Welcome to the MacNN Forums.

Eug Wanker · Jun 14, 2004, 08:10 AM

These security flaws are almost a good thing for them (since no computers were actually compromised). They get to hype their unix-ness some more...

Apple Makes Its Case for Security.

According to Bereskin, Apple has issued 44 security updates since Mac OS X was introduced in March 2001, and 3 percent of those were classified critical -- a vulnerability that can be exploited remotely. The Help Viewer and Disk vulnerabilities are examples. By comparison, Microsoft issued 78 security updates in the same period, and 65 percent were critical, Bereskin noted.

"Certainly no single operating system can be completely secure from all threats, but most people we talk to, most of the security experts we work with closely, agree that because Mac OS X has a Unix BSD core, it lands up being more secure than other platforms, certainly more than Microsoft," Bereskin said.

mdc · Jun 14, 2004, 08:36 AM

at least are finally seeing the other side of the story. instead of all those "mac os x is not secure" stories.

mitchell_pgh · Jun 14, 2004, 08:45 AM

Originally posted by mdc:
at least are finally seeing the other side of the story. instead of all those "mac os x is not secure" stories.

I'm glad they plugged the holes.

It was bound to happen... now Apple can move on. If anything, this shows them that they can't ignore "small" security issues as they usually end up being big security issues.

smeger · Jun 14, 2004, 01:18 PM

I'm actually really impressed with how quickly Apple plugged the recent nasty security vulnerability. I think it took 'em roughly three weeks, which is about half the time I was estimating. I think they definitely took it seriously.

juanvaldes · Jun 14, 2004, 02:23 PM

no, they ignored the problem until they had egg on their faces and THEN scrambled to patch the vulnerability.

mitchell_pgh · Jun 14, 2004, 02:35 PM

Originally posted by juanvaldes:
no, they ignored the problem until they had egg on their faces and THEN scrambled to patch the vulnerability.

They ignored a small security issue until security people figured out a serious way to exploit it, then Apple took notice.

juanvaldes · Jun 14, 2004, 02:41 PM

they ignored a security issue until it hit the press then they took notice.

Tyler McAdams · Jun 14, 2004, 02:47 PM

I would say they are at least as good as Microsoft. Any popular software will have security holes... as does any software. That's why Microsoft is constantly giving out patches. The same thing for Apple.

diskgolfking · Jun 14, 2004, 02:48 PM

I don't see how people can say they didn't take the vulnerability seriously once it became obvious it was a *real* vulnerability. The fix they released wasn't a simple "add an if statement to check for null" kind of fix.

Some people just can't be pleased. When a change is released quickly, people complain because it undoubtedly causes crashes and other problems. When a change isn't released quickly people complain because the company was sitting on their hands.

Horsepoo!!! · Jun 14, 2004, 03:00 PM

Originally posted by Tyler McAdams:
I would say they are at least as good as Microsoft. Any popular software will have security holes... as does any software.

I'm pretty sure 'Hello World' has zero security holes.

Tyler McAdams · Jun 14, 2004, 03:16 PM

Ok... now... any complex *program* will have holes. There are no security confines in Hello World! And if there were, make sure not to use javascript!

Angus_D · Jun 14, 2004, 03:20 PM

Yeah, Apple takes security so seriously that they treat it as a marketing problem rather than an engineering problem.

jasong · Jun 14, 2004, 04:12 PM

Yeah Apple sux. They've got a 80 Ghz Mac with perfect OS sitting in their labs right now, and it only costs $0.30 to make. But they are never going to release it because they want to make money on their current crappy stuff. I'm surprised they didn't charge us $129.00 for the security fix.

-- Jason

thePurpleGiant · Jun 14, 2004, 06:01 PM

Originally posted by jasong:
Yeah Apple sux. They've got a 80 Ghz Mac with perfect OS sitting in their labs right now, and it only costs $0.30 to make. But they are never going to release it because they want to make money on their current crappy stuff. I'm surprised they didn't charge us $129.00 for the security fix.

-- Jason

Tyler McAdams · Jun 14, 2004, 06:51 PM

Originally posted by jasong:
Yeah Apple sux. They've got a 80 Ghz Mac with perfect OS sitting in their labs right now, and it only costs $0.30 to make. But they are never going to release it because they want to make money on their current crappy stuff. I'm surprised they didn't charge us $129.00 for the security fix.

-- Jason

Ah... jeah...

Gavin · Jun 16, 2004, 04:52 AM

Originally posted by Tyler McAdams:
Ok... now... any complex *program* will have holes. There are no security confines in Hello World! And if there were, make sure not to use javascript!

Actually Hello World 1.4 had a pretty nasty remote buffer overflow exploit. It's much more solid now that it's been open sourced.

Spliffdaddy · Jun 16, 2004, 08:33 AM

Originally posted by mitchell_pgh:
I'm glad they plugged the holes.

It was bound to happen... now Apple can move on. If anything, this shows them that they can't ignore "small" security issues as they usually end up being big security issues.

Did they plug *all* the holes?

For every one you find, there's a hundred more you don't.

The last one was a rather big and obvious hole...and it took 3 years to find it.

Horsepoo!!! · Jun 16, 2004, 09:10 AM

Originally posted by Spliffdaddy:

The last one was a rather big and obvious hole...and it took 3 years to find it.

If it was big and obvious why did it take 3 years to find?

Somehow you don't make sense.

dhobbit · Jun 16, 2004, 10:47 AM

Wasn't the Help View bug introduced in 10.2 or 10.3? The was a really good history of this bug, and IIRC until Apple modified the Help View to use the HTML Framework there was much of a problem.

Derek

Originally posted by Spliffdaddy:
Did they plug *all* the holes?

For every one you find, there's a hundred more you don't.

The last one was a rather big and obvious hole...and it took 3 years to find it.

Spliffdaddy · Jun 16, 2004, 11:01 AM

Originally posted by Horsepoo!!!:
If it was big and obvious why did it take 3 years to find?

Somehow you don't make sense.

My point was...

If Apple overlooked a hole of that size for years - what makes you think they didn't overlook the other holes?

Angus_D · Jun 16, 2004, 02:54 PM

Originally posted by Spliffdaddy:
If Apple overlooked a hole of that size for years - what makes you think they didn't overlook the other holes?

They have and they do. There's nothing more to it. It's things like this which are behind the decision to slow down the release cycle - less pressure for features, more time to fix bugs (including security bugs).

mitchell_pgh · Jun 16, 2004, 03:00 PM

News flash: OS X isn't 100% secure, just like Windows, Solaris, Linux, SCO, BeOS...

bradoesch · Jun 16, 2004, 05:58 PM

Originally posted by jasong:
Yeah Apple sux. They've got a 80 Ghz Mac with perfect OS sitting in their labs right now, and it only costs $0.30 to make. But they are never going to release it because they want to make money on their current crappy stuff. I'm surprised they didn't charge us $129.00 for the security fix.

-- Jason

I dare you to post this as a new topic in teh Lounge.

Lancer409 · Jun 20, 2004, 08:24 PM

always comparing osx and windows security .. shrugs ... just glad this doesnt turn into a arguement

alphasubzero949 · Jun 20, 2004, 10:50 PM

When it comes to holes...

Windows > swiss cheese

Link · Jun 20, 2004, 11:52 PM

Apple takes security as seriously I take posts in the lounge