Apple has released the latest version of its Mac OS X operating system - 10.3.4 - but has failed to keep it up-to-date with security patches, despite claims to the contrary and a variety of pompous pronouncements.
The operating system has been warmly welcomed by Mac users, but as one site, MacFixIt, has pointed out, the 10.3.4 update does not include the vital Security Update 2004-05-24, which prevents the Help viewer from being misused to plant malicious files on the hard drive.
This is despite Apple's claim that the latest version "Includes recent Mac OS X Security Updates." On the OS' official security page, Apple claims that Mac OS X 10.3.4 is "safe and secure": "Because it's built on Open Source standards, Mac OS X provides you with time-tested security and reliability not available on proprietary systems." Its documentation also claims that security is at the core of the operating system.
However, not only does a patch rated "extremely critical" not come with the latest OS, but Apple makes no mention of the need to download and install it separately. In fact, it claims it is already installed. Anyone who has upgraded to 10.3.4 should therefore run Software Update and check that Security Update 2004-05-24 has actually been applied, rather than rely on the release notes.
On top of this, Apple has yet to provide a patch for another "extremely critical" hole, first reported over a week ago, even though it falsely claimed that its Help viewer patch also covered this hole, which allows a malicious hacker to remotely execute code.
These holes are still easily exploitable, and an updated version of a test engine by Unsanity reveals how significant the unpatched hole is. Tony Smith, hardware editor of The Register, who has also written about Apple's failure to include the patch, confirmed to us that he had installed 10.3.4 and then installed the patch manually, but that Unsanity's scripts were still able to exploit his system.
So far, all Apple has produced by way of explanation is a short statement which reads: "Apple takes security very seriously and works quickly to address potential threats as we learn of them."
Such apparent pomposity will do nothing to quell security companies' criticism of Apple. Head of Secunia, Niels Henrik Rasmussen, told us earlier this week: "Microsoft and most Linux distributions have learned the lesson and properly describe the nature and the impact of (most) vulnerabilities, allowing their customers to properly estimate the severity of a fixed issue. This is not possible when reading an Apple update."
And eEye earlier announced with respect to another hole: "Apple is doing a disservice to its customers by incorrectly labelling this vulnerability as a 'crash bug' rather than stating correctly that attackers can compromise systems running the affected Apple software."
One wonders how much longer the software company can continue to pretend that security somehow does not apply to its operating system.
And the OS itself
That said, Mac OS X 10.3.4 otherwise appears to be getting a warm welcome. Improvements include: better file sharing and directory services; improved OpenGL technology and updated ATI and NVIDIA graphics drivers; better disc burning and recording functionality; closer integration with the iPod; improved compatibility for third-party apps; and updated general apps including Address Book, Mail, Safari, Stickies, and QuickTime. Lots more info here.
All in all, a good package. Apart from the security holes that is.