Apple Releases 'Highly Critical' Patch

Toothpick writes "Apple Insider reports that a new security update is available for download from Apple. This addresses issues identified in sudo, Safari, and OpenSSL among others. The gory details are, predictably, available on the Apple Info site." Commentary from ZDNet is also available.
  • by Golias ( 176380 ) on Thursday December 01, 2005 @10:56AM (#14157257)
    Why can't Apple just patch their...

    ... oh, they did? Before there were any exploits in the wild?

    Never mind.
    • Seriously - look at the detailed description, follow the links to the CVE entries. These are old, old vulnerabilities. I think the oldest one in there is about five or six months old.

      I love Apple's products, I use Macs myself, but they really have to get their act together on security patching.

      And there have been proof of concept exploits for some of these vulnerabilities published quite a while ago.
  • Installed yesterday. No problems so far.
    • Re:One problem (Score:3, Interesting)

      by vertinox ( 846076 )
      Installed yesterday. No problems so far

      I installed updates on a 10.3.9 and a 10.4 machine and it appeared fine until I noticed I can't share files anymore between the two machines. Might be a configuration change though.
      • Re:Problem solved (Score:3, Informative)

        by vertinox ( 846076 )
        Apparently the Apple File Sharing had become unchecked after the patch, and by rechecking it and rebooting both machines it resolved the issue (oddly enough it wouldn't resolve the issue until they were rebooted).
  • How is this news? (Score:5, Insightful)

    by Paul Bristow ( 118584 ) on Thursday December 01, 2005 @11:07AM (#14157396) Homepage
    So-called highly critical patch installed itself yesterday on my iBook.

    For those of us who need it, Apple update takes care of it.

    If there was an exploit that meant we should click on "Software Update" instead of waiting for it to cycle round, great, but this is just Apple-bashing. Is this a microsofty going "look! other OSes have security updates too" while there are many, many exploits in the wild for them?

    Anyway it's a day late. This is "internet time", if you can remember that far back :-)
    • No, that doesn't cut it. Any time any major OS has a remote "arbitrary code execution" vulnerability (and privilege escalation too), that is by definition a critical problem. In this case, the haters are absolutely right: Mac users will probably get away unscathed because we aren't a big enough target for crackers to write a 0-day exploit. If more bad guys knew how to code for OSX, a lot of iMacs would be toast right now.

      I'm definitely disappointed with Apple's dev team. They should have caught these things
      • by jht ( 5006 ) on Thursday December 01, 2005 @12:04PM (#14158026) Homepage Journal
        Yes, it would be better if this (and other flaws) never occurred. The main point here, though, is that Apple typically does a pretty good job of finding and addressing these flaws when they occur, and in a timely fashion. Microsoft does so in many cases, but in others they sit on the problem long enough that there's an opportunity for crackers to find and exploit it.

        So for the most part Apple's methods work well. Of course zero bugs is a good target, but prompt identification and dissemination of fixes is reasonable. It's also pretty tough to craft an exploit that will simply zap Mac users and then get to them before Apple has an opportunity to get the patch out.

        One thing Apple should do, though, is make Software Update a bigger part of the Guided Tour, and set it to default to check daily and download critical fixes automatically (right now, it just notifies as default behavior, and checks weekly). I've noticed users who simply ignore Software Update's dialog boxes because they don't understand what it's doing.
        • by prichardson ( 603676 ) on Thursday December 01, 2005 @12:47PM (#14158466) Journal
          Users don't ignore software update dialogues because they don't know what it's doing, they ignore them because they've been trained that they won't know what it's talking about. If they actually took a minute to READ the dialogue, I think all but the most naive and illiterate would find it pretty self-explanatory. The window is titled "Software Update," and that is the extent of the vocabulary required to know what's going on. The word update is a common English word, so everyone should be able to get it, and the word software is far from obscure computer vocabulary. Right below that is a text space that says in bold "New software is available for your computer." Finally, the words "Security Update" are in the name of the patch itself, which is visible and the user can click on it to get a more detailed description.

          This is not a difficult dialog box, and it's explained in the (very short) OS X manual. If a user can't figure this one out either they're illiterate or they just don't want to (much more likely). An absolute worst case scenario would be to ask someone else what it was. The explanation would take mere minutes.
        • Is Apple normally slow with updates?

          The SUDO flaw was discovered in June 2005 and a patch was released subsequently after...

          So 6 months later, Apple decides to update their OS? WTF!?!?!

          http://www.securityfocus.com/archive/1/402741 [securityfocus.com]
    • this is just Apple-bashing. Is this a microsofty going "look! other OS's have security updates too"

      Quite fiercely not. I'm just as anti-ms as the next /.er, having run OS/2 as of 1994, Linux since 1995, and Mac as of October of this year.

      I just submitted the story; I left it up to the /. ops to determine whether it was newsworthy. I haven't even (fully) applied the patch. I've had a HandBrake job running and didn't want to interrupt it with a reboot.
      • You are fairly new to the Apple community. The trick is, there should be no word about security in the Mac community.

        All systems run fine. All users are reviewing what they grant admin access, there was no Finder exploit, Intego-like companies are "snake oil" sellers. :)
    • For those of us who need it, Apple update takes care of it.

      If there was an exploit that meant we should click on "Software Update" instead of waiting for it to cycle round, great but this is just Apple-bashing. Is this a microsofty going "look! other OS's have security updates too" while there are many many exploits in the wild for them?

      Save that corporate brand wars stuff for someone who cares.

      This is about security. People need to be informed; it's how disasters are prevented.

      And FYI: not everyon

  • I installed it yesterday, but decided to give Software Update a check anyway. For those of you with iPod shuffles, there's a new iPod updater with some bug fixes.
  • OS X has bugs and security vulnerabilities???? No way!

    Actually, I am a HUGE Apple fan. They are pretty timely with their updates. They don't let an exploit linger for long. Neither do most Linux distros.

    I tend to wonder though, when it comes to MS patching stuff like IE, does Microsoft delay because the fix breaks too many things? MS has said before that IE can't be fully standards compliant because it would break too many intranets.
    • by kmo ( 203708 )
      does Microsoft delay because the fix breaks too many things

      The reason Microsoft patches to IE take so long is that their quality control is so good. They view every web page on the internet with each new version of IE before releasing it. Of course, by the time they do, some of those pages have changed such that they break, but Microsoft isn't responsible for that.

    • Internet Explorer can't be secured because it would require changing the API. I expected them to do that back in 1997, when it became obvious that backing out the tight integration between the desktop, the browser, and the ActiveX API was the only way to fix the real problem. Obviously I'm naive... having seven (no, eight now) years of spyware and viruses is preferable to abandoning their 'loophole' in the consent decree.

      But if they're prepared to stonewall on deep security flaws, why do you expect them to
  • Safari is crashing repeatedly, and reproducibly on a PB. I've been pumping Apple reports for two weeks on their crash catcher. Another iBook running Safari is unaffected, running a lower ver of MacOS X.

    Take the update at face value, friends.
  • by Budenny ( 888916 ) on Thursday December 01, 2005 @12:47PM (#14158463)
    The interesting commentary is to be found on the Security Focus site.

    http://www.securityfocus.com/news/11359

    Look at the numbers. Whoever would have thought that the numbers for MS and Apple would have got this close? Complacency is their, and their users', greatest danger right now. You can see it in most of this thread. Time to wake up.
    • by Morgalyn ( 605015 ) <slashmorg@gmail.com> on Thursday December 01, 2005 @01:02PM (#14158655) Journal
      SecurityFocus is apparently owned by Symantec, so I'm unsure just how much salt you might want to throw on that article. I'm guessing at least a grain or two.
    • Two things... (Score:5, Insightful)

      by Space cowboy ( 13680 ) * on Thursday December 01, 2005 @01:24PM (#14158904) Journal
      1) Securityfocus is owned by a company with a vested interest in selling anti-virus software to Mac (and PC) users. It does serve a useful purpose, but when the points made are so vague, I consider it more advertising than service.

      Say I wanted to market X, and say that I'm a sneaky and underhand individual. I might purchase or support a website dedicated either to X or anti-X and have *some* articles on it that suit my purpose. I wouldn't undermine the integrity of the site (well, much), but I would use it as an authoritative mouthpiece that mouthed off about *my* preferred direction.

      So, ok I'm a cynic, but so far my cynicism has been proved right depressingly often. Sigh.

      2) "Looking at the numbers" is no useful guide to pretty much anything to do with security. The phrase works when the numbers themselves are the pertinent facts (e.g. a bank balance sheet). "Humans are obviously not the dominant species on the planet - there are millions more houseflies. Look at the numbers".

      The point is that one dose of cancer can kill you, but you may survive fifty or more infections of the common cold without significant harm. The numbers don't tell you the relative importance of the problem, and indeed may just reflect different counting methods or diligence in detection.

      Simon.
      • Microsoft is not the answer. Microsoft is the question. NO is the answer.


        Insightful sig!

        Microsoft is the question... the question that has been driving us..........insane.
    • by 99BottlesOfBeerInMyF ( 813746 ) on Thursday December 01, 2005 @01:35PM (#14159032)

      Look at the numbers. Whoever would have thought that the numbers for MS and Apple would have got this close?

      Counting the number of bugfixes released is no measure of a system's security. The number of remote vulnerabilities on a default install of the OS, the ease of exploiting those vulnerabilities, the number of local exploits, and the likelihood of an exploit happening are all factors. Additionally, predictive criteria, like past performance and the exposure and design of the architecture, may be useful. If you look at Windows it has innumerable unpatched local vulnerabilities and working exploits that have existed for many years. They don't even bother fixing them most of the time. OS X on the other hand has a handful of potential local privilege escalation vulnerabilities, that are fixed in a timely manner, and with one or two proof of concept exploits (none unpatched). Windows has a number of long running remote vulnerabilities and they crop up every month. Exploits for these vulnerabilities occasionally appear before a fix is available for the vulnerability, and regularly appear before administrators have time to thoroughly test those fixes (which is very necessary due to the kludgy Windows architecture and their history of catastrophically broken patches). On OS X I am unaware of any remote vulnerability with a published exploit that preceded the fix for that vulnerability.

      The ease of exploitation of vulnerabilities on Windows is much higher due to the lack of a usable non-admin environment, non-network services that run exposed on the network, default settings that run unneeded services, auto execution of scripts and executables within default and unremovable applications, ease of concealing the nature of an executable in the GUI, integration of web browsing and file browsing code, lack of packaging for executables, shared registry, and larger install base for automated propagation. OS X is by no means perfect and experiences regular security flaws. Much of the security auditing that is done is a side benefit of the open source user environment components OS X shares with other UNIX-like systems. I'd be much happier if Apple did some more thorough security testing of their products. That said, to make the argument that the security of OS X is approaching the same level of complete cluster-fuckedness that is Windows based solely on counting the number of vulnerabilities patched by the respective vendors is ludicrous.

  • by dreamer-of-rules ( 794070 ) on Thursday December 01, 2005 @01:32PM (#14158989)
    My brother recently switched to Apple.. We were IM'ing about this update and he said..

    "one thing i looove about this thing is that i'm never afraid to update like in windows. i'm not scared that it will be worse off"

    Trust is important. How many people haven't updated Windows to SP2 still??
  • Microsoft vs Apple (Score:5, Insightful)

    by argent ( 18001 ) <peter@NOsPAm.slashdot.2006.taronga.com> on Thursday December 01, 2005 @04:22PM (#14160841) Homepage Journal
    Microsoft: the latest security hole in the HTML control is a buffer overflow in Javascript. They've known about it for months. Nothing happens until a sample exploit is released.

    Apple: the latest security hole in Webkit is a buffer overflow in URLs. The first anyone hears of it is a patch through Software Update.
  • my take (Score:3, Interesting)

    by mkoz ( 323688 ) on Thursday December 01, 2005 @08:23PM (#14162606)
    While comparing these things is difficult at best, try (for example) Secunia's relevant product pages:

    Advisories (2003-2005) OSX 57 & XP Pro 102

    As for vendor patches Apple is at 100%... not bad.

    (XP Professional) http://secunia.com/product/22/ [secunia.com]
    and...
    (Mac OS X) http://secunia.com/product/96/ [secunia.com]

    Is any system perfect... no (even OpenBSD admits to 1 hole in 8 years), but Apple does make it as painless as possible.
  • Mostly only Apple people read apple.slashdot. We're already all patched up, days before this item came to print. There are no worms, trojans, virii, or etcetera. In short, this isn't news. If this were Microsoft it would be news. Because it is Apple, this is not news. As it is only Apple people who read apple.slashdot this shouldn't be taken as a flame: This article on slashdot, and the time of our lives we wasted reading this, is evidence of our superiority. We are superior in our decision making pro
  • What I like is that Apple is providing public credit for institutions that are pointing out these flaws. Kudos for Apple for this, and double kudos for the third-parties who are assisting the public as a whole.
