Linked by Thom Holwerda on Thu 23rd Jun 2011 22:51 UTC
Mac OS X "Apple has now released Mac OS X 10.6.8, the eighth maintenance update for Snow Leopard, via Software Update. The update offers a number of fixes implemented since the release of Mac OS X 10.6.7 in late March."
Apple's engineers getting better
by 3rdalbum on Fri 24th Jun 2011 09:34 UTC
3rdalbum Member since:
2008-05-26

Usually, looking at a list of security fixes in Mac OS X updates is like watching The Three Stooges: You laugh at all the buffoonery that's happened.

There's normally a whole bunch of security fixes for things that you'd never believe could make it through quality assurance, such as "Entering a password with three letter A's causes the user's privileges to escalate" and "Guest users can use 'cron' to run malicious code after they've logged out".

To Apple's credit, I had a quick scan through the list of fixes, and there were no thigh-slappingly-hilarious ones. This was about the funniest I could see:

Impact: Visiting a malicious website may lead to files being sent from the user's system to a remote server

Description: A cross-origin issue existed in WebKit's handling of windows. Visiting a malicious website may lead to files being sent from the user's system to a remote server. This issue is addressed through improved tracking of origins.
CVE-ID: CVE-2011-0167

Of course, this might just mean that Apple HASN'T fixed the one that allows a maliciously-crafted PDF to set your printer on fire; but I hope this means that OS X is finally maturing as a secure platform. About time, considering it's over ten years old.

Reply Score: 3

kaiwai Member since:
2005-07-06

What has always confused me is how Apple is so happy to break compatibility when it comes to adding or enhancing something but apparently it is 'one step too far' when it comes to breaking compatibility for the sake of security - implementing ASLR system wide has only just come to Mac OS X Lion for example, something that should have been implemented in Snow Leopard (if you're going to break a couple of things why not go for gold and smash a few more things whilst you're at it?).

One thing that has surprised me is how Apple is still supporting 10.5 given how quick they are to throw the old release under the bus and push people onto the next version (especially so given the cheap price of Snow Leopard and same low price repeated again with Lion).

Regarding WebKit, it'll be interesting to see whether the different parts being isolated off will result in a more secure experience as with the case of WebKit2 versus WebKit1; hopefully we'll get to see some security boffins having a good hack away at it to see whether all the hard work has paid off.

Reply Parent Score: 2

malxau Member since:
2005-12-04

"One thing that has surprised me is how Apple is still supporting 10.5 given how quick they are to throw the old release under the bus and push people onto the next version..."

Apple have had a pretty consistent policy for a long time of issuing "minor" updates to the current release, and security updates only for the previous release. It's quite possible (likely?) that 10.6.8 will be the final minor update for 10.6 under this model, and this will be the final security update for Leopard. After this, PPC users are totally screwed.

Reply Parent Score: 2

MOS6510 Member since:
2011-05-12

I guess they still support 10.5 because that's where all the G4 and G5 PowerPC-based Macs got stuck. The dual CPU editions are still pretty powerful and I can imagine they are still in serious use.

Reply Parent Score: 1