Apple Patch Released, But Is It Enough?

Posted by Zonk on Sat May 13, 2006 01:21 PM
from the conflicting-viewpoints dept.
entenman writes "Apple Computer's security update train rumbled into the station with fixes for a whopping 43 Mac OS X and QuickTime vulnerabilities. The Security Update patches 31 flaws in the Mac OS X, most of them serious enough to cause 'arbitrary code execution attacks.'" Unfortunately, InfoWorldMike writes "InfoWorld.com reports that Independent researcher Tom Ferris said there were still holes in Safari, QuickTime, and iTunes that he reported to Apple but were not patched in the latest release on Thursday. Ferris told InfoWorld he is considering releasing the details of the unpatched holes on May 14 on his Web site. He also says he has found new holes in OS X affecting TIFF format files and BOMArchiver, an application used to compress files. He did not provide details about the flaws or proof of their existence."
  • Stupidity (Score:5, Insightful)

    by Phroggy (441) * <slashdot3@nOspAm.phroggy.com> on Saturday May 13 2006, @01:22PM (#15325651)
    (http://phroggy.com/)
    and there is debate about whether Apple's shift to the same Intel architecture used by Microsoft Windows will change the security posture of Mac systems.

    Let's settle this debate.

    No.

    Changing CPU architectures will have absolutely no effect on security.

    Switching to Intel will make it easier for game developers to port their code, which will lead to more games available for the Mac. This, combined with the ability to dual-boot to Windows and eventually the ability to run Windows apps through virtualization, makes the Mac platform more appealing to consumers, which will probably lead to an increase in Apple's market share. This could lead to more malware creators taking an interest in the Mac platform, which would lead to more security holes in Mac OS X being exploited (which is not the same as more security holes existing).
    • Re:Stupidity (Score:5, Insightful)

      by Anonymous Coward on Saturday May 13 2006, @01:30PM (#15325698)
      I think you underestimate the importance of assembly language when coding exploits. There are plenty of crackers out there who know x86 ASM. There are *far* fewer who know PPC ASM.

      You have to make the initial exploit to get "in." Once you are in you can use most standard unix libraries to do whatever you want. The hard part with PPC was finding someone who knew how to code the initial exploit and the carefully crafted shellcode (with no null bytes, etc.). With Mac moving to Intel this part is MUCH easier for the people who know x86 ASM.
      • Re:Stupidity (Score:5, Insightful)

        by CODiNE (27417) on Saturday May 13 2006, @01:52PM (#15325797)
        (http://slashdot.org/)
        You mentioned avoiding null bytes. I seem to recall reading that on PPC that's much harder to pull off because many RISC ops tend to have a byte of null padding that smaller CISC ops don't need. So besides having to learn a new asm, it's also much harder to exploit... PPC did have a real advantage here.
      • by AHumbleOpinion (546848) on Saturday May 13 2006, @02:01PM (#15325828)
        (http://slashdot.org/)
        I think you underestimate the importance of assembly language when coding exploits. There are plenty of crackers out there who know x86 ASM. There are *far* fewer who know PPC ASM.

        I think you overestimate the effort required to learn PPC once you know x86. The first assembly language you learn is difficult, especially if it is x86, but for subsequent ones it is far less difficult. After many years of x86 I wrote my first serious PPC code, it beat Apple's MrC compiler quite easily.
        • Re:Security by oscurity (Score:5, Interesting)

          by steeviant (677315) on Saturday May 13 2006, @06:15PM (#15326887)
          I'm so sick of hearing people tout this crap over and over... the truth is that security by obscurity does work, and you just highlighted that it does in fact work by noting that there are far fewer people attacking PPC than x86, that situation is only going to get better not worse, with Apple moving away from the PPC platform.

          Ever since my company made it policy to move SSH away from the standard ports, the number of dictionary attacks and exploits has gone down from upwards of 20 a day across all our machines down to zero (0). Even though any automated scanning tool worth its salt could easily identify that it's SSH running on an obscure port from the banner.

          Security by obscurity is enough to break the default configuration of most automated scanning tools, which in turn is enough to stop most of the people out there attacking servers at random.

          The great thing about using security by obscurity is that by effectively foiling most automated scanning tools, we limit our focus to only people who are genuinely trying to hack us, rather than just anyone, and can focus on tracking them down and turning them over to the authorities.

          Security by obscurity does work, it doesn't devalue your other forms of security, and should be considered a useful and valid part of the arsenal of security defences that can be deployed to protect things.

          Anyone who says otherwise has obviously never worked in a situation where their security knowledge actually made any difference. It's obvious that an SSH server getting blasted 20 times a day by attackers is at least 20 times more likely to be hacked than one that's hit 0 times a day, and security by obscurity can make that difference.
          • Re:Security by oscurity (Score:5, Insightful)

            I agree that people repeat that "security by obscurity doesn't work" without really understanding the concept. I mean, what is a password but an obscured piece of information? Still, the origin of the phrase is attacking the idea that an obscured algorithm will protect you; you have to assume that an attacker will capture one of your en/de-cryption devices, and learn the algorithm.

            That being said, I disagree with your assertion that 20 dictionary attacks a day is 20 times more likely to get into an SSH server than 0 dictionary attacks. If your passwords are any good, they won't get in either way.

            Yes, your "obscure" port protects you from the dumber automated scripts. That could buy you a little time if a genuine vulnerability shows up in the sshd. But it's only a matter of time before the stupid scripts scan for sshd on other ports.

            Then you'll have to switch to port knocking ;)
            • Re:Security by oscurity (Score:5, Interesting)

              by steeviant (677315) on Saturday May 13 2006, @08:16PM (#15327406)
              Heh, we have yet to encounter even a port scan on our obscure SSH port, let alone any kind of attack, so it's safe to say that script kiddies don't want to spend the time scanning all 65,000 ports on every computer when they can get a similar yield by only harvesting those computers that answer on port 22.

              It's also probably safe to assume that if someone has the intelligence to change the port that SSH is listening on that they are also clever enough to keep it up to date and securely configured. :)

              Moving your potentially vulnerable services to a different port is effectively putting yourself in the too-hard basket as far as auto-scanning script kiddies are concerned, but doesn't do anything to stop attackers who are targeting you.

              Unfortunately the soft pink human underbelly of your network is the most glaring weak point for attackers targeting your systems, and we can't really firewall their voice-boxes and fingers if we expect to keep doing business.
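The exchange above argues from a count of dictionary attacks per day ("upwards of 20 a day" down to zero). As an added example that is not from any poster, the Python below parses constructed sshd syslog lines (the year is assumed to be 2006, since syslog omits it) and reports which sources produced a burst of failed logins, which is the measurement that claim rests on; a single mistyped password is not counted as an attack.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample of sshd syslog lines (not taken from the thread).
SAMPLE_LOG = """\
May 13 01:02:10 host1 sshd[2201]: Failed password for invalid user admin from 192.0.2.10 port 51512 ssh2
May 13 01:02:12 host1 sshd[2203]: Failed password for invalid user test from 192.0.2.10 port 51514 ssh2
May 13 01:02:14 host1 sshd[2205]: Failed password for root from 192.0.2.10 port 51516 ssh2
May 13 01:02:16 host1 sshd[2207]: Failed password for invalid user oracle from 192.0.2.10 port 51518 ssh2
May 13 01:02:18 host1 sshd[2209]: Failed password for invalid user guest from 192.0.2.10 port 51520 ssh2
May 13 09:15:01 host1 sshd[3100]: Accepted publickey for alice from 198.51.100.7 port 40210 ssh2
May 13 17:44:03 host1 sshd[3311]: Failed password for bob from 198.51.100.7 port 40312 ssh2
May 14 03:30:00 host1 sshd[4001]: Failed password for invalid user admin from 203.0.113.5 port 60001 ssh2
May 14 03:30:01 host1 sshd[4003]: Failed password for invalid user admin from 203.0.113.5 port 60002 ssh2
May 14 03:30:02 host1 sshd[4005]: Failed password for root from 203.0.113.5 port 60003 ssh2
"""

# Matches the OpenSSH "Failed password" line, with or without "invalid user".
LINE_RE = re.compile(
    r"^(?P<mon>\w{3}) +(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_failures(log_text, year=2006):
    """Yield (timestamp, user, source_ip) for each failed-password line.

    `year` is an assumption: syslog timestamps carry no year."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # accepted logins and unrelated lines are ignored
        ts = datetime.strptime(f"{year} {m['mon']} {m['day']} {m['time']}",
                               "%Y %b %d %H:%M:%S")
        yield ts, m["user"], m["ip"]


def find_dictionary_attacks(log_text, threshold=3, window_seconds=60):
    """Return {(date, source_ip): total_failures} for sources that produced at
    least `threshold` failed logins within any `window_seconds` span that day.

    One failure from a legitimate user (bob above) does not qualify; a burst of
    failures against several usernames from one source does."""
    by_src = defaultdict(list)
    for ts, _user, ip in parse_failures(log_text):
        by_src[(ts.date(), ip)].append(ts)
    attacks = {}
    for key, stamps in by_src.items():
        stamps.sort()
        for i in range(len(stamps)):
            j = i + threshold - 1  # index of the threshold-th failure in a run
            if j < len(stamps) and (stamps[j] - stamps[i]).total_seconds() <= window_seconds:
                attacks[key] = len(stamps)
                break
    return attacks


def attacks_per_day(log_text, **kw):
    """Count distinct attacking sources per day: the figure the thread argues over."""
    counts = defaultdict(int)
    for (day, _ip) in find_dictionary_attacks(log_text, **kw):
        counts[day.isoformat()] += 1
    return dict(counts)


if __name__ == "__main__":
    for (day, ip), n in sorted(find_dictionary_attacks(SAMPLE_LOG).items()):
        print(f"{day} {ip}: {n} failed logins")
    print(attacks_per_day(SAMPLE_LOG))
```

Run it against a real auth log by reading the file into `find_dictionary_attacks` before and after changing the listening port, and the "before/after" comparison in the thread becomes a number rather than an impression.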
    • Re:Stupidity (Score:5, Informative)

      by Have Blue (616) on Saturday May 13 2006, @02:04PM (#15325840)
      (http://www.seizurerobots.com/)
      The truth is the Intel processor is a lot more prone to buffer overflow attacks

      Bullshit. Buffer overflows are a software problem and have nothing to do with the CPU. The PowerPC would have been just as vulnerable, when running identical code.

      And building your own PC teaches you absolutely nothing about discovering vulnerabilities.
      • Re:Stupidity (Score:5, Funny)

        by ImaNihilist (889325) on Saturday May 13 2006, @02:14PM (#15325884)
        And building your own PC teaches you absolutely nothing about discovering vulnerabilities. Sure it does. It teaches you that all systems, regardless of CPU and OS, are vulnerable to static electricity. Thus, the best "hacks" are to break into someone's house with a balloon, find their PC, open it, rub the balloon on their head, and then start touching the motherboard.
        • Re:Stupidity (Score:4, Interesting)

          by Ulrich Hobelmann (861309) on Saturday May 13 2006, @02:46PM (#15326022)
          (Last Journal: Sunday July 16 2006, @03:31AM)
          PPC makes it much harder ... to run code after overflow since it'll clear the stack.

          Clear what stack? The only meaningful difference between PPC and x86 regarding buffer overflows is that PPC has more registers (including a link register which won't be saved by leaf procedures), and that the x86 CALL instruction pushes its value on the stack.

          A buffer overflow would simply overflow some buffer, and be engineered so that it will overwrite the stack frame's return address to call some other code (which is also in the overflowed buffer).

          Now on Intel every procedure has a return location on the stack, while on PPC only non-leaf procedures do, but since all computation happens in the context of *some* call stack, there will always be a parent procedure that has a return value that just waits to be overwritten.

          I'm not sure how PPC can "clear" the stack, or with what purpose.
      • Re:Stupidity (Score:4, Informative)

        by LO0G (606364) on Saturday May 13 2006, @09:21PM (#15327652)
        There are processor architectures that make stack overflows orders of magnitude harder. For instance, processors with a grow down stack architecture are way easier to exploit than processors with a grow up stack architecture (grow down means that a forward memory copy can overwrite the return address thus enabling the attacker to control the return address, that's a classic buffer overflow).

        There are other processor features that make stack overflows harder, NX being a classic example (also mentioned above). The processor's calling convention can also help - if your processor operates with three stacks, one for parameters, one for local data, the third for data flow, it renders the return stack immune from overflow of local data buffers, and mitigates the damage that can be caused by an overflow.

        So yes, buffer overflows are a software problem. But the damage that they can cause is strictly a processor architecture issue.

  • What purpose? (Score:2)

    by samkass (174571) on Saturday May 13 2006, @01:23PM (#15325656)
    (http://www.samkass.com/blog | Last Journal: Thursday May 12 2005, @02:40PM)
    What purpose would publishing the details on his site serve, other than as a kind of security vulnerability "first post!" type of thing?
    • Re:What purpose? (Score:4, Insightful)

      by Phroggy (441) * <slashdot3@nOspAm.phroggy.com> on Saturday May 13 2006, @01:27PM (#15325681)
      (http://phroggy.com/)
      What purpose would publishing the details on his site serve, other than as a kind of security vulnerability "first post!" type of thing?

      In theory, it's possible that black-hats have already discovered the flaw, and will exploit it without telling anyone. If they've already figured it out, then releasing details to the public won't make the situation significantly worse. However, public embarrassment will prompt the company to release a fix more quickly.

      I'm not saying I agree with this theory.
    • Re:What purpose? (Score:5, Informative)

      by lancejjj (924211) on Saturday May 13 2006, @01:36PM (#15325726)
      (http://lancej.blogspot.com/)
      Purpose? Easy... he makes money by promoting himself.

      If you check out his web site, it seems that he's trying to maximize advertising revenue. Not only does he have many ads, he also has many Amazon referral links. In addition, he is directly selling advertising:

      From his website:

      Want to advertise on the Security-Protocols website?

      Below are our rates:
      Banner Advertising:
      10,000 impressions = $75
      20,000 impressions = $135
      30,000 impressions = $180

  • Relativity (Score:5, Funny)

    by ImaNihilist (889325) on Saturday May 13 2006, @01:25PM (#15325662)
    Good thing I use Microsoft® Windows XP so I don't have to worry about things like this.
    • Re:Relativity (Score:5, Insightful)

      by Golias (176380) on Saturday May 13 2006, @01:37PM (#15325734)
      Whoever modded you down "Troll" has obviously not heard of sarcasm.

      Anyway. The difference between Mac OS X and XP can be summarized thus:

      Every time a potential breach of OS X security is discovered, it's front-page headline news on Slashdot.

      If a new actual virus or worm comes along for Windows, making it ever more sure that you still can't even put a new Windows box online to download patches until after the patches you need are already installed... it's business as usual.

      Windows users concerned about their penis size go on chanting "B B B But that's only because the Mac is less popular, so nobody bothers to write malware for it. Wait until the Mac gets more popular, then you'll be in a world of hurt!!!1!"

      Whatever. The Mac is probably never going to see double-digit market share, and even if it does, it's still vastly more secure than Windows is, and you all know it. So there's no need to worry about such a scenario ever happening.

      So I use Macs.

      If the market dominance of Windows has anything to do with Macs being relatively free of haX0r attention, then I just gotta say to all you stubborn Windows users out there:

      Hey man, thanks for taking one for the team.
          • Re:Relativity (Score:5, Insightful)

            by Wordsmith (183749) on Saturday May 13 2006, @03:45PM (#15326288)
            (http://www.louishochman.com/)
            It most certainly is possible. I won't go as far as the grandparent, but close. I've never been -harmfully- afflicted by being hacked, rooted, or infected with a virus or spyware. I've almost never run into any of those at all - but once every couple of years something crops up.

            I've (very) occasionally caught a virus present on the machine before it was ever executed or did any harm. I've (very) rarely wound up with spyware - but nothing major, and nothing that couldn't either be uninstalled via its own well-behaved uninstaller or removed easily via something like adaware.

            Why? Because I don't run or install software if common sense says the source might be shady. The one or two spyware incidents I've had were with semi-legit software - it probably told me in a Eula all about the nasty reporting it wanted to do, and I clicked through - that, as spyware goes, was relatively benign.

            Now my old roommate's machine, with the same basic setup, was another story. It was amazing she could move the mouse with all the crap going on in the background from various malware. Different computing use habits, I suppose.
  • what a ego (Score:4, Insightful)

    by falcon5768 (629591) <Falcon5768@NosPAm.comcast.net> on Saturday May 13 2006, @01:26PM (#15325670)
    (Last Journal: Friday October 24 2003, @12:44PM)
    Ferris told InfoWorld he is considering releasing the details of the unpatched holes on May 14 on his Web site.

    I.e., I'm a giant penis and I would rather expose vulnerabilities that could potentially damage systems rather than wait for the coders at Apple to make sure everything is accounted for and put into a patch that won't affect other things that I didn't foresee.

    It's one thing to find holes and tell Apple and people you did, and send the info to Apple. But I am so sick of these people who feel that if said company doesn't respond NOW they are then in the right to exploit said holes and make everyone's life miserable.

    • Grow up kids! (Score:5, Insightful)

      by Deorus (811828) <jps@corah.org> on Saturday May 13 2006, @02:42PM (#15325999)
      > It's one thing to find holes and tell Apple and people you did, and send the info to Apple. But I am so sick of these people who feel that if said company doesn't respond NOW they are then in the right to exploit said holes and make everyone's life miserable.

      What do you mean? That he doesn't have the right to disclose what he found? Do his constitutional rights make you sick? Well then I think that YOU are the one with a problem. You should be thanking him for warning Apple. I know many who would have kept it secret and written all kinds of worms just to make fun of fanboys like you, and I guess that's what you're really asking for with your complaints.

      Here goes my karma... ;-)
  • extortion? (Score:5, Interesting)

    by v1 (525388) on Saturday May 13 2006, @01:30PM (#15325690)
    (http://vftp.net/ | Last Journal: Saturday December 09 2006, @09:52PM)
    I'd like to see Apple fix security problems as quickly as possible, but this guy threatening to release exploit information a few days after the first patch to go out after the notification? That seems like they are expecting an awful lot from Apple - certainly they want to take a few weeks to analyze their patch and make sure it doesn't break a bunch of things. Apple should not be forced to make an ill-prepared and possibly buggy patch release due to the threats of this "analyst". If he had given several months of warning I could see the justification, but it looks like he is doing this to get some publicity because he knows Apple won't rush something like this, not to the degree this fellow is demanding.
  • Open "safe" files strikes again (Score:4, Insightful)

    by noidentity (188756) on Saturday May 13 2006, @01:37PM (#15325728)
    From the updater notes: "When Safari's "Open `safe' files after downloading" option is enabled, archives will be automatically expanded. If the archive contains a symbolic link, the target symlink may be moved to the user's desktop and launched."

    OK, second time this "Open 'safe' files" is a lie. WHY THE HELL IS THAT OPTION STILL THERE? I never trusted that option from the moment I first saw the checkbox. I guess that's why they put "safe" in quotes. Buy our "free" product for only $9.95!
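The updater note quoted above describes archives whose symlink members end up on the desktop and get launched. As an added illustration, not Apple's or Safari's code, the Python below builds a constructed tar archive (file names and the link target are made up) and runs the pre-extraction check an expander should apply: link entries and members that would land outside the destination directory are reported instead of being extracted.

```python
import io
import os
import tarfile


def build_sample_archive(include_bad=True):
    """Constructed sample archive: one ordinary file plus, when include_bad is
    set, a symlink to an absolute path and a member whose name climbs out of
    the extraction directory via '..'. All names here are made up."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        data = b"hello\n"
        regular = tarfile.TarInfo("docs/readme.txt")
        regular.size = len(data)
        tar.addfile(regular, io.BytesIO(data))
        if include_bad:
            link = tarfile.TarInfo("docs/launch_me")
            link.type = tarfile.SYMTYPE
            link.linkname = "/Applications/Utilities/Terminal.app"  # made-up target
            tar.addfile(link)
            escape = tarfile.TarInfo("../Desktop/dropped.sh")  # path traversal
            escape.size = 0
            tar.addfile(escape)
    return buf.getvalue()


def unsafe_members(archive_bytes, dest="extract"):
    """Return [(member_name, reason)] for every entry that must not be extracted.

    Checks, in order: the member's final path must stay under `dest` (this also
    catches absolute names, since os.path.join discards `dest` for them); link
    entries of any kind are refused outright, which is the conservative answer
    to the bug described in the updater note; device and FIFO entries are refused."""
    dest_root = os.path.realpath(dest)
    problems = []
    with tarfile.open(fileobj=io.BytesIO(archive_bytes), mode="r:") as tar:
        for member in tar.getmembers():
            target = os.path.realpath(os.path.join(dest_root, member.name))
            if os.path.commonpath([dest_root, target]) != dest_root:
                problems.append((member.name, "path escapes extraction directory"))
            elif member.issym() or member.islnk():
                problems.append((member.name, f"link entry -> {member.linkname}"))
            elif not (member.isfile() or member.isdir()):
                problems.append((member.name, "special file"))
    return problems


def is_safe_archive(archive_bytes, dest="extract"):
    """True only when no member fails the checks above."""
    return not unsafe_members(archive_bytes, dest)


if __name__ == "__main__":
    for name, reason in unsafe_members(build_sample_archive()):
        print(f"refusing {name}: {reason}")
```

Python 3.12 and later provide the same policy built in via `tar.extractall(path, filter="data")`, which rejects these entries itself; the explicit check above is useful where the extractor is older or is not Python.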
  • Is it enough? Yes. (Score:4, Insightful)

    by sootman (158191) on Saturday May 13 2006, @01:39PM (#15325741)
    (Last Journal: Thursday July 12, @12:30PM)
    Considering that there has not been one real, severe, in-the-wild, massively spread, substantial, damage-causing virus in the five year history of Mac OS X, I would say yes, the boys and girls in Cupertino are doing just fine. Thank you very much for all your hard work, and all naysaying columnists and pundits can go screw.
  • Sue Sue Sudio (Score:1, Insightful)

    by Frankie70 (803801) on Saturday May 13 2006, @01:39PM (#15325745)
    Ferris told InfoWorld he is considering releasing the details of the unpatched holes on May 14 on his Web site.


    Apple will then just have to take him to court like they do with everybody else, won't they?
  • by ShyGuy91284 (701108) on Saturday May 13 2006, @01:40PM (#15325747)
    The way I see it, they probably intend on patching the other problems, but they decided to get a decent amount done, and then release the update. Much like how Microsoft's once-a-month releases could give some time for the vulnerabilities to be taken advantage of (I recall that release cycle, I'm not sure if they are still done anymore though), if they waited for all patches to be done in this case, it may have prolonged the wait by quite a bit longer.
  • Not surprised (Score:4, Interesting)

    by frostilicus2 (889524) on Saturday May 13 2006, @01:46PM (#15325777)
    I think that this is inevitable. Mac OS X is a desktop OS, desktop customers demand shiny new features and Apple needs to compete with Microsoft in adding such features, otherwise it will fall behind in market share. These new features make for a supremely usable OS, but it means that development is always too fast. Security flaws are invariably human logic errors, and when a lot of new code is written really fast, errors are made. Conversely, take OpenBSD [openbsd.org], its pace of development is slow and thorough and due to its comprehensive code audit (which slows development) very few security holes are found in the code. As complexity escalates, so will the number of bugs and until Apple's workforce is replaced with androids (Which I'm sure will have a negative impact on its cool reputation) errors will continue to be made.

    Although inevitable, we need not accept that there should be quite as many flaws as there are - Apple is in a uniquely privileged position over Microsoft in using the unix permission system and the mature core that Mach and FreeBSD provide, it must not become complacent. Increasingly, it appears that Apple is becoming sloppy - There are reports of Apple not using automated bounds checking and such. Such arrogance is inexcusable from any developer, and as Apple's popularity increases poor security will invariably become more of an issue. It's time for Apple to seriously take stock of this issue.
  • Talk about timing... (Score:4, Funny)

    by UOZaphod (31190) on Saturday May 13 2006, @02:02PM (#15325829)
    I enjoyed today's (semi-relevant) Ctrl+Alt+Del comic [ctrlaltdel-online.com]
  • by BadassJesus (939844) on Saturday May 13 2006, @02:55PM (#15326063)
    On XP I have a bunch of monitoring and firewalling software. On Mac I only have the knowledge that my OS is bullet proof. Now the second is not valid anymore. Oh my...
  • Give me REAL WORLD proof (Score:2, Insightful)

    by a_greer2005 (863926) on Saturday May 13 2006, @03:12PM (#15326149)
    I hear, every month or so, nowadays that "OSX is as vulnerable as Windows" yet I have yet to see one attack in the real world that doesn't require utter user stupidity (hint -- a web-app should never need your root/"admin" password)

    Please someone, give me a web address that will install spy/crudware without my consent automatically, show me how, with no user intervention, an unpatched box can be hacked to hell by spammers to use in botnets in under 2 minutes...show me this or shut the fuck up!

    I understand that OSX isn't perfectly secure, it has its bugs, so does BSD as a whole, but the holes get FIXED and not denied for months until the hole is used to destroy hundreds of thousands of PCs.

  • by NeoSlash (974486) on Saturday May 13 2006, @03:34PM (#15326243)
    I run both and my new MAC has been patched more than my new PC and Adobe alone has released at least twice as many patches this year for my MAC than for my PC.
  • by Danathar (267989) on Saturday May 13 2006, @06:18PM (#15326895)
    (Last Journal: Sunday August 20 2006, @09:16PM)
    I REALLY hope that Apple is planning to port (or participate in the ports already in progress) to get the NSA's MAC controls into Mach Microkernel.

    OS X would be a WHOLE lot more secure with them in place.
  • by Sithgunner (529690) on Saturday May 13 2006, @07:36PM (#15327222)
    I keep saying this, but it's so funny that these people, when it comes to Apple, say 'fixes whopping 43 bugs' lol. When it comes to MS, they go like 'omfg 43 bugs I was living with, geez is MS selling such a trash?'

    Keep going, because it just sounds totally funny.
    Not that I blame Apple for fixing bugs, but they do ship quite buggy software in the first place, but people never tend to pick on Apple anyway.
  • update screwed up (Score:1)

    by Niteshade (674961) on Monday May 15 2006, @09:27AM (#15334293)
    (http://www.artechne.com/)
    Am I the only one whose system was royally screwed by this update?
  • by IDontLinkMondays (923350) on Thursday May 18 2006, @06:17AM (#15356330)
    First of all, patching OS X is in violation of Apple's advertising campaign. You would have to reboot your computer and Macs don't need to be rebooted. So, you couldn't patch if you wanted to. Second, Mac is secure from viruses and trojans, so patching is obviously useless, there is no need for security patches.

    If you look at it from my point of view, there is no point to patching a Mac because even with all the root problems and such, the real problem with Macs are the users. As it says on my blog, http://64now.com/ [64now.com] all that needs to be done to make an easily spread virus for a Mac is to download ffmpeg for mac, make an installer based on Apple's installer system, require the user to enter their administration password, install the backdoor or security hole, even disabling firewalling while you're at it, then package it and stick it on Version Tracker. It would be months before anyone knew there was a security hole and it will have been installed on a large percentage of the computers out there.... even the ones run by computer competent users.

    Antivirus software for Mac is designed to block known viruses. They lack the advanced features such as sandboxing like those found on PCs since there are really not that many creative viruses on Macs. For the most part, the only purpose for virus scanning software on Mac is to make sure you're not receiving a PC virus and sending it out again to a PC user.

    So, thanks to Apple, which advertises that their machines are bulletproof and that users shouldn't worry about security on their machines, all these fancy hacks are a waste of time; take advantage of the users' trust and you don't need rootkits.
  • by noidentity (188756) on Saturday May 13 2006, @01:32PM (#15325707)
    "Since I hate smug Mac users, let me be the first. . .to say hahahaha hahahaha ha ha ha ha ha hahaha hah ha hahahahahahaha HA!!"

    Yeah, us Mac users and our potential vulnerabilities. All the potential data I haven't lost has really cost me.

    And smug people suck, no matter what computer they choose.
  • Re:Quicktime? (Score:1, Informative)

    by John Nowak (872479) on Saturday May 13 2006, @01:39PM (#15325743)
    Quicktime is much more than the Player. It is a very rich API that lets you do some great things, albeit often with some suffering, as it is getting a bit old...

    Even if you use VLC (I do), there's no chance of escaping Quicktime.
  • Re:Tom Ferris (Score:3, Funny)

    by rackrent (160690) on Saturday May 13 2006, @01:40PM (#15325749)
    My only experience with someone named "Ferris" who happened to know computers was someone who changed his excessive high school absences from nine times (nine times?) to 0
    • Re:Tom Ferris by generic-man (Score:1) Saturday May 13 2006, @02:59PM
      • Re:Tom Ferris by generic-man (Score:1) Saturday May 13 2006, @09:34PM
  • Re:Its been stated before but... (Score:2, Insightful)

    by heinousjay (683506) on Saturday May 13 2006, @02:14PM (#15325883)
    (Last Journal: Sunday October 07, @01:01AM)
    Perhaps he chose to post AC because anything that goes against groupthink is inevitably modded down? Typically as Troll (Slashdot definition: I disagree with your opinion) or Flamebait (Slashdot definition: I disagree with your opinion)
  • Re:Quicktime? (Score:2)

    by LocoMan (744414) on Saturday May 13 2006, @02:18PM (#15325899)
    (http://www.locoman3d.com/)
    I personally like QuickTime (even on PC) for two things. One is movie trailers. My net connection is kinda "fast" (for Venezuelan standards), but it's not very constant, so I always get buffering stops on streamed media. I much prefer QuickTime's way to present them (at least on the trailers in quicktime.com), where I can select the highest quality trailer, leave it loading in a tab in the background while I do something else, and then come back once it's fully loaded and watch it without interruption.

    The other thing is when I'm doing 3D animations. So far no other video codec natively allows going frame by frame so easily (left and right arrow), so I like to render quick previews in QuickTime format, see it at normal speed until something pops up as wrong and then go frame by frame to see what it is.. :)
  • Re:Quicktime? (Score:3, Funny)

    by ATPTourFan (898906) on Saturday May 13 2006, @02:26PM (#15325925)
    The latest version of VLC, 0.8.5, is Intel native as a universal binary. You may want to upgrade.
    • Re:Quicktime? by jbreidbord (Score:1) Saturday May 13 2006, @04:54PM
  • So 100,000 birds in the hand are worth 20 in the bush?

    I mean, note the word "potential". There are thousands of vulnerabilities that have been exploited on Windows, and like 20 potential on Macs, and that's equal? The day you'll trade me 100,000 dollars for a chance at 20 bucks is the day I'll toss my Apple in the trash.
  • Missing the point (Score:5, Interesting)

    by mrraven (129238) on Saturday May 13 2006, @03:36PM (#15326254)
    It's not that there are no vulnerabilities; all complex code contains multiple vulnerabilities. It's that Macs, being set up with a user-level account as opposed to Windows' default admin account, are much less liable to being actually exploited. The same can of course be said for most Linux distros, which are also set up with a default user-level account.

    Vista will probably help IF it's ever released, and as I read here on Slashdot, the way Vista handles admin tasks (at least in its current release state) involves an infuriating number of dialog boxes. I'll stick with my Mac for now so I can just get some work done (shrug).

    I guess this is what I get for responding to a troll.
  • Huzzah! Here, loyal Applehead, take your $20 discount voucher for the Apple Store as a reward for your fine trolling on Slapdash, I mean, err, Slashdot. Yeah, we all know, Microsoft, I mean, err, Micro$oft, has never ever released a Security Update for Windows, I mean, err, Windoze/Winblows, without there first being a worldwide outbreak of malicious activity as a direct result.
  • Re:Quicktime? (Score:2)

    by abdulla (523920) on Sunday May 14 2006, @08:00AM (#15329180)
    Now that doesn't help me with playing videos in Front Row, now does it? VLC isn't the perfect replacement for all situations. Now if only Flip4Mac would go universal, that'd solve all my issues.
  • by 5plicer (886415) on Sunday May 14 2006, @03:16PM (#15330682)
    Here's the source code for the page:

    <HTML>
    <TABLE>
    <TR><TD ROWSPAN=2000000000>