Apple Uncommunicative About Security Holes
blackmonday writes "Kieren McCarthy of Techworld argues that Mac OS X is rife with security holes, and that Apple is doing a 'half-hearted' job of patching their operating system security holes, and has a 'strange habit of pretending a big problem is of no significance.' As a Mac user I find this an intriguing article in light of the Sasser Worm and its recent variants." Despite the article's assertions, no evidence of widespread security problems, or lack of effort to solve them, is offered. The only real question is Apple's lack of communication with the public about the nature of the problems.
A strategy (Score:2, Insightful)
Wow, this is pointless (Score:4, Insightful)
Security through obscurity ? (Score:1, Insightful)
Poorly thought out, badly written sensationalism. (Score:5, Insightful)
However, with all due respect to Techworld and the author, this is really a pathetic attempt at a story. Biased half-truths, no principle of charity (regardless of Apple's good record of *actual* security exploits, not the whole story, but a major part of it) with a comparison to Windows security where somehow Microsoft comes out on top, no hard figures, a poor understanding of security as a whole, and, though it may be a low blow, not very good prose (it seems rushed; e.g. one statement is "Apple's half-hearted effort to these holes can be found here."). There's really no proof (hard or soft) for any of the assertions in the article.
In conclusion, there's really really nothing to see here.
RD
Re:A strategy (Score:2, Insightful)
Not.
Comment removed (Score:5, Insightful)
Where's the evidence??? (Score:5, Insightful)
I read the article - I can't believe that the editors (are there any?) let this article see the light of day. Sure, there are security holes in Mac OS. It's a given that any OS has some kind of bug or flaw that, when properly exploited, will cause a DoS, crash or improper security. But this author is speculating (or, using speculation as source material).
Any OS based on a solid Unix core (Darwin, Linux, AIX) is going to be much more secure than any Windows kernel - at least at this point. It remains to be seen if Microsoft can build a reliable, secure kernel. Oh, and by the way, how many flaws, and how bad are they, are in Linux and Mac OS compared to Windows? Having administered global networks of >1000 Windows workstations and servers, I'll take a similarly sized Linux network ANY day, if security is paramount.
Re:security holes on a BSD-based system??? (Score:5, Insightful)
Windows is insecure. So is MacOS X, Linux, BSD, Solaris etc. if run by an incompetent admin. One system I had to fix was a hardened install of Solaris that was running VNC server without a password because the local admin was too lazy to walk over to a terminal to type commands. However, by the same token, Windows, MacOS X, Linux, BSD, Solaris etc. are all secure if run by an admin that knows what they are doing.
Macs may have security holes, but... (Score:1, Insightful)
Re:Wow, this is pointless (Score:1, Insightful)
Sorry, I'm getting a bit philosophical about this.
Re:Wow, this is pointless (Score:4, Insightful)
Re:Reasons why... (Score:0, Insightful)
When it was revealed that Apple sold a $300 super-walkman that needed a $100 exchange for a refurbished iPod & battery after a year, the Appleheads insisted that it was perfectly OK. Hell, AAA batteries would cost more!
Now some bleating shit about security patches:
"Apple is not revealing exploits to protect us"
What would your reaction be if Steve Ballmer got up and said "patches do not matter, we are withholding them for your protection"? It would be a veritable orgy of Microsoft denunciations.
The argument "Well, the CIA used NeXT, so OSX is secure" holds no water either. The CIA used a lot of Sun boxes from that era as well. Solaris 2.5/2.6 and SunOS were practically wide open from a security POV. If you stuck a gold disk Solaris 2.6 box on the internet, it would be rooted in minutes.
I hear Steve Jobs is going to ask you to drink the kool-aid! Get your cup ready!
Re:Wow, this is pointless (Score:5, Insightful)
It becomes Apple's problem when they ship a copy of Apache with every copy of their OS. It may not be their fault, but it's certainly their problem.
Comment removed (Score:4, Insightful)
moot (Score:3, Insightful)
"Solution:
Apply Security Update 2004-05-03."
(The article is dated "04 May 2004")
Re:Where's the evidence??? (Score:3, Insightful)
The story got mentioned on Slashdot, MyAppleMenu, and Spymac... it's gotten plenty of coverage. I never knew that site existed until this article. Its sole purpose, I believe, was to get Slashdotted.
And by the way, Apple is dying.
Re:Where's the evidence??? (Score:5, Insightful)
Stepping back from the apple/*nix/Windows flame wars, the article itself seems subject to the very thing it attempts to criticize - a lack of any sort of depth of information.
--
If we do not do what we must do, what we must do does not get done.
Re:Reasons why... (Score:5, Insightful)
It would be a bad idea to protect your house by trying to keep the fact that your front door's lock is broken a secret. But, it also wouldn't be a good idea to put a giant sign out advertising that fact while you were waiting for the locksmith.
Re:A strategy (Score:2, Insightful)
Not
And I 'not' your 'not'. Patching a hole quietly is not security through obscurity.
*Nobody* advertises their holes (Score:2, Insightful)
The holes are generally publicized by outside parties (like @stake and Secunia in this article) who somehow make their living finding these problems (1. find bugs 2. ??? 3. profit!)
We hear about MS's bugs so much because they affect so many people, there are so many of them (bugs
So why was this posted then? (Score:5, Insightful)
Don't publicize such articles by posting them on Slashdot.
Clarification... (Score:4, Insightful)
Considering Apple releases one security patch every month or two, I would hardly consider that as evidence of weak security policies.
How many different patches were released for XP within the last 6 months compared to Apple? I thought so...
Re:security holes on a BSD-based system??? (Score:3, Insightful)
I think what really matters is how secure an OS is when installed with the defaults. Windows is completely open... At least all the Linux installers I've used ask the user to create a root username and pass, then tell the user that they shouldn't usually log in as root and get them to create another user.
Re:Poorly thought out, badly written sensationalis (Score:4, Insightful)
Now you're mixing two different things. First, a worm on the scale of blaster/sasser is not likely to happen soon on a Mac, if you look at how they spread: they just attack random IP addresses. Guess how often they'll hit a Mac. Spreading a Mac worm this way will be quite slow. The problem is mostly single root exploits. A remotely rooted Mac is possible, but unless it's a high profile site, how would you know about it? Do you think I'll make the news if my iBook gets rooted? Check this thread [slashdot.org]: you can get remotely rooted if AFS is on (meaning if you turned on Personal File Sharing). The lesson: don't let your guard down just because you're not running Windows.
Re:Biggest bunch of bull ever (Score:1, Insightful)
Re:Reasons why... (Score:5, Insightful)
I call bullshit, prove me wrong! How do you know that the person who created the worm didn't have access to this exploit before? Microsoft didn't find that exploit, a third party did, and without the source. What makes you think that only the third party and Microsoft knew about this.
There have been a great many bugs that I have seen personally, being exploited on IRC months before Microsoft fixed it. Besides, even if the worm writer did find out through the description, it doesn't mean that the descriptions should be removed! The descriptions are there for a reason; if a patch changed a bunch of stuff without saying what it was going to change, I'd be worried as a sysadmin as to whether I'd be able to recover something if it broke. If something goes wacky on a wireless card WPA fix, and your wireless card no longer works, you can probably deduce that the patch probably broke your hardware by looking up the last few things that touched anything having to do with wireless.
What's wrong with just saying, "We fixed an exploit discovered by someone at some company in this component of the operating system."? Do bugfixes also need to give information on exactly how to reproduce the bug? Open the farthest right menu so it becomes sticky, move the mouse to the right of that menu in the menu bar (the menu will close), press the right arrow key on the keyboard.
Ah so you realize that most exploits or problems are actually discovered by a third party before Microsoft. Isn't that weird, considering that MS is the only one with the source?? That should be throwing up red flags to everyone, I mean most exploitable bugs are found by the maintainers of the packages in the open source world, the people who know the code most intimately. I wonder why the same doesn't hold true for Microsoft. Security through obscurity doesn't work, obviously. Why try to apply further obscurity by not providing relevant info to the sysadmins...
Re:Reasons why... (Score:5, Insightful)
Security through obscurity is wrong and stupid, but so is security through full disclosure. I hate to say it; I love Free Software and I am happier trusting the security of my data to it than I would be trusting anything proprietary, especially Windows. But I can't buy the argument that telling the world about an exploit before anyone has had a chance to patch is a good thing.
I have no idea how to solve this, it's a fairly deep question, deeper than me just now with a bottle of wine in me.
Re:Wishing for a way to mod "journalists" as troll (Score:5, Insightful)
Apple is hiding the fact that this is a REMOTE ROOT exploit in Apple developed code. There have been issues before, but they have come from external projects, like OpenSSL and Apache. This is a huge deal, and if Microsoft understated the importance of a patch like this, Slashdotters would be all over them.
Microsoft's experience with this has made them too sensitive. Everything is "critical" now, which makes it hard for SysAdmins of hundreds of machines to tell the difference between "change window" critical and "shutdown the site and patch all night" critical.
Re:Reasons why... (Score:2, Insightful)
Re:Reasons why... (Score:3, Insightful)
Re:This could be pretty serious (Score:3, Insightful)
I don't talk about my heart condition either (Score:4, Insightful)
Mind you, I don't have a heart condition, or at least, not one any doctor has identified. I guess I *could* have one and just don't know it. Sure I do some of the things that could lead to a heart condition. Don't smoke but do drink. Don't eat fast food but do enjoy butter on my baked potato, that sort of thing.
I think that this journalist is trying to spread FUD about Apple dying of a heart condition it doesn't have.
Re:Keeping quiet makes perfect sense to me! (Score:5, Insightful)
-Don.
Re:This could be pretty serious (Score:2, Insightful)
What else is there to know besides that? Do artists really need to know about processes and threads and priorities?
Getting people to patch their system is merely a matter of running Software Update or Windows Update periodically. Both Mac OS X and Windows have this facility, and it should almost always be turned on.
The way I view it (Score:1, Insightful)
Apple issues updates to their operating system that include security holes as well, and usually just "theoretical" vulnerabilities. They just issue the update, don't detail people on what's being fixed, and in the end you have what appears to be a more secure operating system.
How can kiddies write a script to take advantage of a vulnerability if they don't even know what the vulnerability is?
So why is there even such a "discussion" or "commotion" about this? There isn't. These "Security companies" just want to be able to issue a press release with their name plastered all over it and can't do so with Apple. So they cry foul to ZDnet, or whatever, and now get their name mentioned in the press!
I remember reading the one article from a company called eEye and the guy quoted was labelled as the "Chief hacking officer." What "corporation" would have an executive officer named the "Chief hacking officer" ?
come snipe with me come snipe come snipe away! (Score:3, Insightful)
OK, now see how one can go off half-cocked? This is the statement from McCarthy: "Apple explained that it was "aware" of a Trojan horse that could be used to compromise its systems and was investigating it, but refused to say any more"
I'm not really sure what more one would want them to say? Perhaps "OH MY GOD THIS IS A DISASTER!" Well clearly it's not. But if you want to hype it for an article, sure, whatever. Perhaps you want to know exactly when it'll be fixed. Good, let them give you some fictional date that they make up before they have actually investigated it. But hey, sure, you can hype in your article.
To be annoyingly pedantic, Apache isn't part of the OS. Additionally most people don't use the (Apache) built-in web server. I should also mention that none of the 3 articles linked about the Apache problem are listed as 'highly critical' anyway. (2 moderate and one 'less')
IPsec ones.. both moderate. So this leaves us with 2 unconfirmed, 2 moderates, and 1 left of privilege escalation. I can't say much about it as I don't know any more than the rather curt descriptions.
The really best part is what is claimed to be "Apple's half-hearted effort to these holes": links to a page on a security update for them. But hey, if you need to hype that a fix means nothing is being done because you have an article deadline.. then it sounds like you are doing a "half hearted" job.
Re:This could be pretty serious (Score:5, Insightful)
This is a problem, why? They are learning art, not computer science. They are ARTISTS learning about how to create ART, using the computer as a tool (or perhaps toolbox). This art is not some excuse for these students to hone up on their computer skills and become some sort of pseudo computer geek that would appear to be more acceptable to you.
The difference here (Score:3, Insightful)
Occam's Razor (Score:5, Insightful)
Apply Occam's Razor.
What is more likely - that somebody else (assuming the security firm that reported it didn't write Sasser) discovered the flaw, wrote an exploit, and released it within days of Microsoft's detailed report.
-or-
Somebody read the detailed report, wrote the exploit, and released it into the wild a few days after reading.
Hmm. I wonder. %)
# # #
That said...I second the idea that there's no good reason to essentially provide the blueprints of either fix or exploit to anybody but the reporting party.
I know there is some issue with "What if the company gets the report, but doesn't do anything with it?" - in which case documenting the flaw may be the only way to 'force' a company to fix it. However, it may be more strategic to release bits of the flaw documentation at a time, so that over time the likelihood of an exploit becomes higher - but only by those with enough knowledge, rather than every script kiddie on the block. A company would likely (hopefully) provide a fix before a full disclosure of the flaw would be given, understanding that exploits will be released into the wild at some point.
Re:Reasons why... (Score:5, Insightful)
Security through obscurity is wrong and stupid, but so is security through full disclosure. I hate to say it; I love Free Software and I am happier trusting the security of my data to it than I would be trusting anything proprietary, especially Windows. But I can't buy the argument that telling the world about an exploit before anyone has had a chance to patch is a good thing.
You're assuming
a) that the black-hat community does NOT disseminate vulnerabilities amongst themselves even before the white-hat community does
b) that patching is the only way to get rid of a vulnerability.
Case in point wrt b) the Sasser worm is effectively killed by switching on your friendly neighborhood firewall/IP filtering (which is built right in to the affected OSes). You don't even need to switch off a single service (though in many cases only a single service (or daemon) is affected).
Let's Do Some Research (Score:4, Insightful)
The last line of the article is "Apple's half-hearted effort to [patch] these holes can be found here. While Secunia's full rundown on the problems can be found here."
The first link goes to a very complete page that details Apple's security updates back to Sept 2003. It looks fully-hearted to me. This page states "For the protection of our customers, Apple does not disclose, discuss or confirm security issues until a full investigation has occurred and any necessary patches or releases are available." Sounds reasonable. The second link details a security notice that was released on May Fourth with some security issues. The fix is to dl the patch Apple released on the third.
Nothing to see here. This guy is taking a non-issue, spreading around some FUD and hoping that someone will bite.
Re:Reasons why... (Score:3, Insightful)
So, after all of the crap people have slung at Apple trying to discredit their security, one simple fact still remains: every 3-6 months, there is some worm that does millions of dollars of damage, spreads by getting the Windows equivalent of root-level access via some bug exploit. BUT, I have yet to see a successful remote-root exploit (the LDAP w/ spoofed dhcpd hardly counts, too complex to automate) for Mac OS X that has hit the public eye, let alone a worm that exploits it.
Windows machines do occupy the majority of the market share, so of course viruses/worms/hack attempts will be more prevalent, but one would think the ratio would hold... if, for the sake of argument, 10% of the world was using Macs, wouldn't 10% of the virii and worms be for Mac, if both sides were equally competent?
Nah, just a bad article (Score:5, Insightful)
Well, I dunno, I think it's less that than just that Slashdot is naturally reactive. They aren't reacting to Apple at all. They're reacting to the article. And this article is very poorly written. It goes into basically nothing except Apple's presentation in the ASU dialog box of update descriptions, while failing to give any hard data or really any evidence whatsoever as far as whether Apple is taking any amount of time to patch security holes.
If this guy had actually gathered some sort of hard data that gave an indication of whether Apple actually was taking excessive amounts of time to patch security holes, or whether people weren't installing ASU updates, or Apple was actually trying to hush up security vulnerabilities, I think you'd see a very different reaction. There was one time that Apple took a little bit too long to be reasonable to fix a security hole, and when the Slashdot story on the subject came out they were rightfully bashed for it. However, in the absence of any hard data we're left only with the ability to respond to the article, and well, look at the article.. about the only response possible is "poorly formulated, poorly researched rant".
Perhaps a good way to test your theory would be to post to the slashdot front page a really *bad* article attacking Microsoft's security practices and see if people agree with it or if they go "wait, this doesn't make sense".
Apple is scary to criticize (Score:4, Insightful)
I've been an Apple user, off and on, since the IIgs days. There's always been a good amount of zealotry about the product line, but what can you say? The gear is pretty good, and has a good reputation. Unfortunately, no small amount of that reputation is maintained through absolutely vociferous defense of any arbitrary behavior.
I'm not just talking about buffer overflows. When Apple's DHCP implementation made it trivial for anyone on the LAN (even a coffee shop wireless network) to remotely take full control of the machine [carrel.org], the response was not one of confident correction but defensive redefinition -- "It's not a bug, it's a feature, you unintelligent carbon rod." And when Apple became the first operating system ever to be exploitable via its generic text forms [macslash.org] -- the response really was yet another circle-the-wagons-and-apply-the-double-standard. And in case you don't believe me about the obsessive, O'Reillyian hijinks going on here -- look at the Boingboing [boingboing.net] response to what's just an open-and-shut data/executable confusion vulnerability. "OS9 is vulnerable too" is not a defense. "But you need to GET the file first" isn't a defense either -- that is, um, sort of the point of a Trojan horse. "An antivirus company came up with this" -- no way, you mean antivirus companies actually try to find security problems? This type of alternation between non sequitur and ad hominem is par for the course. And don't say it's always this way -- there's no other operating system vendor who either themselves or through their users reacts to security risks like this. Not Microsoft, not the various Linux distributors (who really are getting hammered), not Sun or SGI, and certainly not Theo or his security-obsessed users. Everyone else seems to have realized it's safe to openly acknowledge and repair faults. Apple is the exception. "Like pulling teeth" comes to mind.
People, this is technology, not politics, and I don't even like this kind of behavior in politics. The more apologism there is for Apple failures -- and yes, even the eternally scrappy upstart from Cupertino can screw up, just look at your Powerbook monitors -- the less likely we are to actually see what ultimately we all want, which is correctly behaving technology.
That's all I have to say on this.
Re:Biggest bunch of bull ever (Score:3, Insightful)
Actually, even if you didn't update your Mac and left all the services off (like Apache and SSH) it's completely safe. Simple as that. How can you remotely root a computer with no open ports?
Period. End of story.
Re:Reasons why... (Score:5, Insightful)
47Ronin wrote this and almost everyone ignored it (Score:4, Insightful)
Less used features vs. Core problems (Score:5, Insightful)
My point being that, first off, Apple might want to be quiet about it because the majority isn't affected, and second, the vulnerabilities aren't nearly as integral to the OS as most Windows vulnerabilities are.
My apologies if this is redundant.
Re:Mac OS probably has tons of vulnerabilities... (Score:1, Insightful)
Then I'd think that people would be working overtime to be the first guy to write a successful virus for Mac OS, whose security makes Windows security look like a slice of Swiss cheese that has absorbed a shotgun blast.
Any script kiddie can download a tool to make a Windows worm. Nobody even cares anymore, it's like, "Ho-hum, a new Windows worm wreaking havoc this week." You want to stand out from the crowd, you try to hack the Gibson.
Plus, when the first modern Mac worm/virus hits, the Microsoft-biased tech media will be tripping over themselves to feed Apple some crow. So I'd say it's a safe bet your shout-outs hidden in the source code will be made known pretty quickly, and there's your fame.
Re:Reasons why... (Score:4, Insightful)
Sweeping it under the carpet until you have a patch ready is ridiculous reasoning. What if the exploit details get leaked, but not published?
What happens if a black hat comes across it anyway? Then you have an exploit being used that no-one knows about yet.
Full Disclosure has risks, but it allows for more corrective steps to be taken then waiting for a patch or something similar.
Re:Reasons why... (Score:3, Insightful)
The functionality is there with OS X, it's just that it's not turned on until you actually use it. It means that probably 95% of OS X users out there don't have unnecessary services running because they simply don't use them, not because they are not available to them.
Re:Reasons why... (Score:2, Insightful)
But then, do they really need to download most security patches? Assuming they know to avoid spyware and not open attachments, how exposed is a dial-up user to attacks compared to someone on broadband or better?
Here's what I'd like to see... (Score:4, Insightful)
I do tech support all over So. CA, for Mac and PC clients. And I have made 10x as much money from running to the PC clients' LANs and ridding them of worms, spyware, and such, than from my Macintosh clients.
I've been using OS-X since the original OS-X Public Beta, and have proudly upgraded ever since to the latest version (10.3.3). I seriously laugh at anyone that attempts to dog on OS-X's security (well, lack-thereof). I am proud to be able to take my 12" Powerbook G4 anywhere, and fix/troubleshoot anyone's computer or network without worrying about getting a virus, or worm, or anything.
I easily backup friends and clients PC's through firewire and OS-X (w/ NTFS Addin for Pre OS-X 10.2) and reinstall their system in a heartbeat, without worrying about getting a boot virus, or prefetch virus (what a pain!) or a random piece of sh*t adware software.
I am proud to own a Mac. And yes... I really do LAUGH in the face of anyone attempting to put down the Mac, when their reasons are 99% crap. (unless of course they are talking about playing games!)
In conclusion, I really would love to see a "outbreak" of a virus for OS-X. This happens DAILY for Windows. This event might actually let some reporters report that OS-X isn't so secure. But... until that day my friends... read 'em and weep.
Viva la OS-X!
- Insolence (Mac User/Evangelist)
Re:Reasons why... (Score:1, Insightful)
Microsoft gets attacked for taking too long to patch an issue that is raping and pillaging the entire goddamned internet, while Apple gets a free pass for taking its own sweet time to patch issues that could potentially, maybe, if you enable certain services, be problematic.
Microsoft's security holes are a danger to every system on the internet, regardless of OS. For a company as large as they are, and with such a dominant share of internet clients, they should bear more responsibility.
Can you say Apache? (Score:5, Insightful)
Apache has demonstrated this is simply false.
Re:Biggest bunch of bull ever (Score:2, Insightful)
Uh, I've been a sysadmin since 1994, and I still don't believe that most systems need firewalls. Sure, I hear there are some poor excuses for operating systems that are so busted that they can't take care of themselves, but I don't use those.
And why would you ever expect anyone to do that? Unusually technical users may know the term firewall as meaning "that thing between the engine compartment and the cab," but most normal anglophones will never have heard the word at all.
I did such a search (I'd never heard the term), and I can assure you that the odds of the average computer user finding and following these instructions is substantially lower than that of them developing the aforementioned eye lasers.
My point here is not that people are dumb. My points are:
Many intelligent and competent people have better things to do with their lives than master the details of Microsoft's myriad failings.
If you feel that it's so blindingly obvious that these things always need to be done, why aren't they done already by default, rather than forcing every single user to repeat these exercises? Why would a reasonable user not assume that all of the necessary-for-everyone things have already been done?
Re:Reasons why... (Score:2, Insightful)
'Uninstalling back' is a really bad idea on a Windows system. Your admission that you engage in such practices identifies you as someone who probably tweaks your systems into problems by meddling with them.
If you like that sort of tweaking and tuning fun, you should switch to Linux or one of the BSD OSes, where it's more fruitful.
Re:Reasons why... (Score:3, Insightful)
Until another Sasser style vulnerability is exploited, yes. Sasser is relatively mild, and unless I'm mistaken about what I'm reading about it (possible, I don't run Win systems anymore) it exploits something that you can't turn off without losing a lot of functionality (and security, apparently). With the variants running around it's just a matter of time until a worse one comes out.
If I'm wrong about this, please tell me...
SB
Re:Apple is scary to criticize (Score:1, Insightful)
What boingboing was referring to is the fact that because this "exploit" relies on the Mac file's resource fork, which is not transmitted over the net unless the file is compressed or archived, it's almost unimaginable that transmission could occur via p2p, email, etc. It would take an impressive feat of social engineering to get the target to decompress/unarchive and then execute the file.
The point about getting the file first had nothing to do with whether it's a Trojan. You need to do better research if you're going to call yourself an expert around these parts.
Re:Can you say Apache? (Score:5, Insightful)
If you insist on including a scripting module, why didn't you choose the popular mod_perl [cert.org]?
Oh, whoops, that's not nearly as close!
Funny how that works.
Re:Reasons why... (Score:3, Insightful)
Which completely ignores the fact that "hackers" tend to have their own communications channels.
Windowslessness (Score:3, Insightful)
Then for quite a while I was very torn about the two. Linux was clearly the sane choice for servers, but I found that they each frustrated me in about equal measures as a workstation. I went back and forth between running macos and linux on my macs. (Well, and a little beos.)
So when macosx was released, it felt as if it were written pretty precisely for me. There are still a few ways here and there in which it's not quite as good a unix as linux is, nor quite as good a desktop as paleo-macos was. But being almost as good at _both_ is truly a whole greater than the sum of its parts.
Honestly, Windows never even came into it. By the time I had enough familiarity with computers to be able to make any kind of judgement about platforms, it seemed very clear to me that Windows users were pretty regularly unhappy, and struggled with things that I'd just always taken for granted.
Re:Reasons why... (Score:5, Insightful)
Quietly, yes, very. Quickly? No.
If you call a fix for a good ol' buffer overflow a "patch to improve the handling of long passwords" you're being too quiet: people will not be properly motivated to install the patch.
And doing roll-up patches for old (sometimes very old) issues once a month only does not qualify as quick. Sorry.
I mean, look at this week's update, all of the issues patched were discovered in 2003.
Like some others here I am completely astonished that "security by obscurity" is suddenly a good thing when Apple does it. Come on folks, get a grip. Apple isn't doing this right; don't close your eyes to that simple, obvious fact just because you like them.
Re:update mechanisms (Score:5, Insightful)
Can I just point out the latest issue with MS04-11 (the Sasser worm vuln fix): if you have the files ipsecw2k.sys, imcide.sys and dlttape.sys (the last one being PRETTY common on corporate servers), instead of your machine rebooting all the time, it will just hang or fill up a CPU to 100%.
Microsoft are now offering a hotfix to one of their patches! Priceless!!
Re:Biggest bunch of bull ever (Score:2, Insightful)