
Apple and Microsoft Release Critical Patches

SkiifGeek writes "Both Microsoft and Apple have released major security updates in the last 24 hours. Microsoft's single update (MS09-017) addresses fourteen distinct vulnerabilities across all supported versions of PowerPoint, but it isn't the number of patched vulnerabilities that is causing trouble. Instead, the decision to release the patch for Windows versions while OS X and Works versions remain vulnerable to the same remote code execution risks (including one that is currently being exploited) hasn't gone down well with some people. Microsoft have given various reasons why this is the case, but this mega-update-in-a-patch is still interesting for other reasons. Meanwhile, Apple has updated OS X 10.5 to 10.5.7 as part of the 2009-002 Security Update, as well as a cumulative update for Safari 3 and the Public Beta for 4. As well as addressing numerous significant security risks, the 10.5.7 update provides a number of stability and capability enhancements and incorporates the Safari 3 update patch. Probably the most surprising element of the Apple update is the overall size of it; 442MB for the point update, and 729MB for the ComboUpdate."
  • orly? (Score:5, Interesting)

    by gardyloo ( 512791 ) on Wednesday May 13, 2009 @10:19AM (#27937345)

    [...] but this mega-update-in-a-patch is still interesting for other reasons.

    Why not just say what those reasons are? I'd like to know, because I followed the link which suggests it'll tell me what the reasons are, and it's---so far as I can tell---only interesting because it contains so little detail. Please be careful with futzing about with infinite regress like that. Eventually you're going to divide by zero, and then we're all fucked.

  • Re:orly? (Score:5, Interesting)

    by ShadowRangerRIT ( 1301549 ) on Wednesday May 13, 2009 @10:28AM (#27937491)
    I suspect there were two reasons for the delay in a Mac patch (I base this on previous experience as an MS programmer):
    1. Macs in general have a slightly lower priority for development, and less developers. Note the release years; each version of Office for the Mac is released a year behind the Windows equivalent. If they held off until the Mac team was ready to release, they'd leave Windows vulnerable longer.
    2. Pre-Vista versions of Windows are more vulnerable to the exploits than a Mac is. Both Macs and Vista don't grant programs admin privileges by default, so the damage is limited. On XP and earlier OSes, the exploits could root the system on a default home user installation. So leaving Windows vulnerable longer would mean disproportionate damage to pre-Vista Windows users.

    Of course, there may be a small bit of reason 3: "Windows customers are more important" in there, but it's a justifiable decision on points 1 and 2 alone.

  • by ShadowRangerRIT ( 1301549 ) on Wednesday May 13, 2009 @10:39AM (#27937659)

    A bit of a logical fallacy [wikipedia.org] there. Even if we assume that the switch to x86 was the trigger for more exploits (increased popularity of the OS being another possibility), it doesn't necessarily mean x86 is more vulnerable. The vast majority of exploits don't need to rely on processor specific characteristics after all.

    What it means is that virus writers have limited time and experience. Ignoring trivial Trojans and the like that any script kiddie can bang out, an effective virus (e.g. worms) requires a lot of skill in the assembly language for the CPU, in order to write code that can fit in the available exploit "space". Writing worms for the Power PC architecture was a losing proposition since you didn't have a lot of targets. Now, if you have knowledge of x86 assembly, you can transfer your skills to Macs more easily.

    Of course, porting programs to run in 64 bit mode *is* an effective security obstacle; one example is that since 64 bit addresses (in the current implementation) always contain nulls, buffer overruns are much harder to exploit. So yes, Power PC 64 bit is more secure, but if you wrote for an x86-64 target, you'd have roughly the same benefits.
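The null-byte argument in the comment above can be made concrete. The following is an added example, not code from the thread or from either vendor: it models the classic strcpy()-driven stack overflow and counts how many bytes of an attacker-supplied return address actually reach the stack. It assumes an x86-64 little-endian target whose user-space addresses are canonical (the top two bytes are always zero), and the sample addresses are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Pointer width in bytes on the *target*, independent of the host. */
#define PTR32 4u
#define PTR64 8u

/* Number of zero bytes in the little-endian encoding of `addr` when it is
   `width` bytes wide. A canonical x86-64 user-space address never uses the
   top two bytes, so a 64-bit stack or heap address always has at least two. */
static unsigned count_null_bytes(uint64_t addr, unsigned width) {
    unsigned n = 0;
    for (unsigned i = 0; i < width; i++)
        if (((addr >> (8 * i)) & 0xffu) == 0) n++;
    return n;
}

/* Model a strcpy()-based stack overflow. The attacker's string is `filler`
   bytes of padding followed by the little-endian encoding of `addr`
   (constructed payload, laid out as an attacker would write it). Returns how
   many bytes of `addr` survive the copy: strcpy() stops at the first zero
   byte, so everything after it never lands on the stack. */
static unsigned address_bytes_surviving_strcpy(uint64_t addr, unsigned width,
                                               unsigned filler) {
    unsigned char payload[64 + PTR64 + 1];
    if (filler > 64 || width > PTR64) return 0;

    memset(payload, 'A', filler);
    for (unsigned i = 0; i < width; i++)
        payload[filler + i] = (unsigned char)((addr >> (8 * i)) & 0xffu);
    payload[filler + width] = '\0';              /* attacker's own terminator */

    char stack_frame[64 + PTR64 + 1];
    memset(stack_frame, 0xcc, sizeof stack_frame); /* stale stack contents */
    strcpy(stack_frame, (const char *)payload);    /* vulnerable copy, no bound */

    /* strlen() of the result tells us where the first NUL landed. */
    size_t copied = strlen(stack_frame);
    return copied > filler ? (unsigned)(copied - filler) : 0;
}

int main(void) {
    uint64_t addr32 = 0xbffff5e8ULL;          /* typical 32-bit stack address: no zero bytes */
    uint64_t addr64 = 0x00007ffd12345678ULL;  /* typical x86-64 stack address: top 2 bytes zero */

    printf("32-bit: %u null bytes, %u/4 address bytes survive strcpy\n",
           count_null_bytes(addr32, PTR32),
           address_bytes_surviving_strcpy(addr32, PTR32, 16));
    printf("64-bit: %u null bytes, %u/8 address bytes survive strcpy\n",
           count_null_bytes(addr64, PTR64),
           address_bytes_surviving_strcpy(addr64, PTR64, 16));
    return 0;
}
```

With a 32-bit address all four bytes are copied; with the 64-bit address only the low six bytes are. The one NUL that strcpy() appends supplies the seventh byte, so the overwrite still succeeds only if the eighth byte already held zero, which is why the obstacle is a real but not absolute one, and why copies that carry an explicit length (memcpy, read) are unaffected by it.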

  • Re:orly? (Score:3, Interesting)

    by iphayd ( 170761 ) on Wednesday May 13, 2009 @10:48AM (#27937799) Homepage Journal

    Point #1 is false.

    Microsoft alternates paid updates to Office between years for Macintosh and Windows. There are features in each version that may not be in the other, so the statement that the Mac version is delayed is false. The Mac version lags behind the Windows one year, then the same happens to the Windows version behind the Mac the next.

    Also, how is reason 3 justifiable based on 1 and 2? I would see this as the other way around (if point 1 were true.) Reason 3 dictates that Windows gets precedence, which would make sense for Microsoft to do, considering that it is their OS.

  • by Anonymous Coward on Wednesday May 13, 2009 @11:10AM (#27938127)

    There are nearly 70 security flaws OS X is patching. The 14 for MS is prominently displayed...
    http://www.informationweek.com/news/hardware/mac/showArticle.jhtml?articleID=217400595&subSection=Macintosh+Platform

  • by ivucica ( 1001089 ) on Wednesday May 13, 2009 @11:18AM (#27938249) Homepage

    Simple. Botnets don't generate all that great loads of upload traffic like BitTorrent does. Sure, the outgoing mail is irritating, but it's not exactly completely continuous and it's not exactly of such concentrated volume.

  • by twidarkling ( 1537077 ) on Wednesday May 13, 2009 @11:18AM (#27938259)

    Why is it that network providers are working their hardest to stop bittorrent, yet are perfectly willing to let the viruses, the botnets, the port scans, and untold mountains of spam propagate on their networks.

    Was that rhetorical? Because we know why. The spammers pay for connections, and the *AA's pay them to crack down on bittorrent. No one's paying them to stop botnets.

  • Should Microsoft still be supporting DOS 6.22 or Windows 95? Or, cough, Windows ME? Linux can keep going without deprecating old versions because no one's responsible for its upkeep. I mean, there are developers who maintain packages, but if shit hits the fan, no one is liable for it. If Microsoft maintains support for Windows 2000, that means it has to provide security updates and field service calls for that OS. The fixes may take forever or may never come at all, but MS has to take care of that operating system. Linux has no such obligations.

    That's not to say that MS has an inherent interest in getting its customers to upgrade but there's a valid reason for them to discontinue support of old operating systems.

  • size matters? (Score:3, Interesting)

    by Gary W. Longsine ( 124661 ) on Wednesday May 13, 2009 @11:30AM (#27938461) Homepage Journal
    Apple packages their OS updates based on the delta from the starting position of the users applying it, and whether the platform of the update is known at download time. Updates which include both PowerPC and Intel, and which span more than the most recent OS update tend to be quite large. However, for users this can be quite convenient. Your claim that one can learn something about the security of the platform from the size of an update is bogus, particularly as you don't cite any relevant evidence or provide a chain of argument supporting your claim.
  • by UnknowingFool ( 672806 ) on Wednesday May 13, 2009 @11:34AM (#27938527)

    Also don't trust MS reports on their own security. They deliberately fudge numbers to make their OS look good by redefining metrics. For example, MS says that they actually patch faster than RedHat, Apple, or SuSE. [computerworlduk.com] Of course what MS doesn't tell you is that they define "time to patch" as the time between when they publicly disclose a bug and when they patch it. Linux and some parts of Apple systems (the parts based on open source) define "time to patch" as the time between when a bug is verified and when it is patched. Recently MS patched a bug that has been lingering for 7 years [slashdot.org]. The "time to patch" for this bug was one month according to MS since it was released in Nov. 2008 and fixed in Dec. 2008.

    Now before anyone starts linking the 25 year old bug in BSD, realize that the situations were different. That bug required conditions that didn't exist until present-day conditions: namely, if you are using Samba on BSD and your directory has more than up to 250,000 items. As such the BSD bug has been present for 25 years, but could not be triggered, much less verified, until recent years. The 7 year old MS bug was verified and has been present on all Windows versions since that time.

  • by blowdart ( 31458 ) on Wednesday May 13, 2009 @11:34AM (#27938529) Homepage

    That way the affected users - ALL affected users - can take steps to mitigate their exposure.

    You are assuming that you can take steps. Take the DNS flaw. It affected everyone on the internet. There was no mitigation. Should Dan have announced it to SANS et al, rather than talking to MS (because he was contracting with them at the time) and getting all the DNS companies in quietly to discuss it? Like hell. It would have leaked, and it would have been disastrous.

  • by drinkypoo ( 153816 ) <drink@hyperlogos.org> on Wednesday May 13, 2009 @11:38AM (#27938577) Homepage Journal

    There's a gigantic conflict of interest here. [...] A similar situation applies to old versions of Windows.

    It's similar in that Microsoft's goals and society's goals do not intersect. It's different in that if you're trying to stick to an old version of Windows then that's your fault (Especially given how long Windows releases last!) but if you're trying to manipulate a file in a format mandated by those you must do business with, then that's not. The schools chose the Microsoft path knowing that Windows releases have a finite lifespan. They bought into the false "windows vs. mac" dichotomy and now we are all paying. But that in itself is not evidence of any wrongdoing, which is what we usually talk about when we talk about Microsoft... because there's so much of it to talk about.

  • Re:orly? (Score:3, Interesting)

    by mcmaddog ( 732436 ) on Wednesday May 13, 2009 @11:49AM (#27938739)

    Yes, they do add features in between, but the development work for each Windows version is reused by the Mac team.

    I was under the impression that the last (and first) time MS used the same code base for both Mac and Windows versions of MS Word was Word 6.0. However, because of the massive outcry by Mac users, who felt Word 6 did not feel like a Mac application and decided to keep using Word 5.x, Microsoft created the Macintosh Business Unit for developing future versions. Also, new features are often introduced in the Mac versions first, like self healing in Office 98, because the risks of pissing off a large user base are reduced, and then they later show up in the next version for Windows.

  • by iamhigh ( 1252742 ) on Wednesday May 13, 2009 @12:13PM (#27939093)
    How long does Red Hat provide support for a release? Are upgrades free? Does the purchase of RHEL entitle you to security updates for 10 years? You can't put down his argument without opening up to the same problems of any other proprietary OS. So yes, you solved the problem with Linux having nobody to answer for issues, but you just ended up where we started, only now the questions are directed at Red Hat, not Redmond.
  • Re:10 years (Score:4, Interesting)

    by Anonymous Psychopath ( 18031 ) on Wednesday May 13, 2009 @12:15PM (#27939135) Homepage

    Can you please list other commercial OS'es which are still supported after 10 years?

    No, I can't. I didn't intend to imply that MS was worse than other proprietary OS vendors. I just meant that proprietary OS vendors were worse than open-source OS vendors.

    Do you believe you could purchase a support contract for a 10-year-old distribution of Linux today? I don't mean a guy with a pony tail and beard who will help you out and charges by the hour, I mean a support contract from a stable provider with multiple levels of escalation, 24x7 call center, etc.

    I think you're comparing apples and oranges. It's no problem to purchase a support contract for any current and popular Linux distribution because upgrades are free (as in beer). If Microsoft upgrades were also free (as in beer) you'd have no problem obtaining support for the current version of software from them either.

    I don't mean to imply that you should be running a MS OS instead of Ubuntu, or vice-versa. Pick whatever tool suits your requirements. I think that your analysis of the reasons for doing one or the other appears to be flawed, though.

  • Re:orly? (Score:3, Interesting)

    by teridon ( 139550 ) on Wednesday May 13, 2009 @01:22PM (#27940233) Homepage

    The most interesting thing I got out of the linked commentary was that the patch doesn't seem to fix the vulnerabilities by changing how Powerpoint processes the data in Powerpoint 4 (PP4) format files.

    Instead, it simply disables support for the PP4 format. Additionally, you can re-enable support for PP4-format files by editing the registry -- potentially re-introducing security vulnerabilities onto a system you may have thought was patched.

  • by perryizgr8 ( 1370173 ) on Wednesday May 13, 2009 @01:23PM (#27940261)

    There's a gigantic conflict of interest here. By treating MacOS as a second-class citizen, they can hurt a competitor in the OS market. If MS can make people perceive Windows as the only first-class platform on which to run Office, it makes MS more likely to retain market share for Windows. MS's interests in this case are diametrically opposed to the interests of their users.

    I took a walk around my office the other day - not one desktop machine was running OS X or Linux.

    Then I went into our server room - lots of machines running Linux, Windows, Solaris but... nope, not one OS X machine in there either.

    This tells me Linux and Solaris compete with Windows in the server space but nothing competes with Windows on the desktop.

    So get used to it - OS X is no competition on the desktop. Neither is Linux but I still love it and use it for most of my computing tasks and find that XP fills in for the things Linux cannot do. Thus my computing needs are fulfilled by both OSes and I'm a happy bunny who doesn't give a shit about "The Battle For The Desktop".

    You Apple fanbois have a real chip on your shoulders about reminding the rest of the world how wonderful your platforms of choice are - despite the fact that most of the world doesn't give a toss about OS X.

    i agree. i am considering buying a new desktop. i looked at dell and hp. for about 60000inr i am getting a core 2 quad 2.4 ghz, with 6gb ram, 21" lcd, 32 gb ssd for vista ultimate x64, and a 750gb hdd. yesterday i just went into the new istore here. i looked at the imac with the price 80000inr (20000 more than hp/dell). and what are the specs? core 2 duo 2ghz, 500gb hdd, 1(!)gb ram, and yes a big shiny lcd the size of which i did not care to find out.
    why the fuck are macs so expensive? i mean, there is one less company in the middle. so it should actually cost me less. and then there are no game-changing features in osx that i can't get from vista or ubuntu.
    but let me come to the main point. osx is a BIG contender in the desktop space now. people don't care that they are getting less value in hardware. they perceive the image makeover that comes with a mac as enough to justify spending a LOT more. especially since there is not a very huge glaring difference in speed for usual apps like browsers and spreadsheets between a core 2 duo with 1gb ram and a quad with 6gb.

  • by Anonymous Coward on Wednesday May 13, 2009 @01:40PM (#27940519)

    but for OS X, we just received what is comparable to a service pack upgrade

    The 10.5.7 update includes a lot of under-the-hood improvements in reliability and speed, but it also includes fixes for 44 security vulnerabilities.

    Yes, many of them are obscure, and many do not affect a default configuration, but some of them can be exploited by the victim viewing a web page with malicious content, so I would call that critical.

  • Re:numbers wrong (Score:2, Interesting)

    by ulzeraj ( 1009869 ) on Wednesday May 13, 2009 @01:49PM (#27940673) Homepage
    Call me clueless, but from what I know Mac OS X binaries are much bigger than the Windows and Linux format because they contain multiple instruction set architectures. http://en.wikipedia.org/wiki/Mach-O [wikipedia.org]
  • Re:numbers wrong (Score:1, Interesting)

    by Anonymous Coward on Wednesday May 13, 2009 @01:50PM (#27940693)

    That is incorrect.

    The largest 729MB is the combo any-10.5.x=>10.5.7.
    And there is the 442MB incremental 10.5.6=>10.5.7 update.

    Then there's the 286MB 10.5.6=>10.5.7 patch update. It's universal, but is smaller because it doesn't contain whole files, instead having just enough to be patched with bspatch. But it will patch universal binaries and contains code for both PPC and Intel.

  • by E IS mC(Square) ( 721736 ) on Wednesday May 13, 2009 @02:39PM (#27941513) Journal
    What bias are you talking about? There is no pro-Apple bias here on /.

    If MS fixes more security related issues, M$ SUCKS!

    If Apple fixes shitload of more security related issues, APPLE IS AWESOME!

    This is not my opinion, this is FACT!!!!!!!!111
