Skip to comments.
Apple patches Panther but not older OS
CNet News ^
| 10/29/2003
| Robert Lemos
Posted on 10/30/2003 11:03:02 AM PST by Salo
Apple Computer's latest version of its Mac OS X operating system, Panther, patches security flaws that affect previous versions of the operating system, leaving security experts wondering if users will have to pay the $129 upgrade fee to be secure.
On Tuesday, Apple released an advisory that indicate that the Mac OS X 10.3 upgrade--which adds an improved Finder menu, better synchronization of files and a tool to help users find a specific window on a crowded desktop--also includes more than a dozen "security enhancements."
However, Apple apparently doesn't intend to fix the flaws in previous versions of the software: Apple's Security Updates Web page doesn't list fixes for the flaws in Mac OS X 10.2 and earlier.
"It is not a friendly thing to tell your customers to shell out a lot of money to stay secure," said Thor Larholm, senior researcher for software security firm PivX Solutions. "It would be a dangerous precedent, if they did."
Apple declined comment.
David Goldsmith, director of research for @stake, a security company that found four of the vulnerabilities, confirmed that Apple said it wasn't going to patch the flaws in earlier versions of the software.
"In my initial conversations with them, they said they weren't going to fix 10.2, but I wouldn't be surprised if they change that," he said.
Typically, companies that charge for software provide security updates for the software for a certain period of time. Microsoft provides support for its products for about five years and releases service packs every year that include all the enhancements to the software. Microsoft doesn't charge for the service packs.
"Imagine if Microsoft tried to charge for security fixes--people would go crazy," Larholm said.
Linux vendors typically work things a bit differently, as so much of the software they distribute is produced by developers outside the companies. Red Hat, for example, charges about $40 for its desktop edition and provides a year of easily accessible updates for free through its Red Hat Network. After that, users either have to pay $60 a year for the service, manually install each update or subscribe to a free service such as Ximian's basic Red Carpet service. (Novell now owns Ximian.)
Apple's plan falls between the two models, offering bug fixes for free but charging $129 for the update to the operating system. Panther is the third update the company has released since Mac OS X debuted in March 2001.
The current set of vulnerabilities include a flaw in the operating system that causes applications to be installed that have insecure file permissions. Other vulnerabilities could allow a local or remote user to crash the system.
@stake's advisories say users should either upgrade to Panther or turn off the affected software component.
But PivX's Larholm said Apple would have to release some patches to previous versions of its OS or risk angering its users.
"They have stated that they want to release a new version of OS X every year, but this is the first time they have hinted that they will not be supporting any particular OS X version for more than that year and that they expect all their customers to upgrade their operating system on a yearly basis," he said.
ZDNet Australia's Patrick Gray contributed to this report.
TOPICS: Business/Economy; Technical
KEYWORDS: apple; lowqualitycrap; macuser; osx; panther; security
Navigation: use the links below to view more comments.
first 1-20, 21-40, 41-42 next last
Weak.
1
posted on
10/30/2003 11:03:03 AM PST
by
Salo
To: rdb3; Ernest_at_the_Beach; CheneyChick
I've already upgraded, but this sucks.
2
posted on
10/30/2003 11:04:13 AM PST
by
Salo
To: Salo
Is the upgrade worth it (beyond the security issues)?
3
posted on
10/30/2003 11:31:27 AM PST
by
ECM
To: Salo
So far, MS has provided 5 years of support. They discontinued support for Win98 this summer, but the update site will still get you updated to that point.
4
posted on
10/30/2003 11:37:19 AM PST
by
js1138
To: Salo
Here is a similar article I posted on another thread yesterday,
Apple charges US$129 for security fix:
U.S. based Internet security research company @Stake has warned of newly discovered vulnerabilities affecting the Mac OS X operating system. The company released three advisories this morning. The first details "systemic" flaws in the way OS X handles file and directory permissions, while the second details a kernel level vulnerability that does not affect default installations of the operating system. The third involves a buffer overflow condition that may be remotely exploitable. Controversially, Apple has not yet released patches for the security issues. @Stake has advised Mac users to upgrade to the latest Apple operating system, which is not vulnerable to the flaws. The operating system, OS X 10.3, or Panther, is priced at US$129.
rest of article here
5
posted on
10/30/2003 11:38:09 AM PST
by
avg_freeper
(Gunga galunga. Gunga, gunga galunga)
To: Salo
The spin on Mac sites is that this @stake company is joined with, contracted by, or in some way controlled by Microsoft. Apparently there was an @stake report critical of the use of Microsoft software in government/military operations a ways back. The guy who wrote this report was allegedly sacked by the @stake company.
This is where the Microsoft-evil-corruption link comes in. The mac rumor mongers believe that Microsoft made @stake sack the guy and now release this report pointing out OS 10.3 flaws.(like they don't have better things to do.)
6
posted on
10/30/2003 11:46:52 AM PST
by
avg_freeper
(Gunga galunga. Gunga, gunga galunga)
To: js1138
So far, MS has provided 5 years of support. They discontinued support for Win98 this summer, but the update site will still get you updated to that point.
Applying these guidelines to currently available Windows desktop operating systems, the following desktop operating system products are scheduled to enter the Extended phase, Non-Supported phase or to End of Life (EOL) on the following dates.
| These products follow the previously announced Windows Desktop Product Life Cycle Guidelines |
MS DOS x.xx |
N/A |
December 31, 2001 |
December 31, 2002 |
| Windows 3.xx |
N/A |
December 31, 2001 |
December 31, 2002 |
| Windows 95 |
December 31st 2000 |
December 31, 2001 |
December 31, 2002 |
| Windows NT 3.5x |
N/A |
December 31, 2001 |
December 31, 2002 |
| Windows 98 / 98 SE |
June 30, 2002 |
January 16, 20046 |
January 16, 2005 |
| Windows NT Workstation 4.xx |
June 30, 20027 |
June 30, 2003 |
June 30, 2004 |
| Windows Millennium Edition |
December 31, 20038 |
December 31, 2004 |
December 31, 2005 |
| These products follow the current Microsoft Lifecycle Support Policies |
Windows 2000 Professional |
March 31, 2005 |
March 31, 2007 |
March 31, 2008 |
| Windows XP Professional |
December 31, 2006 |
December 31, 2008 |
December 31, 2009 |
| Windows XP Home Edition |
December 31, 2006 |
December 31, 2006 |
December 31, 2007 |
- Microsoft Hardware and Game Software are not eligible for seven years of support.
- To make it easier to predict end of license availability where appropriate general availability dates have been rounded to the end of the quarter.
- Although Windows Millennium Edition is currently in the Mainstream phase of the product life cycle, given that support volumes are low this product will also continue to follow the previously announced Windows Desktop Product Life-Cycle Guidelines.
- Under the current Microsoft Life-Cycle Support Policies, operating systems designed for consumers do not have an Extended phase (because consumers do not submit requests for extended hotfixes).
- For desktop operating systems that follow the previously announced Windows Desktop Product Life-Cycle Guidelines, this includes the Non-support phase between years four and five (online self-help support information only).
- Microsoft will offer paid incident support on Windows 98/98 SE through January 16, 2004. Windows 98/98 SE downloads for existing security issues will continue to be obtainable through normal assisted support channels at no charge during this time. Customers can request Windows 98/98 SE fixes for new security issues and these requests will be reviewed. Fixes for any new security issues can be specifically requested through normal assisted support channels. Web-based self-help support will be available for at least one year after assisted support has concluded. Mainstream support for Windows 98/98 SE ended on June 30, 2002, and no-charge incident support and extended hotfix support ends on June 30, 2003.
- Security hotfix support has been extended through June 30th, 2004 for both Windows NT Workstation 4.0 SP6a and Windows 2000 Professional SP2. Support for non-security hotfixes will not be extended, and ended as previously announced on June 30, 2003 for Windows NT Workstation 4.0, and August 18, 2003 for Windows 2000 SP2.
- For Microsoft's independent software vendor (ISV), independent hardware vendor (IHV), and OEM customers only, hotfixes for Windows Millennium Edition will only be available in the Mainstream phase for home and run-time scenarios based upon identified trends. For enterprise accounts that purchased licenses for Windows Millennium Edition prior to April 1, 2001, and require hotfix support, please contact your technical account manager or applications development consultant.
For More Information
Windows Desktop Support Life-Cycle Wizard
Windows Service Pack Road Map
| Continued |
 |
| 1 of 4 |
 |
|
<di
7
posted on
10/30/2003 11:56:34 AM PST
by
Paleo Conservative
(Do not remove this tag under penalty of law.)
To: ECM
Is the upgrade worth it (beyond the security issues)?It is to me. Just the "expose" feature alone was enough to make me tear up. And as someone who provides tech support to a Macintosh-only department, I'm really happy about the fast user-switching (probably the only Microsoft feature I wanted.)
8
posted on
10/30/2003 11:58:37 AM PST
by
libravoter
(Live from the People's Republic of Cambridge)
To: Salo
>>"Imagine if Microsoft tried to charge for security fixes--people would go crazy," Larholm said.<<
Used to be you'd "charge" beta testers their free labor to find all the bugs for you.
To: Paleo Conservative
I'm not sure what your table is intended to prove. People will continue using DOS and Win95 for many years, but to the best of my knowledge ther will be no more security updates or bug fixes for Win98. Obviously a lot of big corporations consider NT to be mission critical, so MS may or may not provide updates. They may also announce a policy, then change it.
I was merely remarking that the Apple policy, as described in the lead article, is equivalent to MS discontinuing support for XP. I'm sure that Linux users can get free support, but the official support policy of $60 per year seems high. Windows upgrades are about $89 and come out about every three years.
I'm not about to get into a flame war over this. My analysis could be completely off base, but it is the way I see it right now.
10
posted on
10/30/2003 12:07:57 PM PST
by
js1138
To: ECM
I think it is worth it: it's noticably faster, and some of the new features are pretty nifty. Haven't had much time as I would like to play with it: I had lasik surgery Monday afternoon and am trying to go easy on my eyes.
11
posted on
10/30/2003 12:10:20 PM PST
by
Salo
To: Salo
Apple Computer's latest version of its Mac OS X operating system, Panther, patches security flaws that affect previous versions of the operating system, leaving security experts wondering if users will have to pay the $129 upgrade fee to be secure.BWAHAHAHAHAHAHAHA!
Nothing new here. Just more under-reported security holes.
Security Updates Page #2
Security Updates Page #1
To: Salo
Yet another good reason to go with Linux.
13
posted on
10/30/2003 12:19:11 PM PST
by
paulk
To: js1138
People will continue using DOS and Win95 for many years.... I was merely remarking that the Apple policy, as described in the lead article, is equivalent to MS discontinuing support for XP........ Windows upgrades are about $89 and come out about every three years.
True.
At least Microsoft is posting its intended support policies on their website. I have found that usually I prefer to abandon their older operating systems long before they are no longer supported. I stopped using NT 4.0 almost two and a half years ago, because the Windows 2000 upgrade offered better support for modern hardware like USB and firewire, plug and play hardware installation, automateed OS patching, etc. It sounds like Apple is trying to charge a major version upgrade fee for a decimal point upgrade. The professional versions of Windows like NT4, 2000, and XP Pro usually cost about $200 to upgrade.
14
posted on
10/30/2003 12:24:29 PM PST
by
Paleo Conservative
(Do not remove this tag under penalty of law.)
To: Salo
Well I guess they take the expession "One bad apple don't spoil the whole bunch..." quite literaly.
15
posted on
10/30/2003 12:27:19 PM PST
by
Revel
To: ECM
While the report is from a potentially biased source, I hope Apple does spell out a reasonable policy regarding security support for older operating systems.
I upgraded to Panther, and I like it a lot. However, for some it is going through growing pains, and I'd avoid the "FileVault" (always-encrypted home directories) feature for right now in particular. Also, there appears to be a printing bug for some after running a permissions repair, fixable with a script from:
Things I love about Panther:
1. Speed - everything, especially GUI, is faster
2. Expose - quite like a bigger monitor, as window updates continue
3. Xcode, the new development environment included for free
4. The new finder window layout (with a locations sidebar on the left)
5. The open/save dialogs are redone, with the same locations sidebar
6. Mail.app finally seems to work correctly
7. Safari seems faster, smoother, better
All in all, worth some money. Worth $129? Probably, but I got it on deep discount, so for me it was a no-brainer.
16
posted on
10/30/2003 12:30:26 PM PST
by
Yossarian
(1 CA Governor down, 1 CA Senate and 1 CA House to go...)
To: js1138
I was merely remarking that the Apple policy, as described in the lead article, is equivalent to MS discontinuing support for XP. It's worse, since XP is already twice as old as the last release of OS X, Jaguar. They're stopping support for a version that's slightly more than one year old - 10.2 was released in August of 2002. It would be equivalent to MS EOL'ing Windows Server 2003 around next July or so.
17
posted on
10/30/2003 12:32:34 PM PST
by
general_re
("I am Torgo. I take care of the place while the Master is away.")
To: ECM
Is the upgrade worth it (beyond the security issues)? Yes. Expose and the new font manager, alone, are worth it. You'll get lots of other goodies, too.
To: Ol' Dan Tucker
I read the security problem lists. I see nothing in that list for a typical desktop user of Mac OSX to worry about. Most of the problems involve (A) theoretical exploits that are not currently a concern, (B) using features that are off or set differently by default, or (C) Macs where a system administrator has limited the access of the user(s). These aren't problems like "Open this email and your hard drive gets erased." or "Click on this attachment and someone in Russia owns your computer." While the quantity of security problems is a concern, the bigger concern is the quality of the exploits.
This is like car recalls. I'd rather own a car that was recalled a dozen times with problems related to the paint, hubcaps, and radio than a car that was recalled only once because it tends to explode when hit from behind by another vehicle going more than 25mph.
To: paulk
Yet another good reason to go with Linux. I used Linux from the 1.0.9 kernel for about 5 years as my exclusive desktop computer at home. I finally swiched back to using a Mac because I decided that I really needed to be able to run Internet Explorer, Microsoft Office, and other commercial software and despite having fairly extensive Unix/Linux system administration skills, I like not having to worry about if a particular new bit of technology works with Linux yet or not or the hassle of hand upgrading things.
Don't get me wrong. I still use Linux as a server and still like it a great deal. I did and could use it as a desktop OS but Mac OSX gives me the ability to run Mac software (including Microsoft apps that will not be ported to Linux anytime in the near future) and ported Linux/FreeBSD software on the same machine. Heck, I could also get VirtualPC and run Windows XP if I wanted to. And the hardware is great quality stuff.
Navigation: use the links below to view more comments.
first 1-20, 21-40, 41-42 next last
Disclaimer:
Opinions posted on Free Republic are those of the individual
posters and do not necessarily represent the opinion of Free Republic or its
management. All materials posted herein are protected by copyright law and the
exemption for fair use of copyrighted works.
FreeRepublic.com is powered by software copyright 2000-2008 John Robinson
