New Apple Patches: OS X, Safari, more - Gearslutz.com

Old 18th December 2007   #1
Gear Guru
 
theblue1
 
Joined: Mar 2005
Location: Long Beach, CA
Posts: 15,095

Thread Starter
New Apple Patches: OS X, Safari, more

Quote:
Apple Patches Keep Coming: Mac OS, Safari Beta Fixed


Monday, December 17, 2007 5:00 PM PST

Apple kept its rush of year-end security patches coming Monday, issuing a flurry of fixes for its Mac OS X operating system and the test version of its Safari browser.


Monday's patches included a whopping 31 updates for the Apple operating system. The Mac OS X patches fix components ranging from the Address Book and iChat software to under-the-covers operating system components such as ColorSync, the IO Storage Family, and the Perl, Python and Ruby programming languages.


Most of these flaws theoretically could be exploited by attackers to run unauthorized software on the Mac, although some of them had other security implications, such as allowing an attacker to gain access to sensitive information or download files to the computer without authorization.


These updates are for the Mac OS X 10.4 and 10.5 operating systems, known as Tiger and Leopard, respectively.


Apple also released a minor update to its Safari 3 beta code, which runs on Windows as well as Mac OS X, fixing a cross-site scripting security problem that affects Windows users.


The patches come just days after Apple released a major update to its QuickTime media player and a Java security fix for the Mac OS X 10.4 operating system, code-named Tiger. The QuickTime flaw was particularly serious, as it had been exploited by online criminals since early December.
With hackers and security researchers now paying more attention to Apple's products, the company's security team has been working overtime on bug fixes this year. Monday's patches were Apple's 35th and 36th security updates this year. In 2006, the company released just 22 sets of patches for its products.
PC World - Business Center: Apple Patches Keep Coming: Mac OS, Safari Beta Fixed


MORE: Another month, another monster Apple security update

Apple Security Update 2007-009 Can Cause Safari Crash || The Mac Observer
Old 18th December 2007   #2
Gear Guru
 
theblue1
 
Joined: Mar 2005
Location: Long Beach, CA
Posts: 15,095

Thread Starter
BTW -- if you're trying to get the Quicktime Security Update for a Windows machine you MAY have to use Safari for Windows to get Apple's QT download page to work...

Every time I clicked the check for updates in QT/Win it took me to a page with links ONLY for QT Mac! I searched the Apple site and found a few links for QT/Win DL's -- but they all took me back to the original Mac-only page.

Finally, it occurred to me that I should check in something besides my default browser, Firefox 2. So I go to the same URL using Internet Explorer and -- voila! -- there's a message that says my download will begin automatically. It is a lie. I sit there. Nothing. Try again. Nothing.

But I'm NOT out of options, oh no!

I pull out my trusty copy of Safari for Windows which I keep for testing (it's far too slow to use for normal browsing, at least without super jacked up caching). And -- YES! -- I get the 'download will start automatically' message -- and it actually does!!!
Old 18th December 2007   #3
Gear Guru
 
theblue1
 
Joined: Mar 2005
Location: Long Beach, CA
Posts: 15,095

Thread Starter
QuickBooks for Mac

In OTHER OS X news:

Quote:
December 17, 2007 11:34 AM PST
QuickBooks update shreds Mac files

Posted by Tom Krazit
Updated 1:55pm with comment from Intuit below.
Mac users who installed an update to their QuickBooks software over the weekend were met with a nasty surprise: missing data.


If you're a user of Intuit's QuickBooks accounting software for small businesses on your Mac, and you haven't installed an update pushed to users over the weekend, don't.


The update caused several Mac users to lose data from their Desktop folders, infuriating many who were hoping to close their books this week for 2007, only to lose valuable purchase orders and spreadsheets. This problem doesn't appear to affect those using QuickBooks on Windows PCs, but it does appear to be causing problems for both Tiger and Leopard users.


The update apparently came along with a prompt that read, "there is not enough space to install." If you clicked yes, knowing that your hard drive wasn't even close to full, you could have found yourself with lost data, once you rebooted after installing the update.
Old 19th December 2007   #4
Gear nut
 
tclash
 
Joined: Nov 2004
Location: Portland, OR
Posts: 134

Chip on your shoulder
Old 19th December 2007   #5
Gear Guru
 
theblue1
 
Joined: Mar 2005
Location: Long Beach, CA
Posts: 15,095

Thread Starter
Quote:
Originally Posted by tclash View Post
Chip on your shoulder
I think it's a good thing that companies like Microsoft and Apple put out updates to patch problems. I hope they keep 'em coming as long as they're needed. I've posted here about important updates or security issues for Windows stuff, too.


But, since you mention it, I probably should say that I have a less than 100% rosy history with QuickTime.

I'd had some unpleasant and one very nasty problem with QT free over the years. Still, I bought QT Pro 6.51 for Windows a few years ago in order to be able to deal with the QT movies my digi-cam puts out. I thought it was, overall, an entirely adequate program for $30 and that it was admirably light on its feet for a vid editor. I had qualms about its interface but once I figured out where the FX filters were I was happy enough.

Then people started sending me files (AACs and Mp4s) that it wouldn't play. It would go to the Apple site to check for a codec and come back and tell me it couldn't find any. I would check for new QT Pro versions and it would say there were none.

So I have to say I was pretty surprised when I realized that QT Pro 7 had actually been out for some time and that I would have to upgrade to it to be able to see the new content types.

So, how much to upgrade from 6.51 to 7? Full price.

I'd never run into something like that before. So I said to heck with it and finally downloaded VLC which played the content just fine.

But then, the security notice for QT 6.x came out -- it was blunt: do not use it if you are connected to the internet. Upgrade. So, I decided to throw away my QT Pro investment and just get the free QT 7.


So, yeah, it's not a big chip on my shoulder -- a measly little 30 dollar chip, actually. Not much in computer hassle/expense terms. But, yeah... full disclosure, it's there. So when the QT update site was so buggy today in not just one but TWO different browsers, there was no way it was going to go without comment. I apologize for the distraction.
Old 19th December 2007   #6
Lives for gear
 
severe
 
Joined: Feb 2005
Location: Long Beach, CA
Posts: 1,176

EVEN MORE: Another month, another New Apple Patch thread from theblue1

Hey... in most cases, if it wasn't for these threads I wouldn't know there was a problem.

...on either of my Macs or iPhone.

Good look'n out.
__________________
"Some of you people just plain don't know s---. No offense." -theblue1
"Tell us if it looks like it will sound good." -RKrizman
"The many truths we cling to depend greatly on our point of view." -Obi-Wan Kenobi
Old 19th December 2007   #7
Gear Guru
 
theblue1
 
Joined: Mar 2005
Location: Long Beach, CA
Posts: 15,095

Thread Starter
Big fan of the iPhone, here, all things considered.

If there's a phone with a better user interface -- I haven't seen it.

One thing I should add as long as we're doing the full disclosure thing... I've never actually made a call on one.


PS... Anyone who is worried that I'm inclined to give Microsoft any kind of free ride has never seen my comments about Vista. I'm pretty sure.

__________________________________________

UPDATE -- rather than bump this thread up, I'll just add THIS interesting bit to this post:
Larry Dignan, Zero Day blog, ZDNet:
Quote:
The year 2007 has been an interesting year that brought us improved security with Windows Vista and Mac OS X Leopard (10.5). But to get some perspective of how many publicly known holes were found in these two operating systems, I’ve compiled all the security flaws in Mac OS X and Windows XP and Vista and placed them side by side. This is significant because it shows a trend that can give us a good estimate for how many flaws we can expect to find in the coming months. The more monthly flaws there are in the historical trend, the more likely it is that someone will find a hole to exploit in the future. For example back in April of this year, hackers took over a fully patched Macbook and won $10,000 plus the Macbook they hacked.

I used vulnerability statistics from an impartial third party vendor Secunia and I broke them down by Windows XP flaws, Vista flaws, and Mac OS X flaws. Since Secunia doesn’t offer individual numbers for Mac OS X 10.5 and 10.4, I merged the XP and Vista vulnerabilities so that we can compare Vista + XP flaws to Mac OS X. In case you’re wondering how 19 plus 12 could equal 23, this is because there are many overlapping flaws that are shared between XP and Vista so those don’t get counted twice just as I don’t count something that affects Mac OS X 10.4 and 10.5 twice.


Larry Dignan, Zero Day blog
» Mac versus Windows vulnerability stats for 2007 | Zero Day | ZDNet.com
Old 21st December 2007   #8
Lives for gear
 
severe
 
Joined: Feb 2005
Location: Long Beach, CA
Posts: 1,176

However...

Vista vs Mac OS X Security: Why George Ou’s ZDNet Vulnerability Numerology is Absurd
Old 21st December 2007   #9
Lives for gear
 
Switchcraft
 
Joined: Jul 2004
Posts: 1,059

Stats from some guy on the internet???
Please! I have used Macs for 6 years and I have had about 6 different ones and I have never seen one bug, and had my computer OS die...um never.

My office PC, eeek. I have never even looked at porn with that PC and it still walks with a limp.


I don't need some guy to tell me about my vulnerability.
Old 21st December 2007   #10
Lives for gear
 
severe
 
Joined: Feb 2005
Location: Long Beach, CA
Posts: 1,176

Quote:
Originally Posted by Switchcraft View Post
Stats from some guy on the internet???
Please! I have used Macs for 6 years and I have had about 6 different ones and I have never seen one bug, and had my computer OS die...um never.

My office PC, eeek. I have never even looked at porn with that PC and it still walks with a limp.
Exactly my experience. Just tack on another few years under Macintosh's security. I've easily had more issues in the past year or two with my office PCs than I've had in my entire history with Apple.
Old 22nd December 2007   #11
Gear Guru
 
theblue1
 
Joined: Mar 2005
Location: Long Beach, CA
Posts: 15,095

Thread Starter
Quote:
Originally Posted by Switchcraft View Post
Stats from some guy on the internet???
Please! I have used Macs for 6 years and I have had about 6 different ones and I have never seen one bug, and had my computer OS die...um never.

My office PC, eeek. I have never even looked at porn with that PC and it still walks with a limp.


I don't need some guy to tell me about my vulnerability.
If you've got a complaint, you have a complaint with security blogger George Ou or Larry Dignan and/or with the well known security clearing house, Secunia (follow that link to their OS X page).

Feel free to ignore it. I really couldn't care much less.


Let me bold this: I certainly think that Windows users have a lot more to be worried about, no matter who has the most flaws in a given year, fixed or otherwise. And I've often said in these very forums that I think Windows' security is gawd awful.

I will say one thing though -- I've never had Microsoft want to charge me full price for a security upgrade, as Apple wanted me to do with Quicktime Pro 6.5.x. In fact, though I'm no fan of the company, MS has never charged me a single cent for a security patch or security updated version of a program. I'll say that.


But if you want to argue with Secunia about their flaw counts, that's between you and them.
Old 22nd December 2007   #12
Lives for gear
 
severe
 
Joined: Feb 2005
Location: Long Beach, CA
Posts: 1,176

Quote:
Originally Posted by theblue1 View Post
I will say one thing though -- I've never had Microsoft want to charge me full price for a security upgrade, as Apple wanted me to do with Quicktime Pro 6.5.x. In fact, though I'm no fan of the company, MS has never charged me a single cent for a security patch or security updated version of a program. I'll say that.
That's two things.
Old 22nd December 2007   #13
Lives for gear
 
Switchcraft
 
Joined: Jul 2004
Posts: 1,059

OK, that works for me. I'll be at the library.
Old 22nd December 2007   #14
Lives for gear
 
severe
 
Joined: Feb 2005
Location: Long Beach, CA
Posts: 1,176

Quote:
Originally Posted by theblue1 View Post
I certainly think that Windows users have a lot more to be worried about..

And you're not the only one:

U.S. Army Acquires More Macs To Enhance Cybersecurity

According to Forbes, the Army has quietly begun to integrate Macs into its systems.

"The U.S. Army believes that diversifying its computing platforms, in part by integrating more Macs, will make it more secure against cyberattacks like the ones that occurred over the summer to the Pentagon and a number of defense contractors."

"A leaked deployment order, for instance, might reveal the path of a supply truck and the points where it could be sabotaged [...] This is information that affects the lives of soldiers and the civilians we're trying to protect [...] It has to be safeguarded."

If it's secure enough for my country.. er, umm... it's secure enough for me?
Old 22nd December 2007   #15
Lives for gear
 
Kyle S
 
Joined: May 2007
Location: Tusc/Bham AL
Posts: 1,158

I don't understand why the Department of Defense doesn't design, build, and code their own damn computers.
Old 22nd December 2007   #16
Lives for gear
 
Dysanfel
 
Joined: Apr 2006
Location: Tampa
Posts: 1,570

Quote:
Originally Posted by Kyle S View Post
I don't understand why the Department of Defense doesn't design, build, and code their own damn computers.
Not to start a stupid political discussion, but it's probably because designing its own system does not allow the flow of public money into private hands fast enough.
Old 22nd December 2007   #17
Gear Guru
 
theblue1
 
Joined: Mar 2005
Location: Long Beach, CA
Posts: 15,095

Thread Starter
Quote:
Originally Posted by severe View Post
...[snip]...

If it's secure enough for my country.. er, umm... it's secure enough for me?
I'm glad you put so much faith in the people who brought you the Iraq War, who won and then lost Afghanistan, the folks who take such good care of our wounded returning vets and who did such fine work after Katrina...

But I do think breaking up the mono-culture of Pentagon computing makes very good sense on paper... of course, so did capturing Osama bin Laden and defeating the Taliban in Afghanistan... and we ain't done that yet, either...
Old 22nd December 2007   #18
Lives for gear
 
Joined: Mar 2006
Location: Amherst, NY
Posts: 691

Quote:
Originally Posted by theblue1 View Post
I will say one thing though -- I've never had Microsoft want to charge me full price for a security upgrade, as Apple wanted me to do with Quicktime Pro 6.5.x. In fact, though I'm no fan of the company, MS has never charged me a single cent for a security patch or security updated version of a program. I'll say that.
Don't most companies charge for major revisions/updates of apps? Think the justification for the QT upgrade charge is when they add more supported formats... not security updates and bug fixes. Quicktime technically isn't considered part of the OS... it's a separate app. It's also optional that you convert it to "Pro". Don't get me wrong, I've been burned by it too and wasn't too excited about it (especially when they don't tell you and you go to use it and get the "upgrade to pro" message crap), but I can certainly understand why they do it. They have a team of guys that needs to get paid to keep developing it. I would imagine maybe 1 in 10,000 people actually upgrades to the pro version.
---
c
chrisp2u is offline   Reply With Quote
Old 22nd December 2007   #19
Gear Guru
 
theblue1
 
Joined: Mar 2005
Location: Long Beach, CA
Posts: 15,095

Thread Starter
I have no problem paying for upgrades. When I finally did find out there was a new version (the built in updater in QTP 6.51 kept telling me I had the latest version), I figured I'd have to spend 10 or 15 dollars to update what had been a 30 dollar program. But it was full price: at the time, I think, around $32. More than I paid originally.

I don't think I've ever run into a program where an ordinal upgrade (from my 6.51 to 7) cost full price. I was taken aback. That was why I stuck with QTP 6.51. I got VLC to play new media types and I was happy enough. All I really wanted QTP for was for dealing with vids from my digicam.

But then that much earlier security advisory went out saying not to use QT 6.x and that it would not be updated; I read up on the security issue and it was a zero day exploitable flaw, so it wasn't something I was prepared to laugh off. I uninstalled QTP and switched to QT 7 free. I started using Super to convert my vid files. Not the end of the world. But annoying.

Still, I figure I'm just about done with my 30 dollars worth of bitching, now, though.


Old 22nd December 2007   #20
Gear maniac
 
RichS
 
Joined: May 2006
Location: Long Island, NY
Posts: 259

Quote:
Originally Posted by theblue1 View Post
I have no problem paying for upgrades. When I finally did find out there was a new version (the built in updater in QTP 6.51 kept telling me I had the latest version), I figured I'd have to spend 10 or 15 dollars to update what had been a 30 dollar program. But it was full price: at the time, I think, around $32. More than I paid originally.
Would you feel better having paid $60 for the original, then $30 for the upgrade?

There are several Apple programs (things like iLife, Pages, Numbers, Keynote, QT) that are extremely low priced for what you get. Maintenance and security updates are always free, the major upgrades are full price. It works the same for OSX. In the long term, I've found that it's much cheaper than how you get screwed by MS paid upgrades. BTW, upgrade to QT Pro has always been $29.99.

Peace, love, and rock 'n' roll.
__________________
-
After a time, you may find that having is not so pleasing a thing, after all, as wanting.
It is not logical, but it is often true. -- Spock
Old 23rd December 2007   #21
Head of Bumping Security (B.S)
 
jdunn
 
Joined: Feb 2004
Location: in the hills of Southern California
Posts: 2,944

I saw this thread and ran Software Update on my Mac Mini. After downloading and installing the Security Update and the Quicktime update, I hit restart. Then I got the spinning black circular lines for a while.... then a while longer. Went upstairs and took a long shower, came back and the damn thing was still spinning. Arrgghh! I held down the power button until it shut off, then started it up again and it finally restarted.

Thanks for the update Apple, but that was totally infuriating.
Old 23rd December 2007   #22
Lives for gear
 
severe
 
Joined: Feb 2005
Location: Long Beach, CA
Posts: 1,176

Quote:
Originally Posted by jdunn View Post
I saw this thread and ran Software Update on my Mac Mini...
Repair Disk Permissions.
Old 23rd December 2007   #23
Head of Bumping Security (B.S)
 
jdunn
 
Joined: Feb 2004
Location: in the hills of Southern California
Posts: 2,944

Quote:
Originally Posted by severe View Post
Repair Disk Permissions.
Yeah that was the first thing I did after it rebooted. Disk Utility lives in my Dock. Thanks for the tip though! Everything seems fine now.
Old 24th December 2007   #24
Gear Guru
 
theblue1
 
Joined: Mar 2005
Location: Long Beach, CA
Posts: 15,095

Thread Starter
Quote:
Originally Posted by RichS View Post
Would you feel better having paid $60 for the original, then $30 for the upgrade?

...[snip]
Absolutely.

Some things are more important than money. An orderly universe: priceless.




____________________

UPDATE: Here's a bit more on the mil's move to de-hegemonize the Windows hold on the Pentagon desktop: Sci-Tech Today | Army Adds Macs To Improve Security

As I noted above, I think breaking up a computing monoculture is good in principle -- but take note that not everyone talked to for the article thinks that this is any kind of panacea or even, necessarily, an improvement.
Quote:
The Army's Apple program is being led by Jonathan Broskey, a former Apple employee. He says it's not just that Macs are a less inviting target than Windows; Apple's version of Unix is inherently more secure than Windows, he says.

But some observers point out that as Macs have become more popular, Apple has had to release increasingly substantial security updates. Apple's QuickTime was recently shown to suffer from fairly serious security holes. And security company F-Secure has identified over 100 Mac-specific exploits over the last two months.

Macs 'Behind the Curve'

Broskey, however, maintains that the large number of patches shows the strength of Apple's reliance on open-source software for its operating system, but that military I.T. will have to be aggressive about deploying the updates. "The Army's no different from any corporation," he was quoted by Forbes as saying.
At least one security expert isn't all that impressed with the Mac as a battle-hardened OS. Charlie Miller of Independent Security Evaluators said Apple had to patch security flaws five times as much as Microsoft. "I love my Macs, but in terms of security, they're behind the curve, compared to Windows," Miller told Forbes.

Miller added that the Army needs a better security strategy than just adding Macs to the mix. He said attackers will just target whichever platform is weaker, which might just be the Macs that are supposedly more secure. "In the story of the three little pigs, did diversifying their defenses help? Not for the pig in the straw house."
I note that they mention XServe earlier in the article -- but they don't address what some consider a fundamental flaw inherent in the way that the upper levels of the Darwin Layer interface with the Mach microkernel architecture (that has led to seriously decreased performance vis a vis Linux in common net apps like the Apache and MySQL server softwares) as users are added.