View Full Version : Mac OS X Security Update 2003-03-03




MacRumors
Mar 3, 2003, 03:44 PM
In your Software Update...Security Update 2003-03-03:

The Security Update addresses a security issue in sendmail where a remote individual could gain access and control of the system. Although sendmail is off by default in Mac OS, it is recommended that all users install this Security Update. This update also includes a newer version of OpenSSL that provides improved data confidentiality by addressing a recently-discovered security issue.

An Apple Software Update was expected (http://www.macrumors.com/pages/2003/02/20030227234459.shtml) today, but no word of Java 1.4.1 (http://www.macrumors.com/pages/2003/02/20030225181353.shtml) which was also rumored to be released today.



MacsRgr8
Mar 3, 2003, 03:47 PM
Always install security updates... even though you may not know exactly why.

rideahyperLite
Mar 3, 2003, 03:48 PM
word

Freg3000
Mar 3, 2003, 03:48 PM
These are always interesting. I rarely understand what it does, but, oh well. An update is an update. :)

gotohamish
Mar 3, 2003, 03:49 PM
can't contain myself!

testnull
Mar 3, 2003, 03:53 PM
Given that this sendmail vulnerability was just discovered recently, I doubt that this is any update you were expecting.

Just because you got an update today doesn't mean your expectation was right ;-)

blueBomber
Mar 3, 2003, 03:56 PM
definitely should get this...

jethroted
Mar 3, 2003, 04:08 PM
How could a remote individual gain access and control of your system through sendmail? Do they explain this? This doesn't make sense.

phampton81
Mar 3, 2003, 04:19 PM
By publicly stating the security issues present does anyone else think this poses a security threat of its own?

AhmedFaisal
Mar 3, 2003, 04:31 PM
Originally posted by phampton81
By publicly stating the security issues present does anyone else think this poses a security threat of its own?

It's still better than MS, who don't post security updates with information until the entire www is swamped with viruses and other exploits for the vulnerability.
My 2 cents.

Ahmed:D

gotohamish
Mar 3, 2003, 04:32 PM
Installed, restarted, rebooted, loads software update, and it's still there.

Crap.

macaca
Mar 3, 2003, 04:39 PM
does anybody have any idea how this update came about? :confused:

ryan
Mar 3, 2003, 04:42 PM
Originally posted by jethroted
How could a remote individual gain access and control of your system through sendmail? Do they explain this? This doesn't make sense.
http://www.iss.net/mktg/sendmail/sendmail.html

Mosco
Mar 3, 2003, 04:43 PM
http://www.iss.net/issEn/delivery/xforce/alertdetail.jsp?oid=21950

this alert was just released today, Apple is fast.

ryan
Mar 3, 2003, 04:44 PM
Originally posted by macaca
does anybody have any idea how this update came about? :confused:

http://www.iss.net/issEn/delivery/xforce/alertdetail.jsp?oid=21950

http://www.iss.net/

These links were taken from a Slashdot story: http://slashdot.org/article.pl?sid=03/03/03/198255&mode=nested&tid=126&tid=95&tid=172

DStaal
Mar 3, 2003, 05:03 PM
Originally posted by phampton81
By publicly stating the security issues present does anyone else think this poses a security threat of its own?

Sure, if you assume the crackers can't find security holes on their own.

If you assume they are mildly intelligent about attacking (e.g. they actively look for unknown holes), then it just raises the awareness for the public, and gets the holes patched.

Of course, there are both types of crackers, so it does raise the insecurity some, but less than giving some vendors the excuse to cover it up... *cough*Microsoft*cough*

MrMacMan
Mar 3, 2003, 05:19 PM
Originally posted by ryan
http://www.iss.net/mktg/sendmail/sendmail.html

Are you saying if I send a send-mail to someone that has it like that I can easily access their computer like in the clip?

Come on... too easy.

aharon
Mar 3, 2003, 05:47 PM
Love them updates! Love 'em!

jettredmont
Mar 3, 2003, 06:01 PM
Originally posted by phampton81
By publicly stating the security issues present does anyone else think this poses a security threat of its own?

No. Absolutely not.

Listen, if you're a hacker looking to break into systems, you'll do your homework. The sendmail vulnerability (and OpenSSL minor vulnerabilities) have been known for a few days, and hence anyone who might have the knowledge, desire, and lack of ethics to exploit them against you, I can assure you, already knows a heck of a lot more about them than you do!

Apple's SU blurb has no major details about the security flaw. If you wanted details on it, you could do a quick google search and find all sorts of information.

JBracy
Mar 3, 2003, 06:18 PM
Originally posted by gotohamish
Installed, restarted, rebooted, loads software update, and it's still there.

Crap.

Me too, but went to wash the dishes, came back Mac was asleep. I woke it up, ran SU, and it's not there any more.

Weird, but never mind.

tychay
Mar 3, 2003, 06:30 PM
Re: user who is wondering if this means "Are you saying, that if I send a send mail to someone that has it like that I can easily access their computer like in the [movie] clip?"

They are saying "yes" with a few caveats.
1. The vulnerability was discovered and patched, but there are no known exploits (meaning no software test example of this written by security or hackers).
2. Obviously if an exploit did exist, it isn't a simple e-mail. It's a piece of malicious software masquerading as an e-mail that is doing something like flooding the receiving buffer (of your mail gateway) and overwriting parts of the OS in order to gain administrator access.
3. You don't break into the computer of someone reading their e-mail. You are breaking into the e-mail gateway. This issue doesn't affect you when you pick up your mail (from say mail.mac.com), it affects the server "mail.mac.com" itself. If your machine isn't running a mail gateway, you don't have to worry. Most likely, it is not, because you probably pick up your mail from various POP or IMAP servers that aren't your Macintosh.
4. 99% of the Macs out there are immune to this vulnerability even if they don't run the update because Apple turns off sendmail by default. This is because most people don't need it (your outgoing e-mail and incoming e-mail, as mentioned above, is usually done through your corporate mailserver or Mac.com or whathaveyou). If you want to enable it (and understand it), then you can check one of many tutorials (http://www.bombich.com/mactips/sendmail.html) available on the web. Since Apple provides the software installed as part of your operating system (but turned off), it makes sense that they are obliged to ensure that software is up to date to security issues (in case you have gone through the trouble to turn on that software).
5. This is a security update inherited from vulnerabilities discovered in an open-source unix package. This doesn't mean unix is inherently less secure than other operating systems--it's just that more vulnerabilities are discovered because the code is subject to review by a lot of people. The vulnerabilities are patched quicker too (one day turnaround between when it was discovered and when the patch was at Apple is not bad at all IMO, some other operating system doesn't get around to their security vulnerabilities for months).

I hope this helps,

terry

saabmp3
Mar 3, 2003, 06:37 PM
If I'm not running 10.2.4 can I not get this update? Anybody else?

BEN

jaguarx
Mar 3, 2003, 07:38 PM
I've got the same issue as a few other people.
Install, reboot, still there.

davy the bunny
Mar 3, 2003, 08:23 PM
Originally posted by AhmedFaisal
It's still better than MS, who don't post security updates with information until the entire www is swamped with viruses and other exploits for the vulnerability.
My 2 cents.

Ahmed:D

I don't think that this statement is entirely true. . . with all of the recent big name virii (nimda, Code Red and whatever that even more current was called) it was due to bad practice of users and admins not updating their software. I should just hope that we mac users are able to trust Apple a bit more than they can trust MS and that maybe we're just a little smarter than those who choose not to update. . .

skymaXimus
Mar 3, 2003, 08:39 PM
I have 10.2.3 and the update didn't appear in my auto updates. So, I went on Apple and found the update http://www.info.apple.com/support/downloads.html when I tried to install the update it showed my drives as non-candidates for an install.
My father on the other hand has .4 installed on his Pismo and it showed the update in his auto update. I'm guessing you have to have .4

MisterMe
Mar 3, 2003, 10:11 PM
Originally posted by davy the bunny
I don't think that this statement is entirely true. . . with all of the recent big name virii (nimda, Code Red and whatever that even more current was called) it was due to bad practice of users and admins not updating their software. I should just hope that we mac users are able to trust Apple a bit more than they can trust MS and that maybe we're just a little smarter than those who choose not to update. . .

In the case of the most recent major Windows virus, even some of Microsoft's own computers were affected because they had not been patched. Despite protests by Microsoft apologists, it is not as simple as applying patches as Microsoft releases them. The choice is often to apply the patch and run the risk that the patch takes your system down, or defer running the patch and run the risk that the virus takes it down.

tychay
Mar 4, 2003, 12:31 AM
Originally posted by davy the bunny
I don't think that this statement [about Microsoft] is entirely true. . . with all of the recent big name virii (nimda, Code Red and whatever that even more current was called) it was due to bad practice of users and admins not updating their software. I should just hope that we mac users are able to trust Apple a bit more than they can trust MS and that maybe we're just a little smarter than those who choose not to update. . .

Certainly it is not entirely true, but your statement is just as misleading.

Consider that the last virus (Slammer) exploited a known vulnerability that had been patched by Microsoft in SQL server 2000 (point in your favor). However "bad practice of users and admins" is Microsoft FUD. Why? Microsoft was one of the (many) companies guilty of not applying their own patches which allowed the worm to infect. It's nearly impossible for most IT departments to keep up with the flood of patches because they introduce instability in the platform. Also consider this is Microsoft SQL Server we're talking about, now imagine IT trying to control who opens what e-mails and what features are enabled in what e-mail readers of every notebook and desktop computer used by their employees. Hmm...
Consider SQL server leaves this vulnerability (and many others) in the default install. This is common with Linux and Windows installations in which their default install is highly promiscuous. Apple's Security Update patch involves an application that is default off, and hard to turn on so most users are protected from attack even if they don't apply the patch. Note: Apple could go a bit further in terms of security in areas where they feel that the extra security causes confusion to the user (i.e. the fact that any member of the staff group can install in /Applications).
Consider that Apple's core code where most of these remote and local vulnerabilities are found (Darwin/BSD/Unix apps) is open-source. Microsoft offers a highly restrictive "shared-source" license in which if you are among the lucky few who can view it, you cannot announce any vulnerabilities you find (at all), nor can you patch them and recompile on your own computers.
Consider the numerous reports of various Windows IE vulnerabilities (and others) that weren't addressed for months after they were reported. Some were never addressed until the reporter went public many months later. Possibly some will never be addressed. We don't know.
Consider the turnaround time for the sendmail vulnerability being found to when the patch was available was one day. (Not because Apple developers are all that, and Microsoft "sux", but because the core code had already been patched by the sendmail developers and Apple simply ran ported and recompiled.)
Consider in the two cases you mention (Code Red and Nimda) and the one I did (Slammer), the affected machines are Windows not Unix. That even though a Mac user (say) is immune, their internet service dropped off the planet in all three cases because of infected Windows machines clogging the bandwidth and taking down peering points across the world.
Consider no administrator running a public web server can go a day without a scan occurring on their machine by Nimda or Code Red. Yet, that administrator is paying for that bandwidth (to their colocation/ISP/whatever).
Consider that over a year ago, Bill Gates declared security the top priority at Microsoft. Security of Windows hasn't increased one bit (because that might mean sacrificing some of the developer-centric conveniences of the OS). Instead what we've gotten by this initiative is Palladium DRM. In other words the word "security" is being co-opted to mean "security for us (and the media conglomerates), not you."


I'm not saying Microsoft "sux", I'm saying that Microsoft could do a little more to ensure their operating system (Windows) and their products (IIS, SQL Server, Outlook, Word, Excel, etc.) are a bit more secure. Whenever Microsoft had to choose between security and something else (say extensibility), security has gotten the shaft.

Critical data gets destroyed, public websites pay for others to do a distributed denial of service attack on them, internet transactions fail, websites fail or get defaced, workers sit idle while their machines are being repaired, sysadmins waste time rebuilding machines, draconian IT policies hinder productivity, money is spent on worthless Virus checkers (don't believe me? When was the last virus on the Mac?). That's a lot of wasted money and serious stuff!

Until Microsoft's attitude changes, their products represent a disproportionate danger to users of its products as well as (unfortunately) any internet-connected user or internet-enabled machine. :-(

Even if I were to forswear Microsoft products (silly) and work at keeping my machines "secure" (costly), I'll still get smashed by the "second-hand smoke" coming out of less secure machines out there. Due to a quirk of licensing, the manufacturer of software is not liable for things that they would be if the product wasn't software, creating a negative externality in our economic system, because a developer (of an operating system, application, website, whatever) has no legal incentive to think about security (which can end up being very costly). But that doesn't mean we should blame the customer. Nor does it mean that we should allow developers to be so cavalier with our computers, our information, our livelihood.

Those of us who are Microsoft customers as well as those of us who aren't should demand better and not give into myths that the current level of viruses is "simply bad practice of users or admins" or believe it when Microsoft advertises "99.999%" reliability or "security is a top concern".

Take care,

terry

burritos
Mar 4, 2003, 02:28 AM
I just installed the patch, now I'm getting error messages stating that I can't send messages because it refused to allow a connection on port 25 and can't receive messages cause it refused to allow a connection on port 110.

Shoot, everything was working fine too. Any suggestions? Help!

caveman_uk
Mar 4, 2003, 03:49 AM
Port 25 is SMTP (the mail-sending port) and port 110 is POP (mail receiving). What are your settings in the mail app you're using re servers? If you're using an external (ISP) server then patching sendmail shouldn't change how this works.

davy the bunny
Mar 4, 2003, 07:00 AM
to MisterMe:
I am definitely not a MS apologist if that's what you were trying to say and yes you do run the risk of something going wrong by installing a patch, that's part of what I was saying when I said that we could trust Apple a little more. So I definitely see your point, but I still think that end users don't care enough about their computers.

to tychay:
Well illustrated, my statement may have been somewhat misleading because you are definitely right about the risk of installing the patches and something going wrong. Instead I'll say that, in my experience with Windows Computers, if one takes enough time to learn about their system [to turn off things that may be harmful] and run regular maintenance [to check for virii] and not double-click on everything that they see then maybe you'll be as lucky as I have been up to this point and not have your system directly affected by any of these kinds of issues. But again, I'll qualify this by saying that this is only in my experience. . .

burritos
Mar 4, 2003, 09:11 AM
Must have been something wrong with the ISP servers at adelphia. This happened before, but it's weird how it happened coincidentally after I had installed the security update.

smallstuff
Mar 5, 2003, 06:47 AM
If you turned on WebDAV or other modules in Apache by modifying your httpd.conf file, this update will save your modified version as httpd.conf.applesaved and create a new one for you.

You will need to move the edits into the new file to re-establish your Apache modules.
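
An added example, not part of the original post: one way to see which active directives exist in the saved `httpd.conf.applesaved` but are missing from the newly created `httpd.conf`, so that modules or access restrictions you had configured are not silently lost. The function names, the sample file contents and the DAV lock path are constructed for illustration; the post does not give the directory, so both files are passed as arguments.

```shell
#!/bin/sh
# Added example (not from the thread). File contents below are constructed samples.

# Print a config file's active directives: whitespace trimmed, comments and
# blank lines dropped, sorted and de-duplicated so comm(1) can compare them.
active_directives() {
    sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' "$1" |
        grep -v -e '^#' -e '^$' | LC_ALL=C sort -u
}

# Print directives active in $1 (the saved config) but not in $2 (the new one).
# Output is in sorted order, not file order.
missing_directives() {
    saved_tmp=$(mktemp) || return 1
    new_tmp=$(mktemp) || { rm -f "$saved_tmp"; return 1; }
    active_directives "$1" > "$saved_tmp"
    active_directives "$2" > "$new_tmp"
    LC_ALL=C comm -23 "$saved_tmp" "$new_tmp"
    rm -f "$saved_tmp" "$new_tmp"
}

# Build two constructed sample files and compare them.
demo() {
    dir=$(mktemp -d) || return 1
    cat > "$dir/httpd.conf.applesaved" <<'EOF'
# constructed sample: config with WebDAV enabled by the admin
Port 80
LoadModule dav_module libexec/httpd/libdav.so
AddModule mod_dav.c
    DAVLockDB /tmp/example/DAVLockDB
EOF
    cat > "$dir/httpd.conf" <<'EOF'
# constructed sample: fresh config with the DAV lines commented out
Port 80
#LoadModule dav_module libexec/httpd/libdav.so
#AddModule mod_dav.c
EOF
    missing_directives "$dir/httpd.conf.applesaved" "$dir/httpd.conf"
    rm -rf "$dir"
}

demo
```

A directive that is only commented out in the new file is reported as missing, which is the case that matters after the update replaces the file.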

nicely
Mar 5, 2003, 10:15 AM
I've installed this update 3 times and restarted each time. It's still there. What's the deal? Has anyone else with this problem resolved it somehow?

davy the bunny
Mar 5, 2003, 10:32 AM
Not that I know that this will work or anything but how about trying the download rather than the direct software update.

It's here:

http://www.apple.com/downloads/macosx/apple/securityupdate.html