
Apple Mac OS X Update For 17 Vulnerabilities

Zonk posted more than 7 years ago | from the enjoy-a-less-wormy-apple dept.

OS X 259

BSDetector writes "Apple has released fixes for 17 OSX vulnerabilities, ranging from system takeover to denial-of-service attacks. It was the fifth security update released this year. It also marked the first time this year that an operating system security update from Apple did not patch a vulnerability disclosed by the January Month of Apple Bugs project. Today's update pushed Apple's year-to-date patch total to over 100. More than one of the affected flaws were called 'critical' or 'dangerous'."

259 comments

Not a big deal (-1, Troll)

singhparul (1107427) | more than 7 years ago | (#19287475)

I can find out at least 170 vulnerabilities on my Mac. They have a pretty good interface but a very bad backend. Apple would have been number one if they didn't have Steve Jobs.

Re:Not a big deal (1)

Tickletaint (1088359) | more than 7 years ago | (#19287579)

What?

Re:Not a big deal (4, Insightful)

Anonymous Coward | more than 7 years ago | (#19287645)

Which OS doesn't have security vulnerabilities? For every single significant OS, the updates keep on coming. What matters is a good enough secure foundation - Apple and Linux have had that since long - they don't make users run as root.

Backend - Again, you are wrong - BSD is as best as it can get when you are talking about backends. And if it wasn't for Steve Jobs Apple would not have had OS X at all - It is based on NEXTSTEP ( http://en.wikipedia.org/wiki/NEXTSTEP [wikipedia.org] ) and without it they would have either had to live with something not up to the mark or license WindowsNT. And most people buy macs for OS X and some for the hardware quality.

Re:Not a big deal (0, Troll)

singhparul (1107427) | more than 7 years ago | (#19287689)

Well I make softwares for mac. I was a fresher and I never knew that they will put me up in apple software team. Developing softwares on apple is a nightmare. I like developing softwares more on linux than on mac.

Re:Not a big deal (0)

Anonymous Coward | more than 7 years ago | (#19287735)

Good. Please stay as far away from Mac development as possible. Already the Mac community is straining under the weight of application design tragedies from beancounters and linear thinkers. The last thing we need is another tasteless Bill Gates wannabe like you ("Apple would have been number one if they didn't have Steve Jobs!") littering the Mac application landscape with your PC-minded shit.

Re:Not a big deal (2, Funny)

bryan1945 (301828) | more than 7 years ago | (#19287817)

"I was a fresher"

Could you please explain what that means?

Re:Not a big deal (1)

singhparul (1107427) | more than 7 years ago | (#19287843)

That means that I just completed my bachelor degree.

Re:Not a big deal (4, Funny)

The Bungi (221687) | more than 7 years ago | (#19287887)

A degree on creating "softwares"?

Re:Not a big deal (0)

Anonymous Coward | more than 7 years ago | (#19288265)

He writes them for the internets.

Re:Not a big deal (0)

Anonymous Coward | more than 7 years ago | (#19288549)

Oh great, here we go: dialectical pluralisms... :)

Re:Not a big deal (1, Funny)

Anonymous Coward | more than 7 years ago | (#19288017)

Judging by the confusion and the lack of understanding that your post created, I think you are better off writing software for Linux. :) /me ducks.

Re:Not a big deal (5, Informative)

EMB Numbers (934125) | more than 7 years ago | (#19288367)

What is it about developing software for Mac OS X that you dislike compared to Linux?

Are you using Cocoa, Carbon, Java, BSD/POSIX APIs, X Server?

Are you using X-Code, eclipse, something else?

I routinely develop software for a variety of Unix systems, and I find Mac OS X just as comfortable as any other Unix. I can't think of many developer tools for Linux that are not also available for Mac OS X (Maybe the IBM/Rational Tools Suite?). Some of the Mac OS X tools like Interface Builder, Shark, CHUD, and OpenGL Profiler are best of breed.

USB Breathalyzer (5, Funny)

Anonymous Coward | more than 7 years ago | (#19287775)

I really need to get a USB breathalyzer that prohibits me from:

A. logging in as root
B. sending email
C. posting to slashdot

if my blood alcohol level is higher than 0.15%.

I feel robbed (0, Troll)

HairyCanary (688865) | more than 7 years ago | (#19287525)

What's so special about Apple? Why can't I be notified by Slashdot when Microsoft releases patches?

Re:I feel robbed (2, Funny)

kurt555gs (309278) | more than 7 years ago | (#19287557)

Because your M$ updates might have spyware, viri, trojans, etc, so it would be dangerous to notify you.

Re:I feel robbed (1)

ZakuSage (874456) | more than 7 years ago | (#19287905)

It's "viruses". This isn't Latin, we don't pluralize with "i"s.

Re:I feel robbed (1)

drewness (85694) | more than 7 years ago | (#19288499)

In Latin, virus didn't even have a plural.

Re:I feel robbed (4, Funny)

Actually, I do RTFA (1058596) | more than 7 years ago | (#19287585)

Because the patches are all released on the first(?) Tuesday of every month.

Why doesn't Slashdot tell me when Thanksgiving is?

5 patches in 5 months (4, Interesting)

dj245 (732906) | more than 7 years ago | (#19287725)

This is the 5th patch of the year. It's also the 5th month of the year (May). Apple's patches may not be evenly spaced like Microsoft's, but maybe Microsoft is onto something with their one patch day a month policy. It also makes it much easier on administrators having one scheduled day for patches to count on.

Re:5 patches in 5 months (1)

Opportunist (166417) | more than 7 years ago | (#19288153)

And since Macs enjoy such a widespread use in corporate environments, a lot of admins are affected.

Re:5 patches in 5 months (1)

Matt Perry (793115) | more than 7 years ago | (#19288461)

> And since Macs enjoy such a widespread use in corporate environments, a lot of admins are affected.

Consistency can be a good thing whether you are in a corporate environment or not.

Re:5 patches in 5 months (5, Funny)

Opportunist (166417) | more than 7 years ago | (#19288473)

Especially when you're developing exploits for a machine. You can time them so they hit the market a day after patch, so you have a guaranteed full month before your exploit gets a fix.

Re:5 patches in 5 months (1)

Matt Perry (793115) | more than 7 years ago | (#19288509)

> Especially when you're developing exploits for a machine. You can time them so they hit the market a day after patch, so you have a guaranteed full month before your exploit gets a fix.

Yep. Everybody wins.

Re:I feel robbed (-1, Offtopic)

Anonymous Coward | more than 7 years ago | (#19287597)

If you don't know what Cmd-Shift-1 and Cmd-Shift-2 are for, GTFO.
If you think Firefox is a decent Mac application, GTFO.
If you're still looking for the "maximize" button, GTFO.
If the name "Clarus" means nothing to you, GTFO.

Bandwagon jumpers are not welcome among real [imageshack.us] Mac [imageshack.us] users [imageshack.us] . Keep your filthy, beige [imageshack.us] PC fingers to yourself.

Re:I feel robbed (4, Informative)

vslashg (209560) | more than 7 years ago | (#19287625)

> What's so special about Apple? Why can't I be notified by Slashdot when Microsoft releases patches?

Yeah, Slashdot never makes posts like this about Microsoft. Certainly this article from two weeks ago [slashdot.org] has nothing to do with notable Windows security patches.

Re:I feel robbed (0, Flamebait)

catwh0re (540371) | more than 7 years ago | (#19288089)

Storm in a teacup. Use of words such as "dangerous" and "critical" for sensationalism purposes. "Dangerous" is my computer's battery blowing up. Critical is a pacemaker failing.

Re:I feel robbed (2, Funny)

Opportunist (166417) | more than 7 years ago | (#19288179)

You didn't get the media spin memo, right? The former is now called "life threatening" and the latter "potentially deadly".

Thats unpossible!! (0, Troll)

Drakin020 (980931) | more than 7 years ago | (#19287535)

Macs have no vulnerabilities, that's why people buy them....Right guys?.....RIGHT??

Yeah I'm gettin trolled for that....

Re:Thats unpossible!! (3, Funny)

Sunburnt (890890) | more than 7 years ago | (#19287605)

> Macs have no vulnerabilities, that's why people buy them....Right guys?.....RIGHT??

No, most of us just want another overpriced peripheral for our iPods.

> Yeah I'm gettin trolled for that....

Just a hunch, but I'll bet most of your troll mods come from your sig.

Your confusion (5, Insightful)

SuperKendall (25149) | more than 7 years ago | (#19287615)

All systems have vulnerabilities.

Macs have no EXPLOITS (yet).

This lack of exploits, and thus the need to spend time preventing/dealing with them, is the selling point for Macs.

You Windows people have been ever confused on the fine distinction, I guess because on Windows if there's a vulnerability there's an exploit already written and working. Us Linux and Mac users know life can be better.

Re:Your confusion (1)

singhparul (1107427) | more than 7 years ago | (#19287767)

Did you ever have any development experience on Mac? I love developing more on Linux than on Mac and Windows. It is about the usability of the operating systems. Interface is not always graphical, there is something known as the interface with the system which matters a lot. After all the main role of any operating system is to provide a good interface up to the root level.

Re:Your confusion (1, Insightful)

Anonymous Coward | more than 7 years ago | (#19287885)

If you find Cocoa more difficult than .NET, you're probably doing it wrong. As in: You don't understand the Mac, and you're trying to program Mac applications as though they were PC ports.

Stop it. Either learn how Mac programs behave, or if you're too inflexible to escape your PC-minded prison, just GTFO. We've seen far too many PC users lately trying to develop for Macs, and to be blunt, we're sick of your shit clogging up what used to be a platform of reliably good software.

Re:Your confusion (2)

Jeff DeMaagd (2015) | more than 7 years ago | (#19288021)

I think you have the relationship wrong. The grandparent post didn't suggest that Macs were harder or easier to program than Windows, just that GP poster prefers Linux instead.

Re:Your confusion (-1, Flamebait)

Anonymous Coward | more than 7 years ago | (#19288047)

You're right, I should have read more carefully. Nevertheless, my point remains: PC-minded developers tend to fail at writing Mac applications, and we'd all be better off if they'd just learn to stay the fuck off the Mac.

Re:Your confusion (-1)

Anonymous Coward | more than 7 years ago | (#19288145)

Don't stop programming for the mac because my older sibling says so. Stop programming for the mac because the platform as a whole sucks ass as does xcode and objective-c.

Stop because there is absolutely no need for it. Make these users go away, we don't need another platform to make more work for us.

Apple wants to keep their OS to their hardware? Good...let them make their own software for it too.

Yes... (2, Interesting)

SuperKendall (25149) | more than 7 years ago | (#19288291)

I've done some development (GUI and otherwise) on Linux, Windows, and Macs - including a fair amount of X11, MFC, C, C++, Java, some C#, and some Objective C.

Linux and Macs are nice to develop for for the same reasons - the tools are great. In fact for most of my Mac programming I still use Emacs. But XCode does have a lot of things going for it, and I've been using it more and more...

I guess my main point is, if you like development for Linux I don't see why you wouldn't like Mac development since you can use all the same tools. You don't have to use XCode. You can even stick to X11 (though frankly I liked that much less than other systems, even if some of the capabilities are nicer).

I have also used Visual Studio but frankly, I don't like how it thinks.

Re:Your confusion (1)

sid0 (1062444) | more than 7 years ago | (#19287795)

...and the bubble of no 0-day exploits on OS X is just waiting to burst.

> I guess because on Windows if there's a vulnerability there's an exploit already written and working.

Sometimes. Not always. See last month's patches. None were 0-day.

Re:Your confusion (1)

Yahweh Doesn't Exist (906833) | more than 7 years ago | (#19288003)

>...and the bubble of no 0-day exploits on OS X is just waiting to burst.

yeah, and the rapture was supposed to be during the lifetime of the original disciples. so it's guaranteed to happen any moment now!

Re:Your confusion (0)

Anonymous Coward | more than 7 years ago | (#19288133)

> ...and the bubble of no 0-day exploits on OS X is just waiting to burst.

That's not surprising... even OpenBSD [openbsd.org] (hint: read the embarrassing red caption under the banner at top of page) developed fatigue cracks eventually. The selling point of OpenBSD, Linux, OS X etc. is that even if it is inevitable that they will get cracked up once in a while they are still unlikely to end up like Windows which has been cracked up so often by various forms of malware that it looks like a particularly finely tiled Roman mosaic.

So what (4, Insightful)

SuperKendall (25149) | more than 7 years ago | (#19288321)

> ...and the bubble of no 0-day exploits on OS X is just waiting to burst.

Yeah, and when they do - then I'll be just as poorly off as Windows users are today! So until that day, why not be better off?

Only I won't be doing as poorly as Windows users, because it will take a long time for Mac or Linux exploits to catch up to Windows exploits numerically.

> Sometimes. Not always. See last month's patches. None were 0-day.

That you know of...

Re:So what (1)

sid0 (1062444) | more than 7 years ago | (#19288607)

How do you define the number of exploits? The absolute number over the years doesn't matter TODAY. If it is the number of serious unpatched exploits, Windows Vista currently has ZERO [secunia.com] , just like OS X [secunia.com] and Linux [secunia.com] .

Just as you said, patches != exploits. I'll go a step further and say that patched exploits != exploits.

> That you know of...

Conspiracy theories FTW!

Re:Your confusion (5, Insightful)

pdbaby (609052) | more than 7 years ago | (#19288393)

> the bubble of no 0-day exploits on OS X is just waiting to burst

I'm sure it'll happen eventually, but it's curious that there are no viruses on the loose that target OS X

Mac users don't account for a huge percentage of total users, but it's a large enough group -- and we're usually high-tech enough for it to be highly profitable for spammers/crackers/whatever to work for an exploit - we don't run anti-viruses, and I'm sure most non-developer mac users wouldn't even know how to find the process list, let alone figure out what's not supposed to be running.

Re:Your confusion (1)

Actually, I do RTFA (1058596) | more than 7 years ago | (#19287881)

What constitutes an exploit?

  • Crash your computer remotely?
  • Install malware?
  • Read your data without your consent?

I don't know if any of those have been done on a Mac, but I'm curious where you would draw the line.

Re:Your confusion (4, Interesting)

Jeff DeMaagd (2015) | more than 7 years ago | (#19287981)

A proof of concept exploit seems to surface about once or twice a year. I really haven't heard of one "in the wild".

Any of the above (4, Informative)

SuperKendall (25149) | more than 7 years ago | (#19288347)

All of the ones you listed involve manipulating code on my computer in ways it was not meant to be run, so sure.

There have been no exploits in any of those categories in the wild. Heck, some of the proof of concept exploits don't even generally work (like the Quicktime exploit, that required I RUN AN EXPLOIT GENERATOR locally and run the generated QT file - still didn't work on any of my Macs!)

Re:Your confusion (-1, Troll)

QuantumG (50515) | more than 7 years ago | (#19287939)

Cause, just like Mac Software, no-one could be fucked. Mac == no-one cares.

Depends on with whom you run (0)

Anonymous Coward | more than 7 years ago | (#19288139)

No one in your circle of loser friends, maybe, but Macs have been commonplace among (for lack of better class terminologies) pioneers and creatives in almost every industry for decades. It sounds snobbish—all right, it is snobbish, I know, and I wish I were able to put it more delicately. But it's true.

Re:Depends on with whom you run (1)

seaturnip (1068078) | more than 7 years ago | (#19288371)

I guess nobody is creative in the videogame industry, then.

Also, associating your brilliance and good taste to a particular brand is pathetic. Apple's marketing has you brainwashed.

Re:Depends on with whom you run (0)

Anonymous Coward | more than 7 years ago | (#19288445)

I didn't say I was brilliant and tasteful, just that the most brilliant and tasteful in some remarkably diverse areas of human expertise, for whatever reason, tend to be Mac users.

That includes the several Nintendo engineers I've been privileged to know in my lifetime (granted, that was the mid-'90s).

Re:Depends on with whom you run (0)

Anonymous Coward | more than 7 years ago | (#19288487)

> Also, associating your brilliance and good taste to a particular brand is pathetic. Apple's marketing has you brainwashed.

Real Mac users don't use Macs for the image. Real Mac users didn't just buy their Macs last week at Hot Topic. We've been here on the Mac platform since 1984 and believe me, we resent the recent influx of switcheurs almost as much as we don't give a damn about PC users.

Re:Depends on with whom you run (0)

Anonymous Coward | more than 7 years ago | (#19288493)

You're also assuming that the people developing on Winblows boxes have a choice one way or the other. They develop on PCs because that's where their company wants to be. You would likely see a lot more alternative platforms for games if the average user wasn't so afraid to consider anything other than MicroSloth.

Re:Depends on with whom you run (0)

Anonymous Coward | more than 7 years ago | (#19288553)

John Carmack uses a Mac. Even in his glory days, before he was a has-been, he was always an Apple fan.

The majority of Bungie's titles, before being acquired by Microsoft, were Mac-only, and its founders left the company around the time it sold out to Microsoft. Notably, nothing interesting has come from Bungie since then.

Shall I continue, or are you getting the picture?

Great (1)

SuperKendall (25149) | more than 7 years ago | (#19288373)

No-one cares about cracking Macs? Sounds fine to me. I don't own the system to win any popularity awards or to go with the herd, I just want a computer that works well - which it does. If the criminal element thinks it below them to bother with Macs, all the better...

My pet theory is that the whole of the Russian mafia runs Macs, and the reason we see no exploits is they don't want to foul their own nest so to speak. :-)

Re:Your confusion (0)

Anonymous Coward | more than 7 years ago | (#19288643)

Guess your idol, Mac user John Carmack, must be a "no-one."

Re:Thats unpossible!! (2, Informative)

edwardpickman (965122) | more than 7 years ago | (#19288271)

Windows virus making you irritable? It's okay, Mac users understand, it's why we're on Mac. Just take two virus checkers and make sure your firewall is set. Don't install any non Microsoft approved software and stick with Office software until your machine is feeling better. If you need to get some work done just borrow a friend's Mac. When I got my first Mac a year ago I looked for a copy of anti spyware for the Mac. A friend pointed out it's like giving a nun birth control. Macs aren't 100% secure, they just seem that way to the users.

Four fat guys on a crash cart... (1)

PHAEDRU5 (213667) | more than 7 years ago | (#19287577)

Where the hell is the Microsoft comeback ad.?

Do they care?

Re:Four fat guys on a crash cart... (3, Insightful)

RealGrouchy (943109) | more than 7 years ago | (#19287639)

> Where the hell is the Microsoft comeback ad.?

Comeback to whom?

"Hey, you there! Yes, you--the small market share that makes up Apple users."

If Microsoft were to say anything about this, it would merely acknowledge, and therefore (ironically) reinforce Apple's (well OSX's) image of being resistant to viruses. Perhaps more importantly, it would also reinforce MS's image of Windows being prone to viruses.

- RG>

Well, ok (0, Flamebait)

PHAEDRU5 (213667) | more than 7 years ago | (#19288015)

Gotta say, however, that when the supercilious little Mac f**k opens his mouth, I just want to slap him.

Re:Well, ok (-1, Troll)

Anonymous Coward | more than 7 years ago | (#19288203)

You do understand you're supposed to identify with the hapless PC (John Hodgman, in real life a militant Mac user), don't you? If not—if you're such an irony-impaired, self-important douchebag as to actually find these commercials offensive—it's a safe bet Apple doesn't want you as a customer anyway.

Re:Four fat guys on a crash cart... (0, Troll)

Tickletaint (1088359) | more than 7 years ago | (#19287659)

Microsoft's culture is devoid of passion. Which is wholly understandable—how could anyone be passionate about the sewage spewing forth from Redmond?

So the answer is no. They don't care.

Re:Four fat guys on a crash cart... (0)

Anonymous Coward | more than 7 years ago | (#19288037)

Since when is software something to be passionate about? I mean, I know Macs are pretty stylish, but "passionate"?

Developers! (1)

PHAEDRU5 (213667) | more than 7 years ago | (#19288039)

"Developers! Developers! Developers! Developers! Developers! Developers! Developers!"

No passion. Right.

Re:Developers! (1)

Tickletaint (1088359) | more than 7 years ago | (#19288073)

Haha, point taken.

Re:Four fat guys on a crash cart... (0)

Anonymous Coward | more than 7 years ago | (#19288659)

Let's bash Apple for being open about their vulnerabilities and fixing it! Yeah!

Totally redundant story, please sack someone (1, Insightful)

milo_a_wagner (1002274) | more than 7 years ago | (#19287621)

This is just getting dull, dull, dull. I don't know why I'm even bothering to type this. *Please*, no more, "Oh my god! OS X isn't bulletproof! Teh shock!" 'news' items.

Re:Totally redundant story, please sack someone (-1, Troll)

lancejjj (924211) | more than 7 years ago | (#19288067)

> *Please*, no more, "Oh my god! OS X isn't bulletproof! Teh shock!" 'news' items.

Whoa! You're completely missing the point.

The point is that Mac users are smug. They generally believe that they have a better platform than Windows users, and it is the community's responsibility to continually let them know that their platform is, in fact, not perfect.

Furthermore, continual pointless rantings and debate about tired matters is what keeps readers like you and me coming back.

Re:Totally redundant story, please sack someone (0)

Anonymous Coward | more than 7 years ago | (#19288143)

Steve Jobs and Bill Gates are running from a bear. Bill says to Steve: "You don't think you can run faster than the bear do you?" Steve replies: "I don't have to run faster than the bear. I just have to..."

It's not only about the vulnerabilities... (3, Informative)

Secret Rabbit (914973) | more than 7 years ago | (#19287649)

... it's also about /how/ they are handled. Some might say more-so.

From what I've seen, Apple has been quite responsible with fixing found vulnerabilities: turn around times, etc. More-so than that other guy. So, I can't really complain.

Re:It's not only about the vulnerabilities... (0, Flamebait)

BSDetector (1056962) | more than 7 years ago | (#19287693)

Did you miss "...Apple did not patch a vulnerability disclosed by the January Month of Apple Bugs project."?

Partial quote, taken out of context (1)

Frequency Domain (601421) | more than 7 years ago | (#19287809)

The full sentence was "It also marked the first time this year that an operating system security update from Apple did not patch a vulnerability disclosed by the January Month of Apple Bugs project." To quote Inigo, "I don't think that means what you think it means."

Re:It's not only about the vulnerabilities... (5, Informative)

dustin_c1 (153078) | more than 7 years ago | (#19287719)

"From what I've seen, Apple has been quite responsible with fixing found vulnerabilities: turn around times, etc. More-so than that other guy. So, I can't really complain."

Apple's time to patch was about twice as long as Microsoft's in 2006. From the looks of things, they may be working hard on improving that.

Apple has historically been terribly irresponsible with found vulnerabilities. This article says this is the first exploit fixed that hasn't been logged on the MOAB project.

Read up the MOAB. The MOAB project was started by security researchers who decided to release their findings publicly (and not contact Apple beforehand giving them time to fix the vulnerability before it becomes publicly known) because they got mad when Apple outright denied some existing vulnerabilities they found.

You are incorrect. Apple has a terrible track record when it comes to handling vulnerabilities when compared to the other guy. It looks like they are making progress.

Re:It's not only about the vulnerabilities... (5, Informative)

Anonymous Coward | more than 7 years ago | (#19288025)

MOAB was founded by security researchers who wanted publicity. Among other issues was a bug in OmniWeb, which was never reported to The Omni Group. How would being frustrated at Apple possibly justify that one?

Microsoft: 10 years, Apple: 3 years. (3, Interesting)

argent (18001) | more than 7 years ago | (#19288187)

> Apple's time to patch was about twice as long as Microsoft's in 2006. From the looks of things, they may be working hard on improving that.

Microsoft's coming up on 10 years for an unpatched vulnerability this year. One that's been exploited over and over again, and is still there.

Apple's comparable vulnerability is much less dangerous, AND you can turn it off, AND it only surfaces in one program. Much lower surface area, much harder to exploit.

I'm talking, of course, about deliberate automatic code execution from web browsers (and in Microsoft's case mail software and any other application that uses the Microsoft HTML control). Not buffer overflows or anything patchable like that, but a design that automatically opens a file or object just as if you'd manually downloaded it and run it from the desktop. I'm talking about daft things like ActiveX in IE, or "Open Safe Files" in Safari...

Re:It's not only about the vulnerabilities... (1)

Secret Rabbit (914973) | more than 7 years ago | (#19288439)

I said nothing about Apple's complete track record... nothing. I'm talking about lately, /lately/.

Re:It's not only about the vulnerabilities... (4, Informative)

dr.badass (25287) | more than 7 years ago | (#19288675)

> This article says this is the first exploit fixed that hasn't been logged on the MOAB project.

You misunderstand. This is the first update that doesn't patch anything listed by MOAB. That doesn't mean that everything patched before was. MOAB only listed 31 bugs, whereas dozens of potential vulnerabilities have been patched by Apple in that time.

> The MOAB project was started by security researchers who decided to release their findings publicly because they got mad when Apple outright denied some existing vulnerabilities they found.

That doesn't explain why they chose to give the same treatment to VLC [info-pull.com] , OmniGroup [info-pull.com] , and Panic [info-pull.com] .

Re:It's not only about the vulnerabilities... (1)

frederickroyceperez (865361) | more than 7 years ago | (#19287877)

My setup's vulnerabilities is a four year old. I think it will take at least sixteen years to fix this computer imp. My guess? There is a patent on him. I just know I'll get the chair, drat.

The reboot was not appreciated... (1, Interesting)

(H)elix1 (231155) | more than 7 years ago | (#19287851)

My bride has a MacBook. She got the notification, it downloaded what seemed like a fairly large file after prompting for a password. Don't know if it asked and she missed it, or if it rebooted after installing the patch - but either way her machine did an unexpected restart. (Not that Microsoft is not guilty of the same thing, as one of my servers installed and rebooted last week at a very inconvenient time - dang thing was set to automatic) Anyhow, it sure made her nervous. She wanders down to my lab-of-doom and tells me her mac just shut down. I asked and she said she had just done an update. Perhaps she missed the dialog asking to restart... don't know. Had not seen a CERT email about it yet.

Re:The reboot was not appreciated... (1)

otomo_1001 (22925) | more than 7 years ago | (#19287889)

Does she know if the update has the triangle with a circle on it it means a reboot will be needed?

You still get prompted after installation to shutdown or reboot. She might have hit the blue button instinctively. When I applied the update it was like any other, only 30 meg or so.

Re:The reboot was not appreciated... (1)

jaredmauch (633928) | more than 7 years ago | (#19288057)

My ppc g4 laptop also rebooted twice. I did not boot it in verbose mode as I was not expecting it to do anything strange so I wasn't quite sure what happened. I also was concerned as it was abnormal behaviour. I consider myself somewhat savvy, but I'm just some random fool on da inraweb clogging up dem t00bs.

Re:The reboot was not appreciated... (1)

wordsofwisedumb (957054) | more than 7 years ago | (#19288709)

My G4 and my mother's iMac core2duo also rebooted twice. I think that is standard for this update.

Re:The reboot was not appreciated... (2, Insightful)

lexarius (560925) | more than 7 years ago | (#19288035)

I've never known it to autoreboot. I don't think it has a timer on the dialog or anything like that. I usually don't want to reboot when it wants to, so I just force-quit the updater once it is done. It will reboot when I feel like it.

Re:The reboot was not appreciated... (1)

Calibax (151875) | more than 7 years ago | (#19288103)

There was a reboot required after installing this patch. Seriously, very few security patches don't require a restart - it's in the nature of the beast. Personally, I'm surprised when a restart isn't required after a system level update on Windows, Mac or Linux. FYI, there was a notification up front that a reboot would be required.

I'm somewhat amazed that you are complaining - but I guess you needed to complain about something.

Re:The reboot was not appreciated... (1, Interesting)

Anonymous Coward | more than 7 years ago | (#19288239)

I have been doing updates on Macs for a long time (I work in IT) and never see this. It always asks you if you want to restart, yes, no, after the updates that require a restart. Windows, on the other hand, has this nice count down timer dialog box. So if you are not paying attention, you can lose a lot of data. And that, unfortunately, is routine in the land of Microsoft.

Re:The reboot was not appreciated... (5, Informative)

Kadin2048 (468275) | more than 7 years ago | (#19288377)

She must have hit the dialog without realizing it...by default, Apple Software Update won't auto-restart, and I don't think there's any way to even enable that behavior.

By default, this is how it works:
* ASU puts up dialog showing list of installable updates; they're checked by default. Ones with restart required are marked.
* User unchecks items they don't want, presses "Install" or hits Return.
* ASU downloads and installs software. At end, flashes its own icon in the Dock as notification.
* User returns to ASU; if an update requiring restart has been installed, a modal dialog is displayed saying "The new software requires that you restart your computer..." with options "Shut Down" and "Restart." Default is 'Restart,' if user presses Return. (However, the dialog is modal only within the ASU application, you can still switch away from ASU and use the computer normally, and after clicking on it once, ASU no longer bounces in the Dock.)
* If Restart is pressed, the computer will begin the reboot process. I *think* that the process will stop if you have an application open with an unsaved document, but I haven't tested this recently.

Unfortunately, I think users are sometimes conditioned to quickly clicking the default option in any dialog they're presented with, that they sometimes don't realize until 1/4 sec after they hit it, that they just rebooted their computer.

As an aside: it's possible to avoid the reboot either by just leaving ASU in the background indefinitely (pressing Cmd-H 'hides' it so that it doesn't clutter up the UI) or by Force Quitting it, although I doubt that's recommended.

Re:The reboot was not appreciated... (1)

Anonymous Coward | more than 7 years ago | (#19288517)

* ASU downloads and installs software. At end, flashes its own icon in the Dock as notification.

That is the smartest thing that Apple has done for the update system. Windows' Automatic Updates pops up at the most inconvenient time to ask for a restart. I don't mind it had it used a balloon tip instead. Worst thing is if you don't want to restart yet, it goes away, only to steal focus again after X minutes.

Re:The reboot was not appreciated... (1)

g0at (135364) | more than 7 years ago | (#19288515)

The Software Update app clearly asks you, once the install is finished, whether you wish to shut down or restart your computer. You must actively make a choice before anything happens. If you ignore the dialog (e.g. if it sits in the background), the computer will not spontaneously reboot. She probably hit it by mistake.

-b

Mod parent incorrect (1)

forand (530402) | more than 7 years ago | (#19288685)

Your wife missed it at multiple points. First it tells you that it will require a restart before you accept it to install. Second once the install is complete it puts up a big dialog asking if you want to Shutdown or Restart. There is no time limit. I am in fact posting this with the dialog in the background.

open the gates (2, Informative)

v1 (525388) | more than 7 years ago | (#19287925)

we shall now see the flood of the clueless that run around in circles screaming OMG SEE MACS HAVE BAD SECURITY TOO. To stamp out their fire before it gets beyond the first match I'd like to point out that even if they fixed 1000 things in this update, you can't compare apples (sorry) to oranges. The lion's share of vulns patched in say, Windows, I would classify "big trouble". Exploits that are in the wild (some of which have been running loose for months) that let remote attackers own your box. Even with that we see the antivirus companies coming out with many new patterns every week. Most are for viruses and spyware, but some are for remote code execution, which is arguably the worst thing you can have happen to your computer.

The number of patched remote code execution bugs that have been found and fixed on the mac recently are countable on one hand. Most (all?) of them are LAN originatable only. And it's not that Apple's not plugging existing holes... there weren't many to fix to begin with. The rest of the fixes, as pointed out by an earlier poster, are for things where someone emails you an attachment and you run it. Sorry but if you are assisting the viruses you really shouldn't hold the computer accountable anyway, but Apple still does its best to bulletproof you even in your stupidity. Their main concern there I believe is that you could send the evil attachment to an unprivileged user and that could lead to elevated privileges for that user or to execute code beyond that user's privs.

Any OS that has so many holes to fix that it can justify a weekly scheduled security fix is clearly in a class by itself.

Re:open the gates (3, Insightful)

Actually, I do RTFA (1058596) | more than 7 years ago | (#19287961)

Their main concern there I believe is that you could send the evil attachment to an unprivileged user and that could lead to elevated privileges for that user or to execute code beyond that user's privs.

Regardless of where it originates from, isn't any program that allows an unprivileged user to execute code beyond that user's privilege a serious issue? Why would it have higher privileges because an e-mail client downloaded it?

Re:open the gates (1)

dgatwood (11270) | more than 7 years ago | (#19288235)

Let me answer in l33t sp3@k for your entertainment.

In order of severity: remote root exploits, local root exploits, remote non-root exploits, local trojan horses. The first is worst because it doesn't require any user interaction to 0wn your boxen. The second is not as bad because it does require action from a legitimate user to 0wn your boxen except when combined with the third. The third is not as bad as either of these because it is generally limited in the amount of damage it can do in the absence of the second and cannot 0wn your boxen (though it may 0wn a service on your boxen). The fourth is usually not a security hole at all, but user error. However, in some cases, there is some subtle security hole that makes it easier for the user to make such an error (e.g. the ability to have an application that looks like a file). Those are the least severe of all, as it requires quite a bit of user interaction to 0wn your boxen.

Just my $0.01997, adjusted for inflation.

This could just as well have a different title (3, Insightful)

Opportunist (166417) | more than 7 years ago | (#19288195)

"Macs gain market share"

Since exploits of machines are meaningless if they are not used by at least a nominal portion of the userbase. Unless said machines run very interesting services (like, say, a DNS root server), machines are only interesting in numbers for a potential attacker.

So, as a Mac user I'd see this as a sign of my computer gaining ground in the market.

WHO CARES ABOUT MARKET SHARE (1, Insightful)

Anonymous Coward | more than 7 years ago | (#19288303)

If it's so important to you what everyone else is doing, GTFO. Fucking beancounter.

Re:This could just as well have a different title (1)

prelelat (201821) | more than 7 years ago | (#19288335)

I think you are right that exploits would mean that it was seeing an increase in market share, but in this case I believe they were strictly talking about vulnerabilities being fixed. This means that people knew they were there but didn't even bother to exploit them. If anything this shows that OSX still doesn't have near the market share some people seem to think.

I prefer to think that they were doing preventative maintenance. Apple hasn't always been the best at patching vulnerabilities but I guess they don't need to worry as no one has exploited them like with Windows.

Not too sure what the point of the article was, I mean any OS that is out there has some vulnerability that needs to be patched, I'm sure at any given time there are at least 5 for any OS that someone hasn't noticed yet.

BTW Macs are gaining ground in the market patch or no patch. I remember 5 years ago I don't think I knew a single person who admitted to using a Mac now they throw it in your face. I just tell them penguins eat apples for lunch... if they had apples in the south pole anyways. I'm rambling..

Re:This could just as well have a different title (1)

Opportunist (166417) | more than 7 years ago | (#19288423)

Still, someone had to find those bugs, and it was likely not the programmers themselves, or they would probably have been fixed before shipping. And 1000 people looking for bugs find more than 10 people doing the same. Given that I don't remember hearing about Mac bugs getting fixed once a month from, say, 5 years ago, I'd say it might have to do with an increase in market share.

Re:This could just as well have a different title (1)

dr.badass (25287) | more than 7 years ago | (#19288781)

Still, someone had to find those bugs, and it was likely not the programmers themselves, or they would probably have been fixed before shipping.

Ah, but much of what Apple ends up patching in updates like these isn't actually Apple-specific, but rather fixes to open source stuff they ship. This update has fixes for bind, fetchmail, ruby, and screen, to name a few. Those bugs could have been found by users or programmers on a dozen other platforms.

EnpH?! (-1, Troll)

Anonymous Coward | more than 7 years ago | (#19288421)

OS. Now BSDI is

Apple/gay analogy (0)

Anonymous Coward | more than 7 years ago | (#19288425)

The denial in the Apple community is so much like AIDS was with the gays at first. There was so much misinformation back then...

If you are going to live the Mac lifestyle then you need to be aware and practice safe security.

Re:Apple/gay analogy (0)

Anonymous Coward | more than 7 years ago | (#19288667)

To make your analogy work, there would have to be a lot of people who didn't have Macs who were using OS X on the down-low. And an overwhelming majority dedicated to attacking, belittling and marginalizing them, which you are an example of, so I guess that part's accurate. Are you in the closet too?

My experiences with the latest update... (1)

jbdaem (959867) | more than 7 years ago | (#19288525)

If anyone cares.... Can't get too technical cause I am quite drunk n' I wasn't payin full up close attention to the verbosity of the reboot after the installation... But I ended up getting a second reboot... On both my machines I have updated so far... This has got to be the most updates in a year ever with Apple, to my best recollection... Is it cause the user base is getting bigger, or the nIx flavoured underpinnings allow for so much more fine tuning, tweaking, n' progging finesse, or is it just that more employees @ Apple == more updates/visibilities into holes??';!$ I think I found something of a lil bit of interest... A story about someone else's blogging, linkin, on macobserver, about sec fixes and approximately how long it takes Apple to fix them.. According to the research that Brian Krebs did into Apple's security fixin's... He found that the average company took 91 days to fix n' meanwhile Apple took around 50 for most.. He discovered this from Bud Tribble, VP of software technology over at Apple.. He was then quoted to say, "[A Mac user] simply expects things to work with single button click, and that means we have to take time to do that correctly,"... I dunno why but that makes me giggle... Here's a direct link to the article... http://www.macobserver.com/article/2006/05/02.10.shtml [macobserver.com] Here... So if anyone would like, I can post the reboot logs from the install, to allow people to know what exactly happened at reboot... Hope I ain't too off topic... Peace n Grease.: TeH Daem.On.

Necessary? (3, Insightful)

Tatsh (893946) | more than 7 years ago | (#19288567)

How is this news? Apple fixes flaws. Linux distro communities fix flaws too. Next time Kubuntu gets an update I'm going to make a page here.