Apple Releases Mega Patch to Fix 19 Flaws
maotx writes "Apple has released a mega-patch that fixes 19 flaws in Mac OS X v10.3.9. The updates include several fixes for remote and local root exploits. The change log can be found here. You can download the updates using the Software Update Program or directly from Apple Downloads."
While I think... (Score:4, Interesting)
10.4.1 (Score:3, Interesting)
A non-apple user has some questions: (Score:3, Interesting)
Do they have some sort of web-interface like Windows-update, or is it a self-contained program, or is it an open thing that you can use whatever browser/program you'd like to download?
Are there lots of little patches all the time, or just big lumps of patches like this one?
Thanks!
-Jesse
Re:While I think... (Score:5, Interesting)
I just wish Microsoft better documented what is in their patches. Sometimes they say that it fixes an exploit, but don't say which part of that 50MB download is for that exploit, or exactly what the exploit was. If I recall, they've even sued people for publishing the exploit!
And if I may put on my tin foil hat here, I've noticed that some MS patches do surreptitious things. For example, several Win2k patches connected to a 3rd party server, by IP address since it had no DNS entry, and made an HTTP request. When my firewall denied the connection, the patch refused to install. No problem! I connected to that server myself to see what it is. As soon as I enter an HTTP GET, it immediately disconnects me. Hmmmmmmm!? Why does an MS patch connect to a mysterious server with no DNS record that goes to extra lengths to hide other connections?
Sometimes this hat feels kinda comfy.
Re:Several exploits (Score:2, Interesting)
1) Remote root vulnerability exists for a long time.
2) If there are a large number of machines with this vulnerability, then it is worth exploiting.
3) Most Macs have this vulnerability.
4) If Macs had a large marketshare, this "most" would correspond to (in absolute terms) a large amount of machines, and so something worth exploiting.
5) Huge bunch of Macs are rooted. Mac OS users have a false sense of security, so do not realise it.
6) ...
7) People who want botnets profit!
Re:10.4.1 (Score:3, Interesting)
I don't know about waiting for 10.4.3, but definitely wait for 10.4.1. My co-worker installed Tiger and is having a hell of a time with it. Safari2 crashes much more often than 1.3 did, and his iChat will crash whenever an iChat from Panther sends him a message (and it displays my messages from Gaim in Black text on a Black background). He's had to install AOL's AIM just to talk with his co-workers.
Tiger is probably the buggiest OS that Apple has put out since 10.0. MacNN has a 500-comment thread going on Tiger bugs. Plus it breaks a lot of 3rd party apps. Cisco VPN for example.
I can't believe how much shit MS got for breaking a few apps with SP2, when Tiger broke sooo much more.
Re:Several exploits (Score:2, Interesting)
Apple doesn't wait months to fix vulnerabilities
Mac OS X doesn't have the structural vulnerabilities of Windows/IE/Office - e.g., ActiveX
from change log re VPN update
"This issue cannot be exploited remotely"
that's the only update that mentions root user
(ok, semantics)
ergo, assuming equal size user base, Apple's quicker response time and more secure architecture would result in less 'root' compromises
your points? your post is an unsubstantiated assertion.
Re:Several exploits (Score:3, Interesting)
Joe Faculty may turn on services, fixes applicable (Score:2, Interesting)
On this subject, last year I answered a query raised during a Chronicle of Higher Education colloquy. I believe it touches on the major issues here
Your premise is severely flawed. While "Joe User" may never turn these services on, "Joe Faculty" is somewhat likely to do so. The University's point that exploits do exist is completely valid. Then add to this the fact that a University environment is an extremely hostile environment; trojans abound, some possibly even in source code submitted with assignments. Don't assume the submitter did this intentionally, someone may have gained access to his/her account. As a student I never got a copy of a class roll, tried first and last names as passwords, got into 1/3 of the accounts, but I'm sure someone out there has.
Re:Several exploits (Score:1, Interesting)
Spoken like somebody who has never used or even looked closely at OS X.
Spoken like someone who has no clue.
You can't kick off a process as root unless you first go into the NetInfo Manager and enable the root user. Period.
Oh yes I can. From a command prompt:
sudo su -
I now have a root shell without having "enabled" root.
Regardless there are a number of processes that run as root by default. From a command prompt:
ps -aux | grep root
will list them.
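A small added example (mine, not from the thread) of the check the `ps -aux | grep root` one-liner approximates. It assumes the column layout printed by `ps -axo user,pid,comm` and runs over a constructed sample rather than a live process list. The point it shows: `grep root` matches the string anywhere on the line, so it also picks up commands or usernames that merely contain "root"; testing the USER column exactly does not.

```python
# Constructed sample in the layout of `ps -axo user,pid,comm`; not captured
# from a real machine. Process names and users are made up for the example.
SAMPLE_PS = """\
USER      PID COMM
root        1 /sbin/launchd
root       45 /usr/sbin/syslogd
alice     210 /usr/libexec/root-helper
_mdnsresponder 86 /usr/sbin/mDNSResponder
alice     300 /Applications/Safari.app/Contents/MacOS/Safari
rootbeer  412 /usr/local/bin/brewd
"""


def parse_ps(text):
    """Parse header-led `ps -axo user,pid,comm` output into (user, pid, comm) tuples.

    COMM may contain spaces, so only the first two fields are split off.
    """
    rows = []
    for line in text.strip().splitlines()[1:]:  # skip the USER PID COMM header
        user, pid, comm = line.split(None, 2)
        rows.append((user, int(pid), comm))
    return rows


def processes_running_as(text, user="root"):
    """Exact match on the USER column: processes that actually run as `user`."""
    return [row for row in parse_ps(text) if row[0] == user]


def grep_root_lines(text):
    """What `| grep root` really does: a substring match anywhere on the line."""
    return [line for line in text.strip().splitlines()[1:] if "root" in line]


if __name__ == "__main__":
    for user, pid, comm in processes_running_as(SAMPLE_PS):
        print(f"{pid:>6} {comm}")
    print("grep would have matched", len(grep_root_lines(SAMPLE_PS)), "lines")
```

On the sample, the exact-column check returns the two real root processes while the substring match returns four lines; on a real system the difference is the same class of false positive, plus whatever `grep` itself contributes to the listing.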
Re:Several exploits (Score:1, Interesting)
How is it "WRONG"?
Apache is far more popular than IIS.
The statement "Apache is far more popular than IIS" is very misleading with respect to malware. Such a generic reference may be valid. However, malware is very implementation specific. Since Apache runs on a very wide variety of operating systems (Linux (all the hundreds if not thousands of versions), IRIX, AIX, HP/UX, and even Windows) running on a very wide variety of hardware (x86, Sparc, MIPS, Alpha, Itanium) with two major code forks (1.x and 2.x), and who knows how many minor versions, a generic use of the term "Apache" is very misleading. Contrast this with IIS, which is limited to a very narrow set of operating systems (Windows) and a very narrow set of hardware (essentially x86) with a very limited code base (4.0, 5.0, and 6.0). Thus which "version" of Apache has more market share than IIS?
Also I'll bet dollars to doughnuts that you're getting your marketshare info from Netcraft. Is that really a true reflection of the popularity of the two web servers? Netcraft measures only Internet facing web servers.
IIS servers get pwn3d a hell of a lot more often.
People keep saying this yet I've seen no facts to support it. Perhaps you'll be the first to present them (though I won't hold my breath).
Re:While I think... (Score:3, Interesting)
I don't know why the patch is contacting a web server but the lack of a DNS name is not all that suspicious: it makes it impervious to hacked/poisoned DNS servers.
Re:Several exploits (Score:5, Interesting)
Re:Several exploits (Score:2, Interesting)
From a technical standpoint, they're 99.44% Same Damn Code, with some more server-oriented applications bundled in with the Server version.
So, yes, they're different products with a different set of features. (An uncharitable person might observe that the non-Server version is simply hamstrung, but that's very common in this industry, and therefore irrelevant).
I'm not sure why you're trying to draw strong technical distinctions between the two. Under the hood, they're not very different...
Re:10.4.1 (Score:1, Interesting)
Bluetooth vulnerability on by default (Score:3, Interesting)
Did you read the vulnerabilities fixed in this patch? There is a (potential) Bluetooth vulnerability (on by default!) that allows remote users to view the contents of your hard drive, and maybe even upload files to anywhere on your hard drive.
Read below:
Bluetooth
Impact: Bluetooth-enabled systems may allow file exchange without prompting users
Description: The Bluetooth file exchange service is enabled by default on systems with Bluetooth capability.
Bluetooth
Impact: Directory traversal via Bluetooth file and object exchange
Description: Due to insufficient input checking, the Bluetooth file and object exchange services could be used to access files outside of the default file exchange directory.
from here [apple.com]
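An added example, not Apple's code and not taken from the advisory quoted above, of the bug class the second entry describes: a file-exchange service resolving a client-supplied name against its exchange directory without checking that the result stays inside it. `naive_resolve` is the unsafe pattern; `safe_resolve` is the check a practitioner would want, covering `..` components, absolute names and symlinks that point out of the directory. Directory names, file contents and the `demo()` layout are all constructed for the example.

```python
import os
import tempfile


def naive_resolve(base, requested):
    """Unsafe pattern: join the client-supplied name onto the exchange directory
    and trust the result. '..' components and absolute names both escape base."""
    return os.path.join(base, requested)


def safe_resolve(base, requested):
    """Return the real path for `requested` only if it stays inside `base`;
    raise PermissionError otherwise."""
    base_real = os.path.realpath(base)
    if os.path.isabs(requested):
        # os.path.join discards base entirely when the second argument is absolute.
        raise PermissionError(f"absolute name rejected: {requested!r}")
    candidate = os.path.realpath(os.path.join(base_real, requested))
    # realpath has collapsed '..' and followed symlinks, so a prefix test on the
    # normalised path is sound. commonpath is component-aware, unlike
    # str.startswith, so "/srv/exchange2" is not mistaken for "/srv/exchange".
    if os.path.commonpath([base_real, candidate]) != base_real:
        raise PermissionError(f"name escapes exchange directory: {requested!r}")
    return candidate


def is_confined(base, requested):
    """True if safe_resolve would serve the name, False if it rejects it."""
    try:
        safe_resolve(base, requested)
    except PermissionError:
        return False
    return True


def demo():
    """Build a throwaway layout (constructed): exchange/ holding photo.jpg,
    outside/ holding secret.txt, and a symlink exchange/link -> outside.
    Returns which requests the safe resolver accepts."""
    with tempfile.TemporaryDirectory() as tmp:
        exchange = os.path.join(tmp, "exchange")
        outside = os.path.join(tmp, "outside")
        os.makedirs(exchange)
        os.makedirs(outside)
        with open(os.path.join(exchange, "photo.jpg"), "w") as f:
            f.write("jpeg bytes (constructed)")
        with open(os.path.join(outside, "secret.txt"), "w") as f:
            f.write("not for exchange (constructed)")
        os.symlink(outside, os.path.join(exchange, "link"))
        naive_target = os.path.normpath(naive_resolve(exchange, "../outside/secret.txt"))
        return {
            "plain_file": is_confined(exchange, "photo.jpg"),
            "dotdot": is_confined(exchange, "../outside/secret.txt"),
            "symlink": is_confined(exchange, "link/secret.txt"),
            # the naive join really does land on the file outside the directory
            "naive_dotdot_target": naive_target == os.path.join(outside, "secret.txt"),
        }


if __name__ == "__main__":
    for name, accepted in demo().items():
        print(f"{name:>20}: {accepted}")
```

Two details matter in practice: the absolute-name check has to come before the join, because `os.path.join("/srv/exchange", "/etc/passwd")` silently returns `/etc/passwd`; and the comparison has to be made on `realpath` output on both sides, otherwise a symlink inside the exchange directory (or the directory itself being a symlink, as `/tmp` often is) defeats a plain string prefix test.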
Re:Several exploits (Score:3, Interesting)
We were talking about the OS. You compared removing stuff from the OS, and tossing in programs as an improvement to the OS.
My point is that almost none of the stuff you talked about has anything to do with how the OS runs. They're simply programs that run under that OS, and can be ported to Unix.
And Unix would remain Unix.
Re:Several exploits (Score:4, Interesting)
Because you're behind the curve. Whatever version of Mac OS X you're looking at pre-dates version 10.4.
The system boots in Unix, it runs init, it runs various rc scripts which start various services which then become the processes that present a graphical user interface.
Everything you said here is wrong. The system boots xnu, the Mac OS X kernel, and the kernel runs launchd. There are no rc scripts.
It has plenty of stuff in
There is, in fact, no
It uses shell scripts and Perl scripts.
So does Windows, for that matter. That criterion is obviously meaningless.
It is a Unix-like system in every way.
Only if you get practically every fact about the system wrong, evidently.
OSX, for the most part, is a set of processes and libraries, conventions and file-system layouts, with a Unix-like kernel at the heart of it.
Mac OS X is a set of processes and libraries with a Unix compatibility environment included as one small part of it. The Unix environment -- a C-language runtime supporting the various POSIX APIs -- exists alongside the Mac OS Classic virtual machine, the Core Foundation runtime, the Carbon runtime, the Cocoa Objective-C runtime and the Java runtime. Unix compatibility is just one slice of Mac OS X.
If you leave the Unix libraries and config files and executables, and take away the OSX-specific stuff, you're left with a system that is pretty much Unix.
If you leave our implementation of Unix interfaces and take away Mac OS Classic, Core Foundation, Carbon, Cocoa and Java, you're left with Darwin, which you can download for free in source or binary form.
Get it? Darwin? Evolution? Mac OS X evolved from Unix. It is not Unix.
How much of OSX is implemented in the kernel and how much is implemented in shared libraries?
That question has no meaning. None of Mac OS X is "implemented in the kernel." The kernel is just a program.
How many non-Unix non-Mach (i.e. OSX-specific) system calls are there?
Countless thousands. There are seventy-three high-level frameworks in Mac OS X 10.4 Tiger, including such monsters as Core Foundation, AppKit, Foundation, Core Audio, Core Data, IOKit, QTKit, Core Services, Quartz and Directory Service. Each of these frameworks contains hundreds or thousands of function calls or Objective-C selectors.
How much of the system runs directly under Mach instead of running as a Unix process?
Again, a meaningless question. Just because Mac OS X adopted the Unix process model doesn't mean anything at all on a Mac is a "Unix process." That's like saying anybody who speaks French is French.
I don't understand why you have such a thing about insisting that what is running on a Mac running OSX isn't "Unix-like", when it clearly is.
I never said Mac OS X doesn't resemble Unix. I have said repeatedly -- so many times now that I've lost count -- that Mac OS X has a complete Unix compatibility environment. It is evolved from Unix, derived from Unix, based in no small part on Unix. But Mac OS X is not Unix. It's far, far more than just that.
Linux is NOT a "file-by-file" clone of Unix.
Of course it is. Programs like init, rc, cron, inetd and of course all the shells and utilities are file-by-file copies of Unix, duplicating all the good stuff but also methodically and deliberately duplicating all the bad stuff too.
If I boot Linux on a root file system that has
Sorry, but I totally glazed over here. What you described is so close to my idea of navel-gazing hobbyist hell that I just couldn't handle reading it. I skipped to th