Apple Patch Released, But Is It Enough?
entenman writes "Apple Computer's security update train rumbled into the station with fixes for a whopping 43 Mac OS X and QuickTime vulnerabilities. The Security Update patches 31 flaws in the Mac OS X, most of them serious enough to cause 'arbitrary code execution attacks.'" Unfortunately, InfoWorldMike writes "InfoWorld.com reports that Independent researcher Tom Ferris said there were still holes in Safari, QuickTime, and iTunes that he reported to Apple but were not patched in the latest release on Thursday. Ferris told InfoWorld he is considering releasing the details of the unpatched holes on May 14 on his Web site. He also says he has found new holes in OS X affecting TIFF format files and BOMArchiver, an application used to compress files. He did not provide details about the flaws or proof of their existence."
Stupidity (Score:5, Insightful)
Let's settle this debate.
No.
Changing CPU architectures will have absolutely no effect on security.
Switching to Intel will make it easier for game developers to port their code, which will lead to more games available for the Mac. This, combined with the ability to dual-boot to Windows and eventually the ability to run Windows apps through virtualization, makes the Mac platform more appealing to consumers, which will probably lead to an increase in Apple's market share. This could lead to more malware creators taking an interest in the Mac platform, which would lead to more security holes in Mac OS X being exploited (which is not the same as more security holes existing).
Comment removed (Score:4, Insightful)
Re:What purpose? (Score:4, Insightful)
In theory, it's possible that black-hats have already discovered the flaw, and will exploit it without telling anyone. If they've already figured it out, then releasing details to the public won't make the situation significantly worse. However, public embarrassment will prompt the company to release a fix more quickly.
I'm not saying I agree with this theory.
Re:Stupidity (Score:5, Insightful)
You have to make the initial exploit to get "in." Once you are in you can use most standard unix libraries to do whatever you want. The hard part with PPC was finding someone who knew how to code the initial exploit and the carefully crafted shellcode (with no null bytes, etc.). With Mac moving to Intel this part is MUCH easier for the people who know x86 ASM.
Re:what a ego (Score:2, Insightful)
I guess Apple is still small enough that they can do no wrong.
Open "safe" files strikes again (Score:4, Insightful)
OK, second time this "Open 'safe' files is a lie. WHY THE HELL IS THAT OPTION STILL THERE?" I never trusted that open from the moment I first saw the checkbox. I guess that's why they put "safe" in quotes. Buy our "free" product for only $9.95!
Re:Relativity (Score:5, Insightful)
Anyway. The difference between Mac OS X and XP can be summarized thus:
Every time a potential breach of OS X security is discovered, it's front-page headline news on Slashdot.
If a new actual virus or worm comes along for Windows, making it ever more sure that you still can't even put a new Windows box online to download patches until after the patches you need are already installed... it's business as usual.
Windows users concerned about their penis size go on chanting "B B B But that's only because the Mac is less popular, so nobody bothers to write malware for it. Wait until the Mac gets more popular, then you'll be in a world of hurt!!!1!"
Whatever. The Mac is probably never going to see double-digit market share, and even if it does, it's still vastly more secure than Windows is, and you all know it. So there's no need to worry about such a scenario ever happening.
So I use Macs.
If the market dominance of Windows has anything to do with Macs being relatively free of haX0r attention, then I just gotta say to all you stubborn Windows users out there:
Hey man, thanks for taking one for the team.
Is it enough? Yes. (Score:4, Insightful)
Sue Sue Sudio (Score:1, Insightful)
Apple will then just have to take him to court like they do with everybody else, won't they?
Would it be better if they waited another month? (Score:4, Insightful)
Re:Stupidity (Score:5, Insightful)
Only learning that first assembly language is hard (Score:5, Insightful)
I think you overestimate the effort required to learn PPC once you know x86. The first assembly language you learn is difficult, especially if it is x86, but for subsequent ones it is far less difficult. After many years of x86 I wrote my first serious PPC code, it beat Apple's MrC compiler quite easily.
Re:extortion? (Score:3, Insightful)
Well, Apple *is* advertising their security in their latest ads, so they should have no problems meeting these expectations.
Re:Its been stated before but... (Score:2, Insightful)
Re:what a ego (Score:5, Insightful)
1. Falco5768 is not slashdot.
2. There are at least [slashdot.org] a few [slashdot.org] articles [slashdot.org] which are critical of Apple's security policies.
3. Apple has not actually stifled this person. They patched something. They may have failed to patch other holes. I hope they will work as quickly as possible to patch all exploits they know.
4. Note that the grandparent post is not yet modded very highly.
In future posts, please do not clump everyone on slashdot into one unified entity.
In future posts, only include actual facts instead of implied conjecture into actions that have not occurred.
Re:Since I hate smug Mac users, let me be the firs (Score:3, Insightful)
I mean, note the word "potential". There are thousands of vulnerabilities that have been exploited on Windows, and like 20 potential on Macs, and that's equal? The day you'll trade me 100,000 dollars for a chance at 20 bucks is the day I'll toss my Apple in the trash.
Grow up kids! (Score:5, Insightful)
What do you mean? That he doesn't have the right to disclose what he found? Do his constitutional rights make you sick? Well then I think that YOU are the one with a problem. You should be thanking him for warning Apple. I know many who would have kept it secret and written all kinds of worms just to make fun of fanboys like you, and I guess that's what you're really asking for with your complaints.
Here goes my karma...
Give me REAL WORLD proof (Score:2, Insightful)
Please someone, give me a web address that will install spy/crudware without my consent automatically, show me how, with no user intervention, an unpatched box can be hacked to hell by spammers to use in botnets in under 2 minutes...show me this or shut the fuck up!
I understand that OSX isn't perfectly secure, it has its bugs, so does BSD as a whole, but the holes get FIXED and not denied for months until the hole is used to destroy hundreds of thousands of PCs.
Re:Stupidity (Score:3, Insightful)
That's not entirely true. Buffer overflows are exploited at the assembly level, not at the source code level. So the point is that, even if a PPC is running the same source code, it's not running the same assembly, since it uses a different ISA.
More to the point, the simplest and most common buffer overflow attacks rely on the fact that the user stack traditionally grows down. Since buffers are addressed upwards, writing off the end of a buffer can overwrite a previous stack frame and return address. If the user stack were to grow upwards instead, this wouldn't be nearly the problem it is, since writing past the end of a buffer would result in corruption of other user variables or some unused memory, instead of changing the return address of a function.
Even though stacks growing down is really just a convention which could be changed by the compiler, the x86 instruction set supports and almost enforces that convention. The x86 push and pop instructions that are used to handle stack frames expect that the stack grows down and wouldn't work for a stack growing upward. I don't know PPC assembly, so I can't say if it does the same thing.
Put simply, it is possible to create an instruction set architecture that is less vulnerable to buffer overflows than x86 is. Whether PPC is that ISA, I don't know, but it would be possible to create one.
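The layout argument in the comment above, as an added example that is not part of the original thread: a simulated stack (a byte array, not real process memory) holding one frame, to show which copy lengths reach that frame's return-address slot under each growth direction. The frame layout, sizes, marker value and function names are all assumptions made for the illustration, and it models only the case where the buffer belongs to the function whose return slot is checked.

```c
#include <stdio.h>
#include <string.h>

#define STACK_SIZE 64
#define BUF_LEN    8     /* size of the callee's local buffer (assumed) */
#define RET_LEN    4     /* size of the simulated return-address slot (assumed) */
#define RET_MARK   0xAA  /* constructed marker standing in for a return address */

enum growth { GROWS_DOWN, GROWS_UP };

/* Build one frame in a simulated stack, copy n bytes into the local buffer
 * from its lowest address upward (the direction memcpy/strcpy write), and
 * return 1 if the frame's own return-address slot was overwritten. */
int overrun_clobbers_return(enum growth dir, size_t n)
{
    unsigned char stack[STACK_SIZE];
    size_t ret_slot, buf;
    memset(stack, 0, sizeof stack);
    if (dir == GROWS_DOWN) {
        ret_slot = 40;              /* the call stores the return address first */
        buf = ret_slot - BUF_LEN;   /* locals are placed below it: bytes 32..39 */
    } else {
        ret_slot = 16;              /* return address stored first, at a low address */
        buf = ret_slot + RET_LEN;   /* locals are placed above it: bytes 20..27 */
    }
    memset(stack + ret_slot, RET_MARK, RET_LEN);
    if (n > STACK_SIZE - buf)       /* stay inside the simulated memory */
        n = STACK_SIZE - buf;
    memset(stack + buf, 'A', n);    /* the unchecked copy into the buffer */
    for (size_t i = 0; i < RET_LEN; i++)
        if (stack[ret_slot + i] != RET_MARK)
            return 1;
    return 0;
}

/* Smallest copy length that damages the return slot, or -1 if none does. */
int first_clobbering_length(enum growth dir)
{
    for (size_t n = 0; n <= STACK_SIZE; n++)
        if (overrun_clobbers_return(dir, n))
            return (int)n;
    return -1;
}

int main(void)
{
    printf("stack grows down: %d\n", first_clobbering_length(GROWS_DOWN));
    printf("stack grows up:   %d\n", first_clobbering_length(GROWS_UP));
    return 0;
}
```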
Re:Relativity (Score:3, Insightful)
Re:Relativity (Score:5, Insightful)
I've (very) occasionally caught a virus present on the machine before it was ever executed or did any harm. I've (very) rarely wound up with spyware - but nothing major, and nothing that couldn't either be uninstalled via its own well-behaved uninstaller or removed easily via something like adaware.
Why? Because I don't run or install software if common sense says the source might be shady. The one or two spyware incidents I've had were with semi-legit software - it probably told me in a Eula all about the nasty reporting it wanted to do, and I clicked through - that, as spyware goes, was relatively benign.
Now my old roommate's machine, with the same basic setup, was another story. It was amazing she could move the mouse with all the crap going on in the background from various malware. Different computing use habits, I suppose.
Re:Is it enough? Yes. (Score:3, Insightful)
Are you arguing that it's "enough" for Apple to not patch known problems? That because Apple has a good track record that they can be lax? That Apple should imitate Microsoft's policies of the late 1990s and not take "gray hats" seriously?
If so, that's a pretty stupid and reactionary attitude. I think most Mac users, including myself, are not slobbering "macz rulez" and want Apple to take an aggressive stance towards security issues in order to prevent the Windows situation from ever happening.
Hey, some of us remember the days when Windows NT 4.0 was considered relatively immune to hackers when compared to *nix systems. Things can change if the vendor is idiotic.
Re:Stupidity (Score:3, Insightful)
Re:Stupidity (Score:2, Insightful)
Re:Stupidity (Score:3, Insightful)
I've built literally hundreds of PCs for myself, friends, family, co-workers and clients. I couldn't craft an exploit if you paid me to.
Re:extortion? (Score:3, Insightful)
Or maybe having an open-source license excuses them from your standards?
Plus, posting exploit information before sending a nice email to the developer is just irresponsible. How would that benefit anyone other than script kiddies?
Re:Give me REAL WORLD proof (Score:1, Insightful)
heck, show me osx malware at all (besides norton antivirus), even something i'd have to be an idiot and run myself. and not that proof of concept virus with no payload, something that actually does something negative. seems to me everyone likes speculating about how bad osx security is since patch X came out, but for whatever reason the hackers never bother exploiting it.
Re:Relativity (Score:3, Insightful)
So to get this straight, you run an operating system that has so many security problems that you need to run at least two other programs just to make sure that you aren't infected by anything. At least one of those programs is an intensive application that has to scan every potentially harmful file before it can be used.
Despite having effectively ended up with a less powerful computer with less memory, and still having to very carefully modify your behaviour while using your computer because of the OS vendor's poor security practices, you're still defending their operating system (and effectively their reputation). Bizarre.
And people say Apple and Linux fans are zealots.
Re:Security by obscurity (Score:5, Insightful)
That being said, I disagree with your assertion that 20 dictionary attacks a day is 20 times more likely to get into an SSH server than 0 dictionary attacks. If your passwords are any good, they won't get in either way.
Yes, your "obscure" port protects you from the dumber automated scripts. That could buy you a little time if a genuine vulnerability shows up in the sshd. But it's only a matter of time before the stupid scripts scan for sshd on other ports.
Then you'll have to switch to port knocking
Re:Security by obscurity (Score:3, Insightful)
True, especially since it's easier to defend against broad, repeated scans (assuming they don't have a good way of doing it from distributed hosts).
Still, I'd argue your defense isn't as much one of obscurity as it is one of heterogeneity. If everyone ran sshd on a different port, the attack vectors would be different.
It's also probably safe to assume that if someone has the intelligence to change the port that SSH is listening on that they are also clever enough to keep it up to date and securely configured.
I wasn't suggesting that you weren't keeping your sshd up to date. I was thinking more along the lines of a 0-day exploit kind of situation. The first attack scripts will go for the easy targets.
Which kind of brings me full circle. Obscurity, in this case, is more a means to heterogeneity. One powerful way of being secure is just being a little more difficult a target than the next guy. Burglars will go to the house without a dog (or without an alarm system). Sure, a determined burglar will still be able to get into a protected house, but why bother? As the marketing folks say, they'll go for the low hanging fruit.
That is, unless the fruit you're protecting is really, really juicy.
OK, I've mangled enough metaphors to traumatize an entire English Department, so I'd best stop here.
Unfortunately the soft pink human underbelly of your network is the most glaring weak point for attackers targeting your systems, and we can't really firewall their voice-boxes and fingers if we expect to keep doing business.
I often think security would be so easy if we just didn't have those darn users...
Re:Security by obscurity (Score:2, Insightful)
Of course, we all know there's a big difference between theory and practice... I agree that obscurity is a valuable tool in the arsenal, but it's only a bandaid compared to the theory side of things... obscurity may protect you against the common script kiddie nuisance, but you need theory to protect you against the professional cracker, which is the real danger to whatever you're trying to protect.
From that perspective, one could argue it's better to let the script kiddies bang on your system to ensure it's secure. If they do get through, the worst you get is a spambot or some other relatively obvious, but minor, mess to clean up, and you know you've got a hole to fix. But if you left that unknown hole sitting around, when the real cracker comes, he's going after your corporate business plans and new prototypes, and he's probably not going to be as obvious about it... which leaves you in for a surprise when your competitors beat you to market with a cheap copy of what you've been working on, costing you far more than the script kiddie cleanup ever would. Just a thought.