Apple released a massive security update on Tuesday that patched at least 80 vulnerabilities in its Tiger and Leopard operating systems, many of which were critical. The massive patch batch amounts to a download of more than 105MB, and that doesn't include a separate 25MB file that installs version 3.1 of Apple's Safari browser …
Err, no it isn't, it's 50.5mb, I'm downloading it at this moment.
Perhaps the Tiger update is 105mb, but the patch from 10.5.2 is less than half that.
Still a pretty chunky patch, but no need for exaggeration.
Vista SP1 @ 435MB, now THAT'S a monster patch!
An Apple with a hole.
Is a sure sign of a worm. :p
Mines is the one with the sizable patch on the elbows
it breaks ssh
5 million beta users?
So when Apple happily announced 5 milliion customers, it really means they lured 5 million customers to pay for a beta version of its OS.
I use both Windows Vista and Mac OS and so far I had more problems and much larger updates on my Mac than on Windows. Okay, the Mac UI is nice but I'm having a feeling Apple was not ready for Leopard.
Microsoft's measured approach
The reason MS has to be so careful is because Windows is such a rats nest. UNIX based systems on the other hand are much less monolithic and so it is feasible to update services independently. Also, the open source nature of many of the tools in OS X mean that bugs are often identified on other platforms so OS X is inheriting bug fixes affecting other UNIX based platforms.
At least with OS X I feel like things are being fixed rather than 'patched' (which I read as bodged).
Just looked at the downloads page (http://www.apple.com/support/downloads/) and there is indeed a number of different versions of this patch. Looks like the server version is much larger (makes sense, there is more software in OS X server). So is the Universal version, which also makes sense as that will include builds for both PPC and Intel (minus a little common stuff).
The largest is actually 108mb for the Leopard Server.
The update to Safari looks nice, especially the development tools which will be a god-send to those of us who miss FireBug and other extensions from FireFox whenever we have to sue Safari.
@ Microsoft's measured approach
You've missed the point of what the author was saying; MS create and release x bug patches per month, each month. Apple on the other hand, things "damn, we should fix that" and throws some resources at it.
At the end of the day, who cares about the mechanics behind the patching as long as it gets done.
Comparison to vista SP1
Vista SP1 standalone installer is 435MB. That's a lot more than this. Of course, it has to deal with more than ~4 permutations of hardware. The windows update version is only 45MB...
100+MB for Tiger, 50+Mb for Leopard
I'm still using Tiger on my MacBook, and I got the 100+Mb security update. It isn't an exaggeration, the item wasn't just clearly identified.
If you'd look at the security update details, you'd see that some of the fixes were indeed inherited from open source software that is included in Mac OS X.
Geez Apple Trolls, thought OS X .5 was so Perfect?
So this is the, what 4th or 5th time that Apple has tried to make it "Perfecter", nah it's just that you're all Apple Kool Aid Drinkers and OS X has been and always will be holier than swiss cheese, security and bug wise. AKADs are so deep in denial.
Next time you bash Linux or Windows, look in the mirror as see a stupid hypocrite.
Re: it breaks ssh
FYI, some people are reporting it breaks ssh but not all. On my three Macs (iBook G4, Mac mini G4 and MacBook Pro) there are no problems 'ssh'ing between my Macs and my two Linux machines in all combinations.
improved Acid 3 test
There was also an update for Safari and it looks like they used the
time to improve their results on the Acid 3 test.
Before the update Safari scored 40% and now 75%.
MSs measured approach, take 2.
Ok, MS may have got to the stage where they can release a small patch bundle each month, but that's on the back of spending the past few years shipping monsters to patch copious numbers of glaring holes highlighted by the scrotes out there.
Now it seems that said scrotes have their sights set on MacOS. I suspect that there's more where this came from and that Mac users may be in for a taste of what Win users have had to live with 'til recently (big patches rushed out to fix urgent exploits that break other things when you apply them).
O/S stability / security is inversely proportional to the number of devious bastards trying to break it. Live with it.
we don't needed no steenkin' title!
given my own experience of leopard, i'd have gone for a slightly less charitable headline - 'apple polishes giant turd'
Its on the web elsewhere but the patch last night effectively stopped the use of the 'shift' key when using gmail. Rather than doing what it should, it now acts like a tab key changing focus on the gmail webpage. How did this get past testing?
I would, but...
The last update (10.5.2) stopped wireless networking with my netgear router. A long ethernet cable for me these days.
"It just works" - my arse
...or maybe 105MB? Or 50.5MB?
re: Monster Patch?
Sure Vista SP1 is 435MB if you download the whole thing,but it's more like 60MB if you get it over Windows Update.
Who cares how big the patches are anyway? The more bugs and vulnerabilities that are fixed the better, surely?
I have regularly had to update XP on pre-SP1 machines. Now that takes some time. It's interesting to note that since XP came out Microsoft have issued around 1.5GB worth of critical security patches. Now, if I bought a car that had to go back to the garage every other Tuesday...[insert own rant]
"Vista SP1 @ 435MB, now THAT'S a monster patch!"
The SP covers every version of Vista so it's quite large but no system should require more than 100Mb of it, so it you download it using Windows Update only the necessary files will be downloaded.
super special awesome
This report is a lie. Macs are super special awesome and are perfect when they ship, they never need patching ever.
RE: Breaks SSH
This is due to 3rd party software, do this to fix:
"Have you installed Rogue Amoeba's Instant Hijack?
If so, try:
sudo /usr/local/hermes/bin/hermesctl unload"
ssh and gmail problems
The ssh problems have been identified as being caused by a hack installed by Rogue Amoeba's Instant Hijack plug-in (part of Audio Hijack and other tools). Quite how the hell they managed to break OpenSSH by installing an audio proxy is anyone's guess, but "good work boys!"
The gmail bug is caused by a workaround for Safari originally coded in the Gmail v1.0 interface. A workaround (until Google fix, or rather un-fix, it) is to run with Gmail v2.0 - you may have to swap to English (US) to do this however.
but it r perfect
what happened to apple is so secure?
we don't need antivirus as there are no holes??
100mb for patches iis lazy releases and sticking fingers in your ears.
Mainly stuck on windows, so I'll stick the boot in while I can.... but at least I know what I'm getting.
What's happened to the language?
When I was a working programmer (yes, back in the dark ages kiddies) a patch was something you did at four o'clock in the morning because the system was down. It was keyed in at the console in a hex representation of machine code. Twenty or thirty bytes typically. 100 tops. Then next day you would fix the problem properly, reassemble the segment(s) and load it/them to the system. That's not a patch, it's a new version.
All this talk of "patches" being 100MB or more just bemuses me.
Mines the very very old one with the muffler.
Isn't OSX based on a 'NIX of some sort? It can't, then, be THAT bad for reliability/security/etc. can it?!
The AKAD comment can be used in many places, but I don't think this really counts; save your insults for when they're appropriate. Linux and Windows both have live-update functionality so you don't really see the number of updates you get. Download all the updates for XP-SP2 or even Vista since launch and I bet they'd exceed 100Mb comfortably! Linux would probably be similar.
The fact is that as people learn more about the systems theyre using they'll find more ways to break them. Then patches will be released. Though on pretty homogenous hardware like Apples there's no excuse!
I would say, though, that a hundred megabytes counts as a Service Pack rather than a mere "patch".
Still, Apple stuff is more of an extravagance- a mere high-tech toy if you will- rather than a "proper" computer. So I've got to ask where the IT angle is?
This is not really an OS X versus <anything else> issue
Some of the patches probably relate to software developed internally at Apple. As stated above, many of them relate to open source software that Apple just happen to use.
Using open source components where they are appropriate is admirable — it's a form of adherence to open standards. Patching them when they're broken is also admirable. So there's no controversy in that.
As far as these patches affect Apple-developed code (and I have literally no idea), I don't think anyone has ever seriously argued that the Apple engineers always produce perfect code first time round, and I don't think anyone will argue that they shouldn't release security updates.
If there is any debate, it's about the way the different OSs are set up from a security perspective, i.e. the probability that flaws will be findable and the probability that they will be exploitable. Because it's a probability debate, the existence of each flaw adds empirical evidence but is nothing like a complete answer. And there's a question of measure and degree concerning each flaw — the extent to which each opens up the system.
I have no idea what fixes Apple are offering or what information they provide concerning that type of evaluation. I'm just making the point that without it, the debate is false.
Zero-day vulnerability anyone?
No? That's because the OS X updates are pre-emptive and identified (mostly) by the Open Source community to ensure that the code is safe.
MS tends to act reactively to vulnerabilities that are found by third parties inform - thus raising the chances of unpatched vulnerabilities being exploited (as is often the case).
And so what if it's a big patch. Most people are on broadband and OSes these days are multi-gigabyte affairs so of course the patches are going to be large...
Re: "Apple stuff is more of an extravagance- a mere high-tech toy if you will- rather than a "proper" computer."
They use the same components as Windows and x86 Linux computers, so you're obviously not talking about hardware.
They have a different GUI from both of those systems, but software available for them includes Microsoft Office and the full Adobe suite (InDesign, Photoshop, Illustrator...). So I guess you're not talking about the tasks you can perform with available application software.
The OS is a certified UNIX. So I guess you don't mean that either.
In that case I guess your definition of a "proper" computer presumably means "one that is as cheap as the sum of the individual hardware component costs will allow"? I think you might be at odds with quite a few people there. Argue that Macs cost too much if you want, but it's not accurate to say that they aren't "proper" computers.
Do you have to wear a black shirt and talk on the jesus phone whilst installing this patch ?
Re earlier @AC the ssh error some users are having seems to be a clash with Rogue Amoeba's Instant Hijack. Removing this fixes the problem, see the updated thread http://discussions.apple.com/thread.jspa?messageID=6859298
No. Just browsing the internet with the phone is sufficient.
@ Matt RE: Jobs Lot
Your half way there Matt, while sporting a plain charcoal black shirt and talking on the Jesus phone, you must balance the mac book air on a corner using only one extended finger.
@it breaks ssh
If you look further down the blog you will find the fix :)
Just downloaded the "patches" and applied them. They included a keyboard firmware update.
Previously my Macbook Pro suffered from the well-known "doesn't register the first character keyed into a form box" bug that Apple has been denying for several months. Now when I am working in an Excel spreadsheet, about 50% of the time it only registers the first character typed in a cell. When I click on another cell then go back for a second attempt it's usually OK.
What is going on Steve?
Paris because she had some experience with cells.
@ Grant, @Chris
Vista SP1 may indeed cover n versions of Windows (and who's fault is that?) and it may also be smaller if you d'load it via Windows Update (of course I found out about it via Windows update and WU reported it as being a 435MB dl on a fully patched system as well so I'm not sure this correct anyway but nevertheless . . . ).
So, even if we pretend that the WU version is a more sane size this is pretty much irrelevant to most IT pro's. I never install MS Service Packs via Windows Update. I always dl them for offline installs as I don't want to have to keep dl'ing them over and over again every time I have to do a cruft reduction re-install.
Of course YMMV
" have regularly had to update XP on pre-SP1 machines. Now that takes some time. It's interesting to note that since XP came out Microsoft have issued around 1.5GB worth of critical security patches. Now, if I bought a car that had to go back to the garage every other Tuesday...[insert own rant]"
yeah but the equilivent of hackers and virus's attacking your windows install. would be some one running up to your car and taking bits off so you have to get it repaired but if no one touches it it runs just fine (oh and before some one says about built in faults i'd point out cars thave them to the pug 206 had 7 recalls and a renault model adds 2 miles to the mileage every time you open the drivers door. the difference if that once a car manufacturer finds this fault it can fix it on the next batch manufactued and it pulls the pre sold cars in for repair. microsoft equilent is patching preinstalled windows and then releasing an service pack for new machines) so yeah i would get made if i had to take me to get it fixed every week but the solution is shooting the guy who keeps breaking it or put it in a garage at night so he can't get to it (equvilent of a decent av and firewall)
SSH & Rogue Amoeba's Audio Hijack Pro (and Airfoil, NiceCast)
From the Rogue Amoeba Knowledge Base:
Application Enhancer Technology
Several Rogue Amoeba products optionally make use of Application Enhancers technology, also known as APE, from Unsanity Software. The Instant Hijack component utilizes Application Enhancers to pull in audio from applications that are already running. By default, this component is not installed. If you attempt to hijack audio from a running application, you will be prompted to install the Instant Hijack component or relaunch the application. You can install or uninstall Instant Hijack from the Install Extras... window, under the application's main menu (the Audio Hijack Pro menu in Audio Hijack Pro).
Applications that use the optional Instant Hijack component:
Audio Hijack Pro
Maybe it's Unsanity's problem, not Rogue Amoeba's?
BTW, the older (original) Audio Hijack does not have instant hijack, only the Pro version (current release). As I have the legacy version, I will now install the patches.
Apple or any of its software were any safer than MS products.....
The more the number of user the more patches you will be downloading.
its just the number of people there are to add onto spamming list and botnets that warrant the developments of worms and look for vulns in a software.
Stop buying MACs is the only answer to this problem
sudo sysctl -w net.inet.tcp.delayed_ack=0
Bet they've still not fixed the issue the above command line "fixes"...both my 10.5 macbooks (1st gen and 3rd gen) are both running freshly-crippled wireless, thanks to some crappy code in 10.5. (both run ok on 10.4 or when bootcamping XP).
Thanks Apple, you bunch of gits. How many disgruntled users will it take to get you to fix this damned issue? And how long is going to take - another 6 months????
Near as I can tell the only thing that's ever updated on my Mac is the irritating iTunes music player. That thing seems to download another update every other week.
Downloading Mac Safari on a PC
Despite Apple's attempt to hide the OS X Safari 3.1 update download from PC users, it can be found at
For Leopard (39MB):
For Tiger (49MB):
PPC and Universal included; reboot required.
Man, that was a simple update.
Wall of text, hence dr.
@ Zero-day vulnerability anyone?
"MS tends to act reactively to vulnerabilities"
What rubbish MS have a team of very experience security testers with access to the source code but as even people in the Open Source community know having access to the source doesn't guarentee you can find all issues. MS have spent a fortune and i can't complain about their effort to find issues it's the amount of time they take getting the fixes out that bothers me.
Am I right?
So if OSX is *INX certified you can use terminal and commands like sudo? Havent played with OSX much mainly due to not being willing to blow Jobs. (let the flames commence) But didnt bother checking that out the two or three times I have used it.
cant speak for the rest but I myself do read them if only so I can try to figure out what your talking about because I like puzzles.
On the Vista/OSX/*NIX debate Im of the firm belief that when 99% of the computers (and users) are all using Windows based systems, and your the "hacker" writing the viruses or whatever, which would you choose? Personally if it was me and I did this stuff I would want to cause the most damage possible. But once OSX and *NIX become more prevelant you will start to see more and more "bugs" for each.
/mines the asbestos jacket with the fire hat.
SSH/Hijack Issue fixed
Rogue Amoeba have issued a fix, so if you have Airfoil, having it update itself resolves the issue.
I predict Webster to be the first El Reg reader to pop a vein!
I predict Webster to be the first El Reg reader to pop a vein both in the anticipation leading up to the results and finally popping over the published results of the contest.