Re: The clock is running down on OS X "security"
- From: michelle ronn <completelyinvalid@xxxxxxxxx>
- Date: Tue, 14 Aug 2007 04:39:04 GMT
On 2007-08-13 20:34:05 -0700, Timberwoof <timberwoof.spam@xxxxxxxxxxxxxxxxxxxxx> said:
In article <2007081319175316807-completelyinvalid@boguscom>,
michelle ronn <completelyinvalid@xxxxxxxxx> wrote:
The wide open holes that are in OS X are getting more public by the day.....
http://news.com.com/8301-10784_3-9759132-7.html?tag=nefd.only
Now, let's see how many security "experts" on this forum will continue
to stick their heads in the sand...
The author's opinion is based on how the release of OS X is behind on
the releases of several of the software packages contained in it:
package   OS X     latest
OpenSSH   4.5p1    4.6p1
OpenSSL   0.9.8d   0.9.8e
Apache    1.3.33   1.3.37
Samba     3.0.10   3.0.25b
Cups      1.1.23   1.2.11
Maybe you could point out to us the significant security flaws that
were discovered in these servers between the OS X releases and fixed by
the latest releases.
It would be interesting, perhaps, to do a fresh install of OS X 10.4.0
and list the versions that came with it, just to see if Apple updates
these services with their software updates.
Now of these that are listed, I'd consider SSH, SSL, and Apache to be
potentials for real trouble: these are for services that have business
being opened to the Big Bad Internet. (I would never expose Samba or
Cups on an open server. Windows file sharing on an Internet server? Are
you nuts? Printer sharing on an Internet server? Are you nuts?! [FWIW, I
would not do AppleShare either.])
If these services are running on a commercial site, then the sysadmin
should be keeping tabs on the open services and updating them as needed to
respond to bug fixes and security patches. If they're running on an
internal-only site with controlled access to trusted users, then I'll
happily stick my head in the sand about these issues while taking care
of the Windows users and their eternal problems connecting to file
servers and wireless routers.
So, Michelle, where do you work as a sysadmin?
I have not done sysadmin work since college.
I agree with you that any sysadmin that is worth a flip should be keeping up with current patches, outside of OS X releases. However, those sysadmins are becoming fewer and far between. To add, Apple does not provide these patches.
The key here is the method that is being exposed. OS X is releasing behind the current revisions. This is also common with large shops: don't go with the new stuff unless you have to; stick with the older tried-and-true bits.
This does leave one exposed to issues that get patched.