In Fear of Security Update 2005-007
A few hours ago, AppleInsider posted that Apple's newly released Security Update 2005-007 had major problems when it came to 64-bit apps, namely that it completely broke them:
Wolfram Research, makers of the popular Mathematica software, began informing its customers of the issue in an email on Tuesday. The company said the security update disables its flagship Mathematica software: "Due to an error on the part of Apple, this update prevents any 64-bit-native application from running. In particular, this means that Mathematica 5.2 will not run on any G5 system if it has installed this Security Update."
MacInTouch apparently contacted Apple and confirmed the issue. The same email AppleInsider was working from ended up on the Mac Enterprise list in its entirety yesterday evening...
** Important notification for users of G5 Macintosh systems running OS X 10.4 **
At approximately 8 p.m. PDT on Monday, August 15, Apple began automatic distribution of Apple Security Update 2005-007 for Mac OS X 10.4.2 (Tiger).
Due to an error on the part of Apple, this update prevents any 64-bit-native application from running. In particular, this means that Mathematica 5.2 will not run on any G5 system if it has installed this Security Update.
This problem was discovered by our testing procedures a few hours ago, and Apple has now assured us that they have stopped automatic distribution of Security Update 2005-007 at this time.
If you did not install Security Update 2005-007, then you will not be affected. If your Mathematica 5.2 successfully launches and performs any computation (such as 2+2), then this also means that you have not been affected.
If you have been affected, then Mathematica 5.2 will generate a MathLink error when you try to do any computation with it. (If you run MathKernel directly from the command line, it will crash at startup.)
Apple has informed us that there is no workaround for this problem.
Apple is investigating the problem at high priority, and intends to distribute a new Security Update in the very near future. This update will correct the problem and allow Mathematica to run successfully.
To run Mathematica 5.2 today, you must temporarily disable its 64-bit capabilities. You can do this by running the following commands in the Terminal:
cd /Applications/Mathematica\ 5.2.app/Contents/MacOS
cp MathKernel MathKernel.bak
lipo MathKernel.bak -remove ppc64 -output MathKernel
If you are unable to run the script above, an alternative is to use an earlier version of Mathematica. The problem with Apple Security Update 2005-007 affects only 64-bit applications; Mathematica 5.2 is the first 64-bit-native version of Mathematica.
Note that when Apple has made the corrected Security Update available, and you have installed it, you must reverse the procedure above by running the following commands:
cd /Applications/Mathematica\ 5.2.app/Contents/MacOS
mv MathKernel.bak MathKernel
If you do not run these commands, Mathematica will not operate in optimized native 64-bit mode.
We regret the inconvenience caused by this problem, and hope that as soon as Apple has corrected the problem you will continue to enjoy the outstanding performance of Mathematica on 64-bit Macintosh systems.
Sincerely,
The Technical Support Team Wolfram Research, Inc.
P.S. Should you require further technical support for this problem, Apple has informed us that you should contact them.
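The lipo workaround in the email above rewrites Mathematica's universal (fat) Mach-O binary so that it no longer carries a ppc64 slice, leaving the 32-bit ppc code in place. The Python below is an added example, not Wolfram's or Apple's code: it parses the fat header and arch table laid out in <mach-o/fat.h>, rebuilds the file without a chosen slice (which is what `lipo -remove` does), and lets you confirm the architecture list before and after; the sample fat binary and its slice contents are constructed for the example and stand in for real Mach-O slices.

```python
import struct
# Constants from <mach-o/fat.h> and <mach/machine.h>; the fat header is always big-endian.
FAT_MAGIC = 0xCAFEBABE
CPU_TYPE_POWERPC = 18
CPU_TYPE_POWERPC64 = CPU_TYPE_POWERPC | 0x01000000   # CPU_ARCH_ABI64 flag
ARCH_NAMES = {CPU_TYPE_POWERPC: "ppc", CPU_TYPE_POWERPC64: "ppc64"}
NAME_TO_CPU = {name: cpu for cpu, name in ARCH_NAMES.items()}
FAT_HEADER = struct.Struct(">II")    # struct fat_header: magic, nfat_arch
FAT_ARCH = struct.Struct(">IIIII")   # struct fat_arch: cputype, cpusubtype, offset, size, align (log2)

def parse_fat(data):
    """Return the arch table as (cputype, cpusubtype, offset, size, align) tuples."""
    if len(data) < FAT_HEADER.size:
        raise ValueError("too short for a fat header")
    magic, nfat = FAT_HEADER.unpack_from(data, 0)
    if magic != FAT_MAGIC:
        raise ValueError("not a fat Mach-O (magic 0x%08x)" % magic)
    arches = []
    for i in range(nfat):
        entry = FAT_ARCH.unpack_from(data, FAT_HEADER.size + i * FAT_ARCH.size)
        if entry[2] + entry[3] > len(data):
            raise ValueError("slice %d runs past the end of the file" % i)
        arches.append(entry)
    return arches

def arch_names(data):
    """Architectures present, in table order (what `lipo -info` reports)."""
    return [ARCH_NAMES.get(a[0], "unknown(0x%x)" % a[0]) for a in parse_fat(data)]

def slice_bytes(data, name):
    """Raw bytes of the named slice, so a survivor can be compared before and after."""
    for cputype, _, offset, size, _ in parse_fat(data):
        if cputype == NAME_TO_CPU[name]:
            return data[offset:offset + size]
    raise KeyError(name)

def build_fat(slices):
    """Serialize [(cputype, cpusubtype, align, payload)] into a fat file. Each slice starts
    at the next multiple of 2**align, the page alignment lipo uses (align 12 = 4 KiB)."""
    header_len = FAT_HEADER.size + len(slices) * FAT_ARCH.size
    table, pos = [], header_len
    for cputype, cpusubtype, align, payload in slices:
        mask = (1 << align) - 1
        pos = (pos + mask) & ~mask
        table.append((cputype, cpusubtype, pos, len(payload), align))
        pos += len(payload)
    out = bytearray(FAT_HEADER.pack(FAT_MAGIC, len(slices)))
    for entry in table:
        out += FAT_ARCH.pack(*entry)
    for (_, _, _, payload), (_, _, offset, _, _) in zip(slices, table):
        out += b"\x00" * (offset - len(out))   # zero padding up to the aligned offset
        out += payload
    return bytes(out)

def remove_arch(data, name):
    """Rebuild `data` without the named slice: the operation behind `lipo -remove ppc64`.
    Only the header and arch table change; surviving slices are copied byte for byte."""
    target = NAME_TO_CPU[name]
    arches = parse_fat(data)
    keep = [(ct, cs, al, data[off:off + sz]) for ct, cs, off, sz, al in arches if ct != target]
    if len(keep) == len(arches):
        raise ValueError("fat file has no %s slice to remove" % name)
    return build_fat(keep)

# Constructed sample: tiny stand-ins for thin Mach-O slices (MH_MAGIC 0xFEEDFACE opens a 32-bit slice, MH_MAGIC_64 0xFEEDFACF a 64-bit one).
PPC_SLICE = b"\xfe\xed\xfa\xce\x00\x00\x00\x12" + b"ppc32-code"
PPC64_SLICE = b"\xfe\xed\xfa\xcf\x01\x00\x00\x12" + b"ppc64-code"
SAMPLE_FAT = build_fat([(CPU_TYPE_POWERPC, 0, 12, PPC_SLICE),
                        (CPU_TYPE_POWERPC64, 0, 12, PPC64_SLICE)])

def demo():
    """Apply the workaround to the sample and report what changed."""
    thinned = remove_arch(SAMPLE_FAT, "ppc64")
    return {"before": arch_names(SAMPLE_FAT), "after": arch_names(thinned),
            "ppc_intact": slice_bytes(thinned, "ppc") == PPC_SLICE,
            "size_before": len(SAMPLE_FAT), "size_after": len(thinned)}

if __name__ == "__main__":
    print(demo())
```

Running `arch_names` on the real MathKernel before and after the workaround (and again after the `mv` that reverses it) is the quick way to confirm which state a machine is actually in.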
As you can see in the screenshot, it's still going out. And yes, I know I am behind, I reinstalled from scratch again yesterday to try to document things in a more scientific way. For the record, science is saying Tiger can bite me. I tried to check 40 minutes ago to see if the update was still there, but Software Update stalled and had to be force quit, which completely locked up the GUI layer, which forced a hard reboot and a round of DiskWarrior "just in case" while I hung around.
I'll admit I was pretty damn pissed, as this was the second time Software Update has done this to me in 10.4, but MarsEdit tempered my anger by saving the last big chunk of the post...
The first time it was trying to check in the background, and popped up the little thing in the Dock where it was going to show me there were updates, but then wouldn't let me switch to it... and trying to force quit it locked up the GUI too.
Anywho, if you weren't aware of the problem, you'd probably install it. If you have your computer set to automatically install security updates, you could well already have it. This situation brings a few things to mind...
- Luckily, there aren't that many native 64-bit apps on the platform, so the pool of people who will be affected will be segmented and easily identified. Wolfram mentions native, and the frameworks are touched by this update, but Mathematica is still dead via the CLI. It's unknown whether this will affect someone running a 64-bit version of, say, MySQL, and unfortunately I know only one person running a 64-bit version on OS X and they aren't going to install it to see.
- Of those who are affected, they'll be severely affected. It's nasty. I.E., while Wolfram has a workaround for running the program slower on your hardware via the GUI, you're out of luck when it comes to using it via the CLI.
- With adequate testing procedures -- including an adequate testing pool -- a bug of this magnitude should never get out of Cupertino, let alone down the chain and into our systems. Since adequate testing procedures would have caught it, you couldn't blame someone for assuming Apple's testing procedures are inadequate for the type of software they're shipping.
- Memory is a funny thing, and we have a tendency to gloss over the bad and remember the good. Unfortunately, my memory is telling me that updates going out and being yanked the same day or the next -- with little explanation of the problem or what to do if you already installed it -- is entirely too common with OS X.
- Reversion is way past due in Mac OS X, and an update like this only shows how important it is. Reversion is what would allow you to tell the system to uninstall this security update, or any update if you are having problems.
I.E., if you install something like this and have major problems -- or it automatically installs in the background -- your only real way to get close to a reversion process is to boot from CD, do an "Archive and Install", and then install updates to get to where you were before. It's good to do nightly backups.
- It's nice to see that they're supporting 10.3.9 in this update for the client and server, but it's still decidedly not nice that we have no idea how much longer they'll continue to do so. Repeat after me: Apple will never be taken seriously in the enterprise market until they tell people how long they will support what they're buying.
- If you look through the tech note for S.U. 2005-007, Apple's documentation for updates isn't yet perfect, but I feel as though I should note again how much it's improved. If you go back through the archives, or have been around for awhile, this is something I harped on for a long, long time.
I almost hate to give them props for improvement here, because I think it -- and more specifically their entire process for dealing with security issues and bugs -- could still use major work and I'd hate for people to think the issue is taken care of. It's not, but they're miles from where they were and it's worth rubbing them a bit for it.
The other thing that's coming to mind is the idea of too much, too sexy versus taking your medicine all at once:
- Too much, too sexy
You're probably not aware of it, but Macs get hacked all the time now, although ~95% of the hacks occur on Macs acting as exposed servers somewhere. Platform differences can make them immune from some attacks, but not all, and I'm often forwarded sites served from a Mac that are defaced because a script kiddy got in.
Often times, this has as much to do with a flaw in the software they're using -- say a bulletin board software -- but often it's due to flaws in what Apple is rolling into their OS. I.E., in this update there are updates to SquirrelMail and ping and traceroute, as well as major issues for those using LDAP and fun things where a flaw in OpenSSL can allow someone to grind your server off the grid.
Now, this security update is huge. It not only touches a lot of apps, it makes sizable changes to CoreFoundation and AppKit which can affect any app running on top of them.
The problems with it being teh huge is twofold:
- If you need any of the above updates, but installing this will kill apps on your G5-based systems you also need in order to get work done, your only choice is to run an insecure system until Apple fixes the issue.
- Flaws don't get fixed at the same time, and if you are waiting for a security update with 30+ fixes, that means you're waiting on some of the updates in general. This is becoming increasingly unacceptable as the time between a problem being found and exploits in the wild keeps going down. If you need that Kerberos update but don't care about Bluetooth, or vice-versa, you're out of luck.
If you are lucky, you might be able to find a workaround, or do away with what Apple ships and install your own, but that can create its own headaches and isn't an option for a whole lot of what Apple is shipping.
The obvious solution to this is to break the updates out into individual updates that target the service they're affecting. I.E., roll the Apache updates into one, and the Bluetooth updates into another, and the CoreFoundation updates into another, and let people pick and choose what they want to install and when. The time lag for the flaw-to-fix goes down, and administrators and users are able to avoid what will screw them up without giving up the rest, so people have more secure systems across the board.
- Taking your medicine all at once
Of course, those being affected by Too Much, Too Sexy aren't the only school of thought, or rather the only aspects that have to be kept in mind, and there are some problems with breaking out all of the updates. For starters, Mac users like to laugh about launching Windows and seeing that it needs to install 120 different updates to their 20, but there are others...
- What Apple is doing now -- lumping all these updates into one -- is easier for them, which means it's less expensive. I.E., Apple does do some internal testing, and while the things I'm digging up are making me wonder at its thoroughness, there are internal processes patches have to go through before they go out. For the way they're set up now, running one patch through the QA process is much easier than running 30 through it.
- A lot of users -- especially the ones Apple says they're trying to target -- need updates broken out for the reasons I gave above, but I'm sure if Apple did it they'd get just as many requests for them not to do it.
Both groups of users are using Macs to try to get things done, instead of personal use, but it's how they go about dealing with updates that causes the problem. Generally, in an organization of any size where computers are being used to get stuff done you don't just install an update. It first has to be qualified.
I.E., if you are responsible for supporting 50 Macs running x software, and a patch for Mac OS X comes out, you first test it under the apps your business or school needs to run to make sure Mathematica, Quark, Office, networking functionality or even some learning game doesn't stop working. You have to do this, because an aberrant patch could work fine for most users, but a change in Safari could mean none of your employees could log into the intranet.
If your company depends on, say, Microsoft Office, and they release 40 little patches instead of 2 larger patches, each one has to go through the company's testing process before it can be rolled out, which means it's more expensive, and many of them would much prefer to deal with bigger rolled-up updates. The lack of being able to roll back updates, and the fact that software for administering Macs is somewhat anemic compared to other platforms, only exacerbates the problem.
Of course the flip side of this is that my font bug for Office 2004 may well be fixed, but I'm waiting on it because they have 10 other things that they want to include in one larger update. This stuff is never simple.
If forced to choose between the two interests I'd go with the Too Much Too Sexy side, because of the two they are the ones that are actually screwed with little options or recourse. The other side has options, they're just annoying and require more effort and expense, but honestly I'd rather not have to choose sides.
When forced to deal with two competing yet valid interests with little overlap, if you try to take a hammer to it a lot of stuff is going to squish out at the sides, which means an elegant solution is needed.
Comments (28)
Posted by: Finlay Dobbie at August 17, 2005 03:49 PM
It's nice to see that they're supporting 10.3.9 in this update for the client and server, but it's still decidedly not nice that we have no idea how much longer they'll continue to do so.
I received the following some time ago from one of Apple's marketing executives:
We've tried to be explicit about our policy:
- We only patch one active OS release at a time with Software Updates
- We will patch both the current and prior OS release with Security Updates
- Decisions about backporting patches are due to a combination of feasibility and severity
- If the bug itself is introduced by a Software Update, we will fix any regressions.
I asked where this information was publicly available, and the last I heard was that he was "looking into it" (on 20 May 2005).
Posted by: Michael at August 17, 2005 03:52 PM
Well, I've used System Restore on Windows Me and - like most M$ software - it's crap. It breaks things. Far better to disable it and recover the space. The XP version is, apparently, marginally better, but if I still had an XP machine I doubt I'd risk using it.
Yep, 2005-007 is still there:
http://www.apple.com/support/downloads/
Posted by: Wes McGee at August 17, 2005 04:47 PM
I'm not a Mac user (never touched one) but this is surprising to me. Microsoft introduced this in Windows ME as "System Restore" and lots of tools let you take system snapshots.
It's not just "System Restore", but most of the hotfixes, patches and updates released by MS can be uninstalled through the Add/Remove programs menu (though obnoxiously enough, not WMP updates).
(Of course I'm 6 minutes away from finishing a clean install of Tiger on the G3 iBook (better deal than Henrico Co. -- it was free)... if that update is still there, I'll be disappointed).
Posted by: Derek at August 17, 2005 04:48 PM
I'd rather they have an easy way to break up the updates so you can do unsupported power user installs like you could do in the classic OS. It was nice to know in 9 and below that I could custom configure and control many collections of libraries or features. Now that you bring this up, custom system configuration for power users is what I miss most about 9 and below.
Posted by: at August 17, 2005 04:52 PM
I can't see how the Software Update application could lock up an entire system.
Posted by: Wes McGee at August 17, 2005 04:57 PM
Don't knock him... SU froze my iBook the first time I got it and turned it on...Though I thought it was just because the machine was slow...
Though here I guess I'm glad that I don't have either a G5 or Mathematica...
Posted by: Adam J. at August 17, 2005 05:08 PM
Just to add to your "Taking all your medicine at once", as a user having patches that require a restart come out at the same time means I have to reboot less often.
Posted by: sundoggy at August 17, 2005 05:37 PM
Hey DB. Interesting post. As someone who is haunted on a daily basis by Windows because I'm forced to use it, I have to say one thing that they do right is the ability to restore a previous system state. It seems crazy that you can't do this on a Mac. If you could, I'd be much more likely to install system updates as they come in, but I don't until I feel safe and see what people like you experience and comment on about such updates.
The comment above by Finlay is very interesting also. As a marketing person, I found the correspondence with the Apple marketing person rather funny given that we're supposed to communicate effectively and his communication was riddled with grammar/typo problems (sort of like your post today!)
Speaking of which, where do you go when you've got issues with Apple... I mean where do you go where someone will listen? I get the feeling Apple frequently doesn't listen until it reaches critical mass. Quite frustrating and it also makes it difficult to be an Apple advocate. In fact, lately I've been kind of quiet.
What's one to do outside of get constantly frustrated.
Posted by: Other_Matt at August 17, 2005 05:59 PM
Mmm, Windows System Restore... Let's reinstall all the malware I just removed!
I know things scan the System Restore data, but they still don't always get it.
Posted by: simplisticton at August 17, 2005 07:12 PM
Windows System Restore (at least in XP) is rather reliable and an absolute necessity when a simple software install (ironically, in my case, anti-virus software) can kill your entire system.
I don't understand why more OSes don't use the Linux approach of distributing patches by package and/or application. It's clean, simple, and rarely results in a borked system and *never* in a system that can't be unborked by backing out the package install.
Posted by: Chucky at August 17, 2005 07:27 PM
Can't modern software development find some way to eliminate buffer overrun vulnerabilities in the first place?
Posted by: Anthony at August 17, 2005 07:31 PM
This is not a new thing.
Check any Mac-centric board and whenever any update comes out, you'll see a bunch of people posting their results.
That wouldn't happen if the frequency of breakage was small enough to be ignored.
Posted by: Art at August 17, 2005 07:41 PM
I'll admit I was pretty damn pissed, as this was the second time Software Update has done this to me, but MarsEdit tempered my anger by saving the last big chunk of the post...
"It was like, uh, a really good paper..."
Shilling for MS now? Anti-Switcher ads on the cheap?
Posted by: Anthony at August 17, 2005 07:43 PM
> Can't modern software development find some way to eliminate buffer overrun vulnerabilities in the first place?
For the most part, yes, but it's pretty difficult to do with unmanaged languages (like C). There are also other types of vulnerabilities that cannot yet be "cured".
Posted by: robert at August 17, 2005 10:10 PM
Tiger cannot install software updates automatically. It can only download them in the background for you.
Reversion sucks on windows and encourages all sorts of user freak outs over suspicious activity they think is related to installed updates breaking their creaky machines. The options it presents to keep or discard cryptically named dynamic libraries are useless to the average user, and knowledgeable users don't need system roll backs. In fact I would argue that system restore has probably hurt Microsoft more when neophytes try to uninstall patches and run into these problems, sooner or later they just give up and never bother to patch. Why should a modern OS involve its users under the hood like this?
I can't see any way that breaking software updates into smaller chunks helps anyone. Computer users do not want to confront a mass of patches coming randomly down the pike; it encourages all sorts of hypochondriac computing behavior like "hey that last update just ate my term paper" and induces update fatigue, exactly the problem that windows has been battling for years. Test well, roll them up and deploy monthly.
I agree that this bug should not have appeared, but my feeling is that since it is confined to 64 bit apps they are testing well, just not out to the edges.
"You're probably not aware of it, but Macs get hacked all the time now, although 95%+ are Macs acting as exposed servers somewhere" What does this mean? I don't get the use of "although."
Posted by: Craig Turner at August 17, 2005 10:11 PM
Apple have been lax on this stuff for years. I remember a java update that completely broke WebObjects. How does a company come to ship a java update that breaks their flagship java application server?
Posted by: drunkenbatman at August 17, 2005 10:59 PM
Tiger cannot install software updates automatically. It can only download them in the background for you.
Good catch Robert -- noted in the post. My bad.
Posted by: Martey at August 17, 2005 11:10 PM
Reversion sucks on windows and encourages all sorts of user freak outs over suspicious activity they think is related to installed updates breaking their creaky machines. The options it presents to keep or discard cryptically named dynamic libraries are useless to the average user, and knowledgeable users don't need system roll backs.
I am not sure what version of Windows System Restore ("reversion" sounds like something you *don't* want to have on your computer) you are used to, Robert, but System Restore in Windows XP does not have those kinds of problems. Neither Windows updates nor System Restore ask about DLL files (they replace them without prompting); the only Windows applications I have seen that have this type of behavior are some installers.
That said, I have seen less technically-inclined users have two problems with System Restore. 1) They scan their computer and think the existence of an old malware file in a System Restore point means their computer is infected, or 2) they use System Restore, which restores malware to their computer or uninstalls a Windows security patch that they needed. Neither of these problems, however, is System Restore's fault, and I am hard-pressed to see how Microsoft could fix them.
Posted by: robert at August 18, 2005 01:54 AM
My bad, it was an installer that asked to confirm/delete a .dll file, not System Restore as Martey pointed out, AND it was under Win2K... now that I think of it.
I think the behaviour I describe is accurate though. I have a lot of windows friends who are very loath to mess with their machines, despite the presence of such "features" as Add/Remove Programs and System Restore, and even I am loath to do so in Virtual PC, for cryin' out loud, when there is no penalty for mistakes. So if the "features" designed to ease the minds of the average user are not being used, and even feared, then it seems as if the ms approach to usability is flawed.
Posted by: Mac-arena the Bored Zo at August 18, 2005 01:57 AM
just to let you know: the command lines in the Mac-Enterprise email are coming out as one line per paragraph.
Posted by: m@dman at August 18, 2005 02:24 AM
Lux on the dock! So much for avoidance!
Posted by: robert at August 18, 2005 02:27 AM
last post for me...
So the comments are coming down more on the side of System Restore "good" than not, so I must try to trust it more. Mea culpa.
I think we need to remember what average users are likely to face, and maybe this is what I meant to post first: how many average users are running Mathematica, for example? I know SJ likes to trot out the Wolfram pony at keynotes and make him dance, and it is an important app for a good portion of the Apple community, but I think those people running it are pretty capable of dealing with any problem that might come up. In fact I think they probably are Rocket Scientists... This is not a problem that many average users will confront.
So what is my point? I take issue with the title, "In Fear of Security Update". That word, Fear, is what worries me. There is so much Fear in computing, and I think it is fair to point most of the blame Microsoft's way; they really have helped to create a climate where Fear is the right word to use when dealing with their software. And journalists like to pick it up and pretty soon Consumer Reports (anyone have an email for those ass-hats?) is saying that 20% of Mac users reported viruses in some bogus survey the methodology of which even they can't explain or defend. So more FUD on top of FUD.
And I believe that MS actually likes it this way, because the more you can point to things like "Well, Apple has their share of problems too, look at what this says" and the more disinformation that gets spread-why do you think Mac users rabidly post when this stuff gets printed, its just so far from the truth, 20%, I mean, come on? But this makes it through and into the consciousness and the damage is done.
So for me, "Fear of Security Update" is completely wrong, and way overblown. You are asking all these questions about well maybe it breaks SQL? and yada yada, and it just seems unnecessary.
Why does this mean anything to me if Apple gets tarred with the same brush as Microsoft? It has a real impact because it slows the adoption and support for Apple products which means that I can't enter my gas meter reading on the Con Ed website and they continually estimate my bill and that costs real money, because the stupid web-masters used MSIE only technology. Or the patent office or Library of Congress is forced to support only certain browsers in their new copyright registration website because their backend database is only capable of doing that.
And yes it all gets worked out eventually, and I ignore the rest, but it doesn't have to be this way, and Fear is the thug that opens doors for Money. Don't be at one with the Thugs DB...
Posted by: Dan Todd at August 18, 2005 02:29 AM
Security Update 2005-007 version 1.1 is now available. It claims to include a 32 and 64 bit version of the library that was 32bit only in the previous update and thus broke Mathematica et al.
I've done a google, but can't find a reference to the update, but I have downloaded and installed it!
Posted by: loki at August 18, 2005 02:36 AM
Just to note that Apple has now replaced Security Update 2005-007 1.0 with Security Update 2005-007 1.1, both in Software Update and on the support site. It claims to have fixed the 64-bit problem.
Posted by: robert at August 18, 2005 02:40 AM
..that was fun while it lasted...
Posted by: Peter da Silva at August 18, 2005 04:41 PM
I would be more inclined to care about security updates if Apple disclosed more information about what the updates were for and what they were preventing: remote or local, and denial of service or code execution or privilege escalation.
Posted by: Jonathan at September 1, 2005 10:48 PM
By the way, Security Update 2005-007 has COMPLETELY disabled the Audio/MIDI setup utility, which has a lot of us in the audio industry completely P-ed off!