apples expensive patch? 11/07/03


bigc73542
November 7th, 2003, 10:56 PM
http://www.internetweek.com/
Even Microsoft isn't this brazen.


Microsoft Could Never Get Away With What Apple Is Doing
While Apple says it plans to patch a security flaw in Mac OS X, the only current fix available is a $129 upgrade.
:o

Last week, on October 28, the security research firm @stake published three security advisories that affected Mac OS X 10.2.8 and below. One flaw is a serious kernel buffer overflow. Now, while @stake researcher David Goldsmith says the flaw wasn't proven to be remotely exploitable in the lab, he didn't rule out the possibility, which would make it possible for affected systems to be attacked over the Internet. The two other flaws make it possible for local or remote users, with interactive shell access, to gain root access to the vulnerable system.

For more information about the vulnerabilities see this story or visit the @stake advisory page.

During an interview with Goldsmith, who authored the advisories, he indicated that Apple had been aware of the vulnerabilities for "at least 30 days." So it's probably no coincidence that @stake timed its advisory to coincide with the release of Apple's new Panther operating system.

The recommended action to fix the flaws was, startlingly: "Upgrade to Panther (Mac OS X 10.3)."

So where's the patch? Goldsmith indicated that he didn't think Apple intended to issue a patch for a legacy operating system. Of course, the operating system had only been a legacy OS for about a day.

A quick call to Apple confirmed the company wasn't sure how it was going to handle the issue, but it became apparent a patch wasn't being developed. On Wednesday, a day after @stake's advisory, an Apple spokesperson said the company was working on a statement and that he would get back to me.

On Friday, everything became clear, sort of, with the following statement:

"Apple's policy is to quickly address significant vulnerabilities in past releases of Mac OS X wherever feasible. The shipment of Panther does not change this policy. Apple has an excellent track record of working with CERT and the open source community to proactively identify and correct potential vulnerabilities."

I still wasn't sure if a patch was forthcoming. But after a follow-up E-mail the spokesperson said the company would be issuing a patch for the security flaws in question.

So Apple is going to do the right thing. But why did the company take so long? It seems its original idea of a security patch was a $129 operating system upgrade. Can you imagine the outcry if Microsoft tried such a thing? "Oh, you want to fix that kernel buffer overflow condition. Well then, what you need is Longhorn!"

Now software vendors shouldn't have to expend their resources writing, testing, and issuing patches for their older operating systems forever, but in my opinion that timeframe shouldn't be measured in weeks or months, and certainly not days. Customers depend on their systems being secure and available now more than ever.