Forgot your password?
typodupeerror
Security Businesses Microsoft Apple

Apple and Microsoft Release Critical Patches 194

Posted by Soulskill
from the that-time-of-the-month dept.
SkiifGeek writes "Both Microsoft and Apple have released major security updates in the last 24 hours. Microsoft's single update (MS09-017) addresses fourteen distinct vulnerabilities across all supported versions of PowerPoint, but it isn't the number of patched vulnerabilities that is causing trouble. Instead, the decision to release the patch for Windows versions while OS X and Works versions remain vulnerable to the same remote code execution risks (including one that is currently being exploited) hasn't gone down well with some people. Microsoft have given various reasons why this is the case, but this mega-update-in-a-patch is still interesting for other reasons. Meanwhile, Apple has updated OS X 10.5 to 10.5.7 as part of the 2009-002 Security Update, as well as a cumulative update for Safari 3 and the Public Beta for 4. As well as addressing numerous significant security risks, the 10.5.7 update provides a number of stability and capability enhancements and incorporates the Safari 3 update patch. Probably the most surprising element of the Apple update is the overall size of it; 442MB for the point update, and 729MB for the ComboUpdate."
This discussion has been archived. No new comments can be posted.

Apple and Microsoft Release Critical Patches

Comments Filter:
  • by olddotter (638430) on Wednesday May 13, 2009 @10:19AM (#27937337) Homepage
    If a patch is important enough to be on Slashdot I apply it? (well not really) Keep up the work /. and remember the internet depends on you.
  • orly? (Score:5, Interesting)

    by gardyloo (512791) on Wednesday May 13, 2009 @10:19AM (#27937345)

    [...] but this mega-update-in-a-patch is still interesting for other reasons.

    Why not just say what those reasons are? I'd like to know, because I followed the link which suggests it'll tell me what the reasons are, and it's---so far as I can tell---only interesting because it contains so little detail. Please be careful with futzing about with infinite regress like that. Eventually you're going to divide by zero, and then we're all fucked.

    • Re:orly? (Score:5, Interesting)

      by ShadowRangerRIT (1301549) on Wednesday May 13, 2009 @10:28AM (#27937491)
      I suspect there were two reasons for the delay in a Mac patch (I base this on previous experience as an MS programmer):
      1. Macs in general have a slightly lower priority for development, and less developers. Note the release years; each version of Office for the Mac is released a year behind the Windows equivalent. If they held off until the Mac team was ready to release, they'd leave Windows vulnerable longer.
      2. Pre-Vista versions of Windows are more vulnerable to the exploits than a Mac is. Both Macs and Vista don't grant programs admin privileges by default, so the damage is limited. On XP and earlier OSes, the exploits could root the system on a default home user installation. So leaving Windows vulnerable longer would mean disproportionate damage to pre-Vista Windows users.

      Of course, there may be a small bit of reason 3: "Windows customers are more important" in there, but it's a justifiable decision on points 1 and 2 alone.

      • Re: (Score:3, Interesting)

        by iphayd (170761)

        Point #1 is false.

        Microsoft alternates paid updates to Office between years for Macintosh and Windows. There are features in each version that may not be in the other, so the statement that the Mac version is delayed is false. The Mac version lags behind the Windows one year, then the same happens to the Windows version behind the Mac the next.

        Also, how is reason 3 justifiable based on 1 and 2? I would see this as the other way around (if point 1 were true.) Reason 3 dictates that Windows gets precedence, w

        • Yes, they do add features in between, but the development work for each Windows version is reused by the Mac team. Most Microsoft products separate view from control; the control is under constant development, with stabilized branches being spun off for release. The view is developed independently for different OSes. I oversimplified, but it's not wrong either.

          You misread my post with regard to point 3. "it's justifiable" refers to the decision to release for Windows first. That decision is justifiable

          • Re: (Score:3, Interesting)

            by mcmaddog (732436)

            Yes, they do add features in between, but the development work for each Windows version is reused by the Mac team.

            I was under the impression that the last (and first) time MS used the same code base for both Mac and Windows versions of MS Word was Word 6.0. However, because of the massive outcry by the Mac users because Word 6 did not feel like a Mac application and decided to keep using Word 5.x Microsoft created the Macintosh Business Unit for developing future versions. Also, new features are often introduced in the Mac versions first, like self healing in Office 98, because the risks of pissing off a large user bas

      • by LoudMusic (199347)

        Macs in general have a slightly lower priority for development, and less developers. Note the release years; each version of Office for the Mac is released a year behind the Windows equivalent. If they held off until the Mac team was ready to release, they'd leave Windows vulnerable longer.

        I think the point is not that the Windows version wait on the Mac version but that the Mac version be worked on just as hard as the Windows version, in reference to fixing vulnerabilities.

    • Re: (Score:3, Interesting)

      by teridon (139550)

      The most interesting thing I got out of the linked commentary was that the patch doesn't seem to fix the vulnerabilities by changing how Powerpoint processes the data in Powerpoint 4 (PP4) format files.

      Instead, it simply disables support for the PP4 format. Additionally, you can re-enable support for PP4-format files by editing the registry -- potentially re-introducing security vulnerabilities onto a system you may have thought was patched.

      • Which makes exploring this vulnerability just a matter of taking one first step. Changing the registry.
  • Do you have any idea how much legal copy [youtube.com] would be involved to release concurrent patches for all those vulnerabilities? The mere thought boggles the mind.
  • Size... (Score:4, Funny)

    by courcoul (801052) on Wednesday May 13, 2009 @10:28AM (#27937497)

    > Probably the most surprising element of the Apple update is the overall size of it; 442MB for the point update, and 729MB for the ComboUpdate."

    Well, the Server version of the Combo updater runs close to the whole GB. In other words, it would seem the patch is virtually overwriting the entire OS.

    Wonder if the the Vista patch is doing the same, overwriting with Windows 7? :D

    • Re: (Score:3, Funny)

      by Anonymous Coward
      Windows 7 isn't really Windows 7, it is Win 6.5, and is basically Vista SP2 (now with better PR).
  • by Sh1r0wgmx.de (747868) on Wednesday May 13, 2009 @10:29AM (#27937511)
    Yeah the size of the update was a shock this morning, let me miss my usual train too. From what i've read http://www.macworld.com/article/140578/2009/05/1057update.html [macworld.com] the update does a lot more than is actually said (big surprise with the size), even though most of those things aren't directly visible. What i have found is that my dashboard updates a lot faster than before, as i have two standard weather widgets open at all times i guess they really optimized the code there. Normally it would take at least 5-10 seconds to update the display after opening the dashboard, now it's almost instantenous. Anyone else notice this too?
    • Re: (Score:3, Funny)

      by 0xdeadbeef (28836)

      let me miss my usual train too

      The next Microsoft commercial: Apple makes you late for work.

    • Re: (Score:3, Funny)

      by djdavetrouble (442175)

      This speed boost that you are referring to is of course one of the best things about apple updates.
      You call it faster, we (the hive mind of apple fandom) call it "SNAPPIER".

      Seems that Dashboard is the recipient of some of Apples secret snappy sauce (ASSS) this time.

    • by Jugalator (259273)

      Actually, that change was brought up in the patch release notes [apple.com].

      Improves the reliability and accuracy of Unit Converter, Stocks, Weather and Movies Dashboard widgets.

    • The first load after a login isn't faster, but subsequent loads of Dashboard are really quite zippy.
  • by jellomizer (103300) on Wednesday May 13, 2009 @10:33AM (#27937585)

    Granted it is bigger then the ones you normally get. But it has been a rather long time since we got an update to the OS. Almost twice as long for this one and oddly enough it is about twice the size.

    • Re: (Score:3, Informative)

      by MoonBuggy (611105)

      This update alone isn't even that big - if you're using auto update on a machine that was previously patched up to date, 10.5.7 is only 286MB.

    • Re: (Score:3, Insightful)

      by Jugalator (259273)

      Yes, I don't think it's a big deal. The odd part is that Slashdot calls both "critical patches", as if these are mostly security related.

      Well, for MS, it was, but for OS X, we just received what is comparable to a service pack upgrade. Of course it'll be big, and it's in line with what I think one can expect these days.

  • by 93 Escort Wagon (326346) on Wednesday May 13, 2009 @10:47AM (#27937781)

    The SANS link makes some great points about Microsoft and responsible disclosure. After reading that, I think it's obvious what needs to be done. Quit helping Microsoft cover their rear when they're going to turn around and attempt to use it as a cudgel against their perceived competition.

    If you're a security researcher, and you discover a flaw in a Microsoft product - stop buying into the flawed MS version of responsible disclosure. Notify Microsoft right away, certainly; but from now on also announce it to SANS and the other responsible security organizations at the same time. That way the affected users - ALL affected users - can take steps to mitigate their exposure.

    • by UnknowingFool (672806) on Wednesday May 13, 2009 @11:34AM (#27938527)

      Also don't trust MS reports on their own security. They deliberately fudge numbers to make their OS look good by redefining metrics. For example, MS says that they actually patch faster than RedHat, Apple, or SuSE. [computerworlduk.com] Of course what MS doesn't tell you is that they define "time to patch" as the time between when they publicly disclose a bug and when they patch it. Linux and some parts of Apple systems (the parts based on open source) define "time to patch" as the time between when a bug is verified and when it is patched. Recently MS patched a bug that has been lingering for 7 years [slashdot.org]. The "time to patch" for this bug was one month according to MS since it was released in Nov. 2008 and fixed in Dec. 2008.

      Now before anyone starts linking the 25 year old bug in BSD realize that the situations were different. That bug required conditions that didn't exist until present day conditions: Namely if you are using Samba on BSD and your directory has more than up to 250,000 items. As such the BSD bug has been present for 25 years, but could be not triggered much less verified until recent years. The 7 year old MS bug was verified and has been present on all Windows versions since that time.

      • by drinkypoo (153816)

        Now before anyone starts linking the 25 year old bug in BSD realize that the situations were different.

        Please explain why that bug didn't get fixed when the Samba developers discovered it, since they knew about it already when the current flap happened.

        • I don't have any specific information about that other than googling for it. But my point is still valid. The bug has been present in the code for 25 years but conditions didn't exist until recent years that could trigger it. When a BSD developer found the bug, he fixed it right away. The situation with MS was 8 years ago people showed a working exploit. They didn't get around to fixing it until last year.
          • by drinkypoo (153816)

            OpenBSD's claim to fame is their security. They claim to achieve it through exhaustive code review which has reputedly allowed them to fix tons of bugs before they were even discovered through error or exploit. Yet somehow they failed to locate a bug which was well known to developers of one of the most relevant pieces of OSS in existence until it actually bit someone. Okay, shit happens, but it's still not easily defensible.

            • The conditions which triggered the bug didn't exist 25 years ago when the code was written as it requires large directories (250,000+) to trigger. 25 years ago, no one has such large directories and very few people today have them. Whether BSD developers could foresee such a problem well ahead of time would require a level of omnipotence. Also the Samba team didn't tell the BSD team about the bug when they found it; they simply issued a workaround.
    • Re: (Score:2, Interesting)

      by blowdart (31458)

      That way the affected users - ALL affected users - can take steps to mitigate their exposure.

      You are assuming that you can take steps. Take the DNS flaw. It affected everyone on the internet. There was no mitigation. Should Dan have announced it to SANS et al, rather than talking to MS (because he was contracting with them at the time) and getting all the DNS companies in quietly to discuss it? Like hell. It would have leaked, and it would have been disastrous.

      • You are assuming that you can take steps. Take the DNS flaw. It affected everyone on the internet. There was no mitigation. Should Dan have announced it to SANS et al, rather than talking to MS (because he was contracting with them at the time) and getting all the DNS companies in quietly to discuss it? Like hell. It would have leaked, and it would have been disastrous.

        When we're talking about a discovered flaw in a Microsoft product - which is what I specifically stated - you can most certainly take steps to protect yourself. The DNS flaw was not Microsoft-specific.

        As an aside, it's also worth noting that Kaminsky did not limit his discussions to only include Microsoft people, which (had he done so) would have more closely paralled the MS responsible disclosure stance.

  • by bcrowell (177657) on Wednesday May 13, 2009 @10:49AM (#27937813) Homepage

    There's a gigantic conflict of interest here. By treating MacOS as a second-class citizen, they can hurt a competitor in the OS market. If MS can make people perceive Windows as the only first-class platform on which to run Office, it makes MS more likely to retain market share for Windows. MS's interests in this case are diametrically opposed to the interests of their users.

    A similar situation applies to old versions of Windows. The California community college where I teach has a whole bunch of student computer labs with machines from about 2001, which all have Windows 2000 on them. MS's support for Win2k ends in July of 2010, and that means no more security patches. We could upgrade to XP, but although our machines do theoretically satisfy XP's hardware requirements, it's not clear whether they'd have acceptable performance with XP. Again, MS's interests are diametrically opposed to ours. They want to keep us on the upgrade treadmill. They're happy to let Win2k become a non-viable platform, so that we'll be forced to buy new hardware, which will come with Vista preinstalled. Except, uh, the California state budget crisis means that we can't afford to buy new hardware. Of course they MS never promised us to support Win2k indefinitely, and our managers should have done a better job of planning ahead so that this wouldn't become a crisis. But it really does strike me that this is the kind of problem that would have never happened with Linux. I can run Ubuntu for as long as I want, and just keep upgrading to the latest version. Linux runs well on old hardware, so there's no upgrade treadmill. No big mystery why it's this way: it's because Linus Torvalds, Mark Shuttleworth, etc. don't have interests that conflict with the user's.

    • by Anonymous Coward on Wednesday May 13, 2009 @10:53AM (#27937877)
      That is the longest explanation of a "for profit business" that I've ever seen.
      • Why is this flamebait? If GP had complained that he no longer got Win95 patches, he would have been laughed out of the room.
      • I'm going to commit an act of slashdot heresy now (aka "I'm going to get modded down for this, but I have karma to burn").

        But my parent's saying "for profit business" got me thinking.

        I don't object to profit; people want material wealth (among other things), and the free market idea of giving it to people who also give it to others has some merit.

        But there's a difference between "profitably meeting your customers' needs" and "profiting by exploiting your customers' needs".

        I haven't done the numbers; I don't

    • Can you please list other commercial OS'es which are still supported after 10 years?

    • by DCstewieG (824956)

      There's not much difference between Ubuntu and Windows besides Ubuntu always having the advantage of free. Even LTS [ubuntu.com] releases only have support for 3 years on the desktop. Meanwhile Windows 2000 is on it's 10th year or so? That's not bad.

      You say there's no upgrade treadmill on Linux but there is...it just happens to be free.

      /Devil's advocate

    • Re: (Score:3, Interesting)

      by darkmeridian (119044)

      Should Microsoft still be supporting DOS 6.22 or Windows 95? Or, cough, Windows ME? Linux can keep going without deprecating old versions because no one's responsible for its upkeep. I mean, there are developers who maintain packages, but if shit hits the fan, no one is liable for it. If Microsoft maintains support for Windows 2000, that means it has to provide security updates and field service calls for that OS. The fixes may take forever or may never come at all, but MS has to take care of that operating

      • I mean, there are developers who maintain packages, but if shit hits the fan, no one is liable for it.

        That is precisely the reason why companies like Red Hat package up Linux into a (Red Hat) supportable distribution that they will accept liability for if something does go wrong - which is the reason why you pay them for the actual distro and for their support of it.

        • Re: (Score:3, Interesting)

          by iamhigh (1252742)
          How long does Red Hat provide support for a release? Are upgrades free? Does the purchase of RHEL entitle you to security updates for 10 years? You can't put down his argument without opening up to the same problems of any other proprietary OS. So yes, you solved the problem with Linux having nobody to answer for issues, but you just ended up where we started, only now the questions are directed at Red Hat, not Redmond.
          • I thought the statement was that no-one is liable for a package if something goes wrong - in which case I have stated how that can be possible by purchasing a Red Hat, or SuSE, or several other distros, support contract.

            I have no idea how long you get updates for - I assume it's for as long as the release is current, software companies usually support the current release and the one before it.

            I'm not sure I understand where we started, I think you've actually disappeared off tangentially somewhere...

            • by iamhigh (1252742)
              Well this is how I saw it in my mind...
              MS can't keep supporting old releases forever, you need to upgrade
              That's why you use linux, it's free and easy to upgrade
              but nobody backs linux and you have no real support
              use red hat, they support it
              does red hat support a release indefinitely, for free?
              no they can't keep supporting old releases foreve, you need to upgrade

              that is where we were. But again that might have just been in my head.
    • Re: (Score:3, Interesting)

      by drinkypoo (153816)

      There's a gigantic conflict of interest here. [...] A similar situation applies to old versions of Windows.

      It's similar in that Microsoft's goals and society's goals do not intersect. It's different in that if you're trying to stick to an old version of Windows then that's your fault (Especially given how long Windows releases last!) but if you're trying to manipulate a file in a format mandated by those you must do business with, then that's not. The schools chose the Microsoft path knowing that Windows releases have a finite lifespan. They bought into the false "windows vs. mac" dichotomy and now we are all pa

  • One of the reasons for the size of the updates is that OS X is a multilingual OS by default so everything in the UI is localized with multiple sets of resource files for each language. With Vista/WIndows 7, you have to be running the most expensive version (Ultimate) in order to download additional language packs while that functionality is included by default on each OS X install.

    This localization does not just go down to the level of text strings but also images, icons and even the complete form layout

    • I'm always amused by the defensiveness of the Apple fanbois...

      Does is actually *REALLY MATTER* what size the update is in these days of fast broadband connections? And who actually gives a toss how much of the update is bug fixes and how much is localizations, feature updates, etc.

      I'm not an OSX user but the update has a size that implies it's a Service Pack - so either install it or don't install it, just stop with the excuse making to the rest of us!

  • by Anonymous Coward

    There are nearly 70 security flaws OS X is patching. The 14 for MS is prominently displayed...
    http://www.informationweek.com/news/hardware/mac/showArticle.jhtml?articleID=217400595&subSection=Macintosh+Platform

    • There are nearly 70 security flaws OS X is patching. The 14 for MS is prominently displayed...
      http://www.informationweek.com/news/hardware/mac/showArticle.jhtml?articleID=217400595&subSection=Macintosh+Platform [informationweek.com]

      I don't think that the number of flaws patched is ever a really useful fact. I assume you're trying to imply that Apple is somehow worse for having more flaws, or maybe you're trying to show that they're better for fixing more. Either way, I don't think it's very useful.

      Or maybe you're just being informative for the curious among us, in which case that's fine.

  • They've released (long overdue) patches for Acrobat and Acrobat Reader today...

    np: Moderat - Porc#1 (Moderat)

  • So MS even gets bashed when they fix security problems. Amazing!
    • Re: (Score:2, Informative)

      by jisatsusha (755173)
      They're not being bashed for fixing security problems, they're being bashed for leaving Office on OSX vulnerable.
  • Delta updates contain both PPC and Intel code for all changes since the last point release (10.5.6). Combo updates contain all updated code for both platforms since 10.5 was released in 2007. This is why the standalone installers are so huge.

    If you install via Software Update, the update will only be delta code for your processor platform - much smaller.

    MS does similar with Windows Update/Microsoft Update, which is one of the reasons it takes a longer time to process. In most cases, you can download a ve

  • I'm upgrading from 10.5.6

Facts are stubborn, but statistics are more pliable.

Working...