Apple to Fix Security Flaws in Jaguar
MacRumors
Oct 31, 2003, 12:48 PM
Apple released a statement (http://maccentral.macworld.com/news/2003/10/31/jaguarfix/index.php?redirect=1067596943000) today indicating that it would release fixes to potential security flaws revealed earlier this week (http://www.internetwk.com/breakingNews/showArticle.jhtml?articleID=15800248).
Apple allays some concerns by stating: "Apple's policy is to quickly address significant vulnerabilities in past releases of Mac OS X wherever feasible".
Lancetx
Oct 31, 2003, 12:52 PM
Originally posted by Macrumors
Apple released a statement (http://maccentral.macworld.com/news/2003/10/31/jaguarfix/index.php?redirect=1067596943000) today indicating that it would release fixes to potential security flaws revealed earlier this week (http://www.internetwk.com/breakingNews/showArticle.jhtml?articleID=15800248).
Apple allays some concerns by stating: "Apple's policy is to quickly address significant vulnerabilities in past releases of Mac OS X wherever feasible".
So much for the conspiracy theories so wildly thrown about by @Stake, CNET, ZDNET and the rest that Apple was forcing a $129 upgrade on poor Mac users in order to fix security issues huh? Sorry guys, but your FUD has been disproven...yet again. Try writing the truth instead for a change. :rolleyes:
usingmac
Oct 31, 2003, 12:56 PM
what kind of feasible...
financial, technical, motivated....
1macker1
Oct 31, 2003, 12:59 PM
yeah i'm wondering what they mean by "feasible" also.
sethypoo
Oct 31, 2003, 01:00 PM
What exactly are the holes?
ryaxnb
Oct 31, 2003, 01:01 PM
Though I already have Mac OS X v10.3, it's good to know Mac OS X v10.2 users will be all right too. Now we can stop complaining.
ITR 81
Oct 31, 2003, 01:04 PM
And everyone doubted Apple even Tech Tv..ehehe
Mindfield
Oct 31, 2003, 01:15 PM
All I can say is kudos for Apple :cool:
stockscalper
Oct 31, 2003, 01:19 PM
They ain't Microsoft, so what did the press expect?
Knox
Oct 31, 2003, 01:22 PM
Originally posted by Lancetx
So much for the conspiracy theories so wildly thrown about by @Stake, CNET, ZDNET and the rest that Apple was forcing a $129 upgrade on poor Mac users in order to fix security issues huh? Sorry guys, but your FUD has been disproven...yet again. Try writing the truth instead for a change. :rolleyes:
What we don't know is whether this is a change of heart or was the plan all along. It's quite possible that all the negative publicity made Apple realise that it had to keep updating the older versions.
Lanbrown
Oct 31, 2003, 01:26 PM
Originally posted by Knox
What we don't know is whether this is a change of heart or was the plan all along. It's quite possible that all the negative publicity made Apple realise that it had to keep updating the older versions.
At this point, does it matter? If they had a change of heart, then they learned a valuable lesson. If they planned all along to fix the vulnerabilities, then they still got the message from the customer base. So it's a win win no matter how you look at it.
JoeMacDaddy
Oct 31, 2003, 01:32 PM
:)
I'm very happy that Apple has taken the high road with the @Stake (Micro$oft backed hatchetmen), ZDnet and CNET and opted to supply updates to Jaguar. I am in the IT security business and while the @Stake report is true, the High rating is unwarranted. Since a malcontent must gain physical access to your machine and know precisely what to do, it is highly unlikely the vulnerability would be exploited en masse. Therefore the threat was VERY overblown. This just shows the extent of YELLOW Journalism that is systemic in the computer industry today. :rolleyes: They will sell themselves on the street for a nickel. Whatever happened to the truth and unbiased journalism?
Just my $.02 :p
robbents99
Oct 31, 2003, 01:35 PM
Originally posted by ITR 81
And everyone doubted Apple even Tech Tv..ehehe
Did Leo say he would eat his Mac if they did or didn't?
It'll probably be one of the top stories on TSS tonight...
duce
Oct 31, 2003, 01:36 PM
Apple cannot be as draconian as M$ lemmings learned to accept. To abandon previous releases of the OS at this time would kill all the gains the Mac is making with OS X. I have less and less respect for reporters and people like those at @Stake to presume Apple will do this. Maybe this is normal (standard) behavior of the likes at M$. People, we need to have a little faith in normalcy.
beg_ne
Oct 31, 2003, 01:37 PM
Originally posted by Knox
What we don't know is whether this is a change of heart or was the plan all along. It's quite possible that all the negative publicity made Apple realise that it had to keep updating the older versions.
Jeez, what's with you people. You get some stupid FUD laced, "Looks like Apple is forcing users to upgrade to Panther" statement which they have NO facts to back up and practically everyone follows along like lemmings.
Maybe you should switch to Windows if you have that little faith in Apple and are willing to take unsubstantiated comments from a PeeCee site as gospel.
Bruja
Oct 31, 2003, 01:45 PM
Way to go Apple!!
robmorton
Oct 31, 2003, 01:45 PM
Originally posted by Lancetx
So much for the conspiracy theories so wildly thrown about by @Stake, CNET, ZDNET and the rest that Apple was forcing a $129 upgrade on poor Mac users in order to fix security issues huh? Sorry guys, but your FUD has been disproven...yet again. Try writing the truth instead for a change. :rolleyes:
Yeah, that is absurd. It was like the 10.1.5 Servers that Apple started the QuickTime Streaming Server Admin program on by default. I mean Apple would not just leave those people out to be hacked on the internet or pay for the upgrade to 10.2. They especially would not even warn those users that they are vulnerable.
Apple is improving their policies as they go. They basically jumped quickly into a UNIX world that they did not fully understand the realities of. They did a mostly great job and are constantly improving. This is one time that the FUD probably forced Apple's hand a bit more. No security update should come in an OS update alone. There are too many machines out there that can only get security patches and not a completely new system.
SiliconAddict
Oct 31, 2003, 01:48 PM
Now everyone please go bombard zdnet.com with shut the **** up. I was more than a little sickened the day they announced the sec flaw and zdnet's article was speculating that Apple wasn't going to fix panther. ***wipes. :mad:
nacl99
Oct 31, 2003, 01:57 PM
From what I have read, the "Hole" can only be taken advantage of when a person is sitting at your computer/in possession of it. NOT over the internet/network like most security flaws.
I don't understand all the bitching, I'm sure the average joe has left several holes that could be used by a hacker sitting at your computer without even needing this one in the OS.
I mean security is a relative thing, it all depends on who you're trying to secure yourself against, and what you're securing.
For most of us, if a "pro" sat at our computer, we'd be screwed, but then again I know I don't have any gov. secrets on my laptop either :-)
idea_hamster
Oct 31, 2003, 02:03 PM
Was anyone else incensed by the way the article ended:
"The flurry of security flaws in Apple's OS X shows "there's no piece of commercial software that doesn't have security problems," says John Pescatore, a security analyst at Gartner."
If OS X's security flaws amount to a flurry, then what's MS's? The winter of '92? I don't think that anyone ever said any Mac OS was some sort of ant-proof case, rather that OS X is far more secure than any version of Windows.
What would interest me is the answer to this:
Lots of the recent crop of major security flaws seem to stem from a system's susceptibility to "buffer overflows" in various parts of the programming. So who has more "buffers" that could (theoretically) be "overflowed"? Win? Mac?
Totalshock
Oct 31, 2003, 02:51 PM
Originally posted by idea_hamster
"The flurry of security flaws in Apple's OS X shows "there's no piece of commercial software that doesn't have security problems," says John Pescatore, a security analyst at Gartner."
I think that's fair comment from a respected analyst in the field, a very smart man, and a guy who's been very critical of Microsoft for its security errors in the past.
It's a very fair argument. There ARE holes in Mac OS, in Linux, in anything. What there haven't been, to date, are massive exploits for those holes. That is a good thing for the Mac user community, but it doesn't mean we're bullet-proof.
However, I do wonder about the context of the quote above, because it's a quote that forms the back-end of a statement by the author. We, the reader, have no way of knowing if Pescatore volunteered that "these vulnerabilities in OS X show that there's no piece of commercial software that doesn't have security problems," or if the part of the sentence quoted comes from an entirely different question.
ie:
Interviewer: Are you surprised to see that these types of security holes are being found in Mac OS X?
Pescatore: No, because there's no piece of commercial software that doesn't have security problems.
The context is different, clearly, in what Pescatore was trying to say... and it's not totally unheard-of for a reporter to bend an analyst's comments to match his or her hypothesis in the worst case, or simply to provide a more flashy bit of commentary in a slightly better case.
Originally posted by idea_hamster
If OS X's security flaws amount to a flurry, then what's MS's? The winter of '92? I don't think that anyone ever said any Mac OS was some sort of ant-proof case, rather that OS X is far more secure than any version of Windows.
Microsoft's security woes have been well-documented in the press and elsewhere, and they've been largely taken to the cleaners for it... many writers, even those who are clearly not MS-bashers, have taken to outright sarcasm in pieces about Microsoft's security problems. I know I find myself doing so, and I do not consider myself either pro- or anti-Microsoft.
They've been taken to task on their security problems, and I think fairness dictates when they show up on Apple software, they should be taken to task there too.
Apple has a bad PR problem going for them, in that they don't want to talk about things until they're damned good and ready to. I'm not going to apologize for what I saw as some pretty bad reporting (well... the reporting itself was sound... the editorializing in the resulting story was bad), but Apple does not do itself any favours. If they had simply said three days ago that yes, there will be a release out for Jaguar, then this whole "crisis" could have been avoided. But because they likely refused to return the journalist's phone call, or at least to make comment on the questions posed, they opened the door for a reporter to run with the most exciting, biggest-headlined, worst-case-scenario version of the story.
I'm not advocating calling up a company and asking them the equivalent of "When did you stop beating your wife?" questions to trap them into sounding stupid, but there's some pretty obvious and clear questions that should be asked, and warrant a response from Apple.
1) You've patched Panther, will you be patching Jaguar as well?
2) What is the reason for the patch for Jaguar being released after the patch for Panther?
I'm sure neither of these questions were answered honestly, leaving the door open.
hulugu
Oct 31, 2003, 03:16 PM
Which is outright ridiculous in cases like this. I knew they were going to patch OSX.2, but their priority was with newly shipping Panther, this is not a problem. But, as soon as the patch was ready for Panther, they should have immediately stated the fix would be out 'soon' for Jaguar. Don't give us a specific time to hang yourself on Apple, but please defuse FUD ASAP, you can't afford it.
Lancetx
Oct 31, 2003, 03:26 PM
Originally posted by Totalshock
Apple has a bad PR problem going for them, in that they don't want to talk about things until they're damned good and ready to. I'm not going to apologize for what I saw as some pretty bad reporting (well... the reporting itself was sound... the editorializing in the resulting story was bad), but Apple does not do itself any favours. If they had simply said three days ago that yes, there will be a release out for Jaguar, then this whole "crisis" could have been avoided.
Well, either way, the original story has apparently now been pulled from both CNET and ZDNET's sites here in the last hour, so that pretty much says it all. But when you have a headline of "Apple charges $129 for Security Fix" and you have received NO official comment yet from the company at all, maybe you shouldn't be so flamboyant in your "reporting." In the end it still turns out to be nothing but FUD seeing as how Apple issues a statement less than 48 hours later debunking this entire conspiracy theory of theirs.
And no, I don't see them flogging Microsoft in this same type of fashion at all, they are literally given months on several occasions to respond to security issues far more severe than any of this was. So now Apple can't even get 48 hours to come up with their response to this? I don't see how anyone can think Apple deserves any blame whatsoever in this particular manufactured PR fiasco. This was simply a case of FUD gone wild.
idea_hamster
Oct 31, 2003, 03:32 PM
Originally posted by Totalshock
I think that's fair comment...
Fair enough.
Your point's well taken that the bias can certainly be added in the writing and editing of the article, and I'm not nearly familiar enough with the author to know his bias/objectivity, so I'm more than willing to defer on that.
However, even though we can all agree that no OS is unassailable, I think that the article seemed to put OS X and Windows in the same boat of "systems with flaws" rather than drawing contrast between "few" and "lots". I don't think any of us expects our OS to be perfect, but sometimes MS seems plainly reckless. I guess my point was that they can say Mac's not perfect as long as they admit its superiority...hmmm...now who sounds biased!? :eek:
...
Anyone have any thoughts on which operating system is the most "buffer-riddled"?
Lanbrown
Oct 31, 2003, 03:42 PM
Why not send mail to @stake as well? If you go to their homepage, all they mention is OS X, BT and other items, but nothing about MS. Not even the huge vulnerability that affected every supported OS by MS.
Advisories from companies that are selling something should be taken with a grain of salt.
greenstork
Oct 31, 2003, 03:44 PM
Originally posted by beg_ne
Jeez, what's with you people. You get some stupid FUD laced, "Looks like Apple is forcing users to upgrade to Panther" statement which they have NO facts to back up and practically everyone follows along like lemmings.
Maybe you should switch to Windows if you have that little faith in Apple and are willing to take unsubstantiated comments from a PeeCee site as gospel.
I find your statement overzealous. It's very possible that this was a reactionary move by Apple.
Case in point. I am a G4 MDD owner. As you may or may not know, these are affectionately known as "windtunnels" because of their *VERY* loud fans. It took months of letter writing, press releases and even the formation of a G4 Noise (http://www.g4noise.com/) website to elicit a reaction from Apple to provide a fix. Eventually they caved to the bad publicity and offered a Power Supply Exchange Program (http://maccentral.macworld.com/news/2003/02/21/exchange/). For a few months there though, Apple was ignoring this problem. My point is that they aren't this all benevolent organization, they're a business. They will create strategies to make or save a buck and they do cave to bad press, like any *good* company should.
bousozoku
Oct 31, 2003, 03:48 PM
Originally posted by JoeMacDaddy
:)
I'm very happy that Apple has taken the high road with the @Stake (Micro$oft backed hatchetmen), ZDnet and CNET and opted to supply updates to Jaguar. I am in the IT security business and while the @Stake report is true, the High rating is unwarranted. Since a malcontent must gain physical access to your machine and know precisely what to do, it is highly unlikely the vulnerability would be exploited en masse. Therefore the threat was VERY overblown. This just shows the extent of YELLOW Journalism that is systemic in the computer industry today. :rolleyes: They will sell themselves on the street for a nickel. Whatever happened to the truth and unbiased journalism?
Just my $.02 :p
You have to wonder about Microsoft's customer-vendor relationship with @Stake, especially after a very high profile person recently left the company over a report that Microsoft has security problems.
The eWeek article was mentioning that @Stake was concerned about the Core files problem, even though they couldn't re-create it, and that the Core files business isn't accessible normally.
Odd, these problems are blown out of proportion and iTunes for Windows is inflexible.
Conspiracies? Everybody needs at least one. :D
greenstork
Oct 31, 2003, 03:56 PM
Originally posted by beg_ne
Jeez, what's with you people. You get some stupid FUD laced, "Looks like Apple is forcing users to upgrade to Panther" statement which they have NO facts to back up and practically everyone follows along like lemmings.
Maybe you should switch to Windows if you have that little faith in Apple and are willing to take unsubstantiated comments from a PeeCee site as gospel.
I find your statement overzealous. It's very possible that this was a reactionary move by Apple.
beg_ne
Nov 1, 2003, 02:53 PM
Originally posted by greenstork
I find your statement overzealous. It's very possible that this was a reactionary move by Apple.
Case in point. I am a G4 MDD owner. As you may or may not know, these are affectionately known as "windtunnels" because of their *VERY* loud fans. It took months of letter writing, press releases and even the formation of a G4 Noise (http://www.g4noise.com/) website to elicit a reaction from Apple to provide a fix. Eventually they caved to the bad publicity and offered a Power Supply Exchange Program (http://maccentral.macworld.com/news/2003/02/21/exchange/). For a few months there though, Apple was ignoring this problem. My point is that they aren't this all benevolent organization, they're a business. They will create strategies to make or save a buck and they do cave to bad press, like any *good* company should.
You aren't seriously comparing patching security holes against your loud fans are you? :rolleyes:
I don't recall Apple normally commenting on a security issue except to acknowledge it in the release notes for the patch. So why should we have expected them to do any different with these?
I find it laughable that so many people were able to fall victim to CNet's very obvious FUD. Doesn't anyone think for themselves anymore?
Phil Of Mac
Nov 1, 2003, 08:00 PM
Apple patched 10.1 after the release of Jaguar too. This isn't news.
ITR 81
Nov 2, 2003, 01:05 AM
Tech TV announced yesterday that Apple officially stated they had the patch planned all along but wanted to get Panther out to customers first.
I think Leo said he'd eat his Mac if Apple didn't patch it by next week and Apple made the official statement about the patch the very next day.
sluxx
Nov 2, 2003, 02:03 AM
I have to say that I was having some doubts too as to whether Apple was going to address those problems in 10.2. Now I can breath a sigh of relief.
Darwin being an open source project probably helped in having Apple pushing out those updates. But I suppose unless something else major surfaces after this update, this will probably be the last major update release for 10.2 from Apple. After that we will have to compile our own codes, huh? :)
Knox
Nov 2, 2003, 11:17 AM
Originally posted by Lanbrown
At this point, does it matter? If they had a change of heart, then they learned a valuable lesson. If they planned all along to fix the vulnerabilities, then they still got the message from the customer base. So it's a win win no matter how you look at it.
It doesn't. I was simply pointing out that it's quite possible that what was written by CNET and the others *was* the truth at the time and not just some made up FUD. After all, why didn't Apple say that they were going to release fixes for earlier versions at the time the 10.3 fixes were released (even if they didn't actually release the fixes at the same time).
Originally posted by beg_ne
Maybe you should switch to Windows if you have that little faith in Apple and are willing to take unsubstantiated comments from a PeeCee site as gospel.
The comments that "Apple were always going to fix earlier versions" is equally unsubstantiated. In other words, no-one knows, as I stated originally.
Phil Of Mac
Nov 2, 2003, 05:18 PM
Apple released fixes for 10.1 after they released Jaguar, so no, it wasn't unsubstantiated to assume they'd similarly support Jaguar.
ITR 81
Nov 2, 2003, 08:59 PM
I guess everyone forgot about Apple being rumored to have an update as soon as 10.3 released?? Some said it was going to be extra programs and eyecandy but it was a sec. patch. To me why would they release a patch for 10.2 when you're trying to make 10.3 run as smoothly as possible. It's funny how folks get all crazy when OSX has an error somewhere in the coding but if MS has one folks just take it with a grain of salt.
Anyways I think sec. companies need report all exploits not just mostly Open Source based OS's like @Stake seems to do.
Plus, I could've went without the update because most folks don't get use my Mac.