OS X insecure -- how do you like 'dem Apples?

COMMENTARY--Say what you want about how great OS X is, but Apple dropped the ball when it found out there were vulnerabilities in its flagship operating system. It didn't release a patch when the issues became public, didn't ask the company that found the flaws, @Stake, for any time to produce a free fix, and has resorted to spin to save itself further embarrassment.

Apple is blessed with an extremely loyal -- some may say fanatical -- user base. Since presenting the public with the fact that the only way to secure OS X 10.2 (and earlier versions) from several serious vulnerabilities is to purchase the newest version of the operating system for US$129, this publication's inboxes have been flooded with hate mail.

The entire trail of messages had one underlying theme -- denial. Mac fanatics have denied the vulnerabilities are serious, denied the company would leave them twisting in the wind, questioned the independence of @Stake and accused ZDNet Australia of conspiring with Microsoft to sully the good name of Apple, the loveable underdog.

To begin, let's have a look at some of these issues. Let's reconcile. Let's get along.

Claim #1: The vulnerabilities are not serious.

Not true.

One of the issues is a kernel-level buffer overflow condition that may be remotely exploitable. In plain English, that's the most serious type of vulnerability there is.

True, it hasn't been exploited yet in the lab; however, @Stake has not ruled it out as a possibility, saying only that "since it appears to be an overflow in the kernel the severity of 'possibly execute commands as root' is warranted".

There are some other issues which will allow an attacker with interactive shell access to a targeted machine to escalate their access level to root. Mac apologists have claimed this means an attacker requires "physical access" to the target machine. This is incorrect.

A local or remote user of a Mac server with interactive shell access could take over the whole system by escalating their privileges using the techniques described in @Stake's advisory. Furthermore, any attacker able to seize control of a trivial process with limited privileges could, once again, escalate their status to root. That is serious.

Claim #2: Apple always planned to release patches for 10.2.

Debatable, with evidence to the contrary.

@Stake research director Chris Wysopal coordinated a release date for the advisories with the cooperation of Apple's security team. @Stake actually waited -- at Apple's request -- until the release of version 10.3 of the operating system, also known as Panther, before publishing its advisories.

"They told us the fixes would be in 10.3 and asked us to wait until 10.3 was released to publish our security advisories," Wysopal wrote in an e-mail.

In other words, @Stake says it was operating on a timeline dictated by Apple. The vendor statements Apple sent to @Stake made no mention of patches for 10.2. Instead, the phrase "this is fixed in Mac OS X 10.3" is everywhere.

Both Wysopal and David Goldsmith, also of @Stake, say Apple explicitly told them there would be no free patch. "In my initial conversations with them, they said they weren't going to fix 10.2, but I wouldn't be surprised if they change that," Goldsmith said at the time.

Predictably, Apple released the following response after the proverbial hit the fan. "Apple's policy is to quickly address significant vulnerabilities in past releases of Mac OS X wherever feasible," it read. "The shipment of Panther does not change this policy. Apple has an excellent track record of working with CERT (Computer Emergency Response Team) and the open-source community to proactively identify and correct potential vulnerabilities."

Claim #3: The coverage of this issue was biased because the media is in Microsoft's pocket.

People making these types of claims should really do their homework. Microsoft does not, contrary to the belief of some, pay the media to write negative things about its competition.

It is unlikely this article had MS executives popping the cork and jumping for joy in Redmond, nor would the PR team be celebrating the publication of this item.

Notice the MS bashing and praise for the publication in the feedback to the first article listed. Criticise MS and you're an insightful, balanced journalist. Criticise anything else and you're a sell-out idiot not worthy of the air you breathe.

These critics should be forced to read Josh Mehlman's brilliant commentary A Lesson in Logic before being allowed to hit the flame button on their uber-cool Mac mail clients. This publication serves to report the facts and is not aligned with any operating system developer.

Let's not forget that if Microsoft tried releasing "XP 2" instead of a security update its executives would be drawn and quartered by the media.

Claim #4: The media did not seek comment from Apple.

Both my CNET colleague Robert Lemos and I tried unsuccessfully to extract a response from Apple. The company, at the time, was not talking about it.

So what's the point?

Whether or not Apple planned to release a free patch for 10.2, as it now says it did, is irrelevant. The fact is, until the company gets around to releasing the patches, Mac OS X users cannot update their defective product without forking out a significant chunk of their hard-earned dough for a comprehensive OS upgrade they may not necessarily want. At last check, Apple had stated an intention to issue patches, but none had been released at the time of publication.

Apple has been given a swift kick up the backside by the press and sections of the security community, and now it's releasing patches; however, the attention the issue received was warranted regardless of whether or not it planned to fix older versions of its OS. @Stake gave Apple the opportunity to produce a fix. It should have seized it. Pumping out a couple of patches now will not absolve Apple of its sins.

As for the retraction of the story that kicked off this brouhaha that irate Mac zealots have been demanding, the fact remains that the only way to remove defects from OS X 10.2 is to pay the upgrade fee. Users, for the time being, are still left twisting in the wind. Apple dropped the ball. OS X is insecure, and so are a lot of its users.

How do you like 'dem Apples?

Talkback

Are you sure you know what you're writing about? You haven't done a good job of making a point.

For example, issue 1 of CAN-2003-0876 states that attackers with interactive access to a Mac OS X system can run an app with global permissions, thus giving them the same level of access as a legitimate user on the Mac.

There is no logic in this issue. If an attacker has already been able to gain access to a legitimate user's account on a Mac OS X system, then they already have the ability to do everything that user does without resorting to running apps with global permissions.

The premise of this issue rests entirely on an attacker getting access to an account.

If any attacker on any OS can get access to a user account then the game's over.

This is like warning me that if I leave my door open then an attacker can take my house keys. Der. But what if I've got the door tightly sealed?

asdf4asdf4 November 3rd, 2003

Are you paid by Micro$oft..? You would have a full-time job there reporting on all the hundreds and hundreds of security vulnerabilities that Micro$oft miss when developing software. It's interesting that you're so concerned about a fault in a previous Mac OS build. Maybe you should do a review on Windoze 2000 and its vulnerabilities....now where would you start?

dcashiondcashion November 6th, 2003

why do people say how do ya like dem apples?

skljdlaskjdklajdskjdasklsajdlasjldASKJDSKLJDAKLDJALASSASSFUCKERskljdlaskjdklajdskjdasklsajdlasjldASKJDSKLJDAKLDJALASSASSFUCKER May 10th, 2010