Apple Releases Security Update 2010-003 for Snow Leopard and Leopard

[greenmeanie]

I don't know what he is talking about but I don't get many either.

Today I was thinking about how I hadn't gotten one in a long time.

 

[lilo777]

I don't know what he is talking about but I don't get many either.

The truth is he does not know what he is talking about either 😀

 

[york2600]

When you get those emails from Security@MicroSoft.com - don't click the link and say "install". Please. 😉

"Every other day" is about 15 times more often than the rest of us are offered updates.

http://en.wikipedia.org/wiki/Patch_Tuesday




Your servers aren't well managed, then.

Most of the patches don't apply to any particular server - there's no benefit from applying and rebooting. (You don't run Office or surf the web from your servers - no need for IE or Office patches.)

If you use "roles" for servers, then you won't even be offered patches that are irrelevant to the task that server is performing.

Just about every patch Tuesday includes a remote kernel vulnerability and there's often an IIS or RDP vulnerability so that generally hits every system. I don't NEED to apply every patch, but if I have to apply one I might as well apply all once I've QA'd them through our apps.

Patches this Tuesday that matter to me:
- SMB client remote code execution (2003/2008)
- Priv escalation vulnerability in kernel (2003/2008)
- Remote code execution (2 in 2003 and 1 in 2008)

I agree with you that all patches don't matter. I'm not worried in the slightest about the IE6/7/8 rollup, vulnerability in poorly crafted MP3s, or vbscript.

The same thing applies in OS X. Last years big batch of vulnerabilities for OS X from this security conference included a lot of malformed data exploits for apps like iPhoto, Preview, and TextEdit. If you're running servers who cares. Don't open things on your server. If you do, then you deserve that happens.

 

[MorphingDragon]

MS releases updates in small increment as soon as it patches things. Apple makes huge updates once in a while. It looks like Apple lacks a good software management/release flow and thus is unable to patch things quicker.

I'm sorry but thats a load of bull. Redhat only releases patches in one big blob as well, and they have the arguably the best quality and most secure enterprise Linux distro. To be more specific, redhat releases security patches mainly as a point upgrade.

If you were to take what microsoft does but further you end up with the non-enterprise Linux distros and updates range from deiculously large numbers to just a few, sometimes days after another.

EDIT: What I said above can also be applied to SLED.

 

[inlovewithi]

I don't know what he is talking about but I don't get many either.

Perhaps he's taking a page from the Mac vs PC commercials and exaggerating things.

 

[RalfTheDog]

Trying to remember the last Windows patch I got. It was about two years ago I last turned on one of my Windows computers. That was probably when.

 

[AidenShaw]

Windows does updates on Tuesdays to, if your getting em every other day, YOUR doing something wrong..not MS 😛

Actually no, I'm not doing anything wrong, it just seems like once a week is crazy.

MS releases updates in small increment as soon as it patches things.

Microsoft release monthly, not weekly, except for bugs that get a widely publicized exploit.

http://en.wikipedia.org/wiki/Patch_Tuesday

But "monthly" is a "small increment" compared to Cupertino's schedule.

 

[troop231]

Microsoft release monthly, not weekly, except for bugs that get a widely publicized exploit.

http://en.wikipedia.org/wiki/Patch_Tuesday

But "monthly" is a "small increment" compared to Cupertino's schedule.

Thanks man.

 

[wovel]

Got a source?

On how long it takes to reboot? Seems like an odd response. Obviously what he said was slightly tongue in cheek and reboot times can vary widely on both platforms.

But really you want a source for a smart ass comment, what are you Bill Gates?

MS releases updates in small increment as soon as it patches things. Apple makes huge updates once in a while. It looks like Apple lacks a good software management/release flow and thus is unable to patch things quicker.

Or Microsoft wildly throws patches out because they have no release management policy and Apple has a solid release management strategy that sticks to a schedule that is less frequent than Microsoft. Of course we are both full of it, but you have bigger problems than I do because you thought you sounded smart.

 

[Burger Thing]

They're on the thread agreeing with the turtlecked one that nobody needs more than a Core 2 Duo.

At least they are kind enough to stick to one thread. You on on the other hand...🙄

 

[waloshin]

The Macbook in my sig.

The Macbook in my sig only gts a 6.3 MB download.

 

[Consultant]

On how long it takes to reboot? Seems like an odd response. Obviously what he said was slightly tongue in cheek and reboot times can vary widely on both platforms.

But really you want a source for a smart ass comment, what are you Bill Gates?

Oops I thought the person was saying something about the pwn2own myth. Doh!

 

[lilo777]

On how long it takes to reboot? Seems like an odd response. Obviously what he said was slightly tongue in cheek and reboot times can vary widely on both platforms.

But really you want a source for a smart ass comment, what are you Bill Gates?




Or Microsoft wildly throws patches out because they have no release management policy and Apple has a solid release management strategy that sticks to a schedule that is less frequent than Microsoft. Of course we are both full of it, but you have bigger problems than I do because you thought you sounded smart.

And releasing a patch on the day of the product release constitutes solid release management strategy 😀 Right.

 

[BigJimmyC]

Or Microsoft wildly throws patches out because they have no release management policy and Apple has a solid release management strategy that sticks to a schedule that is less frequent than Microsoft. Of course we are both full of it, but you have bigger problems than I do because you thought you sounded smart.

Ouch. You don't have the faintest idea of what you're talking about, huh?

Let me ask you this: When was the last time a windows update caused problems akin to the problems caused when 10.6.3 was released? Would it be somewhere in the area of never? I've never had problems with a single update from MS, but have seen the same macbook go down twice during OS X point upgrades. And just today apple released 10.6.3.1.1 in order to fix bugs in their most recent combo upgrade. That's right, an update to update your update so that the OS works correctly again. Early point updates to Leopard were no different, coming fast and furious until about 10.5.4 as each update crippled some functionality on a subset of machines. So don't go on about how MS has no release management strategy. It's apple that needs to get their act together.

 

[DMann]

They're on the thread agreeing with the turtlecked one that nobody needs more than a Core 2 Duo.

Nobody?

Does Apple only offer Core 2 Duos, exclusively, for all of their machines?

Seems a bit extreme - 'off-thread' post much? 🙄

 

[Eric S.]

Early point updates to Leopard were no different, coming fast and furious until about 10.5.4 as each update crippled some functionality on a subset of machines.

10.2.4, 10.3.4, 10.4.4, and 10.5.4 all came out in approximately the same timeframe - 7 to 9 months - after the initial OS release. With minor variations, Apple is fairly predictable with their update schedules.

 

[liamhemsworth]

Difference is that Mac takes a minute, Windowze takes 5-10.

Don't be such a lying moron. It takes 1 minute to 1.5 minutes.

And I thought Crapple computers were "perfect"? Oh, an updated patch to fix a vulnerability. According to the outright fraudulent "I'm a PC, I'm a Mac", I thought there WERE nooooooo security flaws.

Show how spit-for-brains Crapple buyers are.

 

[kallisti]

At least they are kind enough to stick to one thread. You on on the other hand...🙄

I nearly sprayed coffee reading that. Thanks for the laugh, got my day off to a good start 🙂

 

[satcomer]

Try rebooting 400 Windows servers on patch Tuesday. Windows takes long enough to boot, but initializing RAID controllers takes all day. I've been very busy today.

I feel the pain because it got me too. Just 12 machines and 5 servers and it took me almost 7 hours to babysit each machine to make sure nothing screwed up.

You sound really love the CISCO IOS upgrades. 😱

 

[overcast]

Seems to me every other day I get Windows updates, it gets pretty annoying.

Yeh, more annoying then getting your computer exploited! 🙄

 

[overcast]

Try rebooting 400 Windows servers on patch Tuesday. Windows takes long enough to boot, but initializing RAID controllers takes all day. I've been very busy today.

If you're babysitting 400 servers every time there is a simple Windows Update, then you are poorly managing them.

 

[enberg]

If you have to reboot your servers for anything other than kernel updates, you're using the wrong servers.

 

[err404]

So these security holes were discovered last month and a fix was released today? So nobody took advantage? I guess security through obscurity does work.

Apple was only made aware of the issues last month and the details are NOT available to the public.
Most of these vulnerabilities are very difficult to actually exploit in a manner that would compromise your machine. In most cases they result in just an application crash. The hard part is making it a controlled crash that can expose the user in some way.
Testing any change to an OS is a rigorous process. The risk of an under-tested patch being deployed to tens of millions of machines is not justified, unless the issue is actively being exploited in the wild.

 

[Hal Itosis]

The Macbook in my sig only gts a 6.3 MB download.

Interesting.

Security updates —when downloaded in full —are cumulative. That is, Security Update - 2010-003 will contain everything that came before it (e.g., Security Update - 2010-001 and Security Update - 2010-002). The small size of your delta there, as well as the shortness of this listing (compared to the previous one), seem to indicate that most of the Pwn2Own stuff got covered by the March 29th update (as well as QuickTime 7.6.6), and yesterday's release was just a minor follow up. Well, "minor" in terms of what was new since last time.

Maybe it took a little convincing ($$) to bring Charlie around. 😉

 

[Master Chief]

Interesting.

Security updates —when downloaded in full —are cumulative. That is, Security Update - 2010-003 will contain everything that came before it (e.g., Security Update - 2010-001 and Security Update - 2010-002). The small size of your delta there, as well as the shortness of this listing (compared to the previous one), seem to indicate that most of the Pwn2Own stuff got covered by the March 29th update (as well as QuickTime 7.6.6), and yesterday's release was just a minor follow up. Well, "minor" in terms of what was new since last time. ..

The 6.3MB download only updates the following folder:

/System/Library/Frameworks/ApplicationServices.framework/Versions/A/Frameworks/ATS.framework/Versions/A/