Apple Uncommunicative About Security Holes

blackmonday writes "Kieren McCarthy of Techworld argues that Mac OS X is rife with security holes, and that Apple is doing a 'half-hearted' job of patching their operating system security holes, and has a 'strange habit of pretending a big problem is of no significance.' As a Mac user I find this an intriguing article in light of the Sasser Worm and its recent variants." Despite the article's assertions, no evidence of widespread security problems, or lack of effort to solve them, is offered. The only real question is Apple's lack of communication with the public about the nature of the problems.
  • Reasons why... (Score:5, Informative)

    by BWJones ( 18351 ) * on Wednesday May 05, 2004 @06:52PM (#9068472) Homepage Journal
    Well, let's see: If Apple has been uncommunicative about the presence (or absence) of any security holes, it is simply because they would rather not publicize the presence of particular holes. It's good policy for their OS while also maintaining an open source presence with Darwin that allows for public scrutiny. It should also be noted that Apple is working towards approval of certain security ratings from assorted groups and governmental agencies, but they are not publicizing that either. They would rather maintain a low profile and have good reasons for doing so. After all, the core of OS X, the NeXT OS, has a long history of a presence in intelligence and security circles (NSA, CIA, FBI etc...).

    I read the linked article and was absolutely stunned at how superficial the evidence was given the claims being made. If one is going to make such statements, one would think there would be a little more substance, but hey, the article certainly has garnered some attention, so perhaps that was the sole goal of the author? Or if one were likely to believe in conspiracies, one might guess that the author was put up to writing the article by a potential competitor? In science, we have to publish "disclosures" that establish corporate or political linkages. Perhaps it is time for the news media to do the same?

  • Re:Reasons why... (Score:5, Informative)

    by talaper ( 529106 ) * on Wednesday May 05, 2004 @07:01PM (#9068551)
    Funny, Microsoft gets attacked at slashdot for taking too long to patch an issue, and Apple gets a free pass for ignoring them?

    Your statement is a bit misleading - Apple doesn't ignore security holes, they fix them quickly and quietly before anybody realizes where they are. That's a BIG difference.
  • by Reverberant ( 303566 ) on Wednesday May 05, 2004 @07:04PM (#9068587) Homepage

    A comment in response to the Scobleizer [weblogs.com] blog said it best:

    Eh, I think @stake is just whining. The security update on the apple site is written for consumers, not security experts. The knowledgebase article: http://docs.info.apple.com/article.html?artnum=61798 [apple.com] clearly lists the CAN number. Plugging in that CAN number into google gets me straight to the @stake advisory here: http://www.atstake.com/research/advisories/2004/a050304-1.txt [atstake.com]

    Personally, I don't think apple is trying to hide anything, they are just assuming that calling it "a pre-authentication, remotely exploitable stack buffer overflow" would confuse consumers. The knowledgebase article contains all the info a technical person would need to find out more.

    Speaking of "full disclosure" - the criticism came from @stake, which is a vendor to Microsoft and fired one of their employees for criticizing Microsoft in a report. :)

  • Re:Reasons why... (Score:2, Informative)

    by Beer_Smurf ( 700116 ) on Wednesday May 05, 2004 @07:08PM (#9068638) Homepage
    It doesn't take the special insight of an "Apple apologist" to recognise this article as complete tripe.
    All you need to do is RTFA, Oh, Wait..........., never mind.
  • Re:Reasons why... (Score:5, Informative)

    by neuroticia ( 557805 ) <neuroticia AT yahoo DOT com> on Wednesday May 05, 2004 @07:15PM (#9068709) Journal
    Wrong analogy. Your analogy applies more to the single user advertising "I have an unpatched system!"

    It's more along the lines of a gym realizing that their locksmith put identical locks on every single locker in the locker room. They can say "Oh. Crap. There's a problem, let's tell our users so that they can decide to use an insecure locker or not." Or they can say "Maybe no one will notice, the locksmith will be here in a couple of hours anyway."

    Still not the perfect analogy, but when you have a large group of people that are operating under the assumption that something is secure, and you don't tell them so that they can take steps to modify their behavior until the security is increased... It's like knowing there's a potential terrorist attack pending, but not telling anyone about it so that they can avoid public areas.

    If there's a vulnerability with something, I prefer to know so that I can avoid a particular action until there is a patch. If I don't know, I go on blissfully unaware and may not even download the patch right away as it becomes available. (Especially since Apple has unusually large patches sometimes.)

    -Sara
  • by baryon351 ( 626717 ) on Wednesday May 05, 2004 @07:15PM (#9068712)
    The whole thrust of the article seems to be "There might be dozens of holes in OSX, how do we know?".

    I don't think there's anything truer than "There are dozens of holes in OSX". Also "There are dozens of holes in Windows" and "There are dozens of holes in Linux - pick a distro any distro". You only have to look at the number of patches released for ALL operating systems to see the truth in that. Some OSs will be worse than others and have more exploited holes, that's an argument for another time.

    Those holes aren't a dramatic problem, until they're found and IGNORED by a vendor. That's all there is to it, not whether a company is uncommunicative. I'd be willing to bet that as soon as Apple became aware of its AFP problems, work began on fixing the problem. I'd rather see a best effort made towards fixing the problem rather than release press release after press release, SCO style.

    Of course, openness is always admired and it would be a nice thing to know just what's happening with a fix for an exploitable hole, but that's a little less important than getting a well written patch out for the hole.

    And now, it IS patched. Fixed. Any default OSX install is going to have already alerted its owner to the existence of the fix.

  • by Elwood P Dowd ( 16933 ) <judgmentalist@gmail.com> on Wednesday May 05, 2004 @07:18PM (#9068737) Journal
    DO they ship apache with every copy of mac os x?

    Yes. The configuration is difficult to deal with, but it certainly ships on every OS X machine.

    The long story is that you have to go to the "System Preferences" application, click on the "Sharing" panel, and check the box marked "Personal Web Sharing".

    I realize that had a lot of "tech" "jargon", but that's how you configure Apache on Mac OS X.
  • by blackmonday ( 607916 ) on Wednesday May 05, 2004 @07:23PM (#9068775) Homepage
    There are lots of people out there who don't know what you know. Techworld, sounds so ... official, it must be true! I was trying to expose a BS article without explicitly calling it that. I'm glad we're debunking it.

  • by PhoenixFlare ( 319467 ) on Wednesday May 05, 2004 @07:23PM (#9068777) Journal
    If this were happening it's reasonable to assume those forums and media would be abuzz about it. Perhaps this is just more M$ FUD. BK425

    Have you actually talked to some art students lately? Aside from people that are actually doing computer graphics work, their computer skills (in general) are pitiful. Having a Mac does not help this - in fact, it gives them even less incentive to actually learn how their computer works beyond "double-click the cute little icon to open IE/AIM/Photoshop/etc.".

    Feel free to prove me wrong, but I go to a fairly geeky school [rit.edu], and with a couple exceptions, I haven't really seen otherwise among the art/photo majors here.
  • by Anonymous Coward on Wednesday May 05, 2004 @07:29PM (#9068818)
    He had to send his PowerBook back to Apple and was pretty pissed off at the result. [cowboyneal.org] And that's just one of his tirades about the dealing with Apple experience.

    It's rumored that he ended up smashing the shit out of it [cowboyneal.org] in the end.

    It really kind of turns you off to paying extra for the privilege of owning a Mac.

  • Attack story (Score:5, Informative)

    by Penguinshit ( 591885 ) on Wednesday May 05, 2004 @07:35PM (#9068864) Homepage Journal

    Man, I haven't read such an obviously antagonistic bit of tripe like that in a long time. Mentioning 5 possible exploits which all require default-off services to be enabled, only one of which could lead to a system-wide compromise under 99% of normal circumstances, then calling "Sasser" trivial in comparison (sorry.. "a blip") is not only completely incorrect but is irresponsible journalism.

    The AFS vulnerability, which is the only process in the whole list which runs under root privs, would require someone be running AFS (the Apple equiv of NFS) over the Internet. It has been known for a very long time that NFS is *ONLY* for internal trusted networks. AFS is turned off by default on Macs, and the vast majority of users (certainly almost all home users) would never need to enable it.

    The Quicktime vuln would only affect files owned by the executing user. Certainly a pain in the ass, but not fatal or prone to "zombification" of your computer like Sasser.

    The Apache vulns, IIRC, are of the DOS type (one is a memory leak condition). Irritating, but not critical, unlike Sasser.

    Kieren McCarthy should be ashamed of himself for writing such a disingenuous load of crap as that article. Microsoft's history of disclosure and cooperation with security research firms is ** FAR ** from unblemished.

  • Nice propaganda (Score:5, Informative)

    by mabu ( 178417 ) on Wednesday May 05, 2004 @07:41PM (#9068900)
    With all due respect, this is much ado about nothing. Let's examine some of the claims:

    * Some older vulnerabilities in Apache 2 can be exploited by malicious people to inject malicious characters into log files and cause a DoS

    Who is running Apache 2? Are most OS X users running their own web server in the first place? This isn't an Apple issue. Anyone who is running Apache, which includes all flavors of Unix as well as Windows has the same issues, but of those, the 2.x tree?? A tiny minority probably not even worth mentioning. This isn't necessarily Apple's responsibility unless they've branded Apache 2 and offered it as some core feature.

    * Two vulnerabilities in the IPSec implementation can be exploited by malicious people to conduct MitM attacks (Man-in-the-Middle), establish unauthorised connections, or cause a DoS.

    Again, this is an OpenSSL issue, not an Apple issue, and it has nothing specifically to do with Apple. The circumstances under which this exploit would be taken advantage of are pretty limited. That's not to say any of these issues shouldn't be addressed, and maybe Apple should more accurately call attention to these vulnerabilities but they aren't really the issues justified by the FUD being spewed.

    * A vulnerability within AppleFileServer can be exploited by malicious people to compromise a vulnerable system.

    Ok, this may be ONE issue so far that is attributable to Apple.

    * An unspecified vulnerability exists within the CoreFoundation when handling environment variables. This may potentially be a privilege escalation vulnerability. This has not been confirmed, though.

    WTF? An "unspecified vulnerability" that "has not been confirmed"? Did the lawyers from SCO write this article?

    * An unspecified vulnerability exists within RAdmin when handling large requests. This may potentially be a system compromise issue. This has not been confirmed, though.

    More unconfirmed vulnerabilities? Nice FUD.

  • by SLot ( 82781 ) on Wednesday May 05, 2004 @07:43PM (#9068911) Homepage Journal
    Can you name a single Windows flaw that was in the kernel?

    http://www.net-security.org/vuln.php?id=3401
    http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0112

    I don't think Microsoft has ever released a patch to the Windows kernel via Windows Update. Can anyone confirm this?

    http://www.microsoft.com/technet/security/bulletin/MS03-013.mspx

    Google is your friend [google.com].
  • utter rubbish (Score:1, Informative)

    by Anonymous Coward on Wednesday May 05, 2004 @07:44PM (#9068927)
    Secunia has given the five - yes, five - patches a "highly critical"

    Is that all! My God Apple are doing a sterling job, I wonder how many good old MS have? Seriously, yes it is a shame that Apple doesn't write 101% perfect code but I think you will find that the average OS X user does in fact use the prescribed patches. As I have done today.

    This strange habit of pretending a big problem is of no significance was also displayed last month

    Habit? Since when did Apple make it a habit of ignoring anything? Surely he must mean Microsoft?

    This article is utter, utter drivel. Yes it's important for Apple to keep on their toes, yes it's ultra important for OS X users not to be complacent. However this article is just endorsed flambé bait. I suggest Kieren finds another profession.

    As one poster on the Techworld discussion board comments:

    Your headline by itself is possibly even actionable as an untruth, maybe a slander - I'd be very careful, if I were you. I hope for your sake that you got it vetted by Techworld's legal department before "going to press".
  • by Anonymous Coward on Wednesday May 05, 2004 @07:46PM (#9068945)
    Typical Slashdot user talking out of his ass.

    Buffer Overrun in Windows Kernel Message Handling Could Lead to Elevated Privileges [microsoft.com]

    Update Rollup 1 for Windows XP Is Available [microsoft.com]. Search for ntoskrnl.exe for the proof of a kernel patch.

  • by allgood2 ( 226994 ) on Wednesday May 05, 2004 @07:47PM (#9068958)
    I read this article and thought it utter FUD. First the guy asserts that Mac OS X is rife with security holes, when really compared to Windows there just aren't that many. But it seemed his real complaint is that not a lot of people are talking about the security holes. I mean, in all honesty, why would Apple talk about the security holes, unless they were so plagued by them that consumers were continuously calling up complaining, there really is no reason to talk about a security hole.

    Investigate it, acknowledge it, and patch it-- that's what I see as the typical course of action, even for Microsoft, and Apple does this reasonably well. In fact, most of my knowledge about the various Apple related security holes comes directly from Apple in their knowledge-base articles related to the various security patches. It's only randomly that I hear about a security hole that will also affect Apple from a third party source, before I hear it from Apple. But I'll admit to most of my security subscriptions tend to cater to the PC, for obvious reasons.

    Also, it seems to me that Apple spends a fair amount of time patching security holes in the various open source solutions its using/tying in with Mac OS X. Which means that technically many of these security holes are also affecting Linux, and Unix machines as well. Like the security update from yesterday or the day before, which addresses issues in Apache, IPSec, OpenSSL, and CUPS.

    The guy mentions the QuickTime flaw, which was patched weeks ago by Apple, per normal, in a quite automated QuickTime update. He then also mentions that "trojan" that never was. Basically a proof of concept idea that was published, but works technically not that much differently on a Windows machine. Basically, someone can change the icon of an application to that of an MP3 file, and run code when double-clicked. Did anyone besides Intego consider this a big deal, even Symantec scoffed at it, and scolded Intego, though they did duly post a low level security warning.

    The truth is, to my knowledge Apple doesn't rate security updates. An update is either a normal bug fix or feature addition, or its a security update. Apple expects all its users to apply each of their security patches, and to the best of my knowledge has never used a security patch to ship in unwanted software or system changes. So why complain that Apple hasn't called the security updates a "critical" security update. The knowledge base typically includes who originally posted the hole/flaw, and the item number, so you can go read the details yourself, and look at the rating attribute.

    Blah, blah, blah...isn't this just more of I'm looking, scraping, scrounging for something bad to say about Apple security. I guess, I'd be more forgiving, if the article actually focused in on the various security issues, as opposed to chastising Apple for what, not taking out a press release about them?
  • by platipusrc ( 595850 ) <erchambers@gmail.com> on Wednesday May 05, 2004 @07:51PM (#9068985) Homepage
    Well, the whole message passing system in Windows is a local root exploit [slashdot.org]. Until this one is fixed (it never will be without a rewrite of the whole thing), there isn't a need for any other root exploits. I know it's not entirely in the kernel, but it doesn't matter, because there isn't any way to turn off the code that harbors the problem.
  • Re:Reasons why... (Score:5, Informative)

    by 47Ronin ( 39566 ) <.glenn. .at. .47ronin.com.> on Wednesday May 05, 2004 @07:54PM (#9069008) Homepage
    Perspective: people are surprised by all the security updates that Apple releases.

    Fact: By default, NONE of the exploitable holes are available by DEFAULT out of the box. There are ZERO services running, so no remote vulnerabilities. ...which is a ton more secure than a Windows PC out of the box (and some linux boxes). The only time the Mac OS X system can be compromised is if the exploitable services are turned on. Most of these are exploits to open-source software such as Apache, OpenSSL, CUPS. Recently, AFS was patched and that isn't even running when you turn on a Mac.
  • by zenpiglet ( 708412 ) <zenpiglet AT hotmail DOT com> on Wednesday May 05, 2004 @07:56PM (#9069024)
    In general you have a point, the Windows kernel is way more stable than stuff like IE, Explorer, Office, etc, but there are still fixes issued for it.

    For example, the recent MS04-011 [microsoft.com] fix which patches the vulnerability exploited by Sasser actually updates the kernel. If you look in the list of updated files you'll see "ntoskrnl.exe", "ntkrnlpa.exe", etc amongst some other critical system files (such as Winlogon.exe, Lsass.exe, etc)

    If you bother looking there are many other fixes that update the kernel, though not all are for security holes, but for other non-exploitable bugs that cause poor performance or incorrect behaviour.

    Incidentally, the vast majority of kernel problems (i.e. system crashes) are actually due to third-party drivers. Microsoft receive a huge number of crash submissions each year via its Online Crash Analysis tool and the data from these is collated and passed to the driver vendor for fixing. So, next time your Windows system crashes and asks "do you want to tell Microsoft?" click "yes" - it really does make a difference!
  • by Caradoc ( 15903 ) on Wednesday May 05, 2004 @08:02PM (#9069072) Homepage
    Why would I want to buy a virus scanner?

    ClamAV, among others, compiles and runs just fine under Mac OS X...
  • Re:Reasons why... (Score:3, Informative)

    by tyrione ( 134248 ) on Wednesday May 05, 2004 @08:09PM (#9069137) Homepage

    Do you want to be accused of being an overgeneralizing ass that has no original sarcastic points to aid in one's mod points?

    NeXTSTEP for the CIA WAS NOT NeXTSTEP for the General Consumer. I know, I worked there. Get over it. OS X/X Server for the Federal Government will be a CUSTOM BUILD tailored to the Government Requirements certification specs.

    Does that mean the Feds get a better OS? No. It means the Feds actually want a more limiting OS that when installed is hack proof and limited to doing specific tasks only. The CIA still touts the best Network is NO NETWORK.

  • Re:Reasons why... (Score:2, Informative)

    by zopu ( 558866 ) on Wednesday May 05, 2004 @08:13PM (#9069176)
    Isn't that weird, considering that MS is the only one with the source??

    Microsoft isn't the only company with access to MS source code.

    They have quite a few security 'partners' who have source code but are under full NDA and can't go public with any exploits found without an MS go-ahead.

  • Re:Reasons why... (Score:2, Informative)

    by ashridah ( 72567 ) on Wednesday May 05, 2004 @08:21PM (#9069233)
    Interestingly, the iriver iHP series claims that it's got a three to five year battery life with "normal"* use.

    The use of a lithium-polymer battery is supposed to help here, since the electrolyte doesn't decay as rapidly. 10 hours of battery life (give or take) isn't too shabby either (and I do get this, I'm using it right now well into its 6th hour)

    Now, I don't know about you, but I'd much prefer three years over 1, but the battery in the iriver doesn't appear to be easily replaced (by users), so I'm kinda up shit creek when it does eventually die.

    ashridah

    * Note: this is according to iriver's FAQ, here [iriver.com]. Take with appropriately sized grain of salt, their definition of 'normal use' is fairly small.

    Of course, you get what you pay for, and the li-poly batteries do actually cost a bit more (and so does the ihp range)
  • by laird ( 2705 ) <lairdp@@@gmail...com> on Wednesday May 05, 2004 @08:28PM (#9069277) Journal
    "While Apple seems to be patching fairly regularly, the last security update (the group of 4) was a little lacking in that it offered no explanations ... As I work in IT, I'm often left installing patches with Apple with no clue what they're doing under the hood"

    Apple's description of the patch was rather terse (AppleFileServer: Fixes CAN-2004-0430 to improve the handling of long passwords. Credit to Dave G. from @stake for reporting this issue."), but it provides the reference (CAN-2004-0430) that provides full details. Admittedly, this did require a google search, or reading the usual advisory lists. But it's certainly not hidden from anyone who wants the detail.
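    The "terse but referenced" patch note laird quotes is exactly the kind of text a patch-management script can mine. The following is an added example, not code from Apple, Slashdot or anyone in this thread: it pulls CAN/CVE identifiers out of Apple-style update notes, normalizes the legacy "CAN-" candidate prefix (retired by MITRE in 2005) to the canonical "CVE-" form, builds the MITRE lookup URL, and flags note lines that mention a fix but carry no identifier at all. The sample note contains the AppleFileServer line from this thread plus two constructed lines; CVE-2004-0000 is a placeholder, not a real entry.

```python
"""Extract vulnerability identifiers from vendor patch notes.

Added example; not Apple's, Slashdot's or any poster's code.
The first SAMPLE_NOTES line is the AppleFileServer note quoted in the thread,
the other two lines are constructed for this demo.
"""
import re
from dataclasses import dataclass

# Matches the legacy "CAN-" candidate prefix (used by MITRE until 2005) and
# the "CVE-" prefix. The sequence part is 4+ digits (IDs issued after 2014
# may be longer than four digits).
_ID_RE = re.compile(r"\b(CAN|CVE)-(\d{4})-(\d{4,})\b", re.IGNORECASE)

# Lines that talk about a fix but name no identifier: the "no clue what it
# does under the hood" case the thread complains about.
_FIX_WORDS_RE = re.compile(r"\b(fix|fixes|fixed|patch|patches|improve|improves)\b", re.IGNORECASE)

SAMPLE_NOTES = """\
AppleFileServer: Fixes CAN-2004-0430 to improve the handling of long passwords. Credit to Dave G. from @stake for reporting this issue.
ExampleDaemon: Fixes CVE-2004-0000 in request parsing. (constructed line; placeholder identifier)
OtherTool: Improves stability when opening documents. (constructed line; no identifier at all)
"""


@dataclass(frozen=True)
class VulnRef:
    cve_id: str       # canonical form, always "CVE-YYYY-NNNN"
    legacy_id: str    # identifier exactly as written in the note
    component: str    # text before the first colon, e.g. "AppleFileServer"
    mitre_url: str    # where the full technical write-up lives


def canonical_cve(raw: str) -> str:
    """Normalize 'can-2004-0430' or 'CVE-2004-0430' to 'CVE-2004-0430'."""
    m = _ID_RE.fullmatch(raw.strip())
    if not m:
        raise ValueError(f"not a CVE/CAN identifier: {raw!r}")
    return f"CVE-{m.group(2)}-{m.group(3)}"


def _split_component(line: str) -> tuple[str, str]:
    """Return (component, body) for 'Component: body'; component is '' if absent."""
    component, sep, body = line.partition(":")
    if not sep:
        return "", line
    return component.strip(), body


def parse_patch_notes(text: str) -> list[VulnRef]:
    """Return one VulnRef per identifier found, in document order."""
    refs: list[VulnRef] = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        component, body = _split_component(line)
        for m in _ID_RE.finditer(body):
            legacy = m.group(0)
            cve = canonical_cve(legacy)
            refs.append(VulnRef(
                cve_id=cve,
                legacy_id=legacy,
                component=component,
                mitre_url=f"https://cve.mitre.org/cgi-bin/cvename.cgi?name={cve}",
            ))
    return refs


def components_without_reference(text: str) -> list[str]:
    """Components whose note mentions a fix but gives no CAN/CVE identifier."""
    missing = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        component, body = _split_component(line)
        if _FIX_WORDS_RE.search(body) and not _ID_RE.search(body):
            missing.append(component)
    return missing


if __name__ == "__main__":
    for ref in parse_patch_notes(SAMPLE_NOTES):
        print(f"{ref.component}: {ref.legacy_id} -> {ref.cve_id} ({ref.mitre_url})")
    print("no identifier:", components_without_reference(SAMPLE_NOTES))
```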
  • Re:Reasons why... (Score:5, Informative)

    by More Trouble ( 211162 ) on Wednesday May 05, 2004 @08:56PM (#9069480)
    The discussion is whether or not Apple should be communicating more completely the nature of the security problems it is fixing.

    The vulnerabilities are announced on various security lists [google.com]. If you're paying even any attention, you can't help but notice.

    :w
  • Re:Reasons why... (Score:1, Informative)

    by Anonymous Coward on Wednesday May 05, 2004 @09:17PM (#9069582)
    Yeah, and it's not like a lot of people skip installing the patch because it could render the computer useless.
  • Re:Reasons why... (Score:5, Informative)

    by LostCluster ( 625375 ) * on Wednesday May 05, 2004 @09:18PM (#9069586)
    When colleges were opening up this year, there were massive worm problems because unpatched Windows XP computers were coming straight out of the box, and they were discovering access to the Internet during their first bootups. Computers were being exploited within a matter of seconds because there were just so many infected computers. And once a new computer gets hit, it was just one more sending random attacks.

    All of the RPC-flaw worms would have had much smaller impacts if only the people who actually used Remote Procedure Calls were running it. Simply put, that'd mean next to nobody would be running that service, and therefore there'd be much fewer people at risk, and therefore much fewer people infected, and therefore much longer of a wait time before any given IP address is randomly hit with an attempt.

    Microsoft's learned the moral of this tale. All recently released versions of Windows start with all non-critical services turned off until the user does something to enable them. SP2 will apply this logic retroactively to Windows XP Home, and that'll take care of most home users and college kids. This will greatly lower the odds of Windows ever being hit with worms of this size again...
  • Re:Reasons why... (Score:3, Informative)

    by MrLint ( 519792 ) on Wednesday May 05, 2004 @09:35PM (#9069703) Journal
    Shall we turn this around? it is fair play after all.

    let us review "Apple sold a $300 super-walkman that needed a $100 exchange for a refurbished iPod & battery after a yea"

    Well then since the implication that since an iPod was revealed that it needed a battery (and the reasons of the battery failure were not detailed by the owner), your hyperbole implies that all iPods need a battery in a year.

    So turn about, since some firestone tires exploded, therefore your sister already had hers explode.
  • update mechanisms (Score:5, Informative)

    by Onan ( 25162 ) on Wednesday May 05, 2004 @09:36PM (#9069705)
    You're right, it's very often the case that worms and such are exploiting vulnerabilities for which Microsoft issues patches long before. However, there are a few reasons that's the case.

    1) My very-non-expert understanding of Microsoft's update mechanism is that there are several semi-overlapping systems which are relevant, and that some or all of them do not default to running automatically. (I've never used Windows myself, so it's entirely possible that I'm mistaken about this. It's the impression I've acquired after listening to many Windows users.)

    Contrast this to Apple's Software Update tool, which defaults to checking for updates once a week, and handles all hardware and firmware from Apple. It requires explicit permission from the user to perform upgrades, but it does take the liberty of downloading "important" updates before requesting a final go-ahead, making it as painless as possible.

    2) Microsoft's patches have a pretty high incidence of causing problems for previously-working systems. My understanding is that this is often related to a very inflexible shared library system which encourages third-party developers to overwrite standard system DLLs with their own versions left and right, predictably causing problems upon future update.

    While it is absolutely the case that updates from Apple occasionally cause problems, it seems to be relatively rare. I personally have no qualms about simply agreeing immediately to any update Apple offers me; I've been doing so for five years now, and I haven't had any cause to regret it yet.

    So, yes, a very high percentage of systems out there are lacking patches which Microsoft has made available. But there are still some senses in which Microsoft is very responsible for that being the case.
  • Microsoft toadies (Score:4, Informative)

    by revscat ( 35618 ) * on Wednesday May 05, 2004 @09:40PM (#9069738) Journal

    From the article:

    Secunia has given the series of patches a "highly critical" rating, which it explained was due to the Apple's dismissive attitude to one of the holes. Secunia described a vulnerability within AppleFileServer that allows for a buffer overflow as an attempt to "improve the handling of long passwords", but security specialists @stake warned that it could lead to the full system access.

    These were the same guys who fired one of their employees because they had the temerity to say something bad and substantial about Microsoft.

    Link [google.com].

    Pretty FUDdy article to me.

  • Re:Reasons why... (Score:3, Informative)

    by Squozen ( 301710 ) on Wednesday May 05, 2004 @09:46PM (#9069766) Homepage
    Apple tries to publish the CVE number for every vulnerability it patches. Visit CVE [mitre.org] to read a full technical rundown.

    So, I guess the point is that Apple respond to holes and you're too lazy to look them up? :)
  • by Foolhardy ( 664051 ) <[csmith32] [at] [gmail.com]> on Wednesday May 05, 2004 @09:46PM (#9069769)
    That is entirely bogus if you make use of ACLs on your windows. See SetUserObjectSecurity [microsoft.com]. That's right: every window has a separate ACL that you can use to restrict access. So does every other object on NT. Unfixable, bah! A solution has been available in every version of NT.
    It's the [insert application] creator's fault for not implementing them.
    You'll also notice that no microsoft software has something running as SYSTEM open windows that can interact with the user; they all use unprivileged client apps. (other than Winlogon and it has its own protections) That makes it even more the app writer's fault and not an inherent system flaw. Notice they exploited some 3rd party virus scanner.
  • by Foolhardy ( 664051 ) <[csmith32] [at] [gmail.com]> on Wednesday May 05, 2004 @09:50PM (#9069791)
    That vulnerability requires the SeDebugPrivilege in order to exploit. It is normally (default) only given to members of the Administrators group. If a program is running as admin, then it is already a huge security hole. See http://www.securityfocus.com/archive/1/354392 [securityfocus.com].
  • Re:Reasons why... (Score:5, Informative)

    by MO! ( 13886 ) on Wednesday May 05, 2004 @09:54PM (#9069820) Homepage
    I don't think people on dial up ever patch.. because downloading the 100 megs of updates that both Jaguar, Panther, and XP require has got to be hell.

    Well, your thinking is impaired and you should therefore refrain from making such grossly inaccurate assumptions.

    Personally, I have 2 Windows 2000 systems, 1 Windows XP laptop, 1 MacOS X Powerbook, and 1 FreeBSD firewall. Not only do I weekly sync the FreeBSD box up via cvs and recompile the Stable source tree, I also patch both Win2k and the Mac as needed via the same 56K dial up. I haven't been hit with any of the Windows worms/viruses, nor any FreeBSD or Mac problems. That's because I run Windows Update nearly every other day, and MacOS X's Software Update at least a few times a week (in case a new patch I've not already heard about is there).

    Yeah, it sucks on dialup - and I frequently let the updates download overnight while I sleep. That's what my cell phone is for - voice conversations. If you're thinking twice about 50MB and you're not limited to dial up, I think you're nuts. I keep all of my systems as up to date as possible. Luckily the XP laptop is for work only, so I can run Windows Update from work with it.

  • Re:Reasons why... (Score:1, Informative)

    by Anonymous Coward on Wednesday May 05, 2004 @10:29PM (#9070003)
    I was lazy over last summer and didn't update over the 56K at home. (More like 35K but that's a different topic) MSBlaster came over the wire within 5 minutes of connecting. Took me all night to get it stable enough to update before the 60 second shut down. 56K sucks, no protection at all.
  • Re:update mechanisms (Score:5, Informative)

    by sjlutz ( 540312 ) on Wednesday May 05, 2004 @10:45PM (#9070099)
    I've seen Windows and Microsoft bashed enough on Slashdot, and sometimes for good reasons, but I have to say that the parent post is completely wrong.

    1) The Windows Update is installed by default, and (annoyingly) pops up when using a new computer until you tell it what to do. The options are simple: 1) Enable Windows Update (on by default). a) Notify before downloading, b) Download automatically, but don't install. c) Auto-download, and auto-install at scheduled time. Default is Updates ON, but just to notify.

    2) Yes, in the past there have been a couple windows updates that were not up to par, but they have become much better. The last problem one I remember was about 2 years ago with an Exchange Update (not security related) messing up an existing exchange server. I have yet to have a security update mess anything up, and I run about 100 windows servers. Like any update, I do test on a non-production box (like staging server or development server) before I push to production, but I have yet to have a problem.

  • Re:update mechanisms (Score:5, Informative)

    by TechniMyoko ( 670009 ) on Wednesday May 05, 2004 @10:47PM (#9070112) Homepage
    Windows Update is semi automatic. It downloads the patches rated critical, and asks permission to install them.

    As for some patches causing trouble, I seem to remember an update for OSX that neutered the network adapter.

    As for DLL hell, that was cured in XP/2K which keeps multiple versions of DLLs

  • Re:Reasons why... (Score:5, Informative)

    by LostCluster ( 625375 ) * on Wednesday May 05, 2004 @11:33PM (#9070352)
    The affected service is indeed something that cannot/should not be directly turned off because it's the Local Security Authority Subsystem Service which is more-or-less at the center of the whole permissions structure in Windows.

    However, that isn't by definition a network service itself. The only way that this flaw can be exposed to the network is if there is a running network service that depends on the LSASS to do user authentication for it... LSASS isn't network-aware in itself, it's just concerned with permissions of things on the local machine. In order for the worm to work, it must depend on the help of a network service in order to be able to get to the affected service to exploit the bug.

    To put it mildly, if the Sasser worm can't get in at port 445, which is an SMB file-sharing port, then it gives up and moves on to the next potential victim. Nobody should have port 445 exposed to the open Internet unless they want to share files with the world that way, which is most likely nobody at all. In fact, users who don't have a multi-PC home network have no business having that port open in the first place, they're not going to have use for SMB.

    So, if File Sharing is turned off, the LSASS flaw would still exist but Sasser wouldn't be able to exploit it remotely, the LSASS flaw would be contained to only local users on that machine. In fact, anybody behind a firewall that denies port 445 would be protected from being exploited by anything on the other side of the firewall.

    In short, if SMB shipped turned off by default, only those who turned on File Sharing and then failed to properly firewall it from the Internet would be infected. Those who were unaware of what File Sharing did would not be...
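The comment above rests on two checks a practitioner would actually run: is SMB (or its NetBIOS and RPC siblings) listening on anything other than loopback, and can port 445 be reached from the far side of the firewall. The script below is an added illustration, not part of the original thread; the `netstat -an` output in it is constructed, and the port list and descriptions are mine.

```python
"""Find SMB/NetBIOS/RPC listeners that face more than loopback.

Added example, not from the original post. SAMPLE_NETSTAT is constructed
to look like `netstat -an` on Windows; the port list follows the comment
above (445 for SMB over TCP) plus its NetBIOS and RPC siblings.
"""
import socket
from typing import Dict, List, NamedTuple

# Ports a single-PC home machine has no reason to expose to the Internet.
SENSITIVE_PORTS: Dict[int, str] = {
    445: "SMB over TCP (the path Sasser takes to LSASS)",
    139: "NetBIOS session service (SMB over NetBIOS)",
    135: "MSRPC endpoint mapper (the path Blaster took)",
}


class Listener(NamedTuple):
    addr: str
    port: int


def parse_netstat(text: str) -> List[Listener]:
    """Extract TCP sockets in LISTENING state from `netstat -an`-style output."""
    found = []
    for line in text.splitlines():
        fields = line.split()
        # Windows rows look like: TCP  0.0.0.0:445  0.0.0.0:0  LISTENING
        if len(fields) < 4 or fields[0] != "TCP" or fields[3] != "LISTENING":
            continue
        addr, _, port = fields[1].rpartition(":")   # also handles [::]:445
        found.append(Listener(addr, int(port)))
    return found


def is_loopback(addr: str) -> bool:
    """Only loopback bindings are unreachable from every other host."""
    return addr.startswith("127.") or addr in ("::1", "[::1]")


def exposed_listeners(listeners: List[Listener]) -> List[Listener]:
    """Sensitive ports bound to anything other than loopback.

    A socket bound to 0.0.0.0 or to the LAN address is reachable by whoever
    can route to it, so the only remaining defence is a firewall rule.
    """
    return [l for l in listeners
            if l.port in SENSITIVE_PORTS and not is_loopback(l.addr)]


def probe_tcp(host: str, port: int, timeout: float = 2.0) -> bool:
    """Connect-scan one port; True means the handshake completed.

    Run it from a host on the far side of the firewall: if 445 answers, the
    'deny 445' rule the comment relies on is not actually in effect.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    127.0.0.1:1025         0.0.0.0:0              LISTENING
  TCP    192.168.1.10:139       0.0.0.0:0              LISTENING
  TCP    192.168.1.10:3389      203.0.113.5:51234      ESTABLISHED
  UDP    0.0.0.0:445            *:*
"""

if __name__ == "__main__":
    for l in exposed_listeners(parse_netstat(SAMPLE_NETSTAT)):
        print(f"{l.addr}:{l.port}  {SENSITIVE_PORTS[l.port]}")
```

Note that a binding to the LAN address (192.168.1.10:139 in the sample) is reported just like a wildcard binding: whether it is reachable depends on what sits between that interface and the Internet, which is exactly what `probe_tcp` from an outside host settles.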
  • by Ffakr ( 468921 ) on Thursday May 06, 2004 @12:35AM (#9070646) Homepage
    The crux of your argument is severely flawed.

    "All of the RPC-flaw worms would have had much smaller impacts if only the people who actually used Remote Procedure Calls were running it."

    That would be every single Windows user. All Windows versions.. at least all that are from the poisoned NT tree, actually make an RPC call back to themselves when they log in. If you disable RPC on a Windows box.. the box can't authenticate LOCAL users! How's that for clever design?
  • Re:update mechanisms (Score:3, Informative)

    by LenE ( 29922 ) on Thursday May 06, 2004 @02:52AM (#9071187) Homepage
    It doesn't work. In my experience, windows will use whichever DLL comes first in the %PATH%, which happens to have the same name. Sometimes, this results in an "Ordinal Not Found" error or something similar, and sometimes it just goes on without a problem. There may be some official way to make conflicting DLLs coexist in Windows, but many/most developers don't use it, so the fallback is to search the %PATH% for the existence of the file.

    In some cases, this problem can be "fixed" by changing the order that directories are listed in %PATH%, but sometimes the differing versions cause too many compatibility problems.

    The parent to your post is either delusional or misinformed. DLL Hell still exists on Windows.

    -- Len
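The behaviour Len describes (the first same-named DLL found wins, and reordering %PATH% changes which one) is the tail end of the loader's fixed search order, and the same mechanism is what DLL search-order hijacking abuses. The simulation below is an added example, not code from the thread: it models the documented order for a DLL requested by bare file name, with no side-by-side manifest and not on the KnownDLLs list (both of which bypass the search). The directory layout, the application, `netlib.dll` and `shared.dll` are all made up.

```python
"""Which copy of a same-named DLL does the Windows loader pick?

Added example, not from the thread. It models the documented search order for
a DLL requested by bare file name, with no side-by-side manifest and not on
the KnownDLLs list (those two mechanisms bypass the search entirely). The
directory layout, the application and netlib.dll are all made up.
"""
from typing import Dict, List, Optional, Tuple

SYSTEM32 = r"C:\Windows\System32"
SYSTEM16 = r"C:\Windows\System"
WINDIR = r"C:\Windows"


def search_order(app_dir: str, cwd: str, path_dirs: List[str],
                 safe_mode: bool = True) -> List[str]:
    """Directories in the order the loader probes them.

    safe_mode is SafeDllSearchMode (on by default since XP SP2 / Server 2003):
    the current directory is probed after the system directories. With it
    off, the current directory comes second, so a DLL planted next to a
    document the user double-clicks wins over the real one in System32.
    Directories on %PATH% are always probed last.
    """
    system_dirs = [SYSTEM32, SYSTEM16, WINDIR]
    if safe_mode:
        return [app_dir, *system_dirs, cwd, *path_dirs]
    return [app_dir, cwd, *system_dirs, *path_dirs]


def resolve(dll: str, fs: Dict[str, Dict[str, str]], app_dir: str, cwd: str,
            path_dirs: List[str], safe_mode: bool = True) -> Optional[Tuple[str, str]]:
    """Return (directory, version) of the first matching file, or None.

    fs maps a directory to {lower-case file name: version string}; names are
    case-insensitive on NTFS, so the requested name is lower-cased first.
    """
    name = dll.lower()
    for directory in search_order(app_dir, cwd, path_dirs, safe_mode):
        version = fs.get(directory, {}).get(name)
        if version is not None:
            return directory, version
    return None


# Constructed layout: a genuine netlib.dll in System32, a planted copy in the
# user's download folder, and two shared.dll builds on different PATH entries.
FS = {
    SYSTEM32: {"netlib.dll": "5.1.2600.0"},
    r"C:\Program Files\App": {"app.exe": "1.0"},
    r"C:\Users\victim\Downloads": {"netlib.dll": "0.0.0.0-planted"},
    r"C:\Tools\Old": {"shared.dll": "1.0"},
    r"C:\Tools\New": {"shared.dll": "2.0"},
}
APP_DIR = r"C:\Program Files\App"
DOWNLOADS = r"C:\Users\victim\Downloads"
PATH_OLD_FIRST = [r"C:\Tools\Old", r"C:\Tools\New"]

if __name__ == "__main__":
    print("safe mode on :", resolve("netlib.dll", FS, APP_DIR, DOWNLOADS, PATH_OLD_FIRST))
    print("safe mode off:", resolve("netlib.dll", FS, APP_DIR, DOWNLOADS, PATH_OLD_FIRST, safe_mode=False))
    print("PATH Old,New :", resolve("shared.dll", FS, APP_DIR, DOWNLOADS, PATH_OLD_FIRST))
    print("PATH New,Old :", resolve("shared.dll", FS, APP_DIR, DOWNLOADS, PATH_OLD_FIRST[::-1]))
```

The last two calls reproduce Len's %PATH% reordering trick for a library that lives nowhere else; the first two show why that trick is a security problem as much as a compatibility one: with SafeDllSearchMode off, a copy dropped into the current directory beats the one in System32.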
  • by upside ( 574799 ) on Thursday May 06, 2004 @03:28AM (#9071314) Journal
    The iexplore executable is 89kb. It's just a kickstarter.

    Internet explorer is in fact part of explorer.exe, the windows shell.

    Test: Open task manager and close IE so you can only see explorer.exe, not iexplore.exe. Open windows explorer and type a URL into the location bar. It'll open a web page and you'll get the IE toolbars. Check task manager: no iexplore.exe.

    It doesn't really matter _where_ the flaw is, as long as it leads to privilege escalation it's as bad as it can get.
  • Re:Reasons why... (Score:2, Informative)

    by Geoff-with-a-G ( 762688 ) on Thursday May 06, 2004 @09:10AM (#9072441)
    Right, but as with virtually every other slashdot poster, you make the mistake of assuming you are representative of the majority of computer users. You very definitely aren't.

    MOST people on dialup who see a dialog box pop up saying "Microsoft thinks you should download a 100 meg update right now and restart your computer" click "go away right now and never bother me again"

    If everyone was like you, we wouldn't see CNN stories about massive worm outbreaks, and the percentage of slashdot posts bitching about Microsoft security problems would plunge from 25% all the way down to 20%.

  • Slander (Score:3, Informative)

    by rixstep ( 611236 ) on Thursday May 06, 2004 @01:08PM (#9075060) Homepage
    Forgive me, but who is Kieren McCarthy? And how can he prove the existence of something that he by definition cannot know anything about?

    And why does this always happen whenever Windows gets the shit kicked out of it?

    Kieren McCarthy, whoever you are, I am sure this comes as no great news to you, but 1) you are full of it; and 2) you're a dupe - perhaps a paid dupe, perhaps an unpaid (and therefore even more duped) dupe.

    My argument is only anecdotal, but even as such it offers much more substance and evidence than this charlatan.

    I have never - and I literally mean never - come across a company so freaking security conscious as Apple. I mean, these guys are out in front and thinking and preparing for possible security vulnerabilities waaay down the line - years ahead.

    All you have to do is read the programming tutorials to understand this.

    And their grasp of Unix is excellent. These guys really know security, and for them security is a top, if not the top, priority.

    Exposing a bug in OS X gets you an immediate response - and by 'immediate' I mean 'immediate': within a couple of hours at the most. And the contact you get becomes a liaison between you and the development team. And even more impressive, they actually keep after you to complement your information so they can get to the bottom of it.

    Now honestly, Mr Kieren McBullshit, who else does this? Eat you know what and do you know what. You should be ashamed.

    There used to be a time when Apple traced every hardware flaw back to the design phase - and corrected it. This thinking they have today about software and security echoes that type of thinking.

    You might accuse Apple of many things, but lax on security is not one. My information is only anecdotal, but it's more than good enough for me: in terms of security, Apple are simply best.

    So crawl back into the woodwork, Mr Microslave, until next Windows gets walloped by a simple hack written by a teenager sitting in his underwear at his computer halfway around the world.

    We'll be waiting.
  • Re:update mechanisms (Score:1, Informative)

    by Anonymous Coward on Thursday May 06, 2004 @05:58PM (#9078054)
    How about "If you install Service Pack 4 for Windows 2000, you will no longer be able to open any previously-saved 3DS Max projects, and will encounter frequent errors when saving new projects." Regardless of the hardware being used.

    Is that widespread enough for you, smartass? Arguing that Windows hotfixes don't cause problems is a fool's argument, because there's enough history to show that yes, indeed, they do cause problems, and yes, indeed, they are routinely widespread. There's been at least a couple that affected virtually every desktop known to man, gosh, how could that have slipped through their rigorous testing procedure?

    The fun part is that Microsoft has more money than god and is in charge of testing their software before releasing it - at this point they have enough money coming in every year to fscking test every conceivable hardware combination, never mind that hardware and software manufacturers frequently provide their equipment to Microsoft's testing department free of charge when they ask for one.

    Face it: Microsoft is greedy and doesn't want to spend the money on a large enough testing department to adequately test their patches. And you, like all Microsoft apologists, defend them.

    So... are you directly/indirectly employed by Microsoft, or just own stock? Come on, you can come clean and tell us.
  • by Foolhardy ( 664051 ) <[csmith32] [at] [gmail.com]> on Thursday May 06, 2004 @07:05PM (#9078521)
    "Odd that absolutely none of them mention that debug privileges are required..."
    This one [securityfocus.com] and this one [securityfocus.com] are both the same vuln. Read the discussion page for 9694 or see http://www.securityfocus.com/archive/1/354392 [securityfocus.com] for a better description. And I quote: It should be noted that a local user would require the SeDebugPrivilege to exploit these issues.
    "No, I'd say 1 can be considered a DoS, the rest are privilege escalation."
    Read the descriptions more carefully.
    This [securityfocus.com] one causes a memory leak; DoS.
    This [securityfocus.com] one is possible information disclosure, not code execution.
    This [securityfocus.com] is another memory leak; a DoS.
    "I have to disagree. There are some inherent problems with the NT design. Sure, most problems are implementation issues, but there are certainly several design flaws as well."
    Design flaws like what? Give me examples. Every object from window, to thread to registry key has a separate ACL. API interfaces are divided into subsystems that all have to use the same system interface. All system calls go through ntdll.dll. All strings use a single format and are sized. NT uses memory protection like any other modern PC OS. All named objects are stored in the object manager. Services like the IO manager use layers to abstract functions.
    "I can't agree with that. If something must be run in kernel mode, it should be considered part of the kernel."
    *sigh* There is really no point to argue the definition of a kernel. You are right though, if a vuln exists in something with the privileges of the kernel, it might as well be part of the kernel from a security standpoint. I think the discussion originally made the statement that no vulns exist in the kernel itself (ntoskrnl.exe); not including optional modules. You found some. The difference is that you can choose to not use optional modules, you can't choose to not use the kernel.

    As for things that must be run in the kernel, a microkernel architecture should have almost nothing. MS traded safety for less overhead by moving so much into kernel mode. I agree that there is too much. Ideally the user should be able to choose what they want to have where. However, MS has never been one for giving users choices.
    "There are many many more that I could have gone through and listed..."
    Bring 'em on! :)
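The SeDebugPrivilege point in the exchange above is worth turning into a check: a local bug that needs that privilege buys nothing for a caller whose token already lists it, since SeDebugPrivilege on its own opens any process, LSASS included, and Administrators hold it by default. The script below is an added example, not part of the thread; it parses `whoami /priv` output (the two blocks of output in it are constructed in that format) and the set of "admin-equivalent" privileges is the commonly cited one, not something the thread enumerates.

```python
"""Does this token already hold SeDebugPrivilege?

Added example, not part of the thread. It parses the output of `whoami /priv`
(the blocks below are constructed in that format) and answers the question
the comment raises: a bug that needs SeDebugPrivilege is not an escalation
for a caller whose token already lists it, since that privilege by itself
allows opening any process, LSASS included. Administrators hold it by default.
"""
import re
from typing import Dict, List

# Privileges that let a holder reach SYSTEM on their own; a "local privilege
# escalation" gated on one of these escalates nothing. This set is the
# commonly cited one, not something the thread enumerates.
ADMIN_EQUIVALENT = {
    "SeDebugPrivilege", "SeTcbPrivilege", "SeLoadDriverPrivilege",
    "SeTakeOwnershipPrivilege", "SeRestorePrivilege", "SeBackupPrivilege",
    "SeImpersonatePrivilege", "SeAssignPrimaryTokenPrivilege",
    "SeCreateTokenPrivilege",
}

# One table row: name, padded description, then the State column.
_ROW = re.compile(r"^(Se\w+Privilege)\s+.*?\s+(Enabled|Disabled)\s*$")


def parse_whoami_priv(text: str) -> Dict[str, str]:
    """Map privilege name -> 'Enabled'/'Disabled' from `whoami /priv` output.

    Header and separator lines are skipped; only rows that start with a
    Se...Privilege name and end with a state are kept.
    """
    privs = {}
    for line in text.splitlines():
        m = _ROW.match(line.strip())
        if m:
            privs[m.group(1)] = m.group(2)
    return privs


def holds_privilege(privs: Dict[str, str], name: str) -> bool:
    """True if the token holds the privilege at all.

    'Disabled' only means it is not currently switched on in the token; any
    process running under it can enable it with AdjustTokenPrivileges, so for
    exploitability the State column does not matter, only presence.
    """
    return name in privs


def dangerous_privileges(privs: Dict[str, str]) -> List[str]:
    """Admin-equivalent privileges present in the token, sorted."""
    return sorted(p for p in privs if p in ADMIN_EQUIVALENT)


def is_real_escalation(required: str, privs: Dict[str, str]) -> bool:
    """A bug needing `required` only escalates for tokens that lack it."""
    return not holds_privilege(privs, required)


# Constructed `whoami /priv` output for a member of Administrators.
ADMIN_TOKEN = """\
PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State
============================= ========================================= ========
SeDebugPrivilege              Debug programs                            Disabled
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
SeShutdownPrivilege           Shut down the system                      Disabled
SeImpersonatePrivilege        Impersonate a client after authentication Enabled
"""

# Constructed output for an ordinary user: no debug privilege at all.
USER_TOKEN = """\
Privilege Name                Description                               State
============================= ========================================= ========
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
SeShutdownPrivilege           Shut down the system                      Disabled
"""

if __name__ == "__main__":
    for label, text in (("admin", ADMIN_TOKEN), ("user", USER_TOKEN)):
        privs = parse_whoami_priv(text)
        print(label, dangerous_privileges(privs),
              "SeDebugPrivilege bug is an escalation:",
              is_real_escalation("SeDebugPrivilege", privs))
```

The practical reading of the result: the SecurityFocus note quoted above turns those entries into bugs only reachable from an already-administrative token, which is why they belong in the DoS/information-disclosure column rather than the escalation one.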
  • by laird ( 2705 ) <lairdp@@@gmail...com> on Friday May 07, 2004 @10:47AM (#9084206) Journal
    "And the other 3? Apple should at least point to the relevant advisory."

    Apple did. I'll quote more of the knowledge base article:

    "* CoreFoundation: Fixes CAN-2004-0428 to improve the handling of an environment variable. Credit to aaron@vtty.com for reporting this issue.
    * Apache 2: Fixes CAN-2003-0020, CAN-2004-0113 and CAN-2004-0174 by updating to Apache 2 to version 2.0.49.
    * RAdmin: Fixes CAN-2004-0429 to improve the handling of large requests
    * AppleFileServer: Fixes CAN-2004-0430 to improve the handling of long passwords. Credit to Dave G. from @stake for reporting this issue.
    * IPSec: Fixes CAN-2004-0155 and CAN-2004-0403 to improve the security of VPN tunnels. IPSec in Mac OS X is not vulnerable to CAN-2004-0392."

    Admittedly this is listed in the knowledge base article, not in the consumer description of the patch, but it doesn't seem unreasonable that a sysadmin would read the KB article for the patch before installing it.
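Since the comment's point is that the identifiers are in the knowledge base article for anyone who reads it, here is an added example (not from the post or from Apple) of pulling them out mechanically so a sysadmin can map an update to the advisories it closes. The input is the component list quoted above, minus the quotation marks; the parsing, the per-sentence handling of "not vulnerable to", and the CAN-to-CVE normalisation are mine. CAN- was the prefix for CVE candidates, and an accepted candidate kept its number under the CVE- prefix.

```python
"""Pull the advisory identifiers out of an Apple security-update note.

Added example, not from the post. KB_TEXT is the component list quoted in the
comment above, stripped of its quotation marks; everything else (the parsing
and the CAN->CVE normalisation) is mine. CAN- was the prefix for CVE
candidates; an accepted candidate kept its number under the CVE- prefix.
"""
import re
from typing import Dict, List, Tuple

ID_RE = re.compile(r"\b(?:CAN|CVE)-\d{4}-\d{4,}\b")
ITEM_RE = re.compile(r"^\s*\*\s*([^:]+):\s*(.*)$")
SENTENCE_SPLIT = re.compile(r"(?<=\.)\s+")


def canonical(ident: str) -> str:
    """CAN-YYYY-NNNN -> CVE-YYYY-NNNN; CVE identifiers pass through unchanged."""
    return "CVE-" + ident.split("-", 1)[1]


def parse_update_note(text: str) -> Tuple[Dict[str, List[str]], List[str]]:
    """Return ({component: [fixed ids]}, [ids the note says do not apply]).

    Each '* Component: ...' line is split into sentences; identifiers in a
    sentence containing 'not vulnerable' are recorded separately rather than
    counted as fixed, which is the trap in the IPSec entry.
    """
    fixed: Dict[str, List[str]] = {}
    not_vulnerable: List[str] = []
    for line in text.splitlines():
        m = ITEM_RE.match(line)
        if not m:
            continue
        component, body = m.group(1).strip(), m.group(2)
        for sentence in SENTENCE_SPLIT.split(body):
            ids = [canonical(i) for i in ID_RE.findall(sentence)]
            if "not vulnerable" in sentence.lower():
                not_vulnerable.extend(ids)
            else:
                fixed.setdefault(component, []).extend(ids)
    return {c: sorted(ids) for c, ids in fixed.items()}, sorted(not_vulnerable)


def all_fixed(fixed: Dict[str, List[str]]) -> List[str]:
    """Flat, sorted list of every identifier the update actually addresses."""
    return sorted({i for ids in fixed.values() for i in ids})


KB_TEXT = """\
* CoreFoundation: Fixes CAN-2004-0428 to improve the handling of an environment variable. Credit to aaron@vtty.com for reporting this issue.
* Apache 2: Fixes CAN-2003-0020, CAN-2004-0113 and CAN-2004-0174 by updating to Apache 2 to version 2.0.49.
* RAdmin: Fixes CAN-2004-0429 to improve the handling of large requests
* AppleFileServer: Fixes CAN-2004-0430 to improve the handling of long passwords. Credit to Dave G. from @stake for reporting this issue.
* IPSec: Fixes CAN-2004-0155 and CAN-2004-0403 to improve the security of VPN tunnels. IPSec in Mac OS X is not vulnerable to CAN-2004-0392.
"""

if __name__ == "__main__":
    fixed, excluded = parse_update_note(KB_TEXT)
    for component, ids in fixed.items():
        print(f"{component}: {', '.join(ids)}")
    print("explicitly not applicable:", ", ".join(excluded))
```

A naive grep for `CAN-` over this note returns nine identifiers and would count CAN-2004-0392 as fixed; the sentence-level check is what keeps the tally at eight.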
