Rixstep

OS X: Still Not WYSIWYG

Apple release their second security patch for Tiger.


Apple have released their second security update for OS X 10.4 Tiger less than two weeks after the first. Although many issues were addressed in both updates, most eyes were on what the Cupertino company were going to do about the holes exposed by the recent Oompa Loompa, Inqtana, and Heise exploits.

The patch is a 13.9 MB download and all told addresses issues in apache_mod_php, CoreTypes, LaunchServices, Mail, rsync, and Safari - as well as issues covered in the previous patch from 1 March.

It's the patches for CoreTypes, LaunchServices, Mail, and Safari people are most interested in. And from the looks of it, OS X is still not 'WYSIWYG' - what users see is still not what they get.

Mail

CVE-ID: CVE-2006-0396

Available for: Mac OS X v10.4.5, Mac OS X Server v10.4.5

Impact: Double-clicking an attachment in Mail may result in arbitrary code execution

Safari, LaunchServices, CoreTypes

CVE-ID: CVE-2006-0397, CVE-2006-0398, CVE-2006-0399

Available for: Mac OS X v10.4.5, Mac OS X Server v10.4.5

Impact: Viewing a malicious web site may result in arbitrary code execution

The following non-security issues introduced by Security Update 2006-001 are also addressed by this update:
  • Download Validation: Security Update 2006-001 could cause the user to be warned when provided with certain safe file types, such as Word documents, and folders containing custom icons. These unneeded warnings are removed with this update.

Of course Apple must try to issue 'ad hoc' patches first. After all, NeXTSTEP wasn't ruined in a day, and it's going to take time to undo all the wrongs that were done. But the basic dilemma remains - although Apple have provided temporary safeguards for their own web applications, the system as a whole is still vulnerable - and the only reason Apple have directed their work to the application level is that they don't yet have a fix for what's really wrong.

As noted here and elsewhere, the core of the issue is that one hand of the OS X shell tells the user one thing while the other hand does the complete opposite: a file that appears to the user to be of one type is treated, at another level of the system, as being of a different type.
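The mismatch described above, a file that looks like one type to the user but is handled as another by the system, can be caught on the defender's side by comparing the bytes a file actually contains with the type its name claims. This is an added illustration, not Apple's code or the fix they shipped; the extension list, the magic numbers checked and the sample files are constructed for the example.

```python
import os
import tempfile

# Extensions a user reads as a harmless image or document (assumption: a
# representative set chosen for this example, not Apple's own list).
PASSIVE_EXTENSIONS = {".jpg", ".jpeg", ".png", ".gif", ".pdf", ".doc", ".txt"}

# Leading bytes of content the loader would execute: 32/64-bit Mach-O in both byte orders, plus the universal (fat) magic.
MACHO_MAGICS = {b"\xfe\xed\xfa\xce", b"\xce\xfa\xed\xfe", b"\xfe\xed\xfa\xcf",
                b"\xcf\xfa\xed\xfe", b"\xca\xfe\xba\xbe"}

def sniff_content(head: bytes) -> str:
    """Classify a file by its leading bytes, ignoring the name entirely."""
    if head.startswith(b"#!"):
        return "script"
    if head[:4] in MACHO_MAGICS:
        return "mach-o"
    if head.startswith(b"\xff\xd8\xff"):
        return "jpeg"
    return "unknown"

def is_type_mismatch(path: str) -> bool:
    """True when the name promises a passive file but the bytes are executable."""
    ext = os.path.splitext(path)[1].lower()
    with open(path, "rb") as f:
        head = f.read(8)
    return ext in PASSIVE_EXTENSIONS and sniff_content(head) in {"script", "mach-o"}

def scan_downloads(directory: str) -> list:
    """Return the names of files whose shown type and real type disagree."""
    flagged = []
    for name in sorted(os.listdir(directory)):
        path = os.path.join(directory, name)
        if os.path.isfile(path) and is_type_mismatch(path):
            flagged.append(name)
    return flagged

def demo() -> list:
    """Scan a constructed download folder (sample files made here, not real ones)."""
    d = tempfile.mkdtemp()
    samples = {
        "holiday.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 12,  # genuine JPEG header
        "latest.jpg": b"#!/bin/sh\necho hello\n",           # script behind an image name
        "report.pdf": b"\xfe\xed\xfa\xce" + b"\x00" * 12,   # Mach-O behind a PDF name
    }
    for name, data in samples.items():
        with open(os.path.join(d, name), "wb") as f:
            f.write(data)
    return scan_downloads(d)
```

Run `demo()` to see the two disguised files flagged while the genuine JPEG passes; the check reads content only, so renaming cannot fool it.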

So far there's no word of how Apple plan to deal with this issue, although it should be a foregone conclusion that they must and they will - eventually at any rate.

For now the old adage used to describe OS X Tiger has to be altered. 'You've come a long way, baby, but still not quite far enough.'

Copyright © Rixstep. All rights reserved.