Everyone likes free gifts from Apple, particularly free software updates. Better stuff for free: who could argue? Yet, when Apple released four software updates in the span of two weeks, from November 15 through November 29, coming on the heels of a large and largely undocumented Mac OS X update, it was enough to give anyone pause.
To shed some light on this recent round of updates, let's take a look at Security Update 2005-009, the most substantial and widely relevant one of the bunch.
Security Update 2005-009
You might have been even more confused about the November 29 release of Security Update 2005-009 than usual, at least if you run Mac OS X 10.3.9. For the first day of release, the links on Apple's download page were broken and redirected your Web browser to, well, nothing. Software Update correctly offered and downloaded Security Update 2005-009 on Mac OS X 10.3.9 systems, but people who wanted to download it manually from a Web browser had to wait until the next day.
With that resolved, Apple's ninth security update of 2005 was available in the four expected configurations: for Mac OS X 10.3.9, Mac OS X Server 10.3.9, Mac OS X 10.4.3, and Mac OS X Server 10.4.3. The Tiger versions are 5 MB and 6 MB for the regular and Server versions, respectively; the Panther versions are 20 MB and 33 MB, respectively. They're larger because the Panther versions, unlike the Tiger versions, include fixes from earlier updates, including files we saw in Security Updates 2005-008 and 2005-007. The Tiger versions do not include older fixes because they require Mac OS X 10.4.3, which was released on Halloween and includes Security Update 2005-008 and earlier fixes.
That, by the way, is not to say that Mac OS X 10.4.3 itself doesn't include new security fixes not previously found in any security update. It does. The five documented security vulnerabilities closed in Mac OS X 10.4.3 are summarized in the table below. Two of them involve misleading or delayed changes to group membership or file ownership, another concerns Keychain Access failing to hide any displayed passwords when their keychain locks due to a timeout, and another keeps you from un-ignoring a pending Software Update unless a new, non-ignored update has arrived. (If all this wasn't confusing enough, the vulnerability numbers now all start with "CVE" instead of "CAN" thanks to a renaming decision implemented on October 19.)
Security Fixes in Mac OS X 10.4.3
X = Fixed in this update; * = Affected component or feature was never in this version
The kernel vulnerabilities fixed in Mac OS X 10.4.3 merit a moment of explanation. Programs request memory from the operating system to use for their own purposes, and they release it back to the OS when they're done with it, so the OS may reuse it for other RAM requests. Most programs don't erase the contents of memory before releasing it, though, because that takes time and is usually unnecessary. The OS doesn't erase released memory for the same reasons.
The kernel, however, should erase memory it releases. The kernel never wants to pass along uninitialized memory to callers, because the caller could then see some of what other kernel code had stored in that RAM: a file buffer, a password, a network packet, and so on. Suresec found two problems that could disclose kernel memory to callers in Mac OS X (or FreeBSD, or both), and the FreeBSD folks discovered the other one. Mac OS X 10.4.3 fixes all three, but Apple has not disclosed whether Mac OS X 10.3.9 suffers from similar defects.
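To make the uninitialized-memory problem concrete, here is an added example written for this article; it is not Apple's, Suresec's or FreeBSD's code, and the single reusable block, its size and the sample "secret" are all constructed here. It models a block that "kernel" code uses and releases without erasing, then shows what a later caller sees when the block is handed out as-is versus when it is zeroed first.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Toy model, constructed for this example: one fixed-size block that a
 * "kernel" reuses between callers, standing in for a page of kernel memory. */
#define BLOCK_SIZE 64

static unsigned char block[BLOCK_SIZE];

/* Constructed sample of something kernel code might have left in the block
 * before releasing it (a password, part of a file buffer, a packet...). */
static const char stale_secret[] = "hunter2-placeholder";

/* Kernel-side code uses the block and releases it without erasing it, the
 * cheap and usual behaviour for released memory that the article describes. */
static void kernel_use_and_release(void)
{
    memcpy(block, stale_secret, sizeof stale_secret);
}

/* Leaky allocation: the block reaches the caller exactly as it was left. */
static unsigned char *alloc_uninitialized(void)
{
    return block;
}

/* Correct allocation: erase the block before the caller ever sees it. */
static unsigned char *alloc_zeroed(void)
{
    memset(block, 0, BLOCK_SIZE);
    return block;
}

/* Count bytes a fresh caller can read that are not zero. For a correctly
 * zeroed allocation this is 0; anything else is stale data from earlier use. */
static size_t nonzero_bytes(const unsigned char *p, size_t n)
{
    size_t count = 0;
    for (size_t i = 0; i < n; i++)
        if (p[i] != 0)
            count++;
    return count;
}

/* Scenario: kernel stores the secret, releases the block, a caller allocates. */
size_t leaked_bytes_uninitialized(void)
{
    kernel_use_and_release();
    return nonzero_bytes(alloc_uninitialized(), BLOCK_SIZE);
}

size_t leaked_bytes_zeroed(void)
{
    kernel_use_and_release();
    return nonzero_bytes(alloc_zeroed(), BLOCK_SIZE);
}

/* Returns 1 if the caller can read back the exact stale secret through the
 * given allocator, 0 otherwise. */
int secret_readable(unsigned char *(*alloc)(void))
{
    kernel_use_and_release();
    return memcmp(alloc(), stale_secret, sizeof stale_secret) == 0;
}

int main(void)
{
    printf("uninitialized allocation: %zu stale bytes visible, secret readable: %d\n",
           leaked_bytes_uninitialized(), secret_readable(alloc_uninitialized));
    printf("zeroed allocation:        %zu stale bytes visible, secret readable: %d\n",
           leaked_bytes_zeroed(), secret_readable(alloc_zeroed));
    return 0;
}
```

The same rule applies to any boundary where memory crosses from a more trusted owner to a less trusted one, not only the kernel-to-process boundary. One caveat for the clearing side: when code erases a buffer it is about to free rather than hand out, the compiler may drop a plain `memset` as a dead store, which is why `explicit_bzero` and `memset_s` exist for that case.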
Security Update 2005-009 adds more fixes to that baseline. They're summarized below, with additional columns for the four separate versions of the update. As you can see in the table, many of the errors are the common and easy-to-fix buffer overflow problems we discussed in MWJ 2005.08.20. Other typical errors are in parsing, such as the Safari bug that makes the browser download files with "very long" filenames into an unpredictably wrong directory, or the regular expression engine in JavaScriptCore that can overflow buffers when given a malicious expression.
Security Update 2005-009 Fixes
X = Fixed in this update; * = Affected component or feature was never in this version; # = Bug was not in this version before this update; ? = Unknown
Apple's update notes contain a section marked "additional information" that describes changes that, for no disclosed reason, are included in a "Security Update" but that have no assigned vulnerability numbers. One of these is changing "Core Types to improve handling of Terminal files" for Mac OS X 10.4.3. That's handled through an XML file found at
This "additional information" is disconcerting. For the past few years, Apple has been careful to fix only security problems in security updates. Non-security bugs wait for OS revisions, or for separate installers like an AirPort Update or DVD Player Update. Changes like updating Core Types to warn you about Terminal files clearly count as security fixes, as apparently would updating Safari "to improve handling of credit card security codes."
But if these are security issues, why didn't Apple get CVE numbers for them and document them normally? What is security-related about improving the rendering of QuickDraw PICT files? If Security Updates start including regular bug fixes, a system that's already somewhat confusing could become downright impenetrable. That wouldn't benefit Apple or its customers.
The magic of updates
Mac OS X's Software Update feature is supposed to make it easier to manage your system, by alerting you to the updates you need, downloading them in the background if they're marked as urgent, and installing them for you when you're ready. Yet we know this is not happening, with Security Update 2005-009 and other updates too, because readers, friends, and family continue to tell us so. They simply ignore what Software Update displays because they can't figure out what the updates are supposed to do.
Apple never publicly committed to schedules for Mac OS X Updates or Security Updates, but in general, the former have come quarterly and the latter monthly. It's a rule of thumb, not a law of nature; there have been nine security updates in 2005, and three Mac OS X 10.4 updates in the six months that it's been available. But again, the pattern helps people make sense of updates and feel confident in applying them. Security Updates come every four to six weeks and only address vulnerabilities that attackers could exploit. Mac OS X updates come every quarter or so, and fix both security and non-security bugs in the OS. Important updates in the meantime come for targeted components, like AirPort Extreme or Java 2SE 5.0.
That's easy, that's predictable, that's sensible, to the extent it holds together. It's not good enough to get 80 percent of the way to the goal. Blowing off the last 20 percent leaves everyone puzzled about updates and makes the first 80 percent of the communication work largely irrelevant. That's what's happened this quarter.
Mac OS X 10.4.3 is no less documented than most Mac OS X updates, yet more information would have helped. After that, we got a Security Update that may have non-security fixes in it, a Java update with great developer release notes but almost no user explanation, a barely documented AirPort Update with two different names (and one version with two version numbers), a Broadband Tuner that's not good for most people with broadband, and a firmware update that's a year overdue.
It's incredibly frustrating because Apple is so close to making updates work correctly. The rules aren't complicated.
Apple's update language screams, at top volume, "We don't want to tell you too much about this update because we're embarrassed about it." This does a disservice to the majority of people who are loath to install mysterious updates on working systems. If each of Apple's November updates had been clearly named, described, and presented, everyone would have known what to expect. And imagine how much time the world could spend on more fruitful pursuits if no one ever had to ask what an Apple update does.
[Excerpted with permission from the December 10 issue of MWJ, published by MacJournals.com. Copyright 2005, GCSF Incorporated. For a free trial of MWJ, visit www.macjournals.com.]