
Apple Forcing Panther Upgrade for Security Patch

The Raindog writes "I noticed over at Tech Report that Apple is apparently only offering its latest round of OS X security fixes to Panther users, leaving older versions of OS X out in the cold." Update: 10/31 by J: But see the next day's story.
  • Eh? (Score:3, Insightful)

    by 1010011010 ( 53039 ) on Thursday October 30, 2003 @02:55PM (#7350130) Homepage

    1) Stupid of Apple, if true; part of the appeal is the lower number of problems OSX has vs Windows.

    2) They'll probably have a patch in a few days. If they're smart.

  • by Dracolytch ( 714699 ) on Thursday October 30, 2003 @02:57PM (#7350158) Homepage
    "You didn't pay up when we wanted to, and so now you're screwed."

    How much of this attitude until you're paying for each security update? I'm sure MS would love it if they could get away with it. A steady waterfall of cash.

    I'm sure there'll be enough of an outcry to fix this behavior. I can't imagine people would tolerate this kind of BS for long.

    ~D
  • by wankledot ( 712148 ) on Thursday October 30, 2003 @02:57PM (#7350160)
    If MS did this, the /. crowd would scream bloody murder (hell, they have... and y'all have.) But you know Apple apologists are going to have some reason why this is OK for them to do, and try to make it out like Apple is still the good guy, no matter what.

    Don't get me wrong, I love my Macs, they're all I use, but Apple fanboys make me ill.
  • by soft_guy ( 534437 ) on Thursday October 30, 2003 @02:57PM (#7350165)
    I can't remember anytime Apple has ever released an update for a non-current version of MacOS. They always assume that you should update to the latest version that you can run on your machine.

    There are all sorts of bugs in 10.1 that Apple has addressed in 10.2 and 10.3. That does not mean they go backwards and release patches for older OSes. They don't have the resources to do that. Many such bugs are also potential security holes.
  • by KD5YPT ( 714783 ) on Thursday October 30, 2003 @02:58PM (#7350170) Journal
    I'm no expert. But is there a possibility that it is only possible to patch this security hole on Panther?
  • Possible (Score:5, Insightful)

    by mojowantshappy ( 605815 ) on Thursday October 30, 2003 @02:59PM (#7350195)
    Isn't it possible that they just haven't released the 10.2 patch yet?
  • Um.. what? (Score:4, Insightful)

    by norkakn ( 102380 ) on Thursday October 30, 2003 @02:59PM (#7350202)
    Some third party news site is making a claim that apple didn't have a comment in and we are supposed to take that to mean that it is true?

    Apple isn't stupid, there will be patches, and if there won't then wait until they release something about it before you start burning them in effigy.

    Glad to finally find out who believes all of the things in the tabloids
  • by Lane.exe ( 672783 ) on Thursday October 30, 2003 @03:00PM (#7350207) Homepage
    All who are under the influence of the fabled Reality Distortion Field still believe their Macs are inherently safe. Remove your tin hat and soon your fears will be eased.

    In other news, it should come as no surprise to anyone that a computer has a potential security flaw. Does it have a keyboard? What's that? It does have a keyboard! Why, someone could just walk in and START ACCESSING YOUR COMPUTER by simply typing on it.

    On the upside, the amount of skr1p7 kiddies who are likely to find Mac exploits and use them are surprisingly small. They're more apt to want to break into Windows machines because 1) it's easier 2) it's more well-documented and 3) what they want to break in to (a friend's computer, school computers, etc) probably run Windows, statistically speaking.

  • by NickV ( 30252 ) on Thursday October 30, 2003 @03:02PM (#7350231)
    This bug was found and reported on three days ago. I don't think Apple has issued a statement saying they will or will not release a patch. Everyone seems to be acting like there will be no patch like Apple has issued a statement to that effect.

    Let's not get too pissy yet.
  • by Sebby ( 238625 ) on Thursday October 30, 2003 @03:02PM (#7350234)
    So, we're stuck with 'defective' products (like most other sw publishers provide these days...)

    One of these days one of them is going to get seriously taken to court over this.

    Either that, or the government is eventually going to have to get sw publishers to provide a warranty for their sw, like all other goods are forced to have. I guess it's just up to us to stop settling for defective sw.

  • by OSeXy ( 719129 ) on Thursday October 30, 2003 @03:03PM (#7350243) Homepage
    On the surface, it seems a bad move not to offer patches to Jaguar (10.2.x) users. If the assumption is correct, that Apple is indeed withholding a patch simply to spur sales of Panther (10.3), it borders on bad ethics. There are many users of now unsupported hardware that won't run Panther who rely on their Macs to earn a living, Apple seems to be holding their security as ransom forcing them to upgrade not only the OS, but hardware too. - Bad form, Apple! In all fairness, we need to see what the next few weeks hold regarding Apple releasing (or not releasing) a patch. I'd be very surprised if they don't. It's probably just a marketing tactic to spur every possible user to upgrade - Still, bad form.
  • Re:Um.. what? (Score:3, Insightful)

    by davebo ( 11873 ) on Thursday October 30, 2003 @03:07PM (#7350313) Journal
    Well, considering they've left unpatched the SSH bugs in 10.1 (which was released Sept. 2001) for which 10.2 fixes were released a month ago, I'd say history lies on the side of those claiming no more updates.
  • by strider ( 3069 ) on Thursday October 30, 2003 @03:10PM (#7350342) Homepage
    " If MS did this, the /. crowd would scream bloody murder (hell, they have... and y'all have.) But you know Apple apologists are going to have some reason why this is OK for them to do, and try to make it out like Apple is still the good guy, no matter what.

    Don't get me wrong, I love my Macs, they're all I use, but Apple fanboys make me ill."

    I see this argument on slashdot all the time. It does not work. It seems to follow some of the worse arguments in popular culture. Basically it claims that since Slashdot readers take a particular position about software, they are biased and can't possibly be doing so because they have good reason to.

    This is a bad argument. If you think a particular post ignores facts and makes poor arguments, point them out. Don't just yell "BIAS" as a blanket accusation against every future post that expresses the position that this is not as bad as it seems. If you think the moderation system is biased, I suggest you provide evidence showing particular posts of high quality being ignored and low quality advance to an extent that you can establish there is a systemic process going on here.

    Just because people here seem to currently prefer OS X to XP does not mean everything they say can be ignored under the all-encompassing label of bias. Please, provide arguments, not unsupported assertions.
  • by CraigCourtney ( 21316 ) on Thursday October 30, 2003 @03:11PM (#7350364)
    While this could be true, Apple has not made an official statement that I know of. Someone saying they talked to someone at Apple does not make policy. It is entirely possible that Apple has just concentrated all resources to get Panther out the door. No work was allowed on previous versions until it was done. It's just as plausible as the radical they won't fix Jaguar. Until Apple states their official policy people shouldn't fly off the handle.
  • by TheRaven64 ( 641858 ) on Thursday October 30, 2003 @03:13PM (#7350393) Journal
    While I won't defend them to the bitter end, I would rather that we waited to hear a statement from Apple saying that they have no plans to continue to support 10.2. So far, we have:
    1. Apple has not yet released security fixes for 10.2
    2. Apple have not officially stated that they are not going to.
    3. Someone claims that Apple told him that they would not support 10.2
    It seems a little early to be jumping to the conclusion that they will not support an OS a week after releasing the successor. To do so would be incredibly stupid, and I find it hard to imagine that Apple would intentionally shoot themselves in the foot like this.
  • RTFA (Score:4, Insightful)

    by greygent ( 523713 ) on Thursday October 30, 2003 @03:15PM (#7350421) Homepage
    Some third party news site is making a claim that apple didn't have a comment in and we are supposed to take that to mean that it is true?


    Maybe you should try reading the article. And maybe moderators should, too, before modding up your comment.

    Relevant section of article below, because you're too lazy to click a link:

    Apple declined comment.

    David Goldsmith, director of research for @stake, a security company that found four of the vulnerabilities, confirmed that Apple said it wasn't going to patch the flaws in earlier versions of the software.

    "In my initial conversations with them, they said they weren't going to fix 10.2, but I wouldn't be surprised if they change that," he said.
  • Re:Bugtraq links (Score:3, Insightful)

    by Anonymous Coward on Thursday October 30, 2003 @03:16PM (#7350437)
    What's interesting is that you somehow missed this part of the article:

    David Goldsmith, director of research for @stake, a security company that found four of the vulnerabilities, confirmed that Apple said it wasn't going to patch the flaws in earlier versions of the software.

    "In my initial conversations with them, they said they weren't going to fix 10.2, but I wouldn't be surprised if they change that," he said.
  • by Gannoc ( 210256 ) on Thursday October 30, 2003 @03:17PM (#7350459)
    I, like many other folks, run OS X 10.2 (Jaguar) on an older, "Beige" G3, which is not supported by Panther.

    Just because you own a mac doesn't mean you can expect to have your hardware supported until the case turns to dust.

    "I run Windows 95 on an older "Pentium 90", which is not supported by Windows XP. I'm enraged that Microsoft has dropped support for Windows 95 leaving all of us Pentium 90 users stuck with a system with KNOWN SECURITY HOLES."

  • Tech Report (Score:5, Insightful)

    by CountBrass ( 590228 ) on Thursday October 30, 2003 @03:19PM (#7350482)

    Is a rabidly pro-Microsoft and anti-Mac site. Just check the tone of previous stories.

    You can't believe everything you read on the 'net!

  • by JoshWurzel ( 320371 ) on Thursday October 30, 2003 @03:20PM (#7350491) Homepage
    First of all, Apple hasn't done (or not done) anything wrong. The exploit was publicized 3 days ago. Odds are they are working on a patch, it just isn't ready in 3 days. At this point, the publicity generated is enough to make them release a patch even if they weren't planning one (which I find unlikely, given that panther is less than a week old).

    Not all OS's have a 40-hour turnaround time for bugfixes like microsoft ;-)
  • Wait a minute... (Score:5, Insightful)

    by Phroggy ( 441 ) * <slashdot3@@@phroggy...com> on Thursday October 30, 2003 @03:21PM (#7350511) Homepage
    The same security company who recently fired an employee for publishing a paper saying Windows is insecure because it could damage the company's relationship with Microsoft has now identified three security issues in Mac OS X 10.2, which do not exist in 10.3. They made this announcement two days ago, and people are screaming that Apple is screwing their customers because they haven't released a patch within two days. Because 10.3 is not affected by these issues, upgrading to 10.3 would be one solution. Another solution would be to wait until Apple develops and tests a security patch for 10.2, which will probably take them about a week.

    Remember that when security issues are found in Microsoft products, Microsoft is usually notified in secret months before the issue is made public, so that they have time to develop a patch.

    Summary of the first issue: a user could:
    a) turn on core files, so when a process crashes it will dump core to a world-writable directory
    b) mount a disk image (or presumably any other writable filesystem such as an SMB mount)
    c) make a symlink in the cores directory with a particular PID in the filename, pointing to an empty file on the mounted filesystem
    d) cause that particular process, which could be owned by root, to crash, overwriting the file that was linked to
    e) read the resulting core file

    Or skip steps b and e, and just use it as a DoS to overwrite something important, but unless you've hacked OpenFirmware to prevent booting into single-user mode or booting from CD, anyone with physical access to the machine can do this anyway.
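Added example, not part of the thread and not Apple's code: a defender's view of the core-file issue summarized in the comment above, showing an audit of a dump directory for the two preconditions (world-writable directory, planted symlink) and a dump writer that refuses to follow a pre-existing link. The directory layout, file names and PID 1234 are constructed for the demonstration.

```python
import os
import stat
import tempfile


def audit_core_dir(path):
    """Report the conditions the comment relies on: a world-writable
    dump directory and symlinks planted inside it."""
    findings = []
    if stat.S_IMODE(os.lstat(path).st_mode) & stat.S_IWOTH:
        findings.append(("world-writable", path))
    for name in sorted(os.listdir(path)):
        full = os.path.join(path, name)
        if os.path.islink(full):
            findings.append(("symlink", full, os.readlink(full)))
    return findings


def write_dump_naive(path, data):
    # open() follows symlinks, so the data lands in the link target.
    with open(path, "wb") as fh:
        fh.write(data)


def write_dump_hardened(path, data):
    # O_EXCL fails if anything (including a symlink) already exists at path;
    # O_NOFOLLOW refuses a symlink as the final path component.
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | os.O_NOFOLLOW
    fd = os.open(path, flags, 0o600)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)


def demo():
    # Everything below is constructed sample state inside a temp directory.
    with tempfile.TemporaryDirectory() as root:
        cores = os.path.join(root, "cores")
        os.mkdir(cores)
        os.chmod(cores, 0o1777)  # world-writable, sticky
        victim = os.path.join(root, "important.conf")
        with open(victim, "wb") as fh:
            fh.write(b"original")
        planted = os.path.join(cores, "core.1234")  # constructed PID
        os.symlink(victim, planted)

        findings = audit_core_dir(cores)
        try:
            write_dump_hardened(planted, b"DUMP")
            blocked = False
        except OSError:
            blocked = True
        with open(victim, "rb") as fh:
            after_hardened = fh.read()
        write_dump_naive(planted, b"DUMP")
        with open(victim, "rb") as fh:
            after_naive = fh.read()
        return findings, blocked, after_hardened, after_naive


if __name__ == "__main__":
    print(demo())
```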
  • 10.3 Only Problem (Score:3, Insightful)

    by Goo.cc ( 687626 ) * on Thursday October 30, 2003 @03:24PM (#7350557)
    This is a 10.3 only problem and the writeup on this topic needs to be fixed. Jesus, look at the people who came out looking for an excuse to bash.
  • by teamhasnoi ( 554944 ) <teamhasnoi AT yahoo DOT com> on Thursday October 30, 2003 @03:24PM (#7350568) Journal
    One reason that I can see for Apple *not* releasing a fix for 10.2 (if this is true, which I highly doubt) is that Apple *needs* everyone (developers and users) to be on the same page.

    Unlike MS, Apple doesn't have such a gigantic installed base of, say, 8.6 users compared to Win95/98 in the MS world.

    If MS said, "We're scrapping the Windows kernel and writing a new Unix-based OS" (Is that a pig that just flew by?), MS would try to drop support for the old Windows, to get developers, users, and enterprises all using the same software.

    Is this a good idea? Sure, if you are the maker of the software - less bugs, exploits and versions to support and fix. If you're a user of the software, it would suck - buy (licence :( new software, try and get old files to work with new programs, loss of hardware investment. Change happens, especially in the computer industry.

    One reason I doubt that Apple will stop releasing patches for pre-Panther is on the Xtools developers' disk. There is an option to install compilers? for 10.x thru Panther. It wouldn't stand to reason that Apple would kill support for pre-Panther and include tools to develop for the older versions.

    My two cents.

  • by Anonymous Coward on Thursday October 30, 2003 @03:27PM (#7350611)
    why doesn't someone write a letter to Apple and find out exactly what's up? I would but I really don't care. The fact that none of the posters know the full story, and are only assuming, is bothering.
  • Fortunately... (Score:5, Insightful)

    by ProfessionalCookie ( 673314 ) on Thursday October 30, 2003 @03:33PM (#7350685) Journal
    1. Core Files are disabled by default. So unless you've enabled them you should be ok.

    2. DMG Folder permissions can be a problem but I think the bigger problem is broken permissions on executable program distributions. Publishers and developers aren't using the right permissions.

    3. The buffer overflow crashes the machine but does not dump any sensitive data- no logs only memory addresses are dumped. This is generally not sensitive information.

    In addition I think it's kind of lame to say that Apple will not release security update for 10.2 perhaps they just haven't released them yet. These flaws don't seem to be terribly pertinent since they all require that you already have access to the machine, one of them requires that you dig in and enable core files another requires insecure app permissions (not Apple's fault) and a trojan and the last is an overflow which must be within narrow length limits and does not dump sensitive data.

    Panther hasn't even been out a week yet.
  • Re:FUD (Score:0, Insightful)

    by Genghis Troll ( 158585 ) on Thursday October 30, 2003 @03:33PM (#7350686) Homepage Journal
    No, these problems are already fixed in 10.3 [securityfocus.com] . It's 10.2 (and maybe 10.1, I don't know) that are vulnerable.

    That fact should speak to those saying "just give them a week, the bug was only found yesterday", too. The bugs were found quite some time ago if they are already fixed in 10.3. It's just that the group that found the bugs withheld them from public disclosure to give Apple some time to fix them.
  • by Anonymous Coward on Thursday October 30, 2003 @03:34PM (#7350705)
    At least MS supports an OS for 5+ years before abandoning it, unlike Apple, who is forcing you to pay for yearly upgrades now if you want patches.
  • by curtlewis ( 662976 ) on Thursday October 30, 2003 @03:36PM (#7350725)
    The Beige G3 is a 6 year old computer. Think about that for a minute...

  • by emil ( 695 ) on Thursday October 30, 2003 @03:42PM (#7350803)
    David Goldsmith, director of research for @stake, a security company that found four of the vulnerabilities, confirmed that Apple said it wasn't going to patch the flaws in earlier versions of the software.

    "In my initial conversations with them, they said they weren't going to fix 10.2, but I wouldn't be surprised if they change that," he said.

    Such a statement, apparently confirmed by Apple, will keep Mac OS X out of any server applications. Just imagine Sun saying something similar.

    Since Oracle server is out for OS X, I had been thinking about Macs for certain server applications.

    At home, I have both an iMac and a beige G3. My beige G3 is not supported under 10.3; according to Apple I cannot upgrade (until xpostfacto gets through with them). Apple just tried to put a gun to my machine's head and pull the trigger.

    Because they are dropping hardware in 10.3, they need to support 10.2 indefinitely.

    I am not amused.

  • by ErikZ ( 55491 ) on Thursday October 30, 2003 @04:01PM (#7351039)
    You don't understand the server environment then. What if they upgrade to 10.3 and it breaks a mission critical app?

    The original poster is right, this kind of attitude will keep serious businesses away from Apple in the server room.
  • by codemachine ( 245871 ) on Thursday October 30, 2003 @04:34PM (#7351435)
    At least wait a week or so before posting something this absurd. I'm pretty damn sure Apple was planning on patching 10.2 sooner or later, but they just got around to 10.3 first.

    Or maybe they just wanted to test 10.2 a bit more since it is more likely to be used in production than the week-old 10.3. Either way, it is a bit of a stretch to say that Apple has massively changed their patching policy just because one patch is a bit later than some would like. Quite the big accusation; quite little evidence.

    In the end, Apple gets all this negative publicity on Slashdot for no reason at all. I guess MS gets that a lot on here, but I'd expect us to be a bit kinder to our UNIX brothers.
  • Re:RTFA (Score:4, Insightful)

    by mcc ( 14761 ) <amcclure@purdue.edu> on Thursday October 30, 2003 @04:46PM (#7351603) Homepage
    David Goldsmith is not a representative of Apple.

    David Goldsmith was, most likely, not talking to the person within Apple who has the actual authority to decide whether a 10.2 patch will be issued or not. (He might have been. But we don't know.)

    Goldsmith's comments indicate Apple will not be fixing the problems, and they are worrying. However it is a massive stretch to call them confirmation.

    On the other hand, we still probably want to yell bloody murder about this, because lots of public complaining is probably the best way to convince Apple to change things.
  • by Mikeytsi ( 186271 ) on Thursday October 30, 2003 @04:47PM (#7351618) Journal
    Oh no! Microsoft is phasing out support for an operating system that's 8 years old! In two years, I won't be able to get new patches for my 10 year old operating system!

    That's a FAR cry from basically killing off support for an operating system that's less than a year old. It's a stupid idea, and not something I would tolerate in a server environment.
  • Re:Not True... (Score:3, Insightful)

    by shrubya ( 570356 ) on Thursday October 30, 2003 @04:56PM (#7351665) Homepage Journal
    what reason is there for running 10.1?

    Because it's on your Mac already? Because you don't want to shell out $129 for an upgrade? Because it's better than Classic?

    anybody who uses their computer for work doesn't use 10.1.

    Umm...most Macs are in schools or homes, not work. How many schools buy OS upgrades every year? How many grandmas?

    Why should they support it?

    Because Apple was selling it less than 18 months ago? Because if Microsoft, or RedHat, or anyone else, dropped support for an OS version that early then everyone would be screaming.

  • by synx ( 29979 ) on Thursday October 30, 2003 @05:56PM (#7352243)
    Apple sells a different product called 'Mac OS X server' which comes with all the 'usuals'. Which includes "forever support" and whatnot.

    The assumption and hearsay behind the story is pretty lame.
  • by binarstu ( 720435 ) on Thursday October 30, 2003 @06:11PM (#7352411)
    Yes, 10.2 is older than 10.3, but that is not justification for no longer offering security patches for it. And this goes way beyond the server market. Offering security patches for recent, active operating systems is one of the most basic responsibilities an OS manufacturer has to its customers. Of course, one could dispute exactly what qualifies an OS as recent and active, but I'd say any major software product released a year ago is still very much alive. Apple seems to be truly short-changing its customers on this one. Oh, and MS isn't completely dropping support of Windows NT until 2005 -- ten years after its introduction. The comparison to 10.2 is not very valid.
  • Re:Not True... (Score:3, Insightful)

    by Phroggy ( 441 ) * <slashdot3@@@phroggy...com> on Thursday October 30, 2003 @06:40PM (#7352719) Homepage
    That should be adequate for virtually all users of 10.1. The rare 10.1 users who actually need SSH enabled are probably sophisticated enough to apply the open source patch.

    Oh I see - so any user who knows how to SSH into a remote machine and run a few commands automatically knows how to download, compile and install a piece of software from source, with the correct options to get all the paths in the right places, overwriting the Apple-supplied binaries (which of course you've backed up first).

    And, of course they all know the problem exists in the first place.

    Right.
  • Comment removed (Score:2, Insightful)

    by account_deleted ( 4530225 ) on Thursday October 30, 2003 @11:40PM (#7354917)
    Comment removed based on user account deletion
