
Apple Forcing Panther Upgrade for Security Patch

Posted by CmdrTaco
from the well-thats-a-bit-stingy dept.
The Raindog writes "I noticed over at Tech Report that Apple is apparently only offering its latest round of OS X security fixes to Panther users, leaving older versions of OS X out in the cold." Update: 10/31 by J: But see the next day's story.
  • I thought only windows was insecure...
  • Eh? (Score:3, Insightful)

    by 1010011010 (53039) on Thursday October 30, 2003 @02:55PM (#7350130) Homepage

    1) Stupid of Apple, if true; part of the appeal is the lower number of problems OSX has vs Windows.

    2) They'll probably have a patch in a few days. If they're smart.

    • by emil (695) on Thursday October 30, 2003 @03:42PM (#7350803) Homepage
      David Goldsmith, director of research for @stake, a security company that found four of the vulnerabilities, confirmed that Apple said it wasn't going to patch the flaws in earlier versions of the software.

      "In my initial conversations with them, they said they weren't going to fix 10.2, but I wouldn't be surprised if they change that," he said.

      Such a statement, apparently confirmed by Apple, will keep Mac OS X out of any server applications. Just imagine Sun saying something similar.

      Since Oracle server is out for OS X, I had been thinking about Macs for certain server applications.

      At home, I have both an iMac and a beige G3. My beige G3 is not supported under 10.3; according to Apple I cannot upgrade (until xpostfacto gets through with them). Apple just tried to put a gun to my machine's head and pull the trigger.

      Because they are dropping hardware in 10.3, they need to support 10.2 indefinitely.

      I am not amused.

  • by anaphora (680342) * on Thursday October 30, 2003 @02:55PM (#7350131) Journal
    Meanwhile at Microsoft HQ...

    Gates: Damnit! Apple stole our idea to no longer support old versions of Operating Systems and force everyone to upgrade! Lawyer #1, isn't that illegal? Let's get a suit together!
  • Bugtraq links (Score:5, Informative)

    by chennes (263526) * on Thursday October 30, 2003 @02:56PM (#7350140) Homepage
    Here are the bugtraq links to the specific vulnerabilities:

    Arbitrary File Overwrite via Core Files [securityfocus.com]
    Systemic Insecure File Permissions [securityfocus.com]
    Long argv[] buffer overflow [securityfocus.com]

    If it is going to be Apple's policy to not provide support [apple.com] for previous operating systems from the day the new one comes out it is going to be very, very difficult for them to break into the enterprise world. Even Microsoft provides support for operating systems for a few years after the new one is released. Maybe if enough people submit a bug report [apple.com] Apple will do something about it.
    • Re:Bugtraq links (Score:5, Informative)

      by gclef (96311) on Thursday October 30, 2003 @03:06PM (#7350288)
      What's interesting (and/or disappointing) about this story is that all of the quotes I could see in the actual article were pulled straight from the Bugtraq thread about this. It appears that the reporter did no actual work besides paraphrasing and cut/paste from public emails.
      • Re:Bugtraq links (Score:3, Insightful)

        by Anonymous Coward
        What's interesting is that you somehow missed this part of the article:

        David Goldsmith, director of research for @stake, a security company that found four of the vulnerabilities, confirmed that Apple said it wasn't going to patch the flaws in earlier versions of the software.

        "In my initial conversations with them, they said they weren't going to fix 10.2, but I wouldn't be surprised if they change that," he said.
    • Re:Bugtraq links (Score:2, Flamebait)

      by jafac (1449)
      I just got through a rough BSOD incident with NT 4.0 - Although I wouldn't call the assistance I got from Microsoft "helpful", it did technically qualify as "support".

      But Apple's really going to have to get their sh1t together on this - or they'll never be taken seriously in the Enterprise.

      Now that I think about it - I don't think Apple's ever really put any thought at all to that anyway. The XServe's basically a prosumer device to appeal to the geeks who've always wanted a rack system in their home. You
      • by thatguywhoiam (524290) on Thursday October 30, 2003 @03:50PM (#7350916)
        All over this thread, I keep seeing comments like:

        But Apple's really going to have to get their sh1t together on this - or they'll never be taken seriously in the Enterprise.

        WTF is it with you geeks and Star Trek? Listen carefully: IT'S NOT REAL, IT'S JUST A SHOW. Why, the Starfleet or whatever would no more use Apple Computers on the Enterprise than any modern PC, the whole idea is abs--

        MAN TAPS NARRATOR ON SHOULDER, WHISPERS URGENTLY

        ....Ah. I see.

        Er, carry on.

    • Re:Bugtraq links (Score:4, Informative)

      by Trillan (597339) on Thursday October 30, 2003 @03:25PM (#7350585) Homepage Journal

      Hmm. The only one that looks like it might be a problem to normal desktop users is the argv[] overflow. And that doesn't seem like much of a problem to me, since it's highly unlikely they'll hit it.

      The other two are easily fixable by users. In fact, by default they're already configured to not be an issue.

      Systemic Insecure File Permissions in particular is such a yawner as to not even be worth mentioning.

    • Fortunately... (Score:5, Insightful)

      by ProfessionalCookie (673314) on Thursday October 30, 2003 @03:33PM (#7350685) Journal
      1. Core Files are disabled by default. So unless you've enabled them you should be ok.

      2. DMG Folder permissions can be a problem but I think the bigger problem is broken permissions on executable program distributions. Publishers and developers aren't using the right permissions.

      3. The buffer overflow crashes the machine but does not dump any sensitive data- no logs only memory addresses are dumped. This is generally not sensitive information.

      In addition I think it's kind of lame to say that Apple will not release security update for 10.2 perhaps they just haven't released them yet. These flaws don't seem to be terribly pertinent since they all require that you already have access to the machine, one of them requires that you dig in and enable core files another requires insecure app permissions (not Apple's fault) and a trojan and the last is an overflow which must be within narrow length limits and does not dump sensitive data.

      Panther hasn't even been out a week yet.
  • Woah (Score:4, Funny)

    by kcornia (152859) on Thursday October 30, 2003 @02:56PM (#7350151) Journal
    Did MS buy Apple when I wasn't paying attention?

  • Ouch. (Score:3, Interesting)

    by DrEldarion (114072) on Thursday October 30, 2003 @02:56PM (#7350155)
    I remember how people reacted when they found out that Microsoft was going to stop patching Win98. At least they had the decency to wait 5 years. OSX is a really new product, why would they stop putting patches out so soon?
  • "You didn't pay up when we wanted to, and so now you're screwed."

    How much of this attitude until you're paying for each security update? I'm sure MS would love it if they could get away with it. A steady waterfall of cash.

    I'm sure there'll be enough of an outcry to fix this behavior. I can't imagine people would tolerate this kind of BS for long.

    ~D
    • I can't imagine people would tolerate this kind of BS for long.


      In case you haven't noticed, Mac users have been tolerating this for years. They're constantly being dicked over and locked in, but they still WAIT IN LINE at midnight the day before an Apple product is released to fork over their hard earned money again and again. This is truly a new level of fanaticism that I've never seen in *any* other consumer product.
  • If MS did this, the /. crowd would scream bloody murder (hell, they have... and y'all have.) But you know Apple apologists are going to have some reason why this is OK for them to do, and try to make it out like Apple is still the good guy, no matter what.

    Don't get me wrong, I love my Macs, they're all I use, but Apple fanboys make me ill.
    • " If MS did this, the /. crowd would scream bloody murder (hell, they have... and y'all have.) But you know Apple apologists are going to have some reason why this is OK for them to do, and try to make it out like Apple is still the good guy, no matter what.

      Don't get me wrong, I love my Macs, they're all I use, but Apple fanboys make me ill."

      I see this argument on slashdot all the time. It does not work. It seems to follow some of the worse arguments in popular culture. Basically it claims that since Slas
    • by TheRaven64 (641858) on Thursday October 30, 2003 @03:13PM (#7350393) Journal
      While I won't defend them to the bitter end, I would rather that we waited to hear a statement from Apple saying that they have no plans to continue to support 10.2. So far, we have:
      1. Apple has not yet released security fixes for 10.2
      2. Apple have not officially stated that they are not going to.
      3. Someone claims that Apple told him that they would not support 10.2
      It seems a little early to be jumping to the conclusion that they will not support an OS a week after releasing the successor. To do so would be incredibly stupid, and I find it hard to imagine that Apple would intentionally shoot themselves in the foot like this.
    • First of all, Apple hasn't done (or not done) anything wrong. The exploit was publicized 3 days ago. Odds are they are working on a patch, it just isn't ready in 3 days. At the point, the publicity generated is enough to make them release a patch even if they weren't planning one (which I find unlikely, given that panther is less than a week old).

      Not all OS's have a 40-hour turnaround time for bugfixes like microsoft ;-)
  • by KD5YPT (714783) on Thursday October 30, 2003 @02:58PM (#7350170) Journal
    I'm no expert. But is there a possibility that it is only possible to patch this security hole on Panther?
  • Not True... (Score:4, Informative)

    by Anonymous Coward on Thursday October 30, 2003 @02:58PM (#7350171)
    While Apple no longer releases point releases on prior releases of OS X, they DO release Security Releases. I think we all need to give them some time to finish the patch and post the update. Apple has *never* left users out in the dark, especially with recent releases (i.e. 10.2, 10.1). I know several users who are still using 10.1 and have received several security patches.
    • Re:Not True... (Score:5, Informative)

      by prockcore (543967) on Thursday October 30, 2003 @03:09PM (#7350338)
      oh really? Then where is the SSH patch for 10.1?
  • Damn! (Score:3, Funny)

    by Jackmon (170028) on Thursday October 30, 2003 @02:58PM (#7350183)
    ... and I was gonna boycott Panther until they added an 'up' button to the Finder. Oh, well..
  • Possible (Score:5, Insightful)

    by mojowantshappy (605815) on Thursday October 30, 2003 @02:59PM (#7350195)
    Isn't it possible that they just haven't released the 10.2 patch yet?
  • by Anonymous Coward
    of screwing its own customers. I learned that well -- I bought a @&#* Newton.
  • Um.. what? (Score:4, Insightful)

    by norkakn (102380) on Thursday October 30, 2003 @02:59PM (#7350202)
    Some third party news site is making a claim that apple didn't have a comment in and we are supposed to take that to mean that it is true?

    Apple isn't stupid, there will be patches, and if there won't then wait until they release something about it before you start burning them in effigy.

    Glad to finally find out who believes all of the things in the tabloids
    • Re:Um.. what? (Score:3, Insightful)

      by davebo (11873)
      Well, considering they've left unpatched the SSH bugs in 10.1 (which was released Sept. 2001) for which 10.2 fixes were released a month ago, I'd say history lies on the side of those claiming no more updates.
    • RTFA (Score:4, Insightful)

      by greygent (523713) on Thursday October 30, 2003 @03:15PM (#7350421) Homepage
      Some third party news site is making a claim that apple didn't have a comment in and we are supposed to take that to mean that it is true?


      Maybe you should try reading the article. And maybe moderators should, too, before modding up your comment.

      Relevant section of article below, because you're too lazy to click a link:

      Apple declined comment.

      David Goldsmith, director of research for @stake, a security company that found four of the vulnerabilities, confirmed that Apple said it wasn't going to patch the flaws in earlier versions of the software.

      "In my initial conversations with them, they said they weren't going to fix 10.2, but I wouldn't be surprised if they change that," he said.
      • Re:RTFA (Score:4, Insightful)

        by mcc (14761) <amcclure@purdue.edu> on Thursday October 30, 2003 @04:46PM (#7351603) Homepage
        David Goldsmith is not a representative of Apple.

        David Goldsmith was, most likely, not talking to the person within Apple who has the actual authority to decide whether a 10.2 patch will be issued or not. (He might have been. But we don't know.)

        Goldsmith's comments indicate Apple will not be fixing the problems, and they are worrying. However it is a massive stretch to call them confirmation.

        On the other hand, we still probably want to yell bloody murder about this, because lots of public complaining is probably the best way to convince Apple to change things..
  • by Octagon Most (522688) on Thursday October 30, 2003 @03:01PM (#7350223)
    This is a typical Apple bluff. Of course they want everyone to upgrade (and pay $129 yet again), and hope to encourage users to do so with new features (such as the drool-worthy Expose). Apple has many times tried to cut off support for earlier versions of an OS and had to eventually relent. Sometimes it takes a lawsuit for them to do so. OS X is just getting some great press so it would be very damaging if the bad press from this decision serves to highlight a security vulnerability in what is otherwise being lauded as much more secure by design than any flavor of Windows. Expect Apple to quietly issue a patch for 10.2.
  • by NickV (30252) on Thursday October 30, 2003 @03:02PM (#7350231)
    This bug was found and reported on three days ago. I don't think Apple has issued a statement saying they will or will not release a patch. Everyone seems to be acting like there will be no patch like Apple has issued a statement to that effect.

    Let's not get too pissy yet.
    • Actually, it was reported to Apple in June/July, according to the @stake folks. Quoting Chris Wysopal's post to Bugtraq: "The DMG file issue was reported in June, 2003 and the core overwrite issue was reported on 7/25/2003. I don't have a recorded notification date for the long argv issue."
  • How many of these security fixes in the new update are related to the OS?

    I don't see why anybody aware of the open source technologies that underpin OS X couldn't just locate and apply the fixes themselves. The users who don't know how can pay for the convenience of continued consumer-level support. As for the OS specific security concerns, is it unreasonable to expect an upgrade when there is a new OS release?

  • by coolmacdude (640605) on Thursday October 30, 2003 @03:05PM (#7350278) Homepage Journal
    From TFA: Other vulnerabilities could allow a local or remote user to crash the system.

    Lol, I'd love to see the patch they came up with for preventing a local user from crashing the system.
  • This hasn't been a good followup week for Panther. First the upgrade issues, then the abysmal transfer rate of the belkin iPod media transfer thingy, now this security update fiasco.

    Stebe, please save us with all your messiah powers. We want to bask in the glory of your healing rays!

  • by jason.hall (640247) on Thursday October 30, 2003 @03:07PM (#7350306)
    Whoa, slow down - Apple has not said they aren't going to support 10.2 Jaguar. I'd be willing to bet they simply released the Panther patch first.
  • by tmoertel (38456) on Thursday October 30, 2003 @03:09PM (#7350334) Homepage Journal
    I, like many other folks, run OS X 10.2 (Jaguar) on an older, "Beige" G3, which is not supported by Panther. Unless Apple provides security patches for Jaguar in addition to Panther, Beige-G3 owners like me will be stuck with an OS that had known security holes and no reasonable way to plug the holes.

    That's so wrong that I have a hard time believing that this is actually Apple's position. I expect that we'll hear from Apple shortly, and they will clarify their position -- that the patches for 10.2 will be out Real Soon Now.

    But if not, Apple's going to get a lot of bad PR from this.

    • I, like many other folks, run OS X 10.2 (Jaguar) on an older, "Beige" G3, which is not supported by Panther.

      Just because you own a mac doesn't mean you can expect to have your hardware supported until the case turns to dust.

      "I run Windows 95 on an older "Pentium 90", which is not supported by Windows XP. I'm enraged that Microsoft has dropped support for Windows 95 leaving all of us Pentium 90 users stuck with a system with KNOWN SECURITY HOLES."

      • Close, but you took an extreme when the extreme is not representative of what's actually going on. He is running OSX 10.2 so a more accurate comparison would be Windows 2000 or ME depending on your chosen flavor.

        A quick search shows security updates for 2000 as recently as 10/29/03 and ME as recently as 10/14/03. I am running neither of these OS's so this is just checking the website; there may be more from the windows update service itself. Check please.
    • One of the reasons that people often justify Mac purchases is that the hardware has greater longevity than x86 stuff.

      If people like you are stuck in this sort of 'bind', then that is no longer true.

      I was thinking about purchasing an older, 'Beige' G3 on e-bay to play with OS X----does this affect all models (ie does Panther not work on all Beige G3s?)
    • You may actually be able to install panther on the beige (either wait for X-Postfacto or try it yourself) it's just that Apple won't support your questions about it.
    • The Beige G3 is a 6 year old computer. Think about that for a minute...

  • I just looked at the BUGTRAQ mailings, and I get the impression that you need physical access to the computer to break in to it. Have I got that right? I'm no expert, but I've always assumed that given physical access to a computer, a decent hacker could easily have their evil way with it. Of course that doesn't excuse Apple's failure to provide a patch and their rather glib upgrade suggestions.
  • by CraigCourtney (21316) on Thursday October 30, 2003 @03:11PM (#7350364)
    While this could be true, Apple has not made an official statement that I know of. Someone saying they talked to someone at Apple does not make policy. It is entirely possible that Apple has just concentrated all resources to get Panther out the door. No work was allowed on previous versions until it was done. It's just as plausible as the radical they won't fix Jaguar. Until Apple states their official policy people shouldn't fly off the handle.
  • Security Fixes already?

    wtf?
    • Yes, it's like a bug only it has extra buzzword-compliance.

      I look forward to your frequent posts of

      "Bug Fixes already? wtf?"
  • by Mononoke (88668) on Thursday October 30, 2003 @03:12PM (#7350392) Homepage Journal
    Did anyone actually read the descriptions of these "exploits"? We're not talking about email apps that autorun incoming attachments here.

  • All the more reason to turn to piracy. I'm sure a lot of people that would have stuck with their existing version of OS X are going to just pirate a newer version. The amount of piracy in response to this dumb move from apple will probably exponentially outweigh the amount of legal upgrades.
  • by BlowChunx (168122) on Thursday October 30, 2003 @03:16PM (#7350438)
    "Security Update 2003-10-28 addresses a potential vulnerability in the implementation of QuickTime Java in Mac OS X v10.3 and Mac OS X Server v10.3 that could allow unauthorized access to a system."

    So it seems that only Panther is vulnerable, and there is no need to release a patch for 10.2.x and 10.1.x.
  • I guess I'm going to be modded as flamebait...

    But...

    If I had to upgrade my OS every year in order to get the latest security patches, I would shit a brick.

    Seriously.

    I'm glad that all the machines in my office get automatic patches from SuSE. I spend enough time screwing around with the applications on my system.

    If my OS works, I don't want to have to upgrade it. I don't care how easy it is, I don't care how much cool stuff comes with it.

    That's what my 'test-bed' (read toy) systems at home are for.

    Whe
  • and I think so because of this:

    I upgraded my machine at home 10.2.8->10.3. Unfortunately, one piece of software would not work (Silverfast SE, my scanner software. It would not detect the scanner even though the System Profiler showed that it was at SCSI address 2).

    It was easy to downgrade to 10.2, then run software update to get back to the 10.2.8 system. Then I realized that there were security updates for 10.3 that were unavailable to me. My choice is security updates, or using my scanner. For now,
  • Tech Report (Score:5, Insightful)

    by CountBrass (590228) on Thursday October 30, 2003 @03:19PM (#7350482)

    Is a rabidly pro-Microsoft and anti-Mac site. Just check the tone of previous stories.

    You can't believe everything you read on the 'net!

  • "'In my initial conversations with them, they said they weren't going to fix 10.2, but I wouldn't be surprised if they change that,' he said."
    "'...this is the first time they have hinted that they will not be supporting any particular OS X version for more than that year...'"
    Though Apple has been slow in providing updates to fully support their hardware in OS X (e.g. the ATI driver issue), this story is based on speculation on the part of the people interviewed. Also, there is no comment from Apple, so muc
  • by masonbrown (208074) on Thursday October 30, 2003 @03:19PM (#7350485) Homepage
    From the site at @stake [atstake.com]....

    Release: 10.28.03
    Name: Long argv[] Buffer Overflow
    Application: Mac OS X
    Platforms: Mac OS X 10.2.8 and below
    Severity: Attacker can crash Mac OS X and possibly execute commands as root
    Author: Matt Miller and Dave G.
    Overview: It is possible to cause the Mac OS X kernel to crash by specifying a long command line argument. While this primarily affects local users there may be conditions where this situation is remotely exploitable if a program which receives network input spawns another process with user input. It is possible to use this condition to dump small portions of memory back to an attacker.

    Release: 10.28.03
    Name: Systemic Insecure File Permissions
    Application: Finder (and many others)
    Platforms: Mac OS X 10.2.8 and below
    Severity: High
    Author: Dave G.
    Overview: Many applications are installed onto Mac OS X systems with insecure file permissions. This is due to two distinct classes of problems:

    A security issue regarding DMG files managed by Mac OS X
    Insecure file permissions packaged by different vendors
    The result is that many of the files and directories that compose various applications are globally writable. This allows attackers with filesystem access to an OS X machine to replace binaries and obtain additional privileges from unsuspecting users, who may run the replaced version of the binary.

    Release: 10.28.03
    Name: Arbitrary File Overwrite via Core Files
    Application: Kernel
    Platforms: Mac OS X 10.2.8 and below
    Severity: High
    Author: Dave G.
    Overview: In the event a system is running with core files enabled, attackers with interactive shell access can overwrite arbitrary files, and read core files created by root owned processes. This may result in sensitive information like authentication credentials being compromised.

    Yeah, they're bugs, and yeah, it's possible. But don't these phrases kinda limit the scope?

    "While this primarily affects local users"

    "This allows attackers with filesystem access"

    "attackers with interactive shell access"

    So to me this doesn't mean the end of the world, or that all my data is wide open and exploitable from the public internet. I'm guessing they'll patch it when they can, and the fact that it's patched in X.3 probably means they're using a different release of the software in question that is inherently invulnerable to these issues.
  • Whenever a Microsoft or Linux hole appears, the Apple extremists come out of the woodwork, talking about how "If Apple was the majority player, not MS, none of this would happen." Well, guess what. If Apple was the majority player, this would have just screwed the majority of computer users.

    True, when Blaster was running rampant, MS refused to patch NT4 systems. But, those systems were not 1 year old either. This behavior is completely irresponsible of Apple, and should be a good example of why, even thoug

  • Wait a minute... (Score:5, Insightful)

    by Phroggy (441) * <slashdot3&phroggy,com> on Thursday October 30, 2003 @03:21PM (#7350511) Homepage
    The same security company who recently fired an employee for publishing a paper saying Windows is insecure because it could damage the company's relationship with Microsoft has now identified three security issues in Mac OS X 10.2, which do not exist in 10.3. They made this announcement two days ago, and people are screaming that Apple is screwing their customers because they haven't released a patch within two days. Because 10.3 is not affected by these issues, upgrading to 10.3 would be one solution. Another solution would be to wait until Apple develops and tests a security patch for 10.2, which will probably take them about a week.

    Remember that when security issues are found in Microsoft products, Microsoft is usually notified in secret months before the issue is made public, so that they have time to develop a patch.

    Summary of the first issue: a user could:
    a) turn on core files, so when a process crashes it will dump core to a world-writable directory
    b) mount a disk image (or presumably any other writable filesystem such as an SMB mount)
    c) make a symlink in the cores directory with a particular PID in the filename, pointing to an empty file on the mounted filesystem
    d) cause that particular process, which could be owned by root, to crash, overwriting the file that was linked to
    e) read the resulting core file

    Or skip steps b and e, and just use it as a DoS to overwrite something important, but unless you've hacked OpenFirmware to prevent booting into single-user mode or booting from CD, anyone with physical access to the machine can do this anyway.
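
Added example, not part of the thread or of @stake's advisories: a defender-side audit, in shell, for two conditions described in the advisory text quoted above, application files or directories that any local user can modify, and symbolic links sitting in a core-dump directory. The function names, the sample bundle and the temporary paths are constructed for illustration.

```shell
#!/bin/sh
# Added audit example. Every path and file below is constructed sample data.

# Print regular files under DIR that any local user may modify in place.
world_writable_files() {
    find "$1" -type f -perm -002 -print 2>/dev/null | sort
}

# Print directories under DIR that are world-writable WITHOUT the sticky bit.
# Any local user can delete or rename entries in such a directory, so a
# binary inside it can be swapped even when the binary itself is mode 755.
replaceable_dirs() {
    find "$1" -type d -perm -002 ! -perm -1000 -print 2>/dev/null | sort
}

# Print "link -> target" for every symlink directly inside a core-dump
# directory. A core file is written with the crashing process's privileges,
# so a link waiting here is worth investigating before anything dumps core.
core_dir_symlinks() {
    dir=$1
    for entry in "$dir"/* "$dir"/.[!.]*; do
        if [ -L "$entry" ]; then
            printf '%s -> %s\n' "$entry" "$(readlink "$entry")"
        fi
    done
}

# Build a constructed sample tree (a fake application bundle plus a fake
# core directory) in a temporary location and print its root path.
make_sample_tree() {
    root=$(mktemp -d "${TMPDIR:-/tmp}/permaudit.XXXXXX") || return 1
    app="$root/Sample.app/Contents"
    mkdir -p "$app/MacOS" "$app/Resources" "$root/cores"
    printf '#!/bin/sh\n' > "$app/MacOS/sample"
    printf 'data\n' > "$app/Resources/prefs.plist"
    chmod 755 "$root/Sample.app" "$app" "$app/Resources"
    chmod 777 "$app/MacOS"                 # directory anyone can rewrite
    chmod 755 "$app/MacOS/sample"          # the file's own mode looks fine
    chmod 666 "$app/Resources/prefs.plist" # file anyone can modify
    chmod 1777 "$root/cores"               # sticky, like /tmp
    : > "$root/victim"
    : > "$root/cores/core.456"
    ln -s "$root/victim" "$root/cores/core.123"
    printf '%s\n' "$root"
}

# Stand-alone demonstration on the constructed tree.
sample=$(make_sample_tree)
echo "World-writable files:"
world_writable_files "$sample/Sample.app"
echo "Directories whose contents any user can replace:"
replaceable_dirs "$sample/Sample.app"
echo "Symlinks in the core directory:"
core_dir_symlinks "$sample/cores"
rm -rf "$sample"
```

On a real system the first two functions would be pointed at the directory holding installed applications and the third at whichever directory the system writes core files to.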
  • by cplater (155482) * on Thursday October 30, 2003 @03:21PM (#7350512) Homepage
    From http://lists.apple.com/archives/security-announce/2003/Oct/28/applesa20031028securityu.txt [apple.com] (login: archives password:archives):

    >The issue does not exist in earlier versions of Mac OS X or Mac OS X Server.
  • by Anonymous Coward
    Typical Slashdot.

    Give it a day or two. Apple has not said that they won't be issuing the patch for Jaguar, they merely haven't released it yet. In all likelihood, a Jaguar patch will follow.

    If memory serves, they continued to issue security patches for 10.1 after Jaguar was released. I see no reason why they'd choose to alienate their customers by not doing the same for Jaguar now that Panther's out in the wild.

    Journalistic integrity on Slashdot? Yeah, I'm asking a bit much.

  • (Cupertino, CA) In other news, Apple announced three new viruses which attack older versions of the MacOS operating system. "Users who have purchased our latest upgrades should not experience any problems", reported an Apple spokesman. "Customers who purchase new computers during the 2003 holiday season are already protected. At least until next year."

    The new viruses will be shipping worldwide in early 2004.

  • 10.3 Only Problem (Score:3, Insightful)

    by Goo.cc (687626) * on Thursday October 30, 2003 @03:24PM (#7350557)
    This is a 10.3 only problem and the writeup on this topic needs to be fixed. Jesus, look at the people who came out looking for an excuse to bash.
    • Re:10.3 Only Problem (Score:4, Informative)

      by Phroggy (441) * <slashdot3&phroggy,com> on Thursday October 30, 2003 @03:46PM (#7350864) Homepage
      This is a 10.3 only problem and the writeup on this topic needs to be fixed. Jesus, look at the people who came out looking for an excuse to bash.

      You're a moron.

      The 10.3-only security issue Apple just patched has nothing whatsoever to do with what we're talking about, which is three security issues identified by @Stake that do not exist in 10.3. Sure, the summary is stupid, but that's because the article is stupid. They're saying Apple is only making the fixes available in 10.3; the truth is, the problems don't exist in 10.3 and Apple hasn't released a patch for 10.2 yet because @Stake only announced them two days ago.
  • ...Tech Report is a site that capitalizes on hearsay and likes to spread FUD. Avoid in future.
  • by Raptor CK (10482) on Thursday October 30, 2003 @03:31PM (#7350652) Journal
    So, you mean that a vulnerability in 10.3 has to exist in 10.2?

    It's not at all possible that with new functionality comes new bugs?

    The very title of this story indicates a lack of proper investigative journalism. Of course, this is /., so I'm not at all surprised.
  • by saddino (183491) on Thursday October 30, 2003 @04:24PM (#7351285)
    This article [apple-x.net] helps put this FUD into perspective. Apple bashers need not read it, since they've already made up their minds.
  • Debunked (Score:3, Informative)

    by uw_dwarf (611383) <wjjordan@oakencros s . ca> on Thursday October 30, 2003 @05:29PM (#7351924)
    Apple has posted a security update [apple.com] for both 10.3 and 10.2.8.
