Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
×
Security Businesses OS X Operating Systems Apple

Apple to Fix Security Holes in Jaguar 297

Simon Cozens writes "Yesterday's unsubstantiated report that Apple is refusing to supply security upgrades to Jaguar turns out to be untrue; Apple told MacCentral they will be fixing the bugs turned up by @stake. Next conspiracy, please!"
This discussion has been archived. No new comments can be posted.

Apple to Fix Security Holes in Jaguar

Comments Filter:
  • Well hell (Score:5, Funny)

    by mojowantshappy ( 605815 ) on Friday October 31, 2003 @02:40PM (#7361466)
    I didn't see this comming at all! Who would have thought they would be supporting their own products.
    • Re:Well hell (Score:5, Interesting)

      by feldsteins ( 313201 ) <<scott> <at> <scottfeldstein.net>> on Friday October 31, 2003 @02:51PM (#7361606) Homepage
      Mac fans can't win on these stories. First an alarmist article claiming that they are "forcing" paid upgrades by not fixing security holes in existing systems. Hundreds of Apple-bashing posts later, it comes out that they are indeed patching the existing systems. You come on here to point this out and say "see? They ARE fixing it!" and someone comes behind you and says "big fucking deal! this is what everyone else would do!"

      Following Apple-related discussions on Slashdot is like riding on a bus with no steering: it careens onto the right shoulder, heads back toward the middle, only to screetch onto the left shoulder, back toward the middle...
      • Perhaps that is because you're listening to everyone on Slashdot. Many of the assholes posting yesterday aren't posting today, and vice versa.

        Sure, between both of them, it careens. So ignore morons. In that last story, many of the highest rated posts were people smacking them down. Don't worry about it.
      • by gr ( 4059 ) on Friday October 31, 2003 @03:57PM (#7362323) Journal
        The initial security advisories did include a "vendor response" section. Across the board that said "upgrade to 10.3", without any mention of a forthcoming patch for earlier releases.

        That's the only thing that had Bugtraq up in arms: the lack of assurance that earlier versions would see a patch. And most of the people worried about that were worried because they want Apple to suceed as a Unix vendor, not because they want to see it crash and burn. (I don't know about the Slashdot comments, because I only read more than the highest rated couple of comments when I've got moderator points, but I'd guess that at least some of them were along the same lines.)

        I don't know if it was merely a typographical oversight, or if Apple really didn't have any plans to release patches for earlier releases. In the first case they should have been more clear initially (and now they will), in the latter case they were making a huge mistake. I'm inclined to believe it's the former.

        This is [cotse.com] not [securityfocus.com] the first time that Apple's security PR has been less than impeccable. They've rebounded pretty well each time, and I haven't seen them make the same mistake twice.

        It's only reasonable to expect them to get harshly criticized, especially with Mac OS X: they're jumping from a very soft, easy-going market (desktop publishing and education) into an insanely security-conscious market (Unix enterprise servers). They're actually doing quite well, but there are still more entrance pains to come. The security community is, to an extent, xenophobic, and certainly disinclined to believe that a vendor with a relatively small amount of experience in the market can be relied upon to do the right thing. So Apple has to prove themselves a bit. So far, they're doing pretty well. It doesn't matter if you make mistakes like this, as long as you admit to them, patch things up, and then don't keep making them (hey Microsoft, you listening here?).

        And Apple really is doing a good job: I've seriously considered bringing Mac OS X (and the related hardware) in as a replacement for aging Sun hardware running Solaris. Sun seems to be falling apart, and (especially with the G5) Apple seems to be a reasonable replacement in the mid-range compute + high I/O line of work without the vendor/service problems you get from Linux (which isn't so hot on the I/O front, since it's hampered by the IA32 architecture's crappy I/O design... other architectures don't matter, because Red Hat doesn't support them commercially).
        • The interesting thing is that so many people are so desperate to hear something negative about Apple that they eagerly accepted an unsubstantiated report that was ridiculous on its face. After all, Apple has continued to support earlier versions of OSX long after they were supplanted by new versions. And they were clearly working on a 10.2.8 upgrade almost up to the day of release for Panther.
        • And Apple really is doing a good job: I've seriously considered bringing Mac OS X (and the related hardware) in as a replacement for aging Sun hardware running Solaris. Sun seems to be falling apart, and (especially with the G5) Apple seems to be a reasonable replacement in the mid-range compute + high I/O line of work without the vendor/service problems you get from Linux (which isn't so hot on the I/O front, since it's hampered by the IA32 architecture's crappy I/O design... other architectures don't mat
      • by McSpew ( 316871 ) on Friday October 31, 2003 @03:58PM (#7362325)

        According to David Goldsmith of @Stake, [com.com] "In my initial conversations with them [Apple], they said they weren't going to fix 10.2, but I wouldn't be surprised if they change that."

        In other words, this isn't just some sort of overblown speculation run amok. Apple did initially tell security experts they didn't plan to patch Jaguar. That was a stupid plan, and even the security experts didn't expect that to last, but that doesn't change the fact that someone from Apple did claim Jaguar wouldn't be patched.

        What I find amusing is the fact that Apple zealots are using this story and its development as further evidence in the conspiracy against Apple, when even the much-hated (and deservedly so) Microsoft has been known to back-port security and even many stability patches to the current and previous versions of their OSes as they're working on their next generation products. Does anybody remember that MS backported lots of fixes to NT 4.0 in SP5 and SP6 based on work they'd done developing Win2k?

        Unlike Apple, however, MS didn't make NT 4.0 users wait until after Win2k shipped before bothering to release the fixes for NT 4.0. Jaguar users shouldn't have had to wait until after Panther shipped to get those security fixes. They're still waiting, aren't they?

        • by MoneyT ( 548795 ) on Friday October 31, 2003 @04:09PM (#7362449) Journal
          One person's "initial conversations" That could have been as simple as him calling tech support and asking the question. Or asking one of the employees at the apple store. Not everyone in Apple knows everything that's going on at every minute.
          • I'm guessing the director of research at a leading security company is not going to bother with clueless tech support droids. I'd suspect he has a direct line to the people responsible for security issues with the various OS products. It's highly probable the person he spoke to was reasonably well-informed. Does that mean that the person he spoke to was definitely in the loop? Possibly not. However, I'd suspect if that person didn't know, they might just say, "I don't know what the plans are at this po

            • Even the statement "I don't know of any plans to patch" could easily have been translated as a no by anyone. Corporate and government doublespeak often use "I don't know of any plans" to say no, but cover their ass if plans change. But since there was no official statement from Apple, he spoke to one person, and could not even provide a direct quote, I would take the statement with a grain of salt.

              It's not different than the "anonymous sources close to the whitehouse said..." those sources could just have
            • However, I'd suspect if that person didn't know, they might just say, "I don't know what the plans are at this point," as opposed to saying they weren't planning to port those security updates back to Jaguar.

              Maybe he did, and Goldsmith misinterpreted or misremembered. Or, maybe he was trying to be cool and act like he knew something when he didn't. Like you.

              However, none of this changes the fact that Apple initially planned not to backport the fixes to Jaguar.

              Yes, exactly like you. It is not a fact
        • by buysse ( 5473 ) on Friday October 31, 2003 @04:41PM (#7362784) Homepage
          I'm paranoid, I'll freely admit, but this is the same l0pht^H^H^H^H^H @stake that canned someone who was critical of Microsoft? Hmmp.
          $credibility{'@stake'}--;
        • According to David Goldsmith of @Stake, "In my initial conversations with them [Apple], they said they weren't going to fix 10.2, but I wouldn't be surprised if they change that."

          Who at Apple? Was it someone who actually had authority or knowledge? And what, exactly, was said? How do we know Goldsmith didn't misunderstand? This quote from Goldsmith is entirely useless. It has no meaning. Maybe some low-level techie who was working on the bugs told Goldsmith, "I dunno, I'd be surprised if they update
        • Unlike Apple, however, MS didn't make NT 4.0 users wait until after Win2k shipped before bothering to release the fixes for NT 4.0. Jaguar users shouldn't have had to wait until after Panther shipped to get those security fixes.

          Well, genius, will you give your time-machine to Apple so they can send the fix back to before they A) shipped Panther and B) were informed of the bug after A)? As for Microsoft, they sure as hell fixed bugs in NT 4 after Win2k shipped, as well as after XP shipped - and NT4 is EOL,

          • A) shipped Panther and B) were informed of the bug after A)

            Please tell me how Apple fixed security problems before they were informed of them? Public disclosure does not equal initial notification. Security researchers routinely privately notify software companies of their discoveries of flaws and then allow those companies time to fix the flaws before they publicly disclose them. In return, the software companies state in their press releases, something to the effect of, "XYZ software thanks Foo Bar

      • discussions on Slashdot are like riding on a bus with no steering: it careens onto the right shoulder, heads back toward the middle, only to screetch onto the left shoulder, back toward the middle...

        Are you just now figuring that out?
      • Weeeeeeeeeee........ That's what makes it fun!

        Ooooooh, an anonymous coward just posted an insightfull string of condescending vugarities! Gotta go!
  • Damn straight (Score:5, Insightful)

    by admiralfrijole ( 712311 ) on Friday October 31, 2003 @02:41PM (#7361476) Homepage
    Of course Apple is going to fix them, they still support the 10.2 Server, so they have to...

    Damn Windows zealota making shit up...
    • Of course Apple is going to fix them, they still support the 10.2 Server, so they have to...

      Are you implying Mac OS X 10.3 Server is not available?
  • by danigiri ( 310827 ) on Friday October 31, 2003 @02:41PM (#7361480)
    Definitely Apple deserves more credit and unlike other companies, the benefit of the doubt until official statements are made.
  • Wha! (Score:5, Funny)

    by TheVidiot ( 549995 ) on Friday October 31, 2003 @02:42PM (#7361491) Homepage
    Conspiracy! And slashdotters believed it? Un-be-lievable!
  • Good to hear (Score:5, Interesting)

    by AvantLegion ( 595806 ) on Friday October 31, 2003 @02:43PM (#7361503) Journal
    There's no question people were gratuitously jumping the gun on the last story, but it's good to hear official confirmation that the fixes will be made available for Jaguar. There would not have been a story here at all if not for nonsense speculation.

    However, the story makes reference to Jaguar specifically, but what about OS X releases before that?

  • *GASP*! (Score:3, Funny)

    by ChuckleBug ( 5201 ) * on Friday October 31, 2003 @02:43PM (#7361517) Journal
    Panther, Apple's latest operating system, was not affected by the security issues outlined by @Stake -- the flaws only affect Mac OS X 10.2.8 and lower.

    This PROVES it! Apple has NO INTENTION of fixing these egregious bugs in Panther! How is Apple ever going to be taken seriously in [echo]THE ENTERPRISE[/echo] when all they care about are legacy customers?!?!?!?!
  • by dirk ( 87083 ) <dirk@one.net> on Friday October 31, 2003 @02:48PM (#7361566) Homepage
    Now the real question is whether they told @stake they weren't going to fix them and changed their mind after the because of all the talk about it. It is as wrong to assume they were always going to fix it as it is to assume they weren;t going to fix it. I would tend to believe they told @stake that, and then when word got out and everyone screamed, they changed their minds right quick.
    • Actually I would tend to think that someone who has nothing to do with the decision process might have told someone at @stake something which vaguely resembled that there were no plans for it. @stake and company spun the information accordingly.

      Whether Apple had any prior plans? Their track record says "yes," though there is no way we are ever going to find out one way or the other.

      Now can you please put the tinfoil away? It's making a horrible sound.
    • by Anonymous Coward on Friday October 31, 2003 @02:54PM (#7361641)
      I just go on Apple's past performance. After OSX 10.2 was released out there were still security updates released for 10.0/10.1

      After OSX 10.2 was released, actually, there were even updates for MacOS 9.

      Apple's past record for support of older systems is a stronger indication of their intent than the ramblings of any site, publication or group of users.
    • by Trillan ( 597339 ) on Friday October 31, 2003 @03:23PM (#7361946) Homepage Journal

      I doubt they told @stake they weren't going to fix them. I doubt they told @stake they were going to fix them. In fact, I doubt they even told @stake that the flaws didn't affect Panther... @stake probably found that out and told Apple.

      Apple doesn't talk details in unreleased products.

      There's a couple reasons we're seeing this press release:

      • @Stake acted unethically and went to the press early to get their name seen.
        Ethical reporting of security flaws involves going to the company and giving them time to get a patch out. Then, one or both companies announces the flaw... and includes details of the patch. @stake jumped the gun and did not use white hat practices.
      • ZDNet engaged in wild speculation with typical bias.
        ZDNet decided that @stake's announcement meant Apple wasn't going to fix the problem, and decided to give it a spin. As they actually indicated in their story, they did not wait for a comment from Apple before rushing the thing to press.

      Hopefully, @stake will do better next time. But I doubt their role in this will be examined very carefully.

      I know ZDNet will do the same thing next time. They smell any blood around Apple, they're the first to paint a picture of mass destruction, mayhem and cats and dogs sleeping together.

      If @stake hadn't jumped the gun, we'd have seen a press release some time next week on Apple's site about the security flaws, with a fix, and with credit to @stake for finding them. How do I know this? Because it's what they've done every other time, including with 10.1 after 10.2 was released!

      • According to this advisory at @stake [atstake.com], they have at least once withheld release of a vulnerability until affected systems could be patched. This paragraph kinda sums it up:

        Due to the severity of this vulnerability @stake has confirmed that they will not be releasing this information publicly on their research page (http://www.atstake.com/research/) until Nokia has confirmed that all affected operators have fully patched and tested all affected elements. However @stake would ideally like to release thi
        • Ouch. That's a good point. I never even considered investigating @stake's past advisories. From the link you posted, it looks like they have a long history of being a grey hat.

          So much for any hope they'll do better next time.

          Thanks for the information!

        • Although Apple doesn't give direct credit, don't they usuall provide a link to the advisory or somesuch?

      • One more example where @stake allows time to fix the issue before going public.....

        This @stake advisory [securityfocus.com] was published on July 12, 2002. Under the section "Vendor Response", it states that: "Vendor was notified of these issues on May 28, 2002."

        That's pretty much a month and a half advanced notice before going public. Again, it appears that since Pingtel acknowledged their "accomplishment" with "a point by point response to the @stake advisory" they held off with the announcement. Granted, this is
    • Well, let's see, @Stake is the same company that only a few weeks ago fired Dan Geer for that article on the Microsoft monoculture (http://news.com.com/2100-1009_3-5082649.html). Who do you want to believe today?
  • by EvilStein ( 414640 ) <spam@BALDWINpbp.net minus author> on Friday October 31, 2003 @02:50PM (#7361594)
    Apple rolled several security updates into that thing called 10.2.8, which has caused many people no end to troubles, especially those with older hardware.

    Yes, I have a beige G3. Yes, I've put a much faster ZIF processor in it. It's a small OS X Server. 10.2.8 screwed up all *kinds* of things.

    Can Apple please release the security updates individually so we can apply them as needed instead of bundling them into a dot-whatever release?
    That's all I ask, Apple. I'll buy a shiny new G4 (or G5) when I can actually afford it. (No, they're not too expensive, I'm just flat broke. :P)
    • i still don't even have a g3 to run mac os x on
    • Is it the "oops" release of 10.2.8 or the fixed one? I haven't tried 10.2.8 on a beige yet, but otherwise it seems to be fine...even the problematic ethernet error didn't affect machines using 100base. I did have a problem applying 10.2.8 once though, it just stopped copying files and I force quit it...bad move since the system couldn't boot. So I can agree with you on wanting some smaller chunks to update with (optionally). I'm broke and stuck with an older Mac for now too :(
  • by MuckSavage ( 658302 ) on Friday October 31, 2003 @02:50PM (#7361604)
    At least ZDNet continues their excellent track record of fair, unbiased reporting with regards to apple.
    • ZDNet has also "upgraded" their message boards into unusability. No preview button, and it takes an average of fifty-seven hours between clicking "comment" and getting the entry page.

      Did Microsoft merge with them as well?

      Aw, geez, here comes another Offtopic Troll mod. :-\

  • by Anonymous Coward

    Hello. I would like to discuss a neat little command line utility included in Mac OS X that doesn't get enough attention in my humble opinion. Living in /usr/bin/, this simple Open Source tool is something that I just can not live without. What is this wondrous textual utility that I'm talking about? It's none other than machine!

    Included since 1991 with the 4.4BSD platform, machine gives you the processor name that your system is based on. I don't know if it works for Intel or any other architectur

  • And, they installed perfectly, with no troubles. Although I did think it odd that I had to reboot a couple of times. I always thought that was just a Microsoft thing. Can't complain though; Mac OS/X boots FAST. I'd say about a minute, maybe less. So you don't really notice it that much...

  • would they have done it as quickly without @stake first finding these bugs then putting bugtraq and media pressure on apple?
    • Apple has generally been very responsive in fixing security problems. I don't have any reason to believe they would have acted differently in this case.

      Since the historical trend indicates that Apple is good at issuing fixes in a timely manner, what makes you think that Apple has suddenly changed their policy on patches?

      The real million dollar question here is whether or not @stake acted responsibly in releasing the details of the flaws publicly. Did they give Apple time to prepare the patches or did th
  • by freeze128 ( 544774 ) on Friday October 31, 2003 @03:16PM (#7361861)
    I don't want to be forced to upgrade to an Apple ][gs...
  • Conclusions (Score:3, Funny)

    by Verteiron ( 224042 ) * on Friday October 31, 2003 @03:31PM (#7362054) Homepage
    from the do-not-jump-to-the-island-of-conclusions dept.

    Wow, and here I was starting to think I was the only person in the world who read "The Phantom Tollbooth".
    • Wow, and here I was starting to think I was the only person in the world who read "The Phantom Tollbooth".

      Nope, here's at least one other. In later years I always wanted to get a supply of those "subtraction cakes" so I could chow down and lose some weight. Then Atkins comes along, and I discover those subtraction cakes were under my nose the whole time ... in the form of steaks, bacon, eggs, and assorted other greasy stuff. Who knew?

      The phantom tollbooth as an educational child's fantasy absolutely r
    • One more here. That's one of those books that really had a sense of magic and the bizarre to it. Truly original.

      Whoops, gotta go, you know how Time Flies. ;)
  • by indros13 ( 531405 ) * on Friday October 31, 2003 @04:22PM (#7362574) Homepage Journal
    ...posting unsubstantiated claims.

    But did you hear that M$ is buying Google?

    *smack*

  • I didn't see the word "beleagured" anywhere in the security advisories.

    We are talking about Apple Computer, right? I often get them confused with the Beatles' record label, Apple Corps, Ltd.
  • Apple said:

    "Apple's policy is to quickly address significant vulnerabilities in past releases of Mac OS X wherever feasible," Apple said in a statement given to MacCentral. "The shipment of Panther does not change this policy. Apple has an excellent track record of working with CERT and the open source community to proactively identify and correct potential vulnerabilities."

    Which is a nice bit of damage control but stops far of saying "We are going to patch pre 10.3 releases."

    I personally think they will
  • I am sure the next conspiracy will be coming right up with the next Microsoft-related post here at /.
  • Sensationalism? (Score:3, Insightful)

    by Mikey-San ( 582838 ) on Friday October 31, 2003 @07:06PM (#7364016) Homepage Journal
    I only have a simple question, really:

    If the original story, about Apple not fixing security holes in Jaguar, made the front page, why didn't this?

    Fox^H^H^HSlashdot: Fair and Balanced.
  • I think it's a bit naive to swallow that Apple did this on it's own and not even consider that it was done to stop the backlash.

Mediocrity finds safety in standardization. -- Frederick Crane

Working...