Apple keeps critical security fixes to itself

Apple has released updates for two widely distributed products that harbored a raft of security vulnerabilities, some of which were actively being exploited by miscreants. Unbelievably, the company isn't presenting either as a security fix to mainstream users despite the risk the bugs pose for its millions of users. QuickTime …

COMMENTS

  1. Dan

    Hardly-

    The so-called "malicious code vulnerabilities" would only crash the app on a Mac. Sorry, bub, but Symantec is just another security fear-monger, nothing people need to take seriously.

    I bet your site got hits for this, though, so el Reg gets some revenue.

  2. Mectron
    Happy

    You got it

    Apple crapware is no more secure than Microsoft's. Apple is just better at hiding it.

  3. Adam Azarchs

    The title is a bit of an exaggeration

    I think there's a world of difference between "not being clear as to the importance of an update" and "keeping security fixes to itself."

    Blah blah blah Apple not being honest about the security of their systems blah blah nothing new here.

  4. Webster Phreaky
    Jobs Horns

    Apple Isn't the Only One that HIDES its Buggy Software Problems

    It's no surprise that Apple loves to HIDE its ACTUAL Security Vulnerabilities (since it's based on unfixed BSD UNIX), since Apple likes to preserve its UNDESERVED image of perfection; but also Apple's Buddy Whores in the Media like Walt Goatberg and Leo Laporte (and often The Reg) do a great job of never mentioning what those of us in IT Mgmt know and hear about from inside circles about what Apple is actually patching 5 or 6 times a MONTH!

    You might call the Apple Hack Media the same as the Clinton Dirty Tricks Squad, hiding and burying what an actually incompetent company Apple really is (and so is Hillary and Bubba), while bashing Linux and Microsoft in the same breath.

  5. Anonymous Coward
    Stop

    Not mentioned by 'Apple software update' either

    When I read the article, I fired up 'Apple Software Update' and it told me I was all up-to-date.

    Started QuickTime, no popup, quite happy with version 7.3.

    From QuickTime window, Help > Update Existing Software, "Your QuickTime software is up to date".

  6. Paul Vail

    Yawn... maybe the common Joe isn't as stupid as you IT types want

    and perhaps we common joes will download and install the patches because we've grown accustomed to finding most bug fixes are worthwhile. What an arrogant bunch you are to think the general public is too stupid to think an update might be a 'good thing'?

    After all the years of being 'trained' to suspect every patch is required in Windows, even us switchers are aware enough to consider that if a patch is offered, there might be a reason for it.

  7. Anonymous Coward
    Thumb Up

    Great story Dan

    Keep up the good work.

  8. yeah, right.

    marketing

    Looks like the marketing department is getting more and more power at Apple. It used to be that they were a little more honest. But the more the marketing folks get their toxic claws into it, the less they seem to be able to actually tell the difference between their lies and fucking over the users.

    Very unimpressed with Apple right now from that perspective.

  9. Herbys
    Thumb Down

    Stupid?

    Paul: common users are not stupid. They are practical. Every time Quicktime installs an update I have to go and manually remove automatic launch items from the registry, delete the icon in the quick launch bar and remove the item in the taskbar. So I end up NOT installing QT updates unless it is strictly necessary.

    Maybe I would change my patterns if Apple changed their patterns, but as they are I will try to avoid their products like the plague (unluckily for me, QT seems to be a necessity today, though there are some third party players that are decent replacements for QT). Oh, and installing iTunes when I just want QT is a far worse type of bundling than anything MS was even accused of, as two completely unrelated items of the same level should NEVER be bundled together.

    By the way, if all users installed all fixes as you seem to imply, why not install the fixes automatically? Installers ask because there are reasonable situations when you will want not to update. Hiding information about the updates just puts users at risk in exchange for some cheap image bonus points.

  10. Martin
    IT Angle

    Is it even necessary?

    First of all, QT is not only pointless (as a player), it is also bloat, although available freely. Updates are released occasionally, as and when required. As for running on OS X, I believe, though correct me if I'm wrong, it is included with the OS and therefore (like M$ Internet Explorer) subject to attacks from hackers because of the wide user base. Therefore, updates are 'probably' a good thing! ;)

    My advice to people using QT on Windows is download the QuickTime Alternative (also free but 5-16MB lighter) as it does not create all the registry keys, startup items and system tray tasks the "official version" does. Admittedly it is a third party hack. It is open source though, I believe (although I won't eat my hat), and if so is open to public scrutiny and/or reprogramming.

    Comments welcome, criticism more so.

    -------

    Hey if I'm wrong, tell me, if I'm not however, well, just bask in my sunlight :)

  11. Susan Ottwell

    QuickTime Update

    Makes it pretty clear to me:

    QuickTime 7.3.1 addresses security issues.

    This update is recommended for all QuickTime 7 users.

  12. William Thackrey

    This article is absolute bunk

    This article is nonsense. Apple published this article - http://docs.info.apple.com/article.html?artnum=307176 - the day the QuickTime 7.3.1 patch was released. There's a link on the Mac update dialog to a summary page which contains a link to this and other relevant web pages. Apple's policy is to not release details about security exploits prior to the release of a fix. While you may not agree with this policy, there's plenty of argument for it. So to suggest that "Apple keeps critical fixes to itself" is just plain wrong.

  13. Bemi Faison
    Thumb Down

    Information Abyss

    With the advent of OS X, Mac users were thrust into a brave new world. Most, including myself, were unfamiliar with the inner workings of UNIX. Although not out of treachery, I do suspect Apple ("Computer", then) did use its marketing muscle to wash over the arguably rare vulnerabilities of its OS underpinnings.

    What I've learned and trust, is that OS X is rock-solid against external exploits. What I don't know is what an exploit can achieve once breached. I think we could use some clarity on this.

    Sure, "it'll just crash the app", at worst the system, and I'm actually none too concerned of that happening. But, no one (especially the Mac fanatics) ever talks about a payload: a script that gains admin or root access. I mean, it was done during that silly "break my Mac mini" challenge... And what about a payload which simply deletes the user's home folder?

    Look, no Reg'r has their head in the sand about security. We all know "it's" possible, regarding OS X, but I think knowing the "what" that is possible would save a lot of debating. So, who understands the reach of an OS X exploit? I'd love for El Reg (readers or writers) to share their knowledge, instead of defending it.

  14. Syd
    Jobs Halo

    Now On Software Update (OSX)

    I am downloading from software update as we speak.

  15. Chad H.
    Jobs Halo

    update

    So because apple didn't send you all a press release saying they were going to update their os and qt, apple are bad at security??? Oh the arrogance of those apple boys...

    And no doubt in a few months one of your intrepid reporters will write another whinge article about not being let into some apple event...

  16. Paul
    Heart

    Description in Software Update on a Mac

    QuickTime 7.3.1 addresses security issues.

    This update is recommended for all QuickTime 7 users.

    For detailed information on this update, please visit this website: http://docs.info.apple.com/article.html?artnum=61798

    --

    So, either the bug doesn't affect the PC version (possible), or they just slipped up on the description.

    Not sure why you think Apple would suddenly start actively hiding bugs now? Software Update has always been pretty descriptive when it comes to why an update is happening, normally with a link to relevant KB articles.

    Having said all that, why Apple seem incapable of securing QT is beyond me. After all this time I would expect it to be secure. TBH, I don't really get why a sodding media player can be such a continuing security risk.

    Paul

  17. Grant Mitchell
    Jobs Horns

    And while you're in a fixing mood...

    Dear Apple,

    While you are fixing things, please fix the following 2 little issues:

    1. Firmware for Airport Extreme Base Station. For 4 months now, the airdisk (an _advertised_ functionality) fails if any computer connected to it goes to sleep (so not as useful for my laptop as I thought....).

    2. For over 1 month now (since Leopard) Intel MacBook Pro keyboard bug. After about 2 or 3 days your keyboard will (frequently, ie, about every 5 minutes) stop working. Holding down a key (space bar is nice and big for this) for 30 seconds will get it working again... I mean... this is hardware from your current line, and well, keyboards are a pretty common peripheral, so why did this get released?

    Apple don't even seem to admit these bugs, and speaking to their "Geniuses" seems to be about as useful as a chocolate teapot (the answer to every problem is not "Re-install it". I'd rather know why, and fix the root cause!).

    Anyway enough ranting. I did install the update on my Mac, and it did say it was a security update, so I don't really see what this particular article was talking about...

    -

    Grant

  18. DZ-Jay

    Nothing to see here..

    I fired up System Update and I get the following (as others have also pointed out):

    -------

    QuickTime 7.3.1 addresses security issues.

    This update is recommended for all QuickTime 7 users.

    For detailed information on this update, please visit this website: http://www.info.apple.com/kbnum/n61798.

    -------

    Note the "addresses security issues" notice. I'm guessing that means that the application contains security vulnerabilities that are patched by this update. I'm also inclined to think that stating "this update is recommended" suggests that they are pretty important vulnerabilities.

    Perhaps you were expecting something like this:

    -------

    QuickTime 7.3.1

    <H1><FONT COLOR="red"><BLINK>WARNING!!!!!!!</BLINK></FONT></H1>

    <FONT SIZE="24" COLOR="red"><B>addresses security issues!!!!!!!!!!!!!111one</B></FONT>

    <B>This update is <U>HIGHLY</U> recommended for all QuickTime 7 users!!!!!!!!!!!11</B>

    -------

    Exclamation points tend to do the trick, right?

    -dZ.

  19. Anonymous Coward
    Gates Halo

    @Webster Phreaky

    Webster Phreaky wrote:

    ... those of us in IT Mgmt know and hear about from inside circles about what Apple is actually patching 5 or 6 times a MONTH!

    ---

    Yes, Apple has a secret update mechanism that takes no network bandwidth, hard drive space, or CPU cycles, and is constantly patching your system.

    Even worse though is Microsoft! All of us in IT Mgmt know that Microsoft employees sneak into your house at night and drink your beer and whiskey. We all KNOW this to be true from what we hear from inside circles!

  20. David Simpson

    Wrong!

    First your article is factually wrong as others have pointed out.

    Second, why are you sharing Symantec scare stories? I thought this was a web site for tech heads, and any tech head worth their salt knows Norton is a waste of time, money and system resources.

    Why do Apple even still have QT ? Just roll it into iTunes it really is the most pointless media player ever.

  21. Leo Davidson
    Unhappy

    Changelogs, who needs em?

    The last three firmware updates for the iPod Classic have had change logs which consisted of just one line:

    * Bug Fixes

    See for yourself:

    http://www.pretentiousname.com/temp/bug_fixes.png

    Okay, it's not likely to be a security issue but it would be nice to know what is going to be different when you install an upgrade and to not have to work out for ourselves what has been fixed, what is still broken, and which features have been added, removed or changed. (Despite just saying "bug fixes" these firmware updates have included feature changes.)

    Not that it is just Apple. The last Firefox security update had a completely blank change log, at least at the time it was released.

    Going back to QuickTime, I am sick of how many security bugs it seems to have. Combined with the fact that Apple have tied QuickTime and iTunes together (just try installing QT without iTunes and you'll be constantly nagged by the updater that a new version of iTunes is out!), and the fact that every time Apple add a major feature to any of their portable devices -- whether you own the device or not -- you are prompted to download a new 50meg iTunes/QuickTime installer, it's all a bit much. The installer also makes you reboot which seems odd as I'm not aware of QT/IT tying into anything that cannot be shutdown and restarted independently.

  22. Charlie Dyson
    Stop

    released *on* Thursday

    So sad to see a language so abused.

  23. Pooper Scooper

    @David Simpson

    Because some of us find QT an unfortunate necessity for online media, but don't want the turd iTunes on our hard drives, which is most definitely *not* a necessity for any type of online media.

  24. Pooper Scooper

    @Paul

    "Having said all that, why Apple seem incapable of securing QT is beyond me."

    It's really easy...their coders are crap. All the stable stuff -- most of their OS, that is -- they got from much better coders at various other projects (FreeBSD, Apache, Postfix, KDE, etc etc).

    All of their in-house products have proven to be messes of insecure crap, because their in-house coders are crap.

  25. Dennis
    Happy

    @Bemi Faison

    That was an insightful comment, one that I totally agree with. Given the quality of the content of both the article and most of the comments, maybe you should start writing for El Reg! Congrats.

  26. Dan Goodin (Written by Reg staff)

    Incorrect?

    Many thanks to all the readers who are weighing in. I've just updated the story to respond to comments that there are inaccuracies.

  27. Steve VanSlyck
    Unhappy

    El Reg?? Anybody Home?? Anybody??

    So where's the link to the Java update?

  28. Anonymous Coward
    Anonymous Coward

    They make it so easy for us

    The only reason I have QT installed is because iTunes put it there. So, from iTunes help | Check for Updates it says it is up-to-date.

    Apple software updater, no updates.

    QT help | Check for updates, need to update to version 7.3.1.

    Apple could have made it a little easier for us to update to the latest version.

  29. J
    Joke

    Or...

    "What an arrogant bunch you are to think the general public is too stupid to think an update might be a 'good thing'?"

    Or they got burned before (installing WGA) and now view all updates with suspicion...

  30. Fred Stella
    Stop

    Sheesh, at least admit that you're wrong

    It links to the info, and not only explains the security fixes, but also gives credit to the people who discovered or reported the bugs. Furthermore, your claim that Apple doesn't divulge that the problem affects Windows is patently false. It's a few pages of info, which wouldn't fit in the software update window. For the people who care, click the link - how is that such an onerous task? For the people who don't care, well, they'll install every update like sheep anyway.

    Here's the text of the quicktime update article. Apparently following the link was too hard for El Reg, so I did the job for you.

    QuickTime 7.3.1

    QuickTime

    CVE-ID: CVE-2007-6166

    Available for: Mac OS X v10.3.9, Mac OS X v10.4.9 or later, Mac OS X v10.5 or later, Windows Vista, XP SP2

    Impact: Viewing a maliciously crafted RTSP movie may lead to an unexpected application termination or arbitrary code execution

    Description: A buffer overflow exists in QuickTime's handling of Real Time Streaming Protocol (RTSP) headers. By enticing a user to view a maliciously crafted RTSP movie, an attacker may cause an unexpected application termination or arbitrary code execution. This update addresses the issue by ensuring that the destination buffer is sized to contain the data.

    QuickTime

    CVE-ID: CVE-2007-4706

    Available for: Mac OS X v10.3.9, Mac OS X v10.4.9 or later, Mac OS X v10.5 or later, Windows Vista, XP SP2

    Impact: Viewing a maliciously crafted QTL file may lead to an unexpected application termination or arbitrary code execution

    Description: A heap buffer overflow exists in QuickTime's handling of QTL files. By enticing a user to view a maliciously crafted QTL file, an attacker may cause an unexpected application termination or arbitrary code execution. This update addresses the issue through improved bounds checking.

    QuickTime

    CVE-ID: CVE-2007-4707

    Available for: Mac OS X v10.3.9, Mac OS X v10.4.9 or later, Mac OS X v10.5 or later, Windows Vista, XP SP2

    Impact: Multiple vulnerabilities in QuickTime's Flash media handler

    Description: Multiple vulnerabilities exist in QuickTime's Flash media handler, the most serious of which may lead to arbitrary code execution. With this update, the Flash media handler in QuickTime is disabled except for a limited number of existing QuickTime movies that are known to be safe. Credit to Tom Ferris of Adobe Secure Software Engineering Team (ASSET), Mike Price of McAfee Avert Labs, and security researchers Lionel d'Hauenens & Brian Mariani of Syseclabs for reporting this issue.

  31. James
    Jobs Halo

    Now everything makes sense!!!!

    A few days ago my apple software updater popped up out of the blue and was most helpful in suggesting there were updates I might want to avail myself of. It would seem that I can get a shiny new version of quick time which comes with a wonderful piece of iPhone interface software called 'iBollocks'.

    The thing that really surprised me about all of this was the fact that when I went hunting for the PFO checkbox to make sure I was never bothered again it was already ticked!!! ?

    <rant on>

    Either Apple really really really want me to buy an iPhone and start using iTunes or they do regard this as an important update. So much so that they disregarded any settings in their own software that approximate to "do not ever ever ever check to see if Apple have any newer crap to install on my box, I'd rather die than have more of your malware".

    <rant off>

  32. Robert
    Thumb Down

    Buried for inaccurate.

    Oh wait, this isn't Digg. With all the asinine reporting here lately, you could've fooled me.

    Look, el Reg, just give up your complete overblown exaggeration of every minor Apple flaw. They aren't perfect, and they're fixing bugs. What are you really complaining about. Shit, you guys are a bunch of Fox News wannabees.

    My update says it addresses security issues. so, wtf?

  33. Kanhef

    @ James

    Tried System Preferences > Software Update > disable "Check for updates (daily | weekly | monthly ) yet ?

  34. Bemi Faison
    Stop

    A poor thesis on a non-issue

    Dan Goodin (the author) has arguable misgivings about how Apple communicates security concerns to its customers (Mac, PC, enterprise, and otherwise). Fair enough, since Apple doesn't communicate security concerns at all. Apple does, however, communicate security improvements, as many comments here exclaim.

    The hullabaloo is over Goodin's poor thesis on, what is - in the larger context of security - a non-issue: What and when to tell the customer. Notification is a part of the security ecosystem, but the larger context is: How to keep the technology secure. Unfortunately Goodin loses focus of his own complaint, recklessly confuses non-notification of security as non-security, and concludes with the tired charge that Apple is bad at it. Furthermore, Goodin maintains a bias that security is one known thing which should be done one known way.

    Poor research and composition are one thing, but an incurious journalist (from El Reg, no less) is unforgivable.

    Just what is the ruler by which Goodin measured Apple's wayward security? The renowned Windows industry, of course! Goodin practically describes the daily operation of Windows security purveyors (like Microsoft and Symantec): tell everyone about the problem. Though a useful and lucrative practice in its own right, to this date (susceptibility aside) that industry has a higher degree of known exploits. Therefore, the fact that Goodin elects this policy as best practice is ludicrous and wildly disingenuous.

    Neither did Goodin contrast the security notification policies of Apple, Microsoft, and Linux communities, or how they have evolved as such. Not once was a user profile mentioned - the notification needs of enterprises against end-users, third-party vendors against small-businesses, etc. Apparently, it's all the same to Goodin...

    Considering other articles by Goodin, I can't imagine how this sub-par subjective rant made it to El Reg. Notwithstanding his lengthy low-brow retort to earlier comments (see the "bootnote"), this journalistic fiasco resembles a slashdot forum. The bickering of facts alone is evidence of unbalanced analysis and under-whelming research.

    I do hope El Reg will review their editorial policies, to protect readers from future blog-entries-disguised-as-articles. [Anyone's welcome to rephrase that and invent a snappy acronym for said pandemic.]

  35. Anonymous Coward
    Anonymous Coward

    Unwanted Software and Processes

    No matter what you check or uncheck when updating QuickTime for Windows, you are left with QTTASK.EXE in your startup folder, which must be deleted, and you end up with an installation of Apple Software Updater in your programs. If you uninstall Apple Software Updater with their included uninstaller you are left with 96 lines of registry entries to clean out, either manually or with a good registry utility.

  36. Rui Ribeiro
    Jobs Halo

    Apple not as good in updates

    As much as I like Apple, Apple got some serious Q&A problems or shall I say, the syndrome of hiding under the rug bugs that involve interaction with 3rd party software or hardware.

    The wireless bug in Intel after Tiger 10.3 never quite got so solved, and I only had a notebook that I could take anywhere and have wireless Internet after Leopard.

    In Leopard, after 3 quicktimes updates, subtitles in Frontrow + Perian are not working yet, whilst the Perian team has been saying Apple is notified of a bug in Quicktime.

  37. Mark Broadhurst
    Jobs Horns

    An Exercise in fanboy baiting?

    Look at them all get riled up: suggesting that Apple could possibly be "insecure"? Surely it must be a typo, so why mention it in a security update (which is probably unnecessary?)

  38. Anonymous Coward
    Jobs Halo

    Lies

    This article is a complete lie written by a paid microsoft lackey.

    Everyone knows Apple is super special awesome and does not have security vulnerabilities, problems or viruses.

    Go to hell you Apple haters

  39. Anonymous Coward
    Gates Halo

    OMG LOOK THERE IS AN APPLE FLAW!

    omg omg... you Apple people, see, your computer sucks too.

    You gave us sh't for over a decade about Windows, well now Windows rules, and OSX sucks. It's so flawed.

    Microsoft would never allow such security flaws to exist, just look at its record. They have been perfect.

    I'd say anyone who thinks Apple can't have faults is a communist and a democrats sympathizer. Long live microsoft!

  40. Atari Forever
    Flame

    Mac bashers shoot themselves in foot

    As I'm very pleased by the information provided on El Reg on all sorts of stuff,

    I'm getting irritated at the increasing lemming-like behaviour of Mac bashing.

    Having started many years ago with Atari ST, which still work, thank you.

    I'm impressed with the way MS is listening to their customers. Happy XP user.

    The Apple firm isn't that open, but having joined the club this summer with a MacBook running Tiger I think the hardware is the best there is.

    Please do not disinform your readers with BS.

    APPLE does not keep the updates for itself !!!!!!

    Any update request is answered up to now. Even on Tiger.

    I will migrate to Leopard second half next year.

    Keep up the good work and don't drink too much

  41. Anonymous Coward
    Stop

    Hmmm ....

    My QT player detected it needed an update, but then crashed with a buffer overflow error before I could hit the button to tell it to update.

    Apple Software Update tool said I was all good and happy.

    Ended up just downloading the installer for 7.3.1 directly.

  42. James Butler

    @Bemi Faison

    You seem to be very good at ferreting out Mac support docs, and yet you still have questions about one of the most dangerous and prolific types of computer exploits. Spoon-feeding is no way to educate yourself ... you need to get more information about the issue, and not just sit there defending what little Apple has done to protect you.

    As Mr. Goodin complains, the notification that the patch is available should STRESS that it is CRITICAL to install the update, which it does not do, even in the depths of its documentation, as reported by others in this thread. The screenshots of the notification alerts CLEARLY suggest that the patch is NOT critical, and can easily be postponed at the whim of the user, increasing the likelihood that such patches will be belatedly installed, if at all.

    Apple is reporting the very most basic info about the bugs their security patches are intended to fix, namely that buffer overflow conditions cause the application to crash. What they don't tell you is that when the application is crashing, your computer may be in the process of opening the gates wide for the barbarian hordes. Here's a basic description of a buffer overflow, for your edification:

    "A buffer overflow is an anomalous condition where a process attempts to store data beyond the boundaries of a fixed-length buffer. The result is that the extra data overwrites adjacent memory locations. The overwritten data may include other buffers, variables and program flow data and may cause a process to crash or produce incorrect results. They can be triggered by inputs specifically designed to execute malicious code or to make the program operate in an unintended way. As such, buffer overflows cause many software vulnerabilities and form the basis of many exploits. Sufficient bounds checking by either the programmer, the compiler or the runtime can prevent buffer overflows."

    And yet, Apple did not include "sufficient bounds checking" until, perhaps, these recent updates. (Agreeing with the sloppy programmer comment, above. This should be very old news, for them.)

    See the illuminating yet hardly exhaustive article at Wikipedia (http://en.wikipedia.org/wiki/Buffer_overflow) for more low-level info on buffer overflows. There are many excellent articles and even entire books on this subject, and it is addressed in depth in any hacker guide for dummies. (I recommend the not-for-dummies "Stealing the Network" series of books ... by hackers, for IT security-types.)

    And don't EVEN get me started on stack overflows!
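The advisory text Fred Stella pasted in above (an RTSP header copied into an undersized buffer, fixed by "ensuring that the destination buffer is sized to contain the data", and a QTL heap overflow fixed "through improved bounds checking") and James Butler's description of what a buffer overflow is describe the same bug class. The following is an added example written for this page, not QuickTime code and not taken from Apple's advisory; Apple has not published which header or what buffer size was involved, so the `Content-Type` header, the 64-byte `VALUE_CAP`, the CRLF header block and the canary model are assumptions for illustration. It shows the unchecked copy next to the two fixes the advisory names, with a canary standing in for the adjacent memory that an attacker-sized copy overwrites:

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define VALUE_CAP 64              /* assumed size of the fixed destination buffer */
#define SLOT_SIZE (VALUE_CAP * 2) /* buffer plus the "adjacent memory" behind it  */
#define CANARY    "GRD!"          /* stands in for whatever really sits behind it */

/* Constructed model of the parse target: one allocation holding the value buffer and,
 * right behind it, data the parser must never touch. Keeping both in one object lets
 * the overflow be observed without undefined behaviour. */
struct value_slot { char mem[SLOT_SIZE]; };

static void slot_init(struct value_slot *s) {
    memset(s->mem, 0, SLOT_SIZE);
    memcpy(s->mem + VALUE_CAP, CANARY, sizeof CANARY);
}
static int slot_canary_intact(const struct value_slot *s) {
    return memcmp(s->mem + VALUE_CAP, CANARY, sizeof CANARY) == 0;
}

/* Locate `name` in a CRLF-separated "Name: value" header block (exact case) and
 * return a pointer to the value plus its length, or NULL if absent. */
static const char *find_header(const char *hdrs, const char *name, size_t *len) {
    size_t nlen = strlen(name);
    const char *p = hdrs;
    while (*p) {
        const char *eol = strstr(p, "\r\n");
        size_t linelen = eol ? (size_t)(eol - p) : strlen(p);
        if (linelen > nlen && strncmp(p, name, nlen) == 0 && p[nlen] == ':') {
            const char *v = p + nlen + 1;
            while (v < p + linelen && *v == ' ') v++;
            *len = (size_t)(p + linelen - v);
            return v;
        }
        if (!eol) break;
        p = eol + 2;
    }
    return NULL;
}

/* BEFORE: the copy length comes from the attacker-controlled header, not from the
 * buffer. Everything past VALUE_CAP lands in the adjacent memory. */
static int copy_value_unsafe(struct value_slot *s, const char *hdrs, const char *name) {
    size_t len;
    const char *v = find_header(hdrs, name, &len);
    if (!v) return -1;
    memcpy(s->mem, v, len);          /* no comparison against VALUE_CAP */
    s->mem[len] = '\0';
    return (int)len;
}

/* AFTER, fix 1 (bounds check): reject a value that does not fit with its terminator. */
static int copy_value_checked(struct value_slot *s, const char *hdrs, const char *name) {
    size_t len;
    const char *v = find_header(hdrs, name, &len);
    if (!v) return -1;
    if (len >= VALUE_CAP) return -2; /* oversized: drop the message, copy nothing */
    memcpy(s->mem, v, len);
    s->mem[len] = '\0';
    return (int)len;
}

/* AFTER, fix 2 (size the destination to the data): allocate len + 1 bytes. Caller frees. */
static char *dup_value_sized(const char *hdrs, const char *name) {
    size_t len;
    const char *v = find_header(hdrs, name, &len);
    if (!v) return NULL;
    char *out = malloc(len + 1);
    if (!out) return NULL;
    memcpy(out, v, len);
    out[len] = '\0';
    return out;
}

/* Constructed RTSP reply whose Content-Type value is `vlen` bytes of 'A'. */
static int build_response(char *buf, size_t cap, size_t vlen) {
    const char *head = "RTSP/1.0 200 OK\r\nCSeq: 1\r\nContent-Type: ";
    const char *tail = "\r\nContent-Length: 0\r\n\r\n";
    if (strlen(head) + vlen + strlen(tail) + 1 > cap) return -1;
    char *p = buf;
    memcpy(p, head, strlen(head)); p += strlen(head);
    memset(p, 'A', vlen);          p += vlen;
    memcpy(p, tail, strlen(tail) + 1);
    return 0;
}

/* 1 if the unsafe parser overwrote the canary, 0 if not, -1 on setup error.
 * vlen is kept below SLOT_SIZE so the model stays inside its own allocation. */
static int unsafe_smashes_canary(size_t vlen) {
    char resp[256]; struct value_slot slot;
    if (vlen >= SLOT_SIZE || build_response(resp, sizeof resp, vlen) != 0) return -1;
    slot_init(&slot);
    if (copy_value_unsafe(&slot, resp, "Content-Type") < 0) return -1;
    return slot_canary_intact(&slot) ? 0 : 1;
}
/* Return code of the checked parser; -99 if it somehow touched the canary. */
static int checked_copy_result(size_t vlen) {
    char resp[256]; struct value_slot slot;
    if (build_response(resp, sizeof resp, vlen) != 0) return -1;
    slot_init(&slot);
    int rc = copy_value_checked(&slot, resp, "Content-Type");
    return slot_canary_intact(&slot) ? rc : -99;
}
/* Length recovered by the sized-allocation parser, -1 on failure. */
static int sized_copy_len(size_t vlen) {
    char resp[256];
    if (build_response(resp, sizeof resp, vlen) != 0) return -1;
    char *v = dup_value_sized(resp, "Content-Type");
    if (!v) return -1;
    int n = (int)strlen(v); free(v);
    return n;
}

int main(void) {
    printf("unsafe copy, 100-byte value:  canary %s\n", unsafe_smashes_canary(100) ? "overwritten" : "intact");
    printf("checked copy, 100-byte value: rc=%d (rejected)\n", checked_copy_result(100));
    printf("sized copy, 100-byte value:   len=%d\n", sized_copy_len(100));
    return 0;
}
```

The canary only makes the damage visible; in a real player the bytes behind the buffer are other variables, heap metadata or a saved return address, which is why the advisory lists "arbitrary code execution" rather than just a crash. Fix 1 is the right shape when the protocol bounds the field anyway and an oversized message can simply be refused; fix 2 is the right shape when the value length is legitimately open-ended, and the attacker then controls only how much memory is allocated, not what it overwrites.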

  43. Anonymous Coward
    Thumb Down

    Mac-bashing

    I have to agree that this is pointless Mac bashing. Why would someone ever choose NOT to update? Well, limited uptime, i.e. they know they will restart in a minute or so. On dialup and already downloading something. Both pretty rare situations. I think it's stupid that people think Apple should be more IN YOUR FACE about updates. You either download them or don't. I don't see how adding "Security Vulnerability" would change anyone's mind.

    To Bemi: Well put.

    This is a continuing trend I see on this site and I stopped reading it for a long time after their stupid iPhone bashing article.

  44. James Wilkinson
    Unhappy

    Apple having a bad day...

    The .Mac services for Apple Mac users are down - and have been for a while now.. oops.

    http://www.mac.com/WebObjects/Welcome

  45. James Butler
    Stop

    IN YOUR FACE

    Because, Mr. Davis, the biggest problems we face on the Internet today have to do with (a) spam/phishing/garbage emails and (b) identity theft.

    The Average Joes mentioned by Mr. Goodin in his article, none of whom are reading these notes or even are aware of the nature of the network in which they play, let their computers get taken over by exploits JUST SUCH AS THESE. Exploits that appear to be benign (in this particular case, through lack of any indication of the potential severity of the bug) yet which allow the most inexperienced script kiddy to add that Joe's computer to the zombie nation.

    Then THOSE computers are used to (a) reach out and take over other systems, (b) send any personal data found on the now-hostage system to its botmaster and (c) start spewing a flood of crap that binds up the unsuspecting Joe's computer and the network at large.

    This is a VERY SERIOUS (note the caps ... that means "serious") issue. Average Joes DO NOT know what the hell they are doing. Apple and Microsoft et al. are the CREATORS of these problems by their obscene refusal to do what is best for the common good, therefore it is incumbent on the crappy programmers at Apple, Microsoft et al. to do their part by HELPing the average Joes to keep their systems secure so the rest of us ("above average Joes") don't have to pay the price for their incompetence.

    As Mr. Goodin complained (again), the pitiful "please install this, or not" notices available to anyone who believes that the alerts tell them what they need to know (Average Joes) were simply not alarming enough for this issue. They SHOULD have said something like "This is an EMERGENCY, CRITICAL download that you MUST install IMMEDIATELY in order to minimize the chances that your computer will be taken over by criminals, causing you to spend money getting your issue fixed, and potentially causing serious issues with your Internet community. DO NOT WAIT! Download and install this patch RIGHT NOW!" They could even restrict any other activity with the affected applications until the patch was applied, as demonstrated by their response to the QuickTime Flash player issue noted above.

    It doesn't matter if it's Apple or Microsoft ... neither does a good job of informing its most-vulnerable users. And if Apple can't do any better than their ex-rival, now-partner, then they deserve to go straight down the road to Hell that has been so neatly paved by their compatriots at Microsoft.

  46. Anonymous Coward
    Linux

    @James Butler

    [Excised by Reg moderator]

    Here's a bit of a news flash, buffer overflows et al have been around for a long time, if you had a few months to spare you may just be able to document the thousands of examples in operating system software this has happened to (covering all platforms) and all the third party applications (server / client) which have allowed this to occur as well.

    Buffer overflows can be dangerous, but to just cite it shows a lack of understanding on the subject itself. Aspects like the design of the Operating System, the applications design, and whether the application sits in its own virtual environment or not are all examples of aspects which play a part here.

    Your gratuitous description of the kind of so-called havoc which could reign from this flaw has yet to gather any significant real world impact, so is as hypothetical as finding WMD in Iraq.

    Not that these kinds of flaws should not be addressed; they should, because they do present a possibility of some level of security risk, and should be addressed with as much urgency as possible, but also preferably without the acts of drama queens such as yourself. I just can't see any benefits from it.

    Also, I'd love to see you actually try and explain stack overflows in a method which does not simply involve you doing a bit of C&P work from your Wikipedia files. Maybe we can get a head to head between you and some Turkish hackers, and see who actually knows what they're talking about when it comes to security. I'm sure it would be good for a laugh.

  47. James Butler

    @AC

    Buffer overflows affect the application layer, not the OS core layer. That is why (need I tell you?) Apple issued patches for both OSX and Windows. It is on the programmers of the applications to handle these types of flaws. As you point out, writing proper handlers should be part of Programming 101, by now.

    As far as going head to head with a Turkish hacker (is there any other kind?) ... been there, done that. Just trying to keep it simple for those here who do not have a clue, as, obviously, many do not. I could write my own opus on this well-known application programming issue, but the Wikipedia article seemed to cover some good, basic ground ... again, for those of us who have not taken the time to wrap their heads around this serious and obvious security issue.

    See my above post and the vast body of information on the rising tide of home users whose systems are fast becoming part of the zombie nation to determine whether this is a vapid claim.

  48. Bemi Faison

    @James Butler - The bandwagon floweth over

    Thank you, James, in part for describing a buffer overflow. As a Mac user, I was also concerned about what is possible when this happens on a *nix machine. (I have yet to come across an answer to that question.) However, that was my first comment and it spawned from the hubbub over which OS is best, secure, etc, etc...

    All that has nothing to do with this abysmal article.

    My second comment pointedly nailed Goodin's attempt to frame Apple as lax on security, due to infrequent vulnerability notifications and relatively shallow update information. You didn't confuse the two, but you too believe Apple (when applicable) "should STRESS that it [an update] is CRITICAL". Like Goodin, a difference in computing culture gives your opinion.

    Apple has never alarmed its users about updating software - at least not in the ways you have come to expect and advocate. With Apple, an update is an update... Someone invented "critical" updates (probably along with "urgent" emails), but its ubiquity today is not evidence of a superior notification policy. Developers choose how and when to communicate what (regarding security), based on their understanding of and commitment to their users.

    But I digress. Culture aside, both you and Goodin encourage a notification process which is part of a largely failed security policy amongst the Windows industry: tell, tell and tell all (with added meta-data, like "critical" and "optional"). In this age, the practice seems a veritable appendix yearning for removal.

    I do understand the call for Apple to incorporate some guidance for users updating their products - in this case, when the fix arrives long after the vulnerability was discovered. Put straight: Apple earns poor marks for a slow response to a vulnerability, not because they neglected to label the fix "critical".

    To directly counter your call for Apple to label/prioritize its updates, consider the impact of similar human-engineering tricks elsewhere (US examples follow): cigarette warnings, national terror alert levels/colour... Need I go on? People will do what they want, no matter the urging, fear-mongering or manipulation (which usually results opposite the desired outcome). So, from this user's perspective, let an update be an update.

  49. James
    Paris Hilton

    @ Kanhef

    Kanhef, did you miss the bit where I said I had ALREADY ticked the relevant box??? Apple just decided to ignore it as they want to give me a free copy of iTunes.

  50. James Butler
    Go

    My Last Comment On This

    Thank you, Mr. Faison (I do apologize if it's the wrong salutation.)

    I understand your point of view.

    I was just this past weekend discussing with my wife the amusing and perilous new 'security' features of Windows Vista, in particular the UAC, that substitute reasonably secure programming for a bunch of pop-up windows prompting the user to 'ok' various procedures.

    I believe our consensus was that the burden of providing security for any individual machine is being transferred to the user (i.e. "Hey, man, you said it was okay to install that spyware.") rather than being taken on by the providers of the software that makes the machine go. The software makers claim that they want people to use the computer as an appliance (what operating system does YOUR phone use?), but they are unwilling to accept responsibility for the yawning gap between what they sell and what the buyer must then commit to do in order to maintain that illusion of reliability.

    Ah well. I guess that's what constitutes 'freedom' in today's computing environment. Let updates be updates, and let the Average Joe take some kind of online security class, if they give a darn about their role in the larger community. If they do not, we have only them to blame ... for clicking on one too many pop-up windows. Or not, as may be the case with these and probably many other security updates.

    And I don't want to start a flame war, but it is the knowledge of what one is committing to as a computer user that often makes the Linux system more reliable than the other two big guys ... those who take the time to learn how to use a Linux system know that they need to continue to work on their systems to keep them clean and efficient, whereas Apple and Microsoft users tend to believe that their software overlords will keep the Huns from their gates, and inevitably pay the price for that belief. I use all 3 operating systems in various circumstances, and they all have certain benefits of use. And all 3 need user attention and education in order to perform at their best.

  51. Anonymous Coward
    Anonymous Coward

    something seems to have been missed by a few people

    Sheesh, there may well be an element of Mac bashing going on, but what's new? Fact is it should be treated no differently to all the M$ bashing that goes on daily. So why do people react so differently?

    For one, Mac users seem to take everything far too {seriously/personally} [delete as appropriate]. How many times have I read the old chestnut "This article is a complete lie written by a paid Microsoft lackey"? Answer: almost as often as I've read articles that dare to highlight an issue with Apple software.

    Another thing that is often ignored is the fact that when M$ bashing starts up all the M$ users join in. Why? Because crap software needs ridicule and lots of it. This is certainly not the behaviour of someone whose sole purpose in life is to Mac bash?

    Note : It's incredibly rare for comments like "This article is a complete lie written by a paid Apple lackey" to surface.

    The cardinal sin here is simply that Apple evangelises itself as a company that writes software that is hack/virus resistant, albeit an accident of statistics and popularity. Still, they go out of their way to promote their brilliant security by comparing themselves against M$ products. This is bound to invite the inevitable crusade to disprove such twaddle (that Apple is "any better" at security). So it's not so much Mac bashing as a bunch of people laughing their arse off when it all, inevitably, goes tits up.

    Finally, and by no means least, Apple seems to take great pride in bringing consumer unfriendliness to new heights. Little wonder so many people take great pleasure in knowing their life is better for not buying the latest and greatest Apple must-have item.

    End of the day, most software sucks. It's not [choose your preferred OS] bashing to say something negative about [choose your preferred OS]. It certainly doesn't help matters if you cry "[choose your preferred OS] bashing scum" and accuse everyone else of being [choose your least favourite OS] lovers. This just escalates hostilities.

    For what it's worth, that's my view.

  52. Snot Nice
    Coat

    Eeeek!

    My Apple is rotten to the core :(

    Runs to get coat, mittens and Biggles cap with flaps down....

    Before I dash, @James Butler: ours is a thankless task.

  53. Anonymous Coward
    Anonymous Coward

    Quicktime

    I just noticed on Apple's website that iTunes is no longer an obligatory download to install Quicktime, and now users have the option of just a QT exe or QT+iTunes. Happy to see that.

  54. Shakje

    The reason Apple gets a bashing

    Is because anyone making themselves out to be perfect gets it the worst. It's exactly the same reason that the Tories get hammered over sleaze.

    A buffer overrun is potentially bad, but not terrible, however this should still be marked as a critical fix. Apple should tell their users when there is a flaw in their software that can result in remote execution of code on their machine (even just theoretically).

    @James Butler

    Your comments on UAC and the user's responsibility are naive, completely. An operating system is there to run applications. There are plenty of legitimate programs that do need access to the internet and don't send across bogus details, games trap the keyboard and mouse, but don't log your passwords, applications constantly have popups telling you useful information without trying to sell you stuff.

    These are all functions that have to be performed constantly for different reasons, and aren't security flaws. Yes, there are plenty of security flaws in Windows, but get it right. If the user chooses to install a piece of software that uses the OS to do something malicious, how does the OS know the difference? It just does what it's told. The only way to prevent against these things is by either scanning for known software and treating them like viruses, or preventing the user from installing them in the first place, or notifying them of the danger. Vista not only comes with Windows Defender, but UAC and the Windows Firewall as a sort of last defense "do you really want to do this". Yes, there are Windows flaws that can lead to software being installed, but until those are patched (which happens every week) UAC and Windows Firewall are a good preventative measure, and Defender is pretty damn good as well.

    There are only two reasons that you don't get spyware on as many Macs. One, not as many users. Two, no-one wants to have to learn Smalltalk.

  55. James Butler
    Unhappy

    Just when I think I'm out ...

    @Shakje

    First, for your dictionary, it's a "buffer overflow". And it is one of the top attack vectors on any system.

    Second, why isn't there a UAC on my Linux systems? I'll tell you why ... it's because the OS core layer is completely separate from the application layer, similar to the BSD clone used in OSX, and there is a strong, well-developed security structure (multi-user separation, for one) in place. These factors are also contributors to the paucity of malware for POSIX systems, as it is difficult and far more complicated to get a toehold into the OS core layer as a result.

    This is very different from the Windows structure where many Microsoft applications are tied into the OS core layer, and where a "buffer overflow" at the Microsoft application layer can often easily compromise the OS core layer and allow for, among other dangerous things, privilege escalation, compromise of the Windows kernel, and on up to the compromise of even the BIOS and CPU.

    If Apple is using similar hooks into their OS core layer, then Apple application security issues also present a significant risk.

    While your statement about few users does apply to Apple users, if your explanation for fewer pieces of malware and its relation to "not as many users" were to hold up, you would need to explain why so few web servers (apart from Windows servers) are compromised in the OS core layer. Sure, there are apps (notably forums, AJAX and sendmail) that show weaknesses and can be compromised to swamp the resources of any server, but the majority of web servers are running POSIX (Unix, Linux, etc.).

    Your argument would dictate that, because there are many more POSIX servers out there, they should be riddled with malware, since they are a much juicier target than a home user's system. And yet, they are not. Because the systems are fundamentally different from Windows, the "come on down" king of malware.

    And please don't call me naive. It's so ... belittling, and really not much of an argument for your points. I hope I have not been similarly disrespectful to anyone here.
