Apple to Fix Security Holes in Jaguar
Simon Cozens writes "Yesterday's unsubstantiated report that Apple is refusing to supply security upgrades to Jaguar turns out to be untrue; Apple told MacCentral they will be fixing the bugs turned up by @stake. Next conspiracy, please!"
Well hell (Score:5, Funny)
Re:Well hell (Score:5, Interesting)
Following Apple-related discussions on Slashdot is like riding on a bus with no steering: it careens onto the right shoulder, heads back toward the middle, only to screech onto the left shoulder, back toward the middle...
Re:Well hell (Score:2)
Sure, between both of them, it careens. So ignore morons. In that last story, many of the highest rated posts were people smacking them down. Don't worry about it.
Let's be fair and balanced (no, really) here... (Score:5, Informative)
That's the only thing that had Bugtraq up in arms: the lack of assurance that earlier versions would see a patch. And most of the people worried about that were worried because they want Apple to succeed as a Unix vendor, not because they want to see it crash and burn. (I don't know about the Slashdot comments, because I only read more than the highest rated couple of comments when I've got moderator points, but I'd guess that at least some of them were along the same lines.)
I don't know if it was merely a typographical oversight, or if Apple really didn't have any plans to release patches for earlier releases. In the first case they should have been more clear initially (and now they will), in the latter case they were making a huge mistake. I'm inclined to believe it's the former.
This is [cotse.com] not [securityfocus.com] the first time that Apple's security PR has been less than impeccable. They've rebounded pretty well each time, and I haven't seen them make the same mistake twice.
It's only reasonable to expect them to get harshly criticized, especially with Mac OS X: they're jumping from a very soft, easy-going market (desktop publishing and education) into an insanely security-conscious market (Unix enterprise servers). They're actually doing quite well, but there are still more entrance pains to come. The security community is, to an extent, xenophobic, and certainly disinclined to believe that a vendor with a relatively small amount of experience in the market can be relied upon to do the right thing. So Apple has to prove themselves a bit. So far, they're doing pretty well. It doesn't matter if you make mistakes like this, as long as you admit to them, patch things up, and then don't keep making them (hey Microsoft, you listening here?).
And Apple really is doing a good job: I've seriously considered bringing Mac OS X (and the related hardware) in as a replacement for aging Sun hardware running Solaris. Sun seems to be falling apart, and (especially with the G5) Apple seems to be a reasonable replacement in the mid-range compute + high I/O line of work without the vendor/service problems you get from Linux (which isn't so hot on the I/O front, since it's hampered by the IA32 architecture's crappy I/O design... other architectures don't matter, because Red Hat doesn't support them commercially).
Re:Let's be fair and balanced (no, really) here... (Score:2)
Who needs it? (Score:2)
Re:Who needs it? (Score:2)
Certainly no one too stupid to add it to a Mac. Oh, you mean you don't know how to do it?
Re:Who needs it? (Score:3, Informative)
Re:Let's be fair and balanced (no, really) (OT) (Score:3, Interesting)
* SCSI drivers. These exist in
Apple DID NOT initially plan to patch Jaguar (Score:5, Interesting)
According to David Goldsmith of @Stake, [com.com] "In my initial conversations with them [Apple], they said they weren't going to fix 10.2, but I wouldn't be surprised if they change that."
In other words, this isn't just some sort of overblown speculation run amok. Apple did initially tell security experts they didn't plan to patch Jaguar. That was a stupid plan, and even the security experts didn't expect that to last, but that doesn't change the fact that someone from Apple did claim Jaguar wouldn't be patched.
What I find amusing is the fact that Apple zealots are using this story and its development as further evidence in the conspiracy against Apple, when even the much-hated (and deservedly so) Microsoft has been known to back-port security and even many stability patches to the current and previous versions of their OSes as they're working on their next generation products. Does anybody remember that MS backported lots of fixes to NT 4.0 in SP5 and SP6 based on work they'd done developing Win2k?
Unlike Apple, however, MS didn't make NT 4.0 users wait until after Win2k shipped before bothering to release the fixes for NT 4.0. Jaguar users shouldn't have had to wait until after Panther shipped to get those security fixes. They're still waiting, aren't they?
Re:Apple DID NOT initially plan to patch Jaguar (Score:5, Insightful)
Re:Apple DID NOT initially plan to patch Jaguar (Score:3, Interesting)
I'm guessing the director of research at a leading security company is not going to bother with clueless tech support droids. I'd suspect he has a direct line to the people responsible for security issues with the various OS products. It's highly probable the person he spoke to was reasonably well-informed. Does that mean that the person he spoke to was definitely in the loop? Possibly not. However, I'd suspect if that person didn't know, they might just say, "I don't know what the plans are at this po
Re:Apple DID NOT initially plan to patch Jaguar (Score:3, Insightful)
It's no different from the "anonymous sources close to the White House said..." those sources could just have
Re:Apple DID NOT initially plan to patch Jaguar (Score:2)
Maybe he did, and Goldsmith misinterpreted or misremembered. Or, maybe he was trying to be cool and act like he knew something when he didn't. Like you.
However, none of this changes the fact that Apple initially planned not to backport the fixes to Jaguar.
Yes, exactly like you. It is not a fact
Re:Apple DID NOT initially plan to patch Jaguar (Score:2)
Re:Apple DID NOT initially plan to patch Jaguar (Score:5, Interesting)
$credibility{'@stake'}--;
Re:Apple DID NOT initially plan to patch Jaguar (Score:2)
Who at Apple? Was it someone who actually had authority or knowledge? And what, exactly, was said? How do we know Goldsmith didn't misunderstand? This quote from Goldsmith is entirely useless. It has no meaning. Maybe some low-level techie who was working on the bugs told Goldsmith, "I dunno, I'd be surprised if they update
Re:How to tell who he talked to (Score:4, Funny)
That is speculation. You have no way of knowing, unless you know exactly who said what to Goldsmith. And you don't.
There is a very simple way to determine who Goldsmith talked to. Just check and see who was fired at Apple on Friday.
Re:Apple DID NOT initially plan to patch Jaguar (Score:2)
Re:Apple DID NOT initially plan to patch Jaguar (Score:3, Insightful)
Well, genius, will you give your time-machine to Apple so they can send the fix back to before they A) shipped Panther and B) were informed of the bug after A)? As for Microsoft, they sure as hell fixed bugs in NT 4 after Win2k shipped, as well as after XP shipped - and NT4 is EOL,
Re:Apple DID NOT initially plan to patch Jaguar (Score:3, Interesting)
A) shipped Panther and B) were informed of the bug after A)
Please tell me how Apple fixed security problems before they were informed of them? Public disclosure does not equal initial notification. Security researchers routinely privately notify software companies of their discoveries of flaws and then allow those companies time to fix the flaws before they publicly disclose them. In return, the software companies state in their press releases, something to the effect of, "XYZ software thanks Foo Bar
Re:Well hell (Score:2)
Are you just now figuring that out?
Re:Well hell (Score:2)
Ooooooh, an anonymous coward just posted an insightful string of condescending vulgarities! Gotta go!
Damn straight (Score:5, Insightful)
Damn Windows zealots making shit up...
Re:Damn straight (Score:2)
Are you implying Mac OS X 10.3 Server is not available?
Re:Damn straight (Score:2)
I dunno, how does Mac OS X Server 10.2 being supported imply that they must fix Mac OS X 10.2?
Re:Damn straight (Score:2)
Yes, isn't it amazing how the truth hurts people so much that they have to mod down my post. Reality stings like alcohol in a cut. And when people start to realize that most corporations are "REACTIVE" as opposed to "PROACTIVE", they will realize the truth in that post.
Cheers. It's Friday, SMILE!!!
Yesterday's bickering only mindless speculation (Score:4, Funny)
Re:Yesterday's bickering only mindless speculation (Score:5, Insightful)
Apple has not signed up as a Templar knight any more than Microsoft has sold its collective soul to the devil.
Wha! (Score:5, Funny)
Re:Wha! (Score:2, Funny)
I do not think that word means what you think it means.
Good to hear (Score:5, Interesting)
However, the story makes reference to Jaguar specifically, but what about OS X releases before that?
Re:Good to hear (Score:2)
However, this is not even close to being the case.
Re:Good to hear (Score:2)
The problem with Microsoft is that they sit on the problems for long periods of time - not after they're discovered, but often only after they're exploited, do we see a fix.
Apple is not waiting.
See the difference, AC?
*GASP*! (Score:3, Funny)
This PROVES it! Apple has NO INTENTION of fixing these egregious bugs in Panther! How is Apple ever going to be taken seriously in [echo]THE ENTERPRISE[/echo] when all they care about are legacy customers?!?!?!?!
were they always going to? (Score:5, Interesting)
Re:were they always going to? (Score:3, Insightful)
Whether Apple had any prior plans? Their track record says "yes," though there is no way we are ever going to find out one way or the other.
Now can you please put the tinfoil away? It's making a horrible sound.
Re:were they always going to? (Score:5, Informative)
After OSX 10.2 was released, actually, there were even updates for MacOS 9.
Apple's past record for support of older systems is a stronger indication of their intent than the ramblings of any site, publication or group of users.
Almost certainly... (Score:5, Insightful)
I doubt they told @stake they weren't going to fix them. I doubt they told @stake they were going to fix them. In fact, I doubt they even told @stake that the flaws didn't affect Panther... @stake probably found that out and told Apple.
Apple doesn't talk details in unreleased products.
There are a couple of reasons we're seeing this press release:
Ethical reporting of security flaws involves going to the company and giving them time to get a patch out. Then, one or both companies announces the flaw... and includes details of the patch. @stake jumped the gun and did not use white hat practices.
ZDNet decided that @stake's announcement meant Apple wasn't going to fix the problem, and decided to give it a spin. As they actually indicated in their story, they did not wait for a comment from Apple before rushing the thing to press.
Hopefully, @stake will do better next time. But I doubt their role in this will be examined very carefully.
I know ZDNet will do the same thing next time. They smell any blood around Apple, they're the first to paint a picture of mass destruction, mayhem and cats and dogs sleeping together.
If @stake hadn't jumped the gun, we'd have seen a press release some time next week on Apple's site about the security flaws, with a fix, and with credit to @stake for finding them. How do I know this? Because it's what they've done every other time, including with 10.1 after 10.2 was released!
@stake sometimes waits for a fix.... (Score:3, Interesting)
Due to the severity of this vulnerability @stake has confirmed that they will not be releasing this information publicly on their research page (http://www.atstake.com/research/) until Nokia has confirmed that all affected operators have fully patched and tested all affected elements. However @stake would ideally like to release thi
Good point. (Score:2)
Ouch. That's a good point. I never even considered investigating @stake's past advisories. From the link you posted, it looks like they have a long history of being a grey hat.
So much for any hope they'll do better next time.
Thanks for the information!
I've been thinking about this... (Score:2)
Although Apple doesn't give direct credit, don't they usually provide a link to the advisory or somesuch?
And one more example.... (Score:2)
This @stake advisory [securityfocus.com] was published on July 12, 2002. Under the section "Vendor Response", it states that: "Vendor was notified of these issues on May 28, 2002."
That's pretty much a month and a half advance notice before going public. Again, it appears that since Pingtel acknowledged their "accomplishment" with "a point by point response to the @stake advisory" they held off with the announcement. Granted, this is
Re:Almost certainly... (Score:2)
But they didn't wait for the Jaguar patch.
Re:Almost certainly... (Score:2)
Also, you're just speculating on why it is fixed in Panther. For that matter, so is @stake if you've got this from them.
Re:Almost certainly... (Score:2)
Re:were they always going to? (Score:3, Interesting)
This might not be good news. (Score:5, Insightful)
Yes, I have a beige G3. Yes, I've put a much faster ZIF processor in it. It's a small OS X Server. 10.2.8 screwed up all *kinds* of things.
Can Apple please release the security updates individually so we can apply them as needed instead of bundling them into a dot-whatever release?
That's all I ask, Apple. I'll buy a shiny new G4 (or G5) when I can actually afford it. (No, they're not too expensive, I'm just flat broke.)
quit yer whining (Score:2)
Re:This might not be good news. (Score:2)
Re: Macs and upgrades (Score:2)
Relatively small vendors such as Sonnet have plenty of work to do, just figuring out ways to cram faster G3 and G4 processors into all the older makes and models of Macs. Not only that, but they've already provided all the software tools needed to make them perform 100% in MacOS 9.x. In a few cases, they've sold optional utilities to make them work with OS X 10.2.x -- but ensuring support of the latest Apple OS's was nev
Re: Macs and upgrades (Score:2)
Apple had a pretty well defined set of rules of which systems supported which OS products of theirs. Anyone trying to bend those rules by purchasing 3rd-party hardware that puts CPUs in boxes never originally designed to run those CPUs is taking a chance.
The vendors of the upgrade boards probably have some interest in making them compatible
Re:This might not be good news. (Score:2)
10.2 *is* supported on the beige G3s. However, they're *not* releasing security updates for 10.2, except in the package called "10.2.8".
I want them to release the updates individually. That really isn't too much to ask. 10.2.8 caused a LOT of problems.
It has nothing to do with my particular configuration - it's the stock OS I'm worried about.
Re:This might not be good news. (Score:2)
I am not aware of any Apple supported upgrades for the beige G3. An Apple part does not necessarily make it a supported upgrade.
Re:This might not be good news. (Score:2)
10.2.8 introduced random USB power errors, hard freezes, intermittent ethernet, and a few other odd quirks.
Back to 10.2.6, stable once again.
I'm just going to stick to 10.2.6. I don't need anything that 10.2.8 provided anyway - except the security fixes. heh.
Re:This might not be good news. (Score:3, Insightful)
http://docs.info.apple.com/article.html?artnum=
Re:This might not be good news. (Score:2)
Re:This might not be good news. (Score:2)
Re:This might not be good news. (Score:3, Insightful)
Also, you d
ZDNet == FUDNet (Score:4, Funny)
What's up ZDNet? (Score:2)
Did Microsoft merge with them as well?
Aw, geez, here comes another Offtopic Troll mod. :-\
Re:What's up ZDNet? (Score:2)
Kids today just don't know the classics. :-(
check it out! (Score:2, Funny)
Hello. I would like to discuss a neat little command line utility included in Mac OS X that doesn't get enough attention in my humble opinion. Living in /usr/bin/, this simple Open Source tool is something that I just can not live without. What is this wondrous textual utility that I'm talking about? It's none other than machine!
Included since 1991 with the 4.4BSD platform, machine gives you the processor name that your system is based on. I don't know if it works for Intel or any other architectur
Re:check it out! (Score:2)
i call bullshit. (Score:2, Informative)
Description
The machine command displays the machine type.
double bullshit for "i386"
I got the patches last night... (Score:2)
Re:I got the patches last night... (Score:2)
the million $ question is... (Score:2, Insightful)
Re:the million $ question is... (Score:2, Interesting)
Since the historical trend indicates that Apple is good at issuing fixes in a timely manner, what makes you think that Apple has suddenly changed their policy on patches?
The real million dollar question here is whether or not @stake acted responsibly in releasing the details of the flaws publicly. Did they give Apple time to prepare the patches or did th
Apple refuses to fix bugs in ProDOS!!!! (Score:3, Funny)
Conclusions (Score:3, Funny)
Wow, and here I was starting to think I was the only person in the world who read "The Phantom Tollbooth".
Re:Conclusions (Score:2)
Nope, here's at least one other. In later years I always wanted to get a supply of those "subtraction cakes" so I could chow down and lose some weight. Then Atkins comes along, and I discover those subtraction cakes were under my nose the whole time
The phantom tollbooth as an educational child's fantasy absolutely r
Re:Conclusions (Score:2)
Whoops, gotta go, you know how Time Flies.
Serves all those speculators right... (Score:4, Funny)
But did you hear that M$ is buying Google?
*smack*
One thing missing from the advisory... (Score:2)
We are talking about Apple Computer, right? I often get them confused with the Beatles' record label, Apple Corps, Ltd.
THey haven't said they will fix them. (Score:2, Interesting)
"Apple's policy is to quickly address significant vulnerabilities in past releases of Mac OS X wherever feasible," Apple said in a statement given to MacCentral. "The shipment of Panther does not change this policy. Apple has an excellent track record of working with CERT and the open source community to proactively identify and correct potential vulnerabilities."
Which is a nice bit of damage control but stops short of saying "We are going to patch pre-10.3 releases."
I personally think they will
Next conspiracy? (Score:2)
Sensationalism? (Score:3, Insightful)
If the original story, about Apple not fixing security holes in Jaguar, made the front page, why didn't this?
Fox^H^H^HSlashdot: Fair and Balanced.
It Did (Score:2)
Conspiracy? yeah, right (Score:2, Interesting)
Re:Ha! (Score:3)
They will entice us with OSX.4 being "snappier than ever"!
---gralem
It's Soprano time. (Score:5, Funny)
Get over here.
Now. (smack) Mac (smack) OS (smack) X (smack) supports (smack) multibutton (smack) mice (smack) right (smack) out (smack) of (smack) the (smack) box!
(smack) (smack) (smack) (smack) (smack)
Now pound sand before I officially sanction a hit. Jobs is a made man, and you shall not disrespect his product. Capisca?
Re:It's Soprano time. (Score:2)
Re:It's Soprano time. (Score:2)
Yes they have: it's called.... (Score:2)
If you run this software there is a small fee - usually about $10.
Re:Goatse-guy replaced by goatse-pumpkin! (Score:3, Offtopic)
Re:Secrets (Score:2)
Re:Of course they were... (Score:2, Informative)
Re:service releases (Score:2)
RTFA. This is discussing whether or not security flaws in 10.2 (released a year ago) will be fixed, not 10.3. The flaws don't exist in 10.3.
Re:So what was the hold up? (Score:2)
It was released last week. In beta before that.
So, again, what was the hold up?
Re:So what was the hold up? (Score:2)
"Oh, here's a list of fixes, for bugs that don't exist." Yeah right.
Re:So what was the hold up? (Score:2)
Re:So what was the hold up? (Score:2)
Re:So what was the hold up? (Score:2)
Jaguar has bugs; they finally announce they'll fix them after all the storm over this.
Panther didn't have the bugs, because they were 'fixed' as part of development.
I ask why it took so long for Apple to announce the fixes, even waiting until after the bugs were revealed.
You tell me the list of fixes for Panther are for bugs that don't exist in Panther, only in Jaguar.
I ask why the list for Panther then.
You tell me it's for bugs that don't exist in Panther, only Jaguar.
Re:So what was the hold up? (Score:2)
Re:So what was the hold up? (Score:2)
Re:Untrue? (Score:2)
That's false. It said "Apple Forcing Panther Upgrade for Security Patch" which was untrue. I dunno who wrote the headline, but it was a fabrication.
Re:Panther? Jaguar? Why so specific? (Score:2)
Because they will not be updating 10.1 or 10.0. They also don't update Mac OS at all anymore, except for where it is necessary for Mac OS X interaction, and even that is rare.
Re:What about 10.1? (Score:2)
Re:What about 10.1? (Score:2)