MOTUnation.com

I just installed OS 10.9.5. The usual 'last update before the new release', no doubt.

No problems or issues except that I am in Firefox at the moment and it looks weird -- for some reason, it's displaying Courier as I enter text. Hopefully, Chrome and Safari will behave.

Safari 7.1 is taking forever to download.

Safari and Chrome are fine but FireFox is still switching to Courier when I edit or enter text. Annoying.

MAJOR MAJOR MAJOR MAJOR problems with 10.9.5.

I'm not going to have time to write it up. It's mostly going to affect newly installed software; probably not DP.

The new security model is a HUGE crisis in the industry right now. We'll probably see lots of compatibility updates.

Not sure if it affects plug-ins as much as standalone apps.

Huge crisis caused by 10.9.5? No one I know seems to know what you are talking about. 10.9.5 appears to be the fix, not the cause.

http://nakedsecurity.sophos.com/2014/09 ... -x-10-9-5/

More than 40 separate vulnerabilities have been fixed, covered by 55 CVEs; 10 of these could allow remote code execution, including 3 inside the kernel.

In fact, there is something of a laundry list (or a vulnerability glossary) of holes fixed, including:

Remote code execution.
Remote code execution in the kernel.
Lock screen bugs allowing access to a supposedly-locked device.
Information disclosure allowing address randomisation to be bypassed.
Code execution risks due to booby-trapped PDF files.
Deleted files never actually removed.
Sensitive information written into system logs.
Incorrectly-implemented address book encryption.
Use of deprecated and insecure Wi-Fi authentication.
Passwords leaked by Safari's password manager.

No issues here. Update is fine.

MIDI Life Crisis wrote:No issues here. Update is fine.

Except for Firefox, none here -- and I am not sure it's an OS issue. Besides entering text in Courier, it does not respond to zoom-in/out on my Magic Trackpad. I've rebooted several times, too.

My other apps have no problems.

It's a matter of perspective.

There are many apps out there, and plug-ins, that are no longer officially supported or whose vendors are gone.

It used to be that such stuff was only orphaned due to hardware incompatibilities or major OS shifts, but now we've thrown the entire security thing into the mix.

Certificates expire. If products aren't likely to be updated frequently, vendors usually try to anticipate that.

The problem right now is that the certificates have to be PRODUCED on a machine running Mavericks. This is shutting off a LOT more software than is normally the case.

So the problem is not the OS. OK.

So a large number of applications have to become more secure... I don't see a way around it. Everything wants to talk with everything else.

Do you want Apple to wait tip Yosemite to fix these issues? I don't. People always complain when they stop supporting older OS with security updates. We the consumers and, by extension, the developers cannot have it both ways.

That does explain the flurry of updates that I have seen with my purchased apps. Security may explain the Firefox issue - or some plugin not wanting to work or something I'm too busy to check.

Is this something to do with Apple's new two step or two stage app vendor signature process? Can't you bypass the whole app signature process anyway?

This article is the best explanation I can find, and apparently the code signing doesn't go into effect until 11/1. As best I can tell, it only applies to the App store and GateKeeper and possibly .pkg files.

http://arstechnica.com/apple/2014/09/ap ... uirements/

cuttime wrote:This article is the best explanation I can find, and apparently the code signing doesn't go into effect until 11/1. As best I can tell, it only applies to the App store and GateKeeper and possibly .pkg files.

http://arstechnica.com/apple/2014/09/ap ... uirements/

From this article:

However, developer Daniel Jalkut of IndieStack reports that most applications with v1 signatures continue to work properly

Italics added.

And I assume that if an application doesn't show that its certificate is verified, that one can bypass Gate Keeper, just like one always does. I don't see this as being a big problem, at least for a moderately savvy user.

The problem is that most users are NOT moderately savvy. We get a gazillion service calls when these sorts of things come up, even if we post Release Notes to try to guide people through the process.

It's easy for people on this board to forget how many people are in professions where computers are not omnipresent, and how easily intimidated those people are as well as how little it takes for them to run for the hills.

I don't know anyone who's happy about the new security rules. I am ONLY seeing the down side of it, and NEVER saw security problems in the past to justify what's going on with the technology. I personally think it's because the so-called "cloud" (new name for a 40-year old concept) has taken over, and thus desktop apps and plug-ins have to suffer as the Lowest Common Denominator drives everything now.

Browsers are inherently unsafe, as are most of the technologies used in them (at least HOW they're used in them -- maybe Chrome is different, but I got so burnt by the pre-beta Alpha release that I haven't touched it since).

At any rate, in some cases you can indeed side-step and right-click your way to overriding warnings, but not always. What upsets me, as mentioned earlier, is when small vendors with few resources have to pull away from important development, bug fixes, etc., to deal with an external crisis created by the big players like Apple, Microsoft, et al. That's why the Microsoft model of development doesn't scale to firms outside the computer business who only have small teams (of one, in many cases). Unfortunately, 15 years later, the industry is now consolidating towards Microsoft's way. Anyway, the point is that it diminishes the chances for developers to produce stable releases that can last for awhile as they work on future stuff.

I predict a rush towards Linux in the next few years. If it weren't for DP, I'd do so myself, as most other stuff can be made to work on Linux.

mhschmieder wrote:
It's easy for people on this board to forget how many people are in professions where computers are not omnipresent, and how easily intimidated those people are as well as how little it takes for them to run for the hills.

I predict a rush towards Linux in the next few years.

I can't reconcile those two statements.

The above-linked article had the following update:

"Update: The new code signing requirements don't actually appear to be enforced in the release version of 10.9.5. We have updated the article to reflect that fact."

bayswater wrote:

mhschmieder wrote:
It's easy for people on this board to forget how many people are in professions where computers are not omnipresent, and how easily intimidated those people are as well as how little it takes for them to run for the hills.

I predict a rush towards Linux in the next few years.

I can't reconcile those two statements.

I was struck by the same contradiction.

Linux is an idea whose time came and went. It's the least secure platform and is highly unlikely to make a comeback as a serious commercial platform. Hobbyists will continue to enjoy it for a long time.