Security is everyone's problem.
Did you even read any of these advisories before saying Apple didn't do it?
There's not a ton of detail out there on the second exploit, so I'm not sure whether or not they can actually be paired to gain kernel privileges remotely. Still, more than enough reason to take these issues seriously and make sure you upgrade in a timely manner.
I run Mountain Lion (OS X 10.8.5) on one of my systems. For the longest time, whenever I click "Software Update", it says that there are no updates (though it does offer OS X El Capitan as an upgrade).
I can understand that Apple or any company doesn't want to support old software indefinitely, but if security updates are available as separate packages--without having to do a major OS upgrade--then you'd think that "Software Update" should offer it!
At the moment security updates cover versions 10.9+. The most recent security update for OS X v10.8.5 was in August (a bit over 3 years after the initial release of 10.8), and 10.9+ have had an additional 5 security updates after that.
Reminds me of how easy it was to jailbreak the first iPhone (in 2007) with a malicious image. No computer required.
- Use a quick hack to enable WiFi on a brand new unactivated phone (for which you just paid full price).
- Visit a website with a malicious TIFF file. Voilà!
The best part: the above jailbreak also claimed that they patched the vulnerability after exploiting it.
Still can't believe the fact that they let people walk away with a subsidised phone without a contract to ensure they'll recoup the price.
Did they? The cheapest one was $599 initially. I don't feel that's the price of a subsidized phone. After a few months the price was dropped by $200, but that was to accelerate sales and capture a bigger market share.
Their pricing & sales model was unconventional, both for AT&T as well as customers, because the device was unique in so many ways back then.
Memory safety is nice, but I wish Rust evangelists would 1) stop acting like it's a panacea, and 2) acknowledge that Rust isn't really fully baked yet. I have various complaints about the language and standard library, but the real show-stopper is this: https://github.com/rust-lang/libc/issues/290
Java specifically doesn't have this issue because its image decoders (except for JPG) are written in Java itself.
So whilst, for the types of library that Apple OSes use, rewrites in Rust would avoid any odd IPC issues and be the most obvious drop-in replacement, you would pay the cost of rewriting the libraries, as I guess there are no mature Collada or OpenEXR libraries in Rust. I do see a TIFF library, though it says it doesn't support interlaced images.
Some people do wrongly act like Rust will solve all security issues forever, but the OP did not.
Which version of OS X is fully patched?
Has this even been fixed yet?
Previous HN discussion here:
Apple info here:
https://support.apple.com/en-us/HT206903 (OS X)
OS X Security Update 2016-004 applies to v10.9.5, v10.10.5, and v10.11+ https://support.apple.com/en-us/HT201222