Apple Patches Massive Holes In OS X

Trailrunner7 writes with this snippet from ThreatPost: "Apple's first Mac OS X security update for 2010 is out, providing cover for at least 12 serious vulnerabilities. The update, rated critical, plugs security holes that could lead to code execution vulnerabilities if a Mac user is tricked into opening audio files or surfing to a rigged Web site." Hit the link for a list of the highlights among these fixes.

Twelve?

[Spyware23]

Apple's own security update page (http://support.apple.com/kb/HT4004) lists these six, where did Threatpost author get the number 12 from?:

Security Update 2010-001

*

CoreAudio

CVE-ID: CVE-2010-0036

Available for: Mac OS X v10.5.8, Mac OS X Server v10.5.8, Mac OS X v10.6.2, Mac OS X Server v10.6.2

Impact: Playing a maliciously crafted mp4 audio file may lead to an unexpected application termination or arbitrary code execution

Description: A buffer overflow exists in the handling of mp4 audio files. Playing a maliciously crafted mp4 audio file may lead to an unexpected application termination or arbitrary code execution. This issue is addressed through improved bounds checking. Credit to Tobias Klein of trapkit.de for reporting this issue.

*

CUPS

CVE-ID: CVE-2009-3553

Available for: Mac OS X v10.5.8, Mac OS X Server v10.5.8, Mac OS X v10.6.2, Mac OS X Server v10.6.2

Impact: A remote attacker may cause an unexpected application termination of cupsd

Description: A use-after-free issue exists in cupsd. By issuing a maliciously crafted get-printer-jobs request, an attacker may cause a remote denial of service. This is mitigated through the automatic restart of cupsd after its termination. This issue is addressed through improved connection use tracking.

*

Flash Player plug-in

CVE-ID: CVE-2009-3794, CVE-2009-3796, CVE-2009-3797, CVE-2009-3798, CVE-2009-3799, CVE-2009-3800, CVE-2009-3951

Available for: Mac OS X v10.5.8, Mac OS X Server v10.5.8, Mac OS X v10.6.2, Mac OS X Server v10.6.2

Impact: Multiple vulnerabilities in Adobe Flash Player plug-in

Description: Multiple issues exist in the Adobe Flash Player plug-in, the most serious of which may lead to arbitrary code execution when viewing a maliciously crafted web site. The issues are addressed by updating the Flash Player plug-in to version 10.0.42. Further information is available via the Adobe web site at http://www.adobe.com/support/security/bulletins/apsb09-19.html [adobe.com] Credit to an anonymous researcher and Damian Put working with TippingPoints Zero Day Initiative, Bing Liu of Fortinet's FortiGuard Global Security Research Team, Will Dormann of CERT, Manuel Caballero and Microsoft Vulnerability Research (MSVR).

*

ImageIO

CVE-ID: CVE-2009-2285

Available for: Mac OS X v10.5.8, Mac OS X Server v10.5.8

Impact: Viewing a maliciously crafted TIFF image may lead to an unexpected application termination or arbitrary code execution

Description: A buffer underflow exists in ImageIO's handling of TIFF images. Viewing a maliciously crafted TIFF image may lead to an unexpected application termination or arbitrary code execution. This issue is addressed through improved bounds checking. For Mac OS X v10.6 systems, this issue is addressed in Mac OS X v10.6.2.

*

Image RAW

CVE-ID

Re:Twelve?

[mjschultz]

Apple's own security update page (http://support.apple.com/kb/HT4004) lists these six, where did Threatpost author get the number 12 from?

The Flash update is actually 7 vulnerabilities.

Re:Twelve?

[Graff]

The Flash update is actually 7 vulnerabilities.

Moral of this story:
Avoid Flash and you can cut the amount of vulnerabilities approximately in half!

Re:

[noidentity]

Avoid Flash and you can cut the amount of vulnerabilities approximately in half!

Either "cut the amount of vulnerability in half" or "cut the number of vulnerabilities in half". Avoid count noun mismatch. [wikipedia.org]

Re:

[Graff]

Either "cut the amount of vulnerability in half" or "cut the number of vulnerabilities in half". Avoid count noun mismatch.

Good call, I thought it sounded awkward but I didn't have time to rephrase it. Thanks!

Re:

[PitaBred]

Just the really shitty parts. Only turn flash on when you need it, youtube and the like

Re:

[Graff]

Only turn flash on when you need it, youtube and the like

You can mostly avoid using Flash with Youtube. Many of the videos can now be viewed with H.264 so you don't need Flash there either.

Honestly I find very few sites that I need to enable Flash to view. Most of the sites that require Flash are annoying anyways and I'm glad to avoid them. A lot of sites want iPhone users to be able to view them and so they provide a non-Flash fallback that is a lot more usable than their main Flash page.

Re:

[Sleepy]

You wouldn't need Flash at all if Youtube would stream one of the many open standards.
HTML 5 addresses it, but Youtube is pretty cozy to Adobe.
It wasn't always that way... back in the day, you could get streaming video with HARDWARE acceleration.
CPU accel is not a big deal on most desktops, but with the new low-wattage Ion/Intel combos or ARM CPUs, it really does matter.

Re:

[_merlin]

Really? I've gone without Flash on my work PC for three months, and the only things it stops me from using that I actually care about are funny videos that people send around the office, and the web site of the company that made the hardcore orange juicing machine in the kitchen (we'd lost the manual). Most of the stuff that's actually useful doesn't need Flash.

Re:

[Graff]

Well guess what fanboi, you can get Flash on Windows too. If this isn't an OSX problem where is the Microsoft Security Update? And why is Apple patching this, not Adobe?

Face it, Apple is way less secure than Windows.

There were also vulnerabilities in the Windows version. They were patched by Adobe a couple of months ago. Adobe just released the Mac version of the updates. Again, blame Adobe for being late to patch Flash for Mac, not Apple.

Apple is not patching Flash, they are just pushing out the latest version from Adobe since Flash is part of the default install for Mac OS X.

You might want to actually do some research before you make baseless accusations but I guess that's why you hide behind the "Anonymous Coward" f

Re:

[zippthorne]

The SSL vulnerability is somewhat disturbing. Read the date on the linked article.

Re:

[ekhben]

May all of OS X's "massive holes" be so insignificant to me.

The most concerning is the TIFF vulnerability; fortunately that's a 10.5 issue, not a 10.6 issue. The second most concerning is the SSL vulnerability, but I've not trusted SSL alone for a while now. Still tossing up throwing out Firefox's trust anchor code and replacing it with an SSH style known-hosts setup... but the FF code is a total dog to work with. And I don't care. Mostly, I guess, I don't care. Thank you, my bank, for two-factor aut

Must be running bootcamp

[Anonymous Coward]

The Apple commercials have told me that viruses and security holes are only possible in Windows, so I gather they are patching boot camp installs now

Re:

[recoiledsnake]

It's interesting that many of these(like the image exploits) can be triggered by just browsing to a website(like the IE6/Google/China fiasco) or by mp4 audio/video files. Where are all the 'LOL M$ can't code' posters here?

Re:

[dunezone]

Oh Sorry...

LOL A$$LE can't code

Wait, that doesn't look right.

Re:Must be running bootcamp

[binary paladin]

LOL M$ can't code

Re:

[GoodNicksAreTaken]

They are busy patching their Macs.. LOL they got pwn3d d00d..

Re:

[Sleepy]

Well the difference you are struggling to NOT understand is, only under MS do these exploits get to install ROOTKITS.

Re:Must be running bootcamp

[Anonymous Coward]

No - the Apple commercials tell you that viruses are a problem for Windows. Viruses tend to find MacOS too arrogant an environment to survive in.

Re:Must be running bootcamp

[LihTox]

Viruses tend to find MacOS too arrogant an environment to survive in.

Making our arrogance is an adaptive self-defense mechanism. So shove off, Windoze loser. :)

Re:

[_Sprocket_]

Awww crap. You just killed my Bonzai Buddy. Thanks a lot.

Re:

[gig]

It's viruses that are only possible on Windows. All operating systems have security holes, but only Microsoft systems get viruses. The Apple commercials very clearly refer only to viruses. The PC sneezes and acts like he has a cold, he's caught something, and the Mac can't catch it from him, he's immune to the viruses. Security holes are not covered at all.

Re:

[PitaBred]

The Apple commercials have told me that viruses and security holes are only possible in Windows

[citation needed]

http://www.youtube.com/watch?v=XiBLIGy_mpk [youtube.com]

That citation enough for ya? It's not outright stated, but it sure as hell is very strongly implied

Re:

[smash]

Welcome to marketing spin. At least in apple's case, they have real world usage stats to back it up. Microsoft's "most secure windows ever" bullshit is generally spouted on OS release, with no historical evidence.

Note that end users don't particularly care if "in theory" an OS is less secure, so long as THEY don't end up getting owned, they don't really care about the theory of it all.

Re:

[carou]

That citation enough for ya? It's not outright stated,

That would be a "no", then.

Re:

[carou]

Apple said things which were true, worded in such that might cause people to draw an exaggerated conclusion. PitaBred merely lied. You fail at logic.

A refund?

[Monkeedude1212]

The only hole I want Apple to fix is the one they put in my wallet.

Re:A refund?

[jgtg32a]

buyers remorse?

Re:

[RocketRabbit]

Probably not. The only folks I hear complaining about the cost of a Mac are the folks who haven't ever bought one.

Don't bother looking if you have X.4 or earlier

[oDDmON oUT]

Sometimes newer isn't better.

Re:

[0racle]

It is when you want security updates from Apple.

image format bugs

[phantomfive]

Two bugs were found in their image libraries (arbitrary code execution bugs in TIFF and RAW-DMG). Makes me wonder if they even tested their image libraries at all when they were being written, because that kind of bug can usually be found in an image library by feeding it random data.

Re:

[TrancePhreak]

Other companies got hit by those a long time ago and have since patched up their image libraries. Apple must have ignored it then and is now paying the price.

Re:

[eulernet]

A few years ago, when Microsoft's Windows source code was leaked, a hacker found a problem in the handling of the standard BMP format (IIRC, it was an integer that was not considered signed, and it contained the size of the picture), which could allow arbitrary code execution.

What bothers me is that Apple's developers don't check if they have the same problems as their direct competitor.

Re:

[ruiner13]

Speculate much? How do you know it is the same issue, especially considering you can't even seem to remember what the Windows bug actually was?

Re:

[barzok]

Sure you're not thinking of the WMF exploit? http://en.wikipedia.org/wiki/Windows_Metafile_vulnerability [wikipedia.org]

Re:

[DJCouchyCouch]

Using random data doesn't work if some structured data needs to be read first.

So you need non-random random data. :)

Re:

[twidarkling]

But computers can't generate truly random data, it's always at least partially procedurally generated. Thus, any data from a computer you feed to it is non-random random data :p

Re:

[phantomfive]

Actually, if you are debugging an image parser library, I advocate commenting out all the obvious fails (like, this file doesn't have the right magic number, it's not a GIF) and then feeding the thing pure random data, seeing how it handles it. You never know what kind of bug might turn up. Of course you'll want the non-random random data as well, but the random random stuff is useful.

Re:

[drinkypoo]

These sophomoric no-input-sanitization errors are the most common kind. didn't apple make one before with the iPhone and SMS or something? We've seen cellphones that don't check to make sure bluetooth data is valid. Firewire is a big mess because the hardware permits access to things it shouldn't.

Re:

[phantomfive]

I don't know if you've ever written an image parser before, but sanitizing the data before you parse it can be really hard. If you think about it, the data itself can be almost random, considering a picture can be almost anything. To do a good job validating the data, you would almost have to re-implement the parser itself.

Not saying they shouldn't have caught these bugs, but it's a little harder than just validating the data as it comes in.

Re:image format bugs

[Archaemic]

Actually, I personally found and patched the TIFF bug. In January. Of last year. http://bugzilla.maptools.org/show_bug.cgi?id=1985 [maptools.org]
Feeding random data (aka fuzzing) might work, but 99% of the time, I'd imagine it'd just give you a corrupted image and bail out. You have to be clever about how you search for it. I found a known vulnerability patch posted by, of all people, an Apple employee, and tried to reverse engineer what he'd fixed. I found that the patch hadn't been applied on old version of the PSP system software, which is what I was targeting. After messing with this specific attack vector, I noticed that I could still crash system software version that did have the patch. After reading up on LZW compression (which is what part of LibTIFF had the vulnerability) and the TIFF specification of how they implemented LZW, I realized that the Apple patch was incomplete--it only tested for one value you could give it that was erroneous. By simply changing the equality they used (in two places) to an inequality, I tested for all erroneous values. Meanwhile, I tried to exploit the new unpatched vector on the PSP so that I could inject code. Failing this, I decided the best course of action was to submit a bug report to LibTIFF. It might seem a tad unethical to try and exploit the bug before reporting it, but I wasn't trying to exploit in for malicious purposes, and not on a desktop operating system. Regardless, I failed to make it do more than crash the PSP. Surely the best course of action here would be to patch it upstream before anyone else found it. (Incidentally, this "arbitrary execution" this is blown out of proportion. In its current state, it is extremely unlikely that it could provide ANY code execution. Just crashing. Although I don't know if it's IMPOSSIBLE for it to execute code with this vulnerability, it would take a lot of work to get anything valuable out of this. Mostly it's a DoS. They usually just attach "arbitrary execution" when there's even the vaguest possibility for code to be executed, regardless of whether or not such an exploit has been demonstrated.)

It, um, took a while for anyone to notice the patch. In fact, the only reason anyone did notice was because someone found some of the fruit of my research into this bug and then posted a link to the research in a new bug report. Funnily, they created a different patch, which, instead of preventing the infinite loop caused by the erroneous data, just tested to see if the loop was writing out of bounds. Perhaps both approaches should be used together. Defensive programming and all that. Regardless, I noticed this new bug report shortly afterward it was posted and pointed them back to the inexplicably ignored old bug report. Most Linux vendors applied the patch shortly after the new bug report was filed, but Apple lagged by a number of months, until 10.6.2 came out. This update backports the fix into 10.5.x. However, I've found that some projects (such as Qt) are still using ancient versions of LibTIFF that have had numerous bug and security fixes since they were last updated in the projects' trees. While Qt does try to use the system's version of Qt if it can, it's still kind of scary to think about what could happen if it falls back on its own version, as I've seen it do before when I try my "corrupted" TIFF on things like Arora.

Incidentally, I am TAing a computer security course this semester. I guess previous experience helps.

Re:

[phantomfive]

Wow, you went through all the effort of learning LZW compression solely because of an Apple patch? That is ambitious.

Different Day, Same Crap

[His Shadow]

Has anyone driven a truck thru these gaping holes? Anyone? Beuller? When OSX is suffering from a deluge of viruses from all these supposed gaping holes in it's Architecture, please come back and let us know. Because while every operating system has vulnerabilities, only Microsoft was kind enough to make those vulnerabilities accessible by system wide scripting mechanisms that allowed millions of computer users the world over be the subject of attacks from the hundreds of thousands of pieces of malware constantly fighting to infect Windows PCs. The count (for those who think a security vulnerability makes Apple's points about viruses invalid) is about one hundred thousand to 0. This is being very generous. So, yes, as a matter of fact, there are no viruses for Mac OS X. Not virtually none, not almost none. None.

Re:

[smash]

Whilst I'm a mac user/fanboi and agree with most of your post - I'm sure there must be some vulnerabilities being exploited for MacOS out there somewhere. It ships with Apache, and a heap of BSD userland tools ffs. I'd say there are no commonly encountered viruses on MacOS... not necessarily NONE.

Re:

[Monkeedude1212]

So, yes, as a matter of fact, there are no viruses for Mac OS X. Not virtually none, not almost none. None.

As a matter of Fact, there ARE viruses for Mac OS X.

OS X uses various parts of the FreeBSD Security Framework and Filesystem.

They have viruses for FreeBSD that base their attacks on those parts, and it has been proven that they work just as well on a Mac as they do on that flavour of Linux.

Just because Mac users are not affected by the hordes of windows viruses that they catch (and yes, Macs catch the same viruses as Windows, they merely can't operate because they were designed to run on Windows) - doesn't

Re:

[GoodNicksAreTaken]

You most have missed all the reports on the virus spread through torrents for Photoshop CS4 and iLife. [atomicsub.net]

Re:

[mario_grgic]

Except you kids need to read on what people mean when they say a "virus". Hint: it's not the same thing as malware that user has to install themselves, and you need to rely on social engineering techniques to get them to install your malware for you (in the above case the lure of free Photoshop installation), etc.

Re:

[mario_grgic]

Actually, no. Both virus and worm are self replicating and propagating without user interaction. The only technical difference is that a virus attaches itself to an existing process, whereas a worm is standalone.

http://en.wikipedia.org/wiki/Computer_virus [wikipedia.org]

http://en.wikipedia.org/wiki/Computer_worm [wikipedia.org]

Re:You forget one simple thing...

[jo_ham]

There aren't enough Windows with IIS installed to make the average script kiddie drool in anticipation in comparison to Linux/BSD with Apache. Oh wait.

If you don;t think the the chance to be the "first person to exploit the 'secure' OS X with a virus" isn;t driving some of these people then you are deluded. Or that genuine organised crime isn't going after the Mac platform (as a non-negligable marketshare) as well as Windows since it is amulti-million dollar industry compromising machines over the net. So far though, not much beyond proof of concept stuff and things that require user credential authentication.

It's no reason to be complacent (and the patching of vulnerabilities is not complacency), or the assertion that OS X is immune to threats, because it isn't. But it has proven to have a pretty good track record - not perfect, but pretty good. Continued work is still needed though.

Re:

[mystikkman]

Huh what? That was an incoherent fanboi rant. IIS has around 21% vs. Apache at 46% and still IIS6 has holded out to be pretty good, especially comparing to Apache.

So far though, not much beyond proof of concept stuff and things that require user credential authentication.

There were tons of vulnerabilities in Safari and Quicktime etc. not to mention the ones in TFA that would work without user credentials.
And this is one in the wild. http://it.slashdot.org/article.pl?sid=09/01/23/0127253 [slashdot.org]

But it has proven to have a pretty good track record - not perfect, but pretty good

Says who? According to TFA, an mp4 video or a picture could install spyware or delete all user files.Thats a pretty good track re

Re:You forget one simple thing...

[jo_ham]

Yes, my point about IIS vs Apache wasn't that there were more attacks against IIS, just that there are documented and exploited holes.

And yes, there have been many holes found in the various parts of OS X that have been fixed (and some yet to be fixed) but in terms of malware in the wild, there is practically none. There was a disk image that claimed to be Office for Mac on torrent sites that actually ended up deleting your files after you gave it your admin password, and a couple of other proof of concept attacks, but stuff actually out there roaming free in the wild is extremely rare - vanishingly so. I will not say "none" because it is clearly not true, and it allows the possibility of something to emerge, but for all the holes that have appeared in components of OS X, over the course of the life of the OS, no one has demonstrated stuff beyond possibilities.

The TFA does indeed say "could install spyware and delete files" - ie, if the hole is exploited. No one is denying that (and when the hole is closed, they can't) but so far, no one has been able to - the vector for attack has not been there. There was nothing in the wild that exploited some of these holes, and they have been nipped up before anything could be produced.

There are obviously other holes that have yet to be closed - including, as some security people have claimed, ones that have been open and exposed for a very long time (consider the guy who knew of two vulnerabilities and kept one to himself so he could exploit it the next year at the 'break OS X contest'). If that hole was known and vulnerable for a year, where are the in-the0wild exploits actually installing malicious software and keyloggers and so on? The hole was there for a malicious mp4 file, but the malware that exploited it was not.

I'm not not nieve enough to assume or assert that OS X gets a free pass on security, but the prior performance has been good compared to Windows, even with the difference in install base. It's in a similar position to Linux with regard to security holes (and shares holes with some BSD components that the OSS community is also exposed to).

Re:You forget one simple thing...

[mario_grgic]

What you are linking to is NOT a virus, but a malware that user has to download, authenticate themselves as someone allowed to install software and install it.

If you have a user willing to do that, then all bets are off.

The original assertion still stands though. No viruses (i.e. self propagating code that spreads from machine to machine without user intervention). There aren't any for OS X and I'm not aware of any for Linux/BSD etc either.

Re:

[stewbacca]

I dunno. Apple seems to be selling millions of new Macs each quarter for about 10 years now. When will there be "enough macs out there" for your hypothesis?

"MASSIVE"?

[jjoelc]

I just wonder why the summary title says "MASSIVE holes..." when the original article "serious".. a bit of bias, perhaps??

More realistically, this is just another security update. Find me an OS that doesn't have them, and for similarly "obvious" or "easily found/fixed" (hindsight and armchair hacking being perfect of course) and I'll either switch right away, or dust off the old TRS-80 from my closet to run it on.

The way I see it, if you have a brain and use it while browsing, you are generally fine. But people are stupid. And if you are going to market your product to stupid people, you need to make sure you do everything you can to minimize the damage stupid people can do to others. (Stupid people generally deserve their own damages...)

Now to start the debate over which company is more in the business of marketing to stupid people...

Re:

[smash]

You must be new here.

Re:I just patched a massive hole

[Anonymous Coward]

I'm afraid your patch provides insufficient coverage.

Re:

[Anonymous Coward]

At least we're getting some...

Re:Cover your eyes

[amicusNYCL]

You just couldn't wait to post that, could you? FYI: every piece of software needs updates, and there is still always one piece of software that will be more secure than the others. I don't know if OSX is more secure than Windows 7, but both of them will continue to receive updates, that fact doesn't make either of them less secure.

Re:Cover your eyes

[e2d2]

Windows 7 can still be targeted by a IE bug that's been in place since IE6. Safari doesn't have zero day bugs *that* old

How would you know? Zero-day means a non-public exploit.

Re:

[AHuxley]

Anything posted on some forum, whispers in an irc chat?
Anything new floating around for a Mac running 10.6 that will do an IE and pop the browser/OS from a remote site?
Most still need the user to enter his/her password as a application/codec.
Mac are still safe to surf with for now.
Macs have a list of malware and loggers, the pre OS 10 had lots too.
But nothing in the wild to infect just yet with a site visit.
If anything existed outside law enforcement, spooks and one off professional solutions, every M

Re:

[TrancePhreak]

The pwn2own contest would say otherwise. Mac is usually the first to go down.

Re:

[AHuxley]

One off professional solutions for a cash prize by a ex NSA worker.
Where are the in the wild hacks?
Where are the step by step scripts and FAQ's for setting up a Mac trap?
We have one very very very smart person showing up with a prize to win at this time.

Re:Cover your eyes

[Lars T.]

The pwn2own contest would say otherwise. Mac is usually the first to go down.

Because for pwn2own you need a zero-day exploit - how high are the chances to find a 0day for Windows and nobody else having it out in the wild until that one day in the year of pwn2own? OTOH, Charlie Miller was sitting on his last winner for over a year, and nobody else found that exploit during that year.

Re:

[prockcore]

You hack whichever's easiest, considering pwn2own had $10k cash prizes.

Re:

[DJRumpy]

This is actually a valid complaint, although this link is actually referring to hacking done under Leopard, not Snow Leopard. Snow Leopard is still missing a full implementation of ASLR, and that leaves it vulnerable to some exploits.

Vista was the first Windows OS to implement ASLR, and it was assumed that Snow Leopard would do the same, but that didn't happen, or at least not fully. They have prevented 'data' from being executed as arbitrary code (DEP), but they still don't randomize all of the OS componen

Re:Cover your eyes

[DJRumpy]

You mean the one with cheaper/slower celeron with less L2 cache, slower DDR2 800 Mhz memory, a cheaper/slower integrated graphics solution, no firewire, a cheaper battery, mono audio speaker, VGA Out Only, no bluetooth standard, no Cam standard, and no optical digital audio output?

Comparable specs?

Re:Cover your eyes

[chentiangemalc]

With default Windows 7 settings, the current exploit doesn't work. IE8 in XP without DEP protection. It CAN theoritically be expolited with DEP but haven't seen any current exploits that work around DEP protection. Also running with non-admin privileges (recommended, and default in vista & windows 7) reduces the attack surface (i.e. backdoors can't be installed without taking advantage of some other vunerability) so the IE vunerability is a bit overblown, following good security practices (which are default in vista & windows 7) already prevent the known attacks.

Re:

[TheRaven64]

Because Safari hasn't been around that long. Even if it contained but that were exploitable since Safari 1.0, it still wouldn't have any vulnerabilities that went unpatched for as long as the one in IE.

Re:

[recoiledsnake]

Link?

Re:

[Erikderzweite]

http://www.vupen.com/english/advisories/2010/0135 [vupen.com]

Re:

[mystikkman]

That doesn't say anything about sandboxing or DEP, like you claimed it would "confirm", got any more references to back up your claim?

Re:

[e2d2]

LOL, ok now i get it. OP's point was valid. IE6 really does have bugs in the wild that are older than firefox itself. Mozilla is pretty old so that would be possible, but not FF technically.

Re:

[Dumnezeu]

No, it can't. Well technically, it can be exploited, but IE runs sandboxed in Win 7 so the exploiter can't really do much.

Re:

[h4rr4r]

Could it use/harvest saved passwords? Open new browser tabs? Launch perhaps an app that would run the escalation exploit from this morning?

Re:Cover your eyes

[TheRaven64]

Well, except get access to the authentication credentials for my Internet banking site and transfer all of my money to a numbered Swiss account as soon as I log in. Good thing it can't get at my Freecell high scores though...

Re:

[amicusNYCL]

Windows 7 can still be targeted by a IE bug that's been in place since IE6. Safari doesn't have zero day bugs *that* old

Regardless of whether or not your statement about IE in Windows 7 is accurate, that doesn't have anything to do with an update for OSX somehow implying that OSX is less secure than it was yesterday.

Re:

[daveime]

that doesn't have anything to do with an update for OSX somehow implying that OSX is less secure than it was yesterday

What kind of fanboi drivel is this ?

They've just patched 12 serious vulnerabilities, how could it NOT be less secure yesterday before the patch than it is now after the patch ?

Re:

[amicusNYCL]

That's exactly my point - read the first post in the thread and my reply. Someone responded to that with a non-sequitor about IE and you saw my reply. The original poster seemed to imply that Apple releasing an update somehow decreased the perceived security of OSX.

"Fanboi", huh? Exactly which company do you think I'm a huge fan of?

Re:

[daveime]

You *have* to be a fanboi to post here ... you must take a side, there is no fence-sitting allowed on Slashdot.

You can take the "M$ sucks" route for infinite karma heaven, or the "A$$le sucks" route for instant karma hell. The "Linux (no dollar sign of course, this is FOSS) sucks" route simply leads to much debate and handwringing, with unknown karma effects ... look on that path as something like Buddhism.

Where we go from here, that's a choice I leave up to you. (oblig. Matrix reference)

Can we get this sti

Re:

[amicusNYCL]

Hmm.. I used to hate Microsoft, back when I had to develop for IE6, but with steps in the right direction for IE8 and Windows 7 I'm feeling less hatred and more optimism. I used to have not much of an opinion on Apple, but now I think Apple is my most hated company (somehow they overtook Sony). Google is sort of like a fun uncle who always comes over bringing gifts, but you're not sure if he just does that because he wants to molest you. I gave up on Linux after a terrible experience trying to install De

Re:

[Tim C]

Not in the default configuration it can't.

Re:Cover your eyes

[jo_ham]

But it is.

And patching vulnerabilities that are found just makes it more so.

Sorry, what was your point again?

Re:

[shutdown -p now]

His point is that you can't take a Windows vulnerability, and write a /. comment around it that basically amounts to "and that's why Windows security sucks", but when a similar vulnerability is found in OS X, write another /. comment around it that amounts to "well, shit happens, but anyway, now it's even more secure than ever" - it's hypocritical. Either both vulnerabilities indicate systemic problems, or neither one does.

Re:

[jo_ham]

Well, it really depends *who* says it - the marketing departments at MS and Apple both tout "OS X/Windows is more secure than ever" - from a marketing standpoint they obviously aren't going to say anything else. From a certain perspective both are true - both Windows and OS X are more secure than ever, since they have been patched up - whether there are still a thousand other holes doesn't really change that, it just infers that there are no other problems which is where it gets muddy.

The GP's original poin

Re:

[shutdown -p now]

The GP's original point, I believe, was to totally discount that OS X is secure/more secure than Windows because of these patched vulnerabilities.

Yes, and GGP's original point was that the original assertion that OS X is more secure than Windows is based on precisely such Slashdot stories as this one.

Re:Cover your eyes

[tacarat]

Saying that OSX is less secure due to these vulnerabilities is how MS said that Linux was less secure than windows. These aren't OS vulnerabilities, they're application vulnerabilities (well, for the programs I recognize as a non-Mac person). The OS itself is fine. The trick is, of course, that some of these things are included practically by default. So as we wouldn't count a problem with notepad as a Windows OS issue, so we shouldn't count ones for other OS's non-essential programs.

That's not to say that Mac users have free license to ignore proper security practices. Trojans, poor/shared passwords and not updating their software can leave them as vulnerable, if less targeted, than PC users. Given that one of the problems is with flash (and the fix is as simple as an update), I wonder if there's a good enough of a target out there for hacking Mac WOW players through flash ads hijacks.

Before you flame, I will say that if you're on /. and a Mac lover, I sincerely doubt you're one of the problem kids for updates on most any system you control.

Re:Cover your eyes

[EvanED]

So as we wouldn't count a problem with notepad as a Windows OS issue, so we shouldn't count ones for other OS's non-essential programs.

Not saying you're in this group, but a lot of people around here have no problem counting IE vulnerabilities against Windows.

Re:

[TiberiusMonkey]

To be fair MS themselves used to make a big deal out of claiming that IE was Windows and they couldn't be separated. That not being true didn't stop them.

Re:Cover your eyes

[shutdown -p now]

So as we wouldn't count a problem with notepad as a Windows OS issue, so we shouldn't count ones for other OS's non-essential programs.

So far as I have seen, problems with user-space components such as Notepad are indeed counted as Windows issues. Which makes perfect sense, since Notepad is present out of the box, and the box says "Windows" on it.

Similarly, OpenBSD has a fork of Apache 1.3 in their base system. If a vulnerability is found in that, then surely it's an OpenBSD vulnerability (hence the difference between base system and ports).

If Apple ships Flash plugin that way, then they have to deal with any security issues that may cause.

Re:

[amicusNYCL]

Meanwhile, I go home at night and surf with impunity on my Mac running OS X, just like I've done for the last 8 years.

You think you're the only one? My machine at home runs an unpatched version of XP SP3 (legally licensed, I just don't really bother to update it). I don't run a virus scanner, nor a software firewall, nor a memory-resident malware scanner. My current machine has never been infected (~2 years or so, since Crysis). My machine before that (same config) got infected once, when my roommate was porn browsing in IE.

The point? You don't need to run something other than Windows if you want to avoid infection, y

Re:

[amicusNYCL]

how do you know if your PC is infected

That's a good point, most of the time I don't have a reason to believe that but if I suspect something funny is going on I'll fire up Malwarebytes or something like that to check on it. I've got one or two anti-malware programs installed, I just run them on an as-needed basis instead of constantly scanning.

Re:

[amicusNYCL]

The point? You're not "us[ing] your computer intelligently" if you don't use any run some sort of security software just as a precaution.

That's a good point.

I'm not saying I only browse sites I trust (porn certainly needs to be watched occasionally), but when I'm browsing I'm using either Opera or Chrome, neither of which seem to get targeted. Not using IE (for anything) is actually the #1 security tip I can give to any Windows user. The only time I'll ever run IE is when I'm developing a site in Opera and I want to test it. I've got a toolbar button to open the current page in IE so it doesn't even need to go to its home page or anywhere

Re:

[DJRumpy]

Massive Holes? I wouldn't consider any of these critical vulnerabilities, except for the ever so popular Flash sponge.

* CoreAudio (CVE-2010-0036) -- A buffer overflow exists in the handling of mp4 audio files. Playing a maliciously crafted mp4 audio file may lead to an unexpected application termination or arbitrary code execution.
Seems this could crash your audio player.

* CUPS (CVE-2009-3553) -- A use-after-free issue exists in cupsd. By issuing a maliciously craf

Re:

[Thinboy00]

I just RTFA'd; when I was reading I said to myself "there are holes in SSL and TLS? WTF when did this happen?! Why didn't I hear about it anywhere?"

Re:Cover your eyes

[DJRumpy]

Not at all. Your only looking at the end result as evaluating risk from that, and not the vector of infection.

The flash update wasn't 'dismissed' and I noted it was a serious issue, but the fault lies with Flash. It is an abomination.

The MP4 vulnerability would require someone actually get their hands on a specifically crafted MP4. The typical user either creates their own MP4's from their own audio CD's, or downloads them from iTunes on a Mac. If they are getting them from seedy sources, then they pretty much get what they deserve

The last one I wouldn't consider a huge risk simply for the fact that I had never heard of the format. It would require someone that works with raw image data who happens to get an Adobe DNG image that has this vulnerability. This isn't like some drive by hijacking. I don't see this as a likely path to infection.

Re:Cover your eyes

[Piquan]

That's how most MP4s come into existence. But an MP4 (or a TIFF for that matter) can be put up onto a webpage by an attacker, and rendered by the browser without the user needing to explicitly download and run it. If visiting a maliciously-crafted website can lead to arbitrary code execution, I'd say there's a serious problem. (I haven't investigated the particular flaws closely enough to tell if that is the case. However, based on the advisory, it seems quite likely.)

Re:

[IntlHarvester]

You are overlooking that Safari considers certain filetypes "safe" (including MP4, not sure about TIFF or DNG) and opens them by default. Its quite possible these vulnerabilities could be rigged to "drive by" a casual web surfer with no user interaction.

Furthermore Finder has a preview function which is activated by simply single-clicking on a file, which could be another vector to attack an 'innocent' user.

Re:Security Well

[amicusNYCL]

You already posted that in the first comment anonymously, and it wasn't funny then either.

Re:

[amicusNYCL]

Being that there are many reasons to post things, and to post anonymously, "funny" isn't always the primary intent. What was my primary intent?

If it's necessary to have a discussion about your intent, how successful do you think you were in conveying it?

But it's possible I might say something funny.

Tell me a joke!