Apple to Fix Security Flaws in Jaguar

[MacRumors]

Apple released a statement today indicating that it would release fixes to potential security flaws revealed earlier this week.

Apple allays some concerns by stating: "Apple's policy is to quickly address significant vulnerabilities in past releases of Mac OS X wherever feasible".

[Lancetx]

Quote:

Originally posted by Macrumors
Apple released a statement today indicating that it would release fixes to potential security flaws revealed earlier this week.

Apple allays some concerns by stating: "Apple's policy is to quickly address significant vulnerabilities in past releases of Mac OS X wherever feasible".

So much for the conspiracy theories so wildly thrown about by @Stake, CNET, ZDNET and the rest that Apple was forcing a $129 upgrade on poor Mac users in order to fix security issues huh? Sorry guys, but your FUD has been disproven...yet again. Try writing the truth instead for a change.

[usingmac]

what kind of feasible...

financial, technical, motivated....

[1macker1]

yeah i'm wondering what they mean by "feasible" also.

[sethypoo]

What exactly are the holes?

[ryaxnb]

Though I already have Mac OS X v10.3, it's good to know Mac OS X v10.2 users will be all right too. Now we can stop complaining.

[ITR 81]

And everyone doubted Apple even Tech Tv..ehehe

[Mindfield]

All I can say is kudos for Apple

[stockscalper]

They ain't Microsoft, so what did the press expect?

[Knox]

Quote:

Originally posted by Lancetx
So much for the conspiracy theories so wildly thrown about by @Stake, CNET, ZDNET and the rest that Apple was forcing a $129 upgrade on poor Mac users in order to fix security issues huh? Sorry guys, but your FUD has been disproven...yet again. Try writing the truth instead for a change.

What we don't know is whether this is a change of heart or was the plan all along. It's quite possible that all the negative publicity made Apple realise that it had to keep updating the older versions.

[Lanbrown]

Quote:

Originally posted by Knox
What we don't know is whether this is a change of heart or was the plan all along. It's quite possible that all the negative publicity made Apple realise that it had to keep updating the older versions.

At this point, does it matter? If they had a change of heart, then they learned a valuable lesson. If they planned all along to fix the vulnerabilities, then they still got the message from the customer base. So it's a win win no matter how you look at it.

[JoeMacDaddy]

I'm very happy that Apple has taken the high road with the @Stake (Micro$oft backed hatchetmen), ZDnet and CNET and opted to supply updates to Jaguar. I am in the IT security business and while the @Stake report is true, the High rating is unwarranted. Since a malcontent must gain physical access to your machine and know precisely what to do, it highly unlikely the vulnerability would be exploited enmass. Therefore the threat was VERY overblown. This just shows the extent of YELLOW Journalism that is sytemic in the computer industry today. They will sell themselves on the street for a nickel. Whatever happend to the truth and unbiased journalism?

Just my $.02

[robbents99]

Quote:

Originally posted by ITR 81
And everyone doubted Apple even Tech Tv..ehehe

Did Leo say he would eat his Mac if they did or didn't?

It'll probably be one of the top stories on TSS tonight...

[duce]

Apple cannot be as draconian as M$ lemmings learned to accept. To abandon previous releases of the OS at this time would kill all the gains the Mac is making with OS X. I have less and less respect for reporters and people like those at @Stake to presume Apple will do this. Maybe this is normal (standard) behavior of the likes at M$. People we need to have a little faith on normalcy.

[beg_ne]

Quote:

Originally posted by Knox
What we don't know is whether this is a change of heart or was the plan all along. It's quite possible that all the negative publicity made Apple realise that it had to keep updating the older versions.

Jeez, what's with you people. You get some stupid FUD laced, "Looks like Apple is forcing users to upgrade to Panther" statement which they have NO facts to back up and practically everyone follows along like lemmings.

Maybe you should switch to Windows if you have that little faith in Apple and are willing to take unsubstantiated comments from a PeeCee site as gospel.

[Bruja]

Way to go Apple!!

[robmorton]

Quote:

Originally posted by Lancetx
So much for the conspiracy theories so wildly thrown about by @Stake, CNET, ZDNET and the rest that Apple was forcing a $129 upgrade on poor Mac users in order to fix security issues huh? Sorry guys, but your FUD has been disproven...yet again. Try writing the truth instead for a change.

Yeah, that is absurd. It was like the 10.1.5 Servers that Apple started the QuickTime Streaming Server Admin program on by default. I mean Apple would not just leave those people out to be hacked on the internet or pay for the upgrade to 10.2. They especially would not even warn those users that they are vulnerable.

Apple is improving their policies as the go. They basically jumped quickly into a UNIX world that they did not fully understand the realities to. They did a mostly great job and are constantly improving. This is one time that the FUD probably forced Apple's hand a bit more. No security update should come in an OS update alone. There are too many machine out there that can only get security patches and not a completely new system.

[SiliconAddict]

Now everyone please go bombard zdnet.com with shut the **** up. I was more then a little sickened the day they announced the sec flaw and zdnet's article was speculating that Apple wasn't going to fix panther. ***wipes.

[nacl99]

From what i have ready the "Hole" can only be taken advantage of when a person is sitting at your computer/in possession of it. NOT over the internet/network like most security flaws.

I don't understand all the bitching, I'm sure the average joe has left several holes that could be used by a hacker sitting at your computer without even needing this one in the OS.

I mean security is a relative thing, it all depends on who your trying to secure yourself against, and what your securing.

For most of us, if a "pro" sat at our computer, we'd be screwed, but then again I know i don't have any gov. secrets on my laptop either :-)

[idea_hamster]

Was anyone else insensed by the way the article ended:

"The flurry of security flaws in Apple's OS X shows "there's no piece of commercial software that doesn't have security problems," says John Pescatore, a security analyst at Gartner."

If OS X's security flaws amount to a flurry, then what's MS's? The winter of '92? I don't think that anyone ever said any Mac OS was some sort of ant-proof case, rather that OS X is far more secure than any version of Windows.

What would interest me is the answer to this:

Lots of the recent crop of major security flaws seem to stem from a system's succeptibility to "buffer overflows" in various parts of the programming. So who has more "buffers" that could (theoretically) be "overflowed"? Win? Mac?

[Totalshock]

Quote:

Originally posted by idea_hamster
"The flurry of security flaws in Apple's OS X shows "there's no piece of commercial software that doesn't have security problems," says John Pescatore, a security analyst at Gartner."

I think that's fair comment from a respected analyst in the field, a very smart man, and a guy who's been very critical of Microsoft for its security errors in the past.

It's a very fair argument. There ARE holes in Mac OS, in Linux, in anything. What there haven't been, to date, are massive exploits for those holes. That is a good thing for the Mac user community, but it doesn't mean we're bullet-proof.

However, I do wonder about the context of the quote above, because it's a quote that forms the back-end of a statement by the author. We, the reader, have no way of knowing if Pescatore volunteered that "these vulnerabilities in OS X show that there's no piece of commercial software that doesn't have security problems," or if the part of the sentence quoted comes from an entirely different question.

ie:

Interviewer: Are you surprised to see that these types of security holes are being found in Mac OS X?
Pescatore: No, because there's no piece of commercial software that doesn't have security problems.

The context is different, clearly, in what Pescatore was trying to say... and it's not totally unheard-of for a reporter to bend an analyst's comments to match his or her hypothesis in the worst case, or simply to provide a more flashy bit of commentary in a slightly better case.

Quote:

Originally posted by idea_hamster
If OS X's security flaws amount to a flurry, then what's MS's? The winter of '92? I don't think that anyone ever said any Mac OS was some sort of ant-proof case, rather that OS X is far more secure than any version of Windows.

Microsoft's security woes have been well-documented in the press and elsewhere, and they've been largely taken to the cleaners for it... many writers, even those who are clearly not MS-bashers, have taken to outright sarcasm in pieces about Microsoft's security problems. I know I find myself doing so, and I do not consider myself either pro- or anti-Microsoft.

They've been taken to task on their security problems, and I think fairness dictates when they show up on Apple software, they should be taken to task there too.

Apple has a bad PR problem going for them, in that they don't want to talk about things until they're damned good and ready to. I'm not going to apologize for what I saw as some pretty bad reporting (well... the reporting itself was sound... the editorializing in the resulting story was bad), but Apple does not do itself any favours. If they had simply said three days ago that yes, there will be a release out for Jaguar, then this whole "crisis" could have been avoided. But because they likely refused to return the journalist's phone call, or at least to make comment on the questions posed, they opened the door for a reporter to run with the most exciting, biggest-headlined, worst-case-scenario version of the story.

I'm not advocating calling up a company and asking them the equivalent of "When did you stop beating your wife? questions to trap them into soundng stupid, but there's some pretty obvious and clear questions that should be asked, and warrant a response from Apple.

1) You've patched Panther, will you be patching Jaguar as well?
2) What is the reason for the patch for Jaguar being released after the patch for Panther?

I'm sure neither of these questions were answered honestly, leaving the door open.

[hulugu]

Which is outright rediculous in cases like this. I knew they were going to patch OSX.2, but their priority was with newly shipping Panther, this is not a problem. But, as soon as the patch was ready for Panther, they should have immediately stated the fix would be out 'soon' for Jaguar. Don't give us a specific time to hang yourself on Apple, but please disfuse FUD ASAP you can't afford it.

[Lancetx]

Quote:

Originally posted by Totalshock
Apple has a bad PR problem going for them, in that they don't want to talk about things until they're damned good and ready to. I'm not going to apologize for what I saw as some pretty bad reporting (well... the reporting itself was sound... the editorializing in the resulting story was bad), but Apple does not do itself any favours. If they had simply said three days ago that yes, there will be a release out for Jaguar, then this whole "crisis" could have been avoided.

Well, either way, the original story has apparently now been pulled from both CNET and ZDNET's sites here in the last hour, so that pretty much says it all. But when you have a headline of "Apple charges $129 for Security Fix" and you have received NO official comment yet from the company at all, maybe you shouldn't be so flamboyant in your "reporting." In the end it still turns out to be nothing but FUD seeing as how Apple issues a statement less than 48 hours later debunking this entire conspiracy theory of theirs.

And no, I don't see them flogging Microsoft in this same type of fashion at all, they are literally given months on several occassions to respond to security issues far more severe than any of this was. So now Apple can't even get 48 hours to come up with their response to this? I don't see how anyone can think Apple deserves any blame whatsoever in this particular manufactured PR fiasco. This was simply a case of FUD gone wild.

[idea_hamster]

Quote:

Originally posted by Totalshock
I think that's fair comment...

Fair enough.

Your point's well taken that the bias can certainly be added in the writing and editing of the article, and I'm not nearly familiar enough with the author to know his bias/objectivity, so I'm more than willing to defer on that.

However, even though we can all agree that no OS is unassailable, I think that the article seemed to put OS X and Windows in the same boat of "systems with flaws" rather than drawing contrast between "few" and "lots". I don't think any of us expects our OS to be perfect, but sometimes MS seems plainly reckless. I guess my point was that they can say Mac's not perfect as long as they admit its superiority...hmmm...now who sounds biased!?
...
Anyone have any thoughts on which operating system is the most "buffer-riddled"?

[Lanbrown]

Why not send mail to @stake as well? If you go to their homepage, all they mention is OS X, BT and other items, but nothing about MS. Not even the huge vulnerability that affected every supported OS by MS.

Advisories from companies that are selling something should be taken with a grain of salt.