Apple Computer released 20 patches for its OS X operating system designed to fix flaws that could catch users off-guard. The vulnerabilities apply to Mac OS X v10.3.9 and Mac OS X Server 10.3.9, according to Apple’s advisory. The advisory also falls just days after Apple’s much ballyhooed release of the latest version of its operating system, Mac OS X 10.4, widely known as Tiger.
It is nice to know that they are on top of things…someone is minding the ship. Seems like a good record this year of patches and updates to Panther. Tiger rocks!
Seems like Apple acts as fast as they can and have had a great track record patching before someone exploits the flaws…
on the udder side, it seems that the flaws which get exploited might-or-might-not get patched sometime in the future (no one knows when, but maybe)
IMHO
Jb
Yeah, but if you read the article, it’s obvious that they’re trying very hard to make OS X appear as piecemeal as Windows. Misery loves company, I suppose. They can’t stand the fact that Apple and the Mac OS are receiving such good press.
Besides, this isn’t even news. Apple releases a security update just about every month. They stay on top of things, unlike some other companies that we know. It’s just another way to put a bad spin on Mac OS X.
The_Raven wrote:
Yeah, but if you read the article, it’s obvious that they’re trying very hard to make OS X appear as piecemeal as Windows. Misery loves company, I suppose. They can’t stand the fact that Apple and the Mac OS are receiving such good press.
You do realize Microsoft owns a large stake in CNET, right?
Cnet always adds some sort of “but this or but that” to any Apple story. No matter how positive it really is. I never go on their site to read anything other than the occasional product review and even those I suspect are influenced by some other revenue stream. They really do like to lick MS’s boots.
“Seems like Apple acts as fast as they can and have had a great track record patching before someone exploits the flaws… ”
Yup, they just closed security holes some of them open since September 2004 including remote access published in December 2004. That is really the most secure OS. It looks awfully similar to MS claims
Most of these are really patches to software that are based on other open source projects, like Apache, OpenSSH, etc. Apple’s Mac OS X for the most part is only as secure as the software that is built-in. Note that the only Apple software that have had security problems are iTunes and Safari, which are usually not remotely exploitable without user interaction.
“Cnet always adds some sort of “but this or but that” to any Apple story”
They add that to *every* story man…I can’t stand that site.
“If users visit a Web site and accept AppleScript from that site, they could find it executing different code than they had expected, Kristensen added.”
If I visit a website and accept an executable or script file on any platform, I bet I could find that it executes different code than I expect. Please. That’s an OS vulnerability? What’s Apple to do, stop people from downloading files? Maybe I’m reading the statement wrong only because I didn’t know there was an option to accept Applescript in Safari.
It’s still better than the alternative:
“In the news today, another concern is with an XP, Internet Explorer flaw. If a user simply visits a website, they could find IE executing code other than what they expected.”
With Apple’s security reputation nowadays, I’ll take my chances with Tiger. With some of the other security concerns in the article, Apache, sudo, and some others are freely available open-source apps just bundled with the OS. I don’t necessarily count them as security exploits against the OS but Apple should be responsible for including vulnerable apps in their product. Bundling it together with their product at the point of sale can still open up a weakness in the rest of the system. If they left it as a downloadable option instead of an automatic install, they could probably avoid the press.
The kind of stuff CNet publishes shouldn’t be called journalism. I think it has something to do with their news and editorial people versus their lab people. The actual reviews are usually pretty unbiased, but it seems like the front page is constantly bashing Apple.
Say what you will, but at least Windows users are honest and are concerned about the transparency of information. Make one small off-beat comment about MacOS, and everyone beats up the messenger.
Meanwhile, Windows has scheduled monthly patches just like OS X. Further, to date, in the 4 years that I’ve run Win 2000, I have never been hit with a virus, or paid for an OS upgrade. I have an antivirus app installed, but it gets switched off when I don’t run a scan.
Yes, CNET are dogs.
I mean, can you imagine them trying to cast this GREAT NEWS in a negative light?! It just shows how biased they are.
I hope we can look forward to more good news – say 20 or 30 Apple security flaws every month – without the CNET guys bringing me down.
Dirk
It’s good they are still looking to fix and upgrade 10.3 even though Tiger is out.
If Apple release 20 patches during their monthly cycle everybody here thinks it’s great news and Apple are on the ball.
If Microsoft release 20 patches during their monthly cycle it’s because Windows is insecure and has loads of bugs.
“If Apple release 20 patches…
If Microsoft release 20 patches…”
Hahahah… very true.
Just proves what a baseless argument it is to “prove” how secure or insecure an OS is. Actually I think Microsoft pulled this same argument out trying to dissuade the press that linux was more secure than windows.
I think it’s the nature of the response. MS puts out patches in response to current or ongoing vulnerabilities that are being exploited.
Apple will patch things that have been proven in concept to be vulnerabilities but have NOT been exploited.
So you have MS playing little dutch boy and Apple being a little bit more proactive about patching the wall even when nothing is leaking through. At least that’s how I see it.
isn’t the issue. I agree that all OSes have vulnerabilities, discovered or not, and pretty much all major companies now attempt to patch them pretty quickly. Aside from my dig at Microsoft in my earlier comment, my main issue with the article was twofold. First regarding their definition of the AppleScript vulnerability. To insinuate that it is a vulnerability in the OS if a user downloads and runs a script they’re unfamiliar with is a bit silly. That’s not an OS vulnerability, it’s the user brain that needs a patch. Second, many in this thread sense that CNet has a particular bias against Apple and much more leniency with Microsoft by the tone and wording in its article. If you check CNet’s site, they freely state that they have a strategic partnership with Windows Marketplace, MSN, and some others. That being said, it is 100% understandable that readers will suspect CNet’s impartiality in reporting on both Microsoft and its competitors. One must consider the source, a company doesn’t often bite one of the hands that feeds it.
If Apple release 20 patches during their monthly cycle everybody here thinks it’s great news and Apple are on the ball.
If Microsoft release 20 patches during their monthly cycle it’s because Windows is insecure and has loads of bugs.
————————————————-
Shhhh… Don’t expose the truth to the anti-Microsoft zealots.
If Apple release 20 patches during their monthly cycle everybody here thinks it’s great news and Apple are on the ball.
If Microsoft release 20 patches during their monthly cycle it’s because Windows is insecure and has loads of bugs.
To answer that just compare the two companies’ past security problems. Apple’s exploits usually amount to potential security risks, but they’re usually trivial and rarely – if ever – exploited. Compared to the actual damage caused by Windows exploits. Even if it’s due to the amount of Win PC’s over Macs, it’s still a reason.
“I think it’s the nature of the response. MS puts out patches in response to current or ongoing vulnerabilities that are being exploited.”
That’s not so true either. It’s the nature of a vulnerability that some moron will find a problem and release an exploit before the vendor patches it. That has happened but it’s not the norm. And like it or not if more users use one OS it’s likely that that is the OS the vulnerabilities will be found on first. That works both ways though. There are probably more security companies checking Windows too so that’s a good thing.
A lot of the more public and major viruses over the last couple of years were avoidable if the users had patched their systems with standard MS patches BEFORE the virus came out (sometimes months before). The trouble is that patching is a pain. In business testing the patch and scheduling the downtime on your prod systems is no easy thing. At home Mom & Pop don’t have a clue about patching. The good news is that all vendors seem to be making progress with patching each year.
Before somebody jumps down my throat my first line should have read.
That’s not so true either. It’s the nature of a vulnerability
that it’s possible
that some moron will find a problem and release an exploit before the vendor patches it.
“The trouble is that patching is a pain. In business testing the patch and scheduling the downtime on your prod systems is no easy thing. At home Mom & Pop don’t have a clue about patching. The good news is that all vendors seem to be making progress with patching each year.”
Perhaps that needs to change. Not just on Windows, software updates on MacOSX are easy to apply but I still run into a lot of systems that are several updates behind and missing security updates as well.
On a side note I don’t have virus, security, malware or spyware issues with my PC but I apply all the updates when they come out. I have a firewall on the router and also run software firewalls on my Mac and PC. I don’t use IE on the PC or check mail from it. I use the PC strictly for apps. A lot of corporations could reduce the issues that they have if they could just nail down email, web and updates on their PCs IMHO.
A large number of viruses for Windows come out in response to reverse-engineered patches. The l33t haxors disassemble the patch and write up an exploit. The exploit gets out faster than the patch. I think this was the case for Blaster and Sasser.
very true. windows update is not that very hard, really. turn on auto update if you’re that lazy.
i think apple insist on their user to get Tiger instead of waiting for another update to Panther.
“very true. windows update is not that very hard, really. turn on auto update if you’re that lazy.”
Perhaps it’s something specific with the permissions and images on our machines where I work, but we discovered that patches installed via windows update had a 50% chance of actually getting installed.
And how did we discover this? Sasser.
And how do I know it’s 50%? I got the call from my IT department and I walked down the hall and made sure that every one of my colleagues clicked on the windows update icon. Eight out of 16 of us (self included) got infected.
Later, as I talked with the IT person who came over to clean up the mess, he also told me that of those in other departments who had used windows update, 50% of them got infected.
Interestingly enough, people who went to the microsoft website and installed by hand had a 100% install success rate.
So, while there are doubtless millions of people who have no problem with windows update, I don’t trust it.
This patch is purely for users on 10.3.9, not 10.4 (Tiger). Apple aren’t “insisting on their user to get Tiger” in this case – they’re patching Panther.
Please be a bit more careful with your facts.
“Much ballyhooed release”. What ballyhoo? They didn’t exactly buy every issue of a newspaper and give it away for free with advertising as Gates did with Windows 95.
People are surprised about CNet’s bias? please; Apple is flying high in terms of revenue and profit growth, and what do they do? quote some no-name analysts to give their “view” on the situation. These same “analysts” who claimed that Itanium shipments would be in the tens of billions, but have since hidden away realising that SUN ships more SPARC servers per week than Itanium machines in a whole quarter – realising that their “death of the RISC UNIX” has been exaggerated to the extreme – The POWER is still viable, SPARC is still powering along, and as much as HP would love to kill it, people are happy with the PA-RISC.
As for the reliability and security of MacOS X; name an exploit like slammer, that has been targeted at MacOS X. Not the number of exploits, but just one that has been created. I’ve yet to see one that has wreaked the havoc that Slammer did, and yet, we still have people proclaim that Windows is god’s gift to man? Sorry, but we hold Microsoft to a higher standard simply because they’re a bigger company, considerably bigger than Apple. They have *BILLIONS* at their disposal, they have *THOUSANDS* upon *THOUSANDS* of coders working for them. We’re not talking about a small $12billion a year company like Apple; we’re talking about a massive gorilla on the IT landscape – there are no excuses for crappy products once you get to that size – you have the resources and technology to improve the products, if the technology and resources are not used, then it is simply a message to the customers that the company couldn’t give a flying continental about their product quality.
Being a Mac user you’ve obviously never been a part of a large scale product. This isn’t a weekend project OS. If you have thousands of developers and millions of customers, the product doesn’t get easier – It gets exponentially harder! A second grader should be able to tell you that. Look, there are no slammer-like worms deployed on Windows CE either. Why? It’s not because CE is that much more secure – it’s because no one bothers to write programs to target it. Symbian recently got hit with some spyware/worms … why? because it’s got a larger marketshare.
You used the word ballyhooed…
Eugenia, I love you!
/Never thought I’d make a sappy post on a tech board.
Good to read that Apple seriously works on their software products line.
Although nobody should start with illusions: the majority of these patches are security & vulnerability based. A Discipline in which M$ is ‘well known’.
Therefore we simply can say, that of course OS X has at least the similar security risks that any other BSD based system inherits.
A steady pain in the ass is the attempt to catch some percentages in the right of the first digit from Apple at consumer level Hardware.
The Hardware is always aged considered to x86(_64) Development and therefore sucks, the HW Q&A is pending, and the support outside US is simply an ‘adventure’.
Time for Apple to recognize that. Nobody has to perform well in every discipline – that’s stupid. And it’s even more stupid to believe in that as a Customer.
Please, Apple, please, do good Software, do Services in Solutions for industrial Design, do develop funware for Lifestyle.
But please don’t fool the people with your environmental questionable plastic monsters, which outperform no 500$ x86 PC.
But PLEASE stop nagging the buyers with the sh.t you call ‘consumer computing hardware’!
“Being a Mac user you’ve obviously never been a part of a large scale product.”
Logical fallacy right there. You’re assuming that those of us with Macs do nothing else. They’re used in large scale clusters, across biotech, in NASA and in many other fields. Perhaps you just need to take off your blindfold.
“This isn’t a weekend project OS.”
Neither is OS X, and only a fool would suggest it is. And in fact, neither is Linux. What’s your criteria on a weekend project OS? And can you show us one you’ve written?
“If you have thousands of developers and millions of customers, the product doesn’t get easier – It gets exponentially harder!”
Hmm… That doesn’t necessarily follow. In fact, under that argument Linux would be the ultimate OS – it’s had more developers than Windows or OS X – and yet, it’s generally a very secure OS and changes are well managed into the kernel and surrounding layers. And being completely open sourced, any vulnerabilities are right there for the world to see. Funny how it has very few real attacks.
… come to think of it, OS X has its Darwin component open sourced, so anyone with a bit of knowledge could look for vulnerabilities… and yet there are so few for it.
Perhaps the reasons that OS X and Linux suffer so few attacks is because they’re not trivial to hack or turn into zombie DDOS boxes. But I’m happy to consider other theories.
But Windows, where Microsoft have complete control over the code (and don’t let people view it easily) seems to have thousands upon thousands of viruses, many malware attacks and lots of security holes.
In fact, some bozo at Microsoft recently came out saying that the TCP/IP protocol could not be made secure. And yet UNIX has a secure implementation (as do derivatives like Linux and OS X).
It’s not that Windows is any more complex than UNIX, but that the mindset of Microsoft developers seems to be about features first and security second. That’s led to years upon years of buffer overflow exploits, the push for trusted computing (which has yet to achieve anything and has become a joke), security holes and all sorts of OS naughtiness.
I think they’re changing. I hope that part of the Longhorn delay is because OS security is first priority. I want to believe that they’re actually going to live up to some of their security hype.
Time will tell, and Apple needs some real competition in the OS world 😉
Don’t you have an ‘operating system’ to innovate? It’s already a soap opera without you wasting time.
“Being a Mac user you’ve obviously never been a part of a large scale product.”
Mike, I think it would surprise you how many Windows Admins are also Mac users at places like SAIC, NASA and the government.
“Symbian recently got hit with some spyware/worms … why? because it’s got a larger marketshare. ”
I think the point is that Windows vulnerabilities are EASIER to exploit and duplicate. Lots of unpatched or carelessly patched machines out there. Windows is the lowest common denominator OS. You’ll find it in government sites to redneck trailer parks. In both instances and everything in between you will find machines carelessly managed. The marketshare thing is BS. You know which machine will get owned in an hour when it gets put out on a DMZ.
A lot of people have a gripe with Apple. Just take a look around the web at forums and websites. Lots of haters, many with technical capabilities.
Are you going to tell me that there is no hacker out there that would love to take down the largest music site on the internet?
The Darwin codebase is available for ALL to see on X86 and PPC.
BSD/Darwin or Windows, which do you put your money on for security?
“Don’t you have an ‘operating system’ to innovate? It’s already a soap opera without you wasting time.”
I don’t think it would make a difference either way!
Anyway back to the topic. Microsoft waits a month to patch software and that is understandable in contrast with Apple which patches ASAP. Apple’s ASAP approach would be hell for Windows Admins if MS were to do that.
I love Apple so much. I feel they are the absolute best of the best. In fact, without Apple, the world would be a dreary place. The sunshine they blow out with every release bathes me in goodness and lets me rest assured I have bought one of the best computers on the planet. Thank you Apple for caring about my security. Thank you for Tiger. And may god bless you and your flawless product line.
vuk wrote:
“very true. windows update is not that very hard, really. turn on auto update if you’re that lazy.
i think apple insist on their user to get Tiger instead of waiting for another update to Panther.”
Not true. I run ‘Panther’ and had no problem updating it, I wasn’t forced to buy ‘Tiger’. OS X also has an auto update feature, BTW.
Does anyone else have any happy stories about Apple patches to share with the rest of us? I’m sure many of you share the same mirth and joy that I do when installing patches on my Apple. Let’s keep this on-topic and positive stories only please. No need for any negative-Nancy’s in a wonderful and lighthearted Apple discussion. I’ll start things off, here’s a link to Woz’s personal webpage: http://www.woz.org/ . He is no longer with the Apple patch team but rumour has it that he might one day rejoin Apple. I think security updates would happen much quicker and look better all around with the Woz back on board! What do you guys think?
The way some people run around, you’d think MacOSX is the perfect, flawless system. I guess they are shocked now to learn that the Mac isn’t so bug free, and also needs patches to fix things.
So much for the “superior” OS…
if you thought that, then you are an idiot.
an OS made by men.. how can it be perfect? also, do not assume because it is not perfect that it is no better than MS’s pile of doo.
Yes, you’re absolutely right. Apple are the be-all and end-all of everything, and anyone mistakenly competing with them is sadly destined to discover their true worthlessness as customers flock away from their hopeless products.
Or something.
To the mindless trolls out there:
You’d be hard-pressed to find anyone so completely enamoured of Apple that they see no flaw. If you actually take the time to find out what Mac users think, you’ll discover that they’re Apple’s harshest critics (well, harshest of the critics who stay this side of reality, anyway).
We Mac users long criticised Apple for the slow processor speeds, even when we knew it was Motorola or problems IBM were having (along with Intel and AMD) in the 130nm to 90nm transition. We’ve bought lemons like the IIvx or LC (both of which I’ve owned… sadly) and complained loudly when Apple’s marketshare dropped through nothing more than the sheer incompetence of one useless board of directors after another.
We suffered through the years of Sculley (who famously and stupidly built incredible expectations around the Newton with a futuristic video, and then delivered a product that comprehensively failed to live up to them), Spindler (wasn’t so bad but couldn’t handle the pressure) and the Peanut (Gil Amelio, who spent 100 days finding out what was wrong with Apple, another few hundred days sitting around apparently with his thumb up his arse and then made one good decision – to buy NeXT instead of Be Inc).
We’ve spent years defending an OS we knew was good, but not as buzzword-compliant as Windows. We watched Windows turn from a joke (Win1.0 and 2.0 anyone?) to something people could actually use (Win3, 3.1) to something ‘good enough’ (Win95, 98) and finally to something really quite nice (WinNT, WinXP). With every Windows release, we saw the gap shrink but still we held out, complaining to Apple through letters, forums, emails and any other channel of communication we could.
Through it all we said the same things. “We want faster computers.” “We want you to tackle Microsoft head on.” “We want a more stable operating system.”
And now we’ve come a long way. We have an OS that beats Windows in most ways, from look and feel to stability to security. We’ve got computers that are very fast indeed. We’ve got Apple putting up a red flag to Microsoft in the form of the iLife and iWork packages, as well as occasional snide remarks about “copying.”
So a couple of trolls come along every now and then and think that they put forward their pissy little comments to shock us. Well, like most long term Mac users, I’ve said far worse, had more evidence and suffered more than a few morons whose idea of a real computer is based around nothing more than video games or the idea that if everyone else does something, then that thing is the best thing to do.
People like Jonathan, Mike, vuk and others can say nothing that I’ve not seen a thousand times before, but I’ve seen it said more eloquently by better people who knew what they were talking about. Instead we suffer fools like these, people who so clearly don’t know what they’re talking about and don’t seem to be more than thirteen year old children stuck in a mentality that their choice must be validated by others.
“I love Apple so much. I feel they are the absolute best of the best. In fact, without Apple, the world would be a dreary place. The sunshine they blow out with every release bathes me in goodness and lets me rest assured I have bought one of the best computers on the planet. Thank you Apple for caring about my security. Thank you for Tiger. And may god bless you and your flawless product line.”
🙂
I’m a former Windows user turned Linux advocate and found this quote made me laugh.
CNET quote: “Apple has no fixed schedule for issuing patches. By contrast, Microsoft in late 2003 moved to a monthly release of security fixes”
Difference here is that in the case of companies such as Apple, Novell and Red Hat they in most cases patch holes prior to third parties finding them. It’s called “research and resolve” where they probe in the labs to determine possible scenarios of attack, etc. Unlike Microsoft who have a long history of sitting on their ass waiting till someone else finds the holes then sit on their ass some more for in some cases 6 months or more prior to patching them. Which makes me question the author’s comment of MS having a release cycle monthly since 2003 when they haven’t even patched all the holes in their software such as IE.
Please don’t sully up our Apple thread with talk of competing OS’s. They quite simply don’t exist in our world. Thank you for your understanding. And thank you Apple for another prompt fix to an otherwise nearly-perfect system.
“So much for the “superior” OS…”
A few bugs does not make it less superior.
“Please don’t sully up our Apple thread with talk of competing OS’s.”
Apple users are first to jump in MS threads and almost first in linux threads.
6 months is not short time for delivering patches, and problems were discovered not by Apple but independent researchers.
Some of those 20 patches cover more than one security problem. I would say that this is exactly MS level.
Anyway reading many of Apple users reminds me of Voltaire’s Candide.
“… a few morons whose idea of a real computer is based around nothing more than video games or the idea that if everyone else does something, then that thing is the best thing to do.”
Yes, and the absolute must for a machine to be seen as a ‘real computer’ is that considerable time must be spent to get something to work. If that’s not the case, or worse, if it works out of the box [gasp!], it most definitely cannot be a real computer.
apple fanboys, you gotta love ’em. and yes garyp, i’m a 13yr old that have used windows, qnx, beos, linux and even your beloved macos and i’m clueless of what i’m talking about.
“apple fanboys, you gotta love ’em. and yes garyp, i’m a 13yr old that have used windows, qnx, beos, linux and even your beloved macos and i’m clueless of what i’m talking about.”
Yes, that pretty much sums it up. You’re completely clueless.
how is that possible?
so many patches for OS X?
I thought it is perfect and the most secure OS out there
To answer that just compare the two companies past security problems. Apple’s exploits usually amount to potential security risks, but they’re usually trivial and rarely – if ever – exploited. Compared to the actual damage caused by Windows exploits.
Yes, thats maybe because (almost) no one uses Apple.
It is simply no fun for the script kiddies to write worms and viruses for a platform most people doesn’t use or even know that it exists!
Those bad guys want hear of their creations at the TV, Newspapers and so on.
Believe me, if apple has a big market share, the damage and flaws would be much much bigger.
Kind of slow, eh?
“Those bad guys want hear of their creations at the TV, Newspapers and so on”
If a successful virus for MacOS X were to be written, that’s exactly what would happen. So much for that dead horse.
“A few bugs does not make it less superior.”
This is pretty stupid statement.
remote root should never happen and it should be patched instantly. It was not which proves:
1. most people (and script kiddies) don’t know about Apple.
2. Users who think that this is o.k are idiots
3. Apple definitely is not serious about support
I think the biggest reason there are huge number of unpatched machines on the Windows side is that some users spend a majority of their time posting comments on Mac articles as if they knew WTF they are talking about instead of STF and patching their systems.
When MS releases security patches the Windows funboys hate it. When Apple releases security patches the same fun boys hate it. What is wrong with you people?
This really isn’t anything new, Apple has patched up and upgraded OS X just as much as any other OS has been. We’re at 10.4 and we started at 10.0 what are all these 10.x.1 point upgrades? most of those are to fix bugs while the x.1.x releases add in new features here and there while fixing more bugs and so on.
Big deal, in a few months you’ll probably see a 10.4.1 patch anyways then 10.4.2 and so on until next year some time you get 10.5 for another $130 and everyone is happy.
Even on my old linux days using red hat/suse and mandrake, you get updates to different parts/apps depending on what you have installed, almost every day. It’s just normal.
actually, those are LinTrolls.
you’re 13? then I suggest you stop commenting because your opinion is not based in any knowledge. (and no.. using other OSs does not constitute knowledge, neither does being able to string together a VB “program”)
while the x.1.x releases
umm.. you can not use the same variable for the first number and the last number. if x = 10, then you are talking about a patch that never existed.. if x = <10 then you are talking about an OS that is not maintained any longer.
Root is never enabled under OS X, remote or local. You have to do it yourself through the NetInfo app, or through the command line. Either way is non-trivial, and warnings appear. Your points are invalid.
Also, these were all theoretical vulnerabilities. No specific attacks were ever reported, and Apple patched them all in both Tiger (included with the OS release) and 10.3.
Will we ever see the end of the incorrect meme about marketshare equating to attacks? If that were the case, Apache would be suffering more than IIS, but the reverse is true.
And cdr – Johnathan seems to be another troll. It’s so nice when trolls take each other seriously and spend time attacking their own sarcasm.
So it looks like “most secure OS” is PR only. For six months one could find information about some of these problems on secunia web page (including remote access). The idiot who claimed that OS X is the most secure OS should be fired so stupid it looks now.
To make use of these problems would take quite short time. Nobody bothered because there is only small percentage of OS X out there.
Instead of complaining about trolls you should complain to Apple.
“no.. using other OSs does not constitute knowledge, neither does being able to string together a VB “program””
This is so bad argument..
You definitely should stop to use computer (any), otherwise you may hurt yourself.
Here:
Take look at the dates of posted information about security issues.
http://secunia.com/product/96/
It was officially known that OS X has severe problems long time ago. If you can’t understand the consequences, there is not much to say.
The fact that now there is next version does not change anything because for long time OS X was only protected by the fact that it is unknown OS. So Apple is using security by obscurity. Congratulations.
really look at the other problems there is a lot more (web page above). What can I say. You should pray that OS X will not become more popular.
cdr, just quoting from your own link.
“The Secunia database currently contains 0 Secunia advisories marked as “Unpatched”, which affects Apple Macintosh OS X.”
What part of that page should I be looking at?
Apple is patching 10.3 not 10.4, what is the big deal! XP still is the worst OS in the world as far as security is concerned.
A friend of mine was reinstalling his XP professional right beside me. (Me -> Tiger, powerbook).
After the install finished (we were watching a BAD movie on TV), he configured his xDSL. While installing firefox and Norton Antivirus, (somewhere in between), his box got a trojan…
I had to search on Google for a way to remove it. We had to use a XP sp 2 cd I had, and after SP2, connect as quick as possible to get windows update…
now… are you calling XP usable?
Please. Get lost.
OK I’ll play too.
MacOSX
http://secunia.com/graph/?type=sol&period=all&prod=96
47 advisories from 2003-2005 ALL patched
WindowsXP
http://secunia.com/graph/?type=sol&period=all&prod=22
73 advisories from 2003-2005, I won’t even bother telling you how many are unpatched.
This is exactly what I mean in relation to my last post.
“So it looks like “most secure OS” is PR only. For six months one could find information about some of these problems on secunia web page (including remote access). The idiot who claimed that OS X is the most secure OS should be fired so stupid it looks now.”
cdr, I concur with Martin, Monkey and Gary…you’re fired!
The one showing that for several months you have been using OS with really nasty holes. It looks like “live update” is not worth that much. Next holes will be patched with next OS release.
You just don’t seem to get the point I’m making. These were not nasty holes at all.
They’re theoretical holes, some of which require the user to have enabled root access.
As I don’t have root enabled, there’s absolutely no chance that my iBook could be susceptible to the remote root exploit.
It’s not a nasty hole if it doesn’t exist!
I don’t care about unpatched windows. For several months OS X was unpatched so it is not worth more than windows in terms of security.
It would be better to admit that something is wrong instead of living in denial.
nighty night.
“Privilege escalation
System access
Where: From remote”
which part you don’t get? It would be nice if you could pay attention to the security holes causing privilege escalation. No root rights needed for these.
“I don’t care about unpatched windows. For several months OS X was unpatched so it is not worth more than windows in terms of security.
It would be better to admit that something is wrong instead of living in denial.
nighty night. ”
MacOSX is not perfect, no one said it was. You’re right, for several months MacOSX was unpatched but I think Apple is doing a good job addressing the vulnerabilities. They don’t have a monthly schedule, they patch ASAP. Their response time is not going to please everyone but I think their current track record speaks for itself. As Gary had mentioned most of the vulnerabilities mentioned are conceptual in nature and can only be exploited under controlled conditions.
I am not comparing OS X to any other OS. The problem is that these holes were not patched ASAP.
There is no such thing as “controlled conditions” for remote access and privilege escalation. Definitely not “conceptual” problems.
These holes never were used because OS X is mostly unknown as a desktop and even more as a server. So it was in fact security by obscurity.
I think that OS X users should really harass Apple for better security support instead of applauding “fast response” because it was not fast, in fact it was really slow.
Wow these Windows fanboys really give every Windows user a bad name. STFU and deal with XP not seriously being as secure as it should have been. Stop making stuff up about XP or about OS X. Apple is WAY ahead of the game in terms of producing a secure feature rich OS. All XP has learned to do is not crash as much as it did with Win 98!!! Have you ever tried to surf the web without the service pack 2 installed? Jeezus! At least with OS X you can live without the patches because it does not suffer from all these viruses and spyware and malware. Are you XP fanboys really this retarded?
If a successful virus for MacOS X were to be written, that’s exactly what would happen. So much for that dead horse.
You don’t get it.
That’s impossible. To let a virus or worm (or whatever it is called) you need enough (millions of them) stupid users, who open/execute mail attachments, surf without a firewall and so on.
And that’s exactly what happens again and again and again.
Windows has so many users (a billion?) that there are at least several million people who don’t care about security and are still opening mail attachments, have turned off the internal firewall and so on.
The latest samples here in Germany are Postbank phishers, who ask per mail for a TAN (something like a PIN for electronic banking), or the WM 2006 Ticket Worm. They send mails with a worm attached. But people are stupid enough to open that mail and execute the attachment, so the worm spread rapidly!
So, Macs aren’t widely used (at least outside the US) and therefore the percentage of “idiots” is much smaller.
Worms or other viruses have no chance to spread widely.
Same goes for Linux.
Yes, I know that there were security holes in Windows which allowed intruders to come in without starting any attachment or any other user action. But all of them worked only if the firewall was turned off!
And the firewall is included since the first release of XP.
You see, the problem is mainly the user, not the system
Btw. I don’t like Microsoft. But XP is working good enough for most desktop tasks for me. It’s not so bad that I can’t use it. Mac OS may be better, I will see in a few days when my Mini arrives
I agree with part of your post.
Apple *did* take a while to fix some of these bugs. You’re right there, and they can do better. Six months is poor for those in mission-critical systems, and OS X users should raise a bit of angst over that.
Of course, defining how long something takes can only be done in relation to something else (ie Windows or Linux). Otherwise how long is too long and what is a reasonable time for a fix?
But yes, you have a valid point there, and one that can’t be argued based on the data.
I don’t agree at all about your point on there being no such thing as controlled conditions for an exploit. I take “controlled conditions” to mean “specific system set-ups required for the exploit”. These aren’t generally possible with new installs. They require something more – either for a user to enable root access and then get within Bluetooth range of a malicious Mac user, or for a user to run an AppleScript blindly, or some other similar circumstance.
They’re not easy things for a hacker to do. They’re not trivial, but a real source of weakness is (paradoxically) in how secure the OS is. Many OS X users are used to making an assumption of security and entering their password when asked. In reality, it’d be possible to get them to do this and then run an AppleScript to do all sorts of mischief (outside of root access, which Apple’s Authentication Manager doesn’t ever allow, so the actual OS would be safe but all data would potentially be lost).
The idiot who claimed that OS X is the most secure OS should be fired so stupid it looks now.
Damned. We’re in danger ! That idiot works for the NSA :
http://www.nsa.gov/notices/notic00004.cfm?Address=/snac/os/applemac…
For privilege escalation one does not need root account. That is the whole point of privilege escalation. In other words with all the idea of disabled root, one still can get into the machine. I hope that you understand that I don’t mean trolling, but I am surprised that OS X users think that this is o.k. OS X had clean start. OS X appeared quite late on the market. Apple had a chance to learn also (mainly) from Windows example how important is to be really quick.
How fast response should be? Faster than official security reports. As soon as they appear someone may take advantage of specific hole.
OS X is proudly claiming BSD roots. Well in BSD world security report and patch appear at the same time.
Manik,
NSA or not, it looks stupid, even more because security expert did not read security reports.
this is pathetic. OS worship makes me nauseous.