OS X Businesses Operating Systems Security Apple

Friday Security Fun 52

rgraham writes "Apple has released a new security update for the Safari cookie bug. 'Security Update 2003-12-05 updates Safari to prevent unauthorized access to a user's cookies.' They also updated the article on how to 'Configure Directory Access to Protect Your Mac From a Malicious DHCP Server.'" We posted that the other day, but this time, pictures!
This discussion has been archived. No new comments can be posted.

  • Cookies (Score:5, Funny)

    by Anonymous Coward on Friday December 05, 2003 @03:58PM (#7642072)
    Never hand out cookies when on a Safari!
  • That's it! (Score:3, Funny)

    by Anonymous Coward on Friday December 05, 2003 @04:03PM (#7642164)
    I'm switching to Fig Newtons.
  • Or another fix (Score:1, Interesting)

    by Doc Squidly ( 720087 )
    Just don't allow cookies. (Yes, it seems too simple)
    • "Just don't allow cookies. (Yes, it seems too simple)"

      I'll agree.

      CIRCLE GETS THE SQUARE!!
    • by Anonymous Coward
      Dude, you're logged into slashdot, which means you're allowing cookies.
    • Re:Or another fix (Score:5, Informative)

      by SillyWilly ( 692755 ) on Friday December 05, 2003 @04:59PM (#7642891) Homepage
      It has been suggested that even disabling Cookies won't help: http://www.securityfocus.com/archive/1/344992 As I understand it, this is because in Safari disabling cookies merely prevents creation of new cookies and not access to old ones. Therefore you should delete all cookies first.
    • Re:Or another fix (Score:5, Insightful)

      by prockcore ( 543967 ) on Friday December 05, 2003 @06:31PM (#7643749)
      Just don't allow cookies. (Yes, it seems too simple)

      If by "fix" you mean "break a lot of functionality on sites" then yes, that certainly is an option.
      • Re:Or another fix (Score:5, Informative)

        by Graff ( 532189 ) on Friday December 05, 2003 @09:07PM (#7644732)
        Just don't allow cookies.
        If by "fix" you mean "break a lot of functionality on sites" then yes, that certainly is an option.

        That's why I love OmniWeb. It allows you to accept cookies, but throw them out when you quit the browser. Sure I lose such nifty "features" as not having to log into some websites but I also cut ads and whatnot of the ability to track me across sites for long periods.

        Honestly, there need to be much better built-in controls on all browsers for limiting a server's access to data on your computer.
  • by cbiagini ( 728046 ) on Friday December 05, 2003 @04:35PM (#7642584)
    Along with this update, Steve Jobs announced today that OS 10.3.2 will include a small globe icon that will appear next to your system clock, helpfully reminding you that you have an update to install. While Jobs did acknowledge the fact that this feature has been in another operating system for years, he did point out that Apple's implementation will harness the power of Quartz Extreme to render fully three-dimensional, alpha-blended "Security Gnomes" that run around and patch your system twice a week. I'll still never Switch back though ;)
    • On Windows this feature is called the Start Menu.
  • Needs a reboot... (Score:4, Interesting)

    by Fulkkari ( 603331 ) on Friday December 05, 2003 @05:05PM (#7642947)

    The update needs you to reboot the computer. *sigh* Why is that? This is a web browser we're talking about. Shouldn't it be enough quitting Safari + all applications that use its content rendering engine? As far as I know, Safari isn't integrated to the OS in any way like IE to Windows, so it shouldn't be necessary to reboot the *whole* OS. On the other hand they effectively stop applications from interfering while updating and causing problems that way. Maybe it's some precautionary measure, but I don't think this should be necessary...

    BTW software updater was already automatically fetching the update in the background while I read this. It's really nice when you don't have to wait while downloading them. I don't understand what's the big fuss of letting the OS fetch updates in the background, as long as it doesn't install them. I'm not sure but I think software update does only download the important updates...

    • Re:Needs a reboot... (Score:5, Informative)

      by Rosyna ( 80334 ) on Friday December 05, 2003 @05:13PM (#7643039) Homepage
      A lot of apps use WebKit (Help, Sherlock, Safari, Mail) so it's easier to tell users to restart than to tell them to log out or to quit all those applications. A person that knows what they are doing will just force quit the installer.
    • As a side note, in Jaguar the update gives Safari v 1.0.1 not 1.1.1 as given in Panther.....annoys me a good bit.
    • I'm not sure but I think software update does only download the important updates...

      It appears as though you can not choose what software update downloads automatically. Once things are downloaded you can make them inactive (remove them from the list of available updates). You can read more here (apple.com) [apple.com]...
    • Re:Needs a reboot... (Score:5, Informative)

      by Hes Nikke ( 237581 ) on Friday December 05, 2003 @07:23PM (#7644132) Journal
      The update needs you to reboot the computer. *sigh* Why is that? This is a web browser we're talking about.

      oddly, this update isn't an update to Safari, instead, it's an update to the CoreFoundation framework!

      as the name implies, CoreFoundation is the core of all your aqua apps, or at the very least, all your cocoa apps. one of the things this framework can do is let any app that uses the framework to get data from a URL, so it would make sense that the cookie handling would be there too. yeah, in this case i'd say a reboot is absolutely called for.
      • Thanks for the info, I was wondering about that. I went ahead with the reboot, since I'd rebooted the day before and had no uptime to preserve. I'd discovered the hard way that Escape Velocity: Nova needs a Panther update..

    • Re:Needs a reboot... (Score:4, Informative)

      by Graff ( 532189 ) on Friday December 05, 2003 @09:23PM (#7644820)
      BTW software updater was already automatically fetching the update in the background while I read this. It's really nice when you don't have to wait while downloading them. I don't understand what's the big fuss of letting the OS fetch updates in the background, as long as it doesn't install them. I'm not sure but I think software update does only download the important updates...

      Yep, only critical updates are automatically downloaded and even that is optional. In fact the whole process is optional. You can tell the operating system to never check for updates on its own and you can choose to ignore updates.

      Software Update is pretty flexible and non-obtrusive. The only thing that I wish is that it had an option to allow me to register and de-register other programs for it to check. That way if the author of a program allowed it I could have Software Update automatically check for updates from him in addition to those from Apple.
      • Re:Needs a reboot... (Score:4, Informative)

        by Anonymous Coward on Saturday December 06, 2003 @01:40AM (#7646021)
        The only thing that I wish is that it had an option to allow me to register and de-register other programs for it to check. That way if the author of a program allowed it I could have Software Update automatically check for updates from him in addition to those from Apple.
        According to ThinkSecret, Apple will provide this capability in a future version of Software Update. It will be limited to select developers, but surely the API will be reenigned in no time.
    • Re:Needs a reboot... (Score:3, Informative)

      by Aqua OS X ( 458522 )
      To the user Safari doesn't appear to be integrated into the OS (like MSIE); however, it does access a lot of global system resources that other applications frequently use.

      Webkit is a fairly major one. Mail, Help, OmniWeb, etc all access this.
    • by Anonymous Coward
      Just reboot. With the uptime I get from OS X Panther these days, it's probably not a bad idea to reboot every now and then. Everyone needs a good nose blow occasionally; picking alone just won't do it.
  • Some links (Score:5, Informative)

    by blb ( 412923 ) on Friday December 05, 2003 @07:51PM (#7644289) Homepage
    The knowledgebase article for 10.2.8 [apple.com] and for 10.3.1 [apple.com].
  • by rixstep ( 611236 ) on Saturday December 06, 2003 @02:55AM (#7646321) Homepage
    'For example, not from advertisers on those sites'

    So reads the third cookie option in Safari, but it's not true. You'll find '.doubleclick.net' in there all the time, and I doubt any of you are wandering over to DoubleClick to check out the action.

    And any domain for a cookie beginning with a '.' means 'any URL in that domain' - and that is NOT just 'from sites you navigate to'.
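
Added example, not part of the comment above or of any Apple code: a small model of the leading-dot domain rule the comment describes, plus a jar audit that flags cookies whose site was never navigated to. The function names, the two-label `site()` shortcut and the sample jar are assumptions made for illustration.

```javascript
// Added example. Host names and jar contents are constructed samples.

// Leading-dot rule as described in the comment: '.example.net' covers the
// domain and every host under it; a name without the dot is host-only.
// (Current browsers ignore the dot and treat any Domain attribute this way.)
function domainMatches(requestHost, cookieDomain) {
  const host = requestHost.toLowerCase();
  const dom = cookieDomain.toLowerCase();
  if (!dom.startsWith('.')) return host === dom;
  // endsWith() on the dotted form keeps the match on a label boundary,
  // so 'notdoubleclick.net' does not match '.doubleclick.net'.
  return host === dom.slice(1) || host.endsWith(dom);
}

// Simplification (assumption): the last two labels are the "site".
// Real browsers use the Public Suffix List for names like example.co.uk.
function site(host) {
  return host.toLowerCase().replace(/^\./, '').split('.').slice(-2).join('.');
}

// A response is third-party when it comes from a different site than the
// page in the address bar, e.g. an ad image embedded in a news page.
function isThirdParty(pageHost, responseHost) {
  return site(pageHost) !== site(responseHost);
}

// Jar audit: list cookie domains whose site the user never navigated to.
function auditJar(jar, visitedHosts) {
  const visited = new Set(visitedHosts.map(site));
  return jar.filter((c) => !visited.has(site(c.domain))).map((c) => c.domain);
}

// Constructed sample data.
const SAMPLE_JAR = [
  { domain: '.doubleclick.net', name: 'id' },
  { domain: 'slashdot.org', name: 'user' },
  { domain: '.apple.com', name: 'session' },
];
const SAMPLE_VISITED = ['slashdot.org', 'www.apple.com'];

console.log(auditJar(SAMPLE_JAR, SAMPLE_VISITED));
```

The audit flags only the `.doubleclick.net` entry: it was stored by content embedded in a visited page, and the domain match means it is returned to every host under that domain.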

  • by Anonymous Coward on Saturday December 06, 2003 @03:32AM (#7646427)
    ...and the cookies only last for the current session.
