From today's SANS NewsBites Vol. 8 Num. 39


WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES
--Apple Issues Security Alerts for OS X and QuickTime Media Player
(15/12 May 2006)
Apple Computer has issued two security alerts describing more than 30
flaws in Mac OS X and a dozen flaws in QuickTime media player software.
The flaws in OS X could allow attackers "to execute arbitrary commands,
bypass security restrictions, disclose sensitive information or cause a
denial of service." The vulnerabilities in QuickTime present security
concerns for both OS X and Windows computers; the flaws could be
exploited to hijack vulnerable machines.
http://news.com.com/2102-1002_3-6071833.html?tag=st.util.print
http://www.pcworld.idg.com.au/index.php/id%3B1209940133%3Bfp%3B16%3Bfpid%3B0
http://searchsecurity.techtarget.com/originalContent/0,289142,sid14_gci1188049,00.html
http://docs.info.apple.com/article.html?artnum=303737
http://docs.info.apple.com/article.html?artnum=303752



If not already, this is starting to become a huge issue for Apple...

Doc

"There are over 500 new viruses and worms released on the Internet each month." - Invisius Direct. :nono:

Macvirus.org currently lists 28 viruses for Macintosh. :yes:

I wonder where the other 472 are headed? :scratch2:

I agree that Apple needs to step up their attitude about security - many of the exploitable flaws in the current system are things that were patched years ago on other systems (source: ZDnet). Apple has gotten complacent after years of a clean track record - the new OS (unix-based) is a whole new can of worms. (pun intended) :no:

Windows XP shipped with over 63,000 known bugs and security holes.

Ok I have MAC OS X 10.3.9

What do I do to fix my puter?

I use the software update thingy at least once a week, but I gather that's not going to cut it for these issues.

This is really concerning because i have had my email account hacked in the last 4 days. I can't get in the bastid. errrrrrrrrg :tears:

Im sure allot of people are trying to email me too, but oh well. I don't think there is any hope. I emailed everyone with addresses I knew by memory telling them not to email my account any more.


Help me Help me it's got me by the paws!

The SANS publishes their Newsbites twice a week (Tuesday and Friday). I only post what they provide in their newsletter that directly affects Windows, Mac, and Unix users as reflected in their newsletter regarding WORMS, ACTIVE EXPLOITS, VULNERABILITIES & PATCHES.

The point to all of this is not a race, or which OS is better, or which has the fewer security issues.

The point is to provide awareness to all in the AK community who are concerned about security and keeping their machines as free as possible of these threats.

If this information helps some to become more aware, concerned, and cautious, then that is a good thing.

Doc

Apple has been very proactive in releasing patches for their vulnerabilities. If an exploit is publicized, very likely no one has written an exploit for it yet. And they've already had three security mega-patches released so far this year, which have addressed every publicly known exploit thus far.

MSFT has gotten more on the ball with their "Patch Tuesdays", but they have been loath to release interim security patches (witness the RCX hole that was eventually addressed by MS06-001, but only after a huge amount of public pressure to put out an official patch before the next Patch Tuesday) see http://antivirus.about.com/b/a/233074.htm

Almost every time you put a GUI or a user convenience feature set in front of an OS, you're going to have vulnerabilities. The key is to keep on top of them as a user, and get updates ASAP.

Not knocking your post, Doc. Reinforcing the point that Apple needs to wake up, as does its user base. Mac users have spent years (under the old OS) with only a tiny handful of worms and viruses to contend with, and those not under wide distribution. This new unix-based system is a whole new ballgame. As Apple's user base grows, so does their attraction for hackers. Why are there 20x as many viruses for Windows? Because the Mac only holds a 3% (IIRC) market share.

I love the new system, I haven't booted any machines (capable of running OS X) into "classic" mode in over a year. But it takes a new skill set to manage. I went from "guru" to "newbie" with one install! :thmbsp:

Almost every time you put a GUI or a user convenience feature set in front of an OS, you're going to have vulnerabilities. The key is to keep on top of them as a user, and get updates ASAP.

Yes, users demand rich feature sets. Unfortunately, it is difficult to test the number of permutations to isolate those that lead to security holes. We should also note that there is a difference between a bug and a security hole, and that there are a number of classifications of levels of bugs/flaws. Not all bugs/flaws are security issues, but all security issues are bugs and/or design flaws.

Reinforcing the point that Apple needs to wake up, as does its user base. Mac users have spent years (under the old OS) with only a tiny handful of worms and viruses to contend with, and those not under wide distribution.

Yes, Apple needs to wake up, and so do the MAC users. After years of believing they were immune to these threats, which PC users have learned to live with, MAC users are unaccustomed with having to deal with the reality of being a target, caused mostly by Windows becoming more difficult to attack. Hackers like low-hanging fruit, and the MAC and UNIX operating systems are ripe for the picking. Microsoft has made huge steps forward in re-design and correcting interfaces and holes, but it has taken several years to do so, and significant cost, and they still have a long way to go. Let's hope that Apple has already started addressing the problem. You cannot patch your way to being secure.

Doc

Apologies for hijacking this thread, but while the iron's hot.....

I run OS 10.3.9, and I run Security Update monthly and download the latest security updates. For the past couple of months, whenever i open Software Update, one of the available downloads is 'Security Update 2004-10-27', which is kinda weird considering its almost 2 years old! I have not downloaded it. Should I? FWIW I have just downloaded the most recent security update.

Super cooge! I got er done. :thmbsp:

Apologies for hijacking this thread, but while the iron's hot.....

I run OS 10.3.9, and I run Security Update monthly and download the latest security updates. For the past couple of months, whenever i open Software Update, one of the available downloads is 'Security Update 2004-10-27', which is kinda weird considering its almost 2 years old! I have not downloaded it. Should I? FWIW I have just downloaded the most recent security update.If software update is reporting you need it, there is some software on your system it addresses that has NOT been updated. The software update panel scans your drive for components and compares their versions to the update.

Running XP Pro SP1 here for over two years with no update crap. Zero problems.

Running XP Pro SP1 here for over two years with no update crap. Zero problems.XP Pro SP1 is a pretty "mature" system. Under the older MAC OS, I rarely upgraded an install. When things are running smoothly, why mess with it?

OSX is a much younger system, and is still undergoing revisions that are having a positive impact on its functionality. I've hit a stable system at 10.3.9, and I'm sticking here for a while. Like I said, when things are running smoothly...