOS X line of bullshit constantly spouted on slashdot and other very "pro unix and its derivatives" sites is not only restricted to the internet, but is also cascading to their advertisements because they know 9/10 folks are not security savvy out there. The bigger the lie you tell, the more apt it is to be believed is what they operate on. If Unix and its progeny were indeed the best platform to use they should have ousted windows dominance 5-8 years ago, and still have not. I wager it is largely because people are not stupid like they probably think and that people will believe anything they read without researching it first and checking opposing views and sources verifying statements like "Unix/Linux/MacOS X/BSD is more secure than Windows". I know that when I shop for any high priced items I do my research, because it is my monies on the line. The reason for this line of b.s. is that the Unix (and its variants) camp is fearful they will be totally phased out at some point imo. They have lost a lot of marketshare to Windows and this trend continues, hence their b.s. campaigns vs. Windows, period. Misinformation? It is as powerful as good information when people don't look deeper and they know it.

Re:but ... (5, Insightful)

tji (74570) | more than 7 years ago | (#18811457)

No, there are no OS's without security issues. Even OpenBSD has had a few. Since Mac OS X uses many open standards / open source components, they benefit from the wide deployment, review, and testing that turns up bugs in that code and generates fixes. In closed OS's, the holes are still there, they just cannot be easily analyzed, so it's mostly the highly motivated "black hat" types that discover them and use them for their devious purposes.

The Mac ads clearly referred to all the viruses, worms, spyware, etc. Which are VERY common on Windows PCs, and for whatever reason, are very uncommon on Macs. (I don't really care why they are not prevalent on Macs, I just care that my MacBook Pro is free of exploits, as are my Linux servers.)

Patched bugs are a good thing. Bugs are practically unavoidable. Unpatched bugs, as evidenced by rampant exploits, are the real problem.

Quick summary to avoid reading TFA (5, Informative)

140Mandak262Jamuna (970587) | more than 7 years ago | (#18810999)

10 of the 25 are local privilege escalations. A few more require physical access to the machine like loading a malformed disk. Some require authenticated access to the machine. (disk access, clear text password exchange, ftp user privilege escalation, untaring a malformed tar file, opening a malformed help file, etc).

The remote attacks seem to be coming out of the Kerberos admin daemon distributed by MIT 3 holes. One hole each in libinfo, portmap, ichat.

Re:Quick summary to avoid reading TFA (5, Insightful)

Whiney Mac Fanboy (963289) | more than 7 years ago | (#18811113)

The remote attacks seem to be coming out of the Kerberos admin daemon distributed by MIT 3 holes.

That's the beauty of Open Source (from Apple's POV).

When things go well: Hey - look at us! We 'support' OSS by leveraging all that free software.
When things go bad: Oh well - it's MIT's software! Not ours...

Seriously - I for one am really glad that one closed O/S vendor out there lets OSS do the heavy lifting security wise on their products. Apple users are left in a far less leaky boat. Thanks MIT, Thanks FOSS, Thanks Apple!

Re:Quick summary to avoid reading TFA (1, Redundant)

140Mandak262Jamuna (970587) | more than 7 years ago | (#18811379)

They are not blaming MIT, nor am I but my quick description might leave that impression.

That MIT developed it is relevant because, some admins might be running home grown versions or ruggedized versions sold by other specialist vendors. In fact every hole clearly says which module is affected to help you decide whether or not you need to update your system. Wish MSFT also would clearly say what is not affected by the hole.

Re:Quick summary to avoid reading TFA (1)

Afecks (899057) | more than 7 years ago | (#18811985)

Wish MSFT also would clearly say what is not affected by the hole.

You mean like how every MS security bulletin has a list of "Affected Software" and then lists each specific operating system version and service pack?

Re:Quick summary to avoid reading TFA (4, Insightful)

ClosedSource (238333) | more than 7 years ago | (#18812261)

Well, some FOSS supporters on Slashdot are known to equivocate about what "Linux" consists of. When trying to compare functionality with other OS's they consider the entire distro, when comparing stability or security the definition shrinks down to only the kernel.

Re:Quick summary to avoid reading TFA (1)

delire (809063) | more than 7 years ago | (#18812295)

So true. Frankly I would be quite anxious use OS X as my primary OS for this reason alone.

In the context of Linux distributions if it's packaged it is the distributions problem: without smoking incense here, the ecology of the whole distribution is considered to be at risk if there is a security vulnerability in one of the packages in the distribution. You can then rest assured that if you download software beyond what's offered in the already comprehensive repositories, security audited with each update in the software lifecycle, it's at your own risk.

That's the kind of separation of responsibility I like and it's a relief, especially in light of news like this. News so late for all those users.. Ouch.

Re:Quick summary to avoid reading TFA (1)

geekoid (135745) | more than 7 years ago | (#18812345)

You do know that Apple has many, many OSS packages they created and support, right?

Re:Quick summary to avoid reading TFA (2, Informative)

Fulkkari (603331) | more than 7 years ago | (#18811357)

Washingtonpost:

including a dangerous flaw present in the AirPort wireless devices built into a number of Apple computers, including the eMac, the iBook, iMac, Powerbook G3 and G4, and the Power Mac G4. Apple said computers with its AirPort Extreme wireless cards are not affected.

Apple [apple.com] :

A buffer overflow vulnerability exists in the AirPortDriver module which processes control commands for AirPort. By sending malformed control commands, a local user could trigger the overflow which may lead to arbitrary code execution with elevated privileges. This issue affects eMac, iBook, iMac, PowerBook G3, PowerBook G4, and Power Mac G4 systems equipped with an original AirPort card. This issue does not affect systems with the AirPort Extreme card. This update addresses the issue by performing proper bounds checking.

Forgot to mention it's a local exploit? Sounds like FUD spreading to me.

Re:Quick summary to avoid reading TFA (1)

Afecks (899057) | more than 7 years ago | (#18812167)

FUD? I doubt that was the intention.

I think The Washington Post is just a little shocked. Especially since the Mac "just works" so there shouldn't be any bugs. Plus since OS X is so secure there should never be any exploits either, remote or local.

Why is this news? (5, Informative)

reality-bytes (119275) | more than 7 years ago | (#18811001)

As an Apple 'outsider' I'm not certain why this is news.

Is it because these issues/vulnerabilities have been outstanding for a long time? Or perhaps Apple does not patch things often?

It's an honest question, my Ubuntu systems at home have frequent patches rolled out and the staff at work are always talking about another update on their Windows desktops.

Isn't Apple the same?

Re:Why is this news? (3, Insightful)

falcon5768 (629591) | more than 7 years ago | (#18811045)

It's not news, but people like to make it new. Just like Ubuntu Apple updates and patches their system constantly compared to Microsoft. But people like to say that means the computer is LESS secure than a windows machine.

The truth is more Apple is willing and able to patch its software in a timely manner, while Microsoft waits for big chunk updates and service packs to do it.

Re:Why is this news? (4, Interesting)

140Mandak262Jamuna (970587) | more than 7 years ago | (#18811175)

Also the vulnerability notes very clearly spell out what is affected. I am not a mac user. Still I could make sense of what is broken, whether or not I am running a vulnerable service, whether or not I need this update.

Compare this to the dense hole descriptions by MSFT. Almost everything affects everything. Even if the bug in Windows is such that "If you don't use IE you are not vulnerable" they can't/won't say it. Won't say it because it will drive FireFox usage up. Can't say it because IE can be invoked by any part of any code. Similarly when a hole in Windows is found, no one seems to know what/who would be affected. Another reason why they don't describe it better is allegedly their fear that the hackers will use it to attack yet unupdated systems. But most hackers use reverse-engineering tools like BlackIce and deconstruct the patch and know precisely how to attack unpatched systems. On the other hand people who might be persuaded to patch their systems faster if the hole description was more specific and pertinent wait because they can't determine whether they are affected. Add to it MSFT's practice of downplaying the bug severity, no wonder MSFT updates are becoming more of a problem than solution.

Re:Why is this news? (4, Informative)

644bd346996 (1012333) | more than 7 years ago | (#18811201)

Did you really mean to say that Apple releases patches more often than Microsoft? Because that is just plain wrong. I get pestered by Windows update at least twice as often as by OS X Software Update, and I use both operating systems regularly.

Re:Why is this news? (2, Interesting)

Jeff DeMaagd (2015) | more than 7 years ago | (#18811497)

I think what was meant was that a fix is worked on as soon as possible, but I don't think that's always true. An inability to get Apple's attention on a bug is why that one guy did the Month of Apple Bugs, rightly or wrongly.

Microsoft's security fixes seem to fix smaller numbers of bugs per update. Recently, they were mostly updates to the malware removal tool, not security fixes.

Re:Why is this news? (1)

GreggBz (777373) | more than 7 years ago | (#18811401)

Just like Ubuntu Apple updates and patches their system constantly compared to Microsoft.


As a user of Linux (although I can't speak for Ubuntu), Mac OS and Windows all I can say is.. ehh.. no.

Re:Why is this news? (2, Informative)

clintre (1078849) | more than 7 years ago | (#18811935)

Actually that is far from the truth.

I am no M$ fanboy, but they used to push out patches constantly, but most IT shops do not want that. Generally IT shops like to validate the patches before applying them to their machines to make sure poorly written software does not have issues with a patch.

No one in their right mind would push patches out directly to the corporate computers without testing them. By having the patches come out on the same day every month you allow preparation and planning.

Really Apple is no more secure than Windows, Linux yes Apple no. It all comes down to how you configure it after you get it in any case. I have done plenty of penetration tests on Apple, M$, and several Linux distros. M$ is nowhere near as bad as it once was.

Just the facts (4, Interesting)

ad0gg (594412) | more than 7 years ago | (#18812301)

By constantly you mean, every 3 months or so. Some of the holes had been open for over 3 months with a rating of highly critical on secunia. Secunia still lists 6 unpatched holes for OSX, highest being moderately critical. Quick comparison to vista which has two unpatched holes which have a rating of not critical.

Vista [secunia.com]
OS X [secunia.com]

Re:Just the facts (4, Informative)

larkost (79011) | more than 7 years ago | (#18812589)

One thing to note: the one bug that Secunia is rating as "moderately critical" is on FTP, and it is not enabled by default.

Re:Why is this news? (1)

teknopurge (199509) | more than 7 years ago | (#18811067)

No - Apple does not release patches very often. This does not imply they have fewer problems, though it may.

I own a macbook pro and run the software update once a week for shits-and-giggles. I've seen ~3 OS updates this year - some driver updates.(e.g. for sprint's CDMA EVDO card when it was released.)

Re:Why is this news? (1)

Mockylock (1087585) | more than 7 years ago | (#18811119)

Yes, it is the same. I think that a lot of Windows users just get tired of hearing whining about security from other OS users constantly, so it's their turn to gloat.

Re:Why is this news? (-1)

squiggleslash (241428) | more than 7 years ago | (#18811183)

It wouldn't be but for the fact that there's a dubious assumption that Mac OS X is bulletproof (or close to it) because Windows machines are always being attacked, and, by-and-large, Macs and GNU/Linux are being left alone. The assumption is based upon the false belief that Mac OS X and GNU/Linux distributions have less significant holes.

Windows machines suffer for a variety of reasons, but not really because they have more bugs. It's more the case that a combination of there being a lot of them out in the wild, most of which are "administered" by people who really aren't familiar with the system's internals, not helped by a poor UI which, after Mac OS X and GNOME 2.x, is easily a poor third in the user friendliness/transparent computing front.

It's worth noting that Mac OS 9, which had no security whatsoever, had almost (or none? The point is I've never come across one) no viruses or worms. Users were just more vigilant, and the operating system's transparency (the degree to which the way the system worked was obvious to the end user) meant end users had a better idea of the consequences of their actions. This is a lesson worth noting for those building systems like GNOME: making something secure and user friendly does not mean hiding how it works, it means exposing how it works using legitimate metaphors.

Contrary to myth, Mac OS X has vulnerabilities. If you want to know why it hasn't been the target of a concerted hacker attack, you have to look elsewhere than the "Windows is insecure by design, OS X and Unix isn't" stuff that's become the prevailing consensus. And while that remains the prevailing consensus, the fact Mac OS X (or GNU/Linux) has vulnerabilities will always be news.

Re:Why is this news? (0)

Anonymous Coward | more than 7 years ago | (#18811585)

I didn't read the comments of this thread so that I could see someone bringing a little logic to the table! I came looking for some senseless mac flaming! Honestly, if this had been an announcement about a MSFT update there would have already been 100 "oooh MSFT suxor, I love Mac / Linux" posts.

So... seeing as how we PC folks are refraining from pissing all over your Apple story can you please do the same for us? Thanks...

I'll tell you what's news: (0)

drinkypoo (153816) | more than 7 years ago | (#18811439)

They rolled out these patches all at once. But the patches were almost certainly not done all at the same time. That's right, Apple has deliberately left you (and me! although I only have one mac to deal with and it's not my primary machine) vulnerable so that they could roll out a bunch of patches at the same time instead of one at a time. Once again, the methodology commonly used by Linux distributions in which patches are rolled out as soon as they are ready provides greater security than Microsoft or Apple (who do the very same thing.)

Apple's convenience is more important than your security.

Re:I'll tell you what's news: (3, Insightful)

frdmfghtr (603968) | more than 7 years ago | (#18811779)

If you are in charge of a business's IT department, do you want to go through and thoroughly test new patches every few days, or do one test covering multiple patches? Didn't feedback from big IT shops compel MS to release patches in bigger batches with less frequency (hence the introduction of "Patch Tuesday")?

I don't do IT, so maybe releasing 25 fixes at once can require 25 separate test cycles. Anybody care to enlighten me?

Re:I'll tell you what's news: (1)

drinkypoo (153816) | more than 7 years ago | (#18812107)

If you are in charge of a business's IT department, do you want to go through and thoroughly test new patches every few days, or do one test covering multiple patches?

There's an argument to be made either way. You could argue that it would be better to QA a patch rollup because you only have to do one test. But you could also argue that it's better to be able to test the patches separately so you can apply all the patches that don't bend you over.

Re:I'll tell you what's news: (1)

faloi (738831) | more than 7 years ago | (#18812139)

I don't do IT, so maybe releasing 25 fixes at once can require 25 separate test cycles. Anybody care to enlighten me?

It all depends on the shop, but in general it does. The larger the company, the more likely you are to stage your roll out after a decent testing cycle...or at least that's been my experience. My experience has been that small shops tend to have more variety in the hardware that's out there, so it'd be tougher to get a really good test cycle built and running anyway. It's easier to test a patch, make sure nothing deal-breaking is broken with the patch, and then let it go and mop up afterwards. Large shops tend to have the same base hardware installed across the board (or at least across large segments) AND more places you'd have to personally touch if something breaks. Far better to have the patch in house, give it a decent test, then roll it out.

Re:I'll tell you what's news: (1)

misleb (129952) | more than 7 years ago | (#18812367)

I always wondered just how effective IT testing of patches really is and how often it finds stuff that breaks. What do you do, sit there and run through every menu of every single application that the business runs? Is there some kind of automated test suite you can run? Sounds like a huge, tedious pain in the ass to me. I'm glad I've never had to work anywhere that is so paranoid.

-matthew

Re:I'll tell you what's news: (5, Insightful)

99BottlesOfBeerInMyF (813746) | more than 7 years ago | (#18812113)

They rolled out these patches all at once. But the patches were almost certainly not done all at the same time. That's right, Apple has deliberately left you (and me! although I only have one mac to deal with and it's not my primary machine) vulnerable so that they could roll out a bunch of patches at the same time instead of one at a time.

Sigh. Have you ever worked in the software development industry? There is this thing called "testing" that some people find important. If you work on Kerberos and find a bug and patch it, you then test just it before distributing. If you work at Apple or Redhat where you are shipping an entire OS with a bunch of packages, it is impossible to patch and test those patches in conjunction with all other hardware in the same timeframe because you have multiple things to patch at once. Thus, the only real solution is to do it in bundles, where you stick a group of patches together then QA them all at once. This results in longer delays for some fixes, but it also means the patch is actually tested in conjunction with the other patches so one does not break another. Any responsible vendor uses this method for dealing with bugs.

Once again, the methodology commonly used by Linux distributions in which patches are rolled out as soon as they are ready provides greater security than Microsoft or Apple (who do the very same thing.)

Individual developers roll out patches and you could have patched your OS X box from them if you felt it was an emergency for you. As for what Linux vendors do, I don't know of any who roll one-off fixes into the stable branch intended for real use, instead of testing patches in bundles. You don't seem to know what you're talking about.

Re:Why is this news? (1)

eggstone (957547) | more than 7 years ago | (#18811467)

Agree, I don't think this is any news, I wonder why it is on slashdot. Also, this security patch is already out yesterday (April 19th), not today. And as before, it requires reboot, and it took somewhat longer to restart the computer. But THAT'S IT! Nothing news worthy...

Re:Why is this news? (2, Insightful)

squiggleslash (241428) | more than 7 years ago | (#18811533)

(I tried posting this earlier, but it has disappeared for some reason, weird. Still, gives me the chance to fix some of the language...)

It wouldn't be but for the fact that there's a dubious assumption that Mac OS X is bulletproof (or close to it) because Windows machines are always being attacked, and, by-and-large, Macs and GNU/Linux are being left alone. The assumption is then combined with the false belief that Mac OS X and GNU/Linux distributions have less significant holes.

Windows machines suffer for a variety of reasons, but not really because they have more bugs. It's more the case that a combination of there being a lot of them out in the wild, most of which are "administered" by people who really aren't familiar with the system's internals, not helped by a poor UI which, after Mac OS X and GNOME 2.x, is easily a poor third in the user friendliness/transparent computing front.

It's worth noting that Mac OS 9, which had no security whatsoever, had almost no (or none? The point is I've never come across one) viruses or worms. Users were just more vigilant, and the operating system's transparency (the degree to which the way the system worked was obvious to the end user) meant end users had a better idea of the consequences of their actions. This is a lesson worth noting for those building systems like GNOME: making something secure and user friendly does not mean hiding how it works, it means exposing how it works using legitimate metaphors.

Contrary to myth, Mac OS X has vulnerabilities. If you want to know why it hasn't been the target of a concerted hacker attack, you have to look elsewhere than the "Windows is insecure by design, OS X and Unix isn't" stuff that's become the prevailing consensus. And while that remains the prevailing consensus, the fact Mac OS X (or GNU/Linux) has vulnerabilities will always be news.

Re:Why is this news? (3, Informative)

notthepainter (759494) | more than 7 years ago | (#18812267)

It's worth noting that Mac OS 9, which had no security whatsoever, had almost no (or none? The point is I've never come across one) viruses or worms.

I can only think of one in recent memory. The Hong Kong worm http://www.makingpages.org/pagemaker/virus.html [makingpages.org], aka Autostart 9805, was pretty devastating to the pre-press industry which passed around zip cartridges like they were free. This would have been back in 1998.

Paul

Re:Why is this news? (1)

Paulrothrock (685079) | more than 7 years ago | (#18811543)

It's not news, it's Fark... wait, wrong site.

But you're right, this isn't news. Mac OS X has bugs and security holes just like every OS that has ever existed. Apple patches them. It's just that they seem to be able to do it before someone wants to try to exploit them.

Mozilla? (-1, Offtopic)

Anonymous Coward | more than 7 years ago | (#18811027)

Google is Mozilla's biggest sponsor ($77M last year).
Google makes money through ads (Doubleclick $3.1bn).
If Mozilla stopped showing ads, Google would be unhappy.

The ten people who form the Mozilla Foundation don't want
to kill the golden goose.

Therefore, you can be sure that the web will be a dumb ads
transmitter even if you kill IE and Mozilla rules.

So, all non-windows users are obliged to use other alternatives.
Konqueror is the only one that has js/css.
Spread Konqueror!

In other news... (5, Funny)

c0d3h4x0r (604141) | more than 7 years ago | (#18811063)

Microsoft Issues Holes for 25 Security Patches

Re:In other news... (0, Troll)

Afecks (899057) | more than 7 years ago | (#18812193)

Insightful too. You've touched upon the reason why this is even news in the first place.

Apple and their fanboys have shot themselves in the foot. It was only a matter of time. You can only gloat and brag about how flawless and secure your operating system is before someone introduces you to their good friend reality and takes you down a peg (or 25).

Why (2, Insightful)

Mockylock (1087585) | more than 7 years ago | (#18811097)

Why isn't this listed under "HaHa" as well? Not trolling, as much as wondering what the reasoning of that was for. Bias?

Re:Why (5, Insightful)

aicrules (819392) | more than 7 years ago | (#18811195)

I think because no one really believes that Apple software is completely bulletproof. No software is completely bulletproof. I'm sure someone could find an exploit even for a Hello World program. Windows gets the majority of the "bad press" from flaws because it has a gigantic market share compared to Apple, so the security holes and related patches affect many more people.

Yes, some Windows folks will see this as a "haha" nelson moment. However, it isn't a haha moment until the headline reads that someone found 25 Apple exploits and released a huge virus to exploit them. And while I am firmly planted in my Windows environment, I will not be interested in laughing at my Apple compadres when or if that happens.

Re:Why (0)

Anonymous Coward | more than 7 years ago | (#18811507)

I think because no one really believes that Apple software is completely bulletproof
Have you met an apple fanboy?

Re:Why (1)

aicrules (819392) | more than 7 years ago | (#18812237)

That's why I say no one REALLY believes it. Even fanboys on both sides know, whether secretly or overtly, that their favorite OS isn't perfect. You'll see it mostly when groups of fanboys on the same side are together in a room with their favorite OS and can be found cursing why it does such and such.

People may pretend that their OS is great and infallible, but they all know better.

Re:Why (0)

Anonymous Coward | more than 7 years ago | (#18812219)

Most hello world implementations don't check the return code from printf().....

Re:Why (1)

Afecks (899057) | more than 7 years ago | (#18812363)

However, it isn't a haha moment until the headline reads that someone found 25 Apple exploits and released a huge virus to exploit them.

I'm sure you meant a worm not a virus.

However, if there's ever more than 1 Mac for every 1 million* IP addresses then maybe a worm might surface.

I just hope the worm author does something creative with his captive audience. Perhaps some hilarious messages, "right click to continue", "dx9.dll missing, please reinstall" or how about changing all their bookmarks to point at http://www.mac-sucks.com/ [mac-sucks.com].

*made up number, real number is likely higher

Because of the nature of the holes patched (1)

Solr_Flare (844465) | more than 7 years ago | (#18811695)

The majority of the security holes patched are ones where you would have to be in a very unusual situation for someone to use them to any real effect. That doesn't lessen the fact that these are holes being patched up mind you. But, if you look closely at what was patched, you'll see a lot of the patches focus on the foundation that OSX is built on (BSD and its respective tools), and most are relatively harmless/hard to use to your advantage flaws.

As others have said, no operating system is bullet proof by any means. All of them are going to require security updates from time to time because it's impossible to catch everything, and security needs change over time as methods of attack change. But, this patch is more like monthly house cleaning than "seriously critical flaw fixing" like you get with the large majority of Windows security patches.

Re:Because of the nature of the holes patched (1)

Mockylock (1087585) | more than 7 years ago | (#18811815)

The good thing about any OS and patching is that they're at least addressing the situation and making it a bit harder for the system to be compromised. Of course, like you said, there will always be vulnerabilities... and hopefully with each patch, the complexity of exploiting them will gain. Though.. new software always seems to make people start from scratch. I don't understand why Microsoft didn't start their new OS solely on the 2003 architecture, with small additions and speed gains.. rather than what they decided on. Hopefully the security will tighten up, but I still don't see it being as tight as '03.

MS flaws = bad, Apple flaws = good...? (0)

Anonymous Coward | more than 7 years ago | (#18811131)

Before swiftly moving on to the next slownewsday article summary I noticed something about this one which made me realize just how subtle the differences of opinion of the /. crowd towards MS and Apple can really be shown. Would any article summary on an XP patch care to mention that the patch is 'free'? No. But everybody likes free, so it must be a good thing Apple is doing for us. Is there usually a link to the MS updates in the summary? No. Are there usually subjective comments about MS direction in the market or evility in the summary? Yea. I don't see any flamebait tags for this article... interesting. defectivebydesign. You all make me sick and puke up tiny bits of my hatred for you all that I tried to swallow this morning along with my pride.

JK.

MS sucks.

Re:MS flaws = bad, Apple flaws = good...? (2, Insightful)

Mockylock (1087585) | more than 7 years ago | (#18811179)

Yeah, that's usually how it happens. Microsoft has holes because the OS supposedly stinks, all other OS's just patch holes to make their OS even better.

Basically saying, "I'm not screwing the sheep. I'm merely helping it through the fence."

Re:MS flaws = bad, Apple flaws = good...? (-1)

644bd346996 (1012333) | more than 7 years ago | (#18811355)

Well, practically nobody can get away with charging for security patches for a currently shipping product. But Apple has been known to charge for each and every new feature, such as unlocking 802.11n, and their frequent OS releases.

As for why there are rarely links to the security bulletins released by MS, that should be obvious. Anybody who really wants to try to extract information from their generic notices, rather than check Secunia, can look it up themselves. Also, Windows is not the preferred OS for the slashdot crowd.

Lastly, this is an honest security update. It has nothing to do with DRM or screwing the customer, so the defectivebydesign tag is unwarranted. The summary also doesn't say anything nasty about Apple or anybody else, so it is not flamebait.

Re:MS flaws = bad, Apple flaws = good...? (1)

stonefry (968479) | more than 7 years ago | (#18812103)

>Also, Windows is not the preferred OS for the slashdot crowd.

Is there a poll to this effect? I find that hard to believe.

Re:MS flaws = bad, Apple flaws = good...? (0)

Anonymous Coward | more than 7 years ago | (#18812355)

Sir, please put the crack pipe down, step away from the keyboard and surrender your computer to your local authorized recycling center. You have no business here.

Remote DoS (0)

Anonymous Coward | more than 7 years ago | (#18811137)

There's no mention of CVE-2007-1841 [mitre.org], a remote DoS against the IPsec daemon racoon.

I wonder if the Apple fanboi is gonna show up.... (0, Flamebait)

moogs (1003361) | more than 7 years ago | (#18811139)

You know, with his "switcheur" troll post and links to pics of fugly people... Heh heh heh :)

10.3.9 also patched (5, Informative)

kybred (795293) | more than 7 years ago | (#18811321)

Apple is providing some patches for 10.3.9 as well. Good to see that they are still providing security related updates for the previous system.

Re:10.3.9 also patched (1)

0racle (667029) | more than 7 years ago | (#18811417)

Until 10.5 is released, 10.3.9 is a supported release. What you just said is like giving MS a hand for releasing patches for XP even though they just released Vista.

Re:10.3.9 also patched (1)

toQDuj (806112) | more than 7 years ago | (#18811631)

No, 10.4.x is the current version, the XP-alike. 10.3 would be more windows ME or 2000 perhaps..

Re:10.3.9 also patched (1)

kybred (795293) | more than 7 years ago | (#18811829)

Until 10.5 is released, 10.3.9 is a supported release. What you just said is like giving MS a hand for releasing patches for XP even though they just released Vista.

Um, XP is still shipping [slashdot.org]

Re:10.3.9 also patched (1)

drinkypoo (153816) | more than 7 years ago | (#18811489)

It's too bad they don't port improvements to the way the system behaves to the previous system. I'm not talking about bringing whole new APIs etc to prior revisions, although that would be responsible, but about backporting fixes to the way the context menus work for example (they are not very well-behaved in 10.3 in general. I finally went to 10.4 a couple weeks ago.)

25 holes? Wow. (1)

Opportunist (166417) | more than 7 years ago | (#18811353)

If this was an MS System, we'd now be at SP1.

Re:25 holes? Wow. (1)

Magneon (1067470) | more than 7 years ago | (#18812159)

Actually there have been a number of security issues patched. This is an update issued primarily for 10.4.9. Nine revisions, not one.

Also, at the end of the day, it's the number of viruses not on the computer and the functionality that matters.

Not news... (2, Insightful)

IwarkChocobos (881084) | more than 7 years ago | (#18811523)

Don't ALL operating systems have holes? I think the only thing different here is that Apple waited until there were a lot found and fixed to release the patch. MS and Apple release patches differently; MS releases them as soon as they can, one at a time usually, while Apple chooses to wait until there are a lot of patches to release it. Not really the best idea, but not the worst for both companies. Not news.

Re:Not news... (2, Insightful)

Ash-Fox (726320) | more than 7 years ago | (#18811941)

MS releases them as soon as they can, one at a time usually
They usually try to release them once a month.

while Apple chooses to wait until there are a lot of patches to release it.
Actually, I've noticed Apple delay updates long enough that a lot come out in the next OS X upgrade.

Not news.
Agreed.

Film at 11 (0, Offtopic)

wardk (3037) | more than 7 years ago | (#18811713)

Also in the news, Germany surrenders, the War in Europe is over.
and Franco is still dead.

all very newsworthy, it's a sloooowwwww day

Apple fixes, are they better documented yet? (1)

gelfling (6534) | more than 7 years ago | (#18812177)

One problem I have with Apple is that their change logs and what's new on releases and patches are poorly documented if ever. iPod is a good example. I guess you're supposed to apply the 'don't fix it if it ain't broke' approach which is good. But then why does iTunes constantly remind me of available updates? In either case I hope Apple documents their fixes on the computer side a little better. That way I can decide if I need to fix them.

And as for the MS ObiWan Kenfanboys, just because MS has a constant stream of fixes, doesn't make them better. I just saw 6 patches for code I don't use. That it's imperative for the people who do run it to apply these fixes means nothing to me. But chalk it up to at least documenting it so I don't waste time with them.

marketese (0, Flamebait)

cinnamon colbert (732724) | more than 7 years ago | (#18812537)

"the free patches.."
wow, FREE security patches
How generous of Mr. Jobs.
this is an example of market-speak, an Orwellian version of the English language, where the subject (Apple) is always made to appear in a favorable light, with every possible action embellished, and every possible flaw minimized.
this might seem like minor carping, until you think about why the word "free" is there. surely you would expect a reputable company, as a matter of course, to stand behind its products and deliver free fixes to flaws; that this is embellished with positive language is perverse.