Now if they could concentrate on something useful like helping the 20% of users that the Video Drivers in 10.3.3 made their system buggy, instead of the 1% that cared about some caca security update :confused:
 
i think it quite funny that you guys whine about windows always having security updates all the time and man, how horrible it must be to run windows and always have all these security problems, and blah blah blah.

do those of you that feel this way realize that we get an OS X security update every couple of weeks just like XP users?

There are 2 reasons you don't hear about the OS X security issues:

1. in comparison to windows, nobody uses OS X...especially not hackers.
2. apple likes to be extremely vague about their security problems. this is a good and bad policy. It is good because it makes it more difficult for hackers (if there were any) to find and exploit weaknesses before they are patched. it is bad because a 'power' user will always be better off with more information instead of less...and apple in general prefers to give less.

we're all just lucky that OS X is 1% of the market, if that...if it gets too popular, we could be in trouble...
 
This looks to be a good security update. I will do backup of documents and then install later.
 
Mac/Win Security

Windows updates come out every time someone finds a new 'hole'. (And they only know it's been found, once it's been exploited.)

The first you usually hear about Mac security holes is when Apple patch them. The problem is therefore short-lived.

Prevention versus Cure.

As for hackers NOT using OS X, a guy from the FBI was quoted a little while ago as saying: "If you're a hacker, and you don't want to get caught, use a Mac." Or words to that effect.

I'm sure someone must have given him a good reason to hold such an opinion.
 
benpatient said:
i think it quite funny that you guys whine about windows always having security updates all the time and man, how horrible it must be to run windows and always have all these security problems, and blah blah blah.
...
we're all just lucky that OS X is 1% of the market, if that...if it gets too popular, we could be in trouble...

Considering how few of these will affect the average user, we're not in that much distress as Windows users in general. Most of the issues end up being server issues and the services are turned off in the client. While they should be patched, they are not security risks with the same immediacy as those in Windows.

Mac OS X is much more secure by design even though there are portions which have had problems. If those portions aren't running, what risk is there?
 
woohoo! security update!! wait..starting to feel like windows a bit..security update here, security update there...

The difference is that their flaws are much easier to find while ours are much more difficult. For both hackers and developers I assume.

1. in comparison to windows, nobody uses OS X...especially not hackers.

Woah! Not true at all. BSD, the core of Mac OS X (Also known as Darwin), is probably the second choice of a hacker (next to Linux). If you don't believe me look at a respectable hacker forum sometime. Windows on the other hand is very looked down upon and is considered the choice of script kiddies.

Script Kiddies, for those who don't know are usually dumb teenagers who think they are cool because they download other people's software without knowing what is going on besides the appearance of the GUI interface.

Don't get me wrong though windows isn't that bad of an OS as people make it out to be. They still have quite a few problems that they have to hammer out but they are getting better.
 
iMeowbot said:
Yep. The big thing that System Update will have problems with is figuring out what third-party software might be using the libraries it's updating, what effect leaving that stuff running might have, or what effect trying to automatically restart it might have.

Figuring out what programs are using the libraries is trivial, since the OS knows this stuff. It's also not a big deal to leave the programs running while you update the library. They'll continue to use the old version of the library that's still in memory. They won't interact at all with the new library until you restart them.

Elektronkind said:
How about when it's an update to the kernel itself?

Generally you do have to reboot then. But, OS X uses a microkernel which theoretically means you can even replace parts of the kernel without a reboot.

Personally, I don't mind the reboots. They are just easier than making software update figure out exactly which programs and components it needs to restart. It's possible to do though, and I wouldn't be surprised to see a new feature in a future version of OS X: "No more rebooting after updates." Just give Apple some time. ;)
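The point made in the post above, that running programs keep using the old library until they are restarted, shown as an added example (not code from the thread or from Apple). It assumes the updater installs the new file by renaming it into place; the file name and contents are constructed stand-ins.

```python
import mmap
import os
import tempfile

def replace_while_mapped(workdir):
    """Map a stand-in 'library', replace it on disk, then compare both views."""
    path = os.path.join(workdir, "libdemo.dylib")    # hypothetical file name
    with open(path, "wb") as f:
        f.write(b"libdemo 1.0 (vulnerable)")          # constructed content

    # A "running program" opens and maps the library.
    fd = os.open(path, os.O_RDONLY)
    mapped = mmap.mmap(fd, 0, access=mmap.ACCESS_READ)
    old_inode = os.fstat(fd).st_ino

    # The "updater" writes the fixed build beside it and renames it into place
    # (assumption: install by rename, not by overwriting the file in place).
    tmp = path + ".new"
    with open(tmp, "wb") as f:
        f.write(b"libdemo 1.1 (patched)")
    os.replace(tmp, path)

    with open(path, "rb") as f:
        fresh = f.read()                              # what a new process loads
    result = {
        "running_process_sees": bytes(mapped[:]),     # still the old bytes
        "new_process_sees": fresh,
        "same_inode": old_inode == os.stat(path).st_ino,
        # Link count 0 on the open descriptor means the mapped file no longer
        # exists on disk, i.e. this process needs a restart to pick up the fix.
        "stale": os.fstat(fd).st_nlink == 0,
    }
    mapped.close()
    os.close(fd)
    return result

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        for key, value in replace_while_mapped(d).items():
            print(f"{key}: {value}")
```

For a security update this means the fix on disk protects only processes started after the install; anything still mapping the replaced file has to be restarted.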
 
Waragainstsleep said:
The first you usually hear about Mac security holes is when Apple patch them. The problem is therefore short-lived.

To be fair, if the openssl vulnerability is what I think it is, it was found several weeks ago. The vulnerability I'm thinking of allows the attacker to crash the process using openssl. This doesn't really affect ssh though, since each connection spawns a new process. All the attacker can do in that case is crash the process they caused the creation of. Ultimately, harmless. You can do a similar thing with apache, where each connection is a new process, but I'm not sure if that's the default. If you use the main process to handle all the https connections, then maybe you would be able to crash the webserver. Otherwise, it's as unaffected as ssh is.

Well, that's all only if the vulnerability fixed is the one that I think is fixed. If it was more severe, I might not have waited for Apple to release the update and have rebuilt openssl myself.
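The process-per-connection argument in the post above, as an added example (not code from the thread, OpenSSL, ssh or apache): a parent forks one worker per request, one worker crashes, and the parent keeps serving. The `malformed` trigger and the function names are constructed for illustration.

```python
import os
import signal

def handle_connection(request):
    """Stand-in for the per-connection worker; 'crashes' on one input."""
    if request == b"malformed":                  # constructed trigger, not a real bug
        # Restore the default action, then simulate a crash inside a library.
        signal.signal(signal.SIGSEGV, signal.SIG_DFL)
        os.kill(os.getpid(), signal.SIGSEGV)
    return 0

def serve(requests):
    """Fork one child per request, the model the post describes for ssh."""
    outcomes = []
    for request in requests:
        pid = os.fork()
        if pid == 0:                             # child: handles exactly one request
            try:
                code = handle_connection(request)
            except BaseException:
                code = 1
            os._exit(code)                       # never fall back into the parent's loop
        _, status = os.waitpid(pid, 0)           # parent: reap the child, keep going
        if os.WIFSIGNALED(status):
            name = signal.Signals(os.WTERMSIG(status)).name
            outcomes.append(("crashed", name))
        else:
            outcomes.append(("ok", os.WEXITSTATUS(status)))
    return outcomes

if __name__ == "__main__":
    # The middle request kills only its own worker; the third is still served.
    for outcome in serve([b"hello", b"malformed", b"hello"]):
        print(outcome)
```

If `handle_connection` ran inside the parent instead, the same input would take down the listener and every later connection with it, which is the single-process case the post raises for https.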
 
AppleMatt said:
And I agree, the vast majority of OS X updates don't need a restart. I wonder why this hasn't been fully implemented yet, but the post by displaced is true (do you or anyone else have a source for this, I'd be interested in reading it), perhaps it will be a selling point for 10.4.

Not got a source at hand -- just remember noises coming out of Apple about it being something they're looking at. (I'll try to dig up sources later... going out in a mo)

I tend to believe they're working on it. Why? Because OS X is a server strength OS, and I'd say update-without-reboot would be a very good feature to have. With experience of unix and windows development/admin, I'm also kinda asking myself why it's not there -- it seems too attainable a target for them not to be considering it :)

Unscientific, I know :D
 
benpatient said:
i think it quite funny that you guys whine about windows always having security updates all the time and man, how horrible it must be to run windows and always have all these security problems, and blah blah blah.

do those of you that feel this way realize that we get an OS X security update every couple of weeks just like XP users?

There are 2 reasons you don't hear about the OS X security issues:

1. in comparison to windows, nobody uses OS X...especially not hackers.

Every couple of weeks? My Software Update log shows:

Nov 01, Nov 05, Nov 20, Dec 20, Jan 26, Feb 23, Apr 05

(yeah, November was busy ... if I had time I'd go find out what they were... but anyway)

To my mind, this isn't too bad -- compare this to the numbers of Windows updates available to Windows admins like myself -- here's a thread where I list the figures direct from our Microsoft Windows Update Services server.

Compared to the breadth and scope of MS updates, these OS X updates are small change.

Also, more often than not, these updates simply bring to OS X improvements that F/OSS developers have made to standard UNIX libraries or daemons which are used in almost every modern UNIX system. This latest update to cups (Common Unix Printing System) will, for example, be implemented on Linux distributions too.

This also puts paid to your comments regarding OS X's userbase. This software is common to many other Unix systems (Linux, Solaris, SCO [shudder]) -- both desktop and server.

2. apple likes to be extremely vague about their security problems. this is a good and bad policy. It is good because it makes it more difficult for hackers (if there were any) to find and exploit weaknesses before they are patched. it is bad because a 'power' user will always be better off with more information instead of less...and apple in general prefers to give less.

eh?

You may be correct regarding Apple-owned software... although I can only remember one security issue with Cocoa in the past 2 1/2 years. But regarding libssl, apache, cups, etc... there's absolutely nothing preventing you from going to the project's site, reading their version histories, and even jumping in there and looking at the code yourself. Probably even able to grab the diffs for the patch and find the exact lines of code that've been changed.

And security through obscurity is no security at all. This doesn't help hackers by not showing them the code. For these unix tools, the code is available to everyone, all of the time. If a hacker wants to look for exploitable bugs in these tools, they can go straight to the horse's mouth. If they find an exploit, good luck to them -- it may well be possible to multiple unix variants.

But wait -- as soon as the exploit's discovered, absolutely anyone with a patch can submit it and get the hole fixed. Anyone can look at the code, and anyone with the ability can suggest a patch. And that patch will be distributed not only to every other unix variant, but to OS X too.

we're all just lucky that OS X is 1% of the market, if that...if it gets too popular, we could be in trouble...

:confused:

Seriously, I'm not practising fanboyism. Network and security management is my job and my interest .... just trying to share some knowledge and learn some myself.
 
Mail.app: from version 1.2.4 to 1.3.7

Do I see this right? Did Mail.app go from version 1.2.4 to 1.3.7?

That's quite the version number increase, considering that they don't say anything about anything actually changing in Mail.

Whaddup with that?
 
SHA1= 30c78daca1859ddc84a6c8e5c1d31de32b4aa979

Hey... look at the Apple document on this, in the lower-right corner, under System Requirements.

I see:

System Requirements
— Mac OS X 10.3.3 or later
— Client and Server
— SHA1= 30c78daca1859ddc84a6c8e5c1d31de32b4aa979

Where do I get one of those?
 
Toe said:
Do I see this right? Did Mail.app go from version 1.2.4 to 1.3.7?

That's quite the version number increase, considering that they don't say anything about anything actually changing in Mail.

Whaddup with that?

Well, I haven't installed this yet, and I have Mail.app version 1.3.4. So, if this update takes it to 1.3.7, that's really not that big a step. And, I believe that they do mention that Mail is updated...
 
numediaman said:
Yes. The only question is which Tuesday. I vote for the first Tuesday of a month that begins with J, or maybe A, or maybe S, or maybe . . .

Shipping by the first Tuesday of a month that begins with a D, but Apple may announce at Paris in September. :rolleyes:
 
Ahhh.... printer is working again....

Someone mentioned the Safari "Debug" Menu.... this is not new, it has been around a long time, some haxies make it appear (or terminal commands) I use it to spoof web pages into thinking I am on a windows....
 
Toe said:
Hey... look at the Apple document on this, in the lower-right corner, under System Requirements.

I see:

System Requirements
— Mac OS X 10.3.3 or later
— Client and Server
— SHA1= 30c78daca1859ddc84a6c8e5c1d31de32b4aa979

Where do I get one of those?

That SHA1 number is an encrypted checksum that can be used to verify the download as authentic and unmodified. It's there for those of us that are paranoid when it comes to security. :)
 
wrldwzrd89 said:
That SHA1 number is an encrypted checksum that can be used to verify the download as authentic and unmodified. It's there for those of us that are paranoid when it comes to security. :)

Well, don't I feel like an idiot? (Answer: yes)

Secure Hash Algorithm, eh?

Thanks for the heads-up.
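Checking a download against the `SHA1=` line discussed in the posts above, as an added example (not code from the thread or from Apple): it hashes the file and compares the result with the digest as printed on the page. The file name and contents are constructed stand-ins, so the digest quoted in the thread is expected not to match them.

```python
import hashlib
import hmac
import os
import re
import tempfile

def parse_published_sha1(text):
    """Pull the 40-hex-digit digest out of a line such as 'SHA1= 30c7...'."""
    match = re.search(r"\b[0-9a-fA-F]{40}\b", text)
    if match is None:
        raise ValueError("no 40-hex-digit SHA-1 digest in %r" % text)
    return match.group(0).lower()

def sha1_of_file(path, chunk_size=1 << 20):
    """Hash the file in chunks so a large installer never sits in memory."""
    digest = hashlib.sha1()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()

def matches_published(path, published_text):
    """True only if the file's SHA-1 equals the digest quoted on the page."""
    expected = parse_published_sha1(published_text)
    return hmac.compare_digest(sha1_of_file(path), expected)

if __name__ == "__main__":
    # Constructed stand-in for the downloaded update (hypothetical file name).
    path = os.path.join(tempfile.mkdtemp(), "SecurityUpdate.dmg")
    with open(path, "wb") as f:
        f.write(b"abc")
    # Digest exactly as quoted in the thread: the stand-in is not the real
    # update, so this reports a mismatch.
    print(matches_published(path, "SHA1= 30c78daca1859ddc84a6c8e5c1d31de32b4aa979"))
    # Known SHA-1 test vector for b"abc": this one matches.
    print(matches_published(path, "SHA1= a9993e364706816aba3e25717850c26c9cd0d89d"))
```

A match shows only that the file is the one the page describes, so the digest has to come from a channel the attacker cannot also modify.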
 
It's very simple.

benpatient said:
i think it quite funny that you guys whine about windows always having security updates all the time and man, how horrible it must be to run windows and always have all these security problems, and blah blah blah.

do those of you that feel this way realize that we get an OS X security update every couple of weeks just like XP users?

There are 2 reasons you don't hear about the OS X security issues:

1. in comparison to windows, nobody uses OS X...especially not hackers.
2. apple likes to be extremely vague about their security problems. this is a good and bad policy. It is good because it makes it more difficult for hackers (if there were any) to find and exploit weaknesses before they are patched. it is bad because a 'power' user will always be better off with more information instead of less...and apple in general prefers to give less.

we're all just lucky that OS X is 1% of the market, if that...if it gets too popular, we could be in trouble...


MS sometimes puts out several Security Updates more than once a week or weekly. We get them every once in a while and while we might be getting them more often recently, we don't really have to worry about it. If you don't want to install it, then don't. No big deal.
 
It doesn't have the same thrill

Low said:
woohoo! security update!! wait..starting to feel like windows a bit..security update here, security update there... :confused:

It is not the same. You don't have the thrill of rushing from box to box making sure that you beat worms to your machine. Or, the joy of cleaning up the mess they make.

Not to be too smug, because you know when there is a real security bug on osx paired with an exploit you know people are going to go around saying the mac is just as insecure as windows. So be happy Apple is putting out patches, in fact I wish they would turn around on them faster.
 