Panther: A £99 security update?

• Tags:
• Security,
• Mac OS X,
• Jaguar,
• Panther

Published: 30 Oct 2003 09:15 GMT

• 
• 
• 
• 
• 

Apple Computer's latest version of its Mac OS X operating system, Panther, patches security flaws that affect previous versions of the operating system, leaving security experts wondering if users will have to pay the £99 upgrade fee to be secure.

On Tuesday, Apple released an advisory that indicate that the Mac OS X 10.3 upgrade -- which adds an improved Finder menu, better synchronisation of files and a tool to help users find a specific window on a crowded desktop -- also includes more than a dozen "security enhancements".

However, Apple apparently doesn't intend to fix the flaws in previous versions of the software: Apple's Security Updates Web page doesn't list fixes for the flaws in Mac OS X 10.2 and earlier.

"It is not a friendly thing to tell your customers to shell out a lot of money to stay secure," said Thor Larholm, senior researcher for software security firm PivX Solutions. "It would be a dangerous precedent, if they did."

Apple declined comment.

David Goldsmith, director of research for @stake, a security company that found four of the vulnerabilities, confirmed that Apple said it wasn't going to patch the flaws in earlier versions of the software. "In my initial conversations with them, they said they weren't going to fix 10.2, but I wouldn't be surprised if they change that," he said.

Typically, companies that charge for software provide security updates for the software for a certain period of time. Microsoft provides support for its products for about five years and releases service packs every year that include all the enhancements to the software. Microsoft doesn't charge for the service packs.

"Imagine if Microsoft tried to charge for security fixes -- people would go crazy," Larholm said.

Linux vendors typically work things a bit differently, as so much of the software they distribute is produced by developers outside the companies. Red Hat, for example, charges about $40 (£24) for its desktop edition and provides a year of easily accessible updates for free through its Red Hat Network. After that, users either have to pay $60 a year for the service, manually install each update or subscribe to a free service such as Ximian's basic Red Carpet service. (Novell now owns Ximian.)

Apple's plan falls between the two models, offering bug fixes for free but charging $129 for the update to the operating system. Panther is the third update the company has released since Mac OS X debuted in March 2001.

The current set of vulnerabilities include a flaw in the operating system that causes applications to be installed that have insecure file permissions. Other vulnerabilities could allow a local or remote user to crash the system.

@stake's advisories say users should either upgrade to Panther or turn off the affected software component.

But PivX's Larholm said Apple would have to release some patches to previous versions of its OS or risk angering its users.

"They have stated that they want to release a new version of OS X every year, but this is the first time they have hinted that they will not be supporting any particular OS X version for more than that year and that they expect all their customers to upgrade their operating system on a yearly basis," he said.

ZDNet Australia's Patrick Gray contributed to this report.

• 
• 
• 
• 

• Share this article:
• Digg
• Slashdot
• Del.ici.ous
• Stumble
• Reddit

• Most Recent
• Most Popular
• Most Discussed