• Security information for an end-of-life operating system is lacking


    Author
    Topic
    #2686169

    ON SECURITY By Susan Bradley Lately, I’ve been working on painting the trim on my house. We have old-fashioned caulked windows. To make sure that the
    [See the full post at: Security information for an end-of-life operating system is lacking]

    Susan Bradley Patch Lady/Prudent patcher

    8 users thanked author for this post.
    • #2686181

      ..Apple is another vendor that often doesn’t release detailed information about vulnerabilities until a later date…

      Apple has explained that it doesn’t release detailed information about vulnerabilities because not all devices have been updated, and they would be at risk if detailed information were published.

      • #2686242

        Often it’s a long time before the details are released. That’s a long time to push out updates.

        Susan Bradley Patch Lady/Prudent patcher

      • #2686363

        IMHO statements such as the following (which was copied from this page: https://support.apple.com/en-us/HT214105) are not terribly informative.

        “Disk Management

        Available for: macOS Monterey

        Impact: A user may be able to elevate privileges

        Description: An authorization issue was addressed with improved state management.

        CVE-2024-27798: Yann GASCUEL of Alter Solutions

        Entry added June 10, 2024”

        I don’t think I should have to go to the referenced CVE article in order to get information such as the severity of the vulnerability, does an attacker need physical access to a computer, etc.

        Oh, and by the way, notice the wording under the heading “Description”. This wording is ubiquitous on the “About the security content of macOS (fill in the blank)” web pages. Almost every issue is addressed with improved something or other. Well yes, I supposed something or other did need to be improved. But here’s a thought – which I think would apply to all software vendors, not just Apple – why not just do it right the first time?

        • #2686372

          CVE-2024-27798 Detail

          Description
          An authorization issue was addressed with improved state management. This issue is fixed in macOS Sonoma 14.5. An attacker may be able to elevate privileges.

          Does this give you the missing details you are looking for ?

          1 user thanked author for this post.
          • #2686428

            Thanks for your effort, but no, it doesn’t. The first and last sentences are almost identical to the “Description” statement on the Apple web page (quoted by me above). And the middle sentence simply says the issue was fixed. So apparently there is no additional enlightenment in the CVE article. But I expect something more from Apple.

    • #2686265

      That’s a long time to push out updates.

      Apple knows exactly the percentage of users installed the last security update.
      Apple may wait for high% before releasing details.

    • #2686325

      Excellent article, Susan—thank you!

      You mentioned the YouTube video about the guy who connected an XP system to the Internet:

      The video garnered many views and was cited in — you guessed it — clickbait headlines. I don’t want to spoil it for you, because it’s sometimes interesting to check out this sort of thing, but I noticed a problem — he turned off the firewall.

      Yeah, he connected XP directly to the Internet with no firewall of any kind. Still, the experiment was interesting as it showed what can happen if a computer has no protection at all. But the experiment would be more valuable if he repeated it each time after adding a single layer of protection (e.g., a router with hardware firewall, then the software Windows Firewall, then anti-virus, etc.).


    • #2686328

      In the past, Cloud service providers (CSPs) refrained from disclosing information about vulnerabilities found and resolved in cloud services, unless customer action was required. The common understanding was that if the customer didn’t need to install updates then no additional information was necessary to help them stay secure. However, as the industry matures, we recognize the value of transparency. Therefore, we are now announcing that we will issue CVEs for critical cloud service vulnerabilities, regardless of whether customers need to install a patch or to take other actions to protect themselves.

      Living in the Seattle area, where both companies are frequently in the news, I can’t help thinking that maybe Microsoft learned a lesson from their manufacturing counterpart across the lake with the decision not to let pilots know about a new system because they didn’t have to do anything with it. (Obviously not a direct analogy, except for the general attitude!)

    • #2686382

      Hi Susan,

      Thank you (and your comrades) for the article and the AW newsletter; I read it every week. I’ve been using PCs since the mid-’70s but I’m slow to keep up with the times. I still use a 15 year old Win7 desktop with Eudora email and MSO 2010 — if that tells you anything about me. But I do have a couple of Win10 computers for stuff that won’t work with Win7. And y’all have been scaring me about Win11. I too have been increasingly unhappy with Microsoft and others trying to push web data and web apps onto me. I like keeping my apps and data locally where I can control things and maintain privacy a little better. But, given present trends, I’ve wondered lately whether I should start tinkering with Linux, Libre Office, etc. How about an AskWoody article or even a series for dilettantes like me who are wondering whether to try making the switch. Or please let me know if there are some good books or websites that have already covered this ground. Thank you. Kelly Butler

      1 user thanked author for this post.
      JGO
    • #2686384

      Speaking of EOL and TLS 1.2:
      Did you know that they cut Server 2008 (NT 6.0) off from Windows Update two or three months ago? Even if you are a paid ESU subscriber (moreover, Premium Assurance till 2026).

      The endpoint “fe2.update.microsoft.com” now uses TLS 1.2 cipher suites that are supported (backported) only for Windows 7–8.1.
      Vista / Server 2008 did not get them.
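      The failure mode described in this post (a server tightens its TLS 1.2 cipher-suite list, and a legacy client that never received the newer suites can no longer complete a handshake) can be reproduced offline. The following Python script is an added example, not code from the thread or from Microsoft; the cipher-suite lists are constructed approximations of a modern server, a Windows 7-era client with backported AEAD suites, and a client that only has CBC suites. They are not captured from fe2.update.microsoft.com or from any particular Windows build. The script applies server-preference negotiation and, when no suite is shared, reports which server requirement the client cannot meet.

```python
"""
Added example (not from the AskWoody thread): simulate TLS 1.2 cipher-suite
negotiation between a server whose offered list has been modernised and
clients of differing vintage, to show how an end-of-life client is cut off
without any explicit block being configured.

All suite lists are CONSTRUCTED for illustration; they are not captured from
fe2.update.microsoft.com or from any real Windows release.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed: a server that now offers only ECDHE + AES-GCM (AEAD) suites.
SERVER_MODERN = [
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
]

# Constructed: a Windows 7/8.1-style client that received backported GCM suites.
CLIENT_WITH_BACKPORT = [
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
]

# Constructed: a Vista/Server 2008-style client with TLS 1.2 but no AEAD suites.
CLIENT_LEGACY = [
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_AES_256_CBC_SHA",
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
]


@dataclass(frozen=True)
class Negotiation:
    chosen: Optional[str]   # selected suite, or None on handshake failure
    reason: str


def suite_props(name: str) -> Dict[str, object]:
    """Parse an IANA-style name TLS_<KX>_WITH_<CIPHER>_<MAC> into properties."""
    body = name[len("TLS_"):] if name.startswith("TLS_") else name
    kx, _, rest = body.partition("_WITH_")
    return {
        "kx": kx,                                   # e.g. ECDHE_RSA, RSA
        "pfs": kx.startswith(("ECDHE", "DHE")),     # ephemeral key exchange
        "aead": "_GCM_" in rest or "CHACHA20" in rest,
        "cbc": "_CBC_" in rest,
    }


def negotiate(server_prefs: List[str], client_offer: List[str]) -> Negotiation:
    """Server-preference negotiation, as most TLS stacks do it: the first suite
    in the server's ordered list that the client also offered is selected."""
    offered = set(client_offer)
    for suite in server_prefs:
        if suite in offered:
            return Negotiation(suite, "ok")
    return Negotiation(None, "handshake_failure: no common cipher suite")


def explain_gap(server_prefs: List[str], client_offer: List[str]) -> List[str]:
    """When negotiation fails, list the server-wide requirements the client's
    offer cannot satisfy (the explanation a patch manager actually needs)."""
    if negotiate(server_prefs, client_offer).chosen is not None:
        return []
    srv = [suite_props(s) for s in server_prefs]
    cli = [suite_props(c) for c in client_offer]
    gaps = []
    if all(p["aead"] for p in srv) and not any(p["aead"] for p in cli):
        gaps.append("server offers only AEAD (GCM/ChaCha20) suites; client offers none")
    if all(p["pfs"] for p in srv) and not any(p["pfs"] for p in cli):
        gaps.append("server requires ephemeral (ECDHE/DHE) key exchange; client has none")
    if not gaps:
        gaps.append("no shared suite; compare the two lists directly")
    return gaps


def classify_clients(server_prefs: List[str],
                     clients: Dict[str, List[str]]) -> Dict[str, Optional[str]]:
    """Map each named client population to the suite it would negotiate
    (None means that population silently loses access to the endpoint)."""
    return {name: negotiate(server_prefs, offer).chosen
            for name, offer in clients.items()}


if __name__ == "__main__":
    fleet = {"win7_with_backport": CLIENT_WITH_BACKPORT, "legacy_no_aead": CLIENT_LEGACY}
    for name, chosen in classify_clients(SERVER_MODERN, fleet).items():
        print(f"{name}: {chosen or 'HANDSHAKE FAILURE'}")
        for gap in explain_gap(SERVER_MODERN, fleet[name]):
            print(f"  - {gap}")
```

Run against a real fleet, the client lists would come from inventory (for Schannel, the configured cipher-suite order on each build) and the server list from a passive capture of a ServerHello or the operator's published configuration; the negotiation logic itself does not change. The useful output is the second line per client: it tells a patch manager which property (AEAD, forward secrecy) the unsupported platform lacks, which is the information the thread complains is missing from vendor notices.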

    • #2686462

      But I expect something more from Apple.

      Apple is detailing each OS component that has been fixed. Example :

      https://support.apple.com/en-us/HT214111

      “Bluetooth

      Available for: AirPods (2nd generation and later), AirPods Pro (all models), AirPods Max, Powerbeats Pro, and Beats Fit Pro

      Impact: When your headphones are seeking a connection request to one of your previously paired devices, an attacker in Bluetooth range might be able to spoof the intended source device and gain access to your headphones

      Description: An authentication issue was addressed with improved state management.

      CVE-2024-27867: Jonas Dreßler”

      https://support.apple.com/en-us/HT214103

      “Safari 17.5
      Released May 13, 2024

      Safari

      Available for: macOS Monterey and macOS Ventura

      Impact: A website’s permission dialog may persist after navigation away from the site

      Description: The issue was addressed with improved checks.

      CVE-2024-27844: Narendra Bhati of Suma Soft Pvt. Ltd in Pune (India), Shaheen Fazim

      Entry added June 10, 2024

      WebKit

      Available for: macOS Monterey and macOS Ventura

      Impact: An attacker with arbitrary read and write capability may be able to bypass Pointer Authentication

      Description: The issue was addressed with improved checks.

      WebKit Bugzilla: 272750
      CVE-2024-27834: Manfred Paul (@_manfp) working with Trend Micro’s Zero Day Initiative….”

      1 user thanked author for this post.
      • #2686464

        I’ll admit that the one you linked to is better, but still not what I consider to be a fountain of information.

        And I still stand by my comment about “improved something or other”. Is it really asking too much for software vendors to get it right the first time around?

      • #2686683

        I don’t think I read your full post above last night, but in my opinion the rest of the examples leave me nonplussed as they are almost the same as the one I quoted. The Bluetooth example at least says the attacker needs to be physically nearby but the others just say “attacker”. But what does that mean? Is the “attacker” a man in the middle, does the “attacker” need physical access or just close proximity? There are a bunch of such questions one could ask.

        I suppose in some sense it’s a moot point since one has to accept everything that’s in an Apple security patch or else reject the entire patch (remind anyone of another OS vendor?). On the other hand I’ve seen some patches with only a handful of addressed vulnerabilities that I might be tempted to skip if I knew the likelihood of impacting a home user was nil. And, yes, it can make a difference. On more than one occasion I’ve been saddled with an extremely slow MacBook Air after an update, and I treat macOS updates just like Windows updates – neither one is anywhere near being infallible.

    • #2686534

      The video garnered many views and was cited in — you guessed it — clickbait headlines. I don’t want to spoil it for you, because it’s sometimes interesting to check out this sort of thing, but I noticed a problem — he turned off the firewall. That’s not a real-world scenario.

      Hi Susan:

      Well said. As soon as this type of clickbait is posted in a reddit community or YouTube video it’s immediately picked up by multiple aggregator sites like Neowin, ghacks, etc. and, sadly, often makes its way onto this AskWoody site.

      I wish users would think twice and be a bit more judicious about what “news” they re-post in this AskWoody forum so others don’t have to scroll through the Recent Topics list every day trying to discern clickbait and fun facts from relevant news that might actually be helpful.

      1 user thanked author for this post.
    • #2686801

      Painting over the cracks, isn’t that Redmond’s remit soon after collateral patches have been released? /s

      Windows - commercial by definition and now function...