Apple Forcing Panther Upgrade for Security Patch 605
The Raindog writes "I noticed over at Tech Report that Apple is apparently only offering its latest round of OS X security fixes to Panther users, leaving older versions of OS X out in the cold." Update: 10/31 by J: But see the next day's story.
why do they need security fixes? (Score:2, Funny)
Re:why do they need security fixes? (Score:2, Funny)
Eh? (Score:3, Insightful)
1) Stupid of Apple, if true; part of the appeal is the lower number of problems OSX has vs Windows.
2) They'll probably have a patch in a few days. If they're smart.
Apple is unacceptable as a server provider. (Score:5, Insightful)
Such a statement, apparently confirmed by Apple, will keep Mac OS X out of any server applications. Just imagine Sun saying something similar.
Since Oracle server is out for OS X, I had been thinking about Macs for certain server applications.
At home, I have both an iMac and a beige G3. My beige G3 is not supported under 10.3; according to Apple I cannot upgrade (until xpostfacto gets through with them). Apple just tried to put a gun to my machine's head and pull the trigger.
Because they are dropping hardware in 10.3, they need to support 10.2 indefinitely.
I am not amused.
Re:Apple is unacceptable as a server provider. (Score:5, Insightful)
The original poster is right, this kind of attitude will keep serious businesses away from Apple in the server room.
Re:Apple is unacceptable as a server provider. (Score:3, Insightful)
The assumption and hearsay behind the story is pretty lame.
Re:Apple is unacceptable as a server provider. (Score:3, Funny)
Solaris 8 was free, so I don't know what you're talking about with this "thousands". I'm still getting patches for Solaris 2.6 from Sun. They support their older products just dandy. Granted, it takes 6 months to patch a mission critical vulnerability, but eventually they get around to it. On second thought, Sun sucks too. Use Debian.
Not true... (Score:3, Informative)
Re:Apple is Fine (even if Linux is Better :-)) (Score:3, Informative)
Nonsense. If you actually look up bugtraq reports by @stake, you will see all OS X versions 10.2.8 and below are vulnerable. Here [securityfocus.com], here [securityfocus.com] and here [securityfocus.com].
MOD PARENT DOWN (Score:3, Informative)
Does ANYONE read the articles? Apple recently released a security patch for a completely unrelated security issue in 10.3 that does not apply to 10.2, and everyone assumes that's what this is about, even though this article is about three COMPLETELY DIFFERENT security issues that @Stake found in 10.2 that do NOT exist in 10.3 that Apple HAS NOT YET released patches for.
Re:Apple is Fine (even if Linux is Better :-)) (Score:3, Informative)
I hate to sound rude but that is just pure BS. A shame to slashdot that you could achieve a +5 for that cr*p. Instead of your generalized disinformation here are the facts: Take a look at CAN-2003-0877 [securityfocus.com]. To quote:
Now if the vulnerability only existed in 10.3, how come you are supposed to update to 10.3 in order to f
You need to RTFA (Score:5, Informative)
Apple declined comment.
Sure, they should have pronounced their intent to fix the problems but they have certainly NOT stated that the intent is to leave 10.2.x unpatched.
The article is a bit misleading, as well. For instance, it fails to note that the @stake advisory in question (core files can be used to overwrite arbitrary files) pertains to a facility that is disabled in all Apple-supplied 10.2 installations.
In short, they should fix it. Soon. They haven't said they won't, though, and it's been *almost* two days. I'm taking a "wait and see" approach on this one.
*swirls in MS logo* (Score:3, Funny)
Gates: Damnit! Apple stole our idea to no longer support old versions of Operating Systems and force everyone to upgrade! Lawyer #1, isn't that illegal? Let's get a suit together!
Bugtraq links (Score:5, Informative)
Arbitrary File Overwrite via Core Files [securityfocus.com]
Systemic Insecure File Permissions [securityfocus.com]
Long argv[] buffer overflow [securityfocus.com]
If it is going to be Apple's policy to not provide support [apple.com] for previous operating systems from the day the new one comes out it is going to be very, very difficult for them to break into the enterprise world. Even Microsoft provides support for operating systems for a few years after the new one is released. Maybe if enough people submit a bug report [apple.com] Apple will do something about it.
Re:Bugtraq links (Score:5, Informative)
Re:Bugtraq links (Score:3, Insightful)
David Goldsmith, director of research for @stake, a security company that found four of the vulnerabilities, confirmed that Apple said it wasn't going to patch the flaws in earlier versions of the software.
"In my initial conversations with them, they said they weren't going to fix 10.2, but I wouldn't be surprised if they change that," he said.
Re:Bugtraq links (Score:2, Flamebait)
But Apple's really going to have to get their sh1t together on this - or they'll never be taken seriously in the Enterprise.
Now that I think about it - I don't think Apple's ever really put any thought at all to that anyway. The XServe's basically a prosumer device to appeal to the geeks who've always wanted a rack system in their home. You
What's with the Enterprise (Score:5, Funny)
But Apple's really going to have to get their sh1t together on this - or they'll never be taken seriously in the Enterprise.
WTF is it with you geeks and Star Trek? Listen carefully: IT'S NOT REAL, IT'S JUST A SHOW. Why, the Starfleet or whatever would no more use Apple Computers on the Enterprise than any modern PC, the whole idea is abs--
MAN TAPS NARRATOR ON SHOULDER, WHISPERS URGENTLY
Er, carry on.
Re:Bugtraq links (Score:4, Informative)
Hmm. The only one that looks like it might be a problem to normal desktop users is the argv[] overflow. And that doesn't seem like much of a problem to me, since it's highly unlikely they'll hit it.
The other two are easily fixable by users. In fact, by default they're already configured to not be an issue.
Systemic Insecure File Permissions in particular is such a yawner as to not even be worth mentioning.
Fortunately... (Score:5, Insightful)
2. DMG Folder permissions can be a problem but I think the bigger problem is broken permissions on executable program distributions. Publishers and developers aren't using the right permissions.
3. The buffer overflow crashes the machine but does not dump any sensitive data: no logs, only memory addresses are dumped. This is generally not sensitive information.
In addition, I think it's kind of lame to say that Apple will not release security updates for 10.2; perhaps they just haven't released them yet. These flaws don't seem to be terribly pertinent, since they all require that you already have access to the machine: one of them requires that you dig in and enable core files, another requires insecure app permissions (not Apple's fault) and a trojan, and the last is an overflow which must be within narrow length limits and does not dump sensitive data.
Panther hasn't even been out a week yet.
Woah (Score:4, Funny)
Re:Woah (Score:2)
Comment removed (Score:3, Interesting)
Dangerous Behavior... (Score:2, Insightful)
How much of this attitude until you're paying for each security update? I'm sure MS would love it if they could get away with it. A steady waterfall of cash.
I'm sure there'll be enough of an outcry to fix this behavior. I can't imagine people would tolerate this kind of BS for long.
~D
Re:Dangerous Behavior... (Score:2)
In case you haven't noticed, Mac users have been tolerating this for years. They're constantly being dicked over and locked in, but they still WAIT IN LINE at midnight the day before an Apple product is released to fork over their hard earned money again and again. This is truly a new level of fanaticism that I've never seen in *any* other consumer product.
quick! someone defend Apple to the bitter end! (Score:2, Insightful)
Don't get me wrong, I love my Macs, they're all I use, but Apple fanboys make me ill.
Re:quick! someone defend Apple to the bitter end! (Score:3, Insightful)
"Don't get me wrong, I love my Macs, they're all I use, but Apple fanboys make me ill."
I see this argument on slashdot all the time. It does not work. It seems to follow some of the worse arguments in popular culture. Basically it claims that since Slas
Re:quick! someone defend Apple to the bitter end! (Score:5, Insightful)
Re:quick! someone defend Apple to the bitter end! (Score:2)
If Apple doesn't release security fixes for 10.2, this is the end of Apple.
I think it is much more likely that they fix 10.3 first, because it is higher profile, and that patches will filter down over the next 2-3 weeks.
Re:quick! someone defend Apple to the bitter end! (Score:2, Insightful)
Not all OS's have a 40-hour turnaround time for bugfixes like Microsoft.
Maybe it only applies to Panther. (Score:3, Insightful)
Not True... (Score:4, Informative)
Re:Not True... (Score:5, Informative)
Re:Not True... (Score:3, Insightful)
Because it's on your Mac already? Because you don't want to shell out $129 for an upgrade? Because it's better than Classic?
anybody who uses their computer for work doesn't use 10.1.
Umm...most Macs are in schools or homes, not work. How many schools buy OS upgrades every year? How many grandmas?
Why should they support it?
Because Apple was selling it less than 18 months ago? Because if Microsoft, or RedHat, or anyone else, dropped support for an OS version that
Re:Not True... (Score:3, Insightful)
Oh I see - so any user who knows how to SSH into a remote machine and run a few commands automatically knows how to download, compile and install a piece of software from source, with the correct options to get all the paths in the right places, overwriting the Apple-supplied binaries (which of course you've backed up first).
And, of co
Damn! (Score:3, Funny)
Re:Damn! (Score:3, Informative)
There you go.
Re:Damn! (Score:2)
Possible (Score:5, Insightful)
Apple has an age-old tradition (Score:2, Funny)
Re:Apple has an age-old tradition (Score:3, Funny)
Um.. what? (Score:4, Insightful)
Apple isn't stupid, there will be patches, and if there won't, then wait until they release something about it before you start burning them in effigy.
Glad to finally find out who believes all of the things in the tabloids.
Re:Um.. what? (Score:3, Insightful)
RTFA (Score:4, Insightful)
Maybe you should try reading the article. And maybe moderators should, too, before modding up your comment.
Relevant section of article below, because you're too lazy to click a link:
Apple declined comment.
David Goldsmith, director of research for @stake, a security company that found four of the vulnerabilities, confirmed that Apple said it wasn't going to patch the flaws in earlier versions of the software.
"In my initial conversations with them, they said they weren't going to fix 10.2, but I wouldn't be surprised if they change that," he said.
Re:RTFA (Score:4, Insightful)
David Goldsmith was, most likely, not talking to the person within Apple who has the actual authority to decide whether a 10.2 patch will be issued or not. (He might have been. But we don't know.)
Goldsmith's comments indicate Apple will not be fixing the problems, and they are worrying. However it is a massive stretch to call them confirmation.
On the other hand, we still probably want to yell bloody murder about this, because lots of public complaining is probably the best way to convince Apple to change things.
A subtle prod to upgrade, or a bluff? (Score:3, Interesting)
Re:A subtle prod to upgrade, or a bluff? (Score:2)
Jeez... give apple at least a week (Score:5, Insightful)
Let's not get too pissy yet.
Re:Jeez... give apple at least a week (Score:2)
Is this just another stupid tax from a company? (Score:2, Interesting)
I don't see why anybody aware of the open source technologies that underpin OS X couldn't just locate and apply the fixes themselves. The users who don't know how can pay for the convenience of continued consumer-level support. As for the OS specific security concerns, is it unreasonable to expect an upgrade when there is a new OS release?
Vulnerabilities (Score:3, Funny)
Lol, I'd love to see the patch they came up with for preventing a local user from crashing the system.
Ignorance is bliss (Score:2)
Stebe, please save us with all your messiah powers. We want to bask in the glory of your healing rays!
Jumping the gun (Score:3)
If true, leaves Beige-G3 users out in the cold (Score:3, Interesting)
That's so wrong that I have a hard time believing that this is actually Apple's position. I expect that we'll hear from Apple shortly, and they will clarify their position -- that the patches for 10.2 will be out Real Soon Now.
But if not, Apple's going to get a lot of bad PR from this.
Re:If true, leaves Beige-G3 users out in the cold (Score:3, Insightful)
Just because you own a mac doesn't mean you can expect to have your hardware supported until the case turns to dust.
"I run Windows 95 on an older "Pentium 90", which is not supported by Windows XP. I'm enraged that Microsoft has dropped support for Windows 95 leaving all of us Pentium 90 users stuck with a system with KNOWN SECURITY HOLES."
Re:If true, leaves Beige-G3 users out in the cold (Score:2)
A quick search shows security updates for 2000 as recently as 10/29/03 and ME as recently as 10/14/03. I am running neither of these OS's so this is just checking the website; there may be more from the windows update service itself. Check please.
Re:If true, leaves Beige-G3 users out in the cold (Score:2)
If people like you are stuck in this sort of 'bind', then that is no longer true.
I was thinking about purchasing an older, 'Beige' G3 on eBay to play with OS X----does this affect all models (ie does Panther not work on all Beige G3s?)
Re:If true, leaves Beige-G3 users out in the cold (Score:2)
Re:If true, leaves Beige-G3 users out in the cold (Score:3, Insightful)
But don't you need physical access to the computer (Score:2, Interesting)
Apple has not made a statement (Score:5, Insightful)
Security? (Score:2)
wtf?
Re:Security? (Score:2)
I look forward to your frequent posts of
"Bug Fixes already? wtf?"
Are these anything to worry about? (Score:3, Informative)
all the more reason.. (Score:2)
This just in from Apple: (Score:3, Informative)
So it seems that only Panther is vulnerable, and there is no need to release a patch for 10.2.x and 10.1.x.
This is craziness (Score:2)
But...
If I had to upgrade my OS every year in order to get the latest security patches, I would shit a brick.
Seriously.
I'm glad that all the machines in my office get automatic patches from SuSE. I spend enough time screwing around with the applications on my system.
If my OS works, I don't want to have to upgrade it. I don't care how easy it is, I don't care how much cool stuff comes with it.
That's what my 'test-bed' (read toy) systems at home are for.
Whe
This will impede corporate use (Score:2, Redundant)
I upgraded my machine at home 10.2.8->10.3. Unfortunately, one piece of software would not work (Silverfast SE, my scanner software. It would not detect the scanner even though the System Profiler showed that it was at SCSI address 2).
It was easy to downgrade to 10.2, then run software update to get back to the 10.2.8 system. Then I realized that there were security updates for 10.3 that were unavailable to me. My choice is security updates, or using my scanner. For now,
Re:This will impede corporate use (Score:3, Interesting)
When choosing a corporate platform, we don't just consider the QuickTime Java patch, we talk about hypothetical situations. This is done by asking "What would we do if..." In this case, we could not buy from a vendor that only fixes the current release and will not publish a road-map detailing availability policy for future security patches. Microsoft typically publishes secu
Tech Report (Score:5, Insightful)
Is a rabidly pro-Microsoft and anti-Mac site. Just check the tone of previous stories.
You can't believe everything you read on the 'net!
Elvis sighted playing poker with JFK! (Score:2, Interesting)
"'...this is the first time they have hinted that they will not be supporting any particular OS X version for more than that year...'"
Though Apple has been slow in providing updates to fully support their hardware in OS X (e.g. the ATI driver issue), this story is based on speculation on the part of the people interviewed. Also, there is no comment from Apple, so muc
Have you looked at the details of the bugs? (Score:5, Interesting)
Release: 10.28.03
Name: Long argv[] Buffer Overflow
Application: Mac OS X
Platforms: Mac OS X 10.2.8 and below
Severity: Attacker can crash Mac OS X and possibly execute commands as root
Author: Matt Miller and Dave G.
Overview: It is possible to cause the Mac OS X kernel to crash by specifying a long command line argument. While this primarily affects local users there may be conditions where this situation is remotely exploitable if a program which receives network input spawns another process with user input. It is possible to use this condition to dump small portions of memory back to an attacker.
Release: 10.28.03
Name: Systemic Insecure File Permissions
Application: Finder (and many others)
Platforms: Mac OS X 10.2.8 and below
Severity: High
Author: Dave G.
Overview: Many applications are installed onto Mac OS X systems with insecure file permissions. This is due to two distinct classes of problems:
A security issue regarding DMG files managed by Mac OS X
Insecure file permissions packaged by different vendors
The result is that many of the files and directories that compose various applications are globally writable. This allows attackers with filesystem access to an OS X machine to replace binaries and obtain additional privileges from unsuspecting users, who may run the replaced version of the binary.
Release: 10.28.03
Name: Arbitrary File Overwrite via Core Files
Application: Kernel
Platforms: Mac OS X 10.2.8 and below
Severity: High
Author: Dave G.
Overview: In the event a system is running with core files enabled, attackers with interactive shell access can overwrite arbitrary files, and read core files created by root owned processes. This may result in sensitive information like authentication credentials being compromised.
Yeah, they're bugs, and yeah, it's possible. But don't these phrases kinda limit the scope?
"While this primarily affects local users"
"This allows attackers with filesystem access"
"attackers with interactive shell access"
So to me this doesn't mean the end of the world, or that all my data is wide open and exploitable from the public internet. I'm guessing they'll patch it when they can, and the fact that it's patched in X.3 probably means they're using a different release of the software in question that is inherently invulnerable to these issues.
This is why life wouldn't be better under Apple (Score:2)
Whenever a Microsoft or Linux hole appears, the Apple extremists come out of the woodwork, talking about how "If Apple was the majority player, not MS, none of this would happen." Well, guess what. If Apple was the majority player, this would have just screwed the majority of computer users.
True, when Blaster was running rampant, MS refused to patch NT4 systems. But, those systems were not 1 year old either. This behavior is completely irresponsible of Apple, and should be a good example of why, even thoug
Wait a minute... (Score:5, Insightful)
Remember that when security issues are found in Microsoft products, Microsoft is usually notified in secret months before the issue is made public, so that they have time to develop a patch.
Summary of the first issue: a user could:
a) turn on core files, so when a process crashes it will dump core to a world-writable directory
b) mount a disk image (or presumably any other writable filesystem such as an SMB mount)
c) make a symlink in the cores directory with a particular PID in the filename, pointing to an empty file on the mounted filesystem
d) cause that particular process, which could be owned by root, to crash, overwriting the file that was linked to
e) read the resulting core file
Or skip steps b and e, and just use it as a DoS to overwrite something important, but unless you've hacked OpenFirmware to prevent booting into single-user mode or booting from CD, anyone with physical access to the machine can do this anyway.
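A read-only audit for the two local preconditions described in the advisories and the post above (world-writable application files, and a core directory that is world-writable or already holds symlinks), as an added example that is not code from @stake, Apple or any poster. It assumes Darwin's kern.coredump sysctl and a /cores-style directory; the sample tree it scans is constructed inline and it changes nothing on the host.

```shell
#!/bin/sh
# Added example: a read-only audit for the local conditions the @stake advisories describe.
# Nothing here comes from Apple or @stake; sample data is constructed below.

# Print every file or directory under DIR that others can write to. Symlinks are skipped
# because their own mode bits are meaningless. -perm -002 works in both GNU and BSD find.
world_writable_entries() {
    find "$1" ! -type l -perm -002 2>/dev/null
}

# Count the same set, for a quick pass/fail number.
count_world_writable() {
    world_writable_entries "$1" | wc -l | tr -d ' '
}

# List symlinks sitting directly in the core directory. A symlink there is what would
# redirect a root process's core dump onto another file, so any hit is a finding.
core_dir_symlinks() {
    find "$1" -maxdepth 1 -type l 2>/dev/null
}

# Return 0 when this session would write core files. Assumption: on Darwin the
# kern.coredump sysctl must also be 1; elsewhere only the ulimit is inspected.
core_dumps_enabled() {
    [ "$(ulimit -c)" != "0" ] || return 1
    if sysctl -n kern.coredump >/dev/null 2>&1; then
        [ "$(sysctl -n kern.coredump)" = "1" ] || return 1
    fi
    return 0
}

# Build a constructed sample tree (stand-in for /Applications and /cores); print its path.
make_sample_tree() {
    tmp=$(mktemp -d) || return 1
    mkdir -p "$tmp/apps/Good.app/Contents/MacOS" "$tmp/apps/Bad.app/Contents/MacOS" "$tmp/cores"
    printf '#!/bin/sh\n' > "$tmp/apps/Good.app/Contents/MacOS/good"
    printf '#!/bin/sh\n' > "$tmp/apps/Bad.app/Contents/MacOS/bad"
    chmod -R 755 "$tmp/apps"
    chmod 777 "$tmp/apps/Bad.app/Contents/MacOS/bad"   # constructed: vendor shipped it 0777
    chmod 1777 "$tmp/cores"                             # world-writable sticky core directory
    ln -s /dev/null "$tmp/cores/core.1234"              # constructed symlink planted in it
    printf '%s\n' "$tmp"
}

# Human-readable report for an application directory and a core directory.
audit_report() {
    appdir=$1; coredir=$2
    echo "== world-writable entries under $appdir (any local user could replace these) =="
    world_writable_entries "$appdir"
    echo "== core directory $coredir =="
    if [ "$(count_world_writable "$coredir")" != "0" ]; then
        echo "directory or its contents are world-writable"
    fi
    links=$(core_dir_symlinks "$coredir")
    [ -z "$links" ] || echo "symlinks present in core directory:"; echo "$links"
    if core_dumps_enabled; then
        echo "core dumps are enabled in this session, so the checks above matter"
    else
        echo "core dumps are disabled in this session (as Apple ships 10.2)"
    fi
}

sample=$(make_sample_tree)
audit_report "$sample/apps" "$sample/cores"
rm -rf "$sample"
```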
This does not affect 10.2.x (Score:4, Informative)
>The issue does not exist in earlier versions of Mac OS X or Mac OS X Server.
Sensationalist bullshit. (Score:2, Informative)
Give it a day or two. Apple has not said that they won't be issuing the patch for Jaguar, they merely haven't released it yet. In all likelihood, a Jaguar patch will follow.
If memory serves, they continued to issue security patches for 10.1 after Jaguar was released. I see no reason why they'd choose to alienate their customers by not doing the same for Jaguar now that Panther's out in the wild.
Journalistic integrity on Slashdot? Yeah, I'm asking a bit much.
Apple announces new viruses (Score:2)
The new viruses will be shipping worldwide in early 2004.
10.3 Only Problem (Score:3, Insightful)
Re:10.3 Only Problem (Score:4, Informative)
You're a moron.
The 10.3-only security issue Apple just patched has nothing whatsoever to do with what we're talking about, which is three security issues identified by @Stake that do not exist in 10.3. Sure, the summary is stupid, but that's because the article is stupid. They're saying Apple is only making the fixes available in 10.3; the truth is, the problems don't exist in 10.3 and Apple hasn't released a patch for 10.2 yet because @Stake only announced them two days ago.
Note to self... (Score:2)
Great reporting, guys. (Score:4, Interesting)
It's not at all possible that with new functionality comes new bugs?
The very title of this story indicates a lack of proper investigative journalism. Of course, this is
Here's the real story (Score:5, Informative)
Debunked (Score:3, Informative)
Re:If Microsoft did this... (Score:2, Funny)
Re:If Microsoft did this... (Score:2)
Re:If Microsoft did this... (Score:2)
Here is the Windows lifecycle page [microsoft.com]. Looks like Win 95 became officially unsupported at the beginning of 2002 and reached the official "End of Life" on December 31, 2002. IIRC, Win 95 was released August 95.
Win 98 becomes officially unsupported January 16, 2004, although system builders can still acquire licenses until March 31, 2004. (Looks like I should upgrade my Win 98 system pretty soon.
Re:If Microsoft did this... (Score:2)
Re:If Microsoft did this... (Score:3, Insightful)
Unlike MS, Apple doesn't have such a gigantic installed base of, say, 8.6 users compared to Win95/98 in the MS world.
If MS said, "We're scrapping the Windows kernel and writing a new Unix-based OS (Is that a pig that just flew by?), MS would try to drop support for the old Windows, to get developers, users, and enterprises a
Re:But... but I thought... (Score:2, Insightful)
In other news, it should come as no surprise to anyone that a computer has a potential security flaw. Does it have a keyboard? What's that? It does have a keyboard! Why, someone could just walk in and START ACCESSING YOUR COMPUTER by simply typing on it.
On the upside, the amount of skr1p7 kiddies who are likely to find Mac exploits and
Re:Bloody murder (Score:2)
But really, would my excessive ranting and whining on
Re:Bloody murder (Score:2)
They have a hardened group of insane users who simply won't switch to anything else.
As such, it makes good business sense for Apple to make them pay through the nose----They've got them by the short and curlies, now they can generate revenue by forcing Apple users to constantly purchase new stuff.
Look for Apple to move to a subscription OS model, soon.
Re:Bloody murder (Score:5, Funny)
I'm reminded of a battered wife who will never leave her husband despite getting beaten again and again.
A few people point out that there's no evidence to support the story yet, and you're reminded of a battered wife? I bet every time you stub your toe, you're reminded of the Hindenburg. Oh, the humanity!
Re:As a long time Mac user, I'm not surprised. (Score:3, Insightful)
One of these days one of them is going to get seriously taken to court over this.
Either that, or the government is eventually going to have to get sw publishers to provide a warranty for their sw, like all other goods are forced to have. I guess it's just up to us to stop settling for defective sw.
Re:As a long time Mac user, I'm not surprised. (Score:5, Informative)
Re:As a long time Mac user, I'm not surprised. (Score:2, Informative)
Re:As a long time Mac user, I'm not surprised. (Score:2, Informative)
quick, what was the version of system software immediately before the release of 7.0?
6.0.7. System 7 was released after 6.0.7 and 6.0.8 was released AFTER System 7. When MacOS X came out, how many updates were there to 9.x?
Re:No surprise here. (Score:2)
That doesn't make sense. If someone gave me a basket of apples and one was rotten, that doesn't mean the rest of them aren't perfectly tasty delicious apples. Just rinse them off. I mean, "rotten" isn't contagious is it?
Re:Is Apple next? (Score:2)
Granted, Apple doesn't control the guys that release it, but in this case Panther already has the fix built in, so where's the one for Jaguar?
Time (and public opinion) will tell I guess...
Re:Here At Slashdot We're Unsure (Score:2)
Re:I only wish..... (Score:2)
http://simplest-shop.com/Macintosh--1-229660-software.html
Let's see
X.1 Sept 28, 2001
X.2 Aug 23, 2002
That puts 11 months between those two releases
X.3 Oct 25, 2003
That's a nice 14 months in between those releases
By contrast:
Windows 2000 , Feb 17 2000
Windows ME released Sept 14 2000
That would be 7 months
Windows XP Oct 25 2001
That would be 13 months
And let's compare prices:
Mac OS X $130 always (full version)
Windows 2000 $320
Windows ME $110 (