
... And the Hits Just Keep On Coming

Vokbain writes "Security Update 2003-12-19 is now available. This update includes the following components: AFP Server, ASN.1 Decoding for PKI, cd9660.util, Directory Services, fetchmail, fs_usage, rsync, and System Initialization. Get it now in Software Update." This security update appears to be for 10.3.2, and, as stekylsha writes, "contains among other things -- wait for it -- the fix for the cd9660.util buffer overflow. What was the turn around on that? Three days?" EverLurking writes "Yet another update from Apple, this time they've updated Java to 1.41.1_01. You can find it in Software Update, a restart is required." I see no Java update of this sort, but I do see an update to the MPEG-2 component, as well as the 10.3.2 update for Mac OS X Server. (As usual, the technotes on Apple's site don't appear to be updated yet.)
  • by Pope ( 17780 ) on Saturday December 20, 2003 @12:07PM (#7773216)
    I was very happy about the MPEG-2 update, previewing my m2v files in VLC is a pain compared to QuickTime's player, simply because the control in QT is much better.

    Also nice to see all the other Security fixes happening. gg Apple!
    • by tgibbs ( 83782 ) on Saturday December 20, 2003 @02:53PM (#7774076)
      Also nice to see all the other Security fixes happening. gg Apple!

      Also nice to see Apple giving public credit to the people who reported these security holes.
  • by TheRedHorse ( 559375 ) on Saturday December 20, 2003 @12:18PM (#7773258)
    I'm running 10.2.8 and still got the security update via Software Update.
    • by dbirchall ( 191839 ) on Saturday December 20, 2003 @04:55PM (#7774720) Journal
      There are separate updates for 10.2.8 and 10.3.2. The 10.3.x update requires 10.3.2 and will not appear in Software Update unless/until 10.3.2 is installed.

      I and a few other Dual G5 users are having [bhphotovideo.com] problems [apple.com] with [apple.com] 10.3.2 and/or some other very recent updates (say, QuickTime 6.5 or XCode 1.1), and are thus unable to apply this particular security update. Grumble.

      • Dan et al.

        I posted about this on the Apple forums, but it's worth repeating here, perhaps in a little more detail. I'm running a Dual G4/800, so it looks to be a DP problem.

        If you examine the stack traces that the crash catcher asks to send back to Apple you will see that all the non-working iApps (iTunes, iPhoto, Safari, Mozilla, etc.) crash at initQuickTimeFoo()+44. Sorry I don't recall the exact function.

        That is consistent with the "fix" that I found...namely to grab /System/Library/Frameworks/Quick
  • by byolinux ( 535260 ) on Saturday December 20, 2003 @12:22PM (#7773276) Journal
    .. this puts Apple much closer to the Free Software Movement in terms of patching, than Microsoft.

    It's pretty impressive..

    Tip for any fellow 10.3 users out there...

    In System Preferences > Software Update > Turn on 'Download Important Updates in the Background' - particularly handy if you leave your machine turned on at night.
    • In all fairness, there were a number of people offering patches for cd9660.util hours after the vulnerability was announced. On the other hand, Apple was very quick to get the patch as part of the "official" Apple release.

      Personally? This rocks. It means Apple's listening and are responsive to security issues.

  • by jlower ( 174474 ) on Saturday December 20, 2003 @12:22PM (#7773277) Homepage
    In case anyone is waiting for user reports of installations that didn't crater their machine, here's one. G4/400 AGP installed & up and running again without any hiccups.
  • 10.2.8 (Score:5, Informative)

    by Johnny Mnemonic ( 176043 ) <mdinsmore&gmail,com> on Saturday December 20, 2003 @12:28PM (#7773305) Homepage Journal

    The security update is also available for 10.2.8. I downloaded it and installed it last night. It is apparently different than the one for 10.3.x, though, as the size is about a meg less.

    The description says that it updates: "AFP Server, cd9660.util, Directory Services, fetchmail, fs_usage, rsync, System Initialization". I wonder what this does to directory services? Presumably it addresses the security issue raised earlier [carrel.org], but since the issue exploits a configuration that is necessary for NetInstall, I don't think that Apple could just "turn it off." I explicitly checked, but didn't see anything different about Directory Access after the update.

    Anyways, it's great that Apple is updating 10.2.x machines still--apparently, they are listening and responding to criticism that they can't end support immediately after a new OS is released--part of their enterprise aims?
  • Apple is killing me! (Score:1, Interesting)

    by UV_Haze ( 561159 )
    They keep updating things. In a way you could say this is cool. Kinda like end of year/quarter house cleaning; however, I don't see any obvious reason why they could not release all of this stuff on the same day at the same time.

    I only ever reboot my machine when the software update thing tells me to, so generally that's about once every other month. I've rebooted every day this week.

    ARGH..

    Apple.. please get better release management going. I know its nice to make the headlines everyday on slas

    • by MoneyT ( 548795 ) on Saturday December 20, 2003 @01:49PM (#7773742) Journal
      It's a matter of not being able to please everyone at once. When they did the bulk updates, people were ticked because they couldn't pick and choose what to install, so now you get them piece by piece; of course, now people want them all at once.
    • Advice (Score:4, Insightful)

      by phorking ( 624428 ) on Saturday December 20, 2003 @02:49PM (#7774050)
      You want to stay current but don't want to reboot your machine every day. You want 2 completely mutually exclusive operations here. In your choice where Apple only releases updates once a week you are not staying any more current than you would if you only patched yourself once a week. Instead, you are only being ignorant to your current patched status. The patches are still waiting at Apple and you still have not applied them. You have not actually gained anything by waiting for Apple to release those updates on a schedule. So, just update once a week. It makes no difference in the end. If you want to stay current, stay current and don't complain about rebooting. TTFN =)
      • Re:Advice (Score:5, Insightful)

        by Senjaz ( 188917 ) on Saturday December 20, 2003 @03:55PM (#7774318) Homepage
        Not true. Patching doesn't always require a reboot. Any system service could be updated and it's process restarted individually instead of taking down the entire system. Unfortunately Apple's updates tend to want to reboot the entire machine. I suspect further effort could be made to improve the software updater so that machine reboots were not required as often. All but very core stuff could be suspended while a updated process is swapped out for a newer one.
        • Re:Advice (Score:2, Informative)

          by martinX ( 672498 )
          Given that so many things are dependent on so many other things, it's just easier to reboot really. Probably quicker too.
          • Re:Advice (Score:4, Insightful)

            by Anonymous Coward on Saturday December 20, 2003 @09:47PM (#7776421)
            If I update my linux boxes I reboot them.

            Why? I've been caught before, having a machine up & running for months, updating a dozen small things that restart just fine, and I get used to how they work.

            Then on a reboot, things AREN'T identical. It's just not worth trying to trace down why the system isn't working as I'm used to when I could have completely avoided problems with a reboot. Granted it's rare, but if I'm going to do 10 reboots over a few months that's better than spending a few hours poring over a system to find why it's not working how it used to, when it's not working how it SHOULD and not how it did without the reboot.

            A reboot costs 45 seconds. That's worth it. Screw uptime
        • Re:Advice (Score:1, Insightful)

          by Anonymous Coward
          "I suspect further effort could be made to improve the software updater"

          I suspect that further efforts are being made to improve it but I'm what you might call an optimistic pessimist; I'm certain that something horrible is going to happen but I am, at the same time, certain it won't hurt too much. As little sense as that makes, it's enough for me. ;-)
    • by macmurph ( 622189 ) on Saturday December 20, 2003 @06:03PM (#7775140)
      If you have ever worked in a software company you would know how incredibly difficult it is to synchronize the release of components...even within the same product. Even if everything is on a schedule, last minute bugs can delay a component for several days.

      Apple is doing the right thing by releasing updates as they become available instead of what you propose (batching updates).

      As others have said, a restart is not required in many cases, and maybe apple could eventually eliminate the need to restart. But restarting is fairly harmless in most cases.
    • by Onan ( 25162 )
      For them to release updates at the same time, they'd need to either 1) rush the later ones, involving less testing, or 2) delay the earlier ones, which you could easily do yourself.

      Which one of these strikes you as a good idea?
    • Um, how old are you?

      On one hand you're saying you'd like Apple to hold off on releasing security patches so that they come out at the same time as other stuff to save you having to reboot your machine.

      On the other hand you're saying that you have Software Update checking for updates every day. And you don't want to set it to every week (or every month) because you want to stay current.

      I say bite the bullet, Einstein! Set your software update to once a week. Let Apple release updates on their own sche
    • It's not going to all-of-the-sudden be like this all the time, all the teams are pushing out their progress and tying up loose ends before the year ends. I'm sure there's a lot of developers at Apple who want to spend the next two weeks relaxing and soaking up the holiday work atmosphere, not crunching code.
    • Look, just replace your uptime program with a script that prints out some ridiculously high value and quit whining.
    • I know its nice to make the headlines everyday on slashdot (and other news sites) because you've updated something

      *blinks*

      Other news sites?

  • Has anyone had problems with updating 10.2.8? I can't confirm it, but I've read some comments at versiontracker.com that say after running the update kernel panics started happening. One even claims he had to reinstall his system.

    I have been reluctant to install the updates because of this. Has anyone else heard/had this problem?
    • I have, but the machine is a beige G3 266 from the days of yore. My Pismo PowerBook and B/W G3 took it on the chin without a stumble.
      • by HiredMan ( 5546 )
        Do you have two monitors?

        I'm running dual monitors on a 233 (now 500MHz BG3) with an ATI Radeon 7000 in addition to the on-board video. With 10.2.8 I ran into random monitor blacking or corruption varying from 2 hours to 4 days.

        After I heard about others with the same problem I finally rolled back to 10.2.6. *SIGH*

        There's a precedent for this - the same set-up had screen corruption on sleep issues until the ATI updates in the 10.1.5 update.

        =TKK
        • Actually I don't have a monitor on it. Been using it as a web dev server, and it has been pretty stable until 10.2.8. That update seemed to fubar a lot of stuff on that machine.

          I too may be resorting to a full rebuild of that box and do the 10.2.6 combined update or risk the 10.2.8 combined update. Is there a 10.2.8 combined update? Hmm.

          Not sure about the vid card stuff. Still working with the on-board grafix card/mem, although I did upgrade it a few years back, adding a whopping 4MB of VRAM.

          sorry,

    • by awfwal ( 596968 ) on Saturday December 20, 2003 @02:33PM (#7773963) Homepage
      I started getting kernel panics about this time, but I traced the problem to the also-recently-updated Norton Anti-Virus auto-protect. After I disabled that (using safe boot) I had no more problems.
      • Interesting. I use NAV auto-protect as well. I'll do that and try the updates. Thanks for the info (:
      • In my experience, antivirus software is far more damaging and invasive than any virus from which it might protect you.

        I've been using (and adminning) internet-connected macs for about ten years without any antivirus software. I think the only thing with which I've ever contended was the "concept" Word macro virus in 1997 or so. Which made saving some Word documents inconvenient until you ran a simple tool to clean it out. No system corruption, no reinstalling of anything. All told, less work (and money) t
        • The university requires it.
          I hardly ever use it. Just scans, and I never found anything.

          I actually had auto-protect turned off before updating NAV, but I guess the update turned it back on.
      • Get the heck off Norton, it's a waste of money. None of their programs are of any use on a Mac running OS X, and if you run Panther, the updates don't even exist for some of the apps.
        Filesaver is one sure way to damage a drive badly, as well as make a mess of your system (throwing many files everywhere) and slow everything down by half, making a point to rescan and log every single file you open or move, as well as many other things you might do in regular use. In all I've seen, heard, and read, it has *ne
        • I agree. Symantec's stuff is crap. I use NAV because I get it free from the university, and they say that I have to have some form of anti-virus software.

          Free, but maybe not worth it. It's started causing problems so I may look at coughing up some money for something that sucks less.

          Virex,you said?
    • I believe this was the first 10.2.8 that caused this problem; it was pulled and a revised 10.2.8 was put up the next day. I've been running 10.2.8 since then, not one panic.
    • The only issue that I ever had with 10.2.8 was that it broke the Option-Eject function to eject the second DVD drive.

      I have had no other problems. Dual monitors work fine, etc., etc.

      A.
    • Can't say that I've ever seen a kernel panic under 10.2.8, with Macs ranging from beige G3's up. I did have one beige that wouldn't boot into 10.2.8 (although it was fine with 10.2.7) until I replaced the hard drive.
    • My Jaguar partition is still on 10.2.6, as I have the Gigabit Ethernet Dual 450, and was spooked after learning of the first 10.2.8 update that killed the ethernet .kext file [macosxhints.com], and left users without a net-enabled machine. I do have a few other machines online, but didn't bother doing it or the re-released update, as everything works fine with 10.2.6.

      My current Panther install (I usually Carbon Copy Clone my main boot drive to an external firewire drive, then do an upgrade install on that drive to the new
      • I'm on a Gig E dual 450 too, the 10.2.8 caused exactly ZERO problems, though that's now ancient history as I'm running a fully updated 10.3.2.

        Panther REALLY helps UI speed on the dual 450 - cheapest speed upgrade ever - go for it!
    • Seems ok so far to me. I even installed the last 3 updates in a row and nothing broke that I've noticed.
  • The TechNote... (Score:5, Informative)

    by Anonymous Coward on Saturday December 20, 2003 @01:50PM (#7773749)
    AppleFileServer: Fixes CAN-2003-1007 to improve the handling of malformed requests.

    cd9660.util: Fixes CAN-2003-1006, a buffer overflow vulnerability in the filesystem utility cd9660.util. Credit to KF of Secure Network Operations for reporting this issue.

    Directory Services: Fixes CAN-2003-1009. The default settings are changed to prevent an inadvertent connection in the event of a malicious DHCP server on the computer's local subnet. Further information is provided in Apple's Knowledge Base article: Credit to William A. Carrel for reporting this issue.

    fetchmail: Fixes CAN-2003-0792. Updates are provided to fetchmail that improve its stability when receiving malformed messages.

    fs_usage: Fixes CAN-2003-1010. The fs_usage tool has been improved to prevent a local privilege escalation vulnerability. This tool is used to collect system performance information and requires admin privileges to run. Credit to Dave G. of @stake for reporting this issue.

    rsync: Fixes CAN-2003-0962 by improving the security of the rsync server.

    System initialization: Fixes CAN-2003-1011. The system initialization process has been improved to restrict root access on a system that uses a USB keyboard.

    Note: The following fixes which appear in "Security Update 2003-12-19 for Panther" are not included in "Security Update 2003-12-19 for Jaguar" since the Jaguar versions of Mac OS X and Mac OS X Server are not vulnerable to these issues:

    CAN-2003-1005: ASN.1 Decoding for PKI
    CAN-2003-1008: Screen Saver text clippings
    • Last night I ran Repair Permissions after installing the new Security Update. The only change was to cd9660.util. This same change occured on two of my computers. The message was:

      Repairing permissions for "OS X"
      Determining correct file permissions.
      Permissions differ on ./System/Library/Filesystems/cd9660.fs/cd9660.util , should be -rwsr-xr-x , they are -rwxr-xr-x
      Owner and group corrected on ./System/Library/Filesystems/cd9660.fs/cd9660.util
      Permissions corrected on ./System/Library/Filesystems/cd9660.fs/
      • by pudge ( 3605 ) * <slashdot.pudge@net> on Saturday December 20, 2003 @05:17PM (#7774875) Homepage Journal
        I am unfamiliar with an "s" permission for root (-rws vs. -rwx). Is this correct?

        Yes. It stands for "Set UID/GID". See man chown:
        The letters `rwxXstugo' select the new permissions for the affected
        users: read (r), write (w), execute (or access for directories) (x),
        execute only if the file is a directory or already has execute permis-
        sion for some user (X), set user or group ID on execution (s), save
        program text on swap device (t), the permissions that the user who owns
        the file currently has for it (u), the permissions that other users in
        the file's group have for it (g), and the permissions that other users
        not in the file's group have for it (o).
        It means when you run it as Joe User, it will be run as root, which is why a buffer overflow is such a big problem. If the buffer is overflowed with some executable code -- thereby replacing the existing code with some other code -- then the program can be tricked into running that other code.

        This is normally not a huge problem, but when the program is set to execute with setuid, then it is a huge problem. The program cd9660.util is essentially trusted code: anyone can run it, and nothing bad can happen with it. But with a buffer overflow, now anyone can run it and (conceivably) gain root access to the system by getting it to run a root shell. You might as well, at that point, make bash setuid, or just leave your root password as an empty string.
        • You might as well, at that point, make bash setuid

          Just a note: making Bash suid root won't work: if the effective user ID (the one affected by the setuid bit) is 0 (read: root), Bash simply resets the effective user ID to the real user ID (the one inherited from the parent process). Other interpreters probably do that as well.

          OTOH, making Bash setuid any other user works as expected.

          Of course this doesn't prevent a suid root wrapper to change its real user id before forking a shell (otherwise su, s
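The Repair Permissions output quoted a few comments up and pudge's explanation of the `s` bit are two sides of the same defender's check: know which binaries are supposed to carry set-id bits, and notice when that set changes. The following is an added example written for this thread, not Apple's code. It parses the symbolic mode strings that `ls -l` and Repair Permissions print into `st_mode` values and reports drift against a baseline; the cd9660.util path and its two modes come from the quoted output, while the other paths and the "observed" table are constructed.

```python
"""Parse symbolic permission strings such as '-rwsr-xr-x' and report set-id
drift against an expected baseline.

Added example for this thread, not Apple's code. Apart from the cd9660.util
entry, the baseline and observed tables are constructed."""
import stat

# Expected modes. The cd9660.util entry matches the Repair Permissions output
# quoted in the thread; the other two paths are constructed for illustration.
EXPECTED = {
    "/System/Library/Filesystems/cd9660.fs/cd9660.util": "-rwsr-xr-x",
    "/usr/bin/example-tool": "-rwxr-xr-x",
    "/usr/local/bin/example-group-tool": "-rwxr-sr-x",
}

# Constructed "observed" state, as if read back after an update.
OBSERVED = {
    "/System/Library/Filesystems/cd9660.fs/cd9660.util": "-rwxr-xr-x",  # setuid bit dropped
    "/usr/bin/example-tool": "-rwsr-xr-x",                              # setuid bit appeared
    "/usr/local/bin/example-group-tool": "-rwxr-sr-x",                  # unchanged
}

_TYPE_BITS = {"-": stat.S_IFREG, "d": stat.S_IFDIR, "l": stat.S_IFLNK}
_RWX_BITS = (stat.S_IRUSR, stat.S_IWUSR, stat.S_IXUSR,
             stat.S_IRGRP, stat.S_IWGRP, stat.S_IXGRP,
             stat.S_IROTH, stat.S_IWOTH, stat.S_IXOTH)
# Positions in the 9-character rwx field where a special bit may replace 'x'.
_SPECIAL_BITS = {2: stat.S_ISUID, 5: stat.S_ISGID, 8: stat.S_ISVTX}
SET_ID_BITS = stat.S_ISUID | stat.S_ISGID


def parse_symbolic_mode(text: str) -> int:
    """Convert a 10-character mode string to an st_mode value.

    A lowercase 's' or 't' means the special bit plus execute; uppercase means
    the special bit without execute, exactly as ls(1) prints them."""
    if len(text) != 10 or text[0] not in _TYPE_BITS:
        raise ValueError(f"unsupported mode string {text!r}")
    mode = _TYPE_BITS[text[0]]
    for i, ch in enumerate(text[1:]):
        if ch == "-":
            continue
        if ch in "rwx" and ch == "rwx"[i % 3]:
            mode |= _RWX_BITS[i]
        elif (ch in ("s", "S") and i in (2, 5)) or (ch in ("t", "T") and i == 8):
            mode |= _SPECIAL_BITS[i]
            if ch.islower():
                mode |= _RWX_BITS[i]
        else:
            raise ValueError(f"bad character {ch!r} at position {i + 1} in {text!r}")
    return mode


def is_setuid(mode: int) -> bool:
    """True if the binary runs with its owner's user ID, as cd9660.util does."""
    return bool(mode & stat.S_ISUID)


def audit(expected: dict, observed: dict) -> list:
    """Compare observed modes with the baseline.

    Every difference is reported in the Repair Permissions phrasing. A set-id
    bit that appears where the baseline has none is the finding that matters
    most, because a new program now runs with someone else's privileges."""
    findings = []
    for path in sorted(expected):
        want_text, have_text = expected[path], observed.get(path)
        if have_text is None:
            findings.append(f"{path}: not present on the system")
            continue
        want, have = parse_symbolic_mode(want_text), parse_symbolic_mode(have_text)
        if want == have:
            continue
        line = f"Permissions differ on {path}, should be {want_text}, they are {have_text}"
        if have & ~want & SET_ID_BITS:
            line += " [ALERT: set-id bit gained]"
        if want & ~have & SET_ID_BITS:
            line += " [set-id bit lost]"
        findings.append(line)
    return findings


if __name__ == "__main__":
    for finding in audit(EXPECTED, OBSERVED):
        print(finding)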

  • With all these updates, 10.3.2, bug fixes, program updates like Xcode 1.1 and Final Cut Pro... what will they have left for MacWorld? You would think that the program updates and what not would have been a nice debut on stage with Jobs on the keynote, but since they released them 3 weeks early, what will the Keynote debut, if anything?
  • I'm guessing you're referring to the new Java 3D and Java Advanced Imaging update.

    Since it's still in public beta form it won't be found in software update but here:

    http://docs.info.apple.com/article.html?artnum=120289#English

    The big rumor for Macworld is almost all of Apple's software will see upgrades and some totally new software apps.

  • The IE hole (Score:5, Informative)

    by goombah99 ( 560566 ) on Saturday December 20, 2003 @04:24PM (#7774505)
    This post is offtopic to Apple but relevant to security and quick turnarounds. The scammers have done a quick turnaround on the announced but not officially patched IE security flaw. The ballyhooed IE URL spoof using %01 has now officially debuted in the wild. I got my first fake billing statement today with the following URL
    https://www.earthlink.net%01@211.154.171.106/li_pi n/verification/step1_e.htm
    (mind the break inserted by the lameness filter!)
    I'll leave it to compare with Microsoft versus Apple response times, but I will mention the following. In many industries when a safety standard becomes established or ubiquitously improved it becomes the new legal definition of "reasonable and prudent action". I know many ski areas for example don't mark all the hazards because they don't want hazard marking to become an expectation and get their asses sued if they don't do it well. In this case I think Apple is setting standards for bug fixes that leave Microsoft ripe for a suit by someone who gets screwed by one of their slow responses to security issues.
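The URL in the comment above works because everything before the `@` in a URL's authority is userinfo, not the host, and the `%01` stops some address bars from showing what follows it. The check below is an added example written for this thread, not code from any browser or mail client: it is the kind of inspection a mail filter or proxy can do to recover the real host and flag userinfo that looks like a hostname or contains control characters. The sample URLs and the 203.0.113.5 address are constructed (a documentation range), not the one from the post.

```python
"""Flag URLs that hide the real destination behind userinfo.

Added example for this thread, not code from any browser or mail client.
The sample URLs and addresses below are constructed."""
import re
from urllib.parse import unquote, urlsplit

# Something with at least one dot and an alphabetic last label reads as a host.
_HOSTNAME_RE = re.compile(r"(?:[a-z0-9-]+\.)+[a-z]{2,}")


def _is_control(ch: str) -> bool:
    return ord(ch) < 0x20 or ord(ch) == 0x7F


def analyze_url(url: str) -> dict:
    """Split the authority the way RFC 3986 (and browsers) do: anything before
    the last '@' is userinfo and the host is what follows it. Report the real
    host, what a reader sees first, and whether the URL looks like a spoof."""
    parts = urlsplit(url)
    real_host = parts.hostname or ""
    userinfo = parts.netloc.rsplit("@", 1)[0] if "@" in parts.netloc else None
    decoded = unquote(userinfo) if userinfo is not None else ""
    # Control characters such as %01 are invisible in many UIs, which is what
    # made the address bar stop before the '@' in the affected browsers.
    has_control = any(_is_control(c) for c in decoded)
    visible = "".join(c for c in decoded if not _is_control(c))
    # Userinfo that itself looks like a hostname is the spoof pattern; a plain
    # account name such as 'anonymous' is not.
    user_part = visible.split(":", 1)[0]
    looks_like_host = _HOSTNAME_RE.fullmatch(user_part.lower()) is not None
    if userinfo is None:
        verdict = "ok"
    elif has_control or looks_like_host:
        verdict = "spoof-suspect"
    else:
        verdict = "userinfo-present"
    return {
        "real_host": real_host,
        "claimed_host": user_part if looks_like_host else None,
        "control_chars": has_control,
        "verdict": verdict,
    }


# Constructed samples, commented with what a filter should conclude.
SAMPLES = [
    "https://www.bank.example%01@203.0.113.5/account/verify",   # encoded %01 spoof
    "https://www.bank.example\x01@203.0.113.5/account/verify",  # raw control byte
    "https://www.bank.example@203.0.113.5/account/verify",      # no control char, still misleading
    "ftp://anonymous@ftp.example.org/pub/",                     # legitimate userinfo
    "https://www.bank.example/account/verify",                  # plain URL
]

if __name__ == "__main__":
    for sample in SAMPLES:
        report = analyze_url(sample)
        print(f"{report['verdict']:17} host={report['real_host']} url={sample!r}")
```

Blocking on `verdict == "spoof-suspect"` alone would also catch the third sample, which has no control character but still puts a hostname-shaped string before the `@`; treating any userinfo in an `http`/`https` link as suspicious is a reasonable mail-filter default, since legitimate web links almost never carry credentials.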
  • Oh give me a break; an UPDATE is nothing bad, they found a problem and fixed it, come on slashdot editors; grow up.

    The fact that they were identified and fixed before a worm/virus came out to exploit them is something to be proud of.

    Yes, whoop-di-doo, macs have a couple holes in them, that's not why they're more secure, they're more secure because they're not on by default and they're patched quickly.
  • I installed all the latest Apple updates, including QuickTime 6.5, just before installing a copy of Warcraft III: The Frozen Throne. The game seems to play OK, but the cinematic cutscenes are all screwed up, playing in overlapping tiles rather than fullscreen.

    The vitals: Dual 1 GHz PowerMac G4, 768 MB, Radeon 9000, 10.3.2 and all the latest and greatest.

    Anyone else seen this problem?
