Apple Issues Patches For 25 Security Holes

TheCybernator writes "Apple today released software updates to plug more than two dozen security holes in its Mac OS X operating system and other software. The free patches are available via the Mac's built-in Software Update feature or directly from Apple's Web site. All told, today's batch fixes some 25 distinct security vulnerabilities, including a dangerous flaw present in the AirPort wireless devices built into a number of Apple computers, including the eMac, the iBook, iMac, Powerbook G3 and G4, and the Power Mac G4. Apple said computers with its AirPort Extreme wireless cards are not affected. Earlier this month, Apple released a software update to fix a vulnerability in its wireless router, the AirPort Extreme Base Station. That update and instructions on how to apply it are available at the link."

cue doodly piano music

[stratjakt]

Mac: Hi, I'm a mac!

PC: And I'm a PC.

Mac: Steve Jobs just plugged up all my holes

PC: GOODNIGHT! (tapdances off stage)

Re:

[CowTipperGore]

Mac: Steve Jobs just plugged up all my holes

Way to go. You've just taken all the Apple fanbois away from their keyboards, as they think about Steve Jobs plugging up their holes.

Re:cue doodly piano music

[Bullfish]

My own take on one of those ads is the upgrade ad...

First day, Mac approaches PC wearing hospital smock

Mac: What's with the smock PC?
PC: I have to upgrade for Vista. I'm a bit scared
Mac: Okay, be cool. I'll send you flowers in the hospital.

Next day: Robust looking PC stands there smiling while Mac runs up in panic.

Mac: Hide me PC! Hide me!
PC: Why, what's up?
Mac: They want to upgrade me!!
PC: Don't be afraid, look at me! Upgrading is great!
Mac: You don't understand!!!

Three guys run up, one shoots Mac dead while PC stands there stunned. Two of them drag off Mac. Third guy in natty sweater stands beside PC

PC: Who are you?
Mac: I'm Mac.

Re:

[Bat Country]

So you're saying the 1984 Macintosh commercial should have been a Logan's Run them instead?

Re:

[captainjaroslav]

I'm an idiot. That's obvious because I just don't get this post, so I've saved you the trouble of responding and calling me an idiot, okay? Now, does this refer to the OS9>OSX migration? Or an incorrect assumption that Mac users buy new computers every time they want to upgrade? I'm currently running Mac OS 10.4.9, the latest release, on a 400mhz G3 iMac that I bought in early 2000, a computer that was released before OSX. It runs very smoothly and as about as fast as any computer with a 400mhz proc

Re:

[Angostura]

Did you try upgrading the graphics card, the DVD drive or the processor yet? That's what the parent post was getting act.

( a Mac fan writes)

Re:

[Charcharodon]

The sweater is just a sweater, and yes the joke is about how most Mac owners upgrade.

It's not saying much that your machine that you bought in 2000 runs OSX just fine, OSX (OSX server) was released in 1999.

but ...

[Anonymous Coward]

those apples commercials tell me they don't have security issues?

Re:but ...

[tji]

No, there are no OS's without security issues. Even OpenBSD has had a few. Since Mac OS X uses many open standards / open source components, they benefit from the wide deployment, review, and testing that turns up bugs in that code and generates fixes. In closed OS's, the holes are still there, they just cannot be easily analyzed, so it's mostly the highly motivated "black hat" types that discover them and use them for their devious purposes.

The Mac ads clearly referred to all the viruses, worms, spyware, etc. Which are VERY common on Windows PCs, and for whatever reason, are very uncommon on Macs. (I don't really care why they are not prevalent on Macs, I just care that my MacBook Pro is free of exploits, as are my Linux servers.)

Patched bugs are a good thing. Bugs are practically unavoidable. Unpatched bugs, as evidenced by rampant exploits, are the real problem.

Re:

[Mister Whirly]

Hey, I've had my TRS-80 around for 25 years without a single trojan, virus or remote exploit infecting it! Most securely designed OS ever! And it had "OS-9" way before Apple!

Re:

[Mister Whirly]

I believe the one he is referring to is called "Viruses". Tanscript follows -
MAC: Hello, I'm a Mac.

PC: And I'm a PC.

PC: Atchoo! Atchoo! Atchoo!

MAC: Gesundheit! Are you okay?

PC: No I'm not OK. I have that virus that's going around.

MAC: Oh yeah.

PC: In fact, you better stay back. This one's a doozy.

MAC: That's okay I'll be fine.


Just what conclusion do you think Apple wants the public to draw from this? Seems to me like they want people to think that Macs are immune to all viruses..Look

Re:

[Onan]

I'd say the conclusion they'd like you to reach is that macs are so much less susceptible to viruses that they don't require worrying about.

And fortunately, that conclusion is correct. You'll notice that these are all pre-emptive fixes to bugs that apple or white hats have discovered, not emergency patches for ongoing exploitation. I'd hazard a guess that the total number of macs compromised by these issues outside of a testing environment is zero.

I'm sorry that your sister was affected by the one mac virus

Quick summary to avoid reading TFA

[140Mandak262Jamuna]

10 of the 25 are local privilege escalations. A few more require physical access to the machine like loading a malformed disk. Some require authenticated access to the machine. (disk access, clear text password exchange, ftp user privilege escalation, untaring a malformed tar file, opening a malformed help file, etc).

The remote attacks seem to be coming out of the Kerebros admin daemon distributed by MIT 3 holes. One hole each in libinfo, portmap, ichat.

Re:Quick summary to avoid reading TFA

[Whiney Mac Fanboy]

The remote attacks seem to be coming out of the Kerebros admin daemon distributed by MIT 3 holes.

That's the beauty of Open Source (from Apple's POV).

When things go well: Hey - look at us! We 'support' OSS by leveraging all that free software.
When things go bad: Oh well - it's MIT's software! Not ours...

Seriously - I for one am really glad that one closed O/S vendorout there lets OSS do the heavy lifting security wise on their products. Apple users are left in a far less leaky boat. Thanks MIT, Thanks FOSS, Thanks Apple!

Re:

[140Mandak262Jamuna]

They are not blaming MIT, nor am I but my quick description might leave that impression.

That MIT developed it is relevant because, some admins might be running a home grown versions or ruggadized versions sold by other specialist vendors. Infact every hole clearly says which module is affected to help you decide whether or not you need to update your system. Wish MSFT also would clearly say what is not affected by the hole.

Re:

[Afecks]

Wish MSFT also would clearly say what is not affected by the hole.

You mean like how every MS security bulletin has a list of "Affected Software" and then lists each specific operating system version and service pack?

Re:Quick summary to avoid reading TFA

[ClosedSource]

Well, some FOSS supporters on Slashdot are known to equivocate about what "Linux" consists of. When trying to compare functionality with other OS's they consider the entire distro, when comparing stability or security the definition shrinks down to only the kernel.

Re:

[delire]

So true. Frankly I would be quite anxious use OS X as my primary OS for this reason alone.

In the context of Linux distributions if it's packaged it is the distributions problem: without smoking incense here, the ecology of the whole distribution is considered to be at risk if there is a security vulnerability in one of the packages in the distribution. You can then rest assured that if you download software beyond what's offered in the already comprehensive repositories, security audited with each updat

Re:

[geekoid]

YOu do know that apple has many, many OSS packages they created and support, right?

Re:

[Fulkkari]

Washingtonpost:

including a dangerous flaw present in the AirPort wireless devices built into a number of Apple computers, including the eMac, the iBook, iMac, Powerbook G3 and G4, and the Power Mac G4. Apple said computers with its AirPort Extreme wireless cards are not affected.

Apple [apple.com]:

A buffer overflow vulnerability exists in the AirPortDriver module which processes control commands for AirPort. By sending malformed control commands, a local user could trigger the overflow which may lead to arbitrary co

Re:

[Afecks]

FUD? I doubt that was the intention.

I think The Washington Post is just a little shocked. Especially since the Mac "just works" so there shouldn't be any bugs. Plus since OS X is so secure there should never be any exploits either, remote or local.

Re:

[Bat Country]

How is it FUD to call a dangerous flaw dangerous?

I administer a network of 50 systems and the only thing protecting those machines is that I don't allow users to execute downloaded software.

Any program which issued those malformed instructions while claiming to allow the users to punch the monkey or something could install the first OS X backdoor worms, installing them with root privileges then effectively hiding themselves.

This flaw allows exactly the same attack as the P2P "hot_teen_action.mpg.exe" tro

Re:

[Lars T.]

I liked the one for the installer:

By enticing a user to download and install an installer package with a maliciously-crafted file name, an attacker can trigger the vulnerability.

If you already got somebody to download and install your code, why bother hiding the bad code in the malformed name? Very subtle joke by the Apple techs.

Re:

[mzs]

Here is the distressing thing. Five of the exploits are because environment variables were not properly sanitized. How embarrassing is it to not be correctly setting the PATH and IFS environment variables in 2007? Even worse one of them is passing username and password via command line arguments!

Another exploit has any logged in user able to to see the keystrokes of other users thus making key-loggers possible. But that is not the worst part, the embarrassing part is that this was supposedly fixed in an ear

Why is this news?

[reality-bytes]

As an Apple 'outsider' I'm not certain why this is news.

Is it because these issues/vulnerabilities have been outstanding for a long time? Or perhaps Apple does not patch things often?

It's an honest question, my Ubuntu systems at home have frequent patches rolled out and the staff at work are always talking about another update on their Windows desktops.

Isn't Apple the same?

Re:

[account_deleted]

Comment removed based on user account deletion

Re:Why is this news?

[140Mandak262Jamuna]

Also the vulnerability notes very clearly spell out what is affected. I am not a mac user. Still I could make sense of what is broken, whether or not I am running a vulnerable service, whehter or not I need this update.

Compare this to the dense hole descriptions by MSFT. Almost everything affects everything. Even if the bug in Windows is such that "If you dont user IE you are not vulnerable" they cant/wont say it. Wont say it because it will drive FireFox usage up. Cant say it because IE can be invoked by any part of any code. Similarly when a hole in Windows is found, no one seems to know what/who would be affected. Another reason why they dont describe it better is allegedly their fear that the hackers will use it to attack yet unupdated systems. But most hackers use reverse-engineering tools like BlackIce and deconstruct the patch and know precisely how to attack unpatched systems. On the other hand people who might be persuaded to patch their systems faster if the hole description was more specific and pertinent wait because they cant determine whether they are affected. Add to it MSFT's practice of downplaying the bug severity, no wonder MSFT updates are becoming more of a problem than solution.

Re:Why is this news?

[644bd346996]

Did you really mean to say that Apple releases patches more often than Microsoft? Because that is just plain wrong. I get pestered by Windows update at least twice as often as by OS X Software Update, and I use both operating systems regularly.

Re:

[Jeff DeMaagd]

I think what was meant was that a fix is worked on as soon as possible, but I don't think that's always true. An inability to get Apple's attention on a bug is why that one guy did the Month of Apple Bugs, rightly or wrongly.

Microsoft's security fixes seem to fix smaller numbers of bugs per update. Recently, they were mostly updates to the malware removal tool, not security fixes.

Re:

[Mister Whirly]

Informative? How is this informative? How often your system checks for updates is entirely up to the user. Please take your straw man down now.

Re:

[644bd346996]

All of my systems check for updates every time I turn them on, ie daily. But that doesn't really matter, as long as the systems check significantly more often than updates are released.

When somebody says "... Apple updates and patches their system constantly compared to Microsoft" that seems to be a exaggerated way of saying that Apple releases patches far more often than Microsoft. In my experience, the opposite is the case. I asked if I was interpreting the comment the right way, and explained why I was q

Re:

[Mister Whirly]

It sure seems like a straw man as you were referring to the frequency of how often your system checks for updates, and not how often updates are released. Seeing the checking frequency is 100% determined by the user, it is a not related in any way to how often updates are released, it IS a strawman argument. Your second post clarified a little better what you meant, but I stand by my inital post as your inital post only refers to how often Windows Update runs a check compared to Apple Software Update.

Re:

[Scudsucker]

Did you really mean to say that Apple releases patches more often than Microsoft? Because that is just plain wrong.

Because Microsoft has a lot more to patch.

Re:

[GreggBz]

Just like Ubuntu Apple updates and patches their system constantly compared to Microsoft.

As a user of Linux (although I can't speak for Ubuntu), Mac OS and Windows all I can say is.. ehh.. no.

Re:

[clintre]

Actually that is far from the truth.

I am no M$ fanboy, but they used to push out patches constantly, but most IT shops do not want that. Generally IT shops like to validate the patches before applying them to their machines to make sure poorly written software does not have issues with a patch.

No on in their right mind would push patches out directly to the corporate computers without testing them. By having the patches come out on the same day every month you allow preparation and planning.

Really

Just the facts

[ad0gg]

By constantly you mean, every 3 months or so. Some of the holes had been open for over 3 months with a rating of highly critical on secunia. Secunia still list 6 unpatched holes for OSX, highest being moderately critical. Quick comparision to vista which has two unpatched holes which have a rating of not critical.

Vista [secunia.com]
OS X [secunia.com]

Re:Just the facts

[larkost]

One thing to note: the one bug that Secunia is rating as "moderately critical" is on FTP, and it is not enabled by default.

Re:

[account_deleted]

Comment removed based on user account deletion

Re:Why is this news?

[notthepainter]

It's worth noting that Mac OS 9, which had no security whatsoever, had almost no (or none? The point is I've never come across one) viruses or worms.

I can only think of one in recent memory. The Hong Kong worm http://www.makingpages.org/pagemaker/virus.html [makingpages.org], aka Autostart 9805, was pretty devasting to the pre-press industry which passed around zip cartridges like they were free. This would have been back in 1998.

Paul

Re:

[hawaiian717]

I'm guessing at the numbers, but there were something like 50 viruses for classic Mac OS. Most seemed to be the type that would attach themselves to applications or floppies and spread that way. I remember one time coming home from printing something at Kinkos, putting the floppy in my machine, and Symantec Antivirus coming up and reporting that it had removed a virus from the disk. The objective was different, typically they just tended to spread and be annoying; a handful did actual damage. Since this

Re:

[account_deleted]

Comment removed based on user account deletion

Windows before 1997 had relatively few viruses too

[argent]

It's worth noting that Mac OS 9, which had no security whatsoever, had almost no (or none? The point is I've never come across one) viruses or worms.

Back in the '80s and early '90s the Mac was a fertile breeding ground for viruses, because of the design of the system. Just putting a floppy in the drive was enough to run code. Apple's response to this was to get rid of automatic execution of code fragments on floppies and in resource forks of documents. This was a normal and sane response to a bad design.

If you want to know why it hasn't been the target of a concerted hacker attack, you have to look elsewhere than the "Windows is insecure by design, OS X and Unix isn't" stuff that's become the prevailing consensus.

While the fact that there are more Windows boxes out there, there are several features of Windows that are insecure-by-design that have had a huge impact on Windows security. In particular, the design of Internet Explorer and the integration of the HTML control into the desktop and email programs had an enormous and direct effect on the spread of viruses and worms on Windows machines all out of proportion to their popularity.

Before the release of "Open Desktop", the virus problem on Windows really was managable without antivirus software. Just following good software hygiene was enough to make viruses a rare problem. Afterwards, I found that simply not allowing the use of IE and Outlook and other components that used the HTML control to display untrusted documents was more effective than antivirus software, because it removed the mosty common point of entry of new viruses.

The sane response to this would have been to back out the desktop-browser integration and redesign the system so that the right to run unsandboxed code was SOLELY mediated by the application displaying the document. Microsoft, instead, attempted to come up with tighter and tighter heuristics as to when to allow documents out of the sandbox, which boggled my mind then and still boggles my mind now.

There are other problems in the design of Windows that I've discussed before, but this one should be more than enough to make my point, especially after you handed me such a great counterexample.

Re:

[Paulrothrock]

It's not news, it's Fark... wait, wrong site.

But you're right, this isn't news. Mac OS X has bugs and security holes just like every OS that has ever existed. Apple patches them. It's just that they seem to be able to do it before someone wants to try to exploit them.

Re:I'll tell you what's news:

[frdmfghtr]

If you are in charge of a business's IT department, do you want to go through and thoroughly test new patches every few days, or do one test covering multiple patches? Didn't feedback from big IT shops compel MS to release patches in bigger batches with less frequency (hence the introduction of "Patch Tuesday")?

I don't do IT, so maybe releasing 25 fixes at once can require 25 separate test cycles. Anybody care to enlighten me?

Re:

[drinkypoo]

If you are in charge of a business's IT department, do you want to go through and thoroughly test new patches every few days, or do one test covering multiple patches?

There's an argument to be made either way. You could argue that it would be better to QA a patch rollup because you only have to do one test. But you could also argue that it's better to be able to test the patches separately so you can apply all the patches that don't bend you over.

Re:

[drinkypoo]

Or we could just skip all that and say "Apple's way is better than Microsoft's way" in true Slashdot fashion.

the difference between Microsoft's way and Apple's way in this case is that Microsoft actually gives you more information about vulnerabilities and is actually less afraid to make themselves look bad than Apple. Maybe that's because Apple operates on looks, and Microsoft operates on lock-in.

Apple has traditionally been and continues to be somewhat sticky on the subject of disclosure.

Regardless, I

Re:

[faloi]

I don't do IT, so maybe releasing 25 fixes at once can require 25 separate test cycles. Anybody care to enlighten me?

It all depends on the shop, but in general it does. The larger the company, the more likely you are to stage your roll out after a decent testing cycle...or at least that's been my experience. My experience has been that small shops tend to have more variety in the hardware that's out there, so it'd be tougher to get a really good test cycle built and running anyway. It's easier to test

Re:

[misleb]

I always wondered just how effective IT testing of patches really is and how often it finds stuff that breaks. What do you do, sit there and run through every menu of every single application that the business runs? Is there some kind of automated test suite you can run? Sounds like a huge, tedious pain in the ass to me. I'm glad I've never had to work anywhere that is so paranoid.

-matthew

Re:

[BigDogCH]

You are correct, it is simply impractical to test everything. Any IT department that has the time / manpower to test every single application with every single patch would require more IT staff than any company I have ever worked for or with. The reality is, we run system backups, and try to screen patches as best as possible. Yup, sometimes something slips through, and hoses something up, but it is easier to repair than it is to test everything. 99% of patches from MS work fine, so fixing the other 1%

Re:

[mkiwi]

I don't do IT, so maybe releasing 25 fixes at once can require 25 separate test cycles. Anybody care to enlighten me?

Here's how it works where I work (IT and Software Engineering):

1. Run MS auto update.
2. See what breaks.
3. Reinstall programs that are broken.
4. Pray the user's outlook database is not larger than 2GB.
5. ???
6. ??????
7. Whew. Only 300 more computers to go.

Very simple yet suprisingly time consuming :-)

Re:I'll tell you what's news:

[99BottlesOfBeerInMyF]

They rolled out these patches all at once. But the patches were almost certainly not done all at the same time. That's right, Apple has deliberately left you (and me! although I only have one mac to deal with and it's not my primary machine) vulnerable so that they could roll out a bunch of patches at the same time instead of one at a time.

Sigh. Have you ever worked in the software development industry. There is this thing called "testing" that some people find important. If you work on Kereberos and find a bug and patch it, you then test just it before distributing. If you work at Apple or Redhat where you are shipping an entire OS with a bunch of packages, it is impossible to patch and test those patches in conjunction with all other hardware in the same timeframe because you have multiple things to patch at once. Thus, the only real solution s to do it in bundles, where you stick a group of patches together then QA them all at once. This results in longer delays for some fixes, but it also means the patch is actually tested in conjunction with the other patches so one does not break another. Any responsible vendor uses this method for dealing with bugs.

Once again, the methodology commonly used by Linux distributions in which patches are rolled out as soon as they are ready provides greater security than Microsoft or Apple (who do the very same thing.)

Individual developers roll out patches and you could have patched your OS X box from them if you felt it was an emergency for you. As for what Linux vendors do, I don't know of any who roll one-off fixes into the stable branch intended for real use, instead of testing patches in bundles. You don't seem to know what you're talking about.

Re:

[Lars T.]

Apple's convenience is more important than your security.

Well, Linux' security is more important than the convenience of its users. I wonder if all Linux users do bother to patch all the vulnerabilities.

Re:

[drinkypoo]

Well, Linux' security is more important than the convenience of its users. I wonder if all Linux users do bother to patch all the vulnerabilities.

You and everyone else missed the point entirely. Linux provides you a patch ASAP, and you have a choice as to when to install it, whereas Apple and Microsoft and just about every other vendor releases patches on their schedule.

Microsoft makes early announcement of vulnerabilities in some cases, so you at least know there is a problem and can devise a workaround.

Re:

[Weedlekin]

"It's worth noting that Mac OS 9, which had no security whatsoever, had almost (or none? The point is I've never come across one) no viruses or worms"

There were at least 20 viruses for various types of Mac OS prior to OS X, and a whole bunch of worms etc. for different versions of MS Office running on those systems (conceptually similar to the Word / Excel macro malware that targeted Windows Office users). Note that these were all "in the wild" malware that infected people, not the sort of "proof of concept

Re:

[Lars T.]

Yes, it is the same. I think that a lot of Windows users just get tired of hearing whining about security from other OS users constantly, so it's their turn to gloat.

Somebody should help them by patching one of the active worms to send out gloat mails.

In other news...

[c0d3h4x0r]

Microsoft Issues Holes for 25 Security Patches

Why

[Mockylock]

Why isn't this listed under "HaHa" as well? Not trolling, as much as wondering what the reasoning of that was for. Bias?

Re:Why

[aicrules]

I think because no one really believes that Apple software is completely bulletproof. No software is completely bulletproof. I'm sure someone could find an exploit even for a Hello World program. Windows gets the majority of the "bad press" from flaws because it has a gigantic market share compared to Apple, so the security holes and related patches affect many more people.

Yes, some Windows folks will see this as a "haha" nelson moment. However, it isn't a haha moment until the headline reads that someone found 25 Apple exploits and released a huge virus to exploit them. And while I am firmly planted in my Windows environment, I will not be interested in laughing at my Apple compadres when or if that happens.

Re:

[Afecks]

However, it isn't a haha moment until the headline reads that someone found 25 Apple exploits and released a huge virus to exploit them.

I'm sure you meant a worm not a virus.

However, if there's ever more than 1 Mac for every 1 million* IP addresses then maybe a worm might surface.

I just hope the worm author does something creative with his captive audience. Perhaps some hilarious messagesm, "right click to continue", "dx9.dll missing, please reinstall" or how about changing all their bookmarks to

Re:

[aicrules]

That's why I say no one REALLY believes it. Even fanboys on both sides know, whether secretly or overtly, that their favorite OS isn't perfect. You'll see it mostly when groups of fanboys on the same side are together in a room with their favorite OS and can be found cursing why it does such and such.

People may pretend that their OS is great and infallible, but they all know better.

Because of the nature of the holes patched

[Solr_Flare]

The majority of the security holes patched are ones where you would have to be in a very unusual situation for someone to use them to any real effect. That doesn't lessen the fact that these are holes being patched up mind you. But, if you look closely at what was patched, you'll see a lot of the patches focus on the foundation that OSX is built on(BSD and its respective tools), and most are relatively harmless/hard to use to your advantage flaws.

As others have said, no operating system is bullet proof

10.3.9 also patched

[kybred]

Apple is providing some patches for 10.3.9 as well. Good to see that they are still providing security related updates for the previous system.

Re:

[0racle]

Until 10.5 is released, 10.3.9 is a supported release. What you just said is like giving MS a hand for releasing patches for XP even though they just released Vista.

Re:

[toQDuj]

No, 10.4.x is the current version, the XP-alike. 10.3 would be more windows ME or 2000 perhaps..

Re:

[0racle]

Completely missed it huh. MS has 2 Supported desktop versions of windows currently, Vista and XP. Apple has 2 supported versions currently (only ever has 2), Panther (10.3) and Tiger (10.4). The previous poster said it was good to see Apple patching Panther. Panther is a supported system, it should be expected that Apple continues to patch it. Giving Apple a hand for patching a supported system would be like thanking MS for going to the trouble of patching XP when Vista is the most recent, even though XP is

Re:

[drinkypoo]

It's too bad they don't port improvements to the way the system behaves to the previous system. I'm not talking about bringing whole new APIs etc to prior revisions, although that would be responsible, but about backporting fixes to the way the context menus work for example (they are not very well-behaved in 10.3 in general. I finally went to 10.4 a couple weeks ago.)

25 holes? Wow.

[Opportunist]

If this was an MS System, we'd now be at SP1.

Re:

[Lars T.]

If this was an MS System, we'd now be at SP1.

Nope, still about 175 missing for the average SP.

Not news...

[IwarkChocobos]

Don't ALL operating systems have holes? I think the only thing different here is that Apple waited until there were a lot found and fixed to release the patch. MS and Apple release patches differently; MS releases them as soon as they can, one at a time usually, while Apple chooses to wait until there are a lot of patches to release it. Not really the best idea, but not the worst for both companies. Not news.

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[UnknowingFool]

Actually, I've noticed Apple delay updates long enough that a lot come out in the next OS X upgrade.

But I have seen Apple release critical patches out of cycle if the issue was severe enough.

Apple fixes, are they better documented yet?

[gelfling]

One problem I have with Apple is that their change logs and what's new on releases and patches are poorly documented if ever. iPod is a good example. I guess you're supposed to apply the 'don't fix it if it ain't broke' approach which is good. But then why does iTunes constantly remind me of available updates? In either case I hope Apple documents their fixes on the computer side a little better. That way I can decide if I need to fix them.

And as for the MS ObiWan Kenfanboys, just because MS has a constant

Re:

[99BottlesOfBeerInMyF]

One problem I have with Apple is that their change logs and what's new on releases and patches are poorly documented if ever.

It is funny to make such a comment in an article about Apple's security fixes. Apple's security fixes are poorly documented, unless you compare them to anyone else on the planet's, then they're pretty darn good. They provide a nice, English description of each item patched along with enough info for a normal human to know if the affects them, credit for finding the vulnerabilities, and links to external references when available. They provide the CVE numbers. What more do you want?

MS Patch management

[Hawat]

My work laptop (XP Pro) has developed an aversion to installing Office XP components. I tried to add MS-Access for a special project. In "Add/Remove programs" from the Control Panel it fails silently. From setup.exe on the the CD I get this message: "No valid sequence could be found for the set of patches."

This appears to be related to the Microsoft Windows Installer (msi.dll).

Eventually, I tried to uninstall Office XP and start over. The machine refuses do do this with another silent failure. I consid

Re:

[Speare]

The "defectivebydesign" tag is intended for use whenever discussing DRM and the way that technology can and will be changed to further restrict or disenfranchise you from using content on your own hardware, even if you are otherwise completely in the clear by your rights as a consumer and citizen of your particular country. It's defective, but it was intentionally designed to be that way.

Not that it's not misused occasionally by idiots and zealots, but there you are.

Re:

[Graff]

This is why the whole tags system is worthless. The article has already been placed into one or more sections and has thus been "tagged" by the administrators. You have the title and the article itself to get more information about the article. Having user-applied tags is superfluous and can be misleading - either by accident or on purpose.

Personally I ignore all tags and I think it's a waste of time to have the whole tagging system. Either the moderators should tag the article or there should be no tag

Re:

[elrous0]

If it's not hurting you, why do you care?

A lot of us like the tagging system.

Re:

[Graff]

I care because it is a waste of coding effort and time. I also care because it is being used to misrepresent what the actual article is about. The "defectivebydesign" tag that was being discussed further up in this thread is a good example of that.

How many times have you seen an article tagged with "yes", "no", "maybe" and all other sort of contradictory nonsense. Tags literally mean nothing when this sort of thing happens and they now serve no purpose other than being a kind of high-tech graffiti that

Re:

[jimstapleton]

Given the smug "it's so secure" comments from Mac users, I would agree the 'haha' would be appropriate. However, defectivebydesign insinuates that it is intended to be problematic or broken, and is not appropriate in this case. It's not appropriate in similar cases on MS news articles either, but /. is hardly an unbiased group. Additonally, many people want to lash out at MS, making them a good target. Few people care enough about Apple to give a damn.

Re:

[Mockylock]

Yeha, that's usually how it happens. Microsoft has holes because the OS supposedly stinks, all other OS's Just patch holes to make their OS even better.

Basically saying, "I'm not screwing the sheep. I'm Merely helping it through the fence."

Re:

[644bd346996]

I didn't say that most slashdot users don't use windows. What I said was that they prefer to not use windows. I sympathize with all those who can't use anything else, for whatever reason.

Also, any poll on the subject would be useless. All it would tell us is that CowboyNeal is more popular than Vista.

Re:

[geekoid]

He didin't sas it wasn't used, only that it wasn't perferred.

Webstats would show what /. users use

[ukemike]

I would love to have /. tell us what we as a group use. I have a website and I can look up what percentage of my hits were from each OS and each browser. I think it would be very interesting, it might make a good discussion. Especially on a slow news day (like today).

Actually I'd like to see more discussions about /. itself. I think that the moderation, meta-moderation, and karma systems are fascinating. A bi-annual state of the /. post with feedback about the various systems in place would be a hug

Re:

[Aladrin]

I think you have totally misunderstood what that tag means. It means that the designer specifically designed the device to not do something that is normally expected or wanted, or has been designed in such a way as to annoy the user constantly. In other words, they had to work harder to make sure the device did not work. Typical MS things that are defective by design are DRM, Clippy, and that new security thing in Vista that is so annoying.

These were bugs, not by design. Apple didn't not specifically in

Re:

[drsmithy]

It means that the designer specifically designed the device to not do something that is normally expected or wanted, or has been designed in such a way as to annoy the user constantly. In other words, they had to work harder to make sure the device did not work. Typical MS things that are defective by design are DRM, Clippy, and that new security thing in Vista that is so annoying.

Ah. So you mean like a media player that can't display full screen videos ?

(It would be interesting to see what you thinkg D

Re:

[Tim Browse]

How does the availability (or not) of other Quicktime players that aren't defective by design negate the point that Apple's QuickTime Player is defective by design? Ohh, wait, it doesn't - tough luck.

Re:

[Aladrin]

Whoa, wait a minute there bucko. Where did I say that Apple does it right? I don't actually own a single Apple product. Not a Mac Mini, not an iPod, nothing. I've thought about an iPod, and a ModBook, and a Mac Mini. But since the first thing I'd do would be to put Kubuntu on the computers, or MP3s on the iPod, it didn't make sense to spend my money that way.

I'll admit it. I used to -really- hate Apple computers. After the IIe, and before OS X, I found nothing I liked about them. I used Windows most

Re:

[PFI_Optix]

So you assert there's no hypocrisy on the part of the Mac fanboys?

OT: Re:I'd like to propose a tag

[zippthorne]

But, would you ever want do search for articles about things that are "defectivebydesign?" It's commentary-in-the-tags that caused me to disable them in my profile months ago.

For instance, on any article which poses a question, you can invariably find the tags, "yes," "no," and "maybe." But since they're so often together, they're basically redundant: searching any of them brings up the same articles. Better would be to use the tag, "question." but since all of the questions are titled ASK SLASHDOT, even

Re:

[Lars T.]

Linux does it, and the guy who found the bug is of course the first to do so.

Re:

[Chris whatever]

Heu!!!! how can you say that they are proactive if the patches fixes issue that are already there and they know about it.

proactive is seeing for potential threat in the future and taking steps to correct them before they happen

There are no more proactive than any other company when it comes to bugs and patches.

Re:

[CrazyTalk]

The difference is, no one has exploited the Apple security loopholes yet, while with Microsoft they are reacting after there have already been attacks.

Re:

[pclminion]

No such opinion appears in the article, and, your comment being the first post, clearly no such opinion has been expressed on Slashdot. So shut the fuck up and sit down.

Re:

[thejynxed]

Not to be to flameable here, but who says they aren't part of botnets? The various Unix flavours and derivatives are the reason why we know what a rootkit is.

As my CS professor said once, "With Windows, you know it's broken right up front, and that you have to take certain steps right away to fix it. such as slap an AV program on. With the various Unix-based OSes, you have to go over every little detail with a fine-toothed comb, putz around in the code, recompile, and all of that other hassle because they p

Re:

[Lars T.]

Because you'll get a bigger botnet if you write the hacks for windows. Same reason there's not much virus/malware/etc on the non-windows OS's.

That's your answer to somebody who says that most botnets don't use any "hacks"?

Re:

[Mister Whirly]

"Some local privilege escalations that nobody beyond a couple of security researchers have paid attention to is nothing compared to the stuff a Windows user has to put up with."

Yeah, Windows users have to put up with a constant stream of hypocritical double standards by rabid Mac Fanboys on Slashdot...

Re:

[nevali]

Yeah, 'cos patched local privilege escalation vulnerabilities that nobody has bothered to exploit is exactly the same as unpatched remote code-execution vulnerabilities affecting a default installation for which exploits are widely circulated in the wild for nefarious purposes.

If you think the two are the same, it's no wonder you think they're all fanboys.

Re:

[Mister Whirly]

An exploit is an exploit is an exploit. I'm not going to bother splitting hairs over that stupid argument. There WERE remote exploits, at least 3 of them. The only reason they aren't "in the wild" yet is because there isn't profit to be had by attacking an OS with less than 5% marketshare.

Let's all be honest - the only "secure" system would be one locked in a room nobody was allowed in ever, and not connected to any other machines. An operating system is just that - nothing magical or special about it.

Re:

[nevali]

And yet none of those remotely-vulnerable services are enabled by default. Indeed, of the three, two of them wouldn't get switched on by the vast majority of Mac users.

Which is somewhat different to, say, the .ANI vulnerability.

clearing throat...

[mzs]

Notice that those were taken from the SERVER security update? Guess what portmap is running and the firewall open for port 111 if an Xserve is exporting NFS. A very common configuration actually.