About | ACP | Buy | Forum | Industry Watch | Learning Curve | Search | Twitter | Xnews
Home » Learning Curve

Still Waiting

Caution online still advised.


Buy It

Try It

Apple have proved not that Unix security is weak but that Apple security and Apple security procedures are weak. OS X users are left hanging with little or no information and waiting for security fixes that just don't come.

All versions of Apple's OS X up to 10.4 Tiger released 29 April 2005 are wide open to devastating attacks requiring no more than kindergarten sophistication.

They were wide open six years ago and remain wide open today. Apple's recent security updates for previous versions of OS X do not address these issues.

Recent revelations about zero day exploits with roots in the confusion Apple made of their file system prompted Apple to release fixes for their own software only, and despite an outcry from users and the media both, Apple have not shown any ambition to devote more time to these severe issues.

Users of Firefox, Camino, Thunderbird, OmniWeb, Opera, Eudora - users of any web applications not Apple's own - are still wide open to attack requiring no interaction whatsoever on their part even with 10.4 Tiger and the lastest security updates.

You've been ignored. You are not safe using any of these products. You may only use Apple's own Safari web browser and Apple's own Mail application. If you stick with Apple's own web applications, you are 'more or less' safe: you'll get a warning when an attack tries to exploit the holes Apple have poked in 'the rock solid foundation' that was Unix.

Of course if you don't understand the warning then all bets are off: Apple have no further perimeters for your defence. You're burnt bread instead.

Parallels

It's hard to find a parallel in computer science history. Even Microsoft with their abysmal security track record have never done something as outrageous as this.

A common misunderstanding is that Microsoft are weak and nonchalant when it comes to security procedures. Although Microsoft have a singularly unsuitable operating system for use on the Internet, this does not necessarily equate to lax policies in Redmond. What Apple are doing does.

Knock Knock

Again, just in case you didn't get it or fully appreciate the gravity of the situation: if you are running any version of OS X prior to 10.4.5 Tiger with both security patches 001 and the revised (1.1) 002, you are wide open to attack in a way Windows losers never have been; and even if you are running the aforementioned, you cannot, repeat cannot, use any web applications other than Apple's own.

And if you still don't get it, read that again. This is no joke - it's deadly serious. Apple have taken a 'rock solid foundation' (Unix) and made a mess out of it - and you have always assumed you had the safety of Unix.

You didn't; you don't; and unless Apple change their tack you never will.

Browse through the articles below and the other resources available at this site and harden your system now. You still won't be safe using web applications other than Apple's own - these exploits are at file system level and only Apple can fix those things. But if you take precautions as prescribed below you will at least cover the other bases.

Do it now. And frequent the CLIX forum where these matters are being discussed and people are actively helping one another. You can't afford to trust in your operating system. Not for now.

See Also
Perimeters
Seeing Double
The Other Shoe
Hyde Park Corner I
The Chocolate Tunnel
OS X: Still Not WYSIWYG
Peeking Inside the Chocolate Tunnel
Apple's 'Unix' Runs Arbitrary Code on Boot?
Input Managers — The Cure

OS X patch faces scrutiny
Trojan flaw persists in OS X
Experts Claim Security Flaw Remains
Apple criticised for persistent Trojan flaw

About | ACP | Buy | Forum | Industry Watch | Learning Curve | Search | Twitter | Xnews
Copyright © Rixstep. All rights reserved.