Apple on Wednesday released Security Update 2006-001, available for download through the Software Update system preference pane and from Apple’s Downloads Web page. The update addresses a recently reported exploit that left Safari users vulnerable to malicious shell scripts, corrects a vulnerability in Apple’s Mail software, and also changes the way iChat handles file transfers to help prevent the Leap-A malware.
Oh come on Apple, why don’t you wait for a few more weeks so it would be a critical security threat, then release the patch. Which is a fairly good turnaround for a company like Apple who needs to test the patches, make sure it doesn’t break anything, and go through S.O. approval. Finally make it live, before all the bugs start floating around.
Or even better, if a virus utilising the exploit had a payload date, release the patch _after_ that date. I thought Apple were supposed to be professional, only Microsoft are professional enough to stick to patch cycles no matter what, and release a fix after the payload has already been dropped.
“Or even better, if a virus utilising the exploit had a payload date, release the patch _after_ that date. I thought Apple were supposed to be professional, only Microsoft are professional enough to stick to patch cycles no matter what, and release a fix after the payload has already been dropped.”
1) Microsoft’s patch schedule was implemented at the request of their customers.
2) Microsoft has reserved the right to, and has broken from their patch schedule on several occasions if the vulnerability was critical and the possibility of exploit was high.
Way to b*tch-slap the FSF/GNU trolls. 😀
“1) Microsoft’s patch schedule was implemented at the request of their customers.
2) Microsoft has reserved the right to, and has broken from their patch schedule on several occasions if the vulnerability was critical and the possibility of exploit was high.”
No patch schedule predictability justifies a critical vulnerability’s intentional delay. OP refers to a real example of MS knowingly leaving their users out in the cold until after the X hit the Y.
I applaud Apple at the quick turnaround for implementing these security patches.
Side note: I believe I read that these patches were reported to Apple well before they were made public. The reporting party apparently was said to hold off on the announcement of these holes until Apple was close to a patch.
I’m not crying foul! It may have been partly a marketing ploy etc., but the fact is they acted upon the flaws, repaired ’em quite quickly… it may have not been as quick as we perceived, but a helluva lot quicker than others.
IMHO
Jb
If these holes were closed so fast and easily, how come they existed in the first place?
Perhaps that article about Apple code not being run through exploit check software is true.
Apple needs to hire some criminals to understand some things about human behavior, to think ahead how something can be exploited instead of this Microsoft “knee jerk” reaction to security.
Perhaps this is all BS to get us to accept Trusted Computing.
For example, imagine if there is a sudden backlash against Trusted Computing; Mac folks think it’s unnecessary because their operating system has always been very secure.
Now imagine if Apple carefully leaves a few holes open, nothing dangerous, but something enough to get the anti-malware companies going, an exploit appears, Apple patches it right away. Bingo! There’s the justification for enacting these strong DRM measures: “It’s going to make your computing experience safer.”
What of course they don’t tell you is that they have already decided what is trusted, you don’t have that power, they also decided not to trust us. They also decided what programs they don’t trust us with.
Of course the computing public won’t stand for this very long, it will be broken.
Because they weren’t holes? They used standard features of the Mac OS and Mac OS X to take advantage of ignorant users. The ability to make any file or folder have any icon isn’t a security hole. It was abused by the anti-virus companies who are trying to scare up more business.
I will have to look to see just how Apple fixed the issue (it was an issue but not a hole). Probably made changes so that shell scripts don’t run so easily.
By the way, I never had a problem. As I painstakingly use custom generic icons, I noticed the difference right away. I say painstakingly as Apple has a habit of changing them back with point updates.
A lot of viruses require stupidity on the end-user’s part. Whether it’s “Look at naked pictures of <insert celebrity name here>”, or people entering in a password to run a virus. A lot of the time it preys on not just the vulnerability of the system, but on how naive the user is. OSX isn’t completely secure, and neither is any OS out there.
Don’t be an Apple apologist. The number of vulnerabilities fixed in this update was immense — http://docs.info.apple.com/article.html?artnum=303382
“Viewing a maliciously-crafted web page may result in arbitrary code execution” is not a security hole? Please. I eat the Apple cake too, but I don’t let it get to my head.
I think Wired News said it best:
“These Mac “threats” are only news because of their novelty, not the threat level they pose. […] the platform is more secure, and these new security threats are no more threatening than a paraplegic kitten.” (rpm -ihv –ignoreos /root/mnt_2005_2/microcode/F3157_A/146lp-c50j-AIX.rpm)
I’ve yet to meet a single person to have been hit by the Apple worms. Compare and contrast to the Windows worms, which I usually learn about when I ask why the Windows guys at work are running around so frantically.
Seriously, has anyone met someone hit by this? The closest I came was some guy on the internet who installed it on purpose to find out how it works, and even he had to strain to make it “work”.
I’m not contesting their lack of spread, I’m contesting the parent poster’s refusal to admit that there were any kind of vulnerabilities fixed in the first place. He seems to think it was all related to “user error”.
OS X is not a cure-all.
Now Windows is not the only one that always has to fix something. Now OSX is starting to follow Windows in that direction.
You mean Microsoft fixes things? Good job Apple!
Folk are starting to moan at Apple about security updates; well fine.
If you want a secure machine that you don’t have to update for 6 to 12 months then go try OpenBSD for desktop use. You will have fun setting up desktop conveniences such as RealPlayer, Skype, and so on.
If you want the desktop conveniences to be easy then you have Windows, and there you have many new security challenges each week. Partly this is the price of (almost) endless backward compatibility, and Microsoft do seem to try to bolt features on and then add security as an afterthought.
Apple’s Mac OSX is somewhere between the two, and some would say the best of both ends of the spectrum – a reasonable compromise.
The trade off seems observable though I’m sure it doesn’t HAVE to be this way.
OSX updates do have one nice feature; they tend to tag a defragmentation exercise into the larger updates. After seeing many Win32 boxes that are grinding slow due to bad fragmentation problems … it seems refreshingly sensible.
“OSX updates do have one nice feature; they tend to tag a defragmentation exercise into the larger updates. After seeing many Win32 boxes that are grinding slow due to bad fragmentation problems … it seems refreshingly sensible.”
No, the “Optimizing System Performance” phase is not defragmenting the HD; the HFS+ filesystem is designed to avoid fragmentation in the first place, so it isn’t necessary.
What that phase actually does is update the prebinding of changed libraries so that applications launch faster, although you’ll rarely see any significant improvements since prebinding is updated automatically when applications are launched.
“OSX updates do have one nice feature; they tend to tag a defragmentation exercise into the larger updates.”
Actually it doesn’t defrag the system (though I agree it might look like it). The filesystem Apple uses defragments itself!
The Windows user gets viruses etc. because the system is not secure, and the OSX user gets viruses etc. because they are bigger morons than the Windows user.
This is what I’ve been saying; I’ve said a few times that it’s neither a virus nor a Trojan, but malware.
Good to see it classed that way at last.
Second, every OS is going to have problems; there are always some people out there that find a trick or a way to do something that probably shouldn’t happen that the devs didn’t think about.
The thing that absolutely matters is from when the problem is reported to the time it’s fixed. That is where you find the true company that cares.
I mean, Microsoft’s average patch time is what? 130 days? Eek.
Plus they refuse to release patches until the desired patch time schedule.
You get people doing what happened recently, making their own patches to fix the flaw in Media Player.
OS X still shows the shell script in the proof of concept as being a jpeg once you download it. It just doesn’t automatically run it. It’ll still run the shell script if you double click on the file.