Fog Creek Software
Discussion Board

At Least Microsoft Patches are Free

"On Tuesday, Apple released an advisory indicating that the Mac OS X 10.3 upgrade--which adds an improved Finder, better synchronization of files and a tool to help users find a specific window on a crowded desktop--also includes more than a dozen "security enhancements."

However, Apple apparently doesn't intend to fix the flaws in previous versions of the software: Apple's Security Updates Web page doesn't list fixes for the flaws in Mac OS X 10.2 and earlier."

http://news.com.com/2100-7355_3-5098688.html

Matthew Lock
Wednesday, October 29, 2003

10.2.1, 10.2.2, 10.2.3. 10.2.4, 10.2.5, 10.2.6 and 10.2.8 were all free upgrades. 10.3.0 is a major feature upgrade, so you pay for it, just like we paid to go from Windows 95 to Windows 98.

Seems fair to me
Wednesday, October 29, 2003

Yes,

This is trollsome FUD. 10.3 == Panther == the next release of the operating system, it has been a long time coming, everyone knew that it was going to cost to upgrade, etc, etc.

Walter Rumsby
Wednesday, October 29, 2003

I'm not entirely sure it's FUD.

I think the point is that Microsoft releases security patches for previous OSes, sometimes OSes that are more than half a decade old. If the poster is right, and you have to buy 10.3 just to get some of these fixes, that's a pretty rotten thing to do to your users.

Brad Wilson (dotnetguy.techieswithcats.com)
Wednesday, October 29, 2003

Apple says:

"It addresses CAN-2003-0871 a potential vulnerability in the implementation of QuickTime Java in Mac OS X v10.3 and Mac OS X Server v10.3 that could allow unauthorized access to a system. The issue does not exist in earlier versions of Mac OS X or Mac OS X Server."

FUD, plain and simple.

seems fair to me
Wednesday, October 29, 2003

"and you have to buy 10.3 just to get some of these fixes, that's a pretty rotten thing to do to your users."

Fixes in 10.3 won't be _able_ to be applied to <10.1 anyway, that's an entirely different operating system, so even if they _could_ be applied the problem probably doesn't exist there anyway.

And out of Apple's own mouth it was stated that the problem _does not exist_ in 10.1 or 10.2.

All of which leads me to the conclusion that the original poster was merely a moron :)

FullNameRequired
Wednesday, October 29, 2003

At Least Apple Development Tools are free

Panther, costing only $129, comes with a full suite of cutting-edge object oriented visual development tools at no additional charge. Microsoft, on the other hand, charges an arm and a leg for inferior tools.

http://www.eweek.com/article2/0,4149,1362577,00.asp

seems fair to me
Wednesday, October 29, 2003

Try reading closer. If the story is correct, it's not "trollsome FUD".

According to the story, 10.3 contains security fixes that Apple does not intend to make available for earlier versions, meaning that anyone with 10.2 or earlier either coughs up the cash or lives with a system with known security flaws.

The question is will Apple provide a patch for earlier systems to fix the things listed here:
  http://macnn.com/news/21771

SomeBody
Wednesday, October 29, 2003

The .NET framework SDK is free. The GUI IDE is not (although it can be had for as little as $99). Personally, I think the SDK tools -- combined with other free tools like NUnit and NAnt -- are perfectly good starting places.

I will admit that Microsoft IDE is not as good as it can be, but I've yet to find one better.

Brad Wilson (dotnetguy.techieswithcats.com)
Wednesday, October 29, 2003

This is equivalent to saying Microsoft is not providing patches for Win XP to Win NT users.

The patches don't apply.

Walter Rumsby
Wednesday, October 29, 2003

"as little as $99"

Yah Ok, well if we're looking at all the prices for students and everyone, then it's fair to mention that Apple will send anyone a CD with the developer suite, without the OS, for $20, or you can download it for free, zip, nada.

If you qualify, you can get the entire current OS with all the visual development tools, plus a subscription to all future OS releases for the next three years for a special price of $89.

seems real fair to me
Wednesday, October 29, 2003

You can get the VB.Net Visual Studio IDE for $100 retail

http://tinyurl.com/sxsw

Ankur
Wednesday, October 29, 2003

>>
This is equivalent to saying Microsoft is not providing patches for Win XP to Win NT users.
<<

Microsoft does provide patches to Windows NT users if the problem that is patched existed in Windows NT (for example, MSBlast). 

I haven't seen anything yet that demonstrates that all of these OS X fixes are for things that didn't exist in prior versions.  It seems a little bizarre to me that a company would list security fixes as something in a new version if the problem wasn't in an older version.  This makes no sense -- "Here's a new version and, by the way, while we were developing the new version, we discovered some bugs in new Feature 'A' and fixed them."  I can't recall ever seeing fixes for new features being listed as part of what's new in a new version.

SomeBody
Wednesday, October 29, 2003

The original poster was referring to the fact that the retail price for Visual Studio with VB.NET, C#, or C++.NET is $99.

You can also buy a version that comes with the Step-By-Step book for a $79 street price.

These prices are the normal retail, not Academic, etc.

  --Josh

JWA
Wednesday, October 29, 2003

Like the OP, I'm obviously a complete moron. I thought it was perfectly clear that  Mac OS X 10.3 contained a number of fixes for 14 security vulnerabilities that do occur in earlier versions, although it is also true that security update 2003-10-28 contains a fix for one security issue, CAN-2003-0871, which does not occur prior to v 10.3. This seems to imply to a stupid person like myself that, if you want the security vulnerabilities in earlier versions of OS X fixed, then you will have to pay for an upgrade, but obviously I've made a mistake somewhere.

as
Wednesday, October 29, 2003

And it comes with a full license of Windows XP, correct? Or would it be appropriate to compare to the $20/$0 development tools only deal, which is not academic pricing. The $89 is academic, but you get 3 years of OS updates with it. Does $89 get 3 years of OS upgrades and development tools for free on Windows if you are a student?

seems fair to me
Wednesday, October 29, 2003

wow...boring day guys?

Here's the list of actual fixes etc:

http://docs.info.apple.com/article.html?artnum=61798

Only one is labelled 'security' but it looks pretty clear that some others could also fall into that branch.

AFAICT there are _no_ known cases of any attacks that actually take advantage of any of these 'security holes'.
Until there are, I'm inclined to agree with Apple that backdating security fixes for every older version of the OS is rather pointless.

If anyone out there knows of an operating system that does _not_ contain unfixed, theoretical security holes then I'd be most interested in knowing exactly what it is... Amiga OS maybe? Possibly TinyOS? Certainly not Windows, Linux, Apple, or any of the Unix variants...

FullNameRequired
Wednesday, October 29, 2003

It is possible to charge the Mac faithful more money like this every year partly because they are very willing to create justifications, and also because Macs are marketed as elite computers.

There were some complainers when Apple charged for their last upgrade, but Steve was able to convince most users it was for their own good.  Since their demographic does not want to be seen complaining about price, they acquiesced.  Macs are status symbols.  In fact, Jobs' keynotes are similar to a televangelist's job.

If Mac users immediately attack by calling you stupid, it is safe to ignore them and search for the facts, which may or may not be in their favor.

anonymous
Wednesday, October 29, 2003

hi ya Rick :) 


I wondered whether we'd seen the last of you...

FullNameRequired
Wednesday, October 29, 2003

Let me amend that.  "If Mac users immediately attack by calling you stupid or 'Rick'"...

anonymous
Wednesday, October 29, 2003

:) Don't be so defensive, Rick old boy.

FullNameRequired
Thursday, October 30, 2003

Having a look at what was updated:

http://docs.info.apple.com/article.html?artnum=61798

And the new features in Panther:

http://www.apple.com/macosx/newfeatures/

Hmm, Finder, Mail, OpenSSH, etc - i.e. these issues seem to relate to applications new/improved in Panther.

Walter Rumsby
Thursday, October 30, 2003

It's hard to believe, _Windows_ users complaining about _security_. I thought they'd all become inured to such issues.

Hey! I know, let's play the Google game.

I'll enter "unfixed security holes" into Google and see what comes up...

Ouch... look at those unfixed Windows vulnerabilities... sure glad I don't rely on any system as insecure as that...

pot insulting clean kettle
Thursday, October 30, 2003

mmmmm... look at the Panther new features...

http://www.apple.com/macosx/newfeatures/

Full file encryption and on-the-fly decryption... fast user switching (at last!)... built-in fax support as easily as printing... updated version of iCal... built-in PDF support (with Preview finally updated!)... and the list goes on...

Damn... I think I'll buy a PowerBook next...

FullNameRequired
Thursday, October 30, 2003

> It's hard to believe, _Windows_ users complaining about
> _security_. I thought they'd all become inured to such
> issues.

Hey, who said we were Windows users?

> I'll enter "unfixed security holes" into Google and see what
> comes up...

I tried it, and most links have nothing to do with Windows

> Ouch... look at those unfixed Windows vulnerabilities... sure
> glad I don't rely on any system as insecure as that...

Can you demonstrate to me some known Windows vulnerabilities that Microsoft has not commented on whether they will fix them or not?

That's the issue. Apple have refused to comment on whether or not they will fix known vulnerabilities in 10.2.

Matthew Lock
Thursday, October 30, 2003

Hi Matthew,

"Hey, who said we were Windows users?"

<g> by their actions shall ye know them..

"I tried it, and most links have nothing to do with Windows"

Odd... I tried it and most of them _do_...
Oh! Sorry, try doing a find on "unfixed security holes windows".
There's an interesting link there regarding _19_ unfixed (and serious) security holes. Some of them apparently may have been fixed by the latest patches, but MS has refused to be clear one way or the other...

"Can you demonstrate to me some known Windows vulnerabilities that Microsoft has not commented on whether they will fix them or not?"

Not at all reliably... I never read Windows press releases... here's one though that AFAIK they have not made a statement on:

http://www.theregister.co.uk/content/55/26147.html


"That's the issue. Apple have refused to comment on whether or not they will fix known vulnerabilities in 10.2."

It does seem reasonable to assume that they won't be moving any of those fixes into 10.2, but AFAIK they have not made a statement either way.


If you look at them they are all pretty small problems, and the slightly more serious ones are connected with services that are off by default anyway (makes a change eh?  imagine leaving non-essential services off by default).

You really are making a mighty mountain out of an incredibly petty hill ;)

Or maybe I've just become jaded by the apparently endless succession of massive Windows security holes involving non-essential services that are on by default and that allow mean spirited people to entirely take over the machines in question...

FullNameRequired
Thursday, October 30, 2003

> Oh! Sorry, try doing a find on "unfixed security holes
> windows"

Funny. Of course if you search on "unfixed security holes windows" you will find articles on Windows. Trouble is they don't take the articles down when MS releases the patch.

Anywho I don't care. I really like Apple machines, and 10.3 looks like a winner, just thought it was pretty poor of Apple not to comment on whether they would fix 10.2 or not.

Matthew Lock
Thursday, October 30, 2003

"I really like Apple machines, and 10.3 looks like a winner"

It really does. I actually skipped 10.2, staying with 10.1 (just too damn cheap to upgrade for no real reason) but I think I've stayed off the bandwagon for long enough.

<g> All I need is a decent excuse to buy a new G5...

FullNameRequired
Thursday, October 30, 2003

As a Mac user, I'm with Matthew on this, except that I feel that "poor" is too weak a word to describe Apple's treatment of its users in recent years, since Steve Jobs took over again. I think "utter contempt" would be more accurate.

I rather like FullNameRequired's approach to security, though. Why on earth would Apple fuck around fixing security holes that no-one has yet got around to exploiting?

But who the smeg is Rick?

as
Thursday, October 30, 2003

"I think "utter contempt" would be more accurate."

??? Why exactly? What on earth has the poor man done to you that deserves that?

I've been perfectly happy with the odd speech that he's made. <g> Sounded like any other CEO of a billion dollar company to me.
What did you think he was lacking? A bowtie?

"I rather like FullNameRequired's approach to security, though. Why on earth would Apple fuck around fixing security holes that no-one has yet got around to exploiting?"

Sheesh. Did you read the actual list? 'Exploiting' these 'holes' would mean entirely minor problems. Many of the 'holes' require services that are off by default anyway, and the others are either dependent on perfect timing ("theoretical holes") or sunstrike.
I'll repeat, these are _not_ serious issues.

Get a grip guys.

FullNameRequired
Thursday, October 30, 2003

"AFAICT there are _no_ known cases of any attacks that actually take advantage of any of these 'security holes'.
Until there are, I'm inclined to agree with Apple that backdating security fixes for every older version of the OS is rather pointless."

Irrespective of any vendor/OS issues involved, the strategy you outline is simply not workable. You cannot wait for an exploit to be in the wild to start working on your patches for known security issues. It is not a question of supporting everything you ever released for infinity. It is a matter of having a published, predictable support policy and sticking to it. If Apple wants to be taken seriously as an enterprise computing platform (which btw. I do not think is their ambition) they must be able to present a clear lifecycle support model.

Just me (Sir to you)
Thursday, October 30, 2003

"Yah Ok, well if we're looking at all the prices for students and everyone..."

The $99 price I quoted wasn't for a student edition. Anybody can get a single language in Standard Edition for $99 (in point of fact, I have a copy of Visual C# Standard Edition around here somewhere...).

Brad Wilson (dotnetguy.techieswithcats.com)
Thursday, October 30, 2003

"It is possible to charge the Mac faithful more money like this every year partly because they are very willing to create justifications, and also because Macs are marketed as elite computers."

As opposed to Microsoft, of course, who gives their stuff away for free.

Look, it's not Apple's fault that it takes Microsoft more than 3 years to put together a release that's worth paying for.  Meanwhile, they charge their customers annually for all that software they're not getting (subscription model, anyone?).

Jim Rankin
Thursday, October 30, 2003

"The $99 price I quoted wasn't for a student edition. Anybody can get a single language in Standard Edition for $99 (in point of fact, I have a copy of Visual C# Standard Edition around here somewhere...)."

The $0 price quoted for Apple's developer tools includes all the supported languages.  (Granted, not all features are supported for languages other than Objective C, though.)

Jim Rankin
Thursday, October 30, 2003

"Irrespective of any vendor/OS issues involved, the strategy you outline is simply not workable. You cannot wait for an exploit to be in the wild to start working on your patches for known security issues."

Yes, you can. More often than not that's the only way you find out about the security issue in the first place.

This strategy is probably not sufficient for an operating system like Windows that is (a) used by 90% of the computing industry and (b) has more known serious security holes than any other computing system out there, but it is perfectly fine for most of the others.
Let's turn it around... issuing patches for every potential security issue, no matter how small or how unlikely it is to be exploited, and ensuring that those security fixes are backwards compatible with every version of your operating system is a guaranteed way to go bankrupt.

"It is not a question of supporting everything you ever released for infinity. It is a matter of having a published, predictable support policy and sticking to it. If Apple wants to be taken seriously as an enterprise computing platform (which btw. I do not think is their ambition) they must be able to present a clear lifecycle support model."

That sounds like a load of hot air to me. <g> One of those sentences that sounds impressive but actually contains nothing of any actual value.
Is that rule written down somewhere? IIRC Linux has no published lifecycle support model and yet it appears to be taken very seriously for enterprise computing. MS _does_ have a published lifecycle support model of course, but they tend to update it every couple of years anyway, which means that it's of verra limited value for people who actually need to know their intentions.

I suggest that you look at the list of actual fixes... they are pretty minor in my opinion, and the slightly more serious ones are reliant on services that are off by default.

FullNameRequired
Thursday, October 30, 2003

Jim, the nice thing is that the mainstream Windows user rarely has to upgrade.  Microsoft does a good job keeping backwards compatibility, and they're still issuing patches for my Win2k.

I made my point more aggressively than usual, because Mac users were quick to pull out the personal attacks.  Everyone has seen this before, and it's to a level that even surpasses Linux zealots.  I like Macs, but not the users.  Macs themselves are quality machines and worth the cost for many middle-class owners.

How many users want to buy dev environments?  And how many want to upgrade their OS?  Should Microsoft charge $100/year and give away their dev tools?

anonymous
Thursday, October 30, 2003

>>
...has more known serious security holes than any other computing system out there...
<<

Could you give a source for this?  Until you do so, I'll assume that you are a moron.

SomeBody
Thursday, October 30, 2003

Moron is a word that's bandied about all too much these days...

Matthew Lock
Thursday, October 30, 2003

"IIRC Linux has no published lifecycle support model and yet it appears to be taken very seriously for enterprise computing. "

The versions that are considered for serious settings do: e.g. RedHat Enterprise Linux has a published support lifecycle. One could argue it is a policy that is barely adequate, but at least there is one. In other (most) cases this lack is patched by a nice (and very expensive) IBM Global Services contract. In yet other cases the (very large, or specialized vertical needs) business simply brings a branch in-house and ensures support for it through investment in staff. This last scenario is only possible for a completely published OS, and it ensures that there is a niche for which these systems are uniquely suited.

In the case of Apple, you will be stuck with Apple as the sole supplier of OS patches (exactly the case you are in with Microsoft, Unix vendors or "Enterprise" Linux distros). Unlike Microsoft, Apple does not seem to have a clear business support roadmap. What is worse: Apple is the sole supplier of hardware for its system, and has always tied new OS releases to model ranges. This leads to "hardware failure forces OS upgrade, since hardware compatible with the previous OS is no longer on the market" upgrade cycles.

Just me (Sir to you)
Friday, October 31, 2003

"Apple does not seem to have a clear business support roadmap."

I'm not clear on exactly what you think such a roadmap will cover?

Apple has an excellent record in terms of providing updates for older OSes; this particular storm in a teacup is centred around an article on which Apple made a 'no comment' statement, _not_ a 'we will not be providing any further updates for 10.x < 10.3' statement.
(They have already provided a number of updates to 10.2 btw, and given their past record I fully expect them to provide more... <g> If they don't I promise I'll be the first to shriek loudly.)

"What is worse: Apple is the sole supplier of hardware for its system, "

Interestingly enough that is also one of its greatest strengths... hardware integration with Mac OS is very good indeed and has always been very good in the past; this is _because_ Apple is the sole supplier of hardware for its system.
<g> It's one of the tradeoffs I've always felt to be very worthwhile.

"and has always tied new OS releases to model ranges."

Nothing wrong with that either; from a marketing perspective it makes perfect sense from their POV, and from the POV of their customers there is no loss involved, surely? I mean, I can run any new OS on the older hardware (there was a bit of a skip in that between OS 9 and OS X of course, but that was just because they were so different); if I don't wish to do that then I can continue to run the older OS... I really don't see the problem here.


Oops... <g> then I read the next sentence...
"This leads to "hardware failure forces OS upgrade, since hardware compatible with the previous OS is no longer on the market" upgrade cycles."

Maybe it can in theory, but in my experience it never has. I've _never_ had that problem, except the skip between OS 9 and OS X, but there were good, practical reasons why the new OS would not run on older hardware.
In general newer versions of the OS have always run perfectly well on the older machines; I have a new FireWire drive that works as well in OS 8.6 as it does in OS X 10.x, ditto with the Mac keyboard and fancy-dan infra-red mouse.
My printer is new, but works perfectly (and painlessly) with everything I've tried it on from 8.6 to 10.2.
One of my clients has a network of OS 9 computers, coupled with half a dozen 10.x computers, and they all network without trouble.

<shrug> Honestly, the _only_ problem I have with the Macintosh is the slightly higher prices of their machines... but given the overall excellence of what they provide I always tend to make the same decision again whenever I rethink it (which is every time I need to purchase a new computer).

...these days the price difference isn't so great either, especially for comparable PC laptops...

FullNameRequired
Friday, October 31, 2003

Just Sir said:

"hardware failure forces OS upgrade, since hardware compatible with the previous OS is no longer on the market" upgrade cycles.

Sir to me, just curious if you are saying that this is different from any of the other OS vendors out there. I found it difficult to install XP on my 286.

Dennis Atkins
Friday, October 31, 2003

http://maccentral.macworld.com/news/2003/10/31/jaguarfix/index.php?redirect=1067595294000

Apple has finally made a statement about the patches... they will be providing patches for <10.3 for the security issues.

<g> Have some faith people...

FullNameRequired
Friday, October 31, 2003

FNR,

I mean something like http://support.microsoft.com/default.aspx?pr=lifecycle

Dennis,

it would be the opposite: e.g. buying a new machine that can still run Win98. Not all machines will, but it is still possible.

Just me (Sir to you)
Friday, October 31, 2003

You mean a website 'promising' 5 years of support? Starting from 2002... what did Microsoft users do for support before then?

<g> I wonder how this balances out with the shrinkwrap license that you have to agree to before using any Microsoft product... you know, the one that totally repudiates any responsibility whatsoever for the software in question, and that makes it absolutely clear that MS is in no way responsible for supporting, maintaining or delivering _anything_ in the future.

I mean, legally speaking... would that license take priority over the 'promise' made in the link you gave me, do you think?

Or maybe the 5 year support lifecycle would be seen as binding by a court?

Now Apple has fairly similar licenses of course, but what they _don't_ have is a webpage pretending that that license isn't important.

<g> The mainstream support phase of 5 years for consumer products sounds good, until you click on the "Products no longer supported by Microsoft" link and see all the Works 2001, Encarta 2000 type products...

That support lifecycle is a work of fantasy old chap, and any security you may feel when reading it is _entirely_ misplaced.
Microsoft has arbitrarily changed its rules to suit itself in the past, and I have no doubt it will do so again in the future.

This is perfectly reasonable and absolutely within the rules laid down by the software license it uses to distribute software.

FullNameRequired
Friday, October 31, 2003

I'd just like to quote something FullNameRequired said earlier:

>>
Fixes in 10.3 won't be _able_ to be applied to <10.1 anyway, that's an entirely different operating system, so even if they _could_ be applied the problem probably doesn't exist there anyway.

And out of Apple's own mouth it was stated that the problem _does not exist_ in 10.1 or 10.2.

All of which leads me to the conclusion that the original poster was merely a moron :)
<<

So what are these fixes that Apple is going to provide for earlier versions then??

SomeBody
Friday, October 31, 2003

Hi Somebody,

The fixes that are being added to the <10.3 os patch are listed at:

http://maccentral.macworld.com/news/2003/10/31/jaguarfix/index.php?redirect=1067595294000

You can view them at your leisure :)

FullNameRequired
Friday, October 31, 2003

FNR,

Ah, right. Well, if I understand correctly you can still buy a new Mac that runs OS 9. Apparently they've got some dual G4s and something called the eMac. So it would be similar to your example of running 98 on a new PC, I guess?

Dennis Atkins
Friday, October 31, 2003

Ah dangit that was supposed to be addressed to Just you/Sir to me.

Dennis Atkins
Friday, October 31, 2003

OK, well to those wondering what Apple's policy was and whether they have one, the article just posted does explicitly state such a policy:

>"Apple's policy is to quickly address significant vulnerabilities in past releases of Mac OS X wherever feasible," Apple said in a statement given to MacCentral.

Ho hum.

Dennis Atkins
Friday, October 31, 2003

So, is this where we all sing the FUD song? What are the lyrics to that song? Seems like we're singing it about one thing or another about weekly. Maybe we could make a campfire and roast some marshmallows.

Dennis Atkins
Friday, October 31, 2003

"Maybe we could make a campfire and roast some marshmallows."

mmmm...marshmallows...

FullNameRequired
Friday, October 31, 2003
