Apple Release Mega Patch to Fix 19 Flaws
maotx writes "Apple has released a mega-patch that fixes 19 flaws in Mac OS X v10.3.9. The updates include several fixes for remote and local root exploits. The change log can be found here. You can download the updates using the Software Update Program or directly from Apple Downloads."
Re:While I think... (Score:2, Insightful)
People tend to go looking for them [debian.org].
If you're a penetration tester, or work for a security firm, then publishing flaws is how you get "noticed", and how you attract new customers.
Not many people do it for purely altruistic motives - but I guess that doesn't matter if the flaw is found and fixed.
Re:Several exploits (Score:4, Insightful)
Completely false. If you think that "pretty much every Mac in existence" upgraded to 10.3.9, then you would be wrong. If you are using hyperbole to make a troll-ish statement, then whatever. Just because an exploit exists does not mean that it is common knowledge and would have been used or even could have been used against "pretty much every Mac in existence". Please point to a report about any Macs that were rooted due to this exploit. Surely out of the millions of Macs out there, at least one was rooted if it's so easy.
Re:Several exploits (Score:4, Insightful)
The mac interface runs on top of Darwin, a *bsd--not "some FreeBSD apps installed." Cygwin runs on top of windows.
OK, not a big difference--just the difference between an application and an OS...
hawk, off to eat soup with a fork, which is just a spoon with some holes attached
A nice balance (Score:4, Insightful)
Some people are posting and saying that Apple should release each update as soon as they patch it. This would be about one security update per day. Most users would probably find having to install a patch every day to be rather annoying. They probably would wait until a number of them had built up anyway. They might even turn off updating altogether.
Besides, many of these security holes are only theoretical. If there are no exploits of them, does it really matter if the patch is delayed a few weeks?
I think Apple is striking a nice balance between endless daily updates and waiting for major OS updates every 18 months.
Re:Several exploits (Score:4, Insightful)
Mac OS X is not Unix. It never has been. We've never applied to use the Unix trademark, nor are we the least bit interested in maintaining absolute parity with Unix.
However, Mac OS X evolved from Unix, and there are many Unix-like pieces left. In particular, many of the programming interfaces common to Unix are still available through a framework we call libSystem. We ship the Unix user interface, X11. We offer a command-line user environment that includes many Unix-like utilities. And so on.
So no, Mac OS X is not now and has never been Unix. But neither is it something entirely different from Unix with a Unix-compatibility layer bolted on.
So you were simultaneously right and wrong. Neat, huh?
Re:Several exploits (Score:3, Insightful)
If you truly understand and agree with that assessment then what actually matters to a practical person is the security records that actually exist, not what would be the case in a world that does not and will not exist. Be a man and own up to your decision. You choose a less secure system and are prepared to live with the consequences. Now go scan your system for viruses and clean out the latest batch.
Re:Several exploits (Score:4, Insightful)
The series of checkboxes you're looking for can be found in the Sharing pane of System Preferences.
Re:Several exploits (Score:5, Insightful)
That of course is a rhetorical question, which proves nothing. To actually defeat your argument: the existence of a theoretical vulnerability is not enough to get a system mass-rooted. The vulnerability has to be discovered first, and it will be easier to find one if the system has 100 exploitable vulnerabilities versus 10. It is likely that all complete network operating systems have some number; the question is how many and how easy they are to find. It is true that an attacker does not need more than one, but systems with fewer holes are still more secure for this reason.
Also, note that a security researcher does not need to come up with an actual working exploit, merely a theoretical description of how one could be written. Depending on the extent and nature of the vulnerability, it might be harder or easier to exploit than others.
The truth is that there is not currently an ideal mathematical way to evaluate the real, overall security of a computer system. Until we do the best real-world statistic we have is the actual security record, which is biased against Windows. However, the lack of a good measurement of security does not mean that all systems are equally secure.
To an end-user, it does not really matter what the reason is that Windows is more likely to be hacked. It remains one of the major problems of the platform, and a problem that is not nearly as pervasive on OS X.
Re:Move along; nothing here to see. (Score:3, Insightful)
Oh, wait.
Re:Poor mistakes (Score:5, Insightful)
From Secunia.org:
Number of unpatched OS X vulnerabilities: 0% of 50 = 0
Number of unpatched XP vulnerabilities: 25% of 73 = 18. The oldest unpatched one is from 2002.
The .DS_Store vulnerability:
GET IT TOGETHER BEFORE IT'S TOO LATE!
It is not a critical vulnerability as it requires a local account to exploit it. Lay off the caffeine, man.
Re:Several exploits (Score:2, Insightful)
You've been caught!
Yellow journalism (Score:5, Insightful)
Was it really necessary to echo The Register's ridiculous hyperbole in the article title?
Re:10.3.10? (Score:4, Insightful)
Wish they'd start behaving like a real OS company and release security patches for every 'supported' version instead of trying to drive upgrades with them.
Re:Several exploits (Score:1, Insightful)
IIS is a web server, an ftp server, a DNS server, a mail server, a whole load of other stuff, and TWO scripting languages in ONE package.
Apache is JUST a web server. If you really wanted an accurate comparison, you'd have to compare IIS to apache, wuftpd, BIND, sendmail, PHP and Perl. Now please tell me, with a straight face, that those packages all have spotless track records.
IIRC, the last exploit that applied directly to the webserving part of IIS was a directory traversal bug that also affected apache at around the same time.
Fucking moron.
Re:Several exploits (Score:2, Insightful)
Up until I read this post, I thought that you are an Apple employee.
Then what, pray tell, is this page [apple.com] all about? Or any of these [google.com]?
Cheers,
b&
Re:Several exploits (Score:4, Insightful)
Mac OS X is a super-modern operating system that combines the power and stability of UNIX with the legendary elegance of the Macintosh.
Note that it says "combines the power...of Unix." Not "derived from" or any other qualifier. Any reasonable customer is going to assume that when Unix is listed as one of the ingredients on the outside of the tin, that's what they're getting inside the tin.
Mass marketing aside, the PDF labelled "UNIX" [apple.com] in the sidebar is subtitled "The power of UNIX with the simplicity of Macintosh." and the first two paragraphs go on to state:
Mac OS X version 10.4 "Tiger" combines a robust and open UNIX-based foundation with the richness and usability of the Mac interface, bringing UNIX technology and 64-bit power to the mass market. Apple has made open source and standards a key part of its strategy to deliver an industrial-strength operating system that is both innovative and easy to use.
There are over 15 million Mac OS X users--scientists, animators, developers, system administrators, and more--making Mac OS X the most widely used UNIX-based desktop operating system.
Sure, OS X is not 100% UNIX certified, or compliant, but then that didn't stop people (quite correctly) considering Linux as Unix.
So while I agree that OS X is not technically Unix, and Apple has done a great job by marrying BSD with Mach as well as a slew of other innovations, Apple has not been shy about using the Unix name liberally in its marketing and technical documentation, and it's not unreasonable, as a first order approximation, to call OS X a Unix. (And traditionally, the difference between Unix and Unix-based has been pretty meaningless when categorizing operating systems.) If calling OS X Unix is an unreasonable approximation, and OS X is truly a horse of a different color, then the claim that OS X is "the most widely used UNIX-based desktop operating system" is a meaningless tautology: you've never seen a press release from, say, Be, reading that "The Be operating system is the most widely used Be operating system in the world." On some level, OS X must be a member of a larger equivalence class -- Unix and Unix-based OS's -- for that statement to mean anything.
Re:Several exploits (Score:3, Insightful)
This is Security Update 2005-005 we are discussing, not 004. More proof.
Re:Several exploits (Score:5, Insightful)
The logo, depicting a metal plate with embossed letters, reads "Unix Based." We still use it. But please note the use of the word "Based." It's not just there for show.
Any reasonable customer is going to assume that when Unix is listed as one of the ingredients on the outside of the tin, that's what they're getting inside the tin.
Except that's not what's going on. If you'll pardon the unflattering analogy, the ingredients list reads "fruit flavors" and you think it reads "fruit."
We market the hell out of our Unix compatibility and portability features. We advertise prominently the degree to which we've included frameworks making it easy to port existing Unix (including Linux) applications. That's not the same thing as saying our operating system is Unix.
Look, the reason for this is very clear: The word "Unix" has a terrible reputation among half of our customers, and a sterling reputation among the other half. To scientific and technical customers, Unix means "better than Windows." To commercial and home users, Unix means "that hard thing that geek tried to get us to use that one time before we switched back to Windows forever."
Obviously we want customers to know that we've brought the good parts of Unix into the 21st century, but at the same time they have to know that we've left the bad parts behind.
It's a very tricky idea to try to get across in two words. We chose "Unix Based." Obviously this hasn't been without its problems.
What we can't let happen, though, is let the idea get out that Mac OS X is Unix. At the risk of sounding (even more) superior (than usual), Mac OS X isn't merely Unix. It's the next generation beyond Unix. It's a quantum leap ahead of Unix. Saying that Mac OS X is Unix puts it on the same plane as Linux, which is definitely not true and is something we want strongly to avoid in our communications.
the difference between Unix and Unix-based has been pretty meaningless
Well, there's only so much we can do with our company communications if people just refuse to understand what words mean, you know? To say that something "is" something and that something is "based on" something are two radically different things. Confusing the two is like (to use an analogy that might be meaningful to you) saying that C and C++ are the same computer language.
Re:Several exploits (Score:4, Insightful)
OS X has, at its very core, a BSD derivative (Darwin) which is a direct descendant of UNIX (unlike Linux, which is a clone of UNIX).
And don't forget the ad in Scientific American which read: Sends other UNIX boxes to
There are two primary reasons Apple is careful about calling OS X UNIX. The primary (or legal) one is that the Open Group sued Apple for violating its UNIX trademark.
The other is that Apple wants to differentiate OS X from the negative aspects of UNIX. OS X is *so* much more than UNIX, that in many ways, to call OS X "just another UNIX" underplays the NeXT/Cocoa- and Apple-derived technologies. It would be akin to calling Safari a "text reader".
So, it's sort of a "have your cake, and eat it, too" situation. Apple can simultaneously derive all the cachet of being a true UNIX, while mitigating the downsides. Which leads to statements like:
So you were simultaneously right and wrong. Neat, huh?
In other words: In some ways (all but one, actually) OS X is UNIX (and then some), and in some ways (one, really) it isn't. True and not true, simultaneously right and wrong. Neat? That wouldn't be my choice of word, but OK.
Re:Several exploits (Score:3, Insightful)
We don't want to imply that our product is derivative. I have been told that when Mac OS X was first being marketed, there was a push to call it "evolved from Unix." (That's where I picked up the phrase.) It went hand-in-hand with calling our implementation of Unix "Darwin."
We dropped that idea (the story goes) because "evolved" has a pretty strong negative connotation for a lot of people, too.
So we went with the technically accurate but obviously befuddling "Unix-based."
Re:Several exploits (Score:3, Insightful)
(Insert MS fanboy response about how your WinXP SP 2 system has _never_ had spyware and is now "rock" solid and you only reboot about every 1-2 weeks!)
(But leave out how Joe User still gets tons of spyware/viruses with WinXP SP2)