What's new pussycat...
they're always lagging.
Apple is once again playing security catch-up to the rest of the computing world, this time with an update for the Leopard version of its Mac operating system that patches critical holes in Java that were fixed on competing systems 29 days ago. The patch updates Leopard to Java versions 1.6.0_15, 1.5.0_20, and 1.4.2_22, which …
they're always lagging.
Like some said already, only affects the 10 people who are using osx...
Wow, where to begin? This article is so one-sided that I’ve decided to finally give in and create an account to respond.
Let’s start with the title. Since “security lags” doesn’t mean much without context I’m left no choice but to believe that the title was chosen simply for shock value. Pity.
Now onto the arguments. The first one states that Macs are safer because few malware programs target them. This is true. Unfortunately the article veers off course from here by assuming that this is because of OSX’s lesser market share.
The most obvious problem with this argument is that is is unprovable. It assumes the intentions and motivations of malware authors. Unless The Register spoke with every malware author on the planet there is no way to know with absolute certainty why these authors target Windows OS’s.
Sure, we can guess (though I would assert that an article titled to suggest being factual isn’t the place for it) but I find it curious that when left to do so The Register chose market share over simple vulnerability counts. My sensibilities tell me that the sheer number of remotely exploitable vulerabilities found for Windows versus those for OSX might be a more likely reason for Windows to be the more common target. But I would never state that as fact because I simply can’t know the truth.
Although we can set aside this argument on the basis of its unprovability alone, I’ll offer another in the form of an example: Apache vs. IIS.
Apache has roughly twice the market share of IIS (and it used to have much more) yet as far as I can recall there has never been a devsatating Apache exploit. Need I mention some of the immeasurable damage done to servers across the world as a result of IIS exploits? I’m sure you’ve heard of them but if not just Google “code red.”
Before I move on, one more small point about market share: OS 8, 9 etc had even less market share yet they had their share of malware. If Mac-based OS’s are a fruitless target why would these versions have any at all? That’s right, it’s because they had inferior architectures.
Next, the article states:
Frankly, an operating system can lack all of Windows’ security features and still be more secure. Do you really think, Mr. Miller, that the ways Microsoft devised to plug up the holes in its software are the only way to secure an operating system? I can confirm that they are not.
This is like making a safe out of cardboard, lining the inside with glass, then disparaging metal safes because they don’t have a layer of glass.
I’m not saying that ASLR isn’t a good thing to have anyway but without any currently known remote exploit (and barely any of any other kind) it’s hardly reason to go around planting seeds of distrust is it?
Apple has been writing graphical operating systems for longer than Microsoft, and Windows has always had more malware. I don’t see any “disconnect in their marketing department” either - marketing tells us that OSX is more secure than Windows and that is true.
I could go on but this is too lenghty as it is. I’d be glad to discuss it further though if you care to respond.
Almost tempted to wipe OS X and stick W7 on. But not quite yet.
When we all know that Steve's Reality Distortion Field extends to every Mac on the planet keeping all malware at bay. It's quite clever actually, just like in World War 2 when the British Navy poured green and blue paint into the sea when there were U Boats around. This affected the German periscopes so, thinking they were still under water, kept rising and were shot down with anti aircraft guns. Personally, I would ban Java altogether. Who needs it?
Upgrading from Leopard to Snow Leopard removes the previous Java 1.4.2 and 5.0 installations in /System/Library/Frameworks/JavaVM.framework, and replaces them with links to the Java 6 installation.
But they're *both* predators, not prey....
These Apple security stories are getting OLD.
By the Reg's reckoning, my iMac and old eMac should be zombified bots and my bank account should have been cleared out.
Who says they are not - you would have no idea!
When there's anything more worrying than a few Mac trojans - which I can't get unless I download illegal software from dodgy sites, which I'm not going to do - then I'll start taking these articles a bit more seriously. In the meantime, I can quite happily use my Mac without needing to install any anti-malware software at all. So their marketing department is currently perfectly justified in making its claims about Macs being more secure than Windows.
"...thinking they were still under water, kept rising and were shot down with anti aircraft guns."
Blimey. Could all U-Boats fly, or did the paint cause them to levitate?
In the past it's been reported that Apple supports the current (10.6), and previous (10.5) versions of the Mac OS, so I'd be surprised if Tiger (10.4) gets another Java update.
(I currently use 10.4, and I'm planning an update to 10.6)
Not as catchy a title, eh? But it's pretty much the same thing. So you install, and do an update on third party software that wasn't out when the disks were being pressed. This is news?
As ebveryone knows there ghave never been any exploits written for anty Mac ever and they never crash.
How many times have you downloaded a rogue jar file and double clicked on it?
How often do you see Java applets on websites? facebook's photo uploader is about the only one I can think of.
Other operating systems aren't automatically updated with Java patches anyway. Apple supplies their own Java SDK as they tweak the look of Swing/AWT to look like a native application.
Many products supply old JVMs and don't automatically update. Oracle being one of them. Eclipse IDE and so on...
Or Windows 9, as my fellow Mac users and I know it.