Apple’s security update train rumbled into the station late May 11 with fixes for a whopping 43 Mac OS X and QuickTime vulnerabilities. The company’s Security Update 2006-003 patches 31 flaws in Mac OS X, most of them serious enough to cause ‘arbitrary code execution attacks’. Apple also shipped QuickTime 7.1 as a major security overhaul to correct 12 code execution and denial-of-service flaws.
At least with Windows I have come to expect updates, patches, etc, and so I am not fazed by the fact that my computer and all of its files were open for some period of time… But, I had never expected that OSX would be as vulnerable as it clearly is (increasing number of serious bugs found). Even my trusted Ubuntu install often patches serious ‘arbitrary code execution’ holes… This has got me a bit shaken…
Is this just part of computing, something I have to accept, or will we have totally secure software one day? Surely, code analysis tools must exist to catch some of these more basic problems (like the missing { in the X.org release)
Instant solution:
Disconnect internet.
If you notice, the security holes in these os’s seem to be with programs that support the os.. not the os itself (usually). to answer your question.. no.. there will never be a completely secure shytstem. I would also say that because you run osx or ubuntu (as i also run both) does not excuse you from practicing best housekeeping practices. Ya know.. use a router.. iptables… that sort of thing.
When software is proven before shipped. So yes, if you would like to wait 200 years for Adobe Photoshop you can have totally secure software.
But yes, software is getting more secure in general due to a few things:
1.) Better recognition for it amongst developers.
2.) Better tools for preventing it (this also means slower btw).
3.) Better tools for making exploitation beyond DoS (a crash) highly unlikely.
Apple and its users should feel lucky that these things are being discovered now instead of later when it may become a bigger target. Little to no damage caused by these yet.
Apple and its users should feel lucky that these things are being discovered now instead of later when it may become a bigger target.
yes… we should all get down on our hands and knees and offer the mighty steve oral pleasure.
Installed the patches and everything seems fine. As a software developer I’m not worried about holes being patched. There are always bugs and logic problems in any complex piece of software. I’m glad that they are being found and fixed.
…Mac’s had going for it was security.
It’s gotten to be now that I can’t even recommend a Mac to a newbie anymore. I used to set them up and forget them as they go through the learning curve.
Not any more.
If Mac OS X security is going to be this bad from now on, Apple might as well just sell Vista on their boxes next year.
Maybe that’s the plan all along, they’re going to replace Dell.
i don’t understand this impression people have that macs are secure. i haven’t seen much beyond very simple security mechanisms distinguishing osx from windows.
might be down to the lack of viruses, spyware, trojans and hacking attempts……
Having no major viruses, spyware and the like helps. I’ve even seen Apple capitalizing on this idea with a commercial that advertises how in Apple you don’t have to worry about viruses.
Until there is a major virus that is easily activated and spreadable people are going to feel that Macs are more secure, even if they aren’t.
I agree, the only difference is some very simple security mechanisms. But those simple mechanisms are a huge deal to me. The Mac on my desk at work frequently asks me for my password and confirmation before doing anything important that affects the system as a whole, while the Windows box just quietly does things. Similarly, my Mac double-checks me before running any applications that it hasn’t seen before, while it’s possible to get my Windows box to run software I never even knew was on my computer without my knowledge. My Mac doesn’t run anything with privileges it doesn’t need, and my Mac doesn’t do silly things like building the web browser so deeply in the OS that it has the ability to muck with stuff a web browser should never be allowed to touch in any sane world.
It’s really not that any of these measures are such a great testament to how secure OS X is – I’ll be the first to say, they’re all rather simple, mundane, and obvious precautions. It’s that the lack of these measures is a great testament to how insecure Windows is. They’re also a great testament to how little Microsoft cares about security.
For example, the running crap without my knowledge or permission issue has been a serious problem on Windows since time immemorial and it lies at the heart of the malware problems that plagued windows users for a long time spanning many versions of Windows, but, as far as I can tell, Microsoft _still_ hasn’t come up with a comprehensive solution to the problem. On the other hand, when someone discovered that the same problem existed on OS X and simply released a proof-of-concept exploit to show people the problem, Apple implemented the “nothing new without permission” policy within a few months. Thanks to this security measure, the one OS X virus (if you can call it that) to really get spread around in the wild can’t infect you unless you explicitly give it permission to run on your computer.
I agree, Apple has done a lot. But they have lost the “appliance” image.
Again another example of a crap rating system, since such stupidity can be easily modded up, but can’t be modded down.
much beyond very simple security mechanisms distinguishing osx from windows
There might be only very few architectural differences between you and an ape too, still apes seem to have more understanding of OS architecture differences.
I still see you’re trolling the same old line, Justanothermacuser?
What are you going to suggest they move to then which is better than OSX on security?
I can’t see what about this story yet again makes you think they should dump OSX and tell people to use XP
Well, ok, when was the last time you had to clean an OSX based mac for viruses, trojans and spyware?
(Edit: I was asking Justanothermacuser)
Edited 2006-05-13 23:22
Actually about 3 weeks ago, my Mac was owned.
No bullshit.
Actually about 3 weeks ago, my Mac was owned.
No bullshit.
====================================
This will get modded down, bullshit?, maybe or not, but you’re full of it
Actually about 3 weeks ago, my Mac was owned.
How? Date? Time? Proof/logfile?
I ask so that we all can take a look what happened to you and see if we’ve got the same back door open in our systems.
Well there were 43 vulnerability fixes in this last OS update, plus there are more out there like the metadata file exploit that wasn’t fixed.
I have no idea which one it was that got the code on the box, but they had root because I gave it to them during a routine install. Quite clever, must have been monitoring another app waiting for the sudo call, waited a few moments and then asked for it with a legit looking window, even the process name sounded authentic. It looked like it was part of an original install.
The problem on Mac OS X is too many apps are demanding root access to install.
The problem on Mac OS X is too many apps are demanding root access to install.
And Windows does not?
BTW: OSX doesn’t ever give you root unless you specifically enable it deeply somewhere inside the preferences. I can’t remember where, because I’ve never used it. What you get is Administrator’s access. Not actual root.
And Windows does not?
Yea we know what that does for security too.
With Mac OS X most apps don’t need root access to install, but what’s happening is they are demanding it anyway to gain more control of a users system under the pretext of features.
What this does is allows more foreign code in root space greatly increasing the exploit potential. McAfee, Norton AV “rar” exploit and Sony Root kit are prime examples. There have been exploits in Adobe’s software as well installing as root.
What you get is Administrator’s access. Not actual root.
On Mac’s the admin password gives access to root using “sudo”, we use it all the time to install OS updates, clone entire boot drives etc. It’s only a temporary window of root opportunity under admin user.
To enable the root user permanently a certain program is run, the admin password is entered and the root user is enabled, which one has to log into. The root user can have a different password if need be. No sane user runs as root online.
Once you give a program the admin password it can do whatever it wants, including turning on the root user. But it doesn’t need it to do damage.
The reason Mac OS X is supposedly more secure is not just any old program or exploit can alter Mac OS X itself because it needs the Admin password to “sudo”.
The problem on Mac OS X is too many apps are demanding root access to install.
This is pretty much true for all platforms. My system isn’t compromised, despite the fact I’ve been installing almost all apps as root (or “Administrator” on Windows).
Root Access isn’t a problem when installing. It’s more of a problem if an application running as normal user “suddenly” acquires root access.
Root level app installs are a problem because it introduces application exploits in root space.
Norton AV “rar”, Sony root kit, even Adobe had an issue.
Of course applications installed as “root” (or “Administrator”) can create havoc in your system.
That’s why you only install software from trusted sources.
Software from the three mentioned companies are completely non-existent on my machine. Especially Norton AV, Sony is blacklisted, and Adobe create bloated software, so they are blacklisted as well.
Solution is (as it has always been) only to install software from trusted sources.
I agree. Root is sacred ground.
The problem comes from application exploits in root space, plus Apple changes things constantly.
Norton AV “rar”, McAfee and Sony/BMG rootkit for instance.
I have no idea which one it was that got the code on the box, but they had root because I gave it to them during a routine install. Quite clever, must have been monitoring another app waiting for the sudo call, waited a few moments and then asked for it with a legit looking window, even the process name sounded authentic. It looked like it was part of an original install.
Or, much more likely, the “routine install” actually included the trojan.
There is *nothing* any OS can do to prevent trojans, they are a form of social engineering and do not need to exploit any security vulnerability.
If a user downloads a program from a P2P network or launches one from a email and gives it their admin password, then yes, they deserve to be butt raped hard.
But in my case I had the new software update that checks downloads that appear to be files but are actually apps. I don’t run anything from emails and I try to visit safe sites.
How the trojan got to run in userland on my box is unknown. What I do know it was posing and waiting for me to do something with sudo. I then popped up a common Mac OS X window that names the process and asking for the admin password as well.
Two requests for the admin password in the same session? Only moments apart from each other? Well within the 5 minute window?
Then when I booted from my clone and repeated the same steps I only get the one request for admin password? Something fishy was going on all right.
The problem on Mac OS X is too many apps are demanding root access to install.
Questions:
1) Why did you enable your root account to begin with?
2) Don’t all installs on a properly set up *nix system ask for an Admin or Root password? I mean, isn’t this the *defacto* standard?
I have no idea which one it was that got the code on the box, but they had root because I gave it to them during a routine install. Quite clever, must have been monitoring another app waiting for the sudo call, waited a few moments and then asked for it with a legit looking window, even the process name sounded authentic. It looked like it was part of an original install.
You know how this thing got installed on your box yet can’t even tell us the name and are mighty slim on what, specifically, it did.
Frankly that sounds mighty fishy.
God is in the details.
How did you discover it? What was it doing?
1 & 2) Admin user uses an Admin password which gives it a window to “root” for a short period. Root user is not enabled full time, but can be enabled with a program and the Admin password, then logged into.
We use the Admin password to do everything from cloning boot drives to OS updates. It’s root access at the command line using “sudo” (superuser do) before any command.
You know how this thing got installed on your box yet can’t even tell us the name and are mighty slim on what, specifically, it did.
Sorry I didn’t keep records or get a computer science degree. I just wiped from a OS write protected disk and cloned from backup. I just wanted to forget the whole thing as soon as possible at the time.
How did you discover it? What was it doing?
Process was hogging CPU, modem was going all night for no reason, outgoing packet count was insane, unusual requests for admin password, files no longer opened, outgoing firewall disabled. Just little things like that.
I didn’t sweat it, I got clones. I tightened up my box even more since. I guess now that I think about it I should have imaged the drive and sent it off to Apple. But they seem to expect us to find the bugs for them or something. Like I really want the glory of finding a bug in software, I rather get laid and catch a fish first.
You know how this thing got installed on your box yet can’t even tell us the name and are mighty slim on what, specifically, it did.
Sorry I didn’t keep records or get a computer science degree. I just wiped from a OS write protected disk and cloned from backup. I just wanted to forget the whole thing as soon as possible at the time.
How did you discover it? What was it doing?
Process was hogging CPU, modem was going all night for no reason, outgoing packet count was insane, unusual requests for admin password, files no longer opened, outgoing firewall disabled. Just little things like that.
I didn’t sweat it, I got clones. I tightened up my box even more since. I guess now that I think about it I should have imaged the drive and sent it off to Apple. But they seem to expect us to find the bugs for them or something. Like I really want the glory of finding a bug in software, I rather get laid and catch a fish first.
—
JustAnotherMacUser knows how to do all that and he doesn’t know how to check a system log or pull up a list of all the programs running on the machine.
Yeah. Right.
Dood. Pull the other one. It plays Jingle Bells.
JustAnotherMacUser knows how to do all that and he doesn’t know how to check a system log or pull up a list of all the programs running on the machine.
How can I read a system log? It’s all gibberish to me.
Many Mac users post their system log at the Apple forums hoping someone can read it to find out what caused their machine to kernel panic. Nobody can.
And yes I know how to “top” to get a list of running programs. But there are so many, each config has different programs and there is no database to confirm or deny. Doesn’t matter, this trojan used the name of a official Apple process anyway.
As you might not know, one can run multiple same named processes, each is given a “PID” or Process ID number which is different every time the process is run. So how am I, an above average user, supposed to confirm that “lookupd” is actually “lookupd”?
So really you actually have no idea if this “owning programme” was actually a virus or just a process going haywire?
Why didn’t you report it? You’d be famous, the first OSX machine to get “owned”
Is this your owning
http://www.macfixitforums.com/php/showflat.php?Board=Forum35&Number…
Sorry that’s not the name of the process that was duplicated as a trojan in my case.
My ‘trojaned process’ by its official name has nothing at all to do with networking or causing the behaviors I saw.
In fact without actually having a copy of the drive around anymore it’s really impossible to find out exactly what was going on. I can only report on what actually appeared on my screen and modem behavior, not what went on underneath.
I’m at my machine for hours everyday, I know when it purrs and I know when it’s sick. Like I said before, perhaps I should have imaged the drive and sent it off to Apple. But a trojan on the machine doesn’t necessarily reflect on how it got on there in the first place.
You’re full of shit, you mention a process that make a backtrack when asked if this is it?
If you did a search on the knowledge bases then you’d remember what it is why mention a substitute process?
I remember the “trojaned process” name all right and I have searched for any reference to it online.
It really doesn’t matter what the name of the process is, because there are hundreds of process names it can assume to make it appear legit in Mac OS X “top” and “Activity monitor”.
Mac OS X just gives it a PID and runs it, even if it’s a duplicate.
That’s another problem with Mac OS X security, we have no frigging idea what all those processes are and their validity. Each user’s machine is different, we can’t even compare notes, duplicate processes are common.
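The question raised in the posts above (how to confirm that a process called “lookupd” really is “lookupd” when names can be duplicated) comes down to checking where each process’s executable lives rather than what it is called. The script below is an added example, not part of the original thread; the allowlist paths, the sample `PID path` lines and the function name `check_procs` are constructed for illustration, and a real allowlist should be built from a known-clean install.

```shell
#!/bin/sh
# Added example: flag processes whose *name* matches a tracked system daemon
# but whose *executable path* is not the location that daemon is installed in.
# A process can call itself anything; it cannot as easily live at a path
# that is only writable by root.

# Allowlist of "name expected-path" pairs. Constructed for illustration;
# generate the real list from a trusted, freshly installed system.
ALLOWLIST='lookupd /usr/sbin/lookupd
configd /usr/sbin/configd
syslogd /usr/sbin/syslogd'

# check_procs: read "PID PATH" lines on stdin and print one finding per
# process that carries a tracked name but fails the path check.
#   SUSPECT - absolute path differs from the expected one
#   UNKNOWN - only a bare name is available, so the path cannot be checked
check_procs() {
    while read -r pid path; do
        [ -n "$pid" ] || continue            # skip blank lines
        name=${path##*/}                     # basename of the executable
        expected=$(printf '%s\n' "$ALLOWLIST" |
            awk -v n="$name" '$1 == n { print $2 }')
        [ -n "$expected" ] || continue       # not a daemon we track
        case $path in
            "$expected")
                ;;                           # name and location both match
            /*)
                printf 'SUSPECT pid=%s name=%s path=%s expected=%s\n' \
                    "$pid" "$name" "$path" "$expected"
                ;;
            *)
                printf 'UNKNOWN pid=%s name=%s (no path available)\n' \
                    "$pid" "$name"
                ;;
        esac
    done
}

# Constructed sample input: two processes named lookupd with absolute paths,
# one in the expected location and one running out of a user cache directory,
# plus a third for which only the bare name was reported.
SAMPLE='  41 /usr/sbin/configd
  52 /usr/sbin/lookupd
 873 /Users/alice/Library/Caches/lookupd
 901 /Applications/Safari.app/Contents/MacOS/Safari
 950 lookupd'

# Demo run over the sample; on a live system pipe real "PID path" pairs in.
printf '%s\n' "$SAMPLE" | check_procs
```

On a live system the input would come from a process listing that reports the full executable path for each PID (for example `ps -axo pid=,comm=` where that column prints the path, which is an assumption to verify on your OS version). A matching path only shows the process was started from the expected file; comparing that file’s checksum against a known-clean copy is the follow-up check.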
Please tell us then, as we might then know what to look for on our Macs.
Also, details such as OS version etc so we know what might be vulnerable.
Don’t keep it a secret, let the world know the info of your discovery.
Your Mac was owned? Formatted then I take it? Fdisked? All data gone? Viruses eating all your files? That is what Owned means. I somehow doubt that happened.
“Owned” doesn’t necessarily mean someone was malicious in my box, just that they had control of it.
Actually about 3 weeks ago, my Mac was owned.
Congratulations! You’re part of the most exclusive club I know. Now that you are three to have had their OS X boxes owned, you can have a president, a vice-president and an accountant.
More than three my friend, a botnet of Macs. Read the article carefully, an app exploit was used to gain control over Macs and Mac OS X.
http://blog.washingtonpost.com/securityfix/2006/03/when_macs_attack…
More than three my friend, a botnet of Macs. Read the article carefully, an app exploit was used to gain control over Macs and Mac OS X.
====================================
Can someone reassure me that I’m not being stupid but the article is on about flaws in php???
Right, but how did the php application exploit get root of Mac OS X?
That’s the question.
Once a malicious process gets to be running on a Mac, it’s just a matter of time before it gets root. It can do a heck of a lot without root in the meanwhile. I’ve learned that lesson.
With so many applications now demanding a root level install and Apple not doing a darn thing about it, we Mac users are all going to end up like Windows. The Admin password will be worthless and numerous application exploits will further erode Mac OS X security.
This is an interesting article for a simple reason: The value of those php running machines (probably 99.9999% webservers) is far beyond the value of a hundred or thousand times the desktops. Why?
Bandwidth.
Of course, if you want to do advertising they’re obviously useless. But if you want a DDoS army this is where you go. And it’s a good reason why LAMP should never be considered anything less than a majority shareholder in its market and a valuable player for black-hats to try and penetrate.
The only thing…Mac’s had going for it was security.
I know you’re just trolling, but I still have to call BS. Macs have a lot “going for” them. The fact that OS X is more secure than Windows is just one of many, many benefits of the Mac platform.
Apple has been releasing security patches for its software as long as they have been making software. This is no different. Macs are still far, far more secure than Windows. The vulnerabilities that get patched never get exploited. I don’t know a single person who’s ever had a virus on their Mac, or spyware on their Mac. How many Windows viruses are actively circulating? How many Mac viruses are circulating?
Case closed.
Well let me be your first, no trolling, dead serious.
I have been using Mac’s ever since they came out.
The only piece of malware I ever got since being owned a few weeks back was the WDEF virus on a game disk.
Mac OS X security sucks compared to OS 9, plain and simple.
http://www.ciac.org/ciac/bulletinsByType/vndr_apple_bulletins.html
Mac OS X security sucks compared to OS 9, plain and simple.
but the list of OS X bug fixes is nothing compared to the list of MS security risks
http://www.ciac.org/ciac/bulletinsByType/vndr_ms_bulletins.html
—
And, as somebody who has had to use Classic Mac OS, it’s a mess of spaghetti code.
but the list of OS X bug fixes is nothing compared to the list of MS security risks
You know your argument is like two whores arguing who is the more of a virgin by how many times they had sex.
So, if you can’t recommend OS X to newbies because it now has “security problems”, and you just admitted that Windows have much bigger security problems than OS X, then what will you recommend? I suppose your choice then would be to recommend Linux, BSD, or maybe Solaris.
As much as I love my Gentoo boxes, and BSD and Linux in general, I’m not sure I’d recommend either of them for a newbie. Ubuntu, Lindows, or Suse would probably work quite well, but only if the hardware is known to work properly with Linux.
I personally think the Macs are the better computers for newbies. Not only are they by default among the most secure computers on the market, but they are also by far of the easiest to maintain for a complete novice.
Well, pick your poisons, I guess…
I recommend newbies don’t even to get hot and bothered about computers until we can get a Mac OS that’s safe, reliable and secure again.
Mac’s made great educational computers because a person could use it without needing a computer science degree. This gave them confidence to learn more and spend more time without beating them to death early in the learning curve like Windows does.
and you just admitted that Windows have much bigger security problems than OS X, then what will you recommend? I suppose your choice then would be to recommend Linux, BSD, or maybe Solaris.
Where I work they run solaris on the most important servers. And it has had patches to fix potential exploits
I run ubuntu on one of my laptops, it, too has had security updates.
I think at this point there’s only one OS left that meet’s the OP’s criteria for being basically unhackable and ubersecure and that’s the mighty VAX.
[quote]but the list of OS X bug fixes is nothing compared to the list of MS security risks
You know your argument is like two whores arguing who is the more of a virgin by how many times they had sex.[/quote]
Technically they can have sex, and still be virgins. It’s called a.. …….
I at least would be very grateful if we could contrive to discuss technical matters without recourse to violent sexual imagery, which does not seem to illuminate the subjects nominally under discussion.
Showing my age doubtless…
Mac OS X security sucks compared to OS 9, plain and simple.
I’d love to see a more detailed comparison of the two. I must say, I’m a bit skeptical of the idea that OS X’s security could suck compared to OS 9’s, unless your reasoning is something along the lines of “OS 9 has no security, therefore it doesn’t suck at all, since there’s nothing to do the sucking. OS X, on the other hand, does have security, and it obviously has at least some issues, therefore some positive amount of sucking, no matter how small. Since a positive number is by definition greater than zero, OS X’s security sucks more.”
Personally, I think almost any security sucks less than no security. I mean, OS 9 didn’t even have memory protection worth speaking of.
“Mac OS X security sucks compared to OS 9, plain and simple.”
I’d love to see a more detailed comparison of the two. I must say
/*no, I’m not bashing either Apple or OSX this time*/
Ok, this more or less joking point of view, but it is also realistic.
Actually parent is somehow right in some strange view.
OS9 didn’t give a shit about security. And it was worth at least shit.
With OSX they are preaching how secure it is. Can they? Can Linux? Can Solaris? Windows? Can any OS? Well, NO. As long as software exists, bugs will be there, because people tend to make mistakes and no one can see THE COMPLETE PICTURE. It is not bugs that pose problems, the ones posing the problems are broken designs. Even Windows with Vista tend to solve most of these. Vista will introduce “least privilege”, “userland drivers” and no browser as core of OS. Those three were the most problematic things in Windows design and I wouldn’t act surprised if Vista would actually get where MS would want us to believe XP is and catch up with the rest of the world on security.
Now the results:
Did OS9 achieve the level of security they bragged about? YES, security was greater than promised by PR department
Did OSX? NO, security is lower than promised by PR department
So, no matter how you look, which customer got more? The one getting more than promised (OS9 customer), but still less than the ones getting less than promised (OSX customer) but in the end both paid the same price?
And in the value of money, which money was better spent?
God, I love good conspiracy theory:)
Edited 2006-05-14 14:03
There is no such thing as “browser as core of OS” in Windows. IE is an application with the same privileges as any other browser. If a site was to take advantage of holes in Opera, or Firefox, it would be able to potentially do the same thing — install malware.
There is no such thing as “browser as core of OS” in Windows. IE is an application with the same privileges as any other browser. If a site was to take advantage of holes in Opera, or Firefox, it would be able to potentially do the same thing — install malware.
[again not really serious] You and I might said it so, yes:) But what MS said on the trial? [/again not really serious]
And please remember, my comment was not about bashing any OS, I was merely amused by conversation from two parent comments. As I pointed out, trying to be funny conspiracy theory which included the things MS said on trial too. Mere joke of the PR, promises and standards:)
So, hold on your horses and catch a breath:) Peace!
MS said IE is part of the OS, not part of the CORE of the OS
MS said IE is part of the OS, not part of the CORE of the OS
Yep, “too deeply integrated into the core of the OS for them to be able to remove it”
But then again we can also start searching the exact words by researching notes from the trial:) I think we both agree it would be pointless doing without any result;)
I consider the “core” the kernel, and anything else running in ring0, along with the subsystems.
I consider the OS, in the case of Windows, to be the whole package.
My only point here is that IE’s security woes do not have to do with it being integrated with the OS.
I consider the “core” the kernel, and anything else running in ring0, along with the subsystems.
I consider the OS, in the case of Windows, to be the whole package.
My only point here is that IE’s security woes do not have to do with it being integrated with the OS.
Now,… usually are not so slow:)
Let me go through all of the points, you just give me answers
1. Your viewpoint is the same as mine, I didn’t dispute that. Or did I?
2. Joke was based on PR selling value and what user really bought. In some strange viewpoint OS9 user got more security than OSX user. Even little is more than zero, OS9 didn’t almost even mention security. While OSX is using security as selling practice. And I think we both agree that there is no perfection (at least humanly possible bugs free) as PR is reselling in their announcements. Agreed?
3. MS (not me) said that on trial, that IE is “too deeply integrated into the core of the OS for them to be able to remove it” Since this started as PR I continued in PR sense. But somehow you started with reality show (again, you’re right with what you say, but reality is not what PR sells or reality you say is not what MS said on trial). Ok, so far?
4. Now I saw (after reading your comments) why your reality show started, because I mentioned two real and one unreal thing. Well it was a way of the joke to somehow connected PR and trial, nothing else. MS PR is commercializing now “userland drivers” and “least privilege” while they were reselling exact opposite before and claiming the same as now when they claim with opposite. Will this do?:)
It was all about what they alone said and resell. About the case, what you like more “buying shoes and getting free bike with them or buying car and getting moped instead, but you both times paid the price of item you were buying”. Of course moped is faster and better than bike, but you still had to pay price for the car.
So, hold on your horses:) You don’t need to prove me you’re right, because I agreed from the start (or even better said, I was thinking like that too).
p.s. I don’t agree with OS9 having more security than OSX either. But which buyer got more of security for his money worth, the one getting less than he paid or the one getting more than he paid?
Edited 2006-05-14 21:49
Did they say “core of the OS”? did they actually use “core”, or just say it was too INTEGRATED with the OS?
I’m fairly certain it was the latter.
Did they say “core of the OS”? did they actually use “core”, or just say it was too INTEGRATED with the OS?
I’m fairly certain it was the latter.
I’m fairly certain it was former.
But does it really matter?
Sheesh if you think that OSX security sucks compared to OS9 to show a total misunderstanding of the issue.
Lets face it OS9 did not have any security at all, it is in the same game league as Windows 95, even worse, OS9 did not have any memory protection at all while Win95 at least has basic one.
If OS9 would have the usage OSX nowadays would have we would see one worm and virus after the other, just as it happens in Windows nowadays.
What do you mean by “this bad”?
God you guys are pathetic. I bet a majority of the posters who are and will be dissing Apple now are Mac users. Get a life. Everyone knows with complex pieces of software there will always be plenty of room for vulnerabilities. That Apple is fixing buttloads of them is a testament to their bug fixes and development team. At least they are finding the bugs and getting rid of them as fast as they humanly can. I am an XP user and am quite used to seeing vulnerabilities. I mean look at what MS does. They release 4 patches on a good day once a month and yet there are way more documented bugs than they are fixing. At least it seems like Apple is trying unlike Microsoft.
But this is Apple and we are Mac users. We have come to expect that things should just work for us without too many issues like we are seeing.
It comes from the OS 9 days, that OS was in use unchanged for many years. It was safe, secure and reliable.
I see what’s happening, it’s Steve Jobs relentless innovation cycle. Introducing so much new stuff that there isn’t time to check the old for stability and reliability.
It was safe, secure and reliable.
It also had shit multitasking, no protected memory, and you’d get the bomb of death when your extensions started conflicting.
Because yeah, setting up special sets of extensions to accomplish specific tasks — yeah, that was fun.
Oh, and that feature where when you pulled down the menu, all other activity on the machine stopped, which was why the menus could only stay open for 30 seconds at a stretch.
Classic OS looked pretty and ran fast and didn’t take a lot of memory to use. But technically speaking, it was a gold plated turd.
And the reason it was so “secure” is that classic OS had such a small user base that NOBODY BOTHERED TO CODE VIRUSES FOR IT. It was the ultimate in “security through obscurity”.
So, just please stop preaching the glories of Classic Mac OS.
Well if what we saw today with 43 vulnerabilities fixed is a sign of future things to come I’m going to buy a cheap PC with Vista instead.
Well if what we saw today with 43 vulnerabilities fixed is a sign of future things to come I’m going to buy a cheap PC with Vista instead.
Two points:
1. I would love to see more updates like this. It’s awesome to see that Apple cares about security as much as any other UNIX vendor.
2. Vista is not out yet. How do you know that you will get more reliability and security than with the current crop of OSX? The Titanic was also known to be unsinkable.
That’s 43 bugs FIXED. Mac OS X is now SAFER than it was before. Yes, I’m aware that you really mean to say it must not be particularly well written if they can easily find 43 bugs in it… but when you put it that way, it sounds like the smartest thing Apple could do to assuage your fears is to issue no bug fixes and pretend everything is fine.
Well if what we saw today with 43 vulnerabilities fixed is a sign of future things to come I’m going to buy a cheap PC with Vista instead.
Good idea. Because Windows Update never prompts you to install critical security patches. And there will definitely never be any security vulnerabilities that need patching in Vista.
Seriously, dude, just go get your Windows box and see how much happier your life is fighting worms, spyware, browser hijacks, popups, and other malware of all sorts. Have fun connecting it to the internet and getting your box owned within minutes, before you can even download the hundreds of patches you need. We’re tired of your misinformed, nearsighted, trollish whining. Go buy Windows. You deserve each other.
Really? Show of hands…or posts…whatever…how many people got affected because of at least one of those vulnerabilities that were just fixed by Apple. Show of hands people! Besides Justanothermacuser…I am giving him the benefit of the doubt.
You say humanly possible, but maybe the limitation isn’t strictly human at all. Perhaps the limitations are inherent in a mentality common to those using OS X, for example. Another key element here is “documented bugs”. How many eyes are looking for Microsoft bugs with the intent to get them documented, versus the number of eyes looking for Apple bugs with the intent to get them documented. Then there is the whole matter of testing to make sure that the patch doesn’t create a new problem. Then there is the problem of bug count and severity. Is a bug that only manifests itself due to the interaction of bad code in three areas one bug or three? On top of that, there is the question of whether to fix code or render it obsolete. It really isn’t as simple as you are making out.
you know all some of these bugs aren’t just in apple’s software. some of them are from open source apps like ruby, samba, curl, apache, php, rsync, and a bunch of other things. I don’t see why apple gets all the blame. Sure, their stuff has bugs and security holes too. But doesn’t this just prove that the same issues are there in linux?
No shit… complex software has bugs and security vulnerabilities. Even apple and open source. I can’t believe this comment got modded up five points.
The apologists and zealots are obviously out in full force on this one.
I don’t understand why there aren’t more kudos to Apple for tracking these down and fixing them.
Apple tracking them down?
Apple is abusing the Mac community to find all their flaws in Mac OS X and then fixing them afterwards, instead of using software/methods to stress test their code first.
How is it possible that one guy finds over a dozen vulnerabilities at one time? in such a short period? What is he doing that Apple has failed to do?
Apple is abusing the Mac community to find all their flaws in Mac OS X and then fixing them afterwards, instead of using software/methods to stress test their code first.
==================================================
Can you tell me how Microsoft, Linux, Unix and others do it?
Cause I could be wrong here, but they all do it the same way
and as mentioned before, some of the fixes are not even for Apple programs
oh another url for you
http://www.dreamlight.com/insights/bugs/Apple/lookupd.html
I have had my /etc/hosts edited for this bug a long time ago.
Plus it wasn’t the lookupd that was the trojaned process.
Apple is abusing the Mac community to find all their flaws in Mac OS X and then fixing them afterwards, instead of using software/methods to stress test their code first.
==================================================
Can you tell me how Microsoft, Linux, Unix and others do it?
Well, I can tell you at least one thing. What you said about Linux.
[a bit of sarcasm] Linux was made by the same community that is fixing it. So how could you for example abuse yourself? (I can’t think of anything else, but the case where you would forcefully sit on the pointy object, but this wouldn’t be abuse you talk about) [/a bit of sarcasm]
Community can’t abuse itself, but if it can, enlighten me please. In Apple, MS case product is made by company, in Linux case it is made by community. IBM, Novell, RH are just players that are using it (and helping fixing it too, just look at their track records) they’re not THE ONES WHO MADE LINUX
Edited 2006-05-14 16:50
Security increasements ? Bad ?
Bug fixes ? Bad ?
Are there any victims ?
Can we please have the numbers ? Including the victims hurt by:
------------------------------
Mac-viruses: (insert_here)
Mac-spyware: (insert_here)
Mac-worms: (insert_here)
Macs broken into’s: (insert_here)
------------------------------
Flash Player
CVE-ID: CVE-2005-2628, CVE-2006-0024
Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS X v10.4.6, Mac OS X Server v10.4.6
Impact: Playing Flash content may lead to arbitrary code execution
Description: Flash Player contains critical vulnerabilities that may lead to arbitrary code execution when specially-crafted files are loaded. Further information is available via the Macromedia web site at http://www.macromedia.com. This update addresses the issue by incorporating Flash Player version 8.0.24.0.
Read more here:
http://docs.info.apple.com/article.html?artnum=303737
Edited 2006-05-13 23:27
oh boo hoo I had to reboot this month to prevent exploitation of *potential* vulnerabilities.
think I can take my mac back and go back to windows, I hear Vista will be more secure and you’ll never have to update it.
[/fake troll]
These Linux fukwads are really getting annoying. ANY post in any thread that sounds remotely positive about OS X or Windows and they get modded down; often without reply because the modder doesn’t have anything intelligent to add. And no MATTER HOW STUPID a comment about Linux is made, so long as it is positive it gets modded up.
Now, when I go to mod somebody; I’m greeted with some rules that apparently only I’m following.
This place is fast becoming a f–king joke. It used to be a decent board to read until its infestation of asshole Linux fans turned it up to high.
agree, the whole “hey I am a mac user so i can troll other mac users” schtick is old. (its sort of like a stupider version of “hey I’m black so I can use the “n-word” LOL!!! “) If Macs are so bad, why doesn’t “Just Another Mac User” switch over to another OS?
I’m not a Linux user, I’m a Mac user that’s very upset with the security issue of Mac OS X over these last few years because I recommended Apple products to all my newbie friends and family.
It might not be too difficult if they resided near to me, but I purposely got them on Mac’s for the iChat and stability/security issues so we can remain close online.
Sure I could set up their boxes with ARD, but they want their privacy and security. So do I. Apple is not delivering.
Oh please change the record
Put your friends and family on Windows and be done with it if the Mac is so ridden with insecurities – How has Apple not delivered?
There are still almost zero accounts of Macs getting viruses or “owned”
I’m not a Linux user, I’m a Mac user that’s very upset with the security issue of Mac OS X over these last few years because I recommended Apple products to all my newbie friends and family.
It might not be too difficult if they resided near to me, but I purposely got them on Mac’s for the iChat and stability/security issues so we can remain close online.
Sure I could set up their boxes with ARD, but they want their privacy and security.
Tell you what: I think you should keep doing that, because your logic is backwards.
Apple is not delivering.
How are they not delivering? They have delivered security updates! It means that they care about security and it means they want security to improve on their platform. Would OSX have been better off, if they had not posted the security updates, sitting with their hands in their laps, hoping that no one will find the security issues?
Would it have been worse if they had fixed 80 flaws instead of 40?
You cannot measure the security of a platform based on the number of fixes. And you can definitely not do that if you have installed the required updates properly.
You must look at:
1. The number of known issues yet to be fixed.
2. The number of possible exploits already exploited.
3. The time between a security hole has been found until it has been fixed.
Should we stop recommending people buying cars, because they are now fitted with airbags and seatbelts?
Your logic is backwards.
Again I ask you how many hours, no, minutes, have you spent cleaning your friends’ and family’s Macs for viruses, trojans and spyware?
Apple is not checking their code enough, stress testing it with software whatever.
43 vulnerability fixes in one update?
Again I ask you how many hours, no, minutes, have you spent cleaning your friends’ and family’s Macs for viruses, trojans and spyware?
I don’t bother spending a lot of time, I do what Windows IT users do, boot from a install disk and wipe the drive and reverse clone/ghost from a external drive. Takes about a hour and a half per machine, most of it done reading a magazine.
The problem is that they are far away from me and I set the newbies up on Mac’s so I wouldn’t have to bother with these problems.
Sure I could set up their boxes with ARD
You have heard of automatic updates haven’t you?!
Also pretty much all of these “exploits” are not actual exploits, they are just coding issues which could possibly (and a lot not even possibly) create issues in the future.
Apple is not delivering
You got that the wrong way around – they are delivering. They are analyzing their code like mad and fixing everything they possibly can. At least they don’t do what Microsoft does – wait for the exploits to be made known to them by hackers and then possibly make a patch, if they feel like it.
Seriously, you are just some loser linux/Windows user who feels like pissing people off because you know how much us Mac users defend the platform. Do you know why we defend it? Because we’ve tried the alternatives and always came back for incredibly obvious reasons.
You have heard of automatic updates haven’t you?!
Those auto-updates are dangerous, Apple has pulled some sometimes, forgot to do something other times, third party software gets broken too. I’ve found it’s better to give the newbies admin and only give the Software update a run with their Admin (aka root) password when I know the coast is clear.
Also pretty much all of these “exploits” are not actual exploits, they are just coding issues which could possibly (and a lot not even possibly) create issues in the future.
Well the future occurred three weeks ago on my box.
You got that the wrong way around – they are delivering. They are analyzing their code like mad and fixing everything they possibly can.
Yea they are trying to stomp out all the loose bugs that fell out of the bug trap. Some they will get, others will scurry off undercover to reappear later. Would have been much easier to crush them all when they were in the trap at Apple before releasing their flawed OS to the public.
At least they don’t do what Microsoft does – wait for the exploits to be made known to them by hackers and then possibly make a patch, if they feel like it.
Windows is too legacy, it’s taking them longer and longer because so much can go wrong if they screw up a update.
Seriously, you are just some loser linux/Windows user who feels like pissing people off because you know how much us Mac users defend the platform. Do you know why we defend it? Because we’ve tried the alternatives and always came back for incredibly obvious reasons.
I love Apple, bought and recommend most of their products for 20 years now. Just I can no longer recommend them as a “starter box” to newbies due to too many exploits. Much like Windows already is. Of course Apple could change and then I’ll be back drinking the kool-aid again.
You can live in “Apple can do no wrong” world, but I need a safe, secure reliable OS with plenty of software. If I can’t get safe and secure, I’ll go with plenty of software and that means Vista most likely.
Just to let you know, automatic updates in OS X is not like Windows, it is where it automatically checks once a week, day, whatever if there are updates and then lets the user choose some to update, or just close the window. User still needs to enter their admin password.
I am a developer and use many other pro type apps as hobbies such as music software like Logic, and graphics software like Vue, and nothing has ever been “broken” by an update. And yes Apple has pulled an update once or twice however if you are in fear of updating, then you might as well just advertise that your computer may be at risk.
Also, if you cannot recommend OS X as a starter box, then what do you recommend? I know you say nothing but you don’t say that when someone asks for advice, you say the most logical option – such as OS X.
“if you cannot recommend OS X as a starter box, then what do you recommend?”
It depends what they want and how much money they have. If money is not a big issue, I tell them to buy XP preinstalled from one of the better regarded direct suppliers, going as high up the range as they feel like, and being guided in how far to go by how much graphical work they’ll be doing. I usually suggest Evesham in the UK. The support is really excellent – better than Apple – and the prices are fair. I tell them to use OO for Office, and Picasa for photo albums.
If money is a real issue, I tell them to buy a low end machine from Dell or Acer, with XP preinstalled.
If money is a showstopper issue, which it sometimes is, I tell them the cheap way to get secure computing with a whole load of applications included is Linux on an ex corporate, but not to try it alone. Only if you have support.
Several times I have helped people put together barebones, with either Windows or Linux installed on them. These seem to have worked very well and been rather cost effective for the people that went this route.
I tell them to buy a Mac if money isn’t an issue, they can live with the limited choice of software, and if they generally like designer brands.
Your box has been hacked in February. It has been owned three weeks ago. You’re decidedly an unlucky guy, and you have established a record among Mac users !
Every time there is a topic about OS X security you whine how horrible it is, and that you should use Windows that somehow you feel is most secure. Well, stop whining, and do it, for God’s sake. It will be a relief for you, and for us. Or better, as Kadymae suggested, use VMS, if you must work with computer, or just stop using computers : you have an extreme preoccupation with OS X security, and it’s dangerous to your health.
Mod Manik 10+ he has written eloquently just what I think
You need to know the general modding table reference:
OS            | Praise | Bash
-----------------------------
Windows       | -2     | +3
Mac OS        | -1     | +2
Linux general | +2     | -2
Ubuntu        | +3     | -3
BeOS          | +1     | -1
*BSD          | -1     | +1
I’m a linux jerkoff, but I modded you up because I think you’re special.
There will be vulnerabilities. Any program more complex than hello world is going to have bugs and vulnerabilities. That’s true for Mac OS X and Linux and MVS. They’re all vulnerable somewhere and that’s just a fact of life.
The difference between Mac and Windows, or especially between Linux and Windows is how much more important security is in the OS design and to some extent in the culture of the users (this is much more true for Linux users than for Mac users). In Windows, users run as administrator, they and their programs strew files all over the filesystem, mess with system files, with system registry keys etc. The Windows shell just executes stuff with no regard for security or stability. The system and the user is easily tricked. This is all a result of the fact that even though XP is built on top of the NT kernel, userland and especially user and programmer culture still very much continues the 3.1/9x tradition where you didn’t get spyware from the internet and there was only one user and there was a bigger threat from bugs than from malware (everything crashed constantly). Users got used to being able to do anything and everything and most importantly, programmers got used to making programs that could mess with anything in the system and get away with it.
With Mac and Linux this is not the case. Linux programs know that they can’t touch system files. Linux users know not to log in as root except to do system administration. You can’t just run programs downloaded from the internet for several reasons but one of which is that the files must first be marked as executable. File extensions are meaningless in Linux, it is the actual type of the file that counts, so tricks like changing the extension won’t work. These are just a few examples. In the case of Linux, the Unix tradition of least-user-privilege (which is a really good idea for big time-sharing systems) has lived on, whereas this was never needed in the Windows world until the virus/spyware outbreak of the past few years.
So what this means is that even though Linux and Mac OS X aren’t perfect (and you can certainly come up with really secure OSes using capabilities, for example), they are more secure than Windows and will remain so until Windows gets serious about locking things down, not just in the kernel, but in userland too. And all of the OSes *will* have bugs and vulnerabilities. That’s just the way it works. Anybody who thought Macs were truly safe from viruses and vulnerabilities is an idiot. Yes, an idiot. I’m not afraid to say it. It’s not a problem with the Mac, it’s a problem with unrealistic expectations by said idiots.
i didn’t get affected by the flaws, so im not updated yet.
I think most of you don’t see the real problem behind all that mess.
The problem is that Apple don’t have much expertise when it comes to security. Why? Because they almost never had to deal with that before.
On the other hand, both Windows and Linux have dealt with security intensively for the past 10 years. Believe it or not, Microsoft learned a lot… but it took them years to do so.
The end result? if Microsoft ever releases a service pack 3 for XP, it will be almost secure enough for joe user. On the other hand, Apple is just starting to react. Why now? Why not before? Market share.
There’s no reason to attack a system if you dont get something back thats worth the time you spent compromising it. It’s just natural…
And hmm, I don’t want to make it worse than it is before I really believe that MacOS is full of vulnerabilities. With all the new features they add in every new release, I doubt they spend much time auditing code to find security holes.
My 0.02$
I can’t help noticing that an awful lot of the flaws are along the same lines. i.e some kind of overflow. Now to my mind that’s a lot less serious than many of the exploits other systems have seen. Still, it’s a shame that such overflows are a problem.
Also, slightly annoyed that this doesn’t fix some of the issues with odd images making anything on Webkit or ImageIO crash. Go to drunkenblog for a good example.
Good grief, I saw someone say that OS 9 was more secure than OS X. OS 9 didn’t even have protected memory!!! So any program could corrupt another program’s memory space! OS X is much more secure now because of the code from the NextStep and BSD systems. End of story. Take an OS class in college if you have any doubts.
OT: I wonder if OS News could implement a voteban system so that users could ban annoying people. That’s how many games take care of griefers and trolls.
/voteban 4898
I don’t comment here hardly at all and certainly try not to troll, this issue with Mac OS X security is my only beef because I know Apple can do a heck of a lot better than it has recently.
Having used Mac’s since they came out I think OS 9 was less of a problem than OS 10 currently is, from a user’s perspective.
Mac OS X may indeed be more secure, but it seems to have tons more exploits than OS 9 ever did. Things have changed perhaps since OS 9 days, more people have broadband connections that are always on, etc. etc. Also Mac OS X seems to be in constant change, sure some change is good, but too much at one time is problematic.
I don’t know what Apple’s problem is. But if they can’t get things secure I simply cannot recommend their products as a “starter box” anymore.
I don’t wish this “worry about my computer security” trip on anyone and I don’t want to be a IT support tech.
Mac OS X may indeed be more secure, but it seems to have tons more exploits than OS 9 ever did. Things have changed perhaps since OS 9 days, more people have broadband connections that are always on, etc.
You’re confusing security updates with exploits, they’re not the same thing. OS X has indeed had way more security updates than OS 9. This is not because OS X is less secure. This is because OS 9 never had any security to update in the first place.
Your argument is a bit like trying to claim that a pup tent is warmer than a house because the house’s furnace turns on more often.
> I wonder if OS News could implement a voteban system so
> that users could ban annoying people.
You mean a censorship system so Mac users can get organized and then collectively ban people who dare to criticize Apple or OS X in some way, and dare to “annoy” you?
> That’s how many games take care of griefers and trolls.
I think we both know that in a discussion forum like this, such a system would be misused as a means to censor undesirable opinions and criticism, not some childish trolling in online games, and that it would most probably be used in such a way by the group that is the most “enthusiastic”, i.e. fanatical and touchy to any sort of criticisms about their preferred computing environment. And I think we both know which group that would be.
Windows users? Linux users? Mac users?
Frankly the zealots are just as bad in all camps, so I don’t know which group you’re talking about.
> Windows users? Linux users? Mac users?
Mac users.
> Frankly the zealots are just as bad in all camps, so I
> don’t know which group you’re talking about.
The last one.
A “Linux is not ready for the desktop.” article doesn’t generate hundreds of hundreds of replies. Anything negative about windows neither. But dare to mention a fixed security flaw in Mac OS X, or list some reasons why not to buy a mac, and the OSNEWS servers and databases go down under the load of the angry Mac user swarm.
The zealots exist in all camps, that is certainly true, but as someone who uses all three platforms, and is not emotionally, religiously or sexually tied to any of the three, I must say that in my observation Mac users tend to be the most aggressive when it comes to the defending of anything related to their computing platform choice. Every time I see an article heading negative about Apple, I _know_ that it will generate hundreds of postings accusing the writer of lying, propaganda, and so on. Of all the three groups, they tend to make the least pleasant public appearance.
The appearance they make is probably as fierce for a potential new user, who is considering “switching”, as the pictures of fanatical islamists demonstrating against west countries and burning flags (because something as a caricature or a security flaw has been published) for someone considering moving to a islamic country.
“The appearance they make is probably as fierce for a potential new user, who is considering “switching”, as the pictures of fanatical islamists demonstrating against west countries and burning flags (because something as a caricature or a security flaw has been published) for someone considering moving to a islamic country.”
Oh please! Is this really how low the discussion must sink?
>”Every time I see a article heading negative about Apple”
Such as every time you will see an article claiming that the X Unix system is better than Linux.
>”A “Linux is not ready for the desktop.” article doesn’t generate hundreds of hundreds of replies”
Aha, you are all wrong and I can prove it.
Just a search on OS news with your words, picking the first link gives the following
http://osnews.com/story.php?news_id=11284
“Why Linux Isn’t Ready for Desktops
214 comments”
Yes, there are hundreds of replies when someone dares to criticize Linux … And I pass the threads like “Windows more secure than Linux”, “Solaris 10 benchmark roxes” or “BSD is a good licence”
The fact is you don’t like Apple, so your opinion is biased.
OT: It is funny to see that on OSNews, there is a news item each time Microsoft and Apple fix a flaw, never when Red Hat, Mandriva, SuSE, Ubuntu do so … (And according to Secunia it happens often)
OT: I wonder if OS News could implement a voteban system so that users could ban annoying people. That’s how many games take care of griefers and trolls.
A vote ban won’t correct the issue; what will correct the issue is to firstly know what the hell a troll, FUD and flame bait is; they seem to be terms that are loosely thrown around here by idiots who don’t have the slightest idea what the f*ck they mean. Heck, I get called a ‘troll’, but by definition, I shouldn’t be here now, under this pseudonym, I should have created a new identity and flooded another discussion; the fact is, that hasn’t happened.
People here also need to know how to use the voting system; the system isn’t voting for ‘which opinions do I agree with’ it is, ‘does this person actually make a contributing point to the discussion’ – be it pro or against – it is about weeding out the flame bait so that valid, constructive contributions to the forum are added rather than it being a mini-kryoshin with people flaming each other like 8 year olds, with a chip on each shoulder.
Edited 2006-05-14 08:24
Might I suggest you learn SSH? remote admining a Mac is not exactly difficult nor is it time consuming considering unless something goes wrong security updates are downloaded automatically.
Your logic on not recommending OS X is seriously flawed IMHO. What do you suggest in its stead? Linux is great but not a Joe six-pack OS.
OS X is as vulnerable as the user willing to type in the administrative password. If you don’t trust a user to use it correctly don’t give his account root privileges. ANY os can be “owned” if the user is willing to give the program root privileges. Linux, Windows, OS X, BSD, it does not matter. The prevention of this in any OS comes from education.
Boo hoo, flaws are being patched. Flaws are patched in Windows and Linux as well. Why is this a big deal when it is OS X? If you think any OS is invulnerable you are mistaken, it is merely a question of how difficult it is to hit and how big a target it is.
(For the record I am a Mac user, but my current primary desktop is Ubuntu and my servers are Slackware.)
Thank you for your nice response, I would give a few points if I had them.
SSH or ARD is not an option, I don’t even mention such a thing is possible. I respect the privacy of my newbies who are most likely off surfing for weird goat porn or something.
Flaws are going to occur I know, 1 or 2 is no big deal, but 43 serious vulnerabilities at one time? (with more still not fixed?). This is a sign of a serious problem at Apple. These problems have interrupted the appearance of “ease of use” and “appliance nature” of Mac’s in general that made them so valuable as starter boxes.
Since there is nothing to recommend at this time, I will recommend nothing to new computer users, unless things change for the better at Apple.
Flaws are going to occur I know, 1 or 2 is no big deal, but 43 serious vulnerabilities at one time? (with more still not fixed?). This is a sign of a serious problem at Apple. These problems have interrupted the appearance of “ease of use” and “appliance nature” of Mac’s in general that made them so valuable as starter boxes.
Again your logic is backwards. You are still assuming the number of fixed flaws is inversely proportional to the general security of the system.
But it means the flaws are fixed, a thing of the past, no longer a problem, assuming you’ve installed the security update.
Would it not occur to you that Apple now simply are paying more attention to security?
Are you afraid that there are going to be 10000 more security holes that need to be fixed?
Edited 2006-05-14 06:02
Sorry your logic is backwards, those vulnerabilities should not have existed in the first place, especially in that amount.
You seem to think that it’s ok to ship shoddy code and fix the problems afterwards. If Boeing created a plane like that they would be sued out of existence.
People seem to think somehow a plane with millions of parts is different than millions of lines of code. If you ask me the latter is easier to fix and can be automated.
But the “salespeople” Steve Jobs so often hates and criticizes for the near death of Apple are the very ones pushing this software out before it’s adequately tested. And if it’s Steve that’s pushing this crap out the door then it’s really over for Apple. I can’t believe the overpriced crap devices like the iPod (stereo?) HiFI and the $99 cheap leather cases that better ones sell for $25 online. Who is he trying to fool?
If Mac OS X security doesn’t improve then there is no use, both Windows Vista and Mac OS X security is worthless. Might as well go with the OS that has the most software and compatibility.
I’ll slap Vista right on my Intel-Mac and Mac OS X will just be a old relic. If Apple is lucky enough to get another hardware sale out of me.
Sorry your logic is backwards, those vulnerabilities should not have existed in the first place, especially in that amount.
You seem to think that it’s ok to ship shoddy code and fix the problems afterwards. If Boeing created a plane like that they would be sued out of existence.
Ah, I see now. You seem to think it’s actually possible to ship flawless and 100% secure operating systems and that’s why you think Vista is going to be the most secure and reliable software ever.
I guarantee you, the first one who does that is going to be a billionaire over night. Everyone will want to learn from him.
Flawless software doesn’t exist. That’s why we have software updates. Software updates are good, not bad. Learn it.
People seem to think somehow a plane with millions of parts is different than millions of lines of code. If you ask me the latter is easier to fix and can be automated.
Have you ever built a hugely complex airplane or a huge operating system? Did it occur to you that when an operating system crashes, it does not kill hundreds of people, which is why it takes 5-10-15 years to design and test a passenger airliner to make sure it doesn’t fall out of the sky? That it’s hundreds of times more expensive to develop a big airplane than an operating system?
By that rate, we would still be using MS-DOS 3.30 or the first UNIX’es. There would be no software market and no development. It would be heavily tested though. 🙂
> Ah, I see now. You seem to think it’s actually possible to ship flawless and 100% secure operating systems and that’s why you think Vista is going to be the most secure and reliable software ever.
No, I realize there are faults to everything, but 43 vulnerabilities at one time and more to come and dozens earlier? Come on, give me a break.
I don’t care if VISTA is more or less secure than Mac OS X, if they are both always insecure, my choice is to go with the one with more software.
> Have you ever built a hugely complex airplane or a huge operating system? Did it occur to you that when an operating system crashes, it does not kill hundreds of people, which is why it takes 5-10-15 years to design and test a passenger airliner to make sure it doesn’t fall out of the sky? That it’s hundreds of times more expensive to develop a big airplane than an operating system?
I bet they test those operating systems really well in those airplanes too. Should we deserve no less? Doesn’t need to cost billions of dollars either, just banks of computers automating exploit code and running it against an OS. Heck, they could even distribute it like SETI.
> By that rate, we would still be using MS-DOS 3.30 or the first UNIX’es. There would be no software market and no development. It would be heavily tested though. 🙂
Uh, how old are the roots of Mac OS X? How well tested?
So all Apple had to do is slap their GUI on top and stress test that. Did they? No. They just released it.
Jaguar was alpha, Panther was beta and Tiger is a beta2.0.
Mac OS X was supposed to be “all so much more secure”. I can’t tell.
… are NOT a MacUser.
He speaks about thing he don’t know. 🙂
Sorry, I’m a Mac user, if I understand your broken English correctly.
Just because I don’t appear to be drinking the koolaid and raving like a zealot doesn’t mean I’m not a Mac user.
I cherish security and stability of my operating system, plus I’m still smarting from being rooted the first time in 20 something years.
Sorry for last night, but I’m not native English-speaking. I wrote my post after 4 hours at the disco. I was “a little bit” tired… I think you can understand.
Anyway, sorry me again, but I still think you aren’t a MacUser. It isn’t a matter of zealotry. It’s a matter of good sense and knowledge: you haven’t these. 🙂
“most of them serious enough to cause ‘arbitrary code execution attacks’.”
I doubt the validity of this.
In general, it seems pretty standard to assume that any potential buffer overflow could lead to arbitrary code execution. This doesn’t necessarily mean that it’s likely, and it’s even less likely that the overflow can be used to reliably exploit a machine. I doubt that anybody spent much time figuring out just how serious any of these security holes really were; it’s probably easier to just fix it.
Some more information on the security update, as well as access to the download patch, can be found here: http://www.macnewsworld.com/story/50482.html
Edited 2006-05-14 04:44
Everybody, could we please stop responding to JustAnotherMacUser’s mindless rants?
It’s blatantly obvious he has some grudge against OS X. 90% chance he has used OS9 (and earlier) for many many years and is the type of guy who still hates Apple because he does not know what the Dock is for.
Obviously he has not got much tech knowledge. “sudo” != “superuser do”.
So, JustAnotherMacUser:
1) Apple fixes 43 possible flaws. That can only be good news. Would you rather have them NOT fix anything?
2) a “flaw” does not mean an actual virus or other piece of malware in the real world is actually abusing it.
3) so you entered your root password into an alert box that asked for it and then got “owned” (whatever that means). Entirely your OWN fault, a very stupid thing to do. Besides…. that is called a TROJAN and is not a virus and has NOTHING to do with the 43 fixed security flaws that Apple fixed.
> Obviously he has not got much tech knowledge. “sudo” != “superuser do”.
Oh yes it is.
http://en.wikipedia.org/wiki/Sudo
Just as “su” is super user.
Limp zealots don’t win the cake.
“Just as “su” is super user.”
This is incorrect, common enough mistake though. su == substitute user, as you can su to anybody, not just root.
I’ll let the other reply to your post educate you on “sudo”.
> 1) Apple fixes 43 possible flaws. That can only be good news. Would you rather have them NOT fix anything?
I’d rather they find most of the faults before releasing a version which millions of Mac users trust their data to.
> 2) a “flaw” does not mean an actual virus or other piece of malware in the real world is actually abusing it.
And you’re sitting down 24/7 to examine all the packets to confirm that?
Just because it’s not widespread doesn’t mean it’s not occurring.
> 3) so you entered your root password into an alert box that asked for it and then got “owned” (whatever that means). Entirely your OWN fault, a very stupid thing to do. Besides…. that is called a TROJAN and is not a virus and has NOTHING to do with the 43 fixed security flaws that Apple fixed.
Who said anything about virus? Not me.
And sure it has to do with the many flaws in Mac OS X or it wouldn’t have gotten on my box in the first place.
It even used the name of an official Apple process, which I ran by the Knowledge Base for confirmation, sounded good so I gave it the go.
Now what was stupid about that?
Regarding the news since the last week, we can now rename osnews safely to trollnews …
@Duffman
I prefer Dramanews…
Bottom line is ALL OS will have security issues. Hell, ANY codebase that large has flaws. Of course there are security vulnerabilities..if you thought not you need to meet reality. Windows, OS X, Linux, FreeBSD, etc…all have vulnerabilities. Maintain your system properly…never connect it directly to the internet without it being behind a firewall. Then no matter what OS you will be better off. Not the built in firewalls either..but a hardware solution like Linksys or such. Is the way of the world folks..get used to it.
I see regular updates as a good thing on any platform.
Keep them coming <-;
Would it not be more helpful to distinguish between system security and security in social practice?
Windows has been insecure in both, because of Explorer, Active X and also the practice of signing on as Administrator for ordinary use.
What’s coming out about OSX seems to be that it is very secure in social practice, largely because people don’t sign on as root, but far more insecure at system level than most people had thought.
Linux, people may disagree, appears to be about as secure as OSX in social practice, and rather more secure at system level.
And then at the pinnacle we have OpenBSD, which is probably the most secure on both dimensions, but who uses it on the desktop?
I hear more and more things about mac and windows vulnerabilities but is this a common OS problem? I mean does Linux also have the same problems (I never see such articles/posts)?
I’m no expert so no bashing here but I’m just curious.
This is just merely an observation – but it seems that OSNews spins and encourages anti-Mac information.
Eugenia does it less as of late, but it seems that now Thom has assumed the throne.
This is getting a little ridiculous, can the editors please give us an explanation as to why OSNews is so anti-Mac?
“This is just merely an observation – but it seems that OSNews spins and encourages anti-Mac information.
Eugenia does it less as of late, but it seems that now Thom has assumed the throne.
This is getting a little ridiculous, can the editors please give us an explanation as to why OSNews is so anti-Mac?”
Considering Thom uses OS X and I’ve seen an equal number of pro-Mac articles on this site, I doubt they are anti-Mac. They are just trying to encourage conversation.
To be honest most of the row in this story isn’t about the news of the security updates, most people whether Windows, Linux or OSX understand, accept and welcome such news that fixes are being done for unexploited holes in programs.
The problem seems to stem from most people disbelieving anything Justanothermacuser has to say on the topic, without his input the topic would have about 25 posts on it.
Edited 2006-05-14 18:02
I don’t think this is pro or anti Mac. It’s an update.
Linux had the recent “more bugs in the kernel, let’s stop and fix it” issue.
Windows has its patches issued on a Wednesday most months.
Mac now has an update to parts of the os and quicktime.
FreeBSD 6.1 is out with fixes and performance tweaks.
It all seems well balanced to me…
It doesn’t matter what all your arguments are (even mine). People will spin the news how they want it.
“Oh my god 43 vulnerabilities! OSX is insecure!”
“Wow they fixed 43 security holes! They’re really on top of things!”
People will read the information for themselves and make decisions. Or they will find the first thing that sounds best to them and stick with that.
If you ask me I’d rather have it that there is none to little security problems at all.
Missing 43 vulnerabilities begs the question:
What the hell else is wrong with Mac OS X?
> If you ask me I’d rather have it that there is none to little security problems at all.
> Missing 43 vulnerabilities begs the question:
> What the hell else is wrong with Mac OS X?
=====================================
And troll how many of those 43 vulnerabilities are actually Apple’s programs?
But yes, never let truth get in the way of your trolling.
Look it up yourself.
http://secunia.com/product/96/
Sadly that does little to prove your point; that’s actually a good looking Secunia report. No outstanding major issues, and only 9% critical. It’s really nothing to cry about.
The bigger issue is actually, and it’s unproven, the issue of whether there are more that a certain security researcher may release soon because Apple didn’t fix them.
“Again another example of a crap rating system, since such stupidity can be easily modded up, but can’t be modded down.”
Man, you are certainly right. I think the same. I was going to send them a mail about this. It’s just pure stupidness. I can vote them up or vote them down only being unfair with those comments voting down as inflammatory or something else to justify the -1. It should be fair to vote them down if you don’t agree with them. Otherwise you end with a lot of comments with +5 because a couple of guys agreed with them.
Windows is insecure. We get that. Mac OS X is more secure than Windows. We get that too. Why? OS X has better security policies, such as running unprivileged users and all that stuff. OS X does have major flaws though, showing Apple isn’t as concerned about security as they should be and isn’t the ideal OS. Linux has taken the next step. Their kernel has the innovative new MAC security system (Mandatory Access Control) which drastically reduces the damage a security exploit can do with no user intervention needed like with firewalls. For programs that NEED some root powers, and programs that just use user powers, it’s an all or nothing approach. A system level program such as the dhcp client needs to be able to set the system’s IP address. This is usually considered a high level action. On OS X, this program has access to EVERYTHING on the system as it’s run as root. That means a security hole in it can potentially bring down the entire system. Linux deals with this better since SELinux has been included in the 2.6 kernel, and will allow permissions to be further refined granting access to each program, such as DHCP, access to exactly what it needs and nothing more. That means instead of a security flaw in a program being able to bring down the entire computer when there is a remote code execution flaw, it will instead bring down a program and only its data. A DHCP flaw will allow a user to screw up IP addresses and DNS servers, but it won’t be able to go and start uploading my home files to a malicious hacker abusing the flaw. Linux distros like Fedora ship with this technology on by default and it makes sure that when there is a security flaw in Linux, it’s going to be a smaller issue than in competing operating systems. If you want to give a user a secure operating system, the ONLY option right now is using Linux, and thanks to the recent work on the usability as well, it has also become one of the easiest operating systems to use.
If Apple wants to stay competitive with Linux, I believe it’s necessary for them to start investing development in stuff that you can’t easily show off to the end user (like their search technology and all the eye candy everywhere) and start focusing on the backend technologies a bit more like implementing a Mandatory Access Control and other security systems and also working on improving performance, and other areas where Linux has been killing OS X for a long time.
One of the great things about the Linux community is how they disagree with each other on what’s the most important thing, and they all work on different areas. A lot of the hackers on Linux are obsessed with performance, so they work hard on optimizing it and doing everything to make things faster. Then we get other people who are anal about security. They work hard on adding security features everywhere to reduce the chance of security bugs and the severity in the event they do exist (as can be seen in gcc which works to prevent buffer overflows now, the kernel which has MAC, etc)… recently, the people who want to sell Linux as a desktop started working on making the desktop extremely usable as well.
When you have a company like Microsoft, they can decide that marketing and keeping people locked into it is the most important thing, and doing whatever is necessary for that and ignoring the other areas, and also Apple which decided that “usability” is the most important thing and that’s what they are going to focus on, it leads to the other areas getting the minimal resources and everything just getting focused on one area. I believe that’s why Apple’s OS X performance and security architecture is horrible compared to Linux and why Microsoft stopped releasing new operating systems and Vista is taking way longer than it should. The company creates their focuses, whereas in Linux, every developer can have their own focus.
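Added example, not part of the comment above or of any shipped policy: a toy Python model of the comment's DHCP-client scenario, comparing a root process under permission bits alone with the same process under a default-deny type-enforcement table. The type labels, the `ALLOW` table, the home-file path and the sample files are constructed for illustration, and groups are left out of the permission check.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Process:
    uid: int
    domain: str   # SELinux-style domain label (illustrative name)

@dataclass(frozen=True)
class File:
    path: str
    owner: int
    mode: int     # classic permission bits, e.g. 0o600
    ftype: str    # SELinux-style type label (illustrative name)

# Type-enforcement rules: (domain, file type) -> permitted operations.
# Any pair not listed is denied, whatever the uid.
ALLOW = {
    ("dhcpc_t", "net_conf_t"): {"read", "write"},
    ("user_t", "user_home_t"): {"read", "write"},
}

def dac_allows(p, f, op):
    """Permission-bit check: uid 0 bypasses the bits entirely."""
    if p.uid == 0:
        return True
    shift = 6 if p.uid == f.owner else 0   # owner or other; groups omitted
    return bool((f.mode >> shift) & {"read": 4, "write": 2}[op])

def mac_allows(p, f, op):
    """Type-enforcement check: default deny, no exception for root."""
    return op in ALLOW.get((p.domain, f.ftype), set())

def access(p, f, op, selinux):
    """With type enforcement on, both checks must pass."""
    return dac_allows(p, f, op) and (not selinux or mac_allows(p, f, op))

# Constructed sample: a root-owned DHCP client and two files.
DHCP = Process(uid=0, domain="dhcpc_t")
RESOLV = File("/etc/resolv.conf", 0, 0o644, "net_conf_t")
HOME_DOC = File("/home/alice/taxes.txt", 1000, 0o600, "user_home_t")

def report():
    """(path, op, allowed without TE, allowed with TE) for the DHCP client."""
    return [(f.path, op, access(DHCP, f, op, False), access(DHCP, f, op, True))
            for f, op in [(RESOLV, "write"), (HOME_DOC, "read")]]

if __name__ == "__main__":
    for path, op, dac_only, with_te in report():
        print(f"{op:5} {path:24} root-only={dac_only} with-TE={with_te}")
```

Under permission bits alone the root-owned client can read the home file; with the table enforced it can still rewrite the resolver configuration but the home-file read is denied.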
That’s a real problem you’ve had. Maybe it’ll take over your fridge and turn your milk sour.
Watch your back.
JustAnotherMacUser where are you going? Dell?
Don’t make me laugh. Cheapest computers in the world.
No AMD, No Linux, But lots of revenue for Antispyware, etc…
Suckers buy Dell. Is that where you’re going next?