
Apple Mac OS X Update For 17 Vulnerabilities

Posted by Zonk
from the enjoy-a-less-wormy-apple dept.
BSDetector writes "Apple has released fixes for 17 OSX vulnerabilities, ranging from system takeover to denial-of-service attacks. It was the fifth security update released this year. It also marked the first time this year that an operating system security update from Apple did not patch a vulnerability disclosed by the January Month of Apple Bugs project. Today's update pushed Apple's year-to-date patch total to over 100. More than one of the affected flaws were called 'critical' or 'dangerous'."
  • Where the hell is the Microsoft comeback ad?

    Do they care?
    • Re: (Score:3, Insightful)

      by RealGrouchy (943109)

      Where the hell is the Microsoft comeback ad?

      Comeback to whom?

      "Hey, you there! Yes, you--the small market share that makes up Apple users."

      If Microsoft were to say anything about this, it would merely acknowledge, and therefore (ironically) reinforce Apple's (well OSX's) image of being resistant to viruses. Perhaps more importantly, it would also reinforce MS's image of Windows being prone to viruses.

      - RG>
  • by Secret Rabbit (914973) on Saturday May 26, 2007 @09:48PM (#19287649) Journal
    ... it's also about /how/ they are handled. Some might say more so.

    From what I've seen, Apple has been quite responsible with fixing found vulnerabilities: turn around times, etc. More so than that other guy. So, I can't really complain.
    • by dustin_c1 (153078) on Saturday May 26, 2007 @09:57PM (#19287719)
      "From what I've seen, Apple has been quite responsible with fixing found vulnerabilities: turn around times, etc. More so than that other guy. So, I can't really complain."

      Apple's time to patch was about twice as long as Microsoft's in 2006. From the looks of things, they may be working hard on improving that.

      Apple has historically been terribly irresponsible with found vulnerabilities. This article says this is the first exploit fixed that hasn't been logged on the MOAB project.

      Read up the MOAB. The MOAB project was started by security researchers who decided to release their findings publicly (and not contact Apple beforehand giving them time to fix the vulnerability before it becomes publicly known) because they got mad when Apple outright denied some existing vulnerabilities they found.

      You are incorrect. Apple has a terrible track record when it comes to handling vulnerabilities when compared to the other guy. It looks like they are making progress.
      • by Anonymous Coward on Saturday May 26, 2007 @10:35PM (#19288025)
        MOAB was founded by security researchers who wanted publicity. Among other issues was a bug in OmniWeb, which was never reported to The Omni Group. How would being frustrated at Apple possibly justify that one?
        • by Jeff DeMaagd (2015) on Sunday May 27, 2007 @01:25AM (#19289183) Homepage Journal
          I guess it was a hit job which blindsided Telestream's Flip4Mac, Panic's Transmit, Colloquy's Colloquy, Unsanity's Application Enhancer, and the open-sourced VLC as innocent bystanders in their vendetta against Apple, so at least six non-Apple branded programs were thrown in to fill out the month. Day 31 has a "filler", meaning that it's just over three weeks' worth of Apple Bugs.

          There may be some legitimacy to the complaints that Apple was unresponsive, but I agree, to bring in flaws in third party products to the mix is beyond irresponsible.
      • Apple's time to patch was about twice as long as Microsoft's in 2006. From the looks of things, they may be working hard on improving that.

        Microsoft's coming up on 10 years for an unpatched vulnerability this year. One that's been exploited over and over again, and is still there.

        Apple's comparable vulnerability is much less dangerous, AND you can turn it off, AND it only surfaces in one program. Much lower surface area, much harder to exploit.

        I'm talking, of course, about deliberate automatic code executio
        • Which Microsoft vulnerability are you referring to as being over 10 years old? CERT and similar vulnerability report sites are not useful this way, because they don't publish the existence of the problem without explicit permission from the software manufacturer. So I've seen vulnerability reports held for over a year by CERT, until Microsoft got around to fixing it. So the apparent "window of vulnerability" was only a few weeks from the finally permitted CERT publication, and the patch being part of the st
          • Which Microsoft vulnerability are you referring to as being over 10 years old?

            Well, they started out calling it "Active Desktop". It's had other names, but that's where it started.

            The vulnerability is that when you combine ActiveX with the API that applications use to call the HTML control, the resulting design is fundamentally impossible even in principle to secure. The problem is that the HTML control is given the responsibility for deciding whether an object it's called on to display should be trusted or not, but the HTML control does not have enough information to make that determination. It's arguable whether the application calling it does, but in every exploit I'm aware of that has made use of this vulnerability to infect the computer, giving the application responsibility for that decision would have prevented it.

            The changes required to the API could be:

            (1) Making the control call back to the application to follow links, access embedded objects, and so on.

            (2) Making the control by itself purely a display mechanism, and requiring explicit installation of extensions by the application.

            (3) Making the sandbox the control uses "hard", and requiring the user or the application to explicitly install plugins based on roles, and making the application explicitly specify the role that the instance of the control takes.

            In addition, in all cases:

            (4) Make the inheritance of the environment absolute. If you follow a link from an application then the target of the link MUST be displayed under the control of the same application. That application can display it by running a more restricted helper application if appropriate (so Windows Explorer could call Internet Explorer) but that decision MUST be made by the application, not the HTML control.

            Except in VERY limited circumstances (such as the default "open safe files after downloading" option in Safari, which CAN BE TURNED OFF) every other browser or mail software follows some variant of these rules (for example, the KHTML/Webkit "IO slaves" follow rule 2). The idea that a program failing to implement one of these rules would be treated as anything less than a critical bug to be fixed as soon as it was discovered was literally a bad joke before 1997. I mean, there were jokes going around about it, because everyone knew nobody would be so stupid as to implement something like Active Desktop.
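A toy model of the four rules above, as an added example that is not part of the post: the document format, the class and role names, and the sample document are all made up for this illustration. The legacy control decides trust from the only signal it has (a "zone" label) and follows links on its own; the delegating control is pure display and hands every decision to the host application, which installs plugins per role and keeps followed links under its own control.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Set, Tuple

# Constructed sample "document": (kind, target) pairs the control must act on.
SAMPLE_DOC: List[Tuple[str, str]] = [
    ("text", "Welcome"),
    ("object", "clsid:calendar-widget"),       # benign-looking embedded object
    ("object", "clsid:shell-command-runner"),  # must never auto-activate
    ("link", "http://example.invalid/next"),
]

def walk_document(doc, decide_object: Callable[[str], bool],
                  follow_link: Callable[[str], str]) -> List[str]:
    """Walk the document; who supplies the two callbacks is the whole point."""
    actions = []
    for kind, target in doc:
        if kind == "object":
            actions.append(("activated:" if decide_object(target) else "blocked:") + target)
        elif kind == "link":
            actions.append("link:" + follow_link(target))
        else:
            actions.append("text:" + target)
    return actions

class LegacyControl:
    """The design the post criticises: the control decides trust by itself.
    All it has is a 'zone' label, so a local file (Active Desktop style)
    activates every embedded object, and the control follows links on its own."""

    def render(self, doc, zone: str) -> List[str]:
        return walk_document(doc, lambda t: zone == "local",
                             lambda t: "control-navigates:" + t)

@dataclass
class Host:
    """The embedding application: it knows its role and owns every decision."""
    role: str
    # Rules 2/3: plugins are installed explicitly, per role, by the application.
    installed: Dict[str, Set[str]] = field(default_factory=dict)
    # Rule 4: a followed link stays under this application's control; it may
    # hand the target to a more restricted helper, but it makes that choice.
    helpers: Dict[str, str] = field(default_factory=dict)

    def allow_object(self, target: str) -> bool:
        return target in self.installed.get(self.role, set())

    def open_link(self, target: str) -> str:
        helper = self.helpers.get(target.split(":", 1)[0])
        return f"{self.role}->{helper}" if helper else f"{self.role}:refused"

class DelegatingControl:
    """Rule 1: a pure display mechanism that calls back to its host."""

    def __init__(self, host: Host):
        self.host = host

    def render(self, doc) -> List[str]:
        return walk_document(doc, self.host.allow_object, self.host.open_link)

def compare(doc=SAMPLE_DOC):
    """Render the same document under both designs; returns (legacy, delegated)."""
    legacy = LegacyControl().render(doc, zone="local")
    desktop = Host(role="desktop",
                   installed={"desktop": {"clsid:calendar-widget"}},
                   helpers={"http": "restricted-browser"})
    return legacy, DelegatingControl(desktop).render(doc)
```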
      • I said nothing about Apple's complete track record... nothing. I'm talking about lately, /lately/.
      • by dr.badass (25287) on Sunday May 27, 2007 @12:02AM (#19288675) Homepage
        This article says this is the first exploit fixed that hasn't been logged on the MOAB project.

        You misunderstand. This is the first update that doesn't patch anything listed by MOAB. That doesn't mean that everything patched before was. MOAB only listed 31 bugs, whereas dozens of potential vulnerabilities have been patched by Apple in that time.

        The MOAB project was started by security researchers who decided to release their findings publicly because they got mad when Apple outright denied some existing vulnerabilities they found.

        That doesn't explain why they chose to give the same treatment to VLC [info-pull.com], OmniGroup [info-pull.com], and Panic [info-pull.com].
      • Re: (Score:3, Interesting)

        by djupedal (584558)
        "Read up the MOAB."

        You're purposely sending people to a rigged website...? Does this mean you're in on the trap or just that you're clueless about what really lies behind MOAB?
        • Yeah, because it doesn't matter what they actually found, and the validity thereof, because their motives weren't "to worship at the altar that is Apple". Those heathens!

          Apologist, much?

          • by Goaway (82658)
            What they found matters, but that does excuse the fact that they were not just willfully irresponsible, but actively malicious (they used several different exploits against people on the web and on IRC). They were simply thugs out to stir up shit and get some attention.
          • Re: (Score:3, Informative)

            by falcon5768 (629591)
            No, but sending people to a website that knowingly has embedded viruses on it found by others is not considered nice.
      • by vertigoCiel (1070374) on Sunday May 27, 2007 @03:17AM (#19289787)
        It doesn't matter how long it takes to patch an exploit, as long as it is patched before it's used in a virus or other attack on a system. There are currently no OS X viruses in the wild that can attack a Mac in a meaningful way (there is a proof-of-concept one that requires the user to install it). Compare that to the tens of thousands of Windows OS viruses and worms exploiting security holes without requiring the user. Given that, I'd say that Apple has an excellent track record when it comes to patching vulnerabilities.
      • Re: (Score:3, Informative)

        by gig (78408)
        > Apple's time to patch was about twice as long as Microsoft's in 2006. From the looks of things, they may be working
        > hard on improving that.

        But Apple's bugs were much less severe, and when Apple ships a patch, it goes out to their Software Update system which patches a remarkable number of systems very quickly. Software Update is 8 or more years old and predates Mac OS X. It updates your Mac OS X system with a new version of Mac OS X every quarter or so. The whole platform is a moving target.

        > MOAB

        M
  • open the gates (Score:2, Informative)

    by v1 (525388)
    we shall now see the flood of the clueless that run around in circles screaming OMG SEE MACS HAVE BAD SECURITY TOO. To stamp out their fire before it gets beyond the first match I'd like to point out that even if they fixed 1000 things in this update, you can't compare apples (sorry) to oranges. The lion's share of vulns patched in say, Windows, I would classify "big trouble". Exploits that are in the wild (some of which have been running loose for months) that let remote attackers own your box. Even wi
    • Re:open the gates (Score:4, Insightful)

      by Actually, I do RTFA (1058596) on Saturday May 26, 2007 @10:28PM (#19287961)

      Their main concern there I believe is that you could send the evil attachment to an unprivileged user and that could lead to elevated privileges for that user or to execute code beyond that user's privs.

      Regardless of where it originates from, isn't any program that allows an unprivileged user to execute code beyond that user's privilege a serious issue? Why would it have higher privileges because an e-mail client downloaded it?

      • by dgatwood (11270)

        Let me answer in l33t sp3@k for your entertainment.

        In order of severity: remote root exploits, local root exploits, remote non-root exploits, local trojan horses. The first is worst because it doesn't require any user interaction to 0wn your boxen. The second is not as bad because it does require action from a legitimate user to 0wn your boxen except when combined with the third. The third is not as bad as either of these because it is generally limited in the amount of damage it can do in the absence

  • by Opportunist (166417) on Saturday May 26, 2007 @10:56PM (#19288195)
    "Macs gain market share"

    Since exploits of machines are meaningless if they are not used by at least a nominal portion of the userbase. Unless said machines run very interesting services (like, say, a DNS root server), machines are only interesting in numbers for a potential attacker.

    So, as a Mac user I'd see this as a sign of my computer gaining ground in the market.
    • by prelelat (201821)
      I think you are right that exploits would mean that it was seeing an increase in market share, but in this case I believe they were strictly talking about vulnerabilities being fixed. This means that people knew they were there but didn't even bother to exploit them. If anything this shows that OSX still doesn't have near the market share some people seem to think.

      I prefer to think that they were doing preventative maintenance. Apple hasn't always been the best at patching vulnerabilities but I guess the
      • Still, someone had to find those bugs, and it was likely not the programmers themselves, or they would probably have been fixed before shipping. And 1000 people looking for bugs find more than 10 people doing the same. Given that I don't remember hearing about Mac bugs getting fixed once a month from, say, 5 years ago, I'd say it might have to do with an increase in market share.
        • by dr.badass (25287)
          Still, someone had to find those bugs, and it was likely not the programmers themselves, or they would probably have been fixed before shipping.

          Ah, but much of what Apple ends up patching in updates like these isn't actually Apple-specific, but rather fixes to open source stuff they ship. This update has fixes for bind, fetchmail, ruby, and screen, to name a few. Those bugs could have been found by users or programmers on a dozen other platforms.
      • Re: (Score:3, Insightful)

        by Weedlekin (836313)
        "If anything this shows that OSX still doesn't have near the market share some people seem to think."

        This would indeed be true if the act of writing malware was a quest that earned a +5 Amulet Of Knowing Real User Numbers which gives them magical abilities that people who don't write malware lack. If however we reluctantly accept the fact that malware writers don't have such wondrous artefacts, then we must also accept that Windows' market dominance and its total dominance of the malware sector are merely a
    • by mstone (8523) on Sunday May 27, 2007 @01:52AM (#19289359)
      Define 'nominal'.

      The installed base of Macs is estimated to be between 10% and 15% of the market. That value follows from the sales numbers established in market share, amortized across the 5-7 year functional lifespan of the average Mac.

      "One machine in ten" seems like a reasonably attractive size for a target.

      Besides, you're forgetting the automated nature of malware. You don't create a botnet by hand, one machine at a time. You pump out a massive number of potential attacks and glean the ones that succeed. And having a botnet means having a massively distributed system whose resources can be devoted to making itself even bigger.

      It doesn't even take an infected Mac to compromise another Mac. The attack is just a package of data, so it would be trivially easy to dedicate a Windows botnet to locating and infecting Macs if someone really wanted to.

      The reason malware developers target the Windows platform is that it's so much easier to find a Windows machine with an exploitable hole and take it over. Windows up through XP carries a ton of historical baggage that assumes the existence of an isolated, single-user system: All processes are launched by a user with absolute privilege. Half the processes on any given machine are running at the highest possible level of privilege, and they accept data from sources with lower levels of privilege. The directory that contains system binaries is writable by pretty much anyone, there's no index to say where any given binary came from, and it's standard practice to add or overwrite files in that directory. The absolute-privilege daemons are controlled by the Registry, which again is writeable by almost anyone, and whose format is obscure enough that it's difficult to find tampering even if you know something is wrong with the machine.

      Those were all convenient and effective solutions in the days when 99.9% of the data coming into a machine came from the person at the keyboard. But they don't fare so well against a hostile internet.

      OS X doesn't have that baggage. It inherited unix's experience dealing with multi-user systems in an untrusted network environment. Yes, there are weak spots, but the attack surface is much smaller than that of Windows.

      The people who collect botnets don't care about market share. They care about exploitability, especially exploitability which can be automated. Windows machines offer an easy target in that respect. Macs and unix-alike systems require more work. And there's no reason for them to do the extra work when Windows machines are both so easy to find and so easy to take over.

    • Re: (Score:2, Insightful)

      by suv4x4 (956391)
      So, as a Mac user I'd see this as a sign of my computer gaining ground in the market.

      So, you'll have to admit then all Jobs said about Windows being an insecure piece of garbage was wrong. It's, you see, just because they have so great market share.

      You Mac users can't have it both ways. When hackers didn't pay attention to OSX and people said "this is because no one cares to attack you yet", you said "bs, it's because OSX is such a great OS, it's unhackable, it's secure *nix baby!".

      Now you the community turn
      • Multiple Mac users (Score:5, Insightful)

        by AlpineR (32307) <wagnerr@umich.edu> on Sunday May 27, 2007 @02:55PM (#19293643) Homepage

        You Mac users can't have it both ways.

        Yes, they can. You see, Mac users do not all speak with a single Borgified voice. There are some Mac users that believe the scarcity of exploits is due to the better design of a Unix base. And there are actually other Mac users that believe the smaller market share makes Macs a less attractive target. Amazingly, there might even be Mac users who change their beliefs according to argument and observation. What chaos!

  • Necessary? (Score:3, Insightful)

    by Tatsh (893946) on Saturday May 26, 2007 @11:47PM (#19288567)
    How is this news? Apple fixes flaws. Linux distro communities fix flaws too. Next time Kubuntu gets an update I'm going to make a page here.
  • Except for Server, OS X defaults to no, zero, nada, ports open by default. That means there's zero chance of a remote root exploit. The only chance of remote exploit is really by exploiting something like Safari or Mac Mail. However, such an exploit would be dramatically limited in scope as compared to, for example, Windows XP. Vista has made things a lot better, but UAC's effectiveness is not proved. A root exploit is highly unlikely, although you can argue a local user exploit is as destructive--after
    • Re: (Score:3, Informative)

      by biftek (145375)
      No, you're wrong. Bonjour (aka rendezvous aka mdns[responder]) listens on UDP port 5353 by default on a client install - that's how iTunes/iChat/AFP sharing find other computers. And guess what - it's one of the apps that has a local root exploit in this security update.
  • by __david__ (45671) * on Sunday May 27, 2007 @05:15AM (#19290337) Homepage
    I installed this update and rebooted and now it kernel panics every time I try to boot! It happens early enough that I can't even boot into single user. Grrr.....

    -David
  • Sorry... (Score:5, Insightful)

    by BrianRagle (1016523) <bragle AT gmail DOT com> on Sunday May 27, 2007 @05:18AM (#19290353) Homepage
    ...how long has Unix existed? How many threats in the wild exist compared to oh, say, Windows? How many web servers run some variant of *nix compared to Windows and, of those servers, how many are affected by exploits and threats almost daily?

    Yeah, bring that myth of "smaller user base means less of a target" one more time. I could use another good laugh.
