
Apple Release Mega Patch to Fix 19 Flaws

Posted by CmdrTaco
from the i-got-yer-patch-right-here dept.
maotx writes "Apple has released a mega-patch that fixes 19 flaws in Mac OS X v10.3.9. The updates include several fixes for remote and local root exploits. The change log can be found here. You can download the updates using the Software Update Program or directly from Apple Downloads."
  • 10.3.10? (Score:5, Funny)

    by avalys (221114) on Thursday May 05, 2005 @03:55PM (#12444834)
    Why not just call it 10.3.10?
    • Re:10.3.10? (Score:5, Informative)

      by LEgregius (550408) on Thursday May 05, 2005 @03:58PM (#12444870) Homepage
      Apple has always separated security updates from OS updates. I guess it's just a matter of habit.
      • Re:10.3.10? (Score:5, Informative)

        by remahl (698283) on Thursday May 05, 2005 @04:01PM (#12444910)
        No, there is very solid reasoning behind doing so.

        A security update should have a very low threshold for installation. An admin should be able to apply it feeling somewhat confident it is not going to break anything important. Of course, on critical systems "somewhat" is not enough so it may still require some testing.

        Point being, a security update should be lightweight to encourage quick adoption.

        As an aside, Apple "violated" this express policy and included a few security updates with 10.3.9. That update turned out to break things for a lot of people, therefore people held off installing it. During that time, they were subjected to published vulnerabilities.
        • Re:10.3.10? (Score:4, Insightful)

          by hitchhikerjim (152744) on Thursday May 05, 2005 @05:30PM (#12445912)
          Worse -- they only release security patches for the latest-and-greatest. Notice that this patch is only for 10.3.9. If you stayed back at 10.3.8 because you wanted Mail.app to keep working with SSL connections (10.3.9 broke that), you're out of luck.

          Wish they'd start behaving like a real OS company and release security patches for every 'supported' version instead of trying to drive upgrades with them.
  • silly taco (Score:5, Informative)

    by Anonymous Coward on Thursday May 05, 2005 @03:55PM (#12444835)
    it was a 6 mb security release from 2 days ago.
  • But the linked article doesn't make that clear.

    Crow T. Trollbot

  • Several exploits (Score:4, Insightful)

    by m50d (797211) on Thursday May 05, 2005 @03:56PM (#12444849) Homepage Journal
    Firstly, remote root should never happen. Secondly, what were they doing leaving all these exploits open? I appreciate that a mega-patch may be easier to install, but vulnerabilities need to be patched immediately.
    • so would you rather have 19 single downloaded patches?

      the time from discovery to fix was relatively short.

      They decided to put them all in a single patch.
      • Re:Several exploits (Score:5, Informative)

        by remahl (698283) on Thursday May 05, 2005 @04:23PM (#12445191)
        the time from discovery to fix was relatively short.

        Oh [secunia.com] (three months) really [secunia.com] (5 months)?

  • While I think... (Score:4, Interesting)

    by Landak (798221) <Landak@gmail.com> on Thursday May 05, 2005 @03:56PM (#12444852) Homepage
    While it's certainly worthy of comment that there have been so many things requiring patches, I think it's also worthy of note that apple does actually patch them quite well. I hadn't come across any of these obscure vulnerabilities, but I'm sure they're there - I'm just glad to see apple fixing them - and, it has to be said, giving credit where it's due (Thanks to $NAME for bringing this to our attention, etc)
    • by IamTheRealMike (537420) <mike@plan99.net> on Thursday May 05, 2005 @04:01PM (#12444899) Homepage
      It's worth noting that Microsoft does exactly the same thing. Presumably you find that worthy of note also?
      • Re:While I think... (Score:5, Interesting)

        by MobyDisk (75490) on Thursday May 05, 2005 @04:16PM (#12445096) Homepage
        You are right. And as far as I know, MS was one of the first.

        I just wish Microsoft better documented what is in their patches. Sometimes they say that it fixes an exploit, but doesn't say which part of that 50MB download is for that exploit. Or exactly what the exploit was. If I recall, they've even sued people for publishing the exploit!

        And if I may put on my tin foil hat here, I've noticed that some MS patches do surreptitious things. For example, several Win2k patches connected to a 3rd party server, by IP address since it had no DNS entry, and made and HTTP request. When my firewall denied the connection, the patch refused to install. No problem! I connected to that server myself to see what it is. As soon as I enter an HTTP GET, it immediately disconnects me. Hmmmmmmm!? Why does an MS patch connect to a mysterious server with no DNS record that goes to extra lengths to hide other connections?

        Sometimes this hat feels kinda comfy.
          Microsoft find and patch a lot of exploits as they do internal audits. These fixes are discovered by themselves, so they aren't documented, to extend the length of time it takes before black hats create exploits for them. The patches are sometimes intentionally obfuscated (or many combined together) to make it harder to reverse engineer them into documented exploits.

          I don't know why the patch is contacting a web server but the lack of a DNS name is not all that suspicious: it makes it impervious to hacked/

    • Re:While I think... (Score:5, Informative)

      by remahl (698283) on Thursday May 05, 2005 @04:05PM (#12444958)
      They could do a better job, I think. The product security team must be overworked. I was credited with discovery of four of the issues (more about those [remahl.se]), and I reported them in mid-February. Almost three months later, the patch is out...
    • How do you run across a vulnerability? Unless you're an elbow-deep-in-the-OS hacker, I can't think of how I'd run across a vulnerability unless it manifested itself as an ordinary bug that caused a visible fault.

      • by stevey (64018)

        People tend to go looking for them [debian.org].

        If you're a penetration tester, or work for a security firm, then publishing flaws is how you get "noticed", and how you attract new customers.

        Not many people do it for purely altruistic motives - but I guess that doesn't matter if the flaw is found and fixed.

  • Tiger? (Score:2, Funny)

    by DeathFlame (839265)

    So since tiger* is 10.4, does it get these patches as well?

    *TERMS OF USE

    The reader of these terms of use agrees not to sue me for trademark infringement for the use of 'tiger'
  • by JPelorat (5320) * on Thursday May 05, 2005 @03:57PM (#12444856)
    So are we supposed to like or dislike this so-called "mega-patch"?

    • by Anonymous Coward
      Both.
      Like because it is only 6MB to fix 19 holes.
      Dislike because they released them all at once instead of releasing a fix as they were fixed.

      You're welcome
  • 10.4.1 (Score:3, Interesting)

    by DavidLeblond (267211) <meNO@SPAMdavidleblond.com> on Thursday May 05, 2005 @03:57PM (#12444866) Homepage
    Where's the patch that fixes all the stuff that is broken in Tiger. Quicktime beachballs anyone?
  • by Enigma_Man (756516) on Thursday May 05, 2005 @03:58PM (#12444867) Homepage
    How often does Apple release patches and the like? I'm just curious to see how it compares to say Windows.

    Do they have some sort of web-interface like Windows-update, or is it a self-contained program, or is it an open thing that you can use whatever browser/program you'd like to download?

    Are there lots of little patches all the time, or just big lumps of patches like this one?

    Thanks!
    -Jesse
    • Once a month. This was one a lot bigger than average.
    • Software Update is a system tool. It can be set to check for updates daily, weekly, or monthly (IIRC).

      They do a mix of patches depending on what's needed. If there's just a small hotfix, that's what's there. If there's several unrelated fixes, they're all there. Other times it's big fixes like this. Also note that every few months they'll roll up a bunch of fixes into one big one to make it easier on people.
    • I run Software Update once a week and there's usually something getting updated.

      Software Update can be set to check for updates on your schedule: it's a preference pane (think Control Panel).

      You can also manually kick it off, or just go to apple.com and check for downloads there.

      Most patches are small. This one is larger than most.
    • It's very similar to Windows Update.

      They have a little utility that contacts the apple update site about once a week. If it finds any, it gives you a list box that you can pick and choose which items to upgrade. I usually do them all.

      Feature upgrades occur about monthly, not that I've really timed it. Security fixes are on a faster track.

    • There's an app called Software Update. [apple.com]

      If you are online, it tells you that an update is available. The update runs in a self-contained application.

    • by tomcio.s (455520) on Thursday May 05, 2005 @04:08PM (#12445004) Homepage Journal
      How often does Apple release patches and the like? I'm just curious to see how it compares to say Windows.
      -About once every 2 months we see security patch. They now name them 200x.00y (x - year, y - patch this year).
      -Software updates for apple software (non-OS related) come in about the same frequency. I usually get bugged to install something once every 2 weeks or so.
      -Software updates for apple OS (10.3.x, where x is the current update) come in about once a quarter, or so.

      All of those are voluntary upgrades.

      Do they have some sort of web-interface like Windows-update, or is it a self-contained program, or is it an open thing that you can use whatever browser/program you'd like to download?

      -There is an automated, stand alone tool to deliver them.
      -They get posted as downloads to their site (apple.com) with documentation, description, etc.
      -Sometimes, multiple patches get rolled into an 'uber' patch, if you are installing (upgrading) from previous release of the os to current (not on the release day). Apple also re-issues their OS media w/ most patches as they get posted.

      So you can use any number of ways to patch your system.

      Are there lots of little patches all the time, or just big lumps of patches like this one?

      See above. Small patches are released if they are important, as time progresses they get rolled into bigger, all inclusive patches (and still available as the small ones).

      Note, Apple also uses this mechanism to install firmware for iPods, iSights and Airport Stations - which makes upgrading your kit really convenient.

      You can set the stand alone utility to check daily/weekly, whatever, or disable it as well.
    • There's an application called Software Update that checks in the background at a schedule you set through the System Preferences application. Then, if there's an update, Software Update opens and shows you a dialog and a description of each patch or updated application, and can select or deselect updates via checkboxes. You can also disable updates so they never show up again (for example, I've disabled the iSight update because I don't have Apple's webcam).

      Just click Install and it grabs and installs a

    • How often does Apple release patches and the like?
      Pretty often. But as with some other large companies, sometimes they drag their feet if they don't feel that it is a priority.

      Do they have some sort of web-interface like Windows-update, or is it a self-contained program

      It's a self-contained program run from the System Preferences page. It downloads, installs, optimizes and then, if necessary, reboots. It runs automatically by default so you really don't need to worry about it. It checks once a week
    • How often does Apple release patches and the like?

      Security patches are about one a month. They also issue other bugfixes every couple of months.

      Do they have some sort of web-interface like Windows-update...

      They have a Web page that lists all the updates as they are released and provides downloads. It works in every browser I have tried.

      or is it a self-contained program

      OS X also has an application that automatically checks for updates on whatever schedule you set and will download them automatical

    • How often does Apple release patches and the like? I'm just curious to see how it compares to say Windows.
      Apple has a couple of flavors of updates. Their Security Updates [apple.com] are issued once every few weeks (monthly perhaps) and contain just that, security related patches. May 3 was Security Update 2005-005 [apple.com] - the fifth in as many months.

      Other updates come in the form of point releases (10.3.8 -> 10.3.9 [apple.com] for instance). They include any Security Updates that might have occured and gracefully manage upda
    • An example: (Score:3, Informative)

      by David Rolfe (38)
      I should note that you can also run SoftwareUpdate from the command line (e.g., SoftwareUpdate --install --req to get everything critical, it approximates that warm fuzzy you get from running apt-get :).

      Here's an example of update type and frequency from my log. Note, I installed Panther on a fresh hard-drive on 4-20 there :-) So frequency of updates should be noted only after that date.

      Also note that this article isn't news (Thanks The Register) as most of us downloaded this 6 meg update days ago. I was
  • by aapold (753705) on Thursday May 05, 2005 @03:59PM (#12444878) Homepage Journal
    Windows patches more stuff in a couple weeks than other OS's patch in an entire year!
  • by winkydink (650484) * <sv.dude@gmail.com> on Thursday May 05, 2005 @03:59PM (#12444884) Homepage Journal
    Welcome to our world.
  • Though I support all software vendors issuing quality products the first go round, I recognize QA cannot catch every issue and I find it cause for minor celebration when Microsoft, Apple, the FOSS community, or any developer for that matter issues free patches for their work.

    This is a wonderful benefit of the Internet. No waiting for CDs in the mail. No waiting until a new version hit store shelves. I remember running a BBS with WWIV and being mailed 5.25" floppies with the latest improved and patch source
  • Beware (Score:5, Funny)

    by Aenox (874907) on Thursday May 05, 2005 @04:05PM (#12444961)
    Downloading this patch is acceptance of remote exploits existing in our beloved Mac. I for one will not be updating. Stick to your principles everyone.
  • by rsilvergun (571051) on Thursday May 05, 2005 @04:07PM (#12444986)
    ...fix 1 million flaws?
  • by deft (253558) on Thursday May 05, 2005 @04:09PM (#12445006) Homepage
    critical sideways remark about security of OS and said manufacturer.

    Oh, my bad, not MS.
  • Personally I have Tiger on my Mac that runs OS X, but it's nice to know Apple are on top of the security updates. Well, it's good to know they get them out before I had even heard of most of the security problems, which gives me a lot of faith in their development teams and debugging systems.
  • I skimmed through the change log but didn't see anything that addresses my problem. My B&W G3 will not boot by itself after the update two before this one.

    Let me allow that to sink in for a moment ..... before I repeat myself. My Mac will not boot by itself after one of the last Panther updates.

    If I have to reboot I have to hover over the keyboard and wait for the Startup "Pong" to do a PRAM flash, second "Pong" and the system starts just fine. If I don't do that the screen goes black and the sys

  • by remahl (698283) on Thursday May 05, 2005 @04:17PM (#12445111)
    I'm just happy one of the issues I reported was assigned CVE "CAN-2005-1337" ;-). Must have been my lucky day.
  • by line.at.infinity (707997) on Thursday May 05, 2005 @04:19PM (#12445143) Homepage Journal
    Apple has also released Bonjour for Windows [apple.com] (05/05/05). Bonjour, formerly known as Rendezvous, also known as zero-configuration networking.
  • by Silas (35023) on Thursday May 05, 2005 @04:23PM (#12445192) Homepage
    You guys are still using 10.3.9? That's, like, soooo one week ago.
  • A nice balance (Score:4, Insightful)

    by aberkvam (109205) <(moc.euqreb) (ta) (mavkreba)> on Thursday May 05, 2005 @04:37PM (#12445344) Homepage
    This is Security Update 2005-005. That means that it is the fifth security update that Apple has offered in 2005. (Not to mention the 10.3.8 and 10.3.9 updates which also included security fixes.) (Apple has a list of all their 2005 security updates [apple.com].) These updates come out roughly once a month and usually are several security fixes rolled up into one.

    Some people are posting and saying that Apple should release each update as soon as they patch it. This would be about one security update per day. Most users would probably find having to install a patch every day to be rather annoying. They probably would wait until a number of them had built up anyway. They might even turn off updating altogether.

    Besides, many of these security holes are only theoretical. If there are no exploits of them, does it really matter if the patch is delayed a few weeks?

    I think Apple is striking a nice balance between endless daily updates and waiting for major OS updates every 18 months.

  • by Martin Blank (154261) on Thursday May 05, 2005 @04:57PM (#12445582) Journal
    Apple Release Mega Patch to Fix 19 Flaws

    Slashdot Editor Grammar Still Not Get Better
  • No IMAPS Fix? (Score:4, Informative)

    by tyagiUK (625047) on Thursday May 05, 2005 @05:18PM (#12445786) Homepage
    Since Apple broke IMAPS support in the 10.3.9 release, it would have been nice to see a fix in this patch.

    Basically, the problem is that if you use Mail.app to access a remote IMAPS server, you may experience problems synchronising your mailbox. My symptoms are that the synchronisation starts but even though the subject lines appear in the list, the connection does not seem to download the message body and close down successfully. It can take several minutes/hours for it to complete, if at all.

    In the interim, I'm using Thunderbird on OS X, which is OK given that I use IMAP anyway, but it's far from ideal.

    Come on Apple, fix Mail.app!
  • Yellow journalism (Score:5, Insightful)

    by John Newman (444192) on Thursday May 05, 2005 @05:25PM (#12445868)
    I know The Register is The Register, but "mega-patch"? "A service pack in all but name"? Gimme a break. It is the biggest single Security Update Apple's released so far, but barely. 2005-003 had 12 patches, 2004-09-07 had 15 patches, and 2004-12-02 had 17 patches. This one has 19? BFD.

    Was it really necessary to echo The Register's ridiculous hyperbole in the article title?
