View Full Version : Mac OS X Security Update 2007-001




MacRumors
Jan 23, 2007, 03:47 PM
Apple issued a security update for Mac OS X today. The update specifically addresses a possible security flaw in Quicktime:

Impact: Visiting malicious websites may lead to arbitrary code execution

Description: A buffer overflow exists in QuickTime's handling of RTSP URLs. By enticing a user to access a maliciously-crafted RTSP URL, an attacker can trigger the buffer overflow, which may lead to arbitrary code execution.

http://docs.info.apple.com/article.html?artnum=304989


A proof of concept exploiting this bug was published (http://projects.info-pull.com/moab/MOAB-01-01-2007.html) at the Month of Apple Bugs (http://projects.info-pull.com/moab/) site.



xJulianx
Jan 23, 2007, 03:53 PM
Second Quicktime update in the past month or so...

MrCrowbar
Jan 23, 2007, 03:57 PM
5 MB update, installed, rebooted, works.

flopticalcube
Jan 23, 2007, 03:57 PM
5 minutes earlier: http://forums.macrumors.com/showthread.php?t=272897

bousozoku
Jan 23, 2007, 04:21 PM
This is from the Month of Apple Bugs business, on the second day of January.

Glad to see that they're fixing something.

Zwhaler
Jan 23, 2007, 04:22 PM
First one of 2007. Pretty cool. Well not really, but at least I feel like my computer is more safe :)

iJawn108
Jan 23, 2007, 04:25 PM
Yay! I love getting updates, it's like I'm bonding with my macbook even more. :D

BoyBach
Jan 23, 2007, 04:26 PM
Still there's no update for the iTunes/iPod error-48. :(

My Nano just doesn't want to get along with iTunes.

Kenndac
Jan 23, 2007, 04:31 PM
Still there's no update for the iTunes/iPod error-48. :(

http://docs.info.apple.com/article.html?artnum=304893

This works fine for me until they get an update out. Just set it to PST and manually bump the time to the correct one.

mkrishnan
Jan 23, 2007, 04:32 PM
Still there's no update for the iTunes/iPod error-48. :(

My Nano just doesn't want to get along with iTunes.

This is a security update...it won't do anything for anybody's iPod....

bluebomberman
Jan 23, 2007, 04:36 PM
Whatever happened to the month of Apple bugs, anyway? Was this the only (now fixed) problem they found?

BoyBach
Jan 23, 2007, 04:44 PM
http://docs.info.apple.com/article.html?artnum=304893

This works fine for me until they get an update out. Just set it to PST and manually bump the time to the correct one.


Thank you very much. :)

PDubNYC
Jan 23, 2007, 04:51 PM
Guess I can't install it, because I don't want to use the turd that is 10.4.8 (my opinion). It has caused me nothing but grief. I stick with 10.4.5 for now.

50548
Jan 23, 2007, 05:03 PM
Another flawless update for me, as usual...

TheBobcat
Jan 23, 2007, 05:03 PM
Ooooh yeah, I forgot about the Month of Apple Bugs. Hm, well, updates are spiffy and it shows Apple is on top of this I guess.

shawnce
Jan 23, 2007, 05:04 PM
Whatever happened to the month of Apple bugs, anyway? Was this the only (now fixed) problem they found?

MOAB: http://projects.info-pull.com/moab/

MOAB "fixes": http://landonf.bikemonkey.org/code/macosx/

nagromme
Jan 23, 2007, 05:15 PM
I see that the Month of "Apple" Bugs has a bunch of days with bugs in shareware like Colloquy... or with no bugs at all. (To say nothing of whether such bugs are practical to actually do harm with anyway.)

No wonder MOAB vanished from the press.

Still good to see benefits coming from the project... even if the flaws were released in the wrong way (released to crackers and the public without releasing to the vendor for a fix first).

durandel
Jan 23, 2007, 05:20 PM
Yay! I love getting updates, it's like I'm bonding with my macbook even more. :D

You must be really bonded with your Windows computer then. It must follow you around the house and sleep on the bed with you.:D

shawnce
Jan 23, 2007, 05:20 PM
I see that the Month of "Apple" Bugs has a bunch of days with bugs in shareware like Colloquy... or with no bugs at all.

They have released issues for every day of the month and yeah some have been in 3rd party software.

daneoni
Jan 23, 2007, 05:28 PM
Guess I can't install it, because I don't want to use the turd that is 10.4.8 (my opinion). It has caused me nothing but grief. I stick with 10.4.5 for now.

10.4.5?, Whoa nelly!.

iomar
Jan 23, 2007, 05:36 PM
Well, this is always welcome.. but I want my leopard.

shawnce
Jan 23, 2007, 05:46 PM
Guess I can't install it, because I don't want to use the turd that is 10.4.8 (my opinion). It has caused me nothing but grief. I stick with 10.4.5 for now.

Huh? What issues have you had with 10.4.8?

Eraserhead
Jan 23, 2007, 06:03 PM
Well, this is always welcome.. but I want my leopard.

True, but I'd prefer the OS to stay secure so we don't need Anti-Malware like windows.

PDubNYC
Jan 23, 2007, 06:11 PM
Huh? What issues have you had with 10.4.8?

so many bizarre issues, such as spontaneously quitting the finder and bringing me to the login window, must have reinstalled half a dozen times. I've seen a handful of machines with strange behavior after the upgrade, and quite a few that were fine. After 10.4.6 gave me trouble with my FullPress servers, I have found that 10.4.5 is fine for me for now.

ppnkg
Jan 23, 2007, 06:27 PM
installed, restarted, all fine here.

Benjamindaines
Jan 23, 2007, 08:35 PM
Everything seems a little sluggish after restart. Hmm...

islandman
Jan 23, 2007, 09:20 PM
Apple issued a security update for Mac OS X today. The update specifically addresses a possible security flaw in Quicktime:



A proof of concept exploiting this bug was published (http://projects.info-pull.com/moab/MOAB-01-01-2007.html) at the Month of Apple Bugs (http://projects.info-pull.com/moab/) site.

I use VLC mostly, but I updated anyway.

japanime
Jan 23, 2007, 09:27 PM
I think Safari seems a bit snappier.............:D

I wouldn't know. I still use IE. :eek: ;)

autrefois
Jan 23, 2007, 09:55 PM
I think Safari seems a bit snappier.............:D

And let me guess that you're also expecting a Powerbook G5 next Tuesday...

I don't think that news of the bugs should have been released to the public before they were released to Apple, but I'm glad Apple has come up with a fix.

YS2003
Jan 23, 2007, 10:09 PM
I am always puzzled with the posts which say there are problems with OS updates. I have not had update issues except for the Java and Security updates conflicts a while back.

CJD2112
Jan 23, 2007, 11:24 PM
I wouldn't know. I still use IE. :eek: ;)

Ooooooo, I'm backing away from that one lol ;)

killr_b
Jan 24, 2007, 12:20 AM
…snip…
Still good to see benefits coming from the project... even if the flaws were released in the wrong way (released to crackers and the public without releasing to the vendor for a fix first).

Personally I felt they released the flaws in this particular way to invite people to write malware on purpose.
We know how jealous Windows users are…

:D

Chundles
Jan 24, 2007, 12:26 AM
I use VLC mostly, but I updated anyway.

Quicktime is the underlying media architecture in OSX, you're using Quicktime pretty much all the time.

You may use VLC instead of Quicktime Player but you're using Quicktime all the time when you use OSX and should update regardless.

aLoC
Jan 24, 2007, 05:03 AM
What, you mean this update didn't cost $4.99? Surely they're breaking the law? ;)

mygoldens
Jan 24, 2007, 08:20 AM
And let me guess that you're also expecting a Powerbook G5 next Tuesday...

I don't think that news of the bugs should have been released to the public before they were released to Apple, but I'm glad Apple has come up with a fix.

They are NOT coming out with the G5 Powerbook !?!?!!

Just kidding, a little humor with the security update.....;)

morespce54
Jan 24, 2007, 11:10 AM
10.4.5?, Whoa nelly!.


I did the update but my OS still says 10.4.8... What's up with that?
Kidding ;) :D :D

Shadow
Jan 24, 2007, 12:16 PM
Perfect update here

war
Jan 24, 2007, 12:57 PM
Does this fix really have anything to do with the month of Apple bugs or does it have more to do with that quicktime/myspace problem that I read about a couple of weeks ago? (mmm, run on sentences) :D

frozencarbonite
Jan 24, 2007, 06:59 PM
Does this fix really have anything to do with the month of Apple bugs or does it have more to do with that quicktime/myspace problem that I read about a couple of weeks ago? (mmm, run on sentences) :D

Yes this update fixes the Month of Apple Bugs #1. It fixes the issue with RTSP.

The MySpace issue is Month of Apple Bugs #3. That one has to do with the HREFTrack attribute.

What I don't understand is why Apple doesn't issue the fix for MOAB #3 when they have already fixed it via MySpace.

Lyle
Jan 24, 2007, 09:43 PM
I know that it has to just be a coincidence, but after installing this update my MacBook no longer seems to have trouble going to sleep when I tell it to. Before the update, it was taking it a noticeably long time to go to sleep after I issued the command -- now it does it right away, like it used to.

bousozoku
Jan 24, 2007, 10:02 PM
I know that it has to just be a coincidence, but after installing this update my MacBook no longer seems to have trouble going to sleep when I tell it to. Before the update, it was taking it a noticeably long time to go to sleep after I issued the command -- now it does it right away, like it used to.

It seems to have fixed the problem with the Repairing Permissions finding minor issues for me. You have to wonder if they replaced anything not directly related to QuickTime.

Diatribe
Jan 25, 2007, 04:41 AM
I had hoped that MOAB at least gets some of the ignorance out of Mac users but I guess it hasn't. 19 of the 24 bugs they have found are direct Apple bugs.

They have fixed 1! now. There are still 18 Apple bugs out there of which the majority can lead to arbitrary code execution.

Apple is taking some major time to fix this stuff, considering that other people have already fixed more than half of the bugs in their spare time.

Something really has to be exploited before people wake up. Sad but true. :(

Pwoppet
Jan 25, 2007, 03:36 PM
Has anyone else found that Excel won't start, since this security update?

Both my wife (uses a MacBook Core Duo) and I (use a MacBook Pro Core 2 Duo) have had the same problems that Excel stops working. Basically, it is fine one minute and then refuses to startup, and you have to reboot to get it to work again.

I have also noticed "weird cursor things" happening. For example, sometimes, when hovering over the buttons in the toolbar of Safari, the cursor disappears. It's still fully functional, but you can't see it. If you move it back to the main window, it reappears again.

Very weird. Never had this sort of thing happen before, and I've been using Macs for years.

Benjamindaines
Jan 25, 2007, 04:04 PM
Has anyone else found that Excel won't start, since this security update?

Both my wife (uses a MacBook Core Duo) and I (use a MacBook Pro Core 2 Duo) have had the same problems that Excel stops working. Basically, it is fine one minute and then refuses to startup, and you have to reboot to get it to work again.

I have also noticed "weird cursor things" happening. For example, sometimes, when hovering over the buttons in the toolbar of Safari, the cursor disappears. It's still fully functional, but you can't see it. If you move it back to the main window, it reappears again.

Very weird. Never had this sort of thing happen before, and I've been using Macs for years.

All the MS Office apps work fine here, try running the auto updater application.

frozencarbonite
Jan 25, 2007, 04:47 PM
I had hoped that MOAB at least gets some of the ignorance out of Mac users but I guess it hasn't. 19 of the 24 bugs they have found are direct Apple bugs.

They have fixed 1! now. There are still 18 Apple bugs out there of which the majority can lead to arbitrary code execution.

Apple is taking some major time to fix this stuff, considering that other people have already fixed more than half of the bugs in their spare time.

Something really has to be exploited before people wake up. Sad but true. :(

I'm afraid you are probably right.

Only fixing 1 bug since this whole thing has started is pretty sad. I think even Microsoft would have been faster at getting bug fixes out. I wish they would forget about the stupid iPhone and new hardware and work on their software. I know they are working on Leopard. They need to be working on the OS that is on users' systems and has bugs.

I have a feeling these issues are still going to be there even when 10.4.9 is released. Also, people keep saying they will probably wait and release the fixes when Leopard is released. That is a very stupid move if they do that.

I'm afraid I'm starting to lose faith in Apple. This whole Intel switch seemed to be the turning point. I hope I'm wrong, but it may be all downhill from here.

Lyle
Jan 25, 2007, 05:02 PM
Has anyone else found that Excel won't start, since this security update?

Excel 2004 is working fine on my MacBook after the update and so is Safari. On the other hand, the slow-to-go-to-sleep problem has come back; I guess my MacBook got his nap out overnight.

Pwoppet
Jan 26, 2007, 03:15 AM
Excel 2004 is working fine on my MacBook after the update and so is Safari. On the other hand, the slow-to-go-to-sleep problem has come back; I guess my MacBook got his nap out overnight.

It's not that it doesn't work, it's more that it stops working, particularly when opening .xls attachments in Mail. It probably isn't an Office setup problem because my wife just installed Office 2004, whereas I installed it and then patched it with the patch from MS. We had both been running Excel fine for ages, and then both found it caused us a problem the day after this security patch.

The commonalities are:

- Both have Intel machines (but not the same processor or motherboard)
- Both run Office (but not the same config)
- Both use Mail

I can't see how a security patch for Quicktime could affect Excel, so what else could be causing this problem?

allanmac
Jan 26, 2007, 03:23 AM
I wouldn't know. I still use IE. :eek: ;)

IE, I thought that was just an abbreviation for "therefore", does it mean something else?

Allan

Diatribe
Jan 26, 2007, 03:37 AM
I'm afraid you are probably right.

Only fixing 1 bug since this whole thing has started is pretty sad. I think even Microsoft would have been faster at getting bug fixes out. I wish they would forget about the stupid iPhone and new hardware and work on their software. I know they are working on Leopard. They need to be working on the OS that is on users' systems and has bugs.

I have a feeling these issues are still going to be there even when 10.4.9 is released. Also, people keep saying they will probably wait and release the fixes when Leopard is released. That is a very stupid move if they do that.

I'm afraid I'm starting to lose faith in Apple. This whole Intel switch seemed to be the turning point. I hope I'm wrong, but it may be all downhill from here.

Let's hope not. I agree that Apple needs to be serious about this but I think they need a wake up call bigger than this, like a virus/trojan/worm in the wild doing some damage before they wake up.
The only problem is that we will be the ones suffering.

Pwoppet
Jan 26, 2007, 03:37 AM
IE, I thought that was just an abbreviation for "therefore", does it mean something else?

Allan

i.e. = "that is"

IE = "heap of crap" (MS Internet Explorer)

Actually, IE 7 isn't *that* bad. I'm not going to use it, but it's not awful.

nagromme
Jan 26, 2007, 01:15 PM
I had hoped that MOAB at least gets some of the ignorance out of Mac users but I guess it hasn't. 19 of the 24 bugs they have found are direct Apple bugs.

They have fixed 1! now. There are still 18 Apple bugs out there of which the majority can lead to arbitrary code execution.

Apple is taking some major time to fix this stuff, considering that other people have already fixed more than half of the bugs in their spare time.

Something really has to be exploited before people wake up. Sad but true. :(

Does Microsoft generally fix bugs just days after they are first reported to them?

Just because Apple hasn't yet released a fix doesn't mean they aren't working on one--and days is not "major time." Some bugs are quicker to fix than others, and some fixes have more side-effects to test than others. (And some bugs sound scary on paper but actually don't present a likely immediate threat to users. So taking the time to fix them right makes good sense. Look at past Microsoft patches that have broken other things in the process.)

Most security researchers report the bug to the vendor first, so a fix can be in progress or ready by the time crackers and the public are told. In this case, Apple--and we users--have been given no such courtesy.

Apple's not perfect--they make needless mistakes--but I think you exaggerate the delay issue here.

And people should avoid the following often-repeated logic:

1. No OS will ever be perfect.

2. Therefore Mac OS is not perfect.

3. Therefore Mac OS is just AS bad as Windows.

#3 doesn't work :)

(BTW, what is the ignorance of Mac users that you refer to? Mac users all know OS X has flaws because they see the fixes download. They also know Macs have no viruses or spyware right now. And they also know that might change--but that when it does it still won't equal the nightmare on Windows. If you've ever seen anyone claim that Mac security is perfect, you've seen something I never have :) I see LOTS of people SAY Mac users say that, but I never seem to see the straw man himself. Because such ignorance is in reality nearly nonexistent. And when people "wake up" as you say, what will that mean? What new actions will the bulk of Mac users take that you are disappointed to see them not taking now?)

srf4real
Jan 28, 2007, 09:41 AM
everything was great until today when I tried to open homemade .mov files. Now Quicktime with security update is crashing the finder, crashing itself, really making me :mad: .what up!? (http://forums.macrumors.com/showthread.php?t=274326)

CeCe
Jan 28, 2007, 08:55 PM
After installing the update and restarting my C2D Macbook, I can't connect to the internet wirelessly.

Anyone know how to fix this or how to undo a software update?

Teh Don Ditty
Jan 28, 2007, 09:12 PM
CeCe, I have a CD MacBook and I had the same problem you were. I just reinstalled OS X :mad: Now, I'm working perfectly again.

EDIT: Sorry, I thought this was the AirPort update.

Mods please delete post as it is irrelevant to Quicktime update. Thanks.

Diatribe
Jan 29, 2007, 01:49 AM
Does Microsoft generally fix bugs just days after they are first reported to them?

Just because Apple hasn't yet released a fix doesn't mean they aren't working on one--and days is not "major time." Some bugs are quicker to fix than others, and some fixes have more side-effects to test than others. (And some bugs sound scary on paper but actually don't present a likely immediate threat to users. So taking the time to fix them right makes good sense. Look at past Microsoft patches that have broken other things in the process.)

Most security researchers report the bug to the vendor first, so a fix can be in progress or ready by the time crackers and the public are told. In this case, Apple--and we users--have been given no such courtesy.

Apple's not perfect--they make needless mistakes--but I think you exaggerate the delay issue here.

And people should avoid the following often-repeated logic:

1. No OS will ever be perfect.

2. Therefore Mac OS is not perfect.

3. Therefore Mac OS is just AS bad as Windows.

#3 doesn't work :)

(BTW, what is the ignorance of Mac users that you refer to? Mac users all know OS X has flaws because they see the fixes download. They also know Macs have no viruses or spyware right now. And they also know that might change--but that when it does it still won't equal the nightmare on Windows. If you've ever seen anyone claim that Mac security is perfect, you've seen something I never have :) I see LOTS of people SAY Mac users say that, but I never seem to see the straw man himself. Because such ignorance is in reality nearly nonexistent. And when people "wake up" as you say, what will that mean? What new actions will the bulk of Mac users take that you are disappointed to see them not taking now?)

Because of their history MS has become generally pretty proficient in fixing bugs, which doesn't mean that this was always this way.
Apple now fixed a bug discovered in the Month of Kernel Bugs FROM NOVEMBER. I think we can agree that this is not days anymore.

And in contrast to your experiences I have seen and heard a lot of Mac users say that there aren't any viruses with an attitude like there will never be any.

The action I think that needs to be taken is for Apple to more thoroughly check their software and for us to keep an open mind and eye. Nothing more nothing less. You think we already do, I think we don't.

dudleybaddog
Jan 29, 2007, 08:15 AM
After installing the update and restarting my C2D Macbook, I can't connect to the internet wirelessly.

Anyone know how to fix this or how to undo a software update?

I've got exactly the same problem, as do others. Checking the discussions at Apple.com, many others are experiencing this same issue.

I'm with you. I don't know how to fix it. I'm hoping that Apple will fix this soon. I did read that a reinstall of OSX might solve the problem. I think I'm going to wait and see if Apple comes out with a fix first.

CeCe
Jan 29, 2007, 09:25 AM
I've got exactly the same problem, as do others. Checking the discussions at Apple.com, many others are experiencing this same issue.

I'm with you. I don't know how to fix it. I'm hoping that Apple will fix this soon. I did read that a reinstall of OSX might solve the problem. I think I'm going to wait and see if Apple comes out with a fix first.

Me too as it's a lot of work to do it...