INTERACT FORUM

Please login or register.

Login with username, password and session length
Advanced search  
Pages: [1]   Go Down

Author Topic: OSX Security Flaw -- Apple recommends updating to Yosemite  (Read 2376 times)

JimH

  • Administrator
  • Citizen of the Universe
  • *****
  • Posts: 72446
  • Where did I put my teeth?
OSX Security Flaw -- Apple recommends updating to Yosemite
« on: April 10, 2015, 10:51:00 am »

Article at Engadget
Logged

bob

  • Administrator
  • Citizen of the Universe
  • *****
  • Posts: 13875
Re: OSX Security Flaw -- Apple recommends updating to Yosemite
« Reply #1 on: April 10, 2015, 11:23:09 am »

Article at Engadget
Brilliant.
And what are the myriad of users without the hardware required to update to Yosemite supposed to do?
Apple has traditionally supported at least the previous release of OSX with security updates. They should be roasted for this.
Logged

blgentry

  • Regular Member
  • Citizen of the Universe
  • *****
  • Posts: 8014
Re: OSX Security Flaw -- Apple recommends updating to Yosemite
« Reply #2 on: April 10, 2015, 12:27:15 pm »

Security is complex.  When most people think of security threats to their home or office computer, they think of remote exploits where an attacker can gain control of the machine with no action from the person running the computer.  Windows is famous for having lots and lots of these types of vulnerabilities which has led to this mind set.

The particular issue being addressed here is a LOCAL exploit.  It requires a person at the computer to do something *OR* it requires the person to INSTALL a program that then exploits the vulnerability.  It does allow a rouge user or program to have complete control over the machine, so it's pretty serious.  But it is NOT A REMOTE EXPLOIT.

Further, while the issue has been tested and confirmed in OSX 10.8, it hasn't yet been replicated on 10.9.  It *is* present on 10.10, which is why 10.10.3 has been introduced to correct the problem.  So what if you're running 10.8 and you want to be safe?  You can upgrade to 10.9 or 10.10.  Or you can follow the advice in this article to secure the machine.

Apparently simply running your Mac as a non-administrator user makes this exploit not work.

I hope this helps you guys understand the nature of the threat and the level of danger it represents.  To me, the danger is pretty low.

Thanks,

Brian.
Logged

bob

  • Administrator
  • Citizen of the Universe
  • *****
  • Posts: 13875
Re: OSX Security Flaw -- Apple recommends updating to Yosemite
« Reply #3 on: April 10, 2015, 01:27:36 pm »

As the article points out, the default is to run as administrator so changing the account requires something the average person will never do.

You'll not often find someone that uses Apple products more than me. It's lame that they are implying the issue exists on the earlier versions of MacOS and pushing to upgrade to 10.10.
I've been running OSX since 10.0.0 public beta and with these updates there have always been generations of hardware that are unable to upgrade.

Logged

glynor

  • MC Beta Team
  • Citizen of the Universe
  • *****
  • Posts: 19608
Re: OSX Security Flaw -- Apple recommends updating to Yosemite
« Reply #4 on: April 16, 2015, 01:50:17 am »

Brilliant.
And what are the myriad of users without the hardware required to update to Yosemite supposed to do?
Apple has traditionally supported at least the previous release of OSX with security updates. They should be roasted for this.

In Apple's defense here, Bob... 10.10 and 10.9 have the exact same system requirements.  Any machine that can run 10.9 can run 10.10.  They dropped nothing between the two.  Same goes for Mavericks to Mountain Lion.  Any machine that can run 10.8 could run 10.9.  So, you're going 3 major versions back there.  And, of course, the upgrade is free for anyone running Snow Leopard 10.6.8 or newer.

And... Yosemite, Mavericks, and Mountain Lion were also all pretty forgiving on what hardware they'll will run on:

Quote
Before you install Yosemite, make sure you have one of these Macs:

    iMac (Mid-2007 or newer)
    MacBook (Late 2008 Aluminum, or Early 2009 or newer)
    MacBook Pro (Mid/Late 2007 or newer)
    MacBook Air (Late 2008 or newer)
    Mac mini (Early 2009 or newer)
    Mac Pro (Early 2008 or newer)
    Xserve (Early 2009)

Your Mac also needs:

    OS X Mavericks, Mountain Lion, Lion, or Snow Leopard v10.6.8, already installed
    2 GB or more of memory
    8 GB or more of available disk space

I think they only dropped like one or two devices from 10.7 to 10.8, even, but I'm too lazy to look.  The big cutoff was between 10.6.8 and 10.7, because of the 64-bit requirement.

So... I don't think it is quite the same as not fixing a bug on, Android, for example when you had partners shipping devices 6 months ago that will never get the patch.  Or Windows where they charge you to update.  They go back quite a ways, and the fixes are free.

Considering both of those facts, I can see them being all like: Forget you, upgrade it.  If MC was free and compatible with the same exact hardware, would you go back and fix stuff like this in MC19 today, or would you say: "It is free, just upgrade"?
Logged
"Some cultures are defined by their relationship to cheese."

Visit me on the Interweb Thingie: http://glynor.com/

6233638

  • Regular Member
  • Citizen of the Universe
  • *****
  • Posts: 5353
Re: OSX Security Flaw -- Apple recommends updating to Yosemite
« Reply #5 on: April 16, 2015, 03:01:29 am »

I think they only dropped like one or two devices from 10.7 to 10.8, even, but I'm too lazy to look.  The big cutoff was between 10.6.8 and 10.7, because of the 64-bit requirement.
We still have a few MacBooks in use here that are stuck on 10.6.8

They're actually still fine for what they get used for, and in this case it's not a major issue that Apple don't bother to release security updates for them any more as they are not used as daily machines for browsing the internet. It's more frustrating that I don't have access to a lot of the newer apps, or that it can be difficult to get hold of an older 32-bit version of apps which were updated to 64-bit at some point.

While I can understand why Apple might not keep it up-to-date, 10.6 is only five years old - which makes it the equivalent of Windows 7, and Microsoft is going to release security updates for that until 2020.
 
Even Windows 10 supports 32-bit hardware, so I should probably investigate switching these systems over from OS X to Windows at some point - though at least one of them will have to stick with OS X for a few specific apps that won't run on newer versions of OS X.
 
And I'm not the only one - I know a few other people that are stuck keeping around a system dedicated to an older version of OS X because certain software that they own was broken on newer releases and there are no alternatives. Or if there are, those alternatives are too expensive to justify for the sake of an OS upgrade.

Though Apple may do a better job keeping iOS hardware up-to-date than Android hardware, they still very quick to abandon things.
Logged

glynor

  • MC Beta Team
  • Citizen of the Universe
  • *****
  • Posts: 19608
Re: OSX Security Flaw -- Apple recommends updating to Yosemite
« Reply #6 on: April 16, 2015, 06:47:07 am »

Yes.  They certainly abandon hardware more quickly than Microsoft does.  They can because they control the hardware platform, so they can be very careful about the specific devices they abandon.  I think that has generally been a good thing for them, because they're not as "stuck" as Microsoft.

But, that wasn't the point I was making.  Re-read the line of Bob's I quoted.  ;)
Logged
"Some cultures are defined by their relationship to cheese."

Visit me on the Interweb Thingie: http://glynor.com/

bob

  • Administrator
  • Citizen of the Universe
  • *****
  • Posts: 13875
Re: OSX Security Flaw -- Apple recommends updating to Yosemite
« Reply #7 on: April 16, 2015, 09:51:50 am »

Yes.  They certainly abandon hardware more quickly than Microsoft does.  They can because they control the hardware platform, so they can be very careful about the specific devices they abandon.  I think that has generally been a good thing for them, because they're not as "stuck" as Microsoft.

But, that wasn't the point I was making.  Re-read the line of Bob's I quoted.  ;)
Still, a few machines that can't upgrade is not zero.
Also as the updates roll in the memory requirements generally go up along with the complexity of the built in software.
Each release is always slower on the same hardware and on older machine it just get's so slow as to be unusable.
iOS shows this even more. My 3gs was reasonably fast on ios4, slow on ios5 and like a dog on ios6.
Logged

glynor

  • MC Beta Team
  • Citizen of the Universe
  • *****
  • Posts: 19608
Re: OSX Security Flaw -- Apple recommends updating to Yosemite
« Reply #8 on: April 17, 2015, 12:54:04 am »

iOS shows this even more. My 3gs was reasonably fast on ios4, slow on ios5 and like a dog on ios6.

Agreed, but iOS isn't exactly the same thing.  The rate of IPC gains in mobile processors has been at a pace not seen in x86 land in many a year.  Comparing your 3GS's 600 MHz ARM Cortex-A8 CPU to the Apple A6 Swift cores is like comparing a Pentium Pro to a Core 2 Duo.  They were doubling and doubling and doubling (and tripling in some spots) performance year after year.  Plus, RAM sizes ballooned too (the biggest issue with the 3GS on iOS 6 was the RAM limits on the old device). I'd also say they've gotten better at that with iOS since the 3GS on iOS 6 days.  It was touch and go for a while at first, but iOS 8 works just fine on my old iPhone 5.  My mother-in-law has it, and still uses it, and it is fine.  My iPad 3 is... Less fine.  But that was a compromised device from day one (the GPU was really just barely fast enough to run that display), and the iPad 4 we have at work is much better with it.

But, I think including every machine they've released since 2009 (and including more powerful machines back to machines in 2007) is pretty decent for a free update.  It is 2015.  XP was supported for absurdly long, but Microsoft isn't patching Windows 8.0 anymore either (because 8.1 is a free update to everyone who can run Windows 8.0).

Does it compare to long-term release and support cycles for enterprise OSes?  No, but that's not what it is for, it is a consumer OS.  And in my experience in practice, Yosemite runs as-well-as-if-not-better-than Mountain Lion on machines that support it, much like Windows 8.1 does compared to 8.0.  Up until 10.10.3, I'd have been a bit more skeptical and stuck with Mavericks for best stability, but I've been quite happy with it since the most recent huge bugfix release.

If your machine is newer than mid 2009 or so, and probably even older, then you can upgrade for free if you want to.

Like I said, I do not dispute in any way that they do drop hardware quicker than Microsoft.  They do, but I think it is overall healthier for the platform to drop them when they do.  And in many ways, it is often healthier for the customer's machine too (rather than squeezing it to run on something it can't, like iOS 6 on a 3GS).  But, in this particular instance, I can see their point.  And they haven't been very aggressive in dropping older Mac hardware since the big 32-bit/64-bit schism between 10.6.8 and 10.7.

It does stink if you have a Core 2 machine that can't get past 10.6.8 or 10.7, I grant you.  That machine is going to be a pretty darn old computer, though.  I'm sure there are some that are still in service out there (my mother-in-law has an old one which she handed-down to my father-in-law last Christmas when she got her new 13" Retina), but... It is pretty old, and cruddy, and only still worth using at all because of the SSD I put in it.

There's certainly still room for criticism in the iOS space (they're still selling iPad 2 hardware right now in the iPad Mini 1 shell, which is crazy-pants). But on OSX their track record here is decent and understandable, if not ideal.  If you assume that they weren't going to go back and fix Lion (and they didn't for FREAK or other recent vulnerabilities where they did patch 10.8, 10.9, and 10.10), and every single machine that can run 10.8 can also run 10.10 for free?  Dunno.  I think that's acceptable.  It is a patch, with a bunch of new features.  How different is that from Windows XP SP3?
Logged
"Some cultures are defined by their relationship to cheese."

Visit me on the Interweb Thingie: http://glynor.com/
Pages: [1]   Go Up