Apple Patch Released, But Is It Enough?

Posted by Zonk
from the conflicting-viewpoints dept.
entenman writes "Apple Computer's security update train rumbled into the station with fixes for a whopping 43 Mac OS X and QuickTime vulnerabilities. The Security Update patches 31 flaws in Mac OS X, most of them serious enough to cause 'arbitrary code execution attacks.'" Unfortunately, InfoWorldMike writes "InfoWorld.com reports that independent researcher Tom Ferris said there were still holes in Safari, QuickTime, and iTunes that he reported to Apple but were not patched in the latest release on Thursday. Ferris told InfoWorld he is considering releasing the details of the unpatched holes on May 14 on his Web site. He also says he has found new holes in OS X affecting TIFF format files and BOMArchiver, an application used to compress files. He did not provide details about the flaws or proof of their existence."
  • Stupidity (Score:5, Insightful)

    by Phroggy (441) * on Saturday May 13, 2006 @02:22PM (#15325651) Homepage
    and there is debate about whether Apple's shift to the same Intel architecture used by Microsoft Windows will change the security posture of Mac systems.

    Let's settle this debate.

    No.

    Changing CPU architectures will have absolutely no effect on security.

    Switching to Intel will make it easier for game developers to port their code, which will lead to more games available for the Mac. This, combined with the ability to dual-boot to Windows and eventually the ability to run Windows apps through virtualization, makes the Mac platform more appealing to consumers, which will probably lead to an increase in Apple's market share. This could lead to more malware creators taking an interest in the Mac platform, which would lead to more security holes in Mac OS X being exploited (which is not the same as more security holes existing).
    • Re:Stupidity (Score:5, Insightful)

      by Anonymous Coward on Saturday May 13, 2006 @02:30PM (#15325698)
      I think you underestimate the importance of assembly language when coding exploits. There are plenty of crackers out there who know x86 ASM. There are *far* fewer who know PPC ASM.

      You have to make the initial exploit to get "in." Once you are in you can use most standard unix libraries to do whatever you want. The hard part with PPC was finding someone who knew how to code the initial exploit and the carefully crafted shellcode (with no null bytes, etc.). With Mac moving to Intel this part is MUCH easier for the people who know x86 ASM.
      • Re:Stupidity (Score:5, Insightful)

        by CODiNE (27417) on Saturday May 13, 2006 @02:52PM (#15325797) Homepage
        You mentioned avoiding null bytes. I seem to recall reading that on PPC that's much harder to pull off because many RISC ops tend to have a byte of null padding that smaller CISC ops don't need. So besides having to learn a new asm, it's also much harder to exploit... PPC did have a real advantage here.
        • Perhaps I misunderstand, but isn't the whole point of RISC that its ops are smaller and of uniform size?
          • Re:Stupidity (Score:3, Insightful)

            by dfghjk (711126)
            no. the whole point of risc is an instruction set that's easier to execute. that includes uniform size but not necessarily smaller.
          • Re:Stupidity (Score:2, Insightful)

            by strstrep (879828)
            Right. On a CISC machine, an opcode could require anything from (as an example) 1-18 bytes to encode. On a RISC machine, everything would be a certain length, say 4 bytes. Now if the specified instruction (noop for example) only requires one byte, then the rest of the opcode would be insignificant.
      • On x86, you can reliably execute code that has been freshly written to memory. This is because the CPU invalidates the instruction cache automatically as needed.

        PowerPC chips don't do this. If you try to execute something freshly written to memory, you may instead execute the prior data.
      • by AHumbleOpinion (546848) on Saturday May 13, 2006 @03:01PM (#15325828) Homepage
        I think you underestimate the importance of assembly language when coding exploits. There are plenty of crackers out there who know x86 ASM. There are *far* fewer who know PPC ASM.

        I think you overestimate the effort required to learn PPC once you know x86. The first assembly language you learn is difficult, especially if it is x86, but for subsequent ones it is far less difficult. After many years of x86 I wrote my first serious PPC code, it beat Apple's MrC compiler quite easily.
        • by Anonymous Coward
          Back in 1999, LinuxPPC decided to mock Microsoft's putting a Windows 2000 machine on the internet to see who would break into it by putting their own up and saying that whoever cracked it first would get the machine.

          Their machine had a default install, with default sets of applications.

          It took months before anyone cracked the machine. When it was cracked, the hole used to do it was a well-known buffer overflow that had widely known x86 exploits at the time they put the machine up. An Intel machine treated
          • Well, a prepared exploit is of course dependent on the architecture. But that's not the ONLY thing it needs. It would reasonably also need some system call (or be highly dependent on the specific calling convention the application was compiled with, to modify the stack to indirectly trick other code into full exploitation). Those will generally still be different.
      • Guess what, security by oscurity is no security. It's the same as if you just had a taller fence. Sure it'll slow them down, but if someone WANTED to exploit a PPC based OS, they would spend the time to learn PPC. So why don't people want to spend the time to exploit PPC? Because 90% of the potential systems to hack is Windows.
        • I think someone hacked your spellchecker and caused a buffer overflow. I'd look into it, no matter how oscure it is.
        • by steeviant (677315) on Saturday May 13, 2006 @07:15PM (#15326887)
          I'm so sick of hearing people tout this crap over and over... the truth is that security by obscurity does work, and you just highlighted that it does in fact work by noting that there are far fewer people attacking PPC than x86, that situation is only going to get better not worse, with Apple moving away from the PPC platform.

          Ever since my company made it policy to move SSH away from the standard ports, the number of dictionary attacks and exploits has gone down from upwards of 20 a day across all our machines down to zero (0). Even though any automated scanning tool worth its salt could easily identify that it's SSH running on an obscure port from the banner.

          Security by obscurity is enough to break the default configuration of most automated scanning tools, which in turn is enough to stop most of the people out there attacking servers at random.

          The great thing about using security by obscurity is that by effectively foiling most automated scanning tools, we limit our focus to only people who are genuinely trying to hack us, rather than just anyone, and can focus on tracking them down and turning them over to the authorities.

          Security by obscurity does work, it doesn't devalue your other forms of security, and should be considered a useful and valid part of the arsenal of security defences that can be deployed to protect things.

          Anyone who says otherwise has obviously never worked in a situation where their security knowledge actually made any difference. It's obvious that an SSH server getting blasted 20 times a day by attackers is at least 20 times more likely to be hacked than one that's hit 0 times a day, and security by obscurity can make that difference.
          • by angst_ridden_hipster (23104) on Saturday May 13, 2006 @08:26PM (#15327182) Homepage Journal
            I agree that people repeat that "security by obscurity doesn't work" without really understanding the concept. I mean, what is a password but an obscured piece of information? Still, the origin of the phrase is attacking the idea that an obscured algorithm will protect you; you have to assume that an attacker will capture one of your en/de-cryption devices, and learn the algorithm.

            That being said, I disagree with your assertion that 20 dictionary attacks a day is 20 times more likely to get into an SSH server than 0 dictionary attacks. If your passwords are any good, they won't get in either way.

            Yes, your "obscure" port protects you from the dumber automated scripts. That could buy you a little time if a genuine vulnerability shows up in the sshd. But it's only a matter of time before the stupid scripts scan for sshd on other ports.

            Then you'll have to switch to port knocking ;)
            • by steeviant (677315) on Saturday May 13, 2006 @09:16PM (#15327406)
              Heh, we have yet to encounter even a port scan on our obscure SSH port, let alone any kind of attack, so it's safe to say that script kiddies don't want to spend the time scanning all 65,000 ports on every computer when they can get a similar yield by only harvesting those computers that answer on port 22.

              It's also probably safe to assume that if someone has the intelligence to change the port that SSH is listening on that they are also clever enough to keep it up to date and securely configured. :)

              Moving your potentially vulnerable services to a different port is effectively putting yourself in the too-hard basket as far as auto-scanning script kiddies are concerned, but doesn't do anything to stop attackers who are targeting you.

              Unfortunately the soft pink human underbelly of your network is the most glaring weak point for attackers targeting your systems, and we can't really firewall their voice-boxes and fingers if we expect to keep doing business.
              • Heh, we have yet to encounter even a port scan on our obscure SSH port, let alone any kind of attack, so it's safe to say that script kiddies don't want to spend the time scanning all 65,000 ports on every computer when they can get a similar yield by only harvesting those computers that answer on port 22.

                True, especially since it's easier to defend against broad, repeated scans (assuming they don't have a good way of doing it from distributed hosts).

                Still, I'd argue your defense isn't as much one of obscur
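The port-moving subthread above measures its result in dictionary attacks per day. A defender normally wants that number from the logs rather than from memory, and wants to distinguish an automated sweep from one user mistyping a password. The script below is an added example, not code from any commenter: it tallies `Failed password` events per source address from constructed OpenSSH syslog lines (host name, addresses and usernames are made up for illustration) and flags sources whose failure volume and username spread look like an automated sweep. The two thresholds are assumptions to tune for your own hosts.

```python
import re
from collections import Counter, defaultdict

# Constructed sample sshd log lines (not real data), in the syslog format
# OpenSSH writes on a typical Linux host.
SAMPLE_AUTH_LOG = """\
May 13 02:22:01 bastion sshd[4021]: Failed password for invalid user admin from 192.0.2.10 port 51234 ssh2
May 13 02:22:03 bastion sshd[4021]: Failed password for invalid user oracle from 192.0.2.10 port 51236 ssh2
May 13 02:22:05 bastion sshd[4023]: Failed password for root from 192.0.2.10 port 51240 ssh2
May 13 02:22:07 bastion sshd[4025]: Failed password for invalid user test from 192.0.2.10 port 51244 ssh2
May 13 02:22:09 bastion sshd[4027]: Failed password for invalid user guest from 192.0.2.10 port 51250 ssh2
May 13 02:30:11 bastion sshd[4101]: Accepted publickey for alice from 198.51.100.7 port 40022 ssh2
May 13 02:31:40 bastion sshd[4110]: Failed password for alice from 198.51.100.7 port 40030 ssh2
May 13 02:31:45 bastion sshd[4110]: Accepted password for alice from 198.51.100.7 port 40030 ssh2
"""

# Matches both "Failed password for root from ..." and
# "Failed password for invalid user admin from ...".
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+"
)


def count_failures(log_text):
    """Return {source_ip: Counter(username -> failures)} for Failed password events."""
    failures = defaultdict(Counter)
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            failures[m.group("ip")][m.group("user")] += 1
    return failures


def dictionary_attack_sources(log_text, min_failures=5, min_distinct_users=3):
    """Source IPs whose failures look like a brute-force sweep: many attempts
    spread over several usernames, rather than one user retrying a password.
    The thresholds are assumed defaults, not values from the discussion."""
    suspects = []
    for ip, users in count_failures(log_text).items():
        total = sum(users.values())
        if total >= min_failures and len(users) >= min_distinct_users:
            suspects.append(ip)
    return sorted(suspects)


if __name__ == "__main__":
    for ip, users in count_failures(SAMPLE_AUTH_LOG).items():
        print(f"{ip}: {sum(users.values())} failures across {len(users)} usernames")
    print("sweep sources:", dictionary_attack_sources(SAMPLE_AUTH_LOG))
```

Run the same tally before and after changing the `Port` directive in `sshd_config` and you have the measurement the commenter describes, with the bonus that a single legitimate user's typo (the `alice` lines) is not counted as an attack.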
    • You don't think that NX support [wikipedia.org] within the CPU could help at all?

      Sure it's not a complete solution, it is at least another layer of protection to keep users safe and is more than what they had with PPC's... provided they are using it today.
      • Although this sort of mechanism has been around for years in various other processor architectures such as Sun's SPARC, Alpha, IBM's PowerPC, and even Intel's IA-64 architecture...
      • The standard desktop chips provide it with 256 MB resolution. This is decent. You could make the stack unexecutable this way, and probably the heap too.
        • The standard desktop chips provide it with 256 MB resolution.

          And, at least according to "PowerPC Operating Environment Architecture Book III Version 2.01", there's also a per-page no-execute bit; I don't know whether that's a feature that was added later than the per-segment no-execute bit (which I assume is what you were referring to).
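Whether the hardware offers a per-segment or a per-page no-execute bit, the property a defender can actually observe on a running system is the same: no mapping should be both writable and executable, and the stack in particular should not be executable. The script below is an added example and not from any commenter: it parses text in the Linux `/proc/<pid>/maps` format (the sample mappings are constructed, and the `[anon: jit-cache]` region is a hypothetical writable-and-executable mapping) and reports any region that breaks the rule, with a helper that audits the current process when `/proc/self/maps` exists.

```python
import re

# Constructed sample in the Linux /proc/<pid>/maps format; not captured from a
# real process. The "[anon: jit-cache]" line is a hypothetical W+X mapping.
SAMPLE_MAPS = """\
00400000-00452000 r-xp 00000000 08:01 1310722 /usr/bin/example
00651000-00652000 r--p 00051000 08:01 1310722 /usr/bin/example
00652000-00653000 rw-p 00052000 08:01 1310722 /usr/bin/example
01a2b000-01a4c000 rw-p 00000000 00:00 0       [heap]
7f3c2000-7f3c3000 rwxp 00000000 00:00 0       [anon: jit-cache]
7ffd1000-7ffd3000 rw-p 00000000 00:00 0       [stack]
"""

# address range, perms, offset, dev, inode, optional path
MAPS_RE = re.compile(
    r"^(?P<start>[0-9a-f]+)-(?P<end>[0-9a-f]+) (?P<perms>[rwxsp-]{4}) "
    r"\S+ \S+ \S+\s*(?P<path>.*)$"
)


def parse_maps(text):
    """Parse maps-format text into dicts with integer start/end, perms and path."""
    regions = []
    for line in text.splitlines():
        m = MAPS_RE.match(line)
        if not m:
            continue  # tolerate blank or unexpected lines
        regions.append({
            "start": int(m.group("start"), 16),
            "end": int(m.group("end"), 16),
            "perms": m.group("perms"),
            "path": m.group("path").strip(),
        })
    return regions


def find_wx_regions(text):
    """Return [(path, size_in_bytes)] for mappings that are writable AND executable."""
    return [
        (r["path"], r["end"] - r["start"])
        for r in parse_maps(text)
        if "w" in r["perms"] and "x" in r["perms"]
    ]


def stack_is_nonexec(text):
    """True if a [stack] mapping exists and none of them carries the execute bit."""
    stacks = [r for r in parse_maps(text) if r["path"] == "[stack]"]
    return bool(stacks) and all("x" not in r["perms"] for r in stacks)


def audit_self():
    """Audit the running process; returns None where /proc is unavailable."""
    try:
        with open("/proc/self/maps") as f:
            return find_wx_regions(f.read())
    except OSError:
        return None


if __name__ == "__main__":
    print("W+X regions in sample:", find_wx_regions(SAMPLE_MAPS))
    print("sample stack non-executable:", stack_is_nonexec(SAMPLE_MAPS))
    print("W+X regions in this process:", audit_self())
```

A JIT or a plugin host may legitimately need a writable-and-executable region, which is why the audit reports rather than fails; the point is that such regions should be known and deliberate, not a side effect of a toolchain or loader that never asked for the no-execute bit.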

    • "Switching to Intel will make it easier for game developers to port their code, which will lead to more games available for the Mac."

      Actually, no.

      For the time being it means developers must make universal binaries of games. Many Mac game developers have noted that ports will have increased development times for the next few years.

      Porting will speed up when PPC hardware is irrelevant and Intel only builds are acceptable.
      • I didn't say that switching to Intel has made it easier, I said it will make it easier; I expect to start seeing Intel-only games pretty soon, while other apps will be universal for a long time.
    • Re:Stupidity (Score:3, Informative)

      by neonstz (79215) *
      Switching to Intel will make it easier for game developers to port their code, which will lead to more games available for the Mac.
      No. Most, if not all, games today are coded in C/C++ (with maybe a tiny bit of assembler). The problem with porting games to the Mac is not the CPU instruction set but the available APIs. There is no DirectX on Mac. In addition many games are using 3rd party libraries so these have to be available for Mac too.
      • On the other hand, it's easy to introduce endian dependencies in C/C++ code. Those will be a non-issue for a MacTel-only port.
    Changing CPU architectures will have absolutely no effect on security.

      Wrong. For example, to exploit buffer overflows, you need to write assembly. More people know Intel assembly than PPC assembly. That makes attacks on Intel Macs more likely than on PPC Macs. This is most definitely "an effect on security."

      Switching to Intel will make it easier for game developers to port their code

      Wrong. Most modern games contain no or very little assembly code. The chipset doesn't matter when porting games. Dire

  • What purpose would publishing the details on his site serve, other than as a kind of security vulnerability "first post!" type of thing?
    • Re:What purpose? (Score:4, Insightful)

      by Phroggy (441) * on Saturday May 13, 2006 @02:27PM (#15325681) Homepage
      What purpose would publishing the details on his site serve, other than as a kind of security vulnerability "first post!" type of thing?

      In theory, it's possible that black-hats have already discovered the flaw, and will exploit it without telling anyone. If they've already figured it out, then releasing details to the public won't make the situation significantly worse. However, public embarrassment will prompt the company to release a fix more quickly.

      I'm not saying I agree with this theory.
    • What purpose would publishing the details on his site serve, other than as a kind of security vulnerability "first post!" type of thing?

      The theory is that a policy of reporting security vulnerabilities to vendors and then revealing them publicly after a reasonable amount of time, regardless of if a patch is available, will encourage vendors to patch holes more quickly (since they know they're working against the clock). Of course, there are debates about whether this is effective, whether it's a good th
    • Re:What purpose? (Score:5, Informative)

      by lancejjj (924211) on Saturday May 13, 2006 @02:36PM (#15325726) Homepage
      Purpose? Easy... he makes money by promoting himself.

      If you check out his web site, it seems that he's trying to maximize advertising revenue. Not only does he have many ads, he also has many Amazon referral links. In addition, he is directly selling advertising:

      From his website:

      Want to advertise on the Security-Protocols website?

      Below are our rates:
      Banner Advertising:
      10,000 impressions = $75
      20,000 impressions = $135
      30,000 impressions = $180

  • Relativity (Score:5, Funny)

    by ImaNihilist (889325) on Saturday May 13, 2006 @02:25PM (#15325662)
    Good thing I use Microsoft® Windows XP so I don't have to worry about things like this.
    • Re:Relativity (Score:5, Insightful)

      by Golias (176380) on Saturday May 13, 2006 @02:37PM (#15325734)
      Whoever modded you down "Troll" has obviously not heard of sarcasm.

      Anyway. The difference between Mac OS X and XP can be summarized thus:

      Every time a potential breach of OS X security is discovered, it's front-page headline news on Slashdot.

      If a new actual virus or worm comes along for Windows, making it ever more sure that you still can't even put a new Windows box online to download patches until after the patches you need are already installed... it's business as usual.

      Windows users concerned about their penis size go on chanting "B B B But that's only because the Mac is less popular, so nobody bothers to write malware for it. Wait until the Mac gets more popular, then you'll be in a world of hurt!!!1!"

      Whatever. The Mac is probably never going to see double-digit market share, and even if it does, it's still vastly more secure than Windows is, and you all know it. So there's no need to worry about such a scenario ever happening.

      So I use Macs.

      If the market dominance of Windows has anything to do with Macs being relatively free of haX0r attention, then I just gotta say to all you stubborn Windows users out there:

      Hey man, thanks for taking one for the team.
      • Hey man, thanks for taking one for the team.

        You can thank me when I've actually taken one. I've been a Windows user for going on 15 years now, and I still haven't ever been hacked, rooted, afflicted with spyware, or even infected by a single virus of any sort.

        I wonder what I'm doing wrong...
        • Apparently you're not visiting enough warez and shady porn sites. Get with it man! ;-)
        • I've been a Windows user for going on 15 years now, and I still haven't ever been hacked, rooted, afflicted with spyware, or even infected by a single virus of any sort.
          That you know of.
        • Re:Relativity (Score:3, Insightful)

          by BasilBrush (643681)
          15 years? Child. Yes in all probability you have been "hacked, rooted, afflicted with spyware, or even infected by a single virus". You just haven't noticed.
          • Good job being a prick and getting modded up for it.

            But just rhetorically, are you 100.000% positive that your Mac hasn't been rooted? Absolutely 100%? Running tripwire scans ain't exactly normal practice.
          • It's not that hard if you know what you're doing and most importantly, use your common sense. I can't make the claim that the parent did, as I did get a virus from a floppy disk back when Windows 3.1 was all the rage, but I can say I have managed 10 years without anything nastier than a tracking cookie on my Windows boxes.
      • Re:Relativity (Score:3, Interesting)

        by skinfitz (564041)
        Every time a potential breach of OS X security is discovered, it's front-page headline news on Slashdot.

        ...and every time an actual [slashdot.org] breach [slashdot.org] is discovered [slashdot.org], it oddly never appears on the front page.

        Weird huh?
        • Re:Relativity (Score:3, Informative)

          by Golias (176380)
          Wow. That was the best you could do, combing through past articles over a two-year span.

          A virus which requires telnet to be on (it's off by default), another that requires ssh to be turned on (ditto), and a third which requires physical access to the machine.

          All of which were hyped up on slashdot as if Mac users actually had a reason to be worried, when almost all of them did not.

          Thanks for proving my point.
      • Maybe that's because you're only reading the Apple section of Slashdot.

        I read the front page headlines only, and I can promise you that every little exploit that affects IE or Windows makes it to the headlines here. Slashdot effectively goes out of its way to point out these exploits.

        On the other hand, of the 40-some patches that were just released according to today's article, I had no idea about. Maybe 2 or 3 of them made it to headlines, the rest were very quiet.
  • what a ego (Score:4, Insightful)

    by falcon5768 (629591) on Saturday May 13, 2006 @02:26PM (#15325670) Journal
    Ferris told InfoWorld he is considering releasing the details of the unpatched holes on May 14 on his Web site.

    I.e. I'm a giant penis and I would rather expose vulnerabilities that could potentially damage systems rather than wait for the coders at Apple to make sure everything is accounted for and put into a patch that won't affect other things that I didn't foresee.

    It's one thing to find holes and tell Apple and people you did, and send the info to Apple. But I am so sick of these people who feel that if said company doesn't respond NOW they are then in the right to exploit said holes and make everyone's life miserable.

    • Re:what a ego (Score:2, Insightful)

      by 0racle (667029)
      Yet when MS, Oracle or Cisco ask that security researchers hold back found flaws until they can fix them Slashdot gets all up in arms about them trying to stifle researchers.

      I guess Apple is still small enough that they can do no wrong.
      • No, I feel the same way there too. It's not stifling research, it's preventing exploits from happening before they are ready to patch them. All releasing these things does is cause an exploit to happen much faster than a patch can be made to fix it.

        Now if the SAME people coded a patch AND released the exploit, then I wouldn't feel the way I do. But they aren't, they are just feeling smug in proving something doesn't work while not helping in any way to address it.

        • But you need to put a bit of pressure onto the company, otherwise they will wait forever because after all, it's not like anyone's gonna know about this. Meanwhile blackhats discover and exploit the vuln. Zero-days would look god-sent in comparison.
        • Now if the SAME people coded a patch AND released the exploit, then I wouldn't feel the way I do. But they aren't, they are just feeling smug in proving something doesn't work while not helping in any way to address it.

          So you don't think letting users know there's a problem is helpful? Nobody should ever say anything, because someone else will exploit the knowledge? More than likely if there's a problem more than one person can find it and it's not just the good guys who find them.

          Falcon

          • So you don't think letting users know there's a problem is helpful?

            I think he's saying they can tell them there is a problem, but not tell them what the problem is. That seems a bit silly to me, but seems a popular view nowadays. Personally, regardless of what company it is I think it is their responsibility to keep the product secure and anyone who finds a problem is free to tell whoever they want about it. I know this is "bad" now, but isn't that what we always used to do? But now there are bad
            • I think he's saying they can tell them there is a problem, but not tell them what the problem is.

              Not according to the blurb ("InfoWorld.com reports that Independent researcher Tom Ferris said there were still holes in Safari, QuickTime, and iTunes that he reported to Apple") or the article ("the latest patch doesn't cover other critical holes he reported to Apple").

              If you find there is a flaw in all cars which could cause them to spontaneously explode, should you have to wait until the car companies fix th
      • Re:what a ego (Score:5, Insightful)

        by PhrackCreak (136718) on Saturday May 13, 2006 @03:36PM (#15325965)
        Puh-lease.

        1. falcon5768 is not slashdot.
        2. There are at least [slashdot.org] a few [slashdot.org] articles [slashdot.org] which are critical of Apple's security policies.
        3. Apple has not actually stifled this person. They patched something. They may have failed to patch other holes. I hope they will work as quickly as possible to patch all exploits they know.
        4. Note that the grandparent post is not yet modded very highly.

        In future posts, please do not clump everyone on slashdot into one unified entity.
        In future posts, only include actual facts instead of implied conjecture about actions that have not occurred.
    • He could sell the exploits to:

      a. spammers
      b. Chinese government
      c. US government
      d. credit card fraud groups (mafia-like)
      e. Israeli government
      f. French government
      g. Russian government

      It all depends: does he like dollars, euros, credit card numbers, whores...?
    • I.e. I'm a giant penis and I would rather expose vulnerabilities that could potentially damage systems rather than wait for the coders at Apple to make sure everything is accounted for and put into a patch that won't affect other things that I didn't foresee.

      It's one thing to find holes and tell Apple and people you did, and send the info to Apple. But I am so sick of these people who feel that if said company doesn't respond NOW they are then in the right to exploit said holes and make everyone's life misserabl

    • Grow up kids! (Score:5, Insightful)

      by Deorus (811828) on Saturday May 13, 2006 @03:42PM (#15325999)
      > It's one thing to find holes and tell Apple and people you did, and send the info to Apple. But I am so sick of these people who feel that if said company doesn't respond NOW they are then in the right to exploit said holes and make everyone's life miserable.

      What do you mean? That he doesn't have the right to disclose what he found? Do his constitutional rights make you sick? Well then I think that YOU are the one with a problem. You should be thanking him for warning Apple. I know many who would have kept it secret and written all kinds of worms just to make fun of fanboys like you, and I guess that's what you're really asking for with your complaints.

      Here goes my karma... ;-)
  • extortion? (Score:5, Interesting)

    by v1 (525388) on Saturday May 13, 2006 @02:30PM (#15325690) Homepage Journal
    I'd like to see Apple fix security problems as quickly as possible, but this guy threatening to release exploit information a few days after the first patch to go out after the notification? That seems like they are expecting an awful lot from Apple - certainly they want to take a few weeks to analyze their patch and make sure it doesn't break a bunch of things. Apple should not be forced to make an ill-prepared and possibly buggy patch release due to the threats of this "analyst". If he had given several months of warning I could see the justification, but it looks like he is doing this to get some publicity because he knows Apple won't rush something like this, not to the degree this fellow is demanding.
    • If he had given several months of warning I could see the justification,...

      Well, the article says the vulnerabilities he's considering disclosing were reported to Apple before this patch, though when isn't specified. So it's possible Apple's had the info for some time.
    • That seems like they are expecting an awful lot from Apple - certainly they want to take a few weeks to analyze their patch and make sure it doesn't break a bunch of things.

      No shit, eh. I wonder how it's expecting an awful lot from Apple, but when Microsoft is in the same situation we have the default thread with posts about how Microsoft is slow and sucks.

      Also isn't everyone sick of having the same discussion over and over and over when someone mentions "Microsoft" or "Apple" (or both).

      They'll just release
    • Re:extortion? (Score:3, Insightful)

      "That seems like they are expecting an awful lot from Apple "

      Well, Apple *is* advertising their security in their latest ads, so they should have no problems meeting these expectations.
  • by noidentity (188756) on Saturday May 13, 2006 @02:37PM (#15325728)
    from the updater notes: " When Safari's "Open `safe' files after downloading" option is enabled, archives will be automatically expanded. If the archive contains a symbolic link, the target symlink may be moved to the user's desktop and launched."

    OK, second time this "Open 'safe' files is a lie. WHY THE HELL IS THAT OPTION STILL THERE?" I never trusted that open from the moment I first saw the checkbox. I guess that's why they put "safe" in quotes. Buy our "free" product for only $9.95!
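The updater note quoted above describes an unarchiver that follows a symbolic link out of the archive and onto the user's desktop. The check an unarchiver should make is mechanical: before extracting, refuse any member whose path escapes the destination directory and any symlink whose target does. The script below is an added example, not Apple's code or any commenter's: it builds a small tarball in memory (the member names and link target are constructed for illustration) and audits it with Python's standard `tarfile` module.

```python
import io
import os
import tarfile


def build_sample_archive():
    """Constructed sample tarball (built in memory, not from the page): one
    ordinary file, one path-traversal member and one symlink that points at an
    absolute path outside the extraction directory."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        data = b"hello\n"
        info = tarfile.TarInfo("notes.txt")
        info.size = len(data)
        tar.addfile(info, io.BytesIO(data))

        escape = tarfile.TarInfo("../outside.txt")  # would land beside, not inside, dest
        tar.addfile(escape, io.BytesIO(b""))

        link = tarfile.TarInfo("Desktop/launch-me")  # hypothetical name
        link.type = tarfile.SYMTYPE
        link.linkname = "/Applications/Utilities/Terminal.app"  # hypothetical target
        tar.addfile(link)
    return buf.getvalue()


def audit_archive(archive_bytes, dest="extract"):
    """Return [(member name, reason)] for entries a cautious unarchiver should
    refuse. Nothing is written to disk; only the member list is inspected."""
    findings = []
    root = os.path.abspath(dest)
    with tarfile.open(fileobj=io.BytesIO(archive_bytes), mode="r") as tar:
        for m in tar.getmembers():
            target = os.path.abspath(os.path.join(root, m.name))
            # Member path must resolve to somewhere beneath the destination.
            if os.path.commonpath([root, target]) != root:
                findings.append((m.name, "path escapes extraction directory"))
                continue
            if m.issym():
                # A symlink target is relative to the link's own directory;
                # an absolute target is always outside the destination.
                link_target = os.path.normpath(
                    os.path.join(os.path.dirname(target), m.linkname))
                if os.path.isabs(m.linkname) or \
                        os.path.commonpath([root, link_target]) != root:
                    findings.append(
                        (m.name, "link points outside extraction directory: " + m.linkname))
    return findings


def safe_to_extract(archive_bytes, dest="extract"):
    """Convenience wrapper: True only when the audit finds nothing to refuse."""
    return not audit_archive(archive_bytes, dest)


if __name__ == "__main__":
    for name, reason in audit_archive(build_sample_archive()):
        print(f"REFUSE {name}: {reason}")
```

The same two checks apply to zip and other formats: resolve every member path against the destination, and treat links as data to validate rather than instructions to follow. An "open safe files" feature that skips this audit is exactly the gap the updater note describes.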
  • Is it enough? Yes. (Score:4, Insightful)

    by sootman (158191) on Saturday May 13, 2006 @02:39PM (#15325741) Homepage Journal
    Considering that there has not been one real, severe, in-the-wild, massively spread, substantial, damage-causing virus in the five year history of Mac OS X, I would say yes, the boys and girls in Cupertino are doing just fine. Thank you very much for all your hard work, and all naysaying columnists and pundits can go screw.
    • I'm trying to figure out your point in the relationship to the story and why it's insightful.

      Are you arguing that it's "enough" for Apple to not patch known problems? That because Apple has a good track record that they can be lax? That Apple should imitate Microsoft's policies of the late 1990s and not take "gray hats" seriously?

      If so, that's a pretty stupid and reactionary attitude. I think most Mac users, including myself, are not slobbering "macz rulez" and want Apple to take an aggressive stance toward
  • by ShyGuy91284 (701108) on Saturday May 13, 2006 @02:40PM (#15325747)
    The way I see it, they probably intend on patching the other problems, but they decided to get a decent amount done, and then release the update. Much like how Microsoft's once-a-month releases could give some time for the vulnerabilities to be taken advantage of (I recall that release cycle, I'm not sure if they are still done anymore though), if they waited for all patches to be done in this case, it may have prolonged the wait by quite a bit longer.
  • Not surprised (Score:4, Interesting)

    by frostilicus2 (889524) on Saturday May 13, 2006 @02:46PM (#15325777)
    I think that this is inevitable. Mac OS X is a desktop OS, desktop customers demand shiny new features and Apple needs to compete with Microsoft in adding such features, otherwise it will fall behind in market share. These new features make for a supremely usable OS, but it means that development is always too fast. Security flaws are invariably human logic errors, and when a lot of new code is written really fast, errors are made. Conversely, take OpenBSD [openbsd.org], its pace of development is slow and thorough and due to its comprehensive code audit (which slows development) very few security holes are found in the code. As complexity escalates, so will the number of bugs and until Apple's workforce is replaced with androids (Which I'm sure will have a negative impact on its cool reputation) errors will continue to be made.

    Although inevitable, we need not accept that there should be quite as many flaws as there are - Apple is in a uniquely privileged position over Microsoft in using the unix permission system and the mature core that Mach and FreeBSD provide, and it must not become complacent. Increasingly, it appears that Apple is becoming sloppy - there are reports of Apple not using automated bounds checking and the such. Such arrogance is inexcusable from any developer, and as Apple's popularity increases poor security will invariably become more of an issue. It's time for Apple to seriously take stock of this issue.
    • Conversely, take OpenBSD, its pace of development is slow and thorough and due to its comprehensive code audit (which slows development) very few security holes are found in the code.

      Depends what you mean by "slow", since it's a question of scope. Apple does a lot of graphical userland applications, the most visible part to most users, but that is clearly not a priority of OpenBSD (unless you want them to develop their own "KDE" look-alike). Apple development hardware drivers are limited to the limited s

  • by UOZaphod (31190) on Saturday May 13, 2006 @03:02PM (#15325829)
    I enjoyed today's (semi-relevant) Ctrl+Alt+Del comic [ctrlaltdel-online.com]
     
    • Heh. Okay, granted, the Apple commercials are pretty transparent, but I doubt a comic called Ctrl+Alt+Del is going to have an objective opinion of them.

      It also looks like the classic "if you have no rebuttal, just make fun of them" deal.
  • I hear, every month or so, nowadays that "OSX is as vulnerable as Windows" yet I have yet to see one attack in the real world that doesn't require utter user stupidity (hint -- a web-app should never need your root/"admin" password)

    Please someone, give me a web address that will install spy/crudware without my consent automatically, show me how, with no user intervention, an unpatched box can be hacked to hell by spammers to use in botnets in under 2 minutes...show me this or shut the fuck up!

    I understand t

    • Sorry to reply to self but I have one more thought:

      They could have waited until Monday, but Apple actually released them on a HOLIDAY weekend...Someone (maybe a whole dev group) actually came in, and got the patches out today, they could have waited till next week, hell, they could have waited till 10.4.7 if they wanted to, they didn't, THAT is what sets them apart from MS
