Apple Releases Mac OS X Patches 84
phoric writes "According to eWeek, Apple has released security patches to fix 16 'highly critical' holes, one-third of which deal with the open-source Apache web server. Several of the fixes address exploits such as the bypassing of security restrictions, spoofing, and potential DoS attacks."
Any exploits "in the wild"? (Score:4, Interesting)
Re:Any exploits "in the wild"? (Score:5, Funny)
Re:Any exploits "in the wild"? (Score:2)
Re:Any exploits "in the wild"? (Score:5, Informative)
Is anyone aware of any malware that takes advantage of the exploits?
There was a demo exploit of the Safari pop-up redirection. Anyone could have grabbed that and set up an exploit site. That one was pretty weak though. It might have been good for phishing clueless people.
Re:Any exploits "in the wild"? (Score:2, Interesting)
...oh, so you mean 99% of users on the Internet (the masses are dumb). Anything that can take advantage of clueless people is a threat in my book.
Re:Any exploits "in the wild"? (Score:2)
Nah this exploit would target the clueless 50% of the 6% that are surfing with Safari. If someone is doing a phishing scam, they are probably better off using a more pervasive exploit.
Re:Any exploits "in the wild"? (Score:3, Insightful)
Cool! (Score:5, Funny)
I've never used Software Update to apply 5.333 fixes before. This should be fun.
Re:Cool! (Score:2)
Re:Cool! (Score:2)
Now, before anyone says it... (Score:5, Informative)
0 / 16.
Every last one of them was -- and still is -- theoretical.
Do what you have to do in the name of "balanced reporting," though, eWeek.
p
Re:Now, before anyone says it... (Score:2, Insightful)
Yep... as far as you know.
Re:Now, before anyone says it... (Score:5, Interesting)
Re:Now, before anyone says it... (Score:5, Insightful)
Every last one of them was -- and still is -- theoretical.
Well, not quite. The second Safari fix had a demo exploit published. I never got it to work on my system, but several people reported it working for them. (This was a pretty minor issue possibly tricking someone into thinking a pop-up was opened by another window). As for the other exploits, I don't know of any being leveraged either by a hacker or a worm, but that does not mean they were not found by anyone. The tiff and postscript overflows, for example, are not too different from exploits on windows and someone may have been using them.
This patch encompasses about 5 possible remote code executions most of which were discovered by the open source community or by security firms. I find it encouraging that Apple is able to leverage the OS community to help secure their system, but it seems like Apple would benefit from some more thorough security reviews internally.
Please note, I am not trying to pick on OSX here. OSX has an excellent security record, and I would trust it more than Windows or the average Linux distribution at this point. Eweek's coverage was not too bad, they mentioned them as potential vulnerabilities. I could have done without Secunia's 2 cents, and it might have been nice if they had emphasized that even with these vulnerabilities unpatched, there is little practical danger to the average user. All in all though, I did not think the article was too bad.
Re:Now, before anyone says it... (Score:1)
Re:Now, before anyone says it... (Score:4, Interesting)
That's one serious hole. Hope they upgrade soon.
Re:Now, before anyone says it... (Score:1, Interesting)
Looks more like a vulnerability in Slashcode to me...
p
Re:Now, before anyone says it... (Score:5, Insightful)
First, Apple provides the faulty default Apache configuration that doesn't secure against this attack. No web admin should have to know intricate details of the operating system's file system to think up every single possible exploit that could come about due to idiosyncrasies in that particular system.
Two, they put in that nonstandard behavior in the first place. This is the kind of thing that gets Slashdot up in arms about Microsoft all the time. We feel all smug that OUR systems don't have all these extra features with no thoughts to security. Well, Apple added an extra feature for HFS+ to access a file's data and resource forks through
It's not surprising that it took someone this long to discover the hole, and it's been there all along. How many other applications might be out there that restrict access to files based on name, but would be fooled by using the
I really hope that everyone running an OS X web server runs this update quickly. Otherwise attackers will be able to read their scripts and other sensitive date - which they thought was blocked - and scrutinize it for bigger holes to truly exploit the systems. Yikes.
More info here [apple.com].
Re:Now, before anyone says it... (Score:2)
Re:Now, before anyone says it... (Score:2, Interesting)
All true.
Still, there's more blame to spread. "allow all, but these that we explicitly
Re:Now, before anyone says it... (Score:5, Informative)
I'll provide the link that the very helpful AC posted below [slashdot.org] in case it doesn't get modded up as I think people should see it.
More info here [apple.com].
Re:Now, before anyone says it... (Score:2)
Re:Now, before anyone says it... (Score:3, Informative)
Re:Now, before anyone says it... (Score:2, Interesting)
So would you sooner have them wait until there are threats in the wild? I would call this rather proactive.
Of course if you use your own compiled version of apache and are on top of it then you've probably patched these hole a long time ago.
MSFT says URL spoofing security a feature (Score:5, Interesting)
Just today, a MSFT IE secutity tester posted an entry on the IE Blog that dismisses the vulnerabilty. He feels that allowing web sites to display arbitrary text on the status bar is a feature and that users need to learn that they can only trust the address bar URL field, and the lock icon in the status bar. IE users need to know that "the status bar text is not helpful in making trust decisions."
I'm amazed that is the mindset of an security tester and even more amazed that he feels comfortable posting that viewpoint publicly on the IE blog. No wonder they have so many security problems!
Here is the link to the blog:
http://blogs.msdn.com/ie/archive/2004/12/0
Re:MSFT says URL spoofing security a feature (Score:5, Interesting)
This amazes you?
On the one hand, you have Apple fixing potentially exploitable holes.
One the other hand, Microsoft regularly downplays holes with "Mitigating Factors"
Nope, seems like business as usual to me.
Re:MSFT says URL spoofing security a feature (Score:1)
It is and it has been for quite some time. It's part of every major browser.
It's really *not a vulnerability* at all. Anyone who doesn't examine the address bar before entering personal information is going to get duped *anyway*.
It is no more a flaw than the alert() function. In a loop, the alert() function allows pages to prevent the browser from recieving input.
Should we disable that too?
What about a link that
Re:MSFT says URL spoofing security a feature (Score:2)
To the average user, there is a world of diference between what is displayed as part of the browser UI and the contents of a web page.
When I go to nytimes.com it is clear to me and the average user that the browser vendor is not responsible for the content of the page.
However, the average user does not expect that the web page has direct control over the browsers UI. When the browser puts up a lock icon indicating that the page is secure, we hold the browser responsible for making sure the pag
Re:MSFT says URL spoofing security a feature (Score:3, Insightful)
It was originally intended to be a feture, just some people chose to use it to cause problems. Then again, some people choose
Re:MSFT says URL spoofing security a feature (Score:2)
If something that was originally intendend to be a feature ends up a security risk and does not actually provide user benefit then that "feature" should be gotten rid of.
I'm not arguing that we get rid of Linux or other things of value. I'm not claiming that we should all unplug from the net and hide in a closet.
Re:MSFT says URL spoofing security a feature (Score:1, Interesting)
"I'm amazed that you find this an issue AT ALL. It IS NOT a security flaw."
That would be true it it was called the arbitray text bar, but it isn't, it is the status bar, it should show me the URL of the link or tell me status info. Rename to the, "Whatever the fuck people want to sho up here" bar and I would not mind as much.
Re:MSFT says URL spoofing security a feature (Score:3, Insightful)
Re:MSFT says URL spoofing security a feature (Score:4, Interesting)
Not true. Check out the Secunia test case below with IE, FireFox, and Safari. Only IE is vulnerable. FireFox and Safari do not allow the website to spoof the URL in the status field.
http://secunia.com/internet_explorer_address_bar_
Re:MSFT says URL spoofing security a feature (Score:3, Insightful)
I still find it distateful that a security expert would accept a potentially dangerous situation by trying to educate users (and expect users to know) that the status bar isn't to be trusted. Something you seem to agree with.
Thanks for the correction.
Re:MSFT says URL spoofing security a feature (Score:3, Insightful)
It's a widespread problem, this mindset, shared by lots and lots of admins, power users and people who happen to just spend too much time with their computer and thus know a teensy bit more than their neighbor...
well, it works on at least one machine (Score:4, Informative)
I, of course, cannot vouch for your sucess or failure, but no problems yet!
kudos to apple (Score:4, Insightful)
Knowledge Base Article (Score:5, Informative)
Security Update 2004-12-02 delivers a number of security enhancements and is recommended for all Macintosh users. This update includes the following components:
Apache
AppKit
HIToolbox
Kerberos
Postfix
P
Safari
Terminal
For detailed information on this Update, please visit this website: http://www.info.apple.com/kbnum/n61798
Clickable link (Score:4, Informative)
(Doh! I hit while correcting spelling in the subject.)
I don't see it... (Score:2)
Re:I don't see it... (Score:2, Informative)
BTW, the Mac OS X Downloads slashbox usually will show you any stand alone update and is really cool regardless.
Re:I don't see it... (Score:2)
I don't think it applies to System 7. :)
Seriously, I wouldn't expect to see it applied to OS <=10.1
Re:I don't see it... (Score:2)
Re:I don't see it... (Score:2)
Snappier! (Score:2, Funny)
Re:Snappier! (Score:3, Funny)
Re:Snappier! (Score:2, Funny)
Re:Snappier! (Score:2)
Re:Snappier! (Score:3, Insightful)
There would have to be code optimizations at work here.
Re:Snappier! (Score:1, Funny)
Previously, it would deactivate the first time the computer went to sleep mode, and wouldn't come back on waking.
Now we all get constant Reality Distortion - just the way we like it!
(Disclaimer: I own an iBook so I'm allowed to ridicule it.)
"Highly Critical" according to whom? (Score:5, Insightful)
Apple has not described these as "highly critical" to my knowledge.
That label has been applied by Secunia [secunia.com], the Danish security company that has, in the past, gotten press for indicating that Windows is secure and OS X isn't [techworld.com], no matter what tests [usatoday.com] might show.
The browser fixes are potentially significant, but the bulk of the others involve services that aren't even on by default, or things that most users wouldn't deal with.
Sky falling, next 10 miles.
Error? (Score:4, Interesting)
"Apple said the problem exists because its HFS+ file system handles file access in a case-sensitive way, while the Apache configuration blocks access in a case-sensitive way."
Shouldn't that be case insensitive?
Re:Error? (Score:2)
(The second instance of "case-sensitive" is correct as written.)
Re:Error? (Score:2, Funny)
For successful updates... (Score:5, Informative)
Re:For successful updates... (Score:2)
Interesting note: (Score:5, Interesting)
From the Secunia mailing list: (Score:3, Informative)
1) A vulnerability in the Apache "mod_digest_apple" authentication can be exploited by malicious people to conduct replay attacks.
2) Multiple vulnerabilities in Apache and mod_ssl can be exploited to inject potentially malicious characters into error logfiles, bypass certain security restrictions, gain escalated privileges, gain unauthorised access to other web sites, cause a DoS (Denial of Service), and potentially compromise a vulnerable system.
For more information:
SA8146
SA10789
SA11170
SA11534
SA12787
SA12898
3) A security issue in Apache results in access to ".DS_Store" files
and files starting with ".ht" not being fully blocked. The problem is that the Apache configuration blocks access in a case sensitive way, but the Apple HFS+ filesystem performs file access in a case insensitive way.
4) A security issue in Apache makes it possible to bypass the normal Apache file handlers and retrieve file data and resource fork content via HTTP. The problem is that the Apple HFS+ filesystem permits files to have multiple data streams.
5) Multiple vulnerabilities in Apache2 can be exploited by malicious people to cause a DoS or potentially compromise a system, or by malicious, local users to gain escalated privileges.
For more information:
SA12434
SA12540
6) A security issue in Appkit causes secure text fields to not enable secure input correctly in some circumstances. This allows other applications in the same window session to read the entered characters.
7) Multiple vulnerabilities in Appkit can potentially be exploited by malicious people to compromise a user's system or cause a DoS (Denial of Service).
For more information:
SA12818
8) A vulnerability in Cyrus IMAP when using Kerberos authentication can be exploited by malicious, authenticated users to access other mailboxes on the system.
9) A security issue in HIToolbox can be exploited by malicious users to quit applications in kiosk mode via a certain key combination.
10) Multiple vulnerabilities have been reported in Kerberos, where the most serious potentially can be exploited by malicious people to compromise a vulnerable system.
For more information:
SA12408
11) A vulnerability in Postfix when using CRAM-MD5 can be exploited by malicious users to send mails without being properly authenticated. The problem is that the credentials used to successfully authenticate a user can be re-used for a small time period, which can be exploited via replay attacks.
12) A vulnerability in PSNormalizer can potentially be exploited by malicious people to compromise a user's system. The vulnerability is caused due to a boundary error when converting PostScript to PDF.
13) A vulnerability in QuickTime Streaming Server can be exploited by malicious people to cause a DoS via a specially crafted DESCRIBE request.
14) A weakness in Safari can be exploited by malicious people to trick users into visiting a malicious web site by obfuscating URLs.
For more information:
SA13047
15) A vulnerability in Safari can be exploited by malicious web sites to spoof dialog boxes.
For more information:
SA12892
16) A weakness in Terminal may result in the "Secure Keyboard Entry" menu setting erroneously looking like it is active when it's not.
MAJORS PROBLEM with update! Read this! (Score:5, Informative)
On Apple Discussions, arguably the best official tech solution pages from any major computer company, a possible solution has been posted.
If the problems appear, reboot into single-user mode. Go to the
There you will find a screwed up file, 'ttys' and a backup of the same file called 'ttys.applesaved'. Overwrite the borken file by typing 'sudp cp
I was less fortunate, as the machine was the only ne at home so I never ot to read the advice. I did archive and reinstall, it worked surprisingly well. I have done this under Windows, and lost all settings ang programs. When the 10.3 system was in, even my desktop icons were right where I left them. I did another updated and it worked swell!
Re:MAJORS PROBLEM with update! Read this! (Score:3, Informative)
No need to use sudo in single user mode. You are already root.
Re:MAJORS PROBLEM with update! Read this! (Score:2)
For MacOS X users who customise their httpd.conf (Score:5, Informative)
Two of the vulnerabilities reported [apple.com] attempt to modify the
configuration file used by Apache 1.3.Those MacOS X users (like me) who manually reconfigure their Apache configuration should note that the update (sensibly) will not modify a customised httpd.conf. If you fit into this category you should read the advice [apple.com] posted by Apple on how to manually update your httpd.conf to ensure your Apache is not serving up content which should not be available.
Re:For MacOS X users who customise their httpd.con (Score:2, Informative)
Oops... my mistake: Two of the vulnerabilities reported attempt to modify the...
What I meant to say was: The fixes for two of the vulnerabilities reported attempt to modify the...
My apologies...
Re:For MacOS X users who customise their httpd.con (Score:3, Informative)
I'm not sure what the circumstances are that prevent modification. I assume it would have something to do with whether or not you'd manually modified the specific section that contained the vulner
Dear Steve Jobs: retire HFS+ for Chrissakes! (Score:2, Interesting)