October 31, 2003 11:31 AM PST
Apple plans to remedy OS X security issues
While some in the security community fretted that Apple would only make the patches available as part of the $129 Panther upgrade, Apple said it will also offer the security patches for older versions of Mac OS X.
"Apple's policy is to quickly address significant vulnerabilities in past releases of Mac OS X wherever feasible," the company said in a statement. "The shipment of Panther does not change this policy. Apple has an excellent track record of working with CERT (Computer Emergency Response Team) and the open-source community to proactively identify and correct potential vulnerabilities," it said.
The concern began on Tuesday, when Apple released an advisory that indicated that the Mac OS X 10.3 upgrade--which adds an improved Finder menu, better synchronization of files and a tool to help its users find a specific window on a crowded desktop--also includes more than a dozen "security enhancements."
At the time, some in the security community said they believed that Apple was not planning to offer updates for older Mac OS X versions and expressed their displeasure.
"It is not a friendly thing to tell your customers to shell out a lot of money to stay secure," said Thor Larholm, senior researcher for software security firm PivX Solutions. "It would be a dangerous precedent if they did."
David Goldsmith, director of research for @Stake, a security company that found four of the vulnerabilities, said it was his understanding that Apple was not planning on patching the flaws in earlier versions of the software.
"In my initial conversations with them, they said they weren't going to fix 10.2, but I wouldn't be surprised if they change that," he said.
Typically, companies that charge for software provide security updates for the software for a certain period of time. Microsoft provides support for its products for about five years and releases service packs every year that include all the enhancements to the software. Microsoft doesn't charge for the service packs.
Get Up to Speed on...
Get the latest headlines and
company-specific news in our
expanded GUTS section.
"Imagine if Microsoft tried to charge for security fixes--people would go crazy," Larholm said.
Linux vendors typically work things a bit differently, as so much of the software they distribute is produced by developers outside the companies. Red Hat, for example, charges about $40 for its desktop edition and provides a year of easily accessible updates for free through its Red Hat Network. After that, users either have to pay $60 a year for the service, manually install each update or subscribe to a free service such as Ximian's basic Red Carpet service. (Novell now owns Ximian.)
Apple's plan falls between the two models, offering bug fixes for free but charging $129 for the update to the operating system. Panther is the third update the company has released since Mac OS X debuted in March 2001.
The current set of vulnerabilities include a flaw in the operating system that causes applications to be installed that have insecure file permissions. Other vulnerabilities could allow a local or remote user to crash the system.
@stake's advisories say users should either upgrade to Panther or turn off the affected software component.
But PivX's Larholm said Apple would have to release some patches to previous versions of its OS or risk angering its users.
"They have stated that they want to release a new version of OS X every year, but this is the first time they have hinted that they will not be supporting any particular OS X version for more than that year and that they expect all their customers to upgrade their operating system on a yearly basis," he said.CNET News.com's Ina Fried and ZDNet Australia's Patrick Gray contributed to this report.