Apple Releases Mega Patch to Fix 19 Flaws
maotx writes "Apple has released a mega-patch that fixes 19 flaws in Mac OS X v10.3.9. The updates include several fixes for remote and local root exploits. The change log can be found here. You can download the updates using the Software Update Program or directly from Apple Downloads."
silly taco (Score:5, Informative)
Re:10.3.10? (Score:5, Informative)
Re:A non-apple user has some questions: (Score:3, Informative)
Re:10.3.10? (Score:5, Informative)
A security update should have a very low threshold for installation. An admin should be able to apply it feeling somewhat confident it is not going to break anything important. Of course, on critical systems "somewhat" is not enough so it may still require some testing.
Point being, a security update should be lightweight to encourage quick adoption.
As an aside, Apple "violated" this express policy and included a few security updates with 10.3.9. That update turned out to break things for a lot of people, therefore people held off installing it. During that time, they were subjected to published vulnerabilities.
Re:A non-apple user has some questions: (Score:1, Informative)
The interface is simple. I have it set to automatically let me know when there are updates available, but you can optionally pick "Software Update" from the Apple menu to see if there's anything new. Or, if you prefer (why, though?) you can download updates from the and install them yourself.
Little patches are rare, but not unheard of. Usually to fix emergency security bits.
Re:A non-apple user has some questions: (Score:1, Informative)
From the summary: "You can download the updates using the Software Update Program or directly from Apple Downloads."
Re:A non-apple user has some questions: (Score:5, Informative)
They do a mix of patches depending on what's needed. If there's just a small hotfix, that's what's there. If there's several unrelated fixes, they're all there. Other times it's big fixes like this. Also note that every few months they'll roll up a bunch of fixes into one big one to make it easier on people.
Re:While I think... (Score:5, Informative)
Re:10.3.10? (Score:2, Informative)
Would someone please explain to me why this comment would be marked as "Flamebait"? Still trying to get a handle on this mod thing.
I'm guessing it was some mod who doesn't get the concept that the segments in 10.3.9 are separate fields (like an IP address) rather than one big floating point decimal, thinks "10.310 < 10.39, OMG, this poster wants to make OS X go backwards!" and clicked the flamebait button.
Re:A non-apple user has some questions: (Score:5, Informative)
-About once every 2 months we see a security patch. They now name them 200x.00y (x - year, y - patch this year).
-Software updates for apple software (non-OS related) come in about the same frequency. I usually get bugged to install something once every 2 weeks or so.
-Software updates for apple OS (10.3.x, where x is the current update) come in about once a quarter, or so.
All of those are voluntary upgrades.
Do they have some sort of web-interface like Windows-update, or is it a self-contained program, or is it an open thing that you can use whatever browser/program you'd like to download?
-There is an automated, stand alone tool to deliver them.
-They get posted as downloads to their site (apple.com) with documentation, description, etc.
-Sometimes, multiple patches get rolled into an 'uber' patch, if you are installing (upgrading) from a previous release of the OS to the current one (not on the release day). Apple also re-issues their OS media w/ most patches as they get posted.
So you can use any number of ways to patch your system.
Are there lots of little patches all the time, or just big lumps of patches like this one?
See above. Small patches are released if they are important, as time progresses they get rolled into bigger, all inclusive patches (and still available as the small ones).
Note, Apple also uses this mechanism to install firmware for iPods, iSights and Airport Stations - which makes upgrading your kit really convenient.
You can set the stand alone utility to check daily/weekly, whatever, or disable it as well.
Re:Apache Exploit (Score:5, Informative)
I believe it's referring to this bug [debian.org] in htdigest that was reported a year ago. If so, it affects linux systems as well.
I wouldn't worry too much about it, it's not a remotely exploitable overflow... it could be exploited by somebody who was allowed to upload a malicious CGI script to your server, but it would have to be somebody who was allowed to deploy CGI scripts to your apache server to begin with.
Re:Several exploits (Score:2, Informative)
Also a download for Windows (Score:5, Informative)
Re:Several exploits (Score:5, Informative)
Oh [secunia.com] (three months) really [secunia.com] (5 months)?
Re:What about *MY* Problem? (Score:3, Informative)
Sorry, you're completely and utterly wrong (Score:5, Informative)
And your other general point about "popularity" is answered below. Nice troll, though.
On this subject, last year I answered a query raised during a Chronicle of Higher Education colloquy. I believe it touches on the major issues here.
Question from Lisa L. Spangenberg, UCLA:
Given that there are no viruses or Trojan horses for the current Macintosh system, OS X 10.3, and given that it is essentially UNIX, and given that the most common applications (Microsoft Office Suite, Adobe applications) work very well on OS X, why don't more institutions adopt Macs and encourage faculty to use them?
Gregory A. Jackson:
Well, first of all, there are viruses and Trojans that afflict MacOS, witness Apple's periodic release of security fixes to counteract them.
First, that isn't true, regarding viruses. To date, there are no known viruses that specifically target Mac OS X. Last week's "trojan" was nothing more than an application with a different icon and misleading name that displayed a dialog box (which was an example posted to a USENET Mac programming group to illustrate this fact that has been known and possible on Mac OS for over twenty years; an antivirus vendor apparently thought this an appropriate time to dress it up, incorrectly, as some new, terrible exploit easily adapted for malicious means, when in reality it's nothing more than an application).
If you're referring more broadly to security issues in general, almost all of the security and security-related updates for Mac OS X to date have been updates for primarily server-type services that ship with the OS, all of which are disabled by default, and the lion's share of which are never even enabled, much less touched, on the vast majority of systems. I'm not saying that they should be ignored, but Apple's comprehensive and swift response to the most minor security issues does not rise to the level of the staggeringly numerous, sometimes completely automated, remote exploits, worms, and so on for Windows. It is no longer possible to even get through a full installation of Windows XP on a machine connected to a public network without it being exploited before you even have a chance to patch it.
It's definitely possible for Mac OS X to have viruses, worms, trojans, and other malware - Mac OS X is not invulnerable, and no sensible person would claim it to be. But the underlying philosophical design principles are fundamentally more secure than Windows, period. Since the major ingredient for the success of a worm or virus is some ability to spread, witness the fact that there is no way with anything built into Mac OS X to perform automated propagation of a virus, and no current known ways to exploit a machine remotely, not to mention that potentially exploitable network services are disabled to begin with anyway (and remain that way unless explicitly enabled), a stark contrast to Windows. Any hope for automatic propagation would require a comparatively high level of sophistication, and perhaps even its own mail server - not to mention some intrinsic vulnerability to exploit. On the other hand, there are still, to this moment, unfixed vulnerabilities in certain versions of Outlook that will spread certain virus variants simply by previewing a
Re:What about *MY* Problem? (Score:2, Informative)
Apple techs lurk there and some of the more knowledgeable support people who don't work for Apple as well.
If no one there has a solution, they can tell you where the best place to complain is.
Re:Several exploits (Score:4, Informative)
lies.
The basic filesystem hooks (the basic OS file handling) are FreeBSD; it's a LOT more than a few BSD apps.
OSX is _really_ a mach kernel, with a BSD derived OS on top, and a proprietary window manager on top of that.
An example: (Score:3, Informative)
Here's an example of update type and frequency from my log. Note, I installed Panther on a fresh hard-drive on 4-20 there
Also note that this article isn't news (Thanks The Register) as most of us downloaded this 6 meg update days ago. I was all like "what another update?" but then "oh, Slashdot is just reporting the Olds for Nerds". Anyway -- to everyone who is 'happy' about this being posted on Slashdot, because you didn't know about it yet: Please, please just set Software Update to check every day and fetch updates in the background. Then it's like Christmas when it bounces in the dock and says "Yay, I have updates ready to go if you'd like to install them!"
(This should be familiar to all those 2K and XP folks who have the Windows Auto Update thingamajig).
Re:While I think... (Score:2, Informative)
Re:Several exploits (Score:5, Informative)
Clue #2: If marketshare was the only factor, there would be far more exploits and virii floating around for Apache than for IIS. Security design matters more than market share, and Macs are vastly more secure than Windows boxen.
Clue #3: There's not clue 3.
Clue #4: Incorrect plurala can be fun.
Re:10.4.1 (Score:3, Informative)
Put the keyboard down. Now, I want you to read this and repeat these words after me:
I do not work for Apple. Again. I do not work for Apple.
Do you feel better? One more time:
I do not work for Apple. If I worked for Apple, I'd have been fired by now. If I worked for Apple, people who really are from Apple would know who I am. I could not possibly post at this volume and depth and work at Apple without someone knowing exactly who I am.
It's hard to come to terms with. But it's reality. Yes, you're an obnoxious loon, and in that respect, perhaps you're perfectly qualified to work in management there. But you are not, repeat, not working for Apple. You need to quit with the "we" stuff. With the tall tales.
People have gone mad pretending to be mad. Your mental health is at serious risk.
Re:Several exploits (Score:2, Informative)
On a side note... anyone else sick of this guy proclaiming to speak for apple yet seeming to have no credentials?
Is this an Apple PR account? Somehow I doubt it... as I said before.. probably a nobody at apple who has the parts to try and speak for them.
Re:Several exploits (Score:2, Informative)
A real server wouldn't be running Mac OS X. It would be running Mac OS X Server, an entirely different product unrelated to what we're discussing here.
No IMAPS Fix? (Score:4, Informative)
Basically, the problem is that if you use Mail.app to access a remote IMAPS server, you may experience problems synchronising your mailbox. My symptoms are that the synchronisation starts but even though the subject lines appear in the list, the connection does not seem to download the message body and close down successfully. It can take several minutes/hours for it to complete, if at all.
In the interim, I'm using Thunderbird on OS X, which is OK given that I use IMAP anyway, but it's far from ideal.
Come on Apple, fix Mail.app!
Re:Also a download for Windows (Score:2, Informative)
Re:Several exploits (Score:4, Informative)
Imagine you've got a graduated cylinder, one that holds a cup of liquid. Fill it all the way up to the top. That's Linux's relationship with Unix. Linux is a file-by-file, folder-by-folder clone of Unix, all the way down to things that make no sense at all today like
There's a little bit of stuff that's been added to Linux that wasn't present in Unix, but these are basically just replacements for the various X windowing environments. As a proportion, there's very little new technology there.
On the Mac, on the other hand, there's only about a tablespoon of Unix in there. We've got the process model and some of the low-level APIs, sure. We've even got a terminal that offers Unix shells and command-line utilities. But we've stripped away massive parts of Unix --like init and the boot scripts, like cron, like
So that's why I say that Mac OS X evolved from Unix.
Why do you think we call our implementation of Unix "Darwin?"
Re:10.3.10? (Score:2, Informative)
http://cocoadevcentral.com/articles/000067.php [cocoadevcentral.com]
http://blogs.msdn.com/oldnewthing/archive/2004/02
Steve Jobs said it himself (Score:2, Informative)
http://live.macobserver.com/article/2004/06/wwdc2
Re:Can you imagine (Score:4, Informative)
Re:Several exploits (Score:5, Informative)
Clue #1.1: Root user *login* is disabled by default. The root user and processes running as root are always there.
-matthew
Re:Also a download for Windows (Score:1, Informative)
I think this release is basically to encourage other developers to use it. The fact that it was released with no fanfare would support that theory. Apple has a vested interest in seeing ZeroConf (the open standard that Bonjour implements) surpass the considerably less open UPnP system that Microsoft uses. So the answer to your question is "Not much, yet."
Your iTunes/iChat examples are a bit misleading -- ZeroConf just handles the discovery aspect (shared libraries just "appear" without entering IPs or searching the network) -- the actual communication is handled by each app itself. It isn't something you have to rewrite apps for -- it can be added to appropriate apps in a few hours.
Re:Several exploits (Score:5, Informative)
The NSA posted an OS X security guide. The NSA stated that OS X is the most secure of client OSes, particularly in its default configuration.
http://www.nsa.gov/snac/os/applemac/osx_client_final_v.1.pdf [nsa.gov]
Re:Several exploits (Score:3, Informative)
OS X Server is about as different from OS X "Client" as Windows XP is from Windows 2003 Server.
Which is to say, not a great deal.