Apple Patches Security Flaw in Terminal.app

Currawong writes "Apple has posted Security Update 2002-09-20 for Mac OS X 10.2 and above in Software Update, fixing a security hole in Terminal.app which could 'allow an attacker to remotely execute arbitrary commands on the user's system.' Apple also has a useful page listing all the security updates with a short summary and links to what they patch."

Apple patch installation?

[Jouni]

Not knowing much about 10.2, how do they handle severe security patches like this? Are users automagically adviced to install or is there an "OS update" type page they need to visit frequently?

Just curious.

Jouni

Re:Apple patch installation?

[xTina]

It is done via the Software Update application. This app checks in certain intervals (default weekly) if new updates are available and lets the user choose the updates to install. Most updates are also available for download from Apple's website. Apple provides a security mailing list which will alert you to security updates. Since summer, all updates are signed and the signature is being checked by Software Update before installing.

The test of this problem:

[Anonymous Coward]

I found this bug 2002/09/20, and start to make report for Apple.
In fortunate thing, Apple fixed this bug and begin to distribute updater.
Since Apple fixed this serious bug, I decided to open to the public.

This is very serious security bug.
All Jaguar user should update immediately.
I prepared the test easy here.
If link below is clicked, a Terminal will start and "ls -la" command will be executed by your authority.
telnet://|ls -la [ls-la]

Your use of updater vanishes this brittleness.

name:Taiyo FUJII
E-Mail:taiyo@vinet.or.jp
Sorry, I don't have slashdot account.

Re:The test of this problem:

[Farley Mullet]

I'm running 10.2, I downloaded the patch last night, and it looks like it works. I clicked the link in the parent, and here's the Terminal.app output:

ls-la: No address associated with nodename
[Process exited - exit code 1]

Re:The test of this problem:

[Karma Sink]

Actually, I just clicked the link on multiple unpatched machines running OS X 10.2.1. The machine tried telneting to ls -la, to no effect. However, after giving it a good look, this is only because your link does not include the pipe. This is a pretty dangerous exploit, and could easily be changed to rm -rf * rather than a simple ls.

It's a damned good thing that Apple is so quick on the draw with security fixes...

Re:The test of this problem:

[Phroggy]

Verified that before the patch, typing telnet://|ls%20-la in Internet Explorer's address bar gives me a directory listing, and after the patch it's fixed by turning the | into %7C which doesn't work. I couldn't get it to work by clicking your link though, or in Mozilla.

Also verified that it launched in two bounces before the patch and one bounce after, on my 700MHz G4 eMac.

The changes to Terminal.app

[Paladeen]

This update replaces the entire Terminal.app.

It is now 528kb in size, as opposed to the previous 439kb.

I've also noticed that it launches noticably faster after the update. Perhaps Apple added some tweaks in addition to the security changes.

(no, it isn't the updated prebindings. I just did that myself this morning).

Re:The changes to Terminal.app

[odenshaw]

It does seems to open much faster. it used to bounce three or four times, now its on in two.

Re:The changes to Terminal.app

[SlamMan]

Hye, you right! It does open in 2 bounces now. Sweet! It doesn't take much to brighten up my day when i have to work on a Saturday.

Re:The changes to Terminal.app

[c13v3rm0nk3y]

I concur. It launches for me in a single bounce. Cool.

Re:The changes to Terminal.app

[Anonymous Coward]

I assure you that no changes were made to the program, apart from a minimal fix of the bug.

They didn't even remove the superflous NSLog's (console debugging output) even though they knew about them, since they wanted to touch as little as possible.

Re:The changes to Terminal.app

[c13v3rm0nk3y]

I assure you that no changes were made to the program, apart from a minimal fix of the bug.

This sounds reasonable. The launch speeds I see may have just been one of those things 10.2 improved that I hadn't noticed yet. Nice to have instant terminals, though.

Since Jaguar, I've done nothing but shamelessly gloat about how cool OS X is.

Re:The changes to Terminal.app

[the way, what're you]

I concur. It launches for me in a single bounce. Cool.

I see a marketing opportunity here:

Faster than a speeding bullet! More powerful than a locomotive! Able to launch terminals in a single bounce! It's a bird! It's a plane! No, it's Mac OS X 10.2!!!

Re:The changes to Terminal.app

[nevershower]

>(no, it isn't the updated prebindings. I just did that myself this morning).

IIRC, you don't need to manually update prebindings anymore. It's done automatically on a weekly basis.

Re:The changes to Terminal.app

[norwoodites]

not on a weekly basis but automatic when you launch the program and if it needs it, the dynamic library loader (dylib) will automatically do it for you, so the ext time it will launch faster.

This is from reading the sources of dylib and the release notes of cctools which contains the sources.

Re:The changes to Terminal.app

[monolith25]

You can verify that this is happening by looking for 'fix_prebinding' in the process tree after you start up an app that needs prebinding.

Re:The changes to Terminal.app

[DavidRavenMoon]

(no, it isn't the updated prebindings. I just did that myself this morning).

I believe Jaguar updates prebindings automatically now at boot time.

When I was running an old version of Classic Spy, OS X would write a log saying it couldn't update prebinding when I started up.

Re:its sad

[jtdubs]

Simple solution.

Use the Mac like it's supposed to be used, not like a damned windows box.

When you close a terminal window, use Apple+W, NOT Apple+Q. Mac's are document-based, not application-based. Close the window, not the terminal app.

Now, when you click on the terminal again it will open up a new window in a fraction of the time.

Justin Dubs

Re:its sad

[theNeophile]

By that logic, I should start every application on boot but without open documents so that new windows open faster.

Yes, if you open a new shell often enough to bitch about a .5 second difference, you should leave it open all the time.

Re:its sad

[plastik55]

If Macs are "document-based" then how come the behavior of clciing the Terminal icon depends on the state of the application?

If Terminal is closed or has no open windows, clicking on it starts a new terminal.

If Terminal has windows open, clicking on it brings those windows forward.

If Terminal has windows open but they are minimized, clicking on it has no apparent effect other than changing your menubar.

"Document-based," Ha. That's a good one.

Re:its sad

[Van Halen]

That's fine if you're the only person who uses the machine. But when you share with someone else (my wife in my case), you find yourself logging in and out at least once a day, if not more. Waiting for everything to start up again each time can be a real drag if it takes more than a second or two per app. Especially when it's something as simple as Terminal, which by all accounts should open more or less instantaneously.

But then again, an iBook with Airport is high on our Christmas wishlist, so perhaps this won't be a problem in the future. Instead of fighting over who gets to use the PowerMac, we'll fight over who gets to roam around the house instead of being chained to the desk. ;-)

Re:its sad

[dcstimm]

what do you mean? Linux developers have came up with alot of cool stuff. Like highlighting the text to copy then just middle clicking to paste. Of course you can do this on bsd or anything that runs X but its still cool. And we have based the desktops around it. No more need to right click to bring up a menu to copy/paste. also in X you can have a active window behind another window. this comes in handy when you are trying to look at both windows at the same time and so one doesnt cover the other. (you do this by right clicking on the window behind the main window to focus on it).

As for the way the desktop looks, thats a personal preference. Do you really think kde/gnome and linux distros really ship with aqua themes?

I like the macosx look and If I can have that look emulated on my free linux box, then thats a bonus.

Linux is completely customizable, you can change everything about the desktop, kde and gnome are very flexable. If you dont like something you can pull the src apart and change it. (I wrote a couple patches my self because I like to use the mouse scroll to shade and unshade windows on the top bar)

We have also made our own freetype fonts. So we dont have to steal them from microsoft. But we can also install the microsoft fonts if we want our desktop to look like a windows box.

Linux developers are very innovative we have more updates and enhancements than macosx and windows put together.

Yes somethings need improvement, but thats what you get when the developers are not being paid.

I would like to see more fluid movement when moving windows across the desktop. Gnome 2.0.2 has really improved it, but its still nowhere as smooth as macosx.

(this probably has something to do with Xfree86)

Linux does have apps like itunes and dreamweaver and even microsoft word. One stop at freshmeat and you will find everything you need.

A good Itunes replacement would be xmms, yes its a clone of winamp, but there is nothing wrong with that, FREE THEMES!

A good replacemnt for dreamweaver would be hotdog, yes the name sounds kinda crude but its very useable and very fast. Reminds me alot of dreamweaver.

And a good replacement for MSword is Abiword or kword, or openoffice. Any One of these will fill your needs. Abiword can read new and old docs perfectly.

Sorry to go on forever but I dont like when people say that linux developers are not innovative.

Re:its sad

[rampant mac]

what do you mean?

Yes somethings need improvement

Obviously "Spell Checker" and "Grammar" come to mind ;)

Re:its sad

[MoneyT]

Like highlighting the text to copy then just middle clicking to paste

If I recall correctly, this feature existed in the Sparc 2 which we had at our highschool which ran solaris. This is not a linux development. It may be a *NIX varient development, but not linux.

Linux is completely customizable, you can change everything about the desktop, kde and gnome are very flexable. If you dont like something you can pull the src apart and change it. (I wrote a couple patches my self because I like to use the mouse scroll to shade and unshade windows on the top bar)

All of this can be done with OS X too. You can even kill Aqua and just use it for apps that require Agua and use another windower in it's place for most of your work.

We have also made our own freetype fonts. So we dont have to steal them from microsoft. But we can also install the microsoft fonts if we want our desktop to look like a windows box.

Apple has their own fonts too, what's your point?

Linux developers are very innovative we have more updates and enhancements than macosx and windows put together

And how many of those updates were because they were nessesary to get a feature that has been availible in other OSes for a long time? Seriously, most of linux updates have just brought it closer to being comparable with the modern OSes, not major improvements.

A good Itunes replacement would be xmms, yes its a clone of winamp, but there is nothing wrong with that, FREE THEMES!

Themes don't replace functionality. You have no idea how useful something like a live search feature is untill you've become used to it iTunes is far superior to WinAMP

I will grant that linux developers are innovative and that Linux is a fun system to toy arround with, but they are no more innovative than paid programmers and sadly do make most of their software from other peoples ideas (because otherwise no one would use Linux because people are too fricken dumb to learn a new OS, but that's an entirely differnt rant)

Re:its sad

[dcstimm]

I cant use macosx because I am so used to the way my windowmanager controls windows. In macosx I really cant customize anything. For example, I like to be able to shade and unshade windows using my mouse wheel on the top bar of the window. This makes it so I dont have to minimize the window.
Apple got rid of shading the window in macosx but you can get a plugin that will allow you to get the feature back. But the plugin still wont allow you to shade and unshade using the mouse wheel.

Another thing I like to do is to move and resize windows using Alt+mouse button1 and mouse button 2. This is a must have feature for me, it makes navigating the gui alot easier on me.

So you can see that macosx cant be customized the same way linux can. If you dont like those above options in linux you can always turn them off.

As for itunes/xmms I really dont care, I just like being able ot play music. I do have one thing to say about itunes, its confusing to some people. My dad got his first computer last month, he got the new imac with the 15" lcd. He is 78 years old. He asked me if I the computer was able to play the music cds that he had (he has a couple of cds that my sister made him) I told him I can copy the cd to the harddrive so he doesnt have to put the cd in everytime (I didnt expect him to do it him self) so Once I had the music converted to mp3 I made him a play list in itunes and i showed him how to use it. It was way to much for him, he kept hitting the wrong things and nothing is marked so he had a hard time finding the correct buttons. (he didnt understand if you hold the mouse over a button that it would show the name in a pop up) TO make a long story short, he had alot of problems with itunes, it took him a while to learn, while programs like xmms are a no brainer. I really wish there was a program like winamp for macosx.

Sorry about grammar and spelling, I normally dont spell check or care about things I post on slashdot.....sorry if it bugs you.

Re:its sad

[MoneyT]

I wouldn't know specificaly, but I would be willing to bet you could get most of your costomizations from www.macosxapps.com Granted it's not a built in feature, but you have to consider that sometimes, espesialy when you're developing a system for new users. One of the big problems with Linux is the myriad of options. Sometimes you never know what to do. Linux should really have a simple GUI option, sort of like the mac OS Simple Finder option. That could potentialy bring more desktop users to the OS.

As for your father, I'm not going to assume anything before I know the exact problem because that would be rude. But from what you described, all he would need to know how to do is to start the program, press play stop and skip and quit. Is there somethign else he needed because I know all of those are clearly marked buttons.

Re:its sad

[dcstimm]

Yes to many options is a problem, but having a registry full of options is not. have you ever tried gnome 2? it has gconf-editor which has options for pretty much everything you could think of. Its not for normal users but for users that know enough to tweak things.

By default gnome/kde/windowmaker/fluxbox or whatever are very useable and have minor gui changes in their config menus which make it easier for the User.

As for my father, he would click on the wrong button by mistake, like when he wanted to double click on a song he would end up dragging it by mistake or something silly like that. Bad thing is I cant see him doing this because he always does it when I am not around.

but hopefully he will get the hang of it.

Re:its sad

[DavidRavenMoon]

I cant use macosx because I am so used to the way my windowmanager controls windows. In macosx I really cant customize anything. For example, I like to be able to shade and unshade windows using my mouse wheel on the top bar of the window. This makes it so I dont have to minimize the window. Apple got rid of shading the window in macosx but you can get a plugin that will allow you to get the feature back. But the plugin still wont allow you to shade and unshade using the mouse wheel.

So double clicking a window's title bar is too hard? I use WindowshadeX, I have it set so a double click shades the window, just as in OS 9, and the minimize button still minimizes. Are you using the mouse wheel as a button? You can do this with the software that came with the mouse. I have an MS Itellimouse Optical, and use USB Overdrive. If I wanted to I could program the wheel to do this. I have it set so when I click on the mouse wheel it opens a link in a new tab in Mozilla.

Another thing I like to do is to move and resize windows using Alt+mouse button1 and mouse button 2. This is a must have feature for me, it makes navigating the gui alot easier on me.

Once again, that's easier than dragging the window by the title bar? I can move and resize a window with one hand.

You can do a lot of customizing in OS X, you just don't seem familiar with what's available.

Re:its sad

[Cadre]

Linux developers have came up with alot of cool stuff. Like highlighting the text to copy then just middle clicking to paste. Of course you can do this on bsd or anything that runs X but its still cool.

I think you mean "XFree86 Developers" and not Linux developers. XFree86 runs on many kernels, not just Linux. The functionality they developed was not specific to Linux, it was specific to XFree86.

Linux is completely customizable, you can change everything about the desktop, kde and gnome are very flexable.

I don't mean to nitpick, but once again, you're mixing the names up. The desktop customizability is a function of XFree86 and whatever desktop manager you use, not Linux (which I'll reiterate, is a kernel).

Re:its sad

[dcstimm]

then why does linux launch it so fast?

Re:its sad

[MoneyT]

Because text OSes always launch faster than GUI OSes. Come back when you're using Gnome or KDE

Re:its sad

[dcstimm]

umm I am in gnome 2.0.2, I click on the XTERM button on my tool bar, and it pops up an "X"term. And Linux is a gui OS when in X.

Re:its sad

[dcstimm]

I use the terminal more than I use a gui based filemanager. I can do ALOT in a terminal. tab complete is one of the most usefull tools. In my eyes its alot faster than a gui. But Im sure people that have never used a terminal to its fullest would say the gui FM is better.

I also Have like 20 Terminals open at once. Makes life easier. Have you seen how much memory the terminal.app uses?

here is my handy dandy xterm:

ps aux:

0.0 0.4 xterm
cpu mem

Re:its sad

[MoneyT]

Umm, tab complete is in the OS X terminal. I don't see what the problem is? If you just want to use the text based system log in as
>console

Re:its sad

[dcstimm]

okay, yes I just stated i like using the terminal because of tab complete. (had nothing to do with macosx) And I also said I like to open ALOT of terminals So how would the >console help me?

Re:its sad

[MoneyT]

I haven't tried it and unfortunately my iBook is in the shop, but does command Fkey work in OS X for switching to virtual terminals? That would at least give you 8 terminals

Re:its sad

[dcstimm]

I like to be able to see all the terminals at once also.

Re:its sad

[MoneyT]

Are you certain that Xterm is not availible for OS X or that Fink will not compile it to OS X?

I offer some possibly helpful information here:

http://fink.sourceforge.net/doc/x11/x11.html

http://macreviewzone.com/archive/hardcider/guest re views/01/stoton/xtools.shtml

http://www.macosxapps.com/article.php?story=2002 01 10081658797

http://www.macosxapps.com/article.php?story=2001 09 07082336916

Re:its sad

[dcstimm]

I know how to launch Xdarwin in rootless mode and I know all about fink. Still the terminal.app shouldnt be that slow.

Re:its sad

[DavidRavenMoon]

I like to be able to see all the terminals at once also.

You can open as many terminals as you like in OS X. Just put their windows where you want.

Re:its sad

[Benley]

No. The fkey-virtual-terminals thing is fairly unique to x86 PC clones, as it is a result of the way text mode works on the video cards (e.g. text being passed to the video board instead of a frame buffer arrangement like most other systems). It would certainly be possible to implement similar functionality on other systems, but it wouldn't be nearly so straightforward as on PCs. Linux, in fact, has already done this - the fbcon text consoles do provide exactly this functionality using a frame buffer, so it works on sparc, ppc, etc. Sadly, OS X doesn't. Then again, I wonder how useful it would even be...

Yay Apple

[zaren]

I didn't know a thing about this exploit until I heard there was a patch for it. Not to bash or anything, but if it was MS, it would have been all over the news before the fix came out. Guess there's something to be said for being the minority player after all :)

Re:Rectal flaw

[NitroPye]

Its these ignorant people that love to keep their minds closed and keep runing sites like ihateapple.com