Linked by Thom Holwerda on Thu 23rd Jun 2011 22:51 UTC
Mac OS X "Apple has now released Mac OS X 10.6.8, the eighth maintenance update for Snow Leopard, via Software Update. The update offers a number of fixes implemented since the release of Mac OS X 10.6.7 in late March."
Apple's engineers getting better
by 3rdalbum on Fri 24th Jun 2011 09:34 UTC
3rdalbum
Member since:
2008-05-26

Usually, looking at a list of security fixes in Mac OS X updates is like watching The Three Stooges: You laugh at all the buffoonery that's happened.

There's normally a whole bunch of security fixes for things that you'd never believe could make it through quality assurance, such as "Entering a password with three letter A's causes the user's privileges to escalate" and "Guest users can use 'cron' to run malicious code after they've logged out".

To Apple's credit, I had a quick scan through the list of fixes, and there were no thigh-slappingly-hilarious ones. This was about the funniest I could see:

Impact: Visiting a malicious website may lead to files being sent from the user's system to a remote server

Description: A cross-origin issue existed in WebKit's handling of windows. Visiting a malicious website may lead to files being sent from the user's system to a remote server. This issue is addressed through improved tracking of origins.
CVE-ID: CVE-2011-0167

Of course, this might just mean that Apple HASN'T fixed the one that allows a maliciously-crafted PDF to set your printer on fire; but I hope this means that OS X is finally maturing as a secure platform. About time, considering it's over ten years old.

Reply Score: 3

kaiwai Member since:
2005-07-06

What has always confused me is how Apple is so happy to break compatibility when it comes to adding or enhancing something but apparently it is 'one step too far' when it comes to breaking compatibility for the sake of security - implementing ASLR system wide has only just come to Mac OS X Lion for example, something that should have been implemented in Snow Leopard (if you're going to break a couple of things why not go for gold and smash a few more things whilst you're at it?).

One thing that has surprised me is how Apple is still supporting 10.5 given how quick they are to throw the old release under the bus and push people onto the next version (especially so given the cheap price of Snow Leopard and same low price repeated again with Lion).

Regarding Webkit, it'll be interesting to see whether the different parts being isolated off will result in a more secure experience as with the case of webkit2 versus webkit1; hopefully we'll get to see some security boffins having a good hack away at it to see whether all the hard work has paid off.

Reply Score: 2

malxau Member since:
2005-12-04

One thing that has surprised me is how Apple is still supporting 10.5 given how quick they are to throw the old release under the bus and push people onto the next version...


Apple have had a pretty consistent policy for a long time of issuing "minor" updates to the current release, and security updates only for the previous release. It's quite possible (likely?) that 10.6.8 will be the final minor update for 10.6 under this model, and this will be the final security update for Leopard. After this, PPC users are totally screwed.

Reply Score: 2

kaiwai Member since:
2005-07-06

Apple have had a pretty consistent policy for a long time of issuing "minor" updates to the current release, and security updates only for the previous release. It's quite possible (likely?) that 10.6.8 will be the final minor update for 10.6 under this model, and this will be the final security update for Leopard. After this, PPC users are totally screwed.


IMHO the last PPC Mac shipped around 6 years ago - personally I think that is pretty damn good in my books; at some point one has to throw in the towel and say, "yeap, I've gotten good mileage out of the machine".

Reply Score: 3

Bill Shooter of Bul Member since:
2006-07-14

No, I don't support that from a consumer's perspective. You should use a system until it's no longer able to do the tasks you require of it. As time progresses there are new tasks that arise that require more computational power (video editing, parallel processing experiments, virtual machines) which cause machines to be obsoleted. But this is different than just turning to a box and saying "You're old, I'm not using you any more because of your age." I mean people do that, but it's a waste of money, IMHO. Now in the past the necessary upgrade cycles were much shorter, but recently we've hit a plateau where we can keep machines much longer. My desktop upgrade cycle (from 1991, in years between upgrades): 4, 3, 3, 8.

Now, from an OS developer's perspective sometimes there are things that are beneficial that necessitate raising the hardware requirements. Sometimes it's bloat, sometimes it's good stuff, sometimes it's cost of development. I don't blame Apple for not wanting to continue to support a six year old processor architecture which doesn't gain them much in revenues any longer.

Reply Score: 2

MOS6510 Member since:
2011-05-12

You can keep on using your Mac, even without (security) updates.

There aren't many attacks on OS X, let alone on a minority of Mac owners using an OS version and architecture that will be pretty rare.

Just my theory of course. But I do wonder if you put a Windows NT 3.51 server on-line (for example), will it get hacked by scripts scanning the net for vulnerable systems?

It's not a likely target you'd come across, nor would you expect it to have any important data/services on it.

So I doubt any hackers or script kiddies would look for those.

I still have a G3 iMac somewhere running Panther (OS X 10.3) and I use it as a SSH terminal, some light surfing, mail and chat.

Reply Score: 1

malxau Member since:
2005-12-04

You can keep on using your Mac, even without (security) updates.
...
I still have a G3 iMac somewhere running Panther (OS X 10.3) and I use it as a SSH terminal, some light surfing, mail and chat.


I think a lot depends on the applications. OS X has always had a good firewall and doesn't expose ports willy-nilly. If it's a well firewalled client connecting to SSH or well known mail/chat servers, the risk isn't very high. Browsing the web (or rendering HTML mail) on Safari 1.2 or Firefox 2 is probably much more risky, since the security holes tend to be cumulative and (for Firefox) frequently cross-platform.

Reply Score: 2

malxau Member since:
2005-12-04

IMHO the last PPC Mac shipped around 6 years ago - personally I think that is pretty damn good in my books; at some point one has to throw in the towel and say, "yeap, I've gotten good mileage out of the machine".


Personally I bought an iMac G5 right at the end of the PPC iMac's life. I don't feel like I got good mileage from the machine; actually it feels terrible. Almost overnight the platform became neglected. Leopard was frustratingly slow on it, many app developers shunned it quickly, and apps tended to depend on the CPU performance of Intel so even apps that "ran" didn't work well.

I bought a PC six months earlier, and I'm still using it. I even upgraded it to Win7, and it's working fine. The G5 is gathering dust.

I know, I shouldn't expect so much from Apple. But, particularly since the machine was expensive (Apple tax + integrated monitor etc made it the most expensive computer I've ever bought), it definitely left a sour taste and makes me think twice before getting Apple gear again.

Reply Score: 2

kaiwai Member since:
2005-07-06

Mate, I've said this numerous times - you're comparing apples to oranges; you're comparing one side of the industry with a constant ISA/architecture to Apple that has moved from PowerPC to Intel. If Apple were using Intel all this time but artificially blocked off all machines from 5 years ago from using Mac OS X then your point would stand but that simply isn't the situation as it stands today.

There are less and less PowerPC computers out there and to be completely honest if you've gotten 5-6 years out of a computer I think you're doing pretty damn good in my books. I would be saying this even if I owned a PC, I've gone from an eMac to an iMac/iBook to a MacBook to a MacBook Pro/iMac - I find it funny that people scream and wail with pain when it comes to computer upgrades but don't bat an eyelid when it comes to upgrading their car, television or some other piece of equipment of equal or greater value within the same 5-6 year time frame.

Reply Score: 3

malxau Member since:
2005-12-04

Mate, I've said this numerous times - you're comparing apples to oranges; you're comparing one side of the industry with a constant ISA/architecture to Apple that has moved from PowerPC to Intel.


That's true, although note that other vendors are much more reluctant to do things like this. Apple have changed CPUs a couple times (68k->ppc->intel), OSes a couple times (os9->osx->ios), and provided relatively poor compatibility experiences along the way. Apple users should not expect that today's arch will be tomorrow's arch, although PC users take that for granted.

...There are less and less PowerPC computers out there and to be completely honest if you've gotten 5-6 years out of a computer I think you're doing pretty damn good in my books.


My point is that I got around 2, not 5-6. The machine hasn't been in serious use for a long time.

...people scream and wail with pain when it comes to computer upgrades but don't bat an eyelid when it comes to upgrading their car, television or some other piece of equipment of equal or greater value within the same 5-6 year time frame.


I'd say the reverse. I've never upgraded any of those things in a 5-6 year timeframe. Computer upgrades have always been rapid, often artificially rapid. I'm shocked that many businesses replace PCs every 3-4 years even though the functionality/value that they get barely changes at each cycle. How often do they replace desks?

Reply Score: 2

kaiwai Member since:
2005-07-06

That's true, although note that other vendors are much more reluctant to do things like this. Apple have changed CPUs a couple times (68k->ppc->intel), OSes a couple times (os9->osx->ios), and provided relatively poor compatibility experiences along the way. Apple users should not expect that today's arch will be tomorrow's arch, although PC users take that for granted.


I have had a re-read with what you said and I feel your pain and if I was Steve Jobs I would have offered a 1/3 trade in programme on new Intel computers (for PowerPC owners) but hey - that's me, Mr Generous.

I feel for you and the transition wasn't smooth and the support that Apple claimed they would provide was never something they lived up to but at the same time it is pretty silly to grind an axe over an issue that happened over 4 years ago.

I'd say the reverse. I've never upgraded any of those things in a 5-6 year timeframe. Computer upgrades have always been rapid, often artificially rapid. I'm shocked that many businesses replace PCs every 3-4 years even though the functionality/value that they get barely changes at each cycle. How often do they replace desks?


Most companies don't own the machine, they lease it, the company who owns them can write it off over 2-3 years via the tax system (many countries have favourable tax arrangements that encourage businesses to depreciate their equipment faster).

You may be the reverse but casual walking around down the road tells a different story.

Reply Score: 2

Neolander Member since:
2010-03-08

I find it funny that people scream and wail with pain when it comes to computer upgrades but don't bat an eyelid when it comes to upgrading their car, television or some other piece of equipment of equal or greater value within the same 5-6 year time frame.

I think it has to do with the fact that computers are multi-purpose machines which operate on data.

If I replaced my bike with a new one in the same category and price range, I'd just spend an afternoon setting some things up and it's good to go. The controls and the capabilities of the machine don't change much. Maybe there's one more or one less gear on the back, but this you get used to in a week.

For computers, it's a different story. Computers and their OSs are shipped in a state where they're not good at anything useful. You need to clean up the mess that the manufacturer has left, install your own software, hope that it works (and, in case of PPC software on x86, it probably won't), move your data, discover that your data is incompatible with the newer versions of the software you're using, which you have been forced to buy because your old ones don't work with your new computers... And once everything is done, you get a machine that works in a significantly different way and have to relearn lots of your everyday habits from the ground up.

Getting a new computer is not like setting up a bike or car and getting used to it. There's a whole lot of pain and mess involved. That's why people are not as much willing to do it, I think.

Edited 2011-06-25 08:42 UTC

Reply Score: 1

kaiwai Member since:
2005-07-06

I think it has to do with the fact that computers are multi-purpose machines which operate on data.


Or the fact that the majority of people see computers as this magical box that whirls, whizzes and does amazing stuff instead of seeing what it really is, a glorified machine that allows you to achieve certain things.

If I replaced my bike with a new one in the same category and price range, I'd just spend an afternoon setting some things up and it's good to go. The controls and the capabilities of the machine don't change much. Maybe there's one more or one less gear on the back, but this you get used to in a week.


I can do the same thing; I purchased an iMac just recently, I set up my new machine, hooked up my machine, downloaded the applications I bought on AppStore, and installed some updates - within around 1-2 hours I was up and running.

For computers, it's a different story. Computers and their OSs are shipped in a state where they're not good at anything useful. You need to clean up the mess that the manufacturer has left, install your own software, hope that it works (and, in case of PPC software on x86, it probably won't), move your data, discover that your data is incompatible with the newer versions of the software you're using, which you have been forced to buy because your old ones don't work with your new computers... And once everything is done, you get a machine that works in a significantly different way and have to relearn lots of your everyday habits from the ground up.

Getting a new computer is not like setting up a bike or car and getting used to it. There's a whole lot of pain and mess involved. That's why people are not as much willing to do it, I think.


How has Mac OS X 'changed significantly' (same can be said for Windows)? Minor changes here and there, a few additional features added but more or less the fundamentals haven't changed. When it comes to applications - the majority of people around the world on their computer don't run anything fancy; Windows, maybe a copy of Microsoft Office, and if you're lucky a pirated copy of Photoshop or Photoshop Elements they got with their multi-functional printer.

As for pain, there is as much or as little pain as you want to impose upon yourself - I've seen experts go to hell and back because their setup was a disorganised mess whilst on the other hand I've seen novices following guides, back up their stuff, clean upgrade Windows and then put their stuff back on within a few hours.

Reply Score: 2

MOS6510 Member since:
2011-05-12

I guess they still support 10.5 because that's where all the G4 and G5 PowerPC based Macs got stuck. The dual CPU editions are still pretty powerful and I can imagine still in serious use.

Reply Score: 1

kaiwai Member since:
2005-07-06

True, the dual G5's are still probably being used by many rendering farms but I'd say that long term these organisations will have to find an alternative.

Reply Score: 2

v FUD
by wocowboy on Fri 24th Jun 2011 10:47 UTC
RE: FUD
by MOS6510 on Fri 24th Jun 2011 10:56 UTC in reply to "FUD"
MOS6510 Member since:
2011-05-12

It's just an update, nothing special. Why should this be called FUD?

I installed it on my Intel Macs, all went fine. The PowerPC Macs also had a security update without bumping the OS version number.

Reply Score: 2

RE[2]: FUD
by wocowboy on Fri 24th Jun 2011 14:31 UTC in reply to "RE: FUD"
wocowboy Member since:
2006-06-01

The original comment to this thread by 3rdalbum made the statement that a bug in OS X could cause a printer to catch fire, when that is simply NOT true. To suggest that that could actually happen is an example of FUD.

Edited 2011-06-24 14:39 UTC

Reply Score: 1

RE[3]: FUD
by winter skies on Fri 24th Jun 2011 17:23 UTC in reply to "RE[2]: FUD"
winter skies Member since:
2009-08-21

The original comment to this thread by 3rdalbum made the statement that a bug in OS X could cause a printer to catch fire, when that is simply NOT true. To suggest that that could actually happen is an example of FUD.

It sounded like a joke to me - quite funny, btw.
Edited: sorry, cannot fully understand the comment system yet, quotes in particular. Maybe I should just learn to read.

Edited 2011-06-24 17:26 UTC

Reply Score: 2

RE[3]: FUD
by pantheraleo on Fri 24th Jun 2011 20:46 UTC in reply to "RE[2]: FUD"
pantheraleo Member since:
2007-03-07

The original comment to this thread by 3rdalbum made the statement that a bug in OS X could cause a printer to catch fire, when that is simply NOT true. To suggest that that could actually happen is an example of FUD.


It's called humor. You should try it some time. But I know... As an Apple fanboy, you probably call it religious blasphemy instead of humor.

Reply Score: 2

RE[3]: FUD
by tanishaj on Sun 26th Jun 2011 03:56 UTC in reply to "RE[2]: FUD"
tanishaj Member since:
2010-12-22

The original comment to this thread by 3rdalbum made the statement that a bug in OS X could cause a printer to catch fire, when that is simply NOT true. To suggest that that could actually happen is an example of FUD.


The whole point of his post was that the OS had matured and that embarrassing security issues were becoming less common. The final "not to say" that mentioned fire was clearly intended for levity not hyperbole.

I find your comment more in the FUDish tradition than his. You completely abandoned the context.

Reply Score: 1

RE: FUD
by JAlexoid on Fri 24th Jun 2011 11:52 UTC in reply to "FUD"
JAlexoid Member since:
2009-05-19

I have had to deal with many virus and malware infections over the years.


Don't download freaking pr0n and warez and Windows (even unpatched) is as secure as Mac OS X.

Reply Score: 3

Lots of experience
by wocowboy on Fri 24th Jun 2011 14:36 UTC in reply to "RE: FUD"
wocowboy Member since:
2006-06-01

I have been owner/manager of a cable TV system for 30 years and have provided internet service to my customers for 10 years. Over that time I have seen MANY of my customers' machines become infected with viruses and malware, and have been called on to assist them in removing those infections or doing the erase/format/reinstall routine on their machines. I have had customers whose machines have been taken over by what I do not know, with the result being them flooding my upstream provider and my server with hundreds of thousands of spam emails per day and having to deal with their computers and my servers as a result. I am smart enough to not deal with the items you suggest, but my customers are not. Therefore I DO have experience with malware and viruses. Not on my Macs, though, they have NEVER been affected.

Edited 2011-06-24 14:37 UTC

Reply Score: 1

RE: Lots of experience
by JAlexoid on Sat 25th Jun 2011 06:26 UTC in reply to "Lots of experience"
JAlexoid Member since:
2009-05-19

Oh... Are you saying that you're the parasite - that promotes anti-viruses over due diligence training?

I'll give you that Macs have far fewer worms/viruses/trojans than even Linux. Though you will never hear about any Linux malware, because it's not publicly accessible (used in attack operations on datacenters and highly customised). But with the growing popularity, there will be more and more malware for Mac. And given that people with Macs think they are very secure - that puts them at a higher risk level.

The only solution is education. Otherwise, Mac, Windows or Linux are very much the same.

Reply Score: 2

RE: FUD
by BallmerKnowsBest on Fri 24th Jun 2011 17:27 UTC in reply to "FUD"
BallmerKnowsBest Member since:
2008-06-02

I am a Windows user as well as a Mac user.


Yeah, the hand-waving melodrama and deliberately-missing-the-point-as-a-debate-tactic kinda gave you away.

Reply Score: 2

RE[2]: FUD
by wocowboy on Sat 25th Jun 2011 11:27 UTC in reply to "RE: FUD"
wocowboy Member since:
2006-06-01

I don't know what the hell that remark meant, I will take it as simply a tactic to demean my statement that I use Macs as well as Windows machines, both at home and at work in my business that deals with internet, and that based on that experience I have a certain amount of knowledge about which types of computers I have worked with that have ever been affected by malware or viruses.

And my original statement still stands and cannot be refuted since it is based on MY experience, which is: In MY experience, I have NEVER owned or seen a Mac that has been affected by malware or viruses, while I have seen MANY Windows machines either die or be rendered inoperable by malware and viruses. NONE of the Windows machines have been mine, all were my customers' machines. Nice try but it didn't work.

Reply Score: 1

RE[3]: FUD
by BallmerKnowsBest on Sat 25th Jun 2011 17:53 UTC in reply to "RE[2]: FUD"
BallmerKnowsBest Member since:
2008-06-02

I don't know what the hell that remark meant, I will take it as simply a tactic to demean my statement that I use Macs as well as Windows machines, both at home and at work in my business that deals with internet, and that based on that experience I have a certain amount of knowledge about which types of computers I have worked with that have ever been affected by malware or viruses.


Actually it was a reference to the standard Apple Apologist debate tactic: when you can't form a real rebuttal, then deliberately misunderstand one of your opponent's points and use that as a springboard to a hand-waving "OMG are you really saying that _____" rant.

And my original statement still stands and cannot be refuted since it is based on MY experience, which is: In MY experience, I have NEVER owned or seen a Mac that has been affected by malware or viruses, while I have seen MANY Windows machines either die or be rendered inoperable by malware and viruses. NONE of the Windows machines have been mine, all were my customers' machines. Nice try but it didn't work.


Hate to break it to you chuckles, but "anecdote" is not the singular form of the word "data". And even if your unsubstantiated personal anecdote weren't utterly useless, there's still the little matter of you being too obtuse to grasp the difference between the presence of good security and the mere absence of compromises. As an obvious Apple fanboy, I doubt you even realize there IS a difference.

Reply Score: 2

Upgrading the kernel (the core system)
by vikramsharma on Fri 24th Jun 2011 12:47 UTC
vikramsharma
Member since:
2005-07-06

I don't know if anyone remembers that the OS X kernel (Darwin) is based on FreeBSD 5.0 and the Mach kernel; is it about time that the FreeBSD part was upgraded too? Apple is making changes on a superficial level, ignoring the real changes like the kernel, filesystem etc. Hasn't it been pretty much the same kernel ever since? Maybe I'm wrong.

Reply Score: 2

kaiwai Member since:
2005-07-06

I don't know if anyone remembers that the OS X kernel (Darwin) is based on FreeBSD 5.0 and the Mach kernel; is it about time that the FreeBSD part was upgraded too? Apple is making changes on a superficial level, ignoring the real changes like the kernel, filesystem etc. Hasn't it been pretty much the same kernel ever since? Maybe I'm wrong.


"Based on FreeBSD" is something one shouldn't take necessarily as being 100% FreeBSD 5.0 given that Snow Leopard conforms to SUS2003 which would require changes in many parts to conform to the specifications. The kernel is being updated but more or less what needs to be changed isn't the stuff that faces the developer or end user but the underlying code for the sake of optimisations - something they're already doing.

Reply Score: 2

MacDefender
by pantheraleo on Fri 24th Jun 2011 13:20 UTC
pantheraleo
Member since:
2007-03-07

They also added signatures to detect and remove the latest versions of MacDefender. So by tomorrow, or even by late today, we should see another story about a new version of MacDefender that can bypass the latest update.

Welcome to the big leagues of having to play a constant cat and mouse game with the malware authors, Apple.

Reply Score: 2

RE: MacDefender
by Neolander on Fri 24th Jun 2011 15:32 UTC in reply to "MacDefender"
Neolander Member since:
2010-03-08

Either that, or coming up with some real sandboxed security model at the cost of software compatibility. Hard choice, especially considering that Apple haven't taken the opportunity of iOS' release to do that vital update on at least part of their ecosystem...

Reply Score: 1

Re: FUD
by 3rdalbum on Sat 25th Jun 2011 07:18 UTC
3rdalbum
Member since:
2008-05-26

"Entering a password with three letter A's causes the user's privileges to escalate" was a joke.

The printer catching fire was a joke.

Guests being able to use cron was not a joke.

Non-root users being able to gain root by using the Apple menu in a setuid root program sounds like a joke, but is not.

My post was rather positive, and not at all FUD - I said that Apple seems to be taking security design seriously nowadays, because there are none of those "sounds like a joke but is not" security flaws that have occurred in Apple software in the past.

Reply Score: 2