

Apple forces upgrade for security
October 30, 2003 11:12 AM

Unlike Microsoft, which supports their OS releases for 5 years, Apple is forcing users to purchase the new OSX 10.3 to fix security issues. No support is provided for any other OSs in the OSX family.

Sounds like an open door for intentional software bugs and issues.
posted by omidius (30 comments total)

 
I have a difficult time believing that Apple is not going to continue to release security updates for OS X 10.2 for the foreseeable future. I understand that is what the article says, but I simply don't believe that this is what Apple will do.
posted by waldo at 11:21 AM on October 30, 2003


I hope Apple clarifies this issue quickly.
posted by BlueTrain at 11:23 AM on October 30, 2003


Sounds like a C|Net article full of FUD and baseless speculation.

From the link:

The Mac Observer Spin: Let us first make it clear that Apple has not said it will not support Jaguar. C|Net's article says that Apple has not yet provided a security fix for Jaguar for a problem that has been fixed in Panther. The article also points out that some other problems remain unfixed in Jaguar, but any conjecture that this is a matter of policy is at this point just that, conjecture.

BTW, I looked up what those flaws were a couple of days ago. Pretty insignificant, especially for Joe Average User.
posted by ursus_comiter at 11:24 AM on October 30, 2003


hmmm. i just had a look at the so's pbook and checked if there were any downloads. 10.2.8 has security fixes that must have come out in the last week or so.

*i* just spent two days installing linux on my laptop. you just don't get that kind of fun if you're an apple owner (and boy, i've not even tried to configure x yet!).
posted by andrew cooke at 11:31 AM on October 30, 2003


aye, ursus_comiter, it's no biggie. Problems are caused by third party vendors. Try running diskutil repairpermissions / on a regular basis.
They will give out security updates for 10.2, I'm sure. Maybe then I'll bother to buy X, my mac shipped with that horrid 10.0.4 BETA stuff.
posted by dabitch at 11:42 AM on October 30, 2003


horrid
posted by dabitch at 11:43 AM on October 30, 2003


Cool! For this to happen with an MS operating system, you have to PIRATE it! Apple has realised the best way to make people buy a new copy: Don't even bother providing the updates!

Nice. This will make some excellent cannon fodder, especially with pivx having admitted to the security of IE.

andrew cooke, 2 *days*? If I were near you, I'd have it done in under 10 minutes. Guaranteed!
posted by shepd at 11:43 AM on October 30, 2003


Here is the email sent out about security fixes in 10.3, username and password are "archives".
posted by rhyax at 11:46 AM on October 30, 2003


One of the vulnerabilities allows the attacker to get information on memory addresses of a crashed machine, which, according to the eWeek article "aren't normally considered to be sensitive material". The other one requires "interactive shell access" to the machine, which sounds to me like *the hacker would have to be sitting at the computer*, at which point if you ask me a fairly large degree of your computer's security becomes useless anyway. These are both minor; they were only reported a few days ago; Apple has *not* stated they will not patch them. Obviously the end is nigh for Mac OS X as a computing platform!! Alert the media!!
posted by bcwinters at 11:51 AM on October 30, 2003


shepd - oh yeah? it's an ibm x31 with no floppy or cd drive and a network card that's only supported in 2.4. i wanted dual boot with debian stable (which is 2.2) - windows is preinstalled and i don't want to lose it. and a pony. :oP
posted by andrew cooke at 12:03 PM on October 30, 2003


This article is such a pile of steaming-hot vapidity. Until Apple actually explains whether they are going to provide patches for older versions of their OS, this is just poorly-informed speculation. It's only C|Net, so I don't expect them to actually have a clue about software development, but that doesn't make their conclusions reasonable.

It basically works like this: company releases a version of their product. Some new bug reports come in, things none of the beta testers caught, and the company puts out a patch version or two. Now all the programmers start working on the next version. For the next year or two, all development work is focused on this next big version. Lots of bugs arise and are squashed. Every now and then, one of these bugs turns out to be an old bug that just didn't turn up for a long time. Programmers are busy, so they usually fix these in the current source code and make a note to patch the fix back into the old, archived source code later.

Every few months the company collects these old-bug fixes, merges them into the old-version source tree, and ships the result as a new patch version. But the programmers stay on the main development tree nearly all the time, so the old version is ancient history to them and after a while they can barely remember how it works. Making patches becomes increasingly hard since the new code they write to fix the bugs starts to rely on new features or architectural changes made during the course of work on the new version. Merging these changes into the old code is no longer a matter of just slapping in the diffs; somebody has to go switch to the old source tree and massage the code until it fits.

So here we are: Panther has just gone out the door. New bugs are discovered that turn out to have been hanging around unnoticed since Jaguar. So what do the developers do? They fix it in the code they've been working on for the last year and are familiar with, and make a note that this patch can probably be applied safely to Jaguar too.

Most likely, somebody is still going to go merge the changes into the old source tree, test everything to make sure the changes don't break anything new, prepare a release archive, etc. But that's a lot of work, and of course they are going to patch the new version first. The only way they'd be able to release patches for Jaguar and Panther simultaneously is if they delayed the Panther patch until the Jaguar changes were finished.

Now, if Apple comes out and says "Jaguar is dead; buy Panther if you want bug fixes", that'd be grounds for irritation. And if Apple hasn't put out a patch in another month or two, that'd be a good time to start getting worried. But this article is mere petty flamery.
posted by Mars Saxman at 12:04 PM on October 30, 2003


Notes:

There was a problem in 10.2.X where, if you copied files from a disk image, they didn't get proper permissions, they had all permissions. This was an error, but only cropped up if you did a "drag-and-drop" install. If the software package used the Installer (as Apple tells you to) the problem didn't happen.

If you have Jaguar, and you are worried, do what dabitch tells you. (Hmm, why do I suddenly sound like Shaft?) Run Disk Repair, repair permissions, this will lock down everything that needs to be locked down. Panther fixes the problem with Disk Images, I hope that this is backported to Jaguar, but I don't consider it ultra-critical if it isn't. It's not *good*, but it's not leaving your machine wide open. Given that OS X is sensitive to permission problems, repair-permissions is a good thing to run anyway. (And Ghugle Help Us if someone trojans that.)

Fixes for non-apple written software -- that is, most of the stuff in Darwin -- often take a few days to get migrated into Darwin, tested, and released. In general, this doesn't bother me -- most of the remote compromises are using buffer overflows and the like, and since the vast majority of the exploits out there are written with the assumption that you're running an Intel or Sparc processor, you're often still safe -- for a while. If/As OS X becomes more popular, this safety net will get weaker.

Third: I do want to see Apple make a clear statement on this position, and I will be very disappointed if they choose not to at least do security fixes for OS X 10.2 and 10.1. I can forgive them for calling EOL on 10.0, which shouldn't have been released in the first place, IMHO.

Finally: I am only somewhat worried about local root exploits -- and only on machines that are running external services. If you aren't running external services, a local root exploit only gets you if they have access to the console -- and if they do, there are *many* ways for them to take over your machine. One of the rules of security is that if they have physical access to the box, they will get in.

Local exploits were much more important in the days when you'd have sixty or so users on a large mini. Now that the processor-user ratio is probably over 1.0, they're not as important. (They are not unimportant, mind you.)
posted by eriko at 12:05 PM on October 30, 2003
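The drag-and-drop permission problem eriko describes (files copied off a disk image ending up with all permissions for everyone) is easy to check for without waiting on a vendor. The Python below is an added example, not Apple's code and not what `diskutil repairPermissions` actually does (that tool compares installed files against package receipts); it just walks a tree, reports anything with the "other" write bit set, and strips that one bit. The Example.app tree it inspects is a constructed fixture with a hypothetical app name, so the script runs offline on any Unix-like box.

```python
import os
import stat
import tempfile


def find_world_writable(root):
    """Return [(path, mode)] for every file or directory under root that grants
    write to 'other' (the symptom of a 0777 drag-and-drop copy). Symlinks are
    skipped: their own mode bits mean nothing and chmod would follow them."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue
            mode = stat.S_IMODE(st.st_mode)
            if mode & stat.S_IWOTH:
                findings.append((path, mode))
    return sorted(findings)


def strip_world_write(paths):
    """chmod o-w on each path. Only the 'other' write bit is cleared, so an
    executable stays executable and owner/group bits are left as they were."""
    new_modes = {}
    for path in paths:
        mode = stat.S_IMODE(os.lstat(path).st_mode)
        os.chmod(path, mode & ~stat.S_IWOTH)
        new_modes[path] = stat.S_IMODE(os.lstat(path).st_mode)
    return new_modes


def build_sample_tree(base):
    """Constructed fixture (hypothetical app name): an Example.app whose MacOS
    folder and binary arrived as 0777, next to a correctly installed Info.plist.
    Every mode is set explicitly so the process umask cannot change the result."""
    app = os.path.join(base, "Example.app")
    contents = os.path.join(app, "Contents")
    macos = os.path.join(contents, "MacOS")
    os.makedirs(macos)
    for d in (app, contents):
        os.chmod(d, 0o755)
    os.chmod(macos, 0o777)                      # as if drag-copied from a disk image
    binary = os.path.join(macos, "Example")
    with open(binary, "w") as f:
        f.write("#!/bin/sh\necho hello\n")
    os.chmod(binary, 0o777)                     # same
    plist = os.path.join(contents, "Info.plist")
    with open(plist, "w") as f:
        f.write("<plist/>\n")
    os.chmod(plist, 0o644)                      # installed properly
    return {"bad": sorted([macos, binary]), "good": [plist]}


def run_demo():
    """Build the fixture, scan, fix, rescan. Returns (before, after, fixture)
    with paths made relative to the temp dir so callers get stable values."""
    with tempfile.TemporaryDirectory() as base:
        fixture = build_sample_tree(base)
        before = find_world_writable(base)
        strip_world_write([p for p, _ in before])
        after = find_world_writable(base)
        rel = lambda p: os.path.relpath(p, base)
        return ([(rel(p), m) for p, m in before],
                [(rel(p), m) for p, m in after],
                {k: [rel(p) for p in v] for k, v in fixture.items()})


if __name__ == "__main__":
    before, after, fx = run_demo()
    for path, mode in before:
        print(f"world-writable: {path} {oct(mode)}")
    print("remaining after fix:", after)
```

Run against a real /Applications you would drop the fixture and pass the directory to find_world_writable directly; review the list before handing it to strip_world_write, since a few things (shared drop folders, for instance) are world-writable on purpose.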


Yeah, andrew, no problem. Network installs are the fastest. I'd get slackware 9.1 running on that thing faster than... uhhh... well... you know. :-) I bet it has USB ports......

Ahh, here would be the list of problems.

Solution:
Upgrade to Mac OS X 10.3 (Panther).


Description:
Multiple vulnerabilities have been reported in Mac OS X, where the impact spans from local DoS (Denial of Service) vulnerabilities to privilege escalation, security bypasses and information disclosure.


Seems pretty damn serious to me.

8) A vulnerability in OpenSSH can be exploited by users to access the system from IPs that they were not supposed to.

Scary.

12) The Mail application will silently fall back to plain-text authentication when an account is configured to use MD5 Challenge Response but the hashed login fails.

Equally not cool.
posted by shepd at 12:10 PM on October 30, 2003
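Item 12 in the list shepd quotes is worth seeing in code, because the failure is in the client, not the server: a mail client that falls back to PLAIN after a failed MD5 Challenge-Response login will hand the password to anyone who can sit in the path and simply reject the hashed attempt. The Python below is an added example and a model, not Mail.app's code or Apple's fix. The CRAM-MD5 computation follows RFC 2195; MockServer, the usernames and passwords, and the honest_cram switch (which models an interposed host that cannot verify CRAM-MD5 because it does not know the password) are all constructed for the example.

```python
import base64
import hashlib
import hmac
import os


class AuthDowngradeError(Exception):
    """The only mechanism left would put the password on the wire in the clear."""


def cram_md5_response(username, password, challenge_b64):
    """RFC 2195 client response: base64("user " + hex(HMAC-MD5(password, challenge)))."""
    challenge = base64.b64decode(challenge_b64)
    digest = hmac.new(password.encode(), challenge, hashlib.md5).hexdigest()
    return base64.b64encode(f"{username} {digest}".encode()).decode()


class MockServer:
    """Stand-in for the server side of an IMAP/POP login (constructed here).
    honest_cram=False models an interposed host that advertises CRAM-MD5 but
    cannot check it, so it rejects the attempt and waits for a downgrade."""

    def __init__(self, users, mechs=("CRAM-MD5", "PLAIN"), honest_cram=True):
        self.users = dict(users)
        self.mechs = list(mechs)
        self.honest_cram = honest_cram
        self.observed_plaintext = []      # (user, password) pairs seen via PLAIN
        self._challenge = None

    def capabilities(self):
        return list(self.mechs)

    def cram_challenge(self):
        self._challenge = base64.b64encode(os.urandom(16)).decode()
        return self._challenge

    def verify_cram(self, response_b64):
        if not self.honest_cram or self._challenge is None:
            return False
        user, digest = base64.b64decode(response_b64).decode().split(" ", 1)
        password = self.users.get(user)
        if password is None:
            return False
        expected = hmac.new(password.encode(), base64.b64decode(self._challenge),
                            hashlib.md5).hexdigest()
        return hmac.compare_digest(expected, digest)

    def verify_plain(self, payload_b64):
        # SASL PLAIN is authzid NUL authcid NUL password; anyone on the path reads it.
        _, user, password = base64.b64decode(payload_b64).decode().split("\0")
        self.observed_plaintext.append((user, password))
        return self.users.get(user) == password


def authenticate(server, username, password, allow_plain_fallback=False):
    """Log in to an account configured for MD5 Challenge-Response and return the
    mechanism that succeeded. allow_plain_fallback=True reproduces the quoted
    item 12: a rejected CRAM-MD5 silently degrades to PLAIN."""
    mechs = server.capabilities()
    if "CRAM-MD5" in mechs:
        response = cram_md5_response(username, password, server.cram_challenge())
        if server.verify_cram(response):
            return "CRAM-MD5"
    # CRAM-MD5 was missing or rejected. The safe client stops here and tells the user.
    if not allow_plain_fallback:
        raise AuthDowngradeError("CRAM-MD5 failed; not sending the password in the clear")
    payload = base64.b64encode(f"\0{username}\0{password}".encode()).decode()
    if server.verify_plain(payload):
        return "PLAIN"
    raise PermissionError("authentication failed")


if __name__ == "__main__":
    attacker = MockServer(users={}, honest_cram=False)
    try:
        authenticate(attacker, "alice", "hunter2", allow_plain_fallback=True)
    except PermissionError:
        pass
    print("attacker captured:", attacker.observed_plaintext)   # [('alice', 'hunter2')]
```

Note that the attacker never has to succeed: the login fails either way, but with the fallback enabled the password has already crossed the wire by the time the client reports an error. That is why "fail closed" on the configured mechanism is the right client behaviour, and why the advisory item is more than cosmetic even though CRAM-MD5 itself is a weak mechanism by today's standards.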


Unlike Microsoft, which carries security issues onto new OS versions, Apple is a stable and secure OS. No support is provided for anyone living in an MS family.

Sounds like an open door for intentional software bugs and issues.
posted by boost ventilator at 12:20 PM on October 30, 2003


Hey, Apple, lemme clue you in:

You break it, you buy it.
posted by Civil_Disobedient at 12:57 PM on October 30, 2003


Shep's link states: "Where: local area network". So does that mean it only can be used against people on the same LAN?

Also, wouldn't the solution state download patch when a patch is available?
posted by infowar at 1:24 PM on October 30, 2003


I can't say I'm that worried. I'm staying on 10.2.6 until I can be bothered to download the update, so I suppose that I'm so far behind that I should just count my blessings that my laptop hasn't tried to dice, slice, cook and eat me at the behest of some malevolent script kiddie.

I'd be interested to hear how many of these potential exploits have actually even been, y'know, exploited. By people who don't work for security research firms, that is.
posted by zygoticmynci at 1:36 PM on October 30, 2003


Hey! How about you give Apple's developers at least a week before you jump down their f*cking throats!
Us Mac geeks are so damn whiney.

In other news, there is still not a single known virus for OS X.
posted by cinderful at 1:55 PM on October 30, 2003


bcwinters, "having interactive shell access" is not the same as sitting at the computer. For example, ssh and telnet provide remote interactive shell access. Badly written servers can sometimes be exploited to gain shell access also.

In general "local" exploits are still a problem, because they provide more vectors for a remote intruder once they've managed to get themselves a shell. You should not ignore updates merely because an exploit is local, if your machine is connected to a network.
posted by i_am_joe's_spleen at 2:13 PM on October 30, 2003


Andrew Cooke, it's actually relatively common to install Linux on an Apple. If you Google on it, you'll find plenty of sites and articles, even one hosted by O'Reilly. You can run X and everything. I've been toying with the idea myself, ever since I got my iBook (And I'd always owned PCs before, ever since high school. Never bought them whole, just got the parts at the local computer show, and later, at CompUSA/Fry's/etc.). I just haven't done it because I'm happy enough that I can do my day-to-day stuff and keep my consulting work running on OS X. After all, do I really need GIMP if I have Photoshop, and so on. And if I really want to be hardcore, I can shut down BBEdit and Dreamweaver, open up Terminal, and code my pages in vi.
posted by halonine at 2:17 PM on October 30, 2003


So does that mean it only can be used against people on the same LAN?

Last night's Screen Savers suggested it could only be used on the same machine, not even the LAN.
posted by yerfatma at 2:20 PM on October 30, 2003


Given some recent @stake actions and also given the 48 hours of notice, I'm not going to jump to any conclusions just yet. AFAIK, Apple has provided security updates for 10.1 during 10.2's lifespan. I think Apple just hasn't had time to do an update yet.

Regarding Core Files, I believe a user has to activate them to be vulnerable. SSH isn't even on by default so I'm curious as to how big an issue it is to begin with.

I think this is pro-MS FUD. You'd think all the Longhorn tooting would be enough for MS ATM.
posted by infowar at 3:06 PM on October 30, 2003


aren't most security vulns in the Darwin layer anyway? how hard would it be to have some dork working away fixing those and carrying them over to OS X proper? Hell, they still update linux 2.0 now and then.
posted by Space Coyote at 6:49 PM on October 30, 2003


http://www.macobserver.com/comments/commentindivdisplay.shtml?id=35990


The issue does not exist in earlier versions of Mac OS X or Mac OS X Server.
posted by MrLint at 7:00 PM on October 30, 2003


There have been security updates for 10.1 since 10.2 was released. A quick search on Apple's site turned up one from March of this year.

The author of the CNET article should be forced to copy Mars's post on the blackboard 100 times, or until he gets a clue.
posted by D.C. at 8:20 PM on October 30, 2003


Here. You want a real OS X issue? Apple is about a week late "identifying" this. I love Apple to bits, but they might as well be the Soviet politburo when it comes to releasing information in a timely manner.
posted by stonerose at 9:01 PM on October 30, 2003


I think this is pro-MS FUD. You'd think all the Longhorn tooting would be enough for MS ATM.

Of course it is! And trust me, I'll be using it to every end I can. >:-D

However, that being said, too late about the ATM thing, man.

Not that I think they need to have an OS. I mean, we're talking a screen with pushbuttons. Drop the OS. It's unnecessary overhead.
posted by shepd at 9:45 PM on October 30, 2003


I think Apple has bigger fish to fry ATM with the FireWire/Panther install issue.
posted by infowar at 5:28 AM on October 31, 2003


Listen. All versions of OSX previous to 10.3 allowed users free access to all files on the machine if they had physical access to it. This could be done easily.

So dropping everything for a super-fast (and possibly buggy) patch for this local-only exploit doesn't make a lot of sense, does it? Apple has patched all security holes for free and often, and it is very likely that they will patch this soon. Unlike you know who.

The lovely thing is that the media (even the Screensavers) are making a huge deal out of this and comparing this unfavorably to MS. lol. If MS only had this pretty trivial vulnerability in Win they would be dancing in the streets.
posted by n9 at 8:25 AM on October 31, 2003


Apple dispels FUD.
posted by alms at 11:39 AM on October 31, 2003

