Apple Mac OS X Update For 17 Vulnerabilities

BSDetector writes "Apple has released fixes for 17 OSX vulnerabilities, ranging from system takeover to denial-of-service attacks. It was the fifth security update released this year. It also marked the first time this year that an operating system security update from Apple did not patch a vulnerability disclosed by the January Month of Apple Bugs project. Today's update pushed Apple's year-to-date patch total to over 100. More than one of the affected flaws were called 'critical' or 'dangerous'."

It's not only about the vulnerabilities...

[Secret Rabbit (914973)]

... it's also about /how/ they are handled. Some might say more-so.

From what I've seen, Apple has been quite responsible with fixing found vulnerabilities: turn around times, etc. More-so than that other guy. So, I can't really complain.

Re:It's not only about the vulnerabilities...

[dustin_c1 (153078)]

"From what I've seen, Apple has been quite responsible with fixing found vulnerabilities: turn around times, etc. More-so than that other guy. So, I can't really complain."

Apple's time to patch was about twice as long as Microsoft's in 2006. From the looks of things, they may be working hard on improving that.

Apple has historically been terribly irresponsible with found vulnerabilities. This article says this is the first exploit fixed that hasn't been logged on the MOAB project.

Read up the MOAB. The MOAB project was started by security researchers who decided to release their findings publicly (and not contact Apple beforehand giving them time to fix the vulnerability before it becomes publicly known) because they got mad when Apple outright denied some existing vulnerabilities they found.

You are incorrect. Apple has a terrible track record when it comes to handling vulnerabilities when compared to the other guy. It looks like they are making progress.

Re:It's not only about the vulnerabilities...

[by Anonymous Coward]

MOAB was founded by security researchers who wanted publicity. Among other issues was a bug in OmniWeb, which was never reported to The Omni Group. How would being frustrated at Apple possibly justify that one?

Re:It's not only about the vulnerabilities...

[Jeff DeMaagd (2015)]

I guess it was a hit job which blindsided Telestream's Flip4Mac, Panic's Transmit, Colloquy's Colloquy, Unsanity's Application Enhancer, and the open sourced VLC as innocent bystanders in their vendetta against Apple, so at least six non-Apple branded programs were thrown in to fill out the month. Day 31 has a "filler", meaning that it's just over three weeks' worth of Apple Bugs.

There may be some legitimacy to the complaints that Apple was unresponsive, but I agree, to bring in flaws in third party products to the mix is beyond irresponsible.

Microsoft: 10 years, Apple: 3 years.

[argent (18001)]

Apple's time to patch was about twice as long as Microsoft's in 2006. From the looks of things, they may be working hard on improving that.

Microsoft's coming up on 10 years for an unpatched vulnerability this year. One that's been exploited over and over again, and is still there.

Apple's comparable vulnerability is much less dangerous, AND you can turn it off, AND it only surfaces in one program. Much lower surface area, much harder to exploit.

I'm talking, of course, about deliberate automatic code executio

Re:Microsoft: 10 years, Apple: 3 years.

[argent (18001)]

Which Microsoft vulnerability are you referring to as being over 10 years old?

Well, they started out caling it "Active Desktop". It's had other names, but that's where it started.

The vulnerability is that when you combine ActiveX with the API that applications use to call the HTML control the resulting design is fundamentally impossible even in principle to secure. The problem is that the HTML control is given the responsibility for deciding whether an object its called on to display should be trusted or not, but there the HTML control does not have enough information to make that determination. It's arguable whether the application calling it does, but in every exploit I'm aware of that has made use of this vulnerability to infect the computer giving the application responsibility for that decision would have prevented it.

The changes required to the API could be:

(1) Making the control would call back to the application to follow links, access embedded objects, and so on.

(2) Making the control by itself purely a display mechanism, and requiring explicit installation of extensions by the application.

(3) Making the sandbox the control uses "hard", and requiring the user or the application to explicitly install plugins based on roles, and making the application explicitly specify the role that the instance of the control takes.

In addition, in all cases:

(4) Make the inheritence of the environment absolute. If you follow a link from an application then the target of the link MUST be displayed under the control of the same application. That application can display it by running a more restricted helper application if appropriate (so Windows Explorer could call Internet Explorer) but that decision MUST be made by the application, not the HTML control.

Except in VERY limited circumstances (such as the default "open safe files after downloading" option in Safari, which CAN BE TURNED OFF) every other browser or mail software follows some variant of these rules (for example, the KHTML/Webkit "IO slaves" follow rule 2). The idea that a program failing to implement one of these rules would be treated as anything less than a critical bug to be fixed as soon as it was discovered was literally a bad joke before 1997. I mean, there were jokes going around about it, because everyone knew nobody would be so stupid as to implement something like Active Desktop.

Re:It's not only about the vulnerabilities...

[dr.badass (25287)]

This article says this is the first exploit fixed that hasn't been logged on the MOAB project.

You misunderstand. This is the first update that doesn't patch anything listed by MOAB. That doesn't mean that everything patched before was. MOAB only listed 31 bugs, whereas dozens of potential vulnerabilities have been patched by Apple in that time.

The MOAB project was started by security researchers who decided to release their findings publicly because they got mad when Apple outright denied some existing vulnerabilities they found.

That doesn't explain why they chose to give the same treatment to VLC [info-pull.com], OmniGroup [info-pull.com], and Panic [info-pull.com].

Re:

[djupedal (584558)]

"Read up the MOAB."

You're purposely sending people to a rigged website...? Does this mean you're in on the trap or just that you're clueless about what really lies behind MOAB?

Re:It's not only about the vulnerabilities...

[vertigoCiel (1070374)]

It doesn't matter how long it takes to patch an exploit, as long as it is patched before it's used in a virus or other attack on a system. There are currently no OS X viruses in the wild that can attack a Mac in a meaningful way (there is a proof-of-concept one that requires the user to install it). Compare that to the tens of thousands of Windows OS viruses and worms exploiting security holes without requiring the user. Given that, I'd say that Apple has an excellent track record when it comes to patching vulnerabilities.

Re:It's not only about the vulnerabilities...

[gig (78408)]

When you're tempted to compare Windows and Mac security all you have to do is point to the fact that there are Unix user accounts on the Mac since 2001. Game over, Mac wins.

Mac users do not run as root, and in fact root user access is not enabled by default. Just that by itself is much more important than randomized memory paths and UAC prompts and even firewalls.

Microsoft has people doing office work running as root because their poorly managed third-party software platform has not yet adapted to a networked user model.

Apple is also way ahead of Microsoft on quality, design, execution, product management. It is a more tightly built boat.

This could just as well have a different title

[Opportunist (166417)]

"Macs gain market share"

Since exploits of machines are meaningless if they are not used by at least a nominal portion of the userbase. Unless said machines run very interesting services (like, say, a DNS root server), machines are only interesting in numbers for a potential attacker.

So, as a Mac user I'd see this as a sign of my computer gaining ground in the market.

Re:This could just as well have a different title

[mstone (8523)]

Define 'nominal'.

The installed base of Macs is estimated to be between 10% and 15% of the market. That value follows from the sales numbers established in market share, amortized across the 5-7 year functional lifespan of the average Mac.

"One machine in ten" seems like a reasonably attractive size for a target.

Besides, you're forgetting the automated nature of malware. You don't create a botnet by hand, one machine at a time. You pump out a massive number of potential attacks and glean the ones that succeed. And having a botnet means having a massively distributed system whose resources can be devoted to making itself even bigger.

It doesn't even take an infected Mac to compromise another Mac. The attack is just a package of data, so it would be trivially easy to dedicate a Windows botnet to locating and infecting Macs if someone really wanted to.

The reason malware developers target the Windows platform is that it's so much easier to find a Windows machine with an exploitable hole and take it over. Windows up through XP carries a ton of historical baggage that assumes the existence of an isolated, single-user system: All processes are launched by a user with absolute privilege. Half the processes on any given machine are running at the highest possible level of privilege, and they accept data from sources with lower levels of privilege. The directory that contains system binaries is writable by pretty much anyone, there's no index to say where any given binary came from, and it's standard practice to add or overwrite files in that directory. The absolute-privilege daemons are controlled by the Registry, which again is writeable by almost anyone, and whose format is obscure enough that it's difficult to find tampering even if you know something is wrong with the machine.

Those were all convenient and effective solutions in the days when 99.9% of the data coming into a machine came from the person at the keyboard. But they don't fare so well against a hostile internet.

OS X doesn't have that baggage. It inherited unix's experience dealing with multi-user systems in an untrusted network environment. Yes, there are weak spots, but the attack surface is much smaller than that of Windows.

The people who collect botnets don't care about market share. They care about exploitability, especially exploitability which can be automated. Windows machines offer an easy target in that respect. Macs and unix-alike systems require more work. And there's no reason for them to do the extra work when Windows machines are both so easy to find and so easy to take over.

Re:

[Weedlekin (836313)]

"If anything this shows that OSX still doesn't have near the market share some people seem to think."

This would indeed be true if the act of writing malware was a quest that earned a +5 Amulet Of Knowing Real User Numbers which gives them magical abilities that people who don't write malware lack. If however we reluctantly accept the fact that malware writers don't have such wondrous artefacts, then we must also accept that Windows' market dominance and its total dominance of the malware sector are merely a

Multiple Mac users

[AlpineR (32307)]

You Mac users can't have it both ways.

Yes, they can. You see, Mac users do not all speak with a single Borgified voice. There are some Mac users that believe the scarcity of exploits is due to the better design of a Unix base. And there are actually other Mac users that believe the smaller market share makes Macs a less attractive target. Amazingly, there might even be Mac users who change their beliefs according to argument and observation. What chaos!

Necessary?

[Tatsh (893946)]

How is this news? Apple fixes flaws. Linux distro communities fix flaws too. Next time Kubuntu gets an update I'm going to make a page here.

Too bad the update sucks!

[__david__ (45671)]

I installed this update and rebooted and now it kernel panics every time I try to boot! It happens early enough that I can't even boot into single user. Grrr.....

-David

Sorry...

[BrianRagle (1016523)]

...how long has Unix existed? How many threats in the wild exist compared to oh, say, Windows? How many web servers run some variant of *nix compared to Windows and, of those servers, how many are affected by exploits and threats almost daily?

Yeah, bring that myth of "smaller user base means less of a target" one more time. I could use another good laugh.

Re:

[kurt555gs (309278)]

Because your M$ updates might have spyware, viri, trojans, etc, so it would be dangerous to notify you.

Re:I feel robbed

[Actually, I do RTFA (1058596)]

Becuase the patches are all released on the first(?) Tuesday of every month.

Why doesn't Slashdot tell me when Thanksgiving is?

5 patches in 5 months

[dj245 (732906)]

This is the 5th patch of the year. Its also the 5th month of the year (May). Apple's patches may not be evenly spaced like Microsofts, but maybe Microsoft is onto something with their one patch day a month policy. It also makes it much easier on administrators having one scheduled day for patches to count on.

Re:5 patches in 5 months

[Opportunist (166417)]

Especially when you're developing exploits for a machine. You can time them so they hit the market a day after patch, so you have a guaranteed full month before your exploit gets a fix.

Re:I feel robbed

[vslashg (209560)]

What's so special about Apple? Why can't I be notified by Slashdot when Microsoft releases patches?

Yeah, Slashdot never makes post like this about Microsoft. Certainly this article from two weeks ago [slashdot.org] has nothing to do with notable Windows security patches.

Re:I feel robbed

[mh101 (620659)]

Why can't I be notified by Slashdot when Microsoft releases patches?

Because then they would run out of room for the other stories.

Re:

[Opportunist (166417)]

You didn't get the media spin memo, right? The former is now called "life threatening" and the latter "potentially deadly".

Re:

[rgravina (520410)]

Reminds me of how I used to pick up the cat and place him right in front of the dog :) Cue the Benny Hill music!

Re:Thats unpossible!!

[Sunburnt (890890)]

Macs have no vulnerabilities, thats why people buy them....Right guys?.....RIGHT??

No, most of us just want another overpriced peripheral for our iPods.

Yeah im gettin trolled for that....

Just a hunch, but I'll bet most of your troll mods come from your sig.

Your confusion

[SuperKendall (25149)]

All systems have vulnerabilities.

Macs have no EXPLOITS (yet).

This lack of exploits, and thus they need to spend tme preventing/dealing with them, is the selling point for Macs.

You Windows people have been ever confused on the fine distinction, I guess because on Windows if there's a vulnerability there's an exploit already written and working. Us Linux and Mac users know life can be better.

Re:Your confusion

[Jeff DeMaagd (2015)]

A proof of concept exploit seems to surface about once or twice a year. I really haven't heard of one "in the wild".

Any of the above

[SuperKendall (25149)]

All of the ones you listed involve manipulating code on my computer in ways it was not meant to be run, so sure.

There have been no exploits in any of those categories in the wild. Heck, some of the proof of concept exploits don't even generally work (like the Quicktime exploit, that required I RUN AN EXPLOIT GENERATOR locally and run the generated QT file - still didn't work on any of my Macs!)

Yes...

[SuperKendall (25149)]

I've done some development (GUI and otherwise) on Linux, WIndows, and Macs - including a fair amount of X11, MFC, C, C++, Java, some C#, and some Objective C.

Linux and Macs are nice to develop for for the same reasons - the tools are great. In fact for most of my Mac programming I still use Emacs. But XCode does have a lot of things going for it, and I've been using it more and more...

I guess my main point is, if you like development for Linux I don't see why you wouldn't like Mac development since you c

Re:

[Jeff DeMaagd (2015)]

I think you have the relationship wrong. The grandparent post didn't suggest that Macs were harder or easier to program than Windows, just that GP poster prefers Linux instead.

So what

[SuperKendall (25149)]

...and the bubble of no 0-day exploits on OS X is just waiting to burst.

Yeah, and when they do - then I'll be just as poorly off as Windows users are today! So until that day, why not be better off?

Only I won't be doing as poorly as Windows users, because it will take a long time for Mac or Linux exploits to catch up to Windows exploits numerically.

Sometimes. Not always. See last month's patches. None were 0-day.

That you know of...

Re:Your confusion

[pdbaby (609052)]

the bubble of no 0-day exploits on OS X is just waiting to burst

I'm sure it'll happen eventually, but it's curious that there are no viruses on the loose that target OS X

Mac users don't account for a huge percentage of total users, but it's a large enough group -- and we're usually high-tech enough for it to be highly profitable for spammers/crackers/whatever to work for an exploit - we don't run anti-viruses, and I'm sure most non-developer mac users wouldn't even know how to find the process list, let alone figure out what's not supposed to be running.

Re:

[Lars T. (470328)]

Here's a hint: "lets remote users execute arbitary code"... I think we can safely label that one an "exploit", in your terminology. Welcome to the real world, pal.

Well, if the "remote user" wouldn't actually have to be "an attacker on the local network".

Re:

[edwardpickman (965122)]

Windows virus making you irritable? It's okay Mac users understand, it's why we're on Mac. Just take two virus checkers and make sure your firewall is set. Don't install any non Microsoft approved software and stick with Office software until your machine is feeling better. If you need to get some work done just borrow a friends Mac. When I got my first Mac a year ago I looked for a copy of anti spyware for the Mac. A friend pointed out it's like giving a nun birth control. Macs aren't a 100% secure they ju

Re:

[RealGrouchy (943109)]

Where the hell is the Microsoft comeback ad.?

Comeback to whom?

"Hey, you there! Yes, you--the small market share that makes up Apple users."

If Microsoft were to say anything about this, it would merely acknowledge, and therefore (ironically) reinforce Apple's (well OSX's) image of being resistant to viruses. Perhaps more importantly, it would also reinforce MS's image of Windows being prone to viruses.

- RG>

Re:Developers!

[ColdWetDog (752185)]

He said passion not possession.

There is a subtle difference.

Re:Not a big deal

[by Anonymous Coward]

Which OS doesn't have security vulnerabilities? For every single significant OS, the updates keep on coming. What matters is a good enough secure foundation - Apple and Linux have had that since long - they don't make users run as root.

Backend - Again, you are wrong - BSD is as best as it can get when you are talking about backends. And if it wasn't for Steve Jobs Apple would not have had OS X at all - It is based on NEXTSTEP ( http://en.wikipedia.org/wiki/NEXTSTEP [wikipedia.org] ) and without it they would have either had to live with something not up to the mark or license WindowsNT. And most people buy macs for OS X and some for the hardware quality.

Re:

[bryan1945 (301828)]

"I was a fresher"

Could you please explain what that means?

Re:Not a big deal

[The Bungi (221687)]

A degree on creating "softwares"?

Re:

[Breakfast Pants (323698)]

Certainly not one creating English.

Re:Not a big deal

[EMB Numbers (934125)]

What is it about developing software for Mac OS X that you dislike compared to Linux ?

Are you using Cocoa, Carbon, Java, BSD/POSIX APIs, X Server ?

Are you using X-Code, eclipse, something else ?

I routinely develop software for a variety of Unix systems, and I find Mac OS X just as comfortable and any other Unix. I can't think of many developer tools for Linux that is not also available for Mac OS X (Maybe the IBM/Rational Tools Suite ?). Some of the Mac OS X tools like Interface Builder, Shark, CHUD, and OpenGL Profiler are best of breed.

USB Breathalyzer

[by Anonymous Coward]

I really need to get a USB breathalyzer that prohibits me from:

A. logging in as root
B. sending email
C. posting to slashdot

if my blood alcohol level is higher than 0.15%.

Re:open the gates

[Actually, I do RTFA (1058596)]

Their main concern there I believe is that you could send the evil attachment to an unprivileged user and that could lead to elevated privileges for that user or to execute code beyond that user's privs.

Regardless of where it originates from, isn't any program that allows an unprivledged user to execute code beyond that users privledge a serious issue? Why would it have higher privledges because an e-mail client downloaded it?

Re:

[lexarius (560925)]

I've never known it to autoreboot. I don't think it has a timer on the dialog or anything like that. I usually don't want to reboot when it wants to, so I just force-quit the updater once it is done. It will reboot when I feel like it.

Re:The reboot was not appreciated...

[Kadin2048 (468275)]

She must have hit the dialog without realizing it...by default, Apple Software Update won't auto-restart, and I don't think there's any way to even enable that behavior.

By default, this is how it works:
* ASU puts up dialog showing list of installable updates; they're checked by default. Ones with restart required are marked.
* User unchecks items they don't want, presses "Install" or hits Return.
* ASU downloads and installs software. At end, flashes its own icon in the Dock as notification.
* User returns to ASU; if an update requiring restart has been installed, a modal dialog is displayed saying "The new software requires that you restart your computer..." with options "Shut Down" and "Restart." Default is 'Restart,' if user presses Return. (However, the dialog is modal only within the ASU application, you can still switch away from ASU and use the computer normally, and after clicking on it once, ASU no longer bounces in the Dock.)
* If Restart is pressed, the computer will begin the reboot process. I *think* that the process will stop if you have an application open with an unsaved document, but I haven't tested this recently.

Unfortunately, I think users are sometimes conditioned to quickly clicking the default option in any dialog they're presented with, that they sometimes don't realize until 1/4 sec after they hit it, that they just rebooted their computer.

As an aside: it's possible to avoid the reboot either by just leaving ASU in the background indefinitely (pressing Cmd-H 'hides' it so that it doesn't clutter up the UI) or by Force Quitting it, although I doubt that's recommended.

Re:The reboot was not appreciated...

[anticypher (48312)]

a modal dialog

Nope, the ASU dialog is non-modal, just like all other dialogs in OS-X. Modal means the user can do no more work on the computer until they respond. Non-Modal means the user can hide the dialog or application or switch focus and continue working. Dialogs can be modal to their application, but this is strongly discouraged as a design philosophy as well.

Yes, I am a veteran of the Modal Wars. The war is mostly over and we non-modalists and computer users everywhere won. It was a major, well understood design decision from the original OS-X architects that nothing could ever be modal in OS-X. Users who switch away from using OS-X to a system that still permits modal dialogs often comment about how jarring it is to have a modal dialog they don't understand, and being forced to make an uninformed decision before being allowed to continue working or unable even to save their work. It is a subtle but very powerful distinction about who is in control of a session, the user or the OS. Modality is just a power trip for those who hate the idea that a person sitting in front of a machine might actually know what they are doing.

the AC

Re:The reboot was not appreciated...

[namgge (777284)]

What really happened was she was presented with a dialog that clearly showed the machine would need to be rebooted if she proceeded and she then clicked the "Install Items" button. Then she was asked to authenticate as an admin user, then she was give a dialog asking for permission to reboot, which she could have ignored until a better time but didn't.

However, under no circumstances tell her this. She is your wife and this automatically makes the reboot YOUR fault. So just apologize to her and go buy flowers, you insensitive clod.

Namgge

Re:

[Elentari (1037226)]

Mine displayed a clear dialog box, containing the message 'The new software requires that you restart your computer now. Click restart to quit all applications and restart. ', so this is hardly a fault with Macs, and more a case of your bride not paying attention.

I prefer it to the Windows 'feature' that automatically shuts down your PC whether you want it to or not, even if you tell it you're going to restart later.

Re:

[biftek (145375)]

No, you're wrong. Bonjour (aka rendezvous aka mdns[responder]) listens on UDP port 5353 by default on a client install - that's how iTunes/iChat/AFP sharing find other computers. And guess what - it's one of the apps that has a local root exploit in this security update.