Free Republic
Browse · Search
News/Activism
Topics · Post Article

To: toupsie
"It's impossible to solve the problem completely," Valentine said. "As we solve these problems there are hackers who are going to come up with new ones. There's no end to this."

Yes, apparently it is impossible. Microsoft operating systems are trivial for unauthorized users to crack because Microsoft is institutionally incapable of developing good software. Windows users are sitting ducks for any sufficiently motivated teenage intruder to break in and have his way with the user's files.

Mac users don't experience those problems. Apple's level of developer talent and dedication to secure, high-quality software puts Microsoft to shame.

8 posted on 09/06/2002 11:04:00 AM PDT by HAL9000


To: HAL9000
Microsoft operating systems are trivial for unauthorized users to crack because Microsoft is institutionally incapable of developing good software.

Give it a rest, HAL. There are a truckload of recent Apple security updates listed on Apple's website. I suppose they're "institutionally incapable of developing good software", as well ... http://www.info.apple.com/usen/security/security_updates.html

Security updates

Security updates are listed below according to the software release in which they first appeared. Where possible, CVE IDs are used to reference the vulnerabilities for further information.

Security Update 2002-08-23

  • This security update is for Mac OS X 10.2 (Jaguar) and applies the fixes contained in Security Update 2002-08-02 which was for Mac OS X 10.1.5.

Security Update 2002-08-20

  • Secure Transport: This update enhances the certificate verification in OS X and is now in full compliance with the Internet X.509 Public Key Infrastructure Certificate and CRL Profile (RFC2459).

Security Update 2002-08-02

Security Update 7-18-02

  • Software Update: Contains Software Update client 1.4.7 which adds cryptographic signature verification to the softwareupdate command line tool. This provides an additional means to perform software updates in a secure manner, along with the existing Software Update capability contained in System Preferences.

Security Update 7-12-02

  • Software Update: Fixes CVE ID CAN-2002-0676 to increase the security of the Software Update process for systems with Software Update client 1.4.5 or earlier. Packages presented via the Software Update mechanism are now cryptographically signed, and the new Software Update client 1.4.6 checks for a valid signature before installing new packages.

Security Update July 2002

Mac OS X 10.1.5

  • sudo - Fixes CAN-2002-0184, where a heap overflow in sudo may allow local users to gain root privileges via special characters in the -p (prompt) argument.

  • sendmail - Fixes CVE-2001-0653, where an input validation error exists in Sendmail's debugging functionality which could lead to a system compromise.

Internet Explorer 5.1 Security Update (April 2002)

Mac OS X 10.1.4

Security Update - April 2002

  • Apache - updated to version 1.3.23 in order to incorporate the mod_ssl security fix.

  • Apache Mod_SSL - updated to version 2.8.7-1.3.23 to address the buffer overflow vulnerability CAN-2002-0082 which could potentially be used to run arbitrary code. Further Details at: http://archives.neohapsis.com/archives/bugtraq/2002-02/0313.html

  • groff - updated to version 1.17.2 to address the vulnerability CAN-2002-0003, where an attacker could gain rights as the 'lp' user remotely. Further details at: http://online.securityfocus.com/advisories/3859

  • mail_cmds - updated to fix a vulnerability where users could be added to the mail group

  • OpenSSH -- updated to version 3.1p1 to address the vulnerability CAN-2002-0083, where an attacker could influence the contents of the memory. Further details at: http://www.pine.nl/advisories/pine-cert-20020301.html

  • PHP - updated to version 4.1.2 to address the vulnerability CAN-2002-0081, which could allow an intruder to execute arbitrary code with the privileges of the web server. Further details at:

  • rsync - updated to version 2.5.2 to address the vulnerability CAN-2002-0048 which could lead to corruption of the stack and possibly to execution of arbitrary code as the root user. Further details at:

  • sudo - updated to version 1.6.5p2 to address the vulnerability CAN-2002-0043, where a local user may obtain superuser privileges. Further details at:

Mac OS X v10.1.3

  • WebDAV - Extended the Digest Authentication mode to work with additional servers

Mac OS X v10.1 Security Update 10-19-01

Internet Explorer 5.1.1

  • IE 5.1.1 - Fixes a problem with IE 5.1 bundled with Mac OS X v10.1 where Internet Explorer executes downloaded software automatically, which could result in data loss or other harm. More information is available in the Knowledge Base article 106503.

Mac OS X v10.1

  • crontab - Fixes the vulnerability described in FreeBSD-SA-01:09 where local users can read arbitrary local files that conform to a valid crontab file syntax.

  • fetchmail
  • ipfw - Fixes the vulnerability described in FreeBSD-SA-01:08.ipfw where a remote attack may be constructed with TCP packets with the ECE flag set.

  • java - Fixes the vulnerability described in: http://sunsolve.Sun.COM/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/216&type=0&nav=sec.sbl&ttl=sec.sbl where an untrusted applet may monitor requests to and responses from an HTTP proxy server.

  • open() syscall - Fixes the vulnerability described in FreeBSD-SA-97:05.open where another user on the system could do unauthorized I/O instructions

  • OpenSSL - Included version 0.9.6b which contains a number of fixes from the previous version. See http://www.openssl.org/ for details.

  • procmail - Fixed the vulnerability described in Red Hat RHSA-2001:093-03 where signals are not handled correctly.

  • rwhod - Fixes the vulnerability described in FreeBSD-SA-01:29.rwhod where remote users can cause the rwhod daemon to crash, denying service to clients.

  • setlocale() string overflow - Fixes the vulnerability described in FreeBSD-SA-97:01.setlocale where the setlocale() call contains a number of potential exploits through string overflows during environment variable expansion

  • sort - Fixes the vulnerability described in CERT Vulnerability Note VU#417216 where an intruder may be able to block the operation of system administration programs by crashing the sort utility.

  • system clipboard / J2SE - Fixes a security issue that permitted unauthorized applets access to the system clipboard.

  • tcpdump - Fixes the vulnerability described in FreeBSD-SA-01:48 where remote users can cause the local tcpdump process to crash, and may be able to cause arbitrary code to be executed.

  • TCP Initial Sequence Numbers - Fixes the potential vulnerability described in FreeBSD-SA-00:52 where the algorithm to generate the number the system will use for the next incoming TCP connection was not sufficiently random

  • tcsh '>>' operator - Fixes the vulnerability described in FreeBSD-SA-00:76 where unprivileged local users can cause an arbitrary file to be overwritten when another person invokes the '<<' operator in tcsh (e.g. from within a shell script)

  • telnetd - Fixes the vulnerability described in FreeBSD-SA-01:49 where remote users can cause arbitrary code to be executed as the user running telnetd.

  • timed - Fixes the vulnerability described in FreeBSD-SA-01:28 where remote users can cause the timed daemon to crash, denying service to clients.

Mac OS X Server v10.1

  • MySQL 3.23.42 - Contains a number of fixes from the previous version. See the 3.23.42 section on the MySQL site for details.

  • Tomcat 3.2.3 - Contains a number of fixes from the previous version. See the Tomcat site for details.

  • Apache - Fixed the .DS_Store file vulnerability described in http://securityfocus.com/bid/3324

  • Apache - Fixed the potential vulnerability where .htaccess files might be visible to web browsers if created on HFS+ volumes. The files directive in the http.conf file was modified to block from visibility to web browsers all files whose names begin with .ht, regardless of case.

Mac OS X Web Sharing Update 1.0

  • Apache 1.3.19 - Fixes security issues with sites' use of the mass virtual hosting module mod_vhost_alias or mod_rewrite.

  • mod_hfs_apple -- Addresses Apache case-insensitivity problems on Mac OS Extended (HFS+) volumes.

  • OpenSSH 2.9p2 -- Fixes SSH1 vulnerability described in www.openwall.com/advisories/OW-003-ssh-traffic-analysis.txt.

  • sudo -- Fixes the buffer overflow vulnerability described in FreeBSD-SA-01:38

Mac OS X 10.0.4 Server Update

Mac OS X 10.0.2

Mac OS X 10.0.1

  • OpenSSH-2.3.0p1  --  SSH services are enabled via the Sharing pane in System Preferences

Mac OS Runtime for Java (MRJ) 2.2.5

  • MRJ 2.2.5  --  Fixes a security issue that permitted unauthorized applets access to the system clipboard.

Note:
For the protection of our customers, Apple does not disclose, discuss or confirm security issues until a full investigation has occurred and any necessary patches or releases are available.


21 posted on 09/06/2002 12:46:45 PM PDT by Bush2000



FreeRepublic, LLC, PO BOX 9771, FRESNO, CA 93794
FreeRepublic.com is powered by software copyright 2000-2008 John Robinson