08/15/2005, 5:15pm, EDT

Monday, August 15th

Apple patches 34 exploits with latest security update

Apple today released Security Update 2005-007 for the client and server versions of Mac OS X 10.3 Panther and Mac OS X 10.4 Tiger. Apple says the update delivers a number of security enhancements and is recommended for all Macintosh users. It includes updated components for Apache 2 (Server version only), AppKit (2), Bluetooth, CoreFoundation, CUPS printing service, Directory Services, HIToolBox, Kerberos authentication, Apple's loginwindow, several Mac OS X Server components, Mail.app email client, MySQL (Server-only), OpenSSL system security layer, ping/traceroute networking tools, QuartzComposerScreenSaver, Security, Interface, Safari web browser, SquirrelMail mail server (Server only), X11 windowing system, WebKit (Tiger-only), Weblog Server (Tiger Server only) and zlib compression library.


Filed under: software



7 comments
34???
0
08/15, 5:37pm, EDT
WTF? Apple hire MS programmers recently. It's been a long time since MS has fixed 34 security holes in one sitting. Maybe if Apple spent more time evaluating and scrutinizing code (and finishing it, for goodness sakes) than trying to add as many unfinished whiz-bang features, we wouldn't have to have all these security updates.
Fresh-Faced Recruit
Joined Aug 2001
Exploits?
0
08/15, 5:56pm, EDT
34 exploits? Or vulnerabilities? There's a world of difference; most of what I see described in the notice are buffer-overflow "vulnerabilities", which are frequently only hypothetical, since actually exploiting a buffer overflow requires a bunch of other things to go right (for the bad guy). An "exploit" is a documented, reproducible way to take advantage of the vulnerability, and is a much more scary thing.

I think too many people are prone to use the words interchangeably, and thereby (as in this case) overstate the danger.

Buffer overflows are probably one of the most common programming errors made in C/C++; such vulnerabilities, when found, should be corrected, even if there is no known exploit. But please let's be careful in describing what Apple is fixing here.
Fresh-Faced Recruit
Joined Aug 2004
perspective
0
08/15, 7:15pm, EDT
Apache CUPS LDAP Kerberos MySQL OpenSSL Squirrelmail X11 (XFree86/xorg) zlib

Are all services that Apple simply bundles and/or wraps a GUI around. Apple does not write or maintain code for these projects.
Clinically Insane
Joined Mar 2001
Mail.app
0
08/15, 8:39pm, EDT
This is a big one:

(And the people who get credit must be pretty fast, because this was reported by zillions of people, myself included, before "official" release date. :)

---

Mail CVE-ID: CAN-2005-2512

Available for: Mac OS X v10.4.2, Mac OS X Server v10.4.2

Impact: Loss of privacy due to Mail loading remote images in HTML emails.

Description: When Mail.app is used to print or forward an HTML message, it will attempt to load remote images even if a user's preferences disallow it. As this network traffic is not expected, it may be considered a privacy leak. This update addresses the issue by having Mail.app only load remote images in HTML messages when the preferences allow it. This issue does not affect systems prior to Mac OS X v10.4. Credit to Brad Miller of CynicalPeak and John Pell of Foreseeable Solutions for reporting this issue.
Fresh-Faced Recruit
Joined Aug 2001
Re: exploits and perspect
0
08/15, 10:32pm, EDT
34 exploits? Or vulnerabilities? There's a world of difference; most of what I see described in the notice are buffer-overflow "vulnerabilities", which are frequently only hypothetical, since actually exploiting a buffer overflow requires a bunch of other things to go right (for the bad guy). An "exploit" is a documented, reproducible way to take advantage of the vulnerability, and is a much more scary thing.

Yet no one seems to blink an eye when MS releases security patches for vulnerabilities and gets blasted for being insecure and full of holes, etc.

Apache CUPS LDAP Kerberos MySQL OpenSSL Squirrelmail X11 (XFree86/xorg) zlib

Are all services that Apple simply bundles and/or wraps a GUI around. Apple does not write or maintain code for these projects.


Hey, maybe Apple should spend some time working on these projects to make sure they aren't full of security holes before they decide to include it in their 'premier' OS, esp. one that everybody talks about being so secure...
Fresh-Faced Recruit
Joined Nov 2000
Exploits/perspective
0
08/16, 9:30am, EDT
Yet no one seems to blink an eye when MS releases security patches for vulnerabilities and gets blasted for being insecure and full of holes, etc.

No argument here; people tend to jump on low-probability potential vulnerabilities with the same zeal as actual exploits, although MS does get properly hammered for blatant vulnerabilities that have led to real problems.
Fresh-Faced Recruit
Joined Aug 2004
what was that movie about
0
10/07, 9:59pm, EDT
stopping a crime before it happens by using the think police?

This is so BS, compare exploits to exploits. So in the four years OSX has been out what's the score to windows now? 0 to 50,000+

go to the CERT search page and type in "exploit" http://search.cert.org/
Fresh-Faced Recruit
Joined Jan 2002