Apple Releases Mac OS X Security Patch Addressing 25 Issues
6:45 PM EDT, April 19th, 2007
Apple released Security Update 2007-004 for Mac OS X 10.3.9 and Mac OS X 10.4.9. The update addresses some 25 different issues in 19 different Mac OS X components. All of them are issues that could potentially have allowed either arbitrary code execution or a bad guy to gain access to your Mac with "escalated privileges."
The patch notes from Apple:
Security Update 2007-004 is recommended for all users and improves the security of the following components:
haha, last week, OS X is the most secure OS in history, this week, 25 more security holes fixed. at least three of them are from MOAB back in January.
Remember when everyone was saying those vulnerabilities weren't even valid? Apple disagreed with you so much, they've been releasing security updates every month since then addressing these holes!
Guest wrote: Remember when everyone was saying those vulnerabilities weren't even valid? Apple disagreed with you so much, they've been releasing security updates every month since then addressing these holes!
I agree with you 100%, and share your happy enthusiasm for such a great company. It really is amazing that Apple chooses to address even the most frivolous & minor security issues during the same quarter that the issues are raised, unlike some other non-security minded OS producers.
Huh, and here I thought remote exploits that allow arbitrary code execution were more than frivolous. I'll have to readjust my idea of "security" when it comes to a Mac.
I agree with you 100%, and share your happy enthusiasm for such a great company. It really is amazing that Apple chooses to address even the most frivolous & minor security issues during the same quarter that the issues are raised, unlike some other non-security minded OS producers.
If a security issue is frivolous, wouldn't that be a waste of Apple's resources to develop a fix for it, especially at a time when the company is unable to deliver its products to market on schedule? Why are Jobs & Schiller allowing fixes for issues that are unworthy of serious attention? Wouldn't this be a strategic mistake and a waste of the company's resources? More than likely, these 25 vulnerabilities allowed arbitrary code execution, escalation of privileges, unexpected termination of applications, and other things that should not be allowed on a secured system. At least, that's what Apple says, but we know better about the security of Mac OS X than Apple does!
Name: Sir Harry Flashman | Posts: 750 | Joined: 08 Feb 2007 | Thu Apr 19, 2007 9:46 pm | Subject: Troll alert
Quote
Guest wrote: haha, last week, OS X is the most secure OS in history, this week, 25 more security holes fixed. at least three of them are from MOAB back in January.
Remember when everyone was saying those vulnerabilities weren't even valid? Apple disagreed with you so much, they've been releasing security updates every month since then addressing these holes!
Anonymous wrote: haha, last week, OS X is the most secure OS in history, this week, 25 more security holes fixed. at least three of them are from MOAB back in January.
Remember when everyone was saying those vulnerabilities weren't even valid? Apple disagreed with you so much, they've been releasing security updates every month since then addressing these holes!
OK, OK, hang on, hang. Let me get this right. You're saying that last week, or some last week, not actually last week because, like, you know, this week isn't the same week as the week this item was first posted, which means of course that last week is a kind of relative term or something. You know? Anyway, so the previous week of some previous week, OS X was the most secure OS in history, and then this week, which is as relative a term as the previous one, OS X has 25 less vulnerabilities than when it was the most secure OS in history.
So you're saying, what... that the term "infinity plus one" is a valid concept? Hmmm, so all those primary school taunts were actually meaningful. Like... somebody could throw a ball further than me infinity plus one times and that this feat was actually possible.
I think I need to review the meaning of superlatives, 'cos obviously I'm not grasping some basic tenets here that should be cleared up before I go any further in life believing that "most" and "ever" are two words that can co-exist in the same assertion as "25 more".
that's funny, inferiority complex much? for some reason, whenever there is criticism of an Apple OS, Apple nuts are the first to bring up Microsoft, and then they spell the name wrong.
that's funny, inferiority complex much? for some reason, whenever there is criticism of an Apple OS, Apple nuts are the first to bring up Microsoft, and then they spell the name wrong.
1. I did not misspell MicroSoft.
2. I merely pointed out the truth about MicroSoft's notorious security problems.
3. I do not have an inferiority complex. If anything I feel superior about using OSX and Macs.
Guest wrote: that's funny, inferiority complex much? for some reason, whenever there is criticism of an Apple OS, Apple nuts are the first to bring up Microsoft, and then they spell the name wrong.
Guest wrote: haha, last week, OS X is the most secure OS in history, this week, 25 more security holes fixed
The fact that they fix problems is what MAKES it secure.
This isn't hard.
The fact that it takes them over 3 months to fix publicly known vulnerabilities kind of makes it obvious that claiming to be the most secure OS is pure bloviating. You're right, it's not hard at all.
There is no capital S in Microsoft. Look at the title bar when you visit www.microsoft.com. It's Microsoft Corporation. Look at the logo. Look anywhere the name Microsoft is used on the site. Even basic facts escape an Apple fanatic.
Inferiority complexes arise when someone thinks they are superior to something else but have less success than that something else. Apple, Microsoft. Hmm, which one has a larger installed base? How many machines are running Mac OS X vs. Microsoft Windows?
that's funny, inferiority complex much? for some reason, whenever there is criticism of an Apple OS, Apple nuts are the first to bring up Microsoft, and then they spell the name wrong.
1. I did not misspell MicroSoft.
2. I merely pointed out the truth about MicroSoft's notorious security problems.
3. I do not have an inferiority complex. If anything I feel superior about using OSX and Macs.
Nice link dude. Looks like a lot of different systems were affected, but every one of them has a link to download a patch. This was only released on the 3rd, that's some serious attention to security by Microsoft. They are on the ball getting patches out!
The fact that it takes them over 3 months to fix publicly known vulnerabilities kind of makes it obvious that claiming to be the most secure OS is pure bloviating. You're right, it's not hard at all.
Oh, right. I forgot.
This is related to that report where Microsoft fixed 12 severe threats in 21 days while Apple fixed their 1 severe threat in 66 days.
Me? I'll take the system with 1 threat to start. That's a total of 66 days that 1 threat was a problem.
You'd prefer to have the equivalent of 252 threat-days (12x21) on your system.
That's fine if that's what YOU want, but you're never going to convince US that 252 days of threats is better than 66 days.
That math doesn't reflect reality. When a flaw is first discovered, there is no exploit running around. Exploit code, like all software, takes time to develop, test & deploy. The turn around time for a patch is what matters.
Also, who cares about that report from before people started paying attention to Mac OS X, here are 25 flaws, at least 3 of which have been known publicly for 3 months. Maybe way back then Apple only had one flaw, but in 2007 it has been a steady stream of security flaws requiring a patch.
Also, who cares about that report from before people started paying attention to Mac OS X
March of 2007 is too old to remember? I guess things do change quickly in this business.
Well, if March doesn't matter anymore I guess I can look forward to forgetting all about THIS news by May.
Quote
Guest wrote: That math doesn't reflect reality. When a flaw is first discovered, there is no exploit running around. Exploit code, like all software, takes time to develop, test and deploy. The turn around time for a patch is what matters.
OH! I get it. It's the EXPLOIT that matters, not the proof. That's what you're saying?
I wasn't getting that before.
Now that I know, I feel a lot better since none of these things here have been exploited. So, really, it's like they don't matter at all, I guess.
Ok, dude, if you want to try to do this, let's get it right, because you are very confused.
First, those numbers weren't from March, they were from 2006, not from March 2007. This is why, "In 2007 it has been a steady stream of security flaws requiring a patch." So let's take a look at 2007 from Apple.
That's less than three months and Apple has issued 63 security updates. In the last 6 months of 2006 (that's where the numbers you were using for your math came from) there were 43. Cut that in half and you'd have, say 21. Apple is releasing security updates at triple the rate it did in the back half of last year. This is what happens when security researchers start to take a look at the Mac OS X platform, which heretofore has gotten very little attention. MOAB illuminated the need for Apple to get serious about security beyond marketing, but obviously that project was not solely responsible for all the flaws being patched right now, as there are more than double released so far than days in January.
Now, when it comes to exploits, there seems to be a perception in the Mac community (just read all the threads here) that exploit means virus or worm in the public view. You and I cannot know whether or not any of these vulnerabilities have been exploited yet, unless an exploit is made public. Since many of these vulnerabilities allow for escalation of privileges a wise attacker would not be interested in gaining any publicity if a system was compromised, he would not even want the system's administrator to know. Instead, a good attack would involve gaining unauthorized access to a system in order to collect data, and the system, once compromised through a vulnerability, would likely have a "permanent hole" in it, and the attacker only needs to exploit the vulnerability on the first access, and then would look like a regular user accessing the system with approved privileges from then on out. In order to exploit a vulnerability it takes time to research the vulnerability, develop a method of attacking that vulnerability, and then executing the attack. This is why there is so much focus on the "time to patch". The first few days or weeks after the discovery of a vulnerability will likely not see any active attacks on that vulnerability. To see a perfect example of this in the real world take the SQL Slammer worm. That worm exploited a vulnerability for which Microsoft had issued a patch months prior to the worm's release. In fact, it was the publishing of the patch that made the vulnerability public as it was discovered and fixed by Microsoft. Months later the worm infected systems that had not applied the patch. So, those early days & weeks after a vulnerability has been made public are not as dangerous as the months down the road. This is why the basic multiplication you used does not pertain to reality.
That's why, at most 17 days for Microsoft to have patches for that vulnerability linked above is considered good, and why releasing patches in April for vulnerabilities publicly disclosed in January is considered bad.
Name: LaurieF - TMO Forum Mod | Posts: 3528 | Joined: 15 Jun 2001 | Fri Apr 20, 2007 8:44 pm
Cut out the FUD, troll. You're just here to bag Apple, but I can't let it go.
So there are eleventy-three potential flaws in the OS - who gives a stuff? How many have been taken advantage of - that is, how many Macs have actually been compromised? That's the figure I want to have identified by you, because the latest figure I have (apart from possibly fifty isolated iChat users) is zero.
Name: Guest | Sat Apr 21, 2007 1:23 am
Boy did you miss the point. That's a figure you can't possibly know. Not you, not I. Just turn the exact statement around and tell me how many Slackware systems have been compromised via its security flaws, BSD, Solaris, any system, you can't come up with that number. That's the real FUD right there, using uncountable numbers as your argument basis. Whereas, when someone puts down a logical paragraph about how security vulnerabilities are exploited, and why certain numbers are used as measurements, you yet again fall into the trap of security exploits = publicly known viruses. Thank you for demonstrating that point. Security is far more than viruses.
Quote
LaurieF wrote: Cut out the FUD, troll. You're just here to bag Apple, but I can't let it go.
So there are eleventy-three potential flaws in the OS - who gives a stuff? How many have been taken advantage of - that is, how many Macs have actually been compromised? That's the figure I want to have identified by you, because the latest figure I have (apart from possibly fifty isolated iChat users) is zero.
Name: Guest | Sat Apr 21, 2007 1:25 am
There is no uncertainty of the number of security vulnerabilities that have been patched in the past 3 months. I have no doubt about it, nor should you. Just go look at Apple's Security Update webpage, or are you afriad?
Name: LaurieF - TMO Forum Mod | Posts: 3528 | Joined: 15 Jun 2001 | Sat Apr 21, 2007 8:12 am
I did not miss the point. I did not fall into any trap. You are a troll. You don't register, yet you, whoever you (plural) are, see fit to say whatever you like to show that the Mac's security is fatally flawed, and Apple's support is flawed. They aren't.
I can't prove that there haven't been any breakthroughs into my computers. However, I have sufficient proof to show that my security is at least adequate. All the Mac users I know are without any malware on their computers. (And before you say, "You can't possibly know that.", you're technically correct - but I'm talking about a level of confidence.)
Even without having hardware firewalls and virus checkers, the average Mac user retains a level of security that is way above average. How do I know? Empirical evidence shows it to be secure. I don't care that you say that this is a wrong conclusion to take - OS X has been around for over six years now, and despite all the potential holes, none have effectively been exploited.
So if Apple takes what you consider to be a long time to plug the holes, what of it? The holes are plugged, but in the meantime nothing gets through. Microsoft plugs its holes, you say, much more quickly. But its holes are exploited. Go and argue the latter point on a Microsoft advocacy board.
As I have said elsewhere, no-one has been shown to have broken into any Mac anywhere in the world without the (at least) carelessness of the user. No malware has ever been shown to have propagated through more than a handful (way less than a hundred) of computers.
If you were genuinely interested in Apple, and didn't come here to slag it off, you'd probably be here to read what others have written and at least partially digest it. Instead you vomit up your own misinterpretations, bile and misinformation.
Last edited by LaurieF on Sun Apr 22, 2007 7:03 am; edited 1 time in total
Name: DaiMac | Posts: 952 | Joined: 29 Jun 2001 | Sun Apr 22, 2007 3:36 am
Quote
Anonymous wrote: are you afriad?
Well, while Google had some interesting things to say as to what a Friad might be, I don't quite see what that has to do with visiting a page on Apple's website...
I'd also like to take this moment to thank Guest, Anonymous, and Seth McFarlane, without whom I wouldn't laugh nearly as often. The best thing is that while hardworking, creative people like Seth eventually get bored and/or die off, Anonymous and Guest posters saying stupid things from behind the safety of their cheap, nicotine-stained LCD screens is forever, even if one troll wises up and gets a life there will always be another to replace them.
It would almost be tragic if it weren't so damned funny
I can't prove that there haven't been any breakthroughs into my computers. However, I have sufficient proof to show that my security is at least adequate. All the Mac users I know are without any malware on their computers. (And before you say, "You can't possibly know that.", you're technically correct - but I'm talking about a level of confidence.)
I can say the exact same thing, except I'd be talking about Windows users and the people I know.
Quote
LaurieF wrote:
Even without having hardware firewalls and virus checkers, the average Mac user retains a level of security that is way above average. How do I know? Empirical evidence shows it to be secure.
Sure it does, glad to see you've linked that empirical evidence. Did you mean the over 60 security flaws that had to be patched in the last 3 months?
Quote
LaurieF wrote: So if Apple takes what you consider to be a long time to plug the holes, what of it? The holes are plugged, but in the meantime nothing gets through. Microsoft plugs its holes, you say, much more quickly. But its holes are exploited. Go and argue the latter point on a Microsoft advocacy board.
It's not me that says it's too slow, it's the rest of the industry. As you point out repeatedly, security is partly on the users. If someone was affected by the SQL Slammer, it is purely because they didn't install the patch which was released before the worm was. Microsoft had done all it could, and empirically has been shown to respond to security threats much faster than Apple. (Just read up in the thread for those numbers, they've already been included here by another poster).
Quote
LaurieF wrote:
As I have said elsewhere, no-one has been shown to have broken into any Mac anywhere in the world without the (at least) carelessness of the user.
Yeah, that's pretty much wrong. There is always some nitpick step that a user COULD have taken to prevent EVERY attack. So, you could say that's true of every system. But at some point you have to say "reasonable" in there. But of course, you're not reasonable.
Quote
LaurieF wrote:
If you were genuinely interested in Apple, and didn't come here to slag it off, you'd probably be here to read what others have written and at least partially digest it. Instead you vomit up your own misinterpretations, bile and misinformation.
Come now, say what you really think. Someone might mistake you for a fanatic.
Yup, when you've lost the argument in reality, you argue typos.
Quote
DaiMac wrote:
Quote
Anonymous wrote: are you afriad?
Well, while Google had some interesting things to say as to what a Friad might be, I don't quite see what that has to do with visiting a page on Apple's website...
It would almost be tragic if it weren't so damned funny
Name: Guest | Fri May 11, 2007 2:14 pm
Quote
Guest wrote: That math doesn't reflect reality. When a flaw is first discovered, there is no exploit running around. Exploit code, like all software, takes time to develop, test & deploy. The turn around time for a patch is what matters.
Also, who cares about that report from before people started paying attention to Mac OS X, here are 25 flaws, at least 3 of which have been known publicly for 3 months. Maybe way back then Apple only had one flaw, but in 2007 it has been a steady stream of security flaws requiring a patch.
Very good points. The time to fix is what is most critical. It usually takes over a month for an exploit to go from proof-of-concept to actual threats in the wild. For example, one of the QuickTime vulnerabilities discovered in January now has an exploit in the wild for it. There is fortunately a patch available for it, since it was one of the vulnerabilities that got enough press from MOAB to fix. But this just illustrates why having several vulnerabilities that are patched in less than a month is less of a threat to your system than even a single vulnerability that remains unpatched for more than 2 months. The first month is the crucial timeframe in which to issue a fix.