Apple Forcing Panther Upgrade for Security Patch

The Raindog writes "I noticed over at Tech Report that Apple is apparently only offering its latest round of OS X security fixes to Panther users, leaving older versions of OS X out in the cold." Update: 10/31 by J: But see the next day's story.
  • Bugtraq links (Score:5, Informative)

    by chennes ( 263526 ) * on Thursday October 30, 2003 @02:56PM (#7350140) Homepage
    Here are the bugtraq links to the specific vulnerabilities:

    Arbitrary File Overwrite via Core Files [securityfocus.com]
    Systemic Insecure File Permissions [securityfocus.com]
    Long argv[] buffer overflow [securityfocus.com]

    If it is going to be Apple's policy to not provide support [apple.com] for previous operating systems from the day the new one comes out it is going to be very, very difficult for them to break into the enterprise world. Even Microsoft provides support for operating systems for a few years after the new one is released. Maybe if enough people submit a bug report [apple.com] Apple will do something about it.
  • Not True... (Score:4, Informative)

    by Anonymous Coward on Thursday October 30, 2003 @02:58PM (#7350171)
    While Apple no longer releases point releases on prior releases of OS X, they DO release Security Releases. I think we all need to give them some time to finish the patch and post the update. Apple has *never* left users out in the dark, especially with recent releases (i.e. 10.2, 10.1). I know several users who are still using 10.1 and have received several security patches.
  • Re:Bugtraq links (Score:5, Informative)

    by gclef ( 96311 ) on Thursday October 30, 2003 @03:06PM (#7350288)
    What's interesting (and/or disappointing) about this story is that all of the quotes I could see in the actual article were pulled straight from the Bugtraq thread about this. It appears that the reporter did no actual work besides paraphrasing and cut/paste from public emails.
  • by bizard ( 691544 ) on Thursday October 30, 2003 @03:07PM (#7350303)
    I can't remember anytime Apple has ever released an update for a non-current version of MacOS.
    actually, apple has been releasing 10.1 security patches all through the 10.2 lifespan. In addition they have been patching Mac OS 9 as well. This would truly be a change of attitude if it is true, but I imagine there will be enough hue and cry to fix it.
  • Re:Damn! (Score:3, Informative)

    by teamhasnoi ( 554944 ) <teamhasnoi AT yahoo DOT com> on Thursday October 30, 2003 @03:07PM (#7350310) Journal
    There is an 'up' button. Right click or Control-click on the toolbar, pick 'customize toolbar', add the 'up' button.

    There you go.

  • by Reblet ( 671563 ) on Thursday October 30, 2003 @03:08PM (#7350325)
    I'd like to think so. To quote the Apple description of the Security Update:

    Security Update 2003-10-28 addresses a potential vulnerability in the implementation of QuickTime Java in Mac OS X v10.3 and Mac OS X Server v10.3 that could allow unauthorized access to a system.

    Java got a version boost in Panther, so it's not unthinkable that a little error slipped in this version; and doesn't affect the pre-Panther systems in any way.
  • Re:Not True... (Score:5, Informative)

    by prockcore ( 543967 ) on Thursday October 30, 2003 @03:09PM (#7350338)
    oh really? Then where is the SSH patch for 10.1?
  • by neoform ( 551705 ) <djneoform@gmail.com> on Thursday October 30, 2003 @03:10PM (#7350352) Homepage
    after OS X was released OS 9 was given a final patch 9.2.2 ...
  • FUD (Score:1, Informative)

    by wtmcgee ( 113309 ) on Thursday October 30, 2003 @03:12PM (#7350386) Homepage
    the latest flaw is apparently only a 10.3 problem, hence the 10.3 only update.
  • by Mononoke ( 88668 ) on Thursday October 30, 2003 @03:12PM (#7350392) Homepage Journal
    Did anyone actually read the descriptions of these "exploits"? We're not talking about email apps that autorun incoming attachments here.

  • by BlowChunx ( 168122 ) on Thursday October 30, 2003 @03:16PM (#7350438)
    "Security Update 2003-10-28 addresses a potential vulnerability in the implementation of QuickTime Java in Mac OS X v10.3 and Mac OS X Server v10.3 that could allow unauthorized access to a system."

    So it seems that only Panther is vulnerable, and there is no need to release a patch for 10.2.x and 10.1.x.
  • by scrawny ( 75842 ) on Thursday October 30, 2003 @03:19PM (#7350474)
    not only have there been updates to 10.1 and 10.2, there have historically been updates on 'less-than-newest' MacOS versions.

    quick, what was the version of system software immediately before the release of 7.0?

    6.0.7. System 7 was released after 6.0.7 and 6.0.8 was released AFTER System 7. When MacOS X came out, how many updates were there to 9.x?
  • by cplater ( 155482 ) * on Thursday October 30, 2003 @03:21PM (#7350512) Homepage
    From http://lists.apple.com/archives/security-announce/2003/Oct/28/applesa20031028securityu.txt [apple.com] (login: archives password: archives):

    >The issue does not exist in earlier versions of Mac OS X or Mac OS X Server.
  • by Anonymous Coward on Thursday October 30, 2003 @03:22PM (#7350531)
    Typical Slashdot.

    Give it a day or two. Apple has not said that they won't be issuing the patch for Jaguar, they merely haven't released it yet. In all likelihood, a Jaguar patch will follow.

    If memory serves, they continued to issue security patches for 10.1 after Jaguar was released. I see no reason why they'd choose to alienate their customers by not doing the same for Jaguar now that Panther's out in the wild.

    Journalistic integrity on Slashdot? Yeah, I'm asking a bit much.

  • by Anonymous Coward on Thursday October 30, 2003 @03:24PM (#7350549)
    Yeah, those sneaky bastards are about to discontinue support for NT4.0 from 1996. Sounds so very similar to Apple EOLing an OS from August, 2002. Evil, evil Microsoft. They're so evil, they get accused of all the bad things that everyone else does that they don't do. Bad Microsoft! How could you leave OSX.2.x unpatched and force people to upgrade?!?!?! Bastards! Evil bastards!!!! Bad M$, BAD!
  • Re:Bugtraq links (Score:4, Informative)

    by Trillan ( 597339 ) on Thursday October 30, 2003 @03:25PM (#7350585) Homepage Journal

    Hmm. The only one that looks like it might be a problem to normal desktop users is the argv[] overflow. And that doesn't seem like much of a problem to me, since it's highly unlikely they'll hit it.

    The other two are easily fixable by users. In fact, by default they're already configured to not be an issue.

    Systemic Insecure File Permissions in particular is such a yawner as to not even be worth mentioning.

  • Re:FUD (Score:2, Informative)

    by fridgepimp ( 136338 ) on Thursday October 30, 2003 @03:42PM (#7350813) Homepage
    The problem only appears to apply to Panther. The version of QuickTime in Panther appears to be 6.4. According to this TechNote:

    http://docs.info.apple.com/article.html?artnum=93414

    QuickTime 6.4 for Jaguar (10.2) doesn't include QuickTime Java support.

    I will make the leap that a) a fix is effectively in place for Jaguar (no support for vulnerable software) and b) the issue doesn't exist in versions of QuickTime's Java support prior to 6.4.

    If all of the above is true, this is simply a big, fat FUD piece.

    --fp
  • Re:10.3 Only Problem (Score:4, Informative)

    by Phroggy ( 441 ) * <slashdot3@@@phroggy...com> on Thursday October 30, 2003 @03:46PM (#7350864) Homepage
    This is a 10.3 only problem and the writeup on this topic needs to be fixed. Jesus, look at the people who came out looking for an excuse to bash.

    You're a moron.

    The 10.3-only security issue Apple just patched has nothing whatsoever to do with what we're talking about, which is three security issues identified by @Stake that do not exist in 10.3. Sure, the summary is stupid, but that's because the article is stupid. They're saying Apple is only making the fixes available in 10.3; the truth is, the problems don't exist in 10.3 and Apple hasn't released a patch for 10.2 yet because @Stake only announced them two days ago.
  • by nek ( 534149 ) on Thursday October 30, 2003 @03:53PM (#7350950)
    As a long-time Mac user, I'm surprised at all the FUD flying around in this discussion. I remember Apple releasing OS 9 updates long after 10.1 was released. I'm still running 10.1.x at work and it's been patched many times since 10.2 came out. Has anyone from Apple actually said anything in the REAL press about not supporting 10.2 anymore? Relax, people! Of course they will patch 10.2, I'm sure a large majority of their guys are still working on 10.3 so it happened first. Breathe. Exhale. Repeat.
  • by saddino ( 183491 ) on Thursday October 30, 2003 @04:24PM (#7351285)
    This article [apple-x.net] helps put this FUD into perspective. Apple bashers need not read it, since they've already made up their minds.
  • You need to RTFA (Score:5, Informative)

    by petard ( 117521 ) on Thursday October 30, 2003 @04:33PM (#7351425) Homepage
    Most of it only speculates as to Apple's intent. Here is the only part relevant to their actual intent:

    Apple declined comment.

    Sure, they should have pronounced their intent to fix the problems but they have certainly NOT stated that the intent is to leave 10.2.x unpatched.

    The article is a bit misleading, as well. For instance, it fails to note that the @stake advisory in question (core files can be used to overwrite arbitrary files) pertains to a facility that is disabled in all Apple-supplied 10.2 installations.

    In short, they should fix it. Soon. They haven't said they won't, though, and it's been *almost* two days. I'm taking a "wait and see" approach on this one.
  • by Anonymous Coward on Thursday October 30, 2003 @04:47PM (#7351614)
    The report that you've linked to as only affecting 10.3 is CVE candidate number: CAN-2003-0871. These new issues are: CAN-2003-0895 (for the long argument induced kernel panic) and CAN-2003-0876 (for the incorrect file permission on apps and dmg files).

    Both of these are listed as affecting 10.2 and below, according to @Stake. Also, supposedly someone at Apple did tell someone at @Stake that they were not going to fix the bugs for 10.2.8. Let's hope they change their minds because $129 is a lot to pay for a security patch.

    www.atstake.com/research/advisories/2003/a102803-1.txt
    www.atstake.com/research/advisories/2003/a102803-3.txt
  • by FreeUser ( 11483 ) on Thursday October 30, 2003 @05:06PM (#7351688)
    "In my initial conversations with them, they said they weren't going to fix 10.2, but I wouldn't be surprised if they change that," he said.

    Such a statement, apparently confirmed by Apple, will keep Mac OS X out of any server applications.

    Such a statement was obviously taken out of context, carefully edited for maximum anti-Mac (and by implication pro-Microsoft) effect. As others have pointed out, the security flaw is only applicable to OS X 10.3. 10.1 and 10.2 are not vulnerable, so no patch is required.

    Let me repeat. OS X 10.1 and 10.2 are not vulnerable, so no patch is required. Saying "Apple isn't going to release patches for 10.2" without pointing out the fact is dishonest, yellow journalism on steroids, and more indicative of a marketing FUD campaign than any serious technical reporting.

    Indeed, the spin and dishonesty in the article is so severe, and the pro-Microsoft bias in the (mis)reporting of the facts so obvious, that I'm surprised even Intel zealots would buy it outright, hook-line-and-sinker, without even a thought to the contrary. The allegation itself should be setting even the most ardent Microsoft zealot's bullshit alarm off.

    And I say this as one who does most of his work on an Intel box, albeit running GNU/Linux (though I do enjoy my Apple Powerbook and OS X as well).
  • Debunked (Score:3, Informative)

    by uw_dwarf ( 611383 ) <wjjordan@oakencr ... minus physicist> on Thursday October 30, 2003 @05:29PM (#7351924)
    Apple has posted a security update [apple.com] for both 10.3 and 10.2.8.
  • Re:Bugtraq links (Score:2, Informative)

    by nosaj72 ( 615582 ) on Thursday October 30, 2003 @05:34PM (#7351989)
    Mod Parent -1 Idiot. I have a version 1 and version 2 ipod that are both formatted FAT and play itunes music store songs without a problem.
    You bought an ipod without an on the fly playlist feature and were never told you would ever have one. How is that a load of crap? They should develop software upgrades for older models they no longer sell???
  • Not true... (Score:3, Informative)

    by Randar the Lava Liza ( 562063 ) on Thursday October 30, 2003 @05:57PM (#7352263) Homepage
    If you check out the article at news.com [com.com] they mentioned:
    On Tuesday, Apple released an advisory that indicates that the Mac OS X 10.3 upgrade--which adds an improved Finder menu, better synchronization of files and a tool to help users find a specific window on a crowded desktop--also includes more than a dozen "security enhancements."

    However, Apple apparently doesn't intend to fix the flaws in previous versions of the software: Apple's Security Updates Web page doesn't list fixes for the flaws in Mac OS X 10.2 and earlier.
    So the point is that there were a dozen security updates since 10.2, some of which were mentioned in the advisory, that are fixed in Panther but have no patches available in 10.2. Not that there isn't a security hole in 10.2, there is one. Just that they don't offer a patch for it. The only fix right now is to upgrade to Panther.

    I honestly don't think that this will remain a problem, Apple has been pretty good about patching things as they come along, but the point of the article is that 10.2 IS vulnerable, with the only protection/patch being an upgrade to Panther.
  • by zurab ( 188064 ) on Thursday October 30, 2003 @06:24PM (#7352560)
    Let me repeat. OS X 10.1 and 10.2 are not vulnerable

    [...]

    Indeed, the spin and dishonesty in the article is so severe, and the pro-Microsoft bias in the (mis)reporting of the facts so obvious, that I'm surprised even Intel zealots would buy it outright, hook-line-and-sinker, without even a thought to the contrary.

    [snip bunch of Apple-ologist stuff]

    Nonsense. If you actually look up bugtraq reports by @stake, you will see all OS X versions 10.2.8 and below are vulnerable. Here [securityfocus.com], here [securityfocus.com] and here [securityfocus.com].
  • MOD PARENT DOWN (Score:3, Informative)

    by Phroggy ( 441 ) * <slashdot3@@@phroggy...com> on Thursday October 30, 2003 @06:30PM (#7352624) Homepage
    Let me repeat. OS X 10.1 and 10.2 are not vulnerable, so no patch is required.

    Does ANYONE read the articles? Apple recently released a security patch for a completely unrelated security issue in 10.3 that does not apply to 10.2, and everyone assumes that's what this is about, even though this article is about three COMPLETELY DIFFERENT security issues that @Stake found in 10.2 that do NOT exist in 10.3 that Apple HAS NOT YET released patches for.
  • by Danta ( 2241 ) on Thursday October 30, 2003 @08:04PM (#7353513) Homepage
    As others have pointed out, the security flaw is only applicable to OS X 10.3. 10.1 and 10.2 are not vulnerable, so no patch is required.

    I hate to sound rude but that is just pure BS. A shame to slashdot that you could achieve a +5 for that cr*p. Instead of your generalized disinformation here are the facts: Take a look at CAN-2003-0877 [securityfocus.com]. To quote:
    Recommendation:

    1) Upgrade to Panther (Mac OS X 10.3).

    Now if the vulnerability only existed in 10.3, how come you are supposed to update to 10.3 in order to fix it?

    Now take a look at the Apple Security Updates [apple.com] page. Is the fix for CAN-2003-0877 listed under 10.2.8? No. It's only under 10.3.

    Take a look at this comment [slashdot.org] for more links to vulnerabilities that exist under 10.2 but are only fixed for 10.3.

    To all the mods who modded the parent up: Shame on you! It contains not one link to any evidence. A statement like "As others have pointed out..." without any further specification is a generalization and stinks of disinformation.
