Forgot your password?
typodupeerror
OS X Security Upgrades Apple

Apple Patches Massive Holes In OS X 246

Posted by timothy
from the well-it-wouldn't-be-polite-to-patch-windows dept.
Trailrunner7 writes with this snippet from ThreatPost: "Apple's first Mac OS X security update for 2010 is out, providing cover for at least 12 serious vulnerabilities. The update, rated critical, plugs security holes that could lead to code execution vulnerabilities if a Mac user is tricked into opening audio files or surfing to a rigged Web site." Hit the link for a list of the highlights among these fixes.
This discussion has been archived. No new comments can be posted.

Apple Patches Massive Holes In OS X

Comments Filter:
  • Re:Twelve? (Score:5, Insightful)

    by mjschultz (819188) on Wednesday January 20, 2010 @05:35PM (#30838010) Homepage

    Apple's own security update page (http://support.apple.com/kb/HT4004) lists these six, where did Threatpost author get the number 12 from?

    The Flash update is actually 7 vulnerabilities.

  • Re:Cover your eyes (Score:5, Insightful)

    by amicusNYCL (1538833) on Wednesday January 20, 2010 @05:42PM (#30838160)

    You just couldn't wait to post that, could you? FYI: every piece of software needs updates, and there is still always one piece of software that will be more secure than the others. I don't know if OSX is more secure than Windows 7, but both of them will continue to receive updates, that fact doesn't make either of them less secure.

  • by 0racle (667029) on Wednesday January 20, 2010 @05:45PM (#30838202)
    It is when you want security updates from Apple.
  • Re:Cover your eyes (Score:4, Insightful)

    by e2d2 (115622) on Wednesday January 20, 2010 @05:47PM (#30838222)

    Windows 7 can still be targeted by a IE bug that's been in place since IE6. Safari doesn't have zero day bugs *that* old

    How would you know? Zero-day means a non-public exploit.

  • Re:Twelve? (Score:5, Insightful)

    by Graff (532189) on Wednesday January 20, 2010 @05:48PM (#30838262)

    The Flash update is actually 7 vulnerabilities.

    Moral of this story:
    Avoid Flash and you can cut the amount of vulnerabilities approximately in half!

  • by recoiledsnake (879048) on Wednesday January 20, 2010 @06:11PM (#30838658)

    It's interesting that many of these(like the image exploits) can be triggered by just browsing to a website(like the IE6/Google/China fiasco) or by mp4 audio/video files. Where are all the 'LOL M$ can't code' posters here?

  • by His Shadow (689816) on Wednesday January 20, 2010 @06:39PM (#30839078) Homepage Journal
    Has anyone driven a truck thru these gaping holes? Anyone? Beuller? When OSX is suffering from a deluge of viruses from all these supposed gaping holes in it's Architecture, please come back and let us know. Because while every operating system has vulnerabilities, only Microsoft was kind enough to make those vulnerabilities accessible by system wide scripting mechanisms that allowed millions of computer users the world over be the subject of attacks from the hundreds of thousands of pieces of malware constantly fighting to infect Windows PCs. The count (for those who think a security vulnerability makes Apple's points about viruses invalid) is about one hundred thousand to 0. This is being very generous. So, yes, as a matter of fact, there are no viruses for Mac OS X. Not virtually none, not almost none. None.
  • by DJCouchyCouch (622482) on Wednesday January 20, 2010 @06:39PM (#30839082)

    Using random data doesn't work if some structured data needs to be read first.

    So you need non-random random data. :)

  • by LihTox (754597) on Wednesday January 20, 2010 @06:43PM (#30839140)

    Viruses tend to find MacOS too arrogant an environment to survive in.

    Making our arrogance is an adaptive self-defense mechanism. So shove off, Windoze loser. :)

  • Re:Cover your eyes (Score:3, Insightful)

    by amicusNYCL (1538833) on Wednesday January 20, 2010 @06:48PM (#30839194)

    Meanwhile, I go home at night and surf with impunity on my Mac running OS X, just like I've done for the last 8 years.

    You think you're the only one? My machine at home runs an unpatched version of XP SP3 (legally licensed, I just don't really bother to update it). I don't run a virus scanner, nor a software firewall, nor a memory-resident malware scanner. My current machine has never been infected (~2 years or so, since Crysis). My machine before that (same config) got infected once, when my roommate was porn browsing in IE.

    The point? You don't need to run something other than Windows if you want to avoid infection, you just need to use your computer intelligently. It seems like you're saying that OSX is the platform for people to be as stupid as they want and still manage to avoid infection. That, my friend, is changing (as evidenced by the 7 patched vulnerabilities in Flash player).

  • by jo_ham (604554) <joham999@NoSPaM.gmail.com> on Wednesday January 20, 2010 @07:02PM (#30839394)

    There aren't enough Windows with IIS installed to make the average script kiddie drool in anticipation in comparison to Linux/BSD with Apache. Oh wait.

    If you don;t think the the chance to be the "first person to exploit the 'secure' OS X with a virus" isn;t driving some of these people then you are deluded. Or that genuine organised crime isn't going after the Mac platform (as a non-negligable marketshare) as well as Windows since it is amulti-million dollar industry compromising machines over the net. So far though, not much beyond proof of concept stuff and things that require user credential authentication.

    It's no reason to be complacent (and the patching of vulnerabilities is not complacency), or the assertion that OS X is immune to threats, because it isn't. But it has proven to have a pretty good track record - not perfect, but pretty good. Continued work is still needed though.

  • Re:Cover your eyes (Score:4, Insightful)

    by EvanED (569694) <evaned@gma[ ]com ['il.' in gap]> on Wednesday January 20, 2010 @07:02PM (#30839398)

    So as we wouldn't count a problem with notepad as a Windows OS issue, so we shouldn't count ones for other OS's non-essential programs.

    Not saying you're in this group, but a lot of people around here have no problem counting IE vulnerabilities against Windows.

  • Re:Twelve? (Score:1, Insightful)

    by Anonymous Coward on Wednesday January 20, 2010 @07:06PM (#30839440)

    And you can avoid most of the internet at the same time.

  • by Anonymous Coward on Wednesday January 20, 2010 @07:38PM (#30839830)

    At least we're getting some...

  • Re:Cover your eyes (Score:5, Insightful)

    by shutdown -p now (807394) on Wednesday January 20, 2010 @07:41PM (#30839888) Journal

    So as we wouldn't count a problem with notepad as a Windows OS issue, so we shouldn't count ones for other OS's non-essential programs.

    So far as I have seen, problems with user-space components such as Notepad are indeed counted as Windows issues. Which makes perfect sense, since Notepad is present out of the box, and the box says "Windows" on it.

    Similarly, OpenBSD has a fork of Apache 1.3 in their base system. If a vulnerability is found in that, then surely it's an OpenBSD vulnerability (hence the difference between base system and ports).

    If Apple ships Flash plugin that way, then they have to deal with any security issues that may cause.

  • Re:Cover your eyes (Score:2, Insightful)

    by mystikkman (1487801) on Wednesday January 20, 2010 @07:57PM (#30840124)

    That doesn't say anything about sandboxing or DEP, like you claimed it would "confirm", got any more references to back up your claim?

  • Re:Cover your eyes (Score:2, Insightful)

    by TiberiusMonkey (1603977) on Wednesday January 20, 2010 @08:06PM (#30840230)
    To be fair MS themselves used to make a big deal out of claiming that IE was Windows and they couldn't be separated. That not being true didn't stop them.
  • Re:Cover your eyes (Score:3, Insightful)

    by AHuxley (892839) on Wednesday January 20, 2010 @08:07PM (#30840236) Homepage Journal
    One off professional solutions for a cash prize by a ex NSA worker.
    Where are the in the wild hacks?
    Where are the step by step scripts and FAQ's for setting up a Mac trap?
    We have one very very very smart person showing up with a prize to win at this time.
  • by phantomfive (622387) on Wednesday January 20, 2010 @08:21PM (#30840378) Journal
    I don't know if you've ever written an image parser before, but sanitizing the data before you parse it can be really hard. If you think about it, the data itself can be almost random, considering a picture can be almost anything. To do a good job validating the data, you would almost have to re-implement the parser itself.

    Not saying they shouldn't have caught these bugs, but it's a little harder than just validating the data as it comes in.
  • by GoodNicksAreTaken (1140859) on Wednesday January 20, 2010 @09:06PM (#30840828)
    You most have missed all the reports on the virus spread through torrents for Photoshop CS4 and iLife. [atomicsub.net]
  • Re:Twelve? (Score:3, Insightful)

    by Graff (532189) on Wednesday January 20, 2010 @09:12PM (#30840878)

    Only turn flash on when you need it, youtube and the like

    You can mostly avoid using Flash with Youtube. Many of the videos can now be viewed with H.264 so you don't need Flash there either.

    Honestly I find very few sites that I need to enable Flash to view. Most of the sites that require Flash are annoying anyways and I'm glad to avoid them. A lot of sites want iPhone users to be able to view them and so they provide a non-Flash fallback that is a lot more usable than their main Flash page.

  • by mario_grgic (515333) on Wednesday January 20, 2010 @10:00PM (#30841230)

    What you are linking to is NOT a virus, but a malware that user has to download, authenticate themselves as someone allowed to install software and install it.

    If you have a user willing to do that, then all bets are off.

    The original assertion still stands though. No viruses (i.e. self propagating code that spreads from machine to machine without user intervention). There aren't any for OS X and I'm not aware of any for Linux/BSD etc either.

  • by mario_grgic (515333) on Wednesday January 20, 2010 @10:04PM (#30841264)

    Except you kids need to read on what people mean when they say a "virus". Hint: it's not the same thing as malware that user has to install themselves, and you need to rely on social engineering techniques to get them to install your malware for you (in the above case the lure of free Photoshop installation), etc.

  • Re:Cover your eyes (Score:2, Insightful)

    by JDeane (1402533) on Wednesday January 20, 2010 @10:18PM (#30841366) Journal

    I ran into a machine about two weeks back. The only obvious symptom was that when I tried to run Spybot the program would just close. This machine was stable and fast too.... really scary stuff some of the new crap. Then I took a peek at the AVG they where running, all up to date on version 8 point something (I use AVG too and knew that version 9 had already come out so this was messed up too the spyware or what ever it was had even taken over AVG lol)

    I finally used an old trick of renaming the .exe for Spybot and it ran fine then and even recognized the infection although it could not clean it at least it gave me a name to google and removal instructions.

    This infection came from Limewire so I can't blame XP or IE for this one, it was all user ignorance (not stupidity just not aware of file sizes and how bad something.mp3.exe can be lol)

    So I guess the moral of the story on this one is that with the new stuff you might be infected and not even know it, and user security is even more vital then any other type.

  • Re:Twelve? (Score:1, Insightful)

    by Anonymous Coward on Thursday January 21, 2010 @03:54AM (#30843354)

    > You wouldn't need Flash at all if Youtube would stream one of the many open standards.

    Pardon me, but the whole reason that YouTube beat ALL the competing video-sharing sites was because they chose ONE standard to host their videos. They made it easy to upload and convert just about ANY format by doing it on the server side!

    They went with Flash because:

    1. Flash is already on most desktops
    2. Other video standards may require users to download software or codecs
    3. Users don't like to have to install + configure software to use the Web
    4. It provided a means of copy protection that other formats didn't

    That's basically it. Doesn't mean Flash is superior, but if they had gone with one of the open formats, people would be saying "YouWhat??"

  • Re:Twelve? (Score:2, Insightful)

    by joost (87285) on Thursday January 21, 2010 @05:18AM (#30843718) Homepage

    Just the really shitty parts. Only turn flash on when you need it, youtube and the like

    Not even then. ClickToFlash [github.com] plays H.264 in youtube, avoiding flash altogether.

  • Re:Twelve? (Score:3, Insightful)

    by Graff (532189) on Thursday January 21, 2010 @11:20AM (#30846202)

    Well guess what fanboi, you can get Flash on Windows too. If this isn't an OSX problem where is the Microsoft Security Update? And why is Apple patching this, not Adobe?

    Face it, Apple is way less secure than Windows.

    There were also vulnerabilities in the Windows version. They were patched by Adobe a couple of months ago. Adobe just released the Mac version of the updates. Again, blame Adobe for being late to patch Flash for Mac, not Apple.

    Apple is not patching Flash, they are just pushing out the latest version from Adobe since Flash is part of the default install for Mac OS X.

    You might want to actually do some research before you make baseless accusations but I guess that's why you hide behind the "Anonymous Coward" feature...

  • by stewbacca (1033764) on Thursday January 21, 2010 @02:12PM (#30848642)

    I dunno. Apple seems to be selling millions of new Macs each quarter for about 10 years now. When will there be "enough macs out there" for your hypothesis?

Forty two.

Working...