Apple Mac OS X Update For 17 Vulnerabilities
BSDetector writes "Apple has released fixes for 17 OSX vulnerabilities, ranging from system takeover to denial-of-service attacks. It was the fifth security update released this year. It also marked the first time this year that an operating system security update from Apple did not patch a vulnerability disclosed by the January Month of Apple Bugs project. Today's update pushed Apple's year-to-date patch total to over 100. More than one of the affected flaws were called 'critical' or 'dangerous'."
Four fat guys on a crash cart... (Score:2)
Do they care?
Re: (Score:3, Insightful)
Comeback to whom?
"Hey, you there! Yes, you--the small market share that makes up Apple users."
If Microsoft were to say anything about this, it would merely acknowledge, and therefore (ironically) reinforce Apple's (well OSX's) image of being resistant to viruses. Perhaps more importantly, it would also reinforce MS's image of Windows being prone to viruses.
- RG>
Developers! (Score:2)
No passion. Right.
Re:Developers! (Score:4, Funny)
There is a subtle difference.
It's not only about the vulnerabilities... (Score:4, Informative)
From what I've seen, Apple has been quite responsible with fixing found vulnerabilities: turnaround times, etc. More so than that other guy. So, I can't really complain.
Re:It's not only about the vulnerabilities... (Score:5, Informative)
Apple's time to patch was about twice as long as Microsoft's in 2006. From the looks of things, they may be working hard on improving that.
Apple has historically been terribly irresponsible with found vulnerabilities. This article says this is the first exploit fixed that hasn't been logged on the MOAB project.
Read up on the MOAB. The MOAB project was started by security researchers who decided to release their findings publicly (and not contact Apple beforehand, giving them time to fix the vulnerability before it became publicly known) because they got mad when Apple outright denied some existing vulnerabilities they found.
You are incorrect. Apple has a terrible track record when it comes to handling vulnerabilities when compared to the other guy. It looks like they are making progress.
Re:It's not only about the vulnerabilities... (Score:5, Informative)
Re:It's not only about the vulnerabilities... (Score:5, Insightful)
There may be some legitimacy to the complaints that Apple was unresponsive, but I agree, to bring in flaws in third party products to the mix is beyond irresponsible.
Microsoft: 10 years, Apple: 3 years. (Score:3, Interesting)
Microsoft's coming up on 10 years for an unpatched vulnerability this year. One that's been exploited over and over again, and is still there.
Apple's comparable vulnerability is much less dangerous, AND you can turn it off, AND it only surfaces in one program. Much lower surface area, much harder to exploit.
I'm talking, of course, about deliberate automatic code executio
Re: (Score:2)
Re:Microsoft: 10 years, Apple: 3 years. (Score:5, Informative)
Well, they started out calling it "Active Desktop". It's had other names, but that's where it started.
The vulnerability is that when you combine ActiveX with the API that applications use to call the HTML control, the resulting design is fundamentally impossible, even in principle, to secure. The problem is that the HTML control is given the responsibility for deciding whether an object it's called on to display should be trusted or not, but the HTML control does not have enough information to make that determination. It's arguable whether the application calling it does, but in every exploit I'm aware of that has made use of this vulnerability to infect the computer, giving the application responsibility for that decision would have prevented it.
The changes required to the API could be:
(1) Making the control call back to the application to follow links, access embedded objects, and so on.
(2) Making the control by itself purely a display mechanism, and requiring explicit installation of extensions by the application.
(3) Making the sandbox the control uses "hard", and requiring the user or the application to explicitly install plugins based on roles, and making the application explicitly specify the role that the instance of the control takes.
In addition, in all cases:
(4) Make the inheritance of the environment absolute. If you follow a link from an application then the target of the link MUST be displayed under the control of the same application. That application can display it by running a more restricted helper application if appropriate (so Windows Explorer could call Internet Explorer) but that decision MUST be made by the application, not the HTML control.
Except in VERY limited circumstances (such as the default "open safe files after downloading" option in Safari, which CAN BE TURNED OFF) every other browser or mail software follows some variant of these rules (for example, the KHTML/Webkit "IO slaves" follow rule 2). The idea that a program failing to implement one of these rules would be treated as anything less than a critical bug to be fixed as soon as it was discovered was literally a bad joke before 1997. I mean, there were jokes going around about it, because everyone knew nobody would be so stupid as to implement something like Active Desktop.
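An added illustration of the design distinction drawn in the comment above (constructed example, not the commenter's code and not real ActiveX or Windows API code): a display control that decides trust from an object's own "safe" claim, beside one that refers every embedded object and link target back to the hosting application, which knows the document's origin and its own role. All class, role and origin names are assumptions for the illustration.

```python
from dataclasses import dataclass
from enum import Enum


class Role(Enum):
    """Role the host assigns to a control instance (rule 3 above)."""
    DESKTOP_SHELL = "desktop_shell"   # displays local folders
    MAIL_VIEWER = "mail_viewer"       # displays untrusted messages


@dataclass(frozen=True)
class EmbeddedObject:
    class_id: str
    claims_safe: bool      # the object's own "safe" self-description


@dataclass(frozen=True)
class Document:
    origin: str            # "local", "mail" or "internet" (assumed labels)
    objects: tuple = ()
    links: tuple = ()      # (claimed origin, objects) of each link target


class ControlDecidesTrust:
    """Old design: the display control makes the trust decision itself,
    seeing only the object's self-description, not the document origin."""

    def render(self, doc):
        return [o.class_id for o in doc.objects if o.claims_safe]

    def follow_link(self, doc, index):
        # The control navigates on its own; the host is never consulted.
        origin, objects = doc.links[index]
        return self.render(Document(origin, objects))


class HostDecidesTrust:
    """Proposed design (rules 1, 2 and 4): the control only displays and
    refers objects and link targets back to the hosting application."""

    def __init__(self, host):
        self._host = host

    def render(self, doc):
        return [o.class_id for o in doc.objects
                if self._host.allow_object(doc.origin, o)]

    def follow_link(self, doc, index):
        # Rule 4: the target is shown under the same host, which decides
        # what trust level the new document inherits.
        return self._host.open_link(self, doc, index)


class HostApplication:
    """Host that knows its role and instantiates objects only from an
    explicit per-role allowlist (rule 2), never from a safety claim."""
    ALLOWLIST = {
        Role.DESKTOP_SHELL: frozenset({"folder-view"}),
        Role.MAIL_VIEWER: frozenset(),
    }

    def __init__(self, role):
        self.role = role

    def allow_object(self, origin, obj):
        return origin == "local" and obj.class_id in self.ALLOWLIST[self.role]

    def open_link(self, control, doc, index):
        # A target reached from untrusted content inherits that content's
        # origin, whatever the target claims for itself.
        claimed, objects = doc.links[index]
        origin = claimed if doc.origin == "local" else doc.origin
        return control.render(Document(origin, objects))


def demo():
    """Constructed message: an object claiming to be safe, plus a link
    to a page that claims a 'local' origin and carries the same object."""
    payload = EmbeddedObject("media-player", claims_safe=True)
    message = Document("mail", objects=(payload,),
                       links=(("local", (payload,)),))
    old = ControlDecidesTrust()
    new = HostDecidesTrust(HostApplication(Role.MAIL_VIEWER))
    return (old.render(message), old.follow_link(message, 0),
            new.render(message), new.follow_link(message, 0))
```

`demo()` returns the objects each design would instantiate for the same message and the same followed link: the old control instantiates the object both times, the host-mediated one never does in the mail role.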
Re: (Score:2)
Re:It's not only about the vulnerabilities... (Score:5, Informative)
You misunderstand. This is the first update that doesn't patch anything listed by MOAB. That doesn't mean that everything patched before was. MOAB only listed 31 bugs, whereas dozens of potential vulnerabilities have been patched by Apple in that time.
The MOAB project was started by security researchers who decided to release their findings publicly because they got mad when Apple outright denied some existing vulnerabilities they found.
That doesn't explain why they chose to give the same treatment to VLC [info-pull.com], OmniGroup [info-pull.com], and Panic [info-pull.com].
Re: (Score:3, Interesting)
You're purposely sending people to a rigged website...? Does this mean you're in on the trap or just that you're clueless about what really lies behind MOAB?
Re: (Score:2)
Apologist, much?
Re: (Score:2)
Re: (Score:3, Informative)
Re:It's not only about the vulnerabilities... (Score:5, Insightful)
Re:It's not only about the vulnerabilities... (Score:4, Insightful)
Mac users do not run as root, and in fact root user access is not enabled by default. Just that by itself is much more important than randomized memory paths and UAC prompts and even firewalls.
Microsoft has people doing office work running as root because their poorly managed third-party software platform has not yet adapted to a networked user model.
Apple is also way ahead of Microsoft on quality, design, execution, product management. It is a more tightly built boat.
Re: (Score:3, Informative)
> hard on improving that.
But Apple's bugs were much less severe, and when Apple ships a patch, it goes out to their Software Update system which patches a remarkable number of systems very quickly. Software Update is 8 or more years old and predates Mac OS X. It updates your Mac OS X system with a new version of Mac OS X every quarter or so. The whole platform is a moving target.
> MOAB
M
Partial quote, taken out of context (Score:2)
open the gates (Score:2, Informative)
Re:open the gates (Score:4, Insightful)
Regardless of where it originates from, isn't any program that allows an unprivileged user to execute code beyond that user's privilege a serious issue? Why would it have higher privileges because an e-mail client downloaded it?
Re: (Score:2)
Let me answer in l33t sp3@k for your entertainment.
In order of severity: remote root exploits, local root exploits, remote non-root exploits, local trojan horses. The first is worst because it doesn't require any user interaction to 0wn your boxen. The second is not as bad because it does require action from a legitimate user to 0wn your boxen except when combined with the third. The third is not as bad as either of these because it is generally limited in the amount of damage it can do in the absence
This could just as well have a different title (Score:4, Insightful)
Since exploits of machines are meaningless if they are not used by at least a nominal portion of the userbase. Unless said machines run very interesting services (like, say, a DNS root server), machines are only interesting in numbers for a potential attacker.
So, as a Mac user I'd see this as a sign of my computer gaining ground in the market.
Re: (Score:2)
I prefer to think that they were doing preventative maintenance. Apple hasn't always been the best at patching vulnerabilities but I guess the
Re: (Score:2)
Re: (Score:2)
Ah, but much of what Apple ends up patching in updates like these isn't actually Apple-specific, but rather fixes to open source stuff they ship. This update has fixes for bind, fetchmail, ruby, and screen, to name a few. Those bugs could have been found by users or programmers on a dozen other platforms.
Re: (Score:3, Insightful)
This would indeed be true if the act of writing malware was a quest that earned a +5 Amulet Of Knowing Real User Numbers which gives them magical abilities that people who don't write malware lack. If however we reluctantly accept the fact that malware writers don't have such wondrous artefacts, then we must also accept that Windows' market dominance and its total dominance of the malware sector are merely a
Re:This could just as well have a different title (Score:4, Insightful)
The installed base of Macs is estimated to be between 10% and 15% of the market. That value follows from the sales numbers established in market share, amortized across the 5-7 year functional lifespan of the average Mac.
"One machine in ten" seems like a reasonably attractive size for a target.
Besides, you're forgetting the automated nature of malware. You don't create a botnet by hand, one machine at a time. You pump out a massive number of potential attacks and glean the ones that succeed. And having a botnet means having a massively distributed system whose resources can be devoted to making itself even bigger.
It doesn't even take an infected Mac to compromise another Mac. The attack is just a package of data, so it would be trivially easy to dedicate a Windows botnet to locating and infecting Macs if someone really wanted to.
The reason malware developers target the Windows platform is that it's so much easier to find a Windows machine with an exploitable hole and take it over. Windows up through XP carries a ton of historical baggage that assumes the existence of an isolated, single-user system: All processes are launched by a user with absolute privilege. Half the processes on any given machine are running at the highest possible level of privilege, and they accept data from sources with lower levels of privilege. The directory that contains system binaries is writable by pretty much anyone, there's no index to say where any given binary came from, and it's standard practice to add or overwrite files in that directory. The absolute-privilege daemons are controlled by the Registry, which again is writeable by almost anyone, and whose format is obscure enough that it's difficult to find tampering even if you know something is wrong with the machine.
Those were all convenient and effective solutions in the days when 99.9% of the data coming into a machine came from the person at the keyboard. But they don't fare so well against a hostile internet.
OS X doesn't have that baggage. It inherited unix's experience dealing with multi-user systems in an untrusted network environment. Yes, there are weak spots, but the attack surface is much smaller than that of Windows.
The people who collect botnets don't care about market share. They care about exploitability, especially exploitability which can be automated. Windows machines offer an easy target in that respect. Macs and unix-alike systems require more work. And there's no reason for them to do the extra work when Windows machines are both so easy to find and so easy to take over.
Re: (Score:2, Insightful)
So, you'll have to admit then that all Jobs said about Windows being an insecure piece of garbage was wrong. It's, you see, just because they have such a great market share.
You Mac users can't have it both ways. When hackers didn't pay attention to OSX and people said "this is because no one cares to attack you yet", you said "bs, it's because OSX is such a great OS, it's unhackable, it's secure *nix baby!".
Now you the community turn
Multiple Mac users (Score:5, Insightful)
Yes, they can. You see, Mac users do not all speak with a single Borgified voice. There are some Mac users that believe the scarcity of exploits is due to the better design of a Unix base. And there are actually other Mac users that believe the smaller market share makes Macs a less attractive target. Amazingly, there might even be Mac users who change their beliefs according to argument and observation. What chaos!
Necessary? (Score:3, Insightful)
Even still, Macs have no open ports by default (Score:2)
Re: (Score:3, Informative)
Too bad the update sucks! (Score:3, Interesting)
-David
Sorry... (Score:5, Insightful)
Yeah, bring that myth of "smaller user base means less of a target" one more time. I could use another good laugh.
Re: (Score:3, Funny)
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
Yes, but we're not speaking Latin. We're speaking a trade language that has (apparently) decided that it's easier if every singular Xus is pluralized as Xi.
Deal.
Re: (Score:2)
When you're using Latin (even in English) you do with Second Declension nouns [ohio-state.edu], fuckhead. Singular: -us/-er; Plural: -i.
Not that this applies to virus, since it's NOT a second declension noun, but is its own plural, like data. The plural of virus is virus.
So you're wrong in English AND in Latin.
(Boy this argument never gets old.)
Re: (Score:2)
Re:I feel robbed (Score:5, Funny)
Because the patches are all released on the first(?) Tuesday of every month.
Why doesn't Slashdot tell me when Thanksgiving is?
5 patches in 5 months (Score:5, Interesting)
Re: (Score:2)
Re: (Score:2)
Re:5 patches in 5 months (Score:5, Funny)
Re: (Score:2)
Re:I feel robbed (Score:4, Informative)
Yeah, Slashdot never makes posts like this about Microsoft. Certainly this article from two weeks ago [slashdot.org] has nothing to do with notable Windows security patches.
Re:I feel robbed (Score:5, Funny)
Re: (Score:3, Funny)
Re: (Score:3, Interesting)
Re:Thats unpossible!! (Score:4, Funny)
No, most of us just want another overpriced peripheral for our iPods.
Just a hunch, but I'll bet most of your troll mods come from your sig.
Your confusion (Score:5, Insightful)
Macs have no EXPLOITS (yet).
This lack of exploits, and thus the need to spend time preventing/dealing with them, is the selling point for Macs.
You Windows people have been ever confused on the fine distinction, I guess because on Windows if there's a vulnerability there's an exploit already written and working. We Linux and Mac users know life can be better.
Re: (Score:2)
What constitutes an exploit
I don't know if any of those have been done on a Mac, but I'm curious where you would draw the line.
Re:Your confusion (Score:5, Interesting)
Any of the above (Score:5, Informative)
There have been no exploits in any of those categories in the wild. Heck, some of the proof of concept exploits don't even generally work (like the Quicktime exploit, that required I RUN AN EXPLOIT GENERATOR locally and run the generated QT file - still didn't work on any of my Macs!)
Re: (Score:2, Informative)
Re: (Score:2)
yeah, and the rapture was supposed to be during the lifetime of the original disciples. so it's guaranteed to happen any moment now!
So what (Score:5, Insightful)
Yeah, and when they do - then I'll be just as poorly off as Windows users are today! So until that day, why not be better off?
Only I won't be doing as poorly as Windows users, because it will take a long time for Mac or Linux exploits to catch up to Windows exploits numerically.
Sometimes. Not always. See last month's patches. None were 0-day.
That you know of...
Re: (Score:2)
The total count, however doesn't matter. When you download the next Windows Update, you automatically lock out the exploits it fixes.
A well configured Windows computer, always up to date, is secure enough to remain unharmed by malware. The problem is this: do you have an OS to look at it and enjoy all day long how it's more secure than another OS, or
Re:Your confusion (Score:5, Insightful)
I'm sure it'll happen eventually, but it's curious that there are no viruses on the loose that target OS X
Mac users don't account for a huge percentage of total users, but it's a large enough group -- and we're usually high-tech enough for it to be highly profitable for spammers/crackers/whatever to work for an exploit - we don't run anti-viruses, and I'm sure most non-developer mac users wouldn't even know how to find the process list, let alone figure out what's not supposed to be running.
DING DING DING (Score:2, Interesting)
Re: (Score:2, Insightful)
If I write a virus for OS X, then it may hit a small network of Macs, but then have nowhere to spread. A vulnerability in the JRE would make a good target, since it could potentially be used to write a virus that infected Macs
Re: (Score:2)
Fortunately, installing critical patches has gotten far eas
Re: (Score:2)
You need a certain critical mass of market share before people find it profitable to target a new platform. For Firefox the "break point" was around 12% market share. Apple is nowhere near approaching that level of market penetration worldwide, so I doubt there'll be any serious Mac virus outbreaks for some time unless their market share starts growing rapidly.
Still, there's no point in Mac users d
Yes... (Score:3, Interesting)
Linux and Macs are nice to develop for for the same reasons - the tools are great. In fact for most of my Mac programming I still use Emacs. But XCode does have a lot of things going for it, and I've been using it more and more...
I guess my main point is, if you like development for Linux I don't see why you wouldn't like Mac development since you c
Re: (Score:2)
if i had mod points, i'd mod you hilarious.
Re: (Score:3)
Great (Score:2)
My pet theory is that the whole of the Russian mafia runs Macs, and the reason we see no exploits is they don't want to foul their own nest so to speak.
Re: (Score:3)
Re: (Score:3, Informative)
Re:Not a big deal (Score:4, Insightful)
Backend - Again, you are wrong - BSD is as best as it can get when you are talking about backends. And if it wasn't for Steve Jobs Apple would not have had OS X at all - It is based on NEXTSTEP ( http://en.wikipedia.org/wiki/NEXTSTEP [wikipedia.org] ) and without it they would have either had to live with something not up to the mark or license WindowsNT. And most people buy macs for OS X and some for the hardware quality.
Re: (Score:3, Funny)
Could you please explain what that means?
Re:Not a big deal (Score:5, Funny)
Re: (Score:3, Funny)
Re:Not a big deal (Score:5, Informative)
Are you using Cocoa, Carbon, Java, BSD/POSIX APIs, X Server ?
Are you using X-Code, eclipse, something else ?
I routinely develop software for a variety of Unix systems, and I find Mac OS X just as comfortable as any other Unix. I can't think of many developer tools for Linux that are not also available for Mac OS X (Maybe the IBM/Rational Tools Suite?). Some of the Mac OS X tools like Interface Builder, Shark, CHUD, and OpenGL Profiler are best of breed.
Not too technical, huh? (Score:3, Insightful)
So your opinion of computer platforms is driven primarily by anonymous comments on Slashdot? As opposed to any merits of the systems themselves?
USB Breathalyzer (Score:5, Funny)
A. logging in as root
B. sending email
C. posting to slashdot
if my blood alcohol level is higher than 0.15%.
Re: (Score:2)
You still get prompted after installation to shutdown or reboot. She might have hit the blue button instinctively. When I applied the update it was like any other, only 30 meg or so.
Re: (Score:2)
Re: (Score:2)
That's only slightly less random than throwing a disk into the trash to eject it.
Re: (Score:2)
Re: (Score:2)
"Does she know if the update has the triangle with a circle on it it means a reboot will be needed?"
That's only slightly less random than throwing a disk into the trash to eject it.
Not really... they have the symbol beside the update, and at the bottom of the window it indicates that it means that update requires a reboot*. Also, if you've used a Mac recently you'd know that as soon as you begin dragging a mounted volume the trash icon is replaced with an eject symbol.
*Kinda like the way asterisks are used all the time.
Re: (Score:3, Insightful)
Re: (Score:2)
I'm somewhat amazed that you are complaining - but I guess you needed to complain about something.
Re:The reboot was not appreciated... (Score:5, Informative)
By default, this is how it works:
* ASU puts up dialog showing list of installable updates; they're checked by default. Ones with restart required are marked.
* User unchecks items they don't want, presses "Install" or hits Return.
* ASU downloads and installs software. At end, flashes its own icon in the Dock as notification.
* User returns to ASU; if an update requiring restart has been installed, a modal dialog is displayed saying "The new software requires that you restart your computer..." with options "Shut Down" and "Restart." Default is 'Restart,' if user presses Return. (However, the dialog is modal only within the ASU application, you can still switch away from ASU and use the computer normally, and after clicking on it once, ASU no longer bounces in the Dock.)
* If Restart is pressed, the computer will begin the reboot process. I *think* that the process will stop if you have an application open with an unsaved document, but I haven't tested this recently.
Unfortunately, I think users are sometimes conditioned to quickly click the default option in any dialog they're presented with, so that they sometimes don't realize until 1/4 sec after they hit it that they just rebooted their computer.
As an aside: it's possible to avoid the reboot either by just leaving ASU in the background indefinitely (pressing Cmd-H 'hides' it so that it doesn't clutter up the UI) or by Force Quitting it, although I doubt that's recommended.
Re:The reboot was not appreciated... (Score:4, Informative)
Nope, the ASU dialog is non-modal, just like all other dialogs in OS-X. Modal means the user can do no more work on the computer until they respond. Non-Modal means the user can hide the dialog or application or switch focus and continue working. Dialogs can be modal to their application, but this is strongly discouraged as a design philosophy as well.
Yes, I am a veteran of the Modal Wars. The war is mostly over and we non-modalists and computer users everywhere won. It was a major, well understood design decision from the original OS-X architects that nothing could ever be modal in OS-X. Users who switch away from using OS-X to a system that still permits modal dialogs often comment about how jarring it is to have a modal dialog they don't understand, and being forced to make an uninformed decision before being allowed to continue working or unable even to save their work. It is a subtle but very powerful distinction about who is in control of a session, the user or the OS. Modality is just a power trip for those who hate the idea that a person sitting in front of a machine might actually know what they are doing.
the AC
Re: (Score:2)
-b
Mod parent incorrect (Score:2)
Re: (Score:2)
My bride has a MacBook. She got the notification, it downloaded what seemed like a fairly large file after prompting for a password. Don't know if it asked and she missed it, or if it rebooted after installing the patch - but either way her machine did an unexpected restart. (Not that Microsoft is not guilty of the same thing, as one of my servers installed and rebooted last week at a very inconvenient time - dang thing was set to automatic) Anyhow, it sure made her nervous. She wanders down to my lab-of-doom and tells me her mac just shut down. I asked and she said she had just done an update. Perhaps she missed the dialog asking to restart... don't know. Had not seen a CERT email about it yet.
Automatic reboot is in fact generally done just because the system's updated part was in use.
This security update updates the giant Carbon framework, which is 99.99999% in use. In fact your bride should read the screen more carefully: right after asking for the admin password (hope she has one set up!) and getting the correct password, Apple clearly warns the user that a reboot will be needed. It is a very standard feature of Software Update and Installer.
Automatic update sadly (yes,for me) doesn't install updates or reboot automaticall
Re: (Score:2)
As others have pointed out, a restart is required after this update, but it won't restart automatically, it pops up a dialog box and you have to click a button. After you do so it restarts... but then, after the system has started booting but before the login, it automatically reboots again, with no warning or explanation. That's what it did for me. If that's what happened, tell her it's nothing to worry about; the update made something run after the reboot that r
Re:The reboot was not appreciated... (Score:5, Funny)
What really happened was she was presented with a dialog that clearly showed the machine would need to be rebooted if she proceeded and she then clicked the "Install Items" button. Then she was asked to authenticate as an admin user, then she was given a dialog asking for permission to reboot, which she could have ignored until a better time but didn't.
However, under no circumstances tell her this. She is your wife and this automatically makes the reboot YOUR fault. So just apologize to her and go buy flowers, you insensitive clod.
Namgge
Re: (Score:3, Funny)
I prefer it to the Windows 'feature' that automatically shuts down your PC whether you want it to or not, even if you tell it you're going to restart later.
Re: (Score:3, Informative)
Re: (Score:2)
If you want to stop the nagging about needing to reboot, you can go to the command prompt and type:
net stop wuauserv
This will stop the Automatic Updates service and it'll stop prompting you. Remember to reboot at some convenient point though, so the patched c
Re: (Score:2)
I'm sorry, but you need to really do some looking and poking to see just why Windows OS's are traditionally vulnerable. From the oddness needed to allow graphics manipulation for new hardware features for high end games, to the incredibly badly done security models of Internet Explorer, to the unmanageable software installations and cooperation of setting up root kits for DRM purposes, to the foolishness of auto-opening attachments i
Re: (Score:2, Funny)
Re: (Score:2)
*Please*, no more, "Oh my god! OS X isn't bulletproof! Teh shock!" 'news' items.
Whoa! You're completely missing the point.
The point is that Mac users are smug. They generally believe that they have a better platform than Windows users, and it is the community's responsibility to continually let them know that their platform is, in fact, not perfect.
And it's our smug responsibility to tell you that it would still be better than Windows even if it was just as vulnerable - which it isn't.