Panther: A £99 security update?

Apple Computer's latest version of its Mac OS X operating system, Panther, patches security flaws that affect previous versions of the operating system, leaving security experts wondering if users will have to pay the £99 upgrade fee to be secure. On Tuesday, Apple released an advisory that indicates that the Mac OS X 10.3 upgrade -- which adds an improved Finder menu, better synchronisation of files and a tool to help users find a specific window on a crowded desktop -- also includes more than a dozen "security enhancements".

However, Apple apparently doesn't intend to fix the flaws in previous versions of the software: Apple's Security Updates Web page doesn't list fixes for the flaws in Mac OS X 10.2 and earlier.

"It is not a friendly thing to tell your customers to shell out a lot of money to stay secure," said Thor Larholm, senior researcher for software security firm PivX Solutions. "It would be a dangerous precedent, if they did."

Apple declined comment.

David Goldsmith, director of research for @stake, a security company that found four of the vulnerabilities, confirmed that Apple said it wasn't going to patch the flaws in earlier versions of the software. "In my initial conversations with them, they said they weren't going to fix 10.2, but I wouldn't be surprised if they change that," he said.

Typically, companies that charge for software provide security updates for the software for a certain period of time. Microsoft provides support for its products for about five years and releases service packs every year that include all the enhancements to the software. Microsoft doesn't charge for the service packs.

"Imagine if Microsoft tried to charge for security fixes -- people would go crazy," Larholm said.

Linux vendors typically work things a bit differently, as so much of the software they distribute is produced by developers outside the companies. Red Hat, for example, charges about $40 (£24) for its desktop edition and provides a year of easily accessible updates for free through its Red Hat Network. After that, users either have to pay $60 a year for the service, manually install each update or subscribe to a free service such as Ximian's basic Red Carpet service. (Novell now owns Ximian.)

Apple's plan falls between the two models, offering bug fixes for free but charging $129 for the update to the operating system. Panther is the third update the company has released since Mac OS X debuted in March 2001.

The current set of vulnerabilities includes a flaw in the operating system that causes applications to be installed with insecure file permissions. Other vulnerabilities could allow a local or remote user to crash the system.

@stake's advisories say users should either upgrade to Panther or turn off the affected software component.

But PivX's Larholm said Apple would have to release some patches to previous versions of its OS or risk angering its users.

"They have stated that they want to release a new version of OS X every year, but this is the first time they have hinted that they will not be supporting any particular OS X version for more than that year and that they expect all their customers to upgrade their operating system on a yearly basis," he said.

ZDNet Australia's Patrick Gray contributed to this report.

Talkback

Well, I wouldn't expect anything less from Microsoft friendly ZDnet, now would I? That aside, Apple are doing the right thing here. Since Mac OS is built on the foundations (and security model) of Unix, the issues raised aren't that much of a problem at all in reality. I believe MS are also starting to see the folly of constant "patching" and we will see an improved model from them too as far as security issues go.

Upgrading to Mac OS X Panther will be standard issue for Mac users in any case. So many will have the improved security features of a new BSD Kernel and networking stack. This is standard practice even in the world of Linux now too. Irrespective of whether we see patches galore (as we do in Windows) makes no difference. Upgrading to an OS that has over 150 features available plus security enhancements for around £99 is a bargain compared to the highly expensive and overpriced features of Windows and its patching nightmares (not to mention prolific email viruses). Compare what you need to get Windows even marginally safe and secure to what it takes to get a Unix based OS secure and you'll see that @stake are playing games.

Jealousy is a terrible thing in the OS world!

via Facebook 30 October, 2003 10:12

Boy, I'm hopping mad!

I just spent £129 on a major upgrade to the 3 Macs on my home network, only to find that the new OS doesn't include possible security flaws recently identified by some tech firm I've never heard of!

I want my security flaws! Am I going to have to stick with Jaguar just to keep my flaws! Not to mention having to avoid downloading the inevitable free security updates which Apple releases.

And what about the people who DON'T want security issues. The only option they have is to wait several weeks for a free update, or shell out £79 for a major upgrade to the OS. Were it not for the recently discovered security flaws they would have been able to happily stick with Jaguar, or upgrade to Panther for a mere £79!

This is outrageous! I hope Apple is listening.

via Facebook 30 October, 2003 11:37
