When you get those emails from Security@MicroSoft.com - don't click the link and say "install". Please. ;)

"Every other day" is about 15 times more often than the rest of us are offered updates.

http://en.wikipedia.org/wiki/Patch_Tuesday




Your servers aren't well managed, then.

Most of the patches don't apply to any particular server - there's no benefit from applying and rebooting. (You don't run Office or surf the web from your servers - no need for IE or Office patches.)

If you use "roles" for servers, then you won't even be offered patches that are irrelevant to the task that server is performing.


Just about every patch Tuesday includes a remote kernel vulnerability and there's often an IIS or RDP vulnerability so that generally hits every system. I don't NEED to apply every patch, but if I have to apply one I might as well apply all once I've QA'd them through our apps.

Patches this Tuesday that matter to me:
- SMB client remote code execution (2003/2008)
- Priv escalation vulnerability in kernel (2003/2008)
- Remote code execution (2 in 2003 and 1 in 2008)

I agree with you that all patches don't matter. I'm not worried in the slightest about the IE6/7/8 rollup, vulnerability in poorly crafted MP3s, or vbscript.

The same thing applies in OS X. Last year's big batch of vulnerabilities for OS X from this security conference included a lot of malformed data exploits for apps like iPhoto, Preview, and TextEdit. If you're running servers, who cares. Don't open things on your server. If you do, then you deserve what happens.
 
MS releases updates in small increments as soon as it patches things. Apple makes huge updates once in a while. It looks like Apple lacks a good software management/release flow and thus is unable to patch things quicker.

I'm sorry but that's a load of bull. Red Hat only releases patches in one big blob as well, and they have arguably the best quality and most secure enterprise Linux distro. To be more specific, Red Hat releases security patches mainly as a point upgrade.

If you were to take what Microsoft does but further, you end up with the non-enterprise Linux distros, and updates range from ridiculously large numbers to just a few, sometimes days after another.

EDIT: What I said above can also be applied to SLED.
 
Trying to remember the last Windows patch I got. It was about two years ago I last turned on one of my Windows computers. That was probably when.
 
Windows does updates on Tuesdays too; if you're getting 'em every other day, YOU'RE doing something wrong... not MS :p

Actually no, I'm not doing anything wrong, it just seems like once a week is crazy.

MS releases updates in small increments as soon as it patches things.

Microsoft release monthly, not weekly, except for bugs that get a widely publicized exploit.

http://en.wikipedia.org/wiki/Patch_Tuesday

But "monthly" is a "small increment" compared to Cupertino's schedule.
 
Got a source?
On how long it takes to reboot? Seems like an odd response. Obviously what he said was slightly tongue in cheek and reboot times can vary widely on both platforms.

But really you want a source for a smart ass comment, what are you Bill Gates?

MS releases updates in small increments as soon as it patches things. Apple makes huge updates once in a while. It looks like Apple lacks a good software management/release flow and thus is unable to patch things quicker.


Or Microsoft wildly throws patches out because they have no release management policy and Apple has a solid release management strategy that sticks to a schedule that is less frequent than Microsoft. Of course we are both full of it, but you have bigger problems than I do because you thought you sounded smart.
 
The Macbook in my sig.

The Macbook in my sig only gets a 6.3 MB download.

 
On how long it takes to reboot? Seems like an odd response. Obviously what he said was slightly tongue in cheek and reboot times can vary widely on both platforms.

But really you want a source for a smart ass comment, what are you Bill Gates?

Oops I thought the person was saying something about the pwn2own myth. Doh!
 
On how long it takes to reboot? Seems like an odd response. Obviously what he said was slightly tongue in cheek and reboot times can vary widely on both platforms.

But really you want a source for a smart ass comment, what are you Bill Gates?




Or Microsoft wildly throws patches out because they have no release management policy and Apple has a solid release management strategy that sticks to a schedule that is less frequent than Microsoft. Of course we are both full of it, but you have bigger problems than I do because you thought you sounded smart.

And releasing a patch on the day of the product release constitutes solid release management strategy :D Right.
 
Or Microsoft wildly throws patches out because they have no release management policy and Apple has a solid release management strategy that sticks to a schedule that is less frequent than Microsoft. Of course we are both full of it, but you have bigger problems than I do because you thought you sounded smart.

Ouch. You don't have the faintest idea of what you're talking about, huh?

Let me ask you this: When was the last time a Windows update caused problems akin to the problems caused when 10.6.3 was released? Would it be somewhere in the area of never? I've never had problems with a single update from MS, but have seen the same MacBook go down twice during OS X point upgrades. And just today Apple released 10.6.3.1.1 in order to fix bugs in their most recent combo upgrade. That's right, an update to update your update so that the OS works correctly again. Early point updates to Leopard were no different, coming fast and furious until about 10.5.4 as each update crippled some functionality on a subset of machines. So don't go on about how MS has no release management strategy. It's Apple that needs to get their act together.
 
They're on the thread agreeing with the turtlenecked one that nobody needs more than a Core 2 Duo.
Nobody?

Does Apple only offer Core 2 Duos, exclusively, for all of their machines?

Seems a bit extreme - 'off-thread' post much? :rolleyes:
 
Early point updates to Leopard were no different, coming fast and furious until about 10.5.4 as each update crippled some functionality on a subset of machines.

10.2.4, 10.3.4, 10.4.4, and 10.5.4 all came out in approximately the same timeframe - 7 to 9 months - after the initial OS release. With minor variations, Apple is fairly predictable with their update schedules.
 
Difference is that Mac takes a minute, Windowze takes 5-10.

Don't be such a lying moron. It takes 1 minute to 1.5 minutes.

And I thought Crapple computers were "perfect"? Oh, an updated patch to fix a vulnerability. According to the outright fraudulent "I'm a PC, I'm a Mac", I thought there WERE nooooooo security flaws.

Shows how spit-for-brains Crapple buyers are.
 
Try rebooting 400 Windows servers on patch Tuesday. Windows takes long enough to boot, but initializing RAID controllers takes all day. I've been very busy today.

I feel the pain because it got me too. Just 12 machines and 5 servers and it took me almost 7 hours to babysit each machine to make sure nothing screwed up.

You sound like you really love the Cisco IOS upgrades. :eek:
 
Try rebooting 400 Windows servers on patch Tuesday. Windows takes long enough to boot, but initializing RAID controllers takes all day. I've been very busy today.

If you're babysitting 400 servers every time there is a simple Windows Update, then you are poorly managing them.
 
If you have to reboot your servers for anything other than kernel updates, you're using the wrong servers.
 
So these security holes were discovered last month and a fix was released today? So nobody took advantage? I guess security through obscurity does work.

Apple was only made aware of the issues last month and the details are NOT available to the public.
Most of these vulnerabilities are very difficult to actually exploit in a manner that would compromise your machine. In most cases they result in just an application crash. The hard part is making it a controlled crash that can expose the user in some way.
Testing any change to an OS is a rigorous process. The risk of an under-tested patch being deployed to tens of millions of machines is not justified, unless the issue is actively being exploited in the wild.
 
The Macbook in my sig only gets a 6.3 MB download.
Interesting.

Security updates, when downloaded in full, are cumulative. That is, Security Update - 2010-003 will contain everything that came before it (e.g., Security Update - 2010-001 and Security Update - 2010-002). The small size of your delta there, as well as the shortness of this listing (compared to the previous one), seem to indicate that most of the Pwn2Own stuff got covered by the March 29th update (as well as QuickTime 7.6.6), and yesterday's release was just a minor follow-up. Well, "minor" in terms of what was new since last time.

Maybe it took a little convincing ($$) to bring Charlie around. ;)
 
Interesting.

Security updates, when downloaded in full, are cumulative. That is, Security Update - 2010-003 will contain everything that came before it (e.g., Security Update - 2010-001 and Security Update - 2010-002). The small size of your delta there, as well as the shortness of this listing (compared to the previous one), seem to indicate that most of the Pwn2Own stuff got covered by the March 29th update (as well as QuickTime 7.6.6), and yesterday's release was just a minor follow-up. Well, "minor" in terms of what was new since last time.
The 6.3MB download only updates the following folder:

/System/Library/Frameworks/ApplicationServices.framework/Versions/A/Frameworks/ATS.framework/Versions/A/
 