OSNews: http://www.osnews.com/story/17734/Apple_Patch_Tackles_Two_Dozen_Mac_OS_Vulnerabilities Exploring the Future of Computing en-us Copyright 2001-2009, David Adams adam+nospam@osnews.com Thu, 09 Jul 2009 21:04:38 GMT http://www.osnews.com/images/osnews.gif OSNews.com http://www.osnews.com Catching up... http://osnews.com/thread?232550 http://osnews.com/thread?232550 Since November, a lot of serious though not critical, problems were revealed, and it's good that they're finally getting closer to fixing all of the problems.

Obviously, their development staff have been stretched thin with Leopard and iPhone development but they really need to dedicate people to security issues. November, or even January, to April is a very long, very open window for attacks.

Still, since nothing has really been exploited, better late than never. Fri, 20 Apr 2007 19:30:00 GMT donotreply@osnews.com (bousozoku) Comments RE http://osnews.com/thread?232558 http://osnews.com/thread?232558 Job done, thanks Apple. I think security updates are good thing, even when I was on Windows. Apple's update app makes it so much less hassle, and Vista followed suit with a dedicated app instead of the hellacious IE-only Active X mess in XP.

I don't honestly see why this is news. None of these are being exploited, they've now been patched, only 3 were remote exploits (unlike what some comments on some sites are making out). Linux gets hundreds of patches all the time, we don't get news of that. Fri, 20 Apr 2007 19:54:00 GMT donotreply@osnews.com (Kroc) Comments excuse me http://osnews.com/thread?232568 http://osnews.com/thread?232568 >Job done, thanks Apple

Job or Jobs done? *g* ;) Fri, 20 Apr 2007 20:21:00 GMT donotreply@osnews.com (Oliver) Comments RE http://osnews.com/thread?232569 http://osnews.com/thread?232569 You are aware that the "hundreds" of patches send to Torvalds and maintainers are most bug fixes and new features ?

Most of security updates i have on my ubuntu box are obscure local exploits, maybe a little bit more than i had on my powerbook (in a comparable period), but we're far from hundreds.

I agree that people talk too much of Mac OS X patches, but that's not a reason for being offended and bashing others operating systems, especially open source ones. Fri, 20 Apr 2007 20:22:00 GMT donotreply@osnews.com (ValiSystem) Comments RE http://osnews.com/thread?232578 http://osnews.com/thread?232578 I wasn't bashing Linux at all - I stated that security updates are a good thing. Linux gets lots of patches because there is so much of it that is open source, and all programs on the system go through the same update system, naturally giving many more updates. But yet, we don't get news of these. But every single time Apple issues new updates; it's on the top of Digg and published everywhere. Fri, 20 Apr 2007 20:34:00 GMT donotreply@osnews.com (Kroc) Comments RE Agreed http://osnews.com/thread?232580 http://osnews.com/thread?232580 I completely agree. Confusing expansion of the kernel and bug completions due to either experimental implementations or further background on a particular subject allowing for a more complete solution are definitely not exploits and security breaches. Fri, 20 Apr 2007 20:35:00 GMT donotreply@osnews.com (tyrione) Comments RE http://osnews.com/thread?232587 http://osnews.com/thread?232587 Most of security updates i have on my ubuntu box are obscure local exploits, maybe a little bit more than i had on my powerbook (in a comparable period), but we're far from hundreds.
Only bug fixes and new feature, yeah I saw that ...
http://secunia.com/product/2719/?task=statistics
116 security holes since 2004 ...

And I assume that all those security holes from firefox are new features too
http://secunia.com/product/4227/?task=statistics (100% remote).

I will stop the demonstration here. If you think that your linux is more secure than mac os x, you are wrong. Fri, 20 Apr 2007 20:53:00 GMT donotreply@osnews.com (Duffman) Comments RE http://osnews.com/thread?232603 http://osnews.com/thread?232603 Job done, thanks Apple...

Security is NEVER done. It's a constant work in progress. Fri, 20 Apr 2007 21:33:00 GMT donotreply@osnews.com (tomcat) Comments RE: excuse me http://osnews.com/thread?232612 http://osnews.com/thread?232612 Attaboy ;) Fri, 20 Apr 2007 21:44:00 GMT donotreply@osnews.com (dylansmrjones) Comments RE http://osnews.com/thread?232615 http://osnews.com/thread?232615 Most of these holes were less critical and only few of them were remotely exploitable. It's not like Windows where most public known holes are extremely critical and always easily remotely exploitable. Security holes on *BSD, Mac and Linux tend to be mostly theoritical. Some of the same is true for Vista. Fri, 20 Apr 2007 21:47:00 GMT donotreply@osnews.com (dylansmrjones) Comments RE http://osnews.com/thread?232619 http://osnews.com/thread?232619 O.K., first of all, what exactly does Firefox have to do with anything? It isn't required on Linux (Konqueror, Galeon, Seamonkey, etc etc) and runs on Mac OS X and Windows as well.

And OS X, by the way, isn't much further behind the Linux Kernel in vulnerabilities.

http://secunia.com/product/96/

Of course, comparing an entire operating system (OS X) to a kernel (Linux kernel) is kind of pointless. Comparing Darwin to the kernel, or OS X to a well maintained distro would make much more sense. However, even this is pointless, because the average Linux distro contains much more software than Mac OS X, and vulnerabilities in any package, no matter how obscure and unused the package is, would show up on Secunia.

After reaching into the far regions of my brain, I've come up with the best solution. Quit fighting over something as insanely stupid as how secure your OS of choice is (one of the most pointless pissing contests I've seen in a while) and do something useful. Fri, 20 Apr 2007 21:58:00 GMT donotreply@osnews.com (rm6990) Comments RE http://osnews.com/thread?232620 http://osnews.com/thread?232620 I'm really curious to know what is the point of your "demonstration".

http://secunia.com/graph/?type=cri&period=all&prod=2719
http://secunia.com/graph/?type=cri&period=all&prod=96

By the way, i never pretended that linux were more secure, actually, i don't mind, they both have a security level well above i need for my use.

I just wanted to say that the "hundreds" patches thing was not an argument to complain about Mac OS X patches discussions we see at each patch releases. Fri, 20 Apr 2007 21:58:00 GMT donotreply@osnews.com (ValiSystem) Comments RE http://osnews.com/thread?232635 http://osnews.com/thread?232635 Uh... Windows get based every time a vulnerability is found or a patch is released. Typically this comes from the Linux community, so I really don't see why you're complaining. Fri, 20 Apr 2007 22:49:00 GMT donotreply@osnews.com (flanque) Comments RE http://osnews.com/thread?232639 http://osnews.com/thread?232639 Solaris 10, telnet...

telnet -l "-froot"

Couldn't get easier. Fri, 20 Apr 2007 22:51:00 GMT donotreply@osnews.com (flanque) Comments RE http://osnews.com/thread?232646 http://osnews.com/thread?232646 Doesn't mean anything in regard to Linux, *BSD and Mac. Dooooh!

Besides that you are spreading FUD. That particular security hole does not exist in a default Solaris 10 installation.

You have to modify a variable in /etc/default/login in order for the "flaw" to work. So truth is there is no security hole. The user has to deliberately make his system unsafe. Fri, 20 Apr 2007 23:32:00 GMT donotreply@osnews.com (dylansmrjones) Comments RE http://osnews.com/thread?232647 http://osnews.com/thread?232647 That's because Windows flaws are almost always highly critical and remotely exploitable. This hardly ever happens with Linux, *BSD, Mac, Solaris and other Unices. Fri, 20 Apr 2007 23:34:00 GMT donotreply@osnews.com (dylansmrjones) Comments RE http://osnews.com/thread?232650 http://osnews.com/thread?232650 Firefox is irrelevant in regard to the OS. These security holes also exist on Mac and Windows. They are not OS-specific but Browser-specific. And the majority of Firefox users are using Windows ;) Fri, 20 Apr 2007 23:44:00 GMT donotreply@osnews.com (dylansmrjones) Comments RE http://osnews.com/thread?232655 http://osnews.com/thread?232655 Always an excuse. Sat, 21 Apr 2007 00:20:00 GMT donotreply@osnews.com (flanque) Comments RE http://osnews.com/thread?232659 http://osnews.com/thread?232659 Yes, and a technically valid one ;) Sat, 21 Apr 2007 01:05:00 GMT donotreply@osnews.com (dylansmrjones) Comments RE http://osnews.com/thread?232661 http://osnews.com/thread?232661 Highly, highly debatable. Sat, 21 Apr 2007 01:47:00 GMT donotreply@osnews.com (flanque) Comments RE http://osnews.com/thread?232670 http://osnews.com/thread?232670 Nope.

1) Windows security issues tend to be very critical while security issues with 0*BSD, Linux, Mac, Solaris and other Unices tend to be less critical.

2) Windows security issues tend to be remotely exploitable while this isn't the case for *BSD, Linux, Mac OS X, Solaris and other Unices.

Conclusion. Windows is more insecure than any other OS.

It is not only the number of flaws, but also the criticality of the flaws and the time taken to fix them that are important.

Windows loses big time in this regard.

But of course you disagree. You spread lies about other OS'es like your lame Solaris-attack, which you chose not to reply to.

Why did you claim Solaris had a telnet-vulnerability when it doesn't have one? Sat, 21 Apr 2007 02:43:00 GMT donotreply@osnews.com (dylansmrjones) Comments RE http://osnews.com/thread?232671 http://osnews.com/thread?232671 Gee, now that's a convincing set of arguments to conclude on. Windows security "tends" to be critical, Windows security "tends" to be remotely exploitable, so lets conclude it's more insecure. Solid and impressive.

As for spreading lies, I didn't. It's a problem with the Solaris 10 telnet daemon. Yes, it has to be enabled/opened to use but this is no different to any other service based vulnerability. Having a service in a disabled state is a temporary workaround, not a fix. The vulnerability still exists and all it takes to expose a system is some unknowing person to enable it for some tunnel vision reason without knowing the greater implications.

Add to that, I think many would agree that many sysadmins enable it to make fault finding easier thinking, "it's just telnet" or purely because they don't know better.

To justify that a vulnerability is somehow "OK" or "invalid" just because you can disable the problematic service is ridiculous and certainly raises questions over one's risk assessment competence.

Windows loses big time in this regard.


Yes, Windows Server 2003 certainly has proven to be very insecure. Sat, 21 Apr 2007 02:59:00 GMT donotreply@osnews.com (flanque) Comments RE http://osnews.com/thread?232672 http://osnews.com/thread?232672 And to be clear, I am aware of the need for the /etc/default/login CONSOLE entry. Sat, 21 Apr 2007 03:01:00 GMT donotreply@osnews.com (flanque) Comments RE http://osnews.com/thread?232676 http://osnews.com/thread?232676 Well in that case you would also know that there is no security hole. It is not a security hole if the user needs to open the hole before it works.

It is like claiming the Windows Firewall is insecure solely because the user can turn it off. Sat, 21 Apr 2007 04:12:00 GMT donotreply@osnews.com (dylansmrjones) Comments RE http://osnews.com/thread?232681 http://osnews.com/thread?232681
Windows security issues tend to be very critical while security issues with 0*BSD, Linux, Mac, Solaris and other Unices tend to be less critical.


Thats debatable - it is ranked critical not because of the flaw itself, but the risk factor; the fact that Windows has a greater marketshare makes the risk factor higher than another operating system with less marketshare with a similar flaw.

The risk is there because as a product with a bigger marketshare, there will be more who are willing to spend time to come up with worms and virus's that target that specific hole.

You think thats rubbish? look at UNIX before the rise of Windows - it was the target for ever two bit hacker, cracker and oxgen thief out there - to say you 'cracked a *NIX box' was seen as some sort of an achievement.

People will say "what about Apache" - Apache is a small non-profit organisation that won't attract the same sort of attention that an attack on a product made by a large corporation. Add to the mix the 'supporting the underdog' ethos that seems to be in the IT world, if a cracker wants attention, Microsoft is their best target for it.Edited 2007-04-21 04:35 Sat, 21 Apr 2007 04:32:00 GMT donotreply@osnews.com (kaiwai) Comments RE http://osnews.com/thread?232684 http://osnews.com/thread?232684
Gee, now that's a convincing set of arguments to conclude on. Windows security "tends" to be critical, Windows security "tends" to be remotely exploitable, so lets conclude it's more insecure. Solid and impressive.


I didn't conclude on basis of tendencies. I conclude - on basis of hard facts - that:

1* Windows have more highly critical flaws than Linux, Mac OS X as well as BSD, Solaris and other Unices.
2* Windows have more remotely exploitable flaws than Linux, Mac OS X as well as BSD, Solaris and other Unices.
3* A Windows security vulnerability tend to be more critical than a vulnerability for other OS'es.
4* A Windows security vulnerability tend to be more often remotely exploitable than a vulnerability for other OS'es.

The basis for these four conclusions are the number of highly critical and remotely exploitable flaws in Windows. Highly critical and remotely exploitable flaws are virtually non-existent in Linux, Mac OS X as well as in *BSD, Solaris and other Unices.

So yes. Very solid and impressive. Solid security in other systems and impressive lack of security in Windows. Animated cursors anyone? ;)

As for spreading lies, I didn't. It's a problem with the Solaris 10 telnet daemon. Yes, it has to be enabled/opened to use but this is no different to any other service based vulnerability. Having a service in a disabled state is a temporary workaround, not a fix. The vulnerability still exists and all it takes to expose a system is some unknowing person to enable it for some tunnel vision reason without knowing the greater implications.


No, there is no issue with the telnet daemon on Solaris 10. There is a problem if you DISable a security setting in the configuration file. I agree that an insecure service in disabled state is still insecure and merely a workaround (in fact a very bad workaround). However, this is not the case for the telnet daemon. It is enabled and open. What is not possible is to use it remotely which you shouldn't do anyway under any circumstance on any OS. Use SSH for that.

It correct that disabling the security setting will poses a security threat but disabling the firewall in Windows also poses a security threat. But that doesn't mean the option to turn off the firewall is a vulnerability. Persons using Solaris are not dumb enough to let anyone log-on remotely without authorization. If they are dumb enough to do that they deserve all kind of trouble.

Add to that, I think many would agree that many sysadmins enable it to make fault finding easier thinking, "it's just telnet" or purely because they don't know better.


No. Only if you ask people that don't know about computers. But they wouldn't be sysadmins on a Solaris system so they are irrelevant. No sysadmin would EVER disable the security setting (no enabling here - it is disabling!) for the sake of convenience. If they want anything they'll use SSH. And not telnet. A Solaris sysadmin knows much better than that. Even if they didn't know better it is still not a security vulnerability. Stupid modifications to the configuration is a human error and not a flaw in the software. There is no security vulnerability. There is a possible risk if the user is dumb enough to turn off the security setting (commenting out the CONSOLE line in this case). It is basically a story blown out of proportion.

If somebody turned off the Windows firewall would you consider that option to be a security vulnerability or just plain stupid behaviour?

To justify that a vulnerability is somehow "OK" or "invalid" just because you can disable the problematic service is ridiculous and certainly raises questions over one's risk assessment competence.


Nobody has claimed that you should disable the service. Telnet is not a problematic service. It is some of the non-defaults that are problematic. That's why you shouldn't disable the security settings. There is no security vulnerability in telnet for Solaris 10. There are some security related settings turned on be default. Turning these settings off do not constitute a security vulnerability. Turning them on do however constitute a security risk. But a security risk and a security vulnerability are not the same things. Justifying FUD by removing the difference between risk and vulnerability certainly raises questions over one's risk assessment competance ;)

Yes, Windows Server 2003 certainly has proven to be very insecure.


Well, it's not exactly convincing. It has much better defaults than Windows XP (which is why I have Windows 2003 Server installed as my chosen Windows platform) but it still lags far behind. Windows 2003 Server has many highly critical security issues and loses big time in that regard. In wins over XP but only because of better defaults. The software is still highly insecure, as is evident in the beginning of each month. Sat, 21 Apr 2007 04:52:00 GMT donotreply@osnews.com (dylansmrjones) Comments RE http://osnews.com/thread?232686 http://osnews.com/thread?232686 That depends on the exact definition of "risk". I'd expect the risk to be calculated on basis of access to the system by this flaw combined with how easy it is to exploit. The risk of somebody exploiting it doesn't mean much to me since the risk of exploiting it is a result for the easyness of exploiting it and the damage one can do with that vulnerability.

The marketshare doesn't mean anything when you get past the 1% (or 2%) line. At that stage the marketshare is big enough to warrant attacks. Take a look at Apache servers. They are constantly attacked but seldom surrenders. It is not lack of attacks that make Apache reasonably safe. It is the code quality (and the configuration). The many Windows flaws are not a result of market share but poor codequality and stupid defaults.

Add to the mix the 'supporting the underdog' ethos that seems to be in the IT world,


This is moot now, because most crackers are not in it anymore for the ideology but mostly for the money. Most crackers are working for companies making money on spam as well as spyware and malware.

The old cracker is dead. Sat, 21 Apr 2007 04:59:00 GMT donotreply@osnews.com (dylansmrjones) Comments RE http://osnews.com/thread?232700 http://osnews.com/thread?232700
That depends on the exact definition of "risk". I'd expect the risk to be calculated on basis of access to the system by this flaw combined with how easy it is to exploit. The risk of somebody exploiting it doesn't mean much to me since the risk of exploiting it is a result for the easyness of exploiting it and the damage one can do with that vulnerability.


Risk is based on the ease of exploit, the impact of that exploit (does it bring down the whole server, or does it just impact on performance?) and how many people utilise that service.

Its like someone claiming that "oooh, zyx feature in Linux has a vulnerability" - but if the vast majority *don't* use that service, the risk of the security vulnerability is *very* low.

The marketshare doesn't mean anything when you get past the 1% (or 2%) line. At that stage the marketshare is big enough to warrant attacks. Take a look at Apache servers. They are constantly attacked but seldom surrenders. It is not lack of attacks that make Apache reasonably safe. It is the code quality (and the configuration). The many Windows flaws are not a result of market share but poor codequality and stupid defaults.


Yes, but at the same time, look at Windows Vista? I mean, its a friggin large code base - when compatibility is broken for security, people whine. When compatibility is kept at the risk of security concern, people whine - what do you want?

You think that Linux has 100% perfect compatibility? remember the move to NPTL? remember the GTK fix which broke compatibility for the sake of correcting issues - I'm not bashing Linux, but lets be honest.

Microsof thas a large user base, they must fix up issues whilst not causing new issues to arise; its a pretty damn complicated dance step to make; billions and thousands of programmers don't make something better or worse. Don't assume because an organisation has those things at their disposal, everything should be perfect.

This is moot now, because most crackers are not in it anymore for the ideology but mostly for the money. Most crackers are working for companies making money on spam as well as spyware and malware.


True, hence, the concern shouldn't be on bashing a particular operating system vendor, but instead work together on catching these criminals.

By simply the various vendors pissing on each other over which is more vulnerable; the focus is taken off the perpertrators of these criminals acts and instead on simply child like taunting. This taunting goes both ways.

I'm not going to stand up for a company (they've got paid PR people to do that), but I think that all companies need to buck up their ideas and stop boasting one way or another. Microsoft needs to stop acting juvinile by attacking the licence or so-called 'security issues'. If they want to compete with Linux, compete based on actual realities rather than using subjective diatribes.

Sure, I use Windows Vista Business Edition, and with Office 2007 (one of Microsofts best products) its a pretty damn good setup - why why do Microsoft need to descend to name calling?Edited 2007-04-21 10:13 Sat, 21 Apr 2007 10:10:00 GMT donotreply@osnews.com (kaiwai) Comments