Apple Patches Massive Holes In OS X 246
Trailrunner7 writes with this snippet from ThreatPost: "Apple's first Mac OS X security update for 2010 is out, providing cover for at least 12 serious vulnerabilities. The update, rated critical, plugs security holes that could lead to code execution vulnerabilities if a Mac user is tricked into opening audio files or surfing to a rigged Web site." Hit the link for a list of the highlights among these fixes.
Re:Twelve? (Score:5, Insightful)
Apple's own security update page (http://support.apple.com/kb/HT4004) lists these six, where did Threatpost author get the number 12 from?
The Flash update is actually 7 vulnerabilities.
Re:Cover your eyes (Score:5, Insightful)
You just couldn't wait to post that, could you? FYI: every piece of software needs updates, and there is still always one piece of software that will be more secure than the others. I don't know if OSX is more secure than Windows 7, but both of them will continue to receive updates, that fact doesn't make either of them less secure.
Re:Don't bother looking if you have X.4 or earlier (Score:3, Insightful)
Re:Cover your eyes (Score:4, Insightful)
Windows 7 can still be targeted by a IE bug that's been in place since IE6. Safari doesn't have zero day bugs *that* old
How would you know? Zero-day means a non-public exploit.
Re:Twelve? (Score:5, Insightful)
The Flash update is actually 7 vulnerabilities.
Moral of this story:
Avoid Flash and you can cut the amount of vulnerabilities approximately in half!
Re:Must be running bootcamp (Score:3, Insightful)
It's interesting that many of these(like the image exploits) can be triggered by just browsing to a website(like the IE6/Google/China fiasco) or by mp4 audio/video files. Where are all the 'LOL M$ can't code' posters here?
Different Day, Same Crap (Score:4, Insightful)
Re:image format bugs (Score:2, Insightful)
Using random data doesn't work if some structured data needs to be read first.
So you need non-random random data. :)
Re:Must be running bootcamp (Score:4, Insightful)
Viruses tend to find MacOS too arrogant an environment to survive in.
Making our arrogance is an adaptive self-defense mechanism. So shove off, Windoze loser. :)
Re:Cover your eyes (Score:3, Insightful)
Meanwhile, I go home at night and surf with impunity on my Mac running OS X, just like I've done for the last 8 years.
You think you're the only one? My machine at home runs an unpatched version of XP SP3 (legally licensed, I just don't really bother to update it). I don't run a virus scanner, nor a software firewall, nor a memory-resident malware scanner. My current machine has never been infected (~2 years or so, since Crysis). My machine before that (same config) got infected once, when my roommate was porn browsing in IE.
The point? You don't need to run something other than Windows if you want to avoid infection, you just need to use your computer intelligently. It seems like you're saying that OSX is the platform for people to be as stupid as they want and still manage to avoid infection. That, my friend, is changing (as evidenced by the 7 patched vulnerabilities in Flash player).
Re:You forget one simple thing... (Score:4, Insightful)
There aren't enough Windows with IIS installed to make the average script kiddie drool in anticipation in comparison to Linux/BSD with Apache. Oh wait.
If you don;t think the the chance to be the "first person to exploit the 'secure' OS X with a virus" isn;t driving some of these people then you are deluded. Or that genuine organised crime isn't going after the Mac platform (as a non-negligable marketshare) as well as Windows since it is amulti-million dollar industry compromising machines over the net. So far though, not much beyond proof of concept stuff and things that require user credential authentication.
It's no reason to be complacent (and the patching of vulnerabilities is not complacency), or the assertion that OS X is immune to threats, because it isn't. But it has proven to have a pretty good track record - not perfect, but pretty good. Continued work is still needed though.
Re:Cover your eyes (Score:4, Insightful)
So as we wouldn't count a problem with notepad as a Windows OS issue, so we shouldn't count ones for other OS's non-essential programs.
Not saying you're in this group, but a lot of people around here have no problem counting IE vulnerabilities against Windows.
Re:Twelve? (Score:1, Insightful)
And you can avoid most of the internet at the same time.
Re:I just patched a massive hole (Score:2, Insightful)
At least we're getting some...
Re:Cover your eyes (Score:5, Insightful)
So as we wouldn't count a problem with notepad as a Windows OS issue, so we shouldn't count ones for other OS's non-essential programs.
So far as I have seen, problems with user-space components such as Notepad are indeed counted as Windows issues. Which makes perfect sense, since Notepad is present out of the box, and the box says "Windows" on it.
Similarly, OpenBSD has a fork of Apache 1.3 in their base system. If a vulnerability is found in that, then surely it's an OpenBSD vulnerability (hence the difference between base system and ports).
If Apple ships Flash plugin that way, then they have to deal with any security issues that may cause.
Re:Cover your eyes (Score:2, Insightful)
That doesn't say anything about sandboxing or DEP, like you claimed it would "confirm", got any more references to back up your claim?
Re:Cover your eyes (Score:2, Insightful)
Re:Cover your eyes (Score:3, Insightful)
Where are the in the wild hacks?
Where are the step by step scripts and FAQ's for setting up a Mac trap?
We have one very very very smart person showing up with a prize to win at this time.
Re:image format bugs (Score:3, Insightful)
Not saying they shouldn't have caught these bugs, but it's a little harder than just validating the data as it comes in.
Re:Different Day, Same Crap (Score:2, Insightful)
Re:Twelve? (Score:3, Insightful)
Only turn flash on when you need it, youtube and the like
You can mostly avoid using Flash with Youtube. Many of the videos can now be viewed with H.264 so you don't need Flash there either.
Honestly I find very few sites that I need to enable Flash to view. Most of the sites that require Flash are annoying anyways and I'm glad to avoid them. A lot of sites want iPhone users to be able to view them and so they provide a non-Flash fallback that is a lot more usable than their main Flash page.
Re:You forget one simple thing... (Score:4, Insightful)
What you are linking to is NOT a virus, but a malware that user has to download, authenticate themselves as someone allowed to install software and install it.
If you have a user willing to do that, then all bets are off.
The original assertion still stands though. No viruses (i.e. self propagating code that spreads from machine to machine without user intervention). There aren't any for OS X and I'm not aware of any for Linux/BSD etc either.
Re:Different Day, Same Crap (Score:3, Insightful)
Except you kids need to read on what people mean when they say a "virus". Hint: it's not the same thing as malware that user has to install themselves, and you need to rely on social engineering techniques to get them to install your malware for you (in the above case the lure of free Photoshop installation), etc.
Re:Cover your eyes (Score:2, Insightful)
I ran into a machine about two weeks back. The only obvious symptom was that when I tried to run Spybot the program would just close. This machine was stable and fast too.... really scary stuff some of the new crap. Then I took a peek at the AVG they where running, all up to date on version 8 point something (I use AVG too and knew that version 9 had already come out so this was messed up too the spyware or what ever it was had even taken over AVG lol)
I finally used an old trick of renaming the .exe for Spybot and it ran fine then and even recognized the infection although it could not clean it at least it gave me a name to google and removal instructions.
This infection came from Limewire so I can't blame XP or IE for this one, it was all user ignorance (not stupidity just not aware of file sizes and how bad something.mp3.exe can be lol)
So I guess the moral of the story on this one is that with the new stuff you might be infected and not even know it, and user security is even more vital then any other type.
Re:Twelve? (Score:1, Insightful)
> You wouldn't need Flash at all if Youtube would stream one of the many open standards.
Pardon me, but the whole reason that YouTube beat ALL the competing video-sharing sites was because they chose ONE standard to host their videos. They made it easy to upload and convert just about ANY format by doing it on the server side!
They went with Flash because:
1. Flash is already on most desktops
2. Other video standards may require users to download software or codecs
3. Users don't like to have to install + configure software to use the Web
4. It provided a means of copy protection that other formats didn't
That's basically it. Doesn't mean Flash is superior, but if they had gone with one of the open formats, people would be saying "YouWhat??"
Re:Twelve? (Score:2, Insightful)
Not even then. ClickToFlash [github.com] plays H.264 in youtube, avoiding flash altogether.
Re:Twelve? (Score:3, Insightful)
Well guess what fanboi, you can get Flash on Windows too. If this isn't an OSX problem where is the Microsoft Security Update? And why is Apple patching this, not Adobe?
Face it, Apple is way less secure than Windows.
There were also vulnerabilities in the Windows version. They were patched by Adobe a couple of months ago. Adobe just released the Mac version of the updates. Again, blame Adobe for being late to patch Flash for Mac, not Apple.
Apple is not patching Flash, they are just pushing out the latest version from Adobe since Flash is part of the default install for Mac OS X.
You might want to actually do some research before you make baseless accusations but I guess that's why you hide behind the "Anonymous Coward" feature...
Re:You forget one simple thing... (Score:3, Insightful)
I dunno. Apple seems to be selling millions of new Macs each quarter for about 10 years now. When will there be "enough macs out there" for your hypothesis?