Apple and Microsoft Release Critical Patches
SkiifGeek writes "Both Microsoft and Apple have released major security updates in the last 24 hours. Microsoft's single update (MS09-017) addresses fourteen distinct vulnerabilities across all supported versions of PowerPoint, but it isn't the number of patched vulnerabilities that is causing trouble. Instead, the decision to release the patch for Windows versions while OS X and Works versions remain vulnerable to the same remote code execution risks (including one that is currently being exploited) hasn't gone down well with some people. Microsoft have given various reasons why this is the case, but this mega-update-in-a-patch is still interesting for other reasons. Meanwhile, Apple has updated OS X 10.5 to 10.5.7 as part of the 2009-002 Security Update, as well as a cumulative update for Safari 3 and the Public Beta for 4. As well as addressing numerous significant security risks, the 10.5.7 update provides a number of stability and capability enhancements and incorporates the Safari 3 update patch. Probably the most surprising element of the Apple update is the overall size of it; 442MB for the point update, and 729MB for the ComboUpdate."
Slashdot said patch (Score:5, Funny)
Re: (Score:1)
orly? (Score:5, Interesting)
[...] but this mega-update-in-a-patch is still interesting for other reasons.
Why not just say what those reasons are? I'd like to know, because I followed the link which suggests it'll tell me what the reasons are, and it's---so far as I can tell---only interesting because it contains so little detail. Please be careful with futzing about with infinite regress like that. Eventually you're going to divide by zero, and then we're all fucked.
Re:orly? (Score:5, Interesting)
Of course, there may be a small bit of reason 3: "Windows customers are more important" in there, but it's a justifiable decision on points 1 and 2 alone.
Re: (Score:3, Interesting)
Point #1 is false.
Microsoft alternates paid updates to Office between years for Macintosh and Windows. There are features in each version that may not be in the other, so the statement that the Mac version is delayed is false. The Mac version lags behind the Windows one year, then the same happens to the Windows version behind the Mac the next.
Also, how is reason 3 justifiable based on 1 and 2? I would see this as the other way around (if point 1 were true.) Reason 3 dictates that Windows gets precedence, w
Re: (Score:2)
Yes, they do add features in between, but the development work for each Windows version is reused by the Mac team. Most Microsoft products separate view from control; the control is under constant development, with stabilized branches being spun off for release. The view is developed independently for different OSes. I oversimplified, but it's not wrong either.
You misread my post with regard to point 3. "it's justifiable" refers to the decision to release for Windows first. That decision is justifiable
Re: (Score:3, Interesting)
Yes, they do add features in between, but the development work for each Windows version is reused by the Mac team.
I was under the impression that the last (and first) time MS used the same code base for both Mac and Windows versions of MS Word was Word 6.0. However, because of the massive outcry by the Mac users because Word 6 did not feel like a Mac application and decided to keep using Word 5.x Microsoft created the Macintosh Business Unit for developing future versions. Also, new features are often introduced in the Mac versions first, like self healing in Office 98, because the risks of pissing off a large user bas
Re: (Score:2)
Macs in general have a slightly lower priority for development, and less developers. Note the release years; each version of Office for the Mac is released a year behind the Windows equivalent. If they held off until the Mac team was ready to release, they'd leave Windows vulnerable longer.
I think the point is not that the Windows version waits on the Mac version but that the Mac version be worked on just as hard as the Windows version, in reference to fixing vulnerabilities.
Re: (Score:3, Interesting)
The most interesting thing I got out of the linked commentary was that the patch doesn't seem to fix the vulnerabilities by changing how Powerpoint processes the data in Powerpoint 4 (PP4) format files.
Instead, it simply disables support for the PP4 format. Additionally, you can re-enable support for PP4-format files by editing the registry -- potentially re-introducing security vulnerabilities onto a system you may have thought was patched.
Re: (Score:2)
Legal Copy (Score:1)
Size... (Score:4, Funny)
> Probably the most surprising element of the Apple update is the overall size of it; 442MB for the point update, and 729MB for the ComboUpdate."
Well, the Server version of the Combo updater runs close to the whole GB. In other words, it would seem the patch is virtually overwriting the entire OS.
Wonder if the Vista patch is doing the same, overwriting with Windows 7? :D
Re: (Score:3, Funny)
Dashboard patched thoroughly (Score:5, Informative)
Re: (Score:3, Funny)
let me miss my usual train too
The next Microsoft commercial: Apple makes you late for work.
Re: (Score:3, Funny)
This speed boost that you are referring to is of course one of the best things about apple updates.
You call it faster, we (the hive mind of apple fandom) call it "SNAPPIER".
Seems that Dashboard is the recipient of some of Apple's secret snappy sauce (ASSS) this time.
Re: (Score:2)
Actually, that change was brought up in the patch release notes [apple.com].
Improves the reliability and accuracy of Unit Converter, Stocks, Weather and Movies Dashboard widgets.
Re: (Score:3, Informative)
float->double->long doubles->infinite precision decimals
Take the current type, up it to the next, and you can make ever more precise calculation conversions. If the storage type is too small, converting, say, a million miles to micrometers is going to come out wrong.
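As an added illustration of the precision point in the comment above (example code, not from any commenter and not Apple's widget code), this runs the same million-miles-to-micrometres conversion in single, double and arbitrary precision and reports how far each lands from the exact answer; the conversion factor is the exact definition (1 mile = 1,609,344,000 µm) and single precision is emulated with struct, since Python floats are doubles:

```python
import struct
from decimal import Decimal, getcontext

# Exact conversion factor: 1 mile = 1609.344 m = 1,609,344,000 micrometres.
MICROMETERS_PER_MILE = 1_609_344_000


def round_to_float32(x):
    """Round a Python float (IEEE double) to the nearest IEEE single (binary32).

    Python has no native 32-bit float, so pack to 4 bytes and unpack again;
    this reproduces the rounding a widget storing its value in a C 'float' gets.
    """
    return struct.unpack("<f", struct.pack("<f", float(x)))[0]


def miles_to_um_float32(miles):
    """Conversion with every intermediate held in single precision (24-bit mantissa)."""
    factor = round_to_float32(MICROMETERS_PER_MILE)
    return round_to_float32(round_to_float32(miles) * factor)


def miles_to_um_float64(miles):
    """Same conversion in double precision (53-bit mantissa), i.e. a plain Python float."""
    return float(miles) * float(MICROMETERS_PER_MILE)


def miles_to_um_decimal(miles, digits=50):
    """Same conversion with arbitrary-precision decimal arithmetic."""
    getcontext().prec = digits
    return Decimal(miles) * Decimal(MICROMETERS_PER_MILE)


def error_in_um(miles, converter):
    """Absolute error of converter(miles), in micrometres, against the exact integer result."""
    exact = Decimal(miles) * Decimal(MICROMETERS_PER_MILE)
    return abs(Decimal(str(converter(miles))) - exact)


if __name__ == "__main__":
    miles = 1_000_000  # "a million miles", as in the comment above
    for name, conv in [("float32", miles_to_um_float32),
                       ("float64", miles_to_um_float64),
                       ("decimal", miles_to_um_decimal)]:
        # float32 is off by roughly 24 metres here; the other two are exact.
        print(f"{name:8s} {str(conv(miles)):>22s}  error = {error_in_um(miles, conv)} um")
```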
Re: (Score:2)
What is so surprising about a 400mb update? (Score:3, Insightful)
Granted it is bigger than the ones you normally get. But it has been a rather long time since we got an update to the OS. Almost twice as long for this one and oddly enough it is about twice the size.
Re: (Score:3, Informative)
Re: (Score:3, Insightful)
Yes, I don't think it's a big deal. The odd part is that Slashdot calls both "critical patches", as if these are mostly security related.
Well, for MS, it was, but for OS X, we just received what is comparable to a service pack upgrade. Of course it'll be big, and it's in line with what I think one can expect these days.
Solution seems straightforward enough (Score:5, Insightful)
The SANS link makes some great points about Microsoft and responsible disclosure. After reading that, I think it's obvious what needs to be done. Quit helping Microsoft cover their rear when they're going to turn around and attempt to use it as a cudgel against their perceived competition.
If you're a security researcher, and you discover a flaw in a Microsoft product - stop buying into the flawed MS version of responsible disclosure. Notify Microsoft right away, certainly; but from now on also announce it to SANS and the other responsible security organizations at the same time. That way the affected users - ALL affected users - can take steps to mitigate their exposure.
Re:Solution seems straightforward enough (Score:5, Interesting)
Also don't trust MS reports on their own security. They deliberately fudge numbers to make their OS look good by redefining metrics. For example, MS says that they actually patch faster than RedHat, Apple, or SuSE. [computerworlduk.com] Of course what MS doesn't tell you is that they define "time to patch" as the time between when they publicly disclose a bug and when they patch it. Linux and some parts of Apple systems (the parts based on open source) define "time to patch" as the time between when a bug is verified and when it is patched. Recently MS patched a bug that has been lingering for 7 years [slashdot.org]. The "time to patch" for this bug was one month according to MS since it was released in Nov. 2008 and fixed in Dec. 2008.
Now before anyone starts linking the 25 year old bug in BSD realize that the situations were different. That bug required conditions that didn't exist until present day conditions: Namely if you are using Samba on BSD and your directory has more than 250,000 items. As such the BSD bug has been present for 25 years, but could not be triggered much less verified until recent years. The 7 year old MS bug was verified and has been present on all Windows versions since that time.
Re: (Score:2)
Now before anyone starts linking the 25 year old bug in BSD realize that the situations were different.
Please explain why that bug didn't get fixed when the Samba developers discovered it, since they knew about it already when the current flap happened.
Re: (Score:2)
Re: (Score:2)
OpenBSD's claim to fame is their security. They claim to achieve it through exhaustive code review which has reputedly allowed them to fix tons of bugs before they were even discovered through error or exploit. Yet somehow they failed to locate a bug which was well known to developers of one of the most relevant pieces of OSS in existence until it actually bit someone. Okay, shit happens, but it's still not easily defensible.
Re: (Score:2)
Re: (Score:2, Interesting)
That way the affected users - ALL affected users - can take steps to mitigate their exposure.
You are assuming that you can take steps. Take the DNS flaw. It affected everyone on the internet. There was no mitigation. Should Dan have announced it to SANS et al, rather than talking to MS (because he was contracting with them at the time) and getting all the DNS companies in quietly to discuss it? Like hell. It would have leaked, and it would have been disastrous.
Re: (Score:2)
You are assuming that you can take steps. Take the DNS flaw. It affected everyone on the internet. There was no mitigation. Should Dan have announced it to SANS et al, rather than talking to MS (because he was contracting with them at the time) and getting all the DNS companies in quietly to discuss it? Like hell. It would have leaked, and it would have been disastrous.
When we're talking about a discovered flaw in a Microsoft product - which is what I specifically stated - you can most certainly take steps to protect yourself. The DNS flaw was not Microsoft-specific.
As an aside, it's also worth noting that Kaminsky did not limit his discussions to only include Microsoft people, which (had he done so) would have more closely paralleled the MS responsible disclosure stance.
obvious conflict of interest (Score:5, Insightful)
There's a gigantic conflict of interest here. By treating MacOS as a second-class citizen, they can hurt a competitor in the OS market. If MS can make people perceive Windows as the only first-class platform on which to run Office, it makes MS more likely to retain market share for Windows. MS's interests in this case are diametrically opposed to the interests of their users.
A similar situation applies to old versions of Windows. The California community college where I teach has a whole bunch of student computer labs with machines from about 2001, which all have Windows 2000 on them. MS's support for Win2k ends in July of 2010, and that means no more security patches. We could upgrade to XP, but although our machines do theoretically satisfy XP's hardware requirements, it's not clear whether they'd have acceptable performance with XP. Again, MS's interests are diametrically opposed to ours. They want to keep us on the upgrade treadmill. They're happy to let Win2k become a non-viable platform, so that we'll be forced to buy new hardware, which will come with Vista preinstalled. Except, uh, the California state budget crisis means that we can't afford to buy new hardware. Of course MS never promised us to support Win2k indefinitely, and our managers should have done a better job of planning ahead so that this wouldn't become a crisis. But it really does strike me that this is the kind of problem that would have never happened with Linux. I can run Ubuntu for as long as I want, and just keep upgrading to the latest version. Linux runs well on old hardware, so there's no upgrade treadmill. No big mystery why it's this way: it's because Linus Torvalds, Mark Shuttleworth, etc. don't have interests that conflict with the user's.
Re:obvious conflict of interest (Score:4, Insightful)
Re: (Score:2)
The limits capitalism (and GDP as a measure) (Score:3, Insightful)
I'm going to commit an act of slashdot heresy now (aka "I'm going to get modded down for this, but I have karma to burn").
But my parent's saying "for profit business" got me thinking.
I don't object to profit; people want material wealth (among other things), and the free market idea of giving it to people who also give it to others has some merit.
But there's a difference between "profitably meeting your customers' needs" and "profiting by exploiting your customers' needs".
I haven't done the numbers; I don't
10 years (Score:2)
Can you please list other commercial OS'es which are still supported after 10 years?
Re:10 years (Score:4, Interesting)
No, I can't. I didn't intend to imply that MS was worse than other proprietary OS vendors. I just meant that proprietary OS vendors were worse than open-source OS vendors.
Do you believe you could purchase a support contract for a 10-year-old distribution of Linux today? I don't mean a guy with a pony tail and beard who will help you out and charges by the hour, I mean a support contract from a stable provider with multiple levels of escalation, 24x7 call center, etc.
I think you're comparing apples and oranges. It's no problem to purchase a support contract for any current and popular Linux distribution because upgrades are free (as in beer). If Microsoft upgrades were also free (as in beer) you'd have no problem obtaining support for the current version of software from them either.
I don't mean to imply that you should be running a MS OS instead of Ubuntu, or vice-versa. Pick whatever tool suits your requirements. I think that your analysis of the reasons for doing one or the other appears to be flawed, though.
Re: (Score:2)
I mean a support contract from a stable provider with multiple levels of escalation, 24x7 call center, etc.
Staffed by pony-tailed bearded guys who charge their employer by the hour.
I'm not really sure what my point with that is; but here's one: why is the physical appearance and pricing structure the important issue?
What if that pony-tailed one-man company is the highest level of tech skills around and he's on call 24x7?
If having more people in the call center means there's always someone available, you're paying wages to people who just monitor the phones but don't have any calls to take.
I think it all comes do
Re: (Score:2)
I mean a support contract from a stable provider with multiple levels of escalation, 24x7 call center, etc.
Staffed by pony-tailed bearded guys who charge their employer by the hour.
I'm not really sure what my point with that is; but here's one: why is the physical appearance and pricing structure the important issue?
What if that pony-tailed one-man company is the highest level of tech skills around and he's on call 24x7?
If having more people in the call center means there's always someone available, you're paying wages to people who just monitor the phones but don't have any calls to take.
I think it all comes down to this: what are your needs, and who meets them with the best quality/price trade-off?
I guess we can collect data on how often a one-man show is the answer, relative to the alternative(s), but I don't have that; it doesn't a priori follow that it's a bad idea, though.
My pony-tailed bearded comment was tongue in cheek. What I was really referring to is a support agreement that would be in jeopardy if one person keels over from a heart attack or decides he'd rather live in Bolivia now. Or kills his wife.
You're right about balancing price versus needs. Unless your operation is very, very small, you'll need more than just one guy who's really good at fixing problems.
Re: (Score:2)
No, I can't. I didn't intend to imply that MS was worse than other proprietary OS vendors. I just meant that proprietary OS vendors were worse than open-source OS vendors.
Say what? Apart from a handful of examples, you're lucky to get more than a year or two worth of "support" out of pretty much any piece of OSS software.
For certain things (eg: kernel modules) you're lucky to get more than a few _months_ worth.
No, "upgrade to the next version" (even when it's free) is not "support".
Re: (Score:2)
There's not much difference between Ubuntu and Windows besides Ubuntu always having the advantage of free. Even LTS [ubuntu.com] releases only have support for 3 years on the desktop. Meanwhile Windows 2000 is on its 10th year or so? That's not bad.
You say there's no upgrade treadmill on Linux but there is...it just happens to be free.
Re: (Score:2)
When I had a hard drive go bad, I threw a latest-release distribution on a 1-year-old laptop and it was staggeringly slow. That experiment quickly ended and XP was promptly re-installed.
Even back in 2002, the last time I had a full-time Linux router/firewall/server running, it was difficult to keep upgrading on the same 6+ year old hardware. I gave up and bought a consumer router instead, because I didn't want to deal with the weird issues that would creep up with new kernel releases, and the system kept t
Re: (Score:3, Interesting)
Should Microsoft still be supporting DOS 6.22 or Windows 95? Or, cough, Windows ME? Linux can keep going without deprecating old versions because no one's responsible for its upkeep. I mean, there are developers who maintain packages, but if shit hits the fan, no one is liable for it. If Microsoft maintains support for Windows 2000, that means it has to provide security updates and field service calls for that OS. The fixes may take forever or may never come at all, but MS has to take care of that operating
Re: (Score:2)
Re: (Score:3, Interesting)
Re: (Score:2)
Re: (Score:2)
MS can't keep supporting old releases forever, you need to upgrade
That's why you use linux, it's free and easy to upgrade
but nobody backs linux and you have no real support
use red hat, they support it
does red hat support a release indefinitely, for free?
no they can't keep supporting old releases forever, you need to upgrade
that is where we were. But again that might have just been in my head.
Re: (Score:3, Interesting)
There's a gigantic conflict of interest here. [...] A similar situation applies to old versions of Windows.
It's similar in that Microsoft's goals and society's goals do not intersect. It's different in that if you're trying to stick to an old version of Windows then that's your fault (Especially given how long Windows releases last!) but if you're trying to manipulate a file in a format mandated by those you must do business with, then that's not. The schools chose the Microsoft path knowing that Windows releases have a finite lifespan. They bought into the false "windows vs. mac" dichotomy and now we are all pa
Re: (Score:2, Interesting)
There's a gigantic conflict of interest here. By treating MacOS as a second-class citizen, they can hurt a competitor in the OS market. If MS can make people perceive Windows as the only first-class platform on which to run Office, it makes MS more likely to retain market share for Windows. MS's interests in this case are diametrically opposed to the interests of their users.
I took a walk around my office the other day - not one desktop machine was running OS X or Linux.
Then I went into our server room - lots of machines running Linux, Windows, Solaris but... nope, not one OS X machine in there either.
This tells me Linux and Solaris compete with Windows in the server space but nothing competes with Windows on the desktop.
So get used to it - OS X is no competition on the desktop. Neither is Linux but I still love it and use it for most of my computing tasks and find that XP fills in for the things Linux cannot do. Thus my computing needs are fulfilled by both OSes and I'm a happy bunny who doesn't give a shit about "The Battle For The Desktop".
You Apple fanbois have a real chip on your shoulders about reminding the rest of the world how wonderful your platforms of choice are - despite the fact that most of the world doesn't give a toss about OS X.
i agree. i am considering buying a new desktop. i looked at dell and hp. for about 60000inr i am getting a core 2 quad 2.4 ghz, with 6gb ram, 21" lcd, 32 gb ssd for vista ultimate x64, and a 750gb hdd. yesterday i just went into the new istore here. i looked at the imac with the price 80000inr (20000 more than hp/dell). and what are the specs? core 2 duo 2ghz, 500gb hdd, 1(!)gb ram, and yes a big shiny lcd the size of which i did not care to find out.
why the fuck are macs so expensive? i mean, there is one
Re: (Score:2)
Re: (Score:3, Informative)
Re: (Score:2)
I don't know if you are a Fanboy - but you sure are dumb as shit.
Size of updates of OS X (Score:2)
This localization does not just go down to the level of text strings but also images, icons and even the complete form layout
Re: (Score:2)
Re: (Score:3, Insightful)
ahem
bandwidth caps
The write up fails to mention (Score:2, Interesting)
There are nearly 70 security flaws OS X is patching. The 14 for MS is prominently displayed...
http://www.informationweek.com/news/hardware/mac/showArticle.jhtml?articleID=217400595&subSection=Macintosh+Platform
Re: (Score:2)
There are nearly 70 security flaws OS X is patching. The 14 for MS is prominently displayed...
http://www.informationweek.com/news/hardware/mac/showArticle.jhtml?articleID=217400595&subSection=Macintosh+Platform [informationweek.com]
I don't think that the number of flaws patched is ever a really useful fact. I assume you're trying to imply that Apple is somehow worse for having more flaws, or maybe you're trying to show that they're better for fixing more. Either way, I don't think it's very useful.
Or maybe you're just being informative for the curious among us, in which case that's fine.
Re: (Score:3, Interesting)
If MS fixes more security related issues, M$ SUCKS!
If Apple fixes shitload of more security related issues, APPLE IS AWESOME!
This is not my opinion, this is FACT!!!!!!!!111
What about Adobe? (Score:2)
They've released (long overdue) patches for Acrobat and Acrobat Reader today...
np: Moderat - Porc#1 (Moderat)
Re: (Score:2)
Hope you don't use Acrobat on a Mac at work...
http://www.bynkii.com/archives/2009/05/oh_my_god.html [bynkii.com]
Damned if you do, damned if you don't. (Score:2)
Re: (Score:2, Informative)
Apple software updates tend to be big standalone (Score:2)
Delta updates contain both PPC and Intel code for all changes since the last point release (10.5.6). Combo updates contain all updated code for both platforms since 10.5 was released in 2007. This is why the standalone installers are so huge.
If you install via Software Update, the update will only be delta code for your processor platform - much smaller.
MS does similar with Windows Update/Microsoft Update, which is one of the reasons it takes a longer time to process. In most cases, you can download a ve
Only 286MB for me (Score:2)
I'm upgrading from 10.5.6
Re:Apple, Microsoft and Ninnle Labs (Score:5, Funny)
Thanks, A Noways Cum Donor
Re: (Score:3, Insightful)
It has come to my attention that the entire Linux community is a hotbed of so called 'alternative sexuality'...
Should... should we mark this as funny?
Re: (Score:1)
Actually, the MOST surprising thing is that your mom paid $150 for it.
* BOOM, Roasted! *
I agree, (And have reasons) (Score:4, Insightful)
The MS patch is going to be more serious for several reasons. One is the fact that people will actually exploit MS's holes with large automated botnets.
But the other reason, is while Apple may have patched Apache, BIND, the kitchen sink and my left sock, most of those ARE NOT enabled by default.
Using some super-rough numbers, let's suppose the OSX install base is 10%
Suppose even 5% have Apache or BIND, etc enabled. Heck, let's suppose 5% have EVERYTHING enabled....
and if 1 in 5 of those machines actually has a public IP or forwarded ports,
then you're talking something like 1 in 1000 computers is a mac, with an exploitable version of bind/apache/whathaveyou with a public IP.
vs what? 3 out of 5 windows users that don't know how to tell if their machine is part of a botnet?
YES, the OSX patch and security updates are good, welcome improvements, but the sad reality is that windows 98/ME/2000/XP/Vista are all bigger targets and a bigger security threat right now.
Why is it that network providers are working their hardest to stop bittorrent, yet are perfectly willing to let the viruses, the botnets, the port scans, and untold mountains of spam propagate on their networks.
Re:I agree, (And have reasons) (Score:4, Interesting)
Simple. Botnets don't generate all that great loads of upload traffic like BitTorrent does. Sure, the outgoing mail is irritating, but it's not exactly completely continuous and it's not exactly of such concentrated volume.
Re:I agree, (And have reasons) (Score:4, Informative)
Re: (Score:3, Interesting)
Why is it that network providers are working their hardest to stop bittorrent, yet are perfectly willing to let the viruses, the botnets, the port scans, and untold mountains of spam propagate on their networks.
Was that rhetorical? Because we know why. The spammers pay for connections, and the *AA's pay them to crack down on bittorrent. No one's paying them to stop botnets.
Re:I agree, (And have reasons) (Score:5, Insightful)
vs what? 3 out of 5 windows users that don't know how to tell if their machine is part of a botnet?
Nice troll. I wonder how many of the Apple users can tell?
Actually, I don't. My experience (which is 2 decades in the field) is the Apple users are just as clueless as to the operation of their computer as PC users.
Being 0wn3d has nothing to do with the platform, it's about the behavior/knowledge/understanding of the user.
Re:I agree, (And have reasons) (Score:5, Insightful)
You also didn't pay much attention. The parent was talking about the ability of the users of certain operating systems to recognize the fact that their computer was part of a botnet. That has nothing to do with the security of the OS.
numbers wrong (Score:2)
I just downloaded the patch. it's 286Mb. Which is still a lot but it's not 729Mb.
Re:numbers wrong (Score:4, Funny)
Wow! It is amazing how those numbers look like the minimum and maximum iso install downloads for a Linux distro.
Re: (Score:2, Interesting)
Re:numbers wrong (Score:5, Informative)
Re: (Score:2)
bspatch... (Score:2)
Re: (Score:2)
$ wget http://support.apple.com/downloads/DL827/MacOSXUpdCombo10.5.7.dmg [apple.com]
--20:22:16-- http://support.apple.com/downloads/DL827/MacOSXUpdCombo10.5.7.dmg [apple.com]
--20:22:16-- http://supportdownload.apple.com/download.info.apple.com/Apple_Support_Area/Apple_Software_Updates/Mac_OS_X/downloads/061-6421.20090512.CdwEX/MacOSXUpdCombo10.5.7.dmg [apple.com]
Resolving supportdownload.apple.com... 70.183.191.138, 70.183.191.144
Connecting to supportdownload.apple.
Re: (Score:2)
No doubt! The volume of virus/botnet traffic transferred per connection isn't significant. The number of connections is. If you run 1M of traffic through a cisco router, so you can watch a monitor, using normal sized packets (mtu 1500) the amount of strain on the router will be minimal. Then run 1M of traffic through the router where every packet is a new packet (ack flood) or connection attempt (syn flood). The strain won't kill the router but you will see a big difference in processor usage.
Re: (Score:3, Informative)
Re:Software vulnerabilities (Score:5, Interesting)
A bit of a logical fallacy [wikipedia.org] there. Even if we assume that the switch to x86 was the trigger for more exploits (increased popularity of the OS being another possibility), it doesn't necessarily mean x86 is more vulnerable. The vast majority of exploits don't need to rely on processor specific characteristics after all.
What it means is that virus writers have limited time and experience. Ignoring trivial Trojans and the like that any script kiddie can bang out, an effective virus (e.g. worms) requires a lot of skill in the assembly language for the CPU, in order to write code that can fit in the available exploit "space". Writing worms for the Power PC architecture was a losing proposition since you didn't have a lot of targets. Now, if you have knowledge of x86 assembly, you can transfer your skills to Macs more easily.
Of course, porting programs to run in 64 bit mode *is* an effective security obstacle; one example is that since 64 bit addresses (in the current implementation) always contain nulls, buffer overruns are much harder to exploit. So yes, Power PC 64 bit is more secure, but if you wrote for an x86-64 target, you'd have roughly the same benefits.
Re: (Score:2)
In other words, woosh!
Re: (Score:2)
But it wasn't a bad analogy! There were no analogies at all! If I were responding to "LogicalFallacyGuy" I'd feel stupid, but as is, I feel justified.
Of course, if he's a frequent troll I hadn't picked up on before, mea culpa.
Re:Software vulnerabilities (Score:4, Funny)
Another logical fallacy would be criticizing GP's post without looking at who the author of the post is.
Nec hominem fallacy?
Re:Software vulnerabilities (Score:4, Insightful)
author of the post (Score:2)
Re: (Score:2)
More vulnerabilities and more exploits aren't quite the same thing though.
Re:Software vulnerabilities (Score:4, Insightful)
Again, not a security researcher or a system arch. expert myself, but what I've heard from those researching OS X vs. Windows vulnerabilities, Address Space Layout Randomization (ASLR) would make it much harder to exploit vulnerabilities on the Apple end. This feature appears to be slated for the next point release ("Snow Leopard") of Mac OS X. Essentially, the exploiter must try much harder to "find" the code planted in the target box's memory, when the vulnerability was exploited, in order to execute it.
Re: (Score:2)
Everyone knows how to hit an x86 in its vulnerables.
security is complex (MODS: get a grip) (Score:5, Insightful)
Mac OS X has had potential buffer overflow exploits, corrected in security updates and OS updates, Since the Earth Cooled (TM). Apple might be taking them a little more seriously, or they might be receiving more attention from others, now that the assembly language required to exploit them is understood by all the crax0rs, instead of merely 20% of them. Apple isn't suddenly experiencing the same type of security problems. Some defects exist (you typically learn of them when a patch becomes available) but have not yet been exploited by worms and viruses. The relative seriousness and amount of defects between the platforms is a matter of some debate.
Moreover, some of the mechanisms used to propagate malware on Windows rely on tricking the user (social engineering) into installing the malware. Those techniques, independent of exploitable defects, are certainly possible to apply to the Mac. Apparently a few attempts have been made (such as trojans planted in cracked pirate warez recently). Widespread damage hasn't yet resulted, but isn't out of the question.
To p0wn a million Macs, one need only trick about 3% of Mac users into installing your malware. I've seen a couple clever Windows email viruses which tricked from 1/3 to 1/2 of the users who got the email within the first hour, infecting over 1% of an enterprise network, before the alerts went out and antivirus definitions were updated. I think the success of some of these tricks on Windows indicates pretty clearly that a malware outbreak on the Mac on the scale of a million victims or more is certainly possible, even without finding a defect and engineering the exploit. An email based scam, seeded with a list of known Mac users might do the trick. The Bad Guys (TM) could easily generate such a list by reading the emails on the millions of infected Windows computers, and snarfing the addresses out of received emails which came from known Mac email clients.
Of course, even those malware which relied primarily on social engineering, also rely on their ability to masquerade as a spreadsheet when they are really an exe, in the most popular Windows email clients, so it might be quite a bit harder to exploit social engineering on the Mac. It's hard to say, and I haven't seen any evidence that it's been tried yet.
If it does happen, the Mac community is not really prepared for it. AntiVirus software doesn't appear to be in use by most Mac users. There isn't a legion of companies rushing cleanup tools out the door every day. Mac users are not in the habit of looking for such regardless.
Re: (Score:2)
That download is a standalone multilingual install. The single language updater version is ~290MB. No "price is being paid" so to speak
Re: (Score:3, Informative)
There are no "single language" versions of Mac OS X system software updates (at least not until now). What you are talking about is the delta version [apple.com] of the update. All updates always update all languages.
Re:Static linking (Score:5, Informative)
Re: (Score:3, Informative)
I'm not sure how this is insightful. A .app is a directory. While everything is bundled in it (not strictly true, but close enough), they're still separate files, and dynamic linking works just fine. Another thing that works just fine is updaters that replace only some of the files in the .app.
Re: (Score:2)
Hm, I'm not really convinced there. Microsoft's service packs are also comparable in size, and this is essentially a service pack for OS X Leopard. It's a roll up of all security fixes released thus far, and much more.
size matters? (Score:3, Interesting)
Re:Apple is Bad Too (Score:5, Informative)
That is being bundled with fixes and enhancements to their own software like "iCal: Improves overall reliability with CalDav." The MS update is all labeled "Vulnerability to . . ."
Re: (Score:3, Insightful)
Drunk the kool-aid much? Hint, "improves overall reliability" != Enhancement. = BUG fix. What made the software unreliable? It contains fixes and fixes, not "fixes and enhancements". A new feature is an enhancement. No longer crashes / acts in an unspecified manner is not an enhancement.
Let's not get too carried away. It's 10.5.7
Re: (Score:2)
I did not say that 10.5.7 did not contain fixes. I said 10.5.7 contained fixes and enhancements. If you read the patch notes you would see that. The first 3 things of 10.5.7 patch notes:
If you've read anywhere else on this forum, you would see anecdotes on how 10.5.7 improves performance in a n