Apple Forcing Panther Upgrade for Security Patch 605
The Raindog writes "I noticed over at Tech Report that Apple is apparently only offering its latest round of OS X security fixes to Panther users, leaving older versions of OS X out in the cold. " Update: 10/31 by J : But see
the next day's story.
Eh? (Score:3, Insightful)
1) Stupid of Apple, if true; part of the appeal is the lower number of problems OSX has vs Windows.
2) They'll probably have a patch in a few days. If they're smart.
Dangerous Behavior... (Score:2, Insightful)
How much of this attitude until you're paying for each security update? I'm sure MS would love it if they could get away with it. A steady waterfall of cash.
I'm sure there'll be enough of an outcry to fix this behavior. I can't imagine people would tolerate this kind of BS for long.
~D
quick! someone defend Apple to the bitter end! (Score:2, Insightful)
Don't get me wrong, I love my Macs, they're all I use, but Apple fanboys make me ill.
As a long time Mac user, I'm not surprised. (Score:1, Insightful)
There are all sorts of bugs in 10.1 that Apple will has addressed in 10.2 and 10.3. That does not mean they go backwards and release patches for older OSes. They don't have the resources to do that. Many such bugs are also potential security holes.
Maybe it only applies to Panther. (Score:3, Insightful)
Possible (Score:5, Insightful)
Um.. what? (Score:4, Insightful)
Apple isn't stupid, there will be patches, and if their won't then wait until they release something about it before you start burning them in efigy.
Glad to finally find out who beleives all of the things in the tabloids
Re:But... but I thought... (Score:2, Insightful)
In other news, it should come as no surprise to anyone that a computer has a potential security flaw. Does it have a keyboard? What's that? It does have a keyboard! Why, someone could just walk in and START ACCESSING YOUR COMPUTER by simply typing on it.
On the upside, the amount of skr1p7 kiddies who are likely to find Mac exploits and use them are surprisingly small. They're more apt to want to break into Windows machines because 1) it's easier 2) it's more well-documented and 3) what they want to break in to (a friend's computer, school computers, etc) probably run Windows, statistically speaking.
Jeez... give apple at least a week (Score:5, Insightful)
Let's not get too pissy yet.
Re:As a long time Mac user, I'm not surprised. (Score:3, Insightful)
One of these days one of them is going to get seriously taken to court over this.
Either that, or the government is eventually going to have to get sw publishers to provide a warranty for their sw, like all other good are forced to have. I guess it's just up to us to stop settling for defective sw.
Driving sales verses Product support (Score:1, Insightful)
Re:Um.. what? (Score:3, Insightful)
Re:quick! someone defend Apple to the bitter end! (Score:3, Insightful)
Don't get me wrong, I love my Macs, they're all I use, but Apple fanboys make me ill."
I see this argument on slashdot all the time. It does not work. It seems to follow some of the worse arguments in popular culture. Basically it claims that since Slashdot readers take a particular position about software, they are biased and can't possibly be doing so because they have good reason to.
This is a bad argument. If you think a particular post ignores facts and make poor arguments, point them out. Don't just yell "BIAS" as a blanket acusation against every future post that expresses the position that this is not as bad as it seems. If you think the moderation system is biased, I suggest you provide evidence showing particular posts of high quality being ignored and low quality advance to an extent that you can establish their is a systemic process going on here.
Just because people here seem to currently prefer OS X to XP does not mean everything they say can be ignored under the all encompasing label of bias. Please, provide arguments, not unsuported assertions.
Apple has not made a statement (Score:5, Insightful)
Re:quick! someone defend Apple to the bitter end! (Score:5, Insightful)
RTFA (Score:4, Insightful)
Maybe you should try reading the article. And maybe moderators should, too, before modding up your comment.
Relevant section of article below, because you're too lazy to click a link:
Apple declined comment.
David Goldsmith, director of research for @stake, a security company that found four of the vulnerabilities, confirmed that Apple said it wasn't going to patch the flaws in earlier versions of the software.
"In my initial conversations with them, they said they weren't going to fix 10.2, but I wouldn't be surprised if they change that," he said.
Re:Bugtraq links (Score:3, Insightful)
David Goldsmith, director of research for @stake, a security company that found four of the vulnerabilities, confirmed that Apple said it wasn't going to patch the flaws in earlier versions of the software.
"In my initial conversations with them, they said they weren't going to fix 10.2, but I wouldn't be surprised if they change that," he said.
Re:If true, leaves Beige-G3 users out in the cold (Score:3, Insightful)
Just because you own a mac doesn't mean you can expect to have your hardware supported until the case turns to dust.
"I run Windows 95 on an older "Pentium 90", which is not supported by Windows XP. I'm enraged that Microsoft has dropped support for Windows 95 leaving all of us Pentium 90 users stuck with a system with KNOWN SECURITY HOLES."
Tech Report (Score:5, Insightful)
Is a rabidly pro-Microsoft and anti-Mac site. Just check the tone of previous stories.
You can't believe eveything you read on the 'net!
Re:quick! someone defend Apple to the bitter end! (Score:2, Insightful)
Not all OS's have a 40-hour turnaround time for bugfixes like microsoft
Wait a minute... (Score:5, Insightful)
Remember that when security issues are found in Microsoft products, Microsoft is usually notified in secret months before the issue is made public, so that they have time to develop a patch.
Summary of the first issue: a user could:
a) turn on core files, so when a process crashes it will dump core to a world-writable directory
b) mount a disk image (or presumably any other writable filesystem such as an SMB mount)
c) make a symlink in the cores directory with a particular PID in the filename, pointing to an empty file on the mounted filesystem
d) cause that particular process, which could be owned by root, to crash, overwriting the file that was linked to
e) read the resulting core file
Or skip steps b and e, and just use it as a DoS to overwrite something important, but unless you've hacked OpenFirmware to prevent booting into single-user mode or booting from CD, anyone with physical access to the machine can do this anyway.
10.3 Only Problem (Score:3, Insightful)
Re:If Microsoft did this... (Score:3, Insightful)
Unlike MS, Apple doesn't have such a gigantic installed base of, say, 8.6 users compared to Win95/98 in the MS world.
If MS said, "We're scrapping the Windows kernel and writing a new Unix-based OS (Is that a pig that just flew by?), MS would try to drop support for the old Windows, to get developers, users, and enterprises all using the same software.
Is this a good idea? Sure, if you are the maker of the software - less bugs, exploits and versions to support and fix. If you're a user of the software, it would suck - buy (licence :( new software, try and get old files to work with new programs, loss of hardware investment. Change happens, especially in the coumputer industry.
One reason I doubt that Apple will stop releasing patches for pre-Panther is on the Xtools developers' disk. There is an option to install compilers? for 10.x thru Panther. It wouldn't stand to reason that Apple would kill support for pre-Panther and include tools to develop for the older versions.
My two cents.
why don't we stop arguing and go to the source? (Score:1, Insightful)
Fortunatly... (Score:5, Insightful)
2. DMG Folder permissions can be a problem but I think the bigger problem is broken permissions on executable program distributions. Publishers and developers aren't using the right permissions.
3. The buffer overflow crashes the machine but does not dump any sensitive data- no logs only memory addresses are dumped. This is generally not sensitive information.
In addition I think it's kind of lame to say that Apple will not release security update for 10.2 perhaps they just haven't released them yet. These flaws don't seem to be terribly pertinent since they all require that you already have access to the machine, one of them requires that you dig in and enable core files another requires insecure app permissions (not Apple's fault) and a trojan and the last is an overflow which must be within narrow length limits and does not dump sensitive data.
Panther hasn't even been out a week yet.
Re:FUD (Score:0, Insightful)
That fact should speak to those saying "just give them a week, the bug was only found yesterday", too. The bugs were found quite some time ago if they are already fixed in 10.3. It's just that the group that found the bugs withheld them from public disclosure to give Apple some time to fix them.
Re:*swirls in MS logo* (Score:1, Insightful)
Re:If true, leaves Beige-G3 users out in the cold (Score:3, Insightful)
Apple is unacceptable as a server provider. (Score:5, Insightful)
Such a statement, aparently confirmed by Apple, will keep Mac OS X out of any server applications. Just imagine Sun saying something similar.
Since Oracle server is out for OS X, I had been thinking about Macs for certain server applications.
At home, I have both an iMac and a beige G3. My beige G3 is not supported under 10.3; according to Apple I cannot upgrade (until xpostfacto gets through with them). Apple just tried to put a gun to my machine's head and pull the trigger.
Because they are dropping hardware in 10.3, they need to support 10.2 indefinately.
I am not amused.
Re:Apple is unacceptable as a server provider. (Score:5, Insightful)
The original poster is right, this kind of attitude will keep serious businesses away from Apple in the server room.
Taco, why would you post such crap?? (Score:2, Insightful)
Or maybe they just wanted to test 10.2 a bit more since it is more likely to be use in production than the week-old 10.3. Either way, it is a bit of a stretch to say that Apple has massively changed their patching policy just because one patch is a bit later than some would like. Quite the big accusation; quite little evidence.
In the end, Apple gets all this negative publicity on Slashdot for no reason at all. I guess MS gets that a lot on here, but I'd expect us to be a bit kinder to our UNIX brothers.
Re:RTFA (Score:4, Insightful)
David Goldsmith was, most likely, not talking to the person within Apple who has the actual authority to decide whether a 10.2 patch will be issued or not. (He might have been. But we don't know.)
Goldsmith's comments indicate Apple will not be fixing the problems, and they are worrying. However it is a massive stretch to call them confirmation.
On the other hand, we still probably want to yell bloody murder about this, because lots of public complaining is probably the best way to convince Apple to change things..
Re:Apple is unacceptable as a server provider. (Score:2, Insightful)
That's a FAR cry from basically killing off support for a operating system that's less than a year old. It's a stupid idea, and not something I would tolerate in a server environment.
Re:Not True... (Score:3, Insightful)
Because it's on your Mac already? Because you don't want to shell out $129 for an upgrade? Because it's better than Classic?
anybody who uses their computer for work dosen't use 10.1.Umm...most Macs are in schools or homes, not work. How many schools buy OS upgrades every year? How many grandmas?
Why should they support it?Because Apple was selling it less than 18 months ago? Because if Microsoft, or RedHat, or anyone else, dropped support for an OS version that early then everyone would be screaming.
Re:Apple is unacceptable as a server provider. (Score:3, Insightful)
The assumption and heresay behind the story is pretty lame.
Re:Apple is unacceptable as a server provider. (Score:2, Insightful)
Re:Not True... (Score:3, Insightful)
Oh I see - so any user who knows how to SSH into a remote machine and run a few commands automatically knows how to download, compile and install a piece of software from source, with the correct options to get all the paths in the right places, overwriting the Apple-supplied binaries (which of course you've backed up first).
And, of course they all know the problem exists in the first place.
Right.
Comment removed (Score:2, Insightful)