PDA

View Full Version : 2003-12-19 Security Update and Quicktime 6 MPEG-2 Component


MacRumors
Dec 19, 2003, 08:54 PM
Apple has released a 2003-12-19 Security Update in your Mac OS X Software Update. This update is recommended for all Macintosh users:

This update includes the following components: AFP Server, ASN.1 Decoding for PKI, cd9660.util, Directory Services,fetchmail, fs_usage, rsync. and System Initialization.

For more information: http://www.info.apple.com/kbnum/n61798

Apple also posted an update to the Quicktime 6 MPEG-2 Component (also in Software Update). Users who had previous purchased the Quicktime MPEG-2 Component had found that the previous version expired on Dec 15th.

Booga
Dec 19, 2003, 08:59 PM
In addition, the Xcode update which was pulled yesterday was re-posted today.

bennok
Dec 19, 2003, 09:00 PM
That's a lot of updates, and a lot of updates requiring a restart ;-)

ZildjianKX
Dec 19, 2003, 09:01 PM
Please, no more OS X updates... fix the damn iPod firmware that is whacked Apple!

magi.sys
Dec 19, 2003, 09:03 PM
Also, the 10.3.2 server update is posted

I bet apple wanted to wait till they figured out the security update before they released the server update, hence the delay compared to panther client.

SFNE Freak
Dec 19, 2003, 09:05 PM
Screw that...I'll take my chances and wait until I have to restart for something else. I'm sick of restarting for software updates.

mac15
Dec 19, 2003, 09:25 PM
I'll hold off the secutiy update for a while, nothing thats there bother me all that much to install it.

sethypoo
Dec 19, 2003, 09:31 PM
Originally posted by SFNE Freak
Screw that...I'll take my chances and wait until I have to restart for something else. I'm sick of restarting for software updates.

Hear hear, but it has to happen occasionally.

So the Xcode update is back.....interesting.

TomSmithMacEd
Dec 19, 2003, 09:54 PM
I thought I went to the mac to get away from security updates??? WHo knows.

dukemeiser
Dec 19, 2003, 09:56 PM
There sure has been a lot of Security Fixes lately. And here I was getting envious of the PC users. :D

I've noticed that more people have been reporting security holes to Apple than before. Does this mean the Mac OS is reaching a larger audience than ever before? ;)

pivo6
Dec 19, 2003, 10:09 PM
Ran the update. Only 1.5 MB, not a big deal.

neonart
Dec 19, 2003, 10:11 PM
Maybe later. Doing this on 3 machines at home and one at works gets old if done more than 5 times in a week.

arn
Dec 19, 2003, 10:16 PM
Originally posted by dukemeiser

I've noticed that more people have been reporting security holes to Apple than before. Does this mean the Mac OS is reaching a larger audience than ever before? ;)

It's probably more that Mac OS X is more of a multi-user OS.

You could see it that Mac OS 9 had a huge security hole or none. It had no multiuser capability, so you didn't have to worry about anyone logging in. Anyone at the computer, however, could wipe the entire drive, or replace any file with malicious one.

arn

ITR 81
Dec 19, 2003, 10:17 PM
Xcode was pulled yesterday due to a server glitch. A Apple rep. reported it on the Apple Dis. boards yesterday.

I'll update everything now thank you.

CaptainScarlet
Dec 19, 2003, 10:25 PM
I do belive in patching all my systems, and have already patched them. No problems here.


After this install the 10.3.2 update seems "Faster".



CS.....out

bousozoku
Dec 19, 2003, 10:25 PM
Originally posted by TomSmithMacEd
I thought I went to the mac to get away from security updates??? WHo knows.

The difference is that these really fix things, not make things worse. :D The security updates don't arrive that often since things are pretty secure already.

pb1212580
Dec 19, 2003, 10:40 PM
as an ex-heavy-windows user, I can say that everything there's a security update or some sort of update, the system seems to run slower and slower... or just start doing funky things and being unstable more and more. Honest.
Yes, even in xp. There are at least 40 security updates since xp came out... at least that's what I got yesterday reinstalling my sister's "new" pc laptop. I had to do 65 download/updates; and that's just from M$.

I have to agree that Apple's updates dont' usually slow things down; usually fixes things and if anything improves the speed.

So, anyone found any interesting things about these updates? Quite quiet in here... so different from last night! :)

my 2 cents...

ddbean
Dec 19, 2003, 10:46 PM
Ran update fine here. no notice of change.
To pivo6, my update was 3.5 mb. I was wondering why yours would have only been 1.5? (Not a big deal, just curious)

pivo6
Dec 19, 2003, 11:23 PM
Originally posted by ddbean
Ran update fine here. no notice of change.
To pivo6, my update was 3.5 mb. I was wondering why yours would have only been 1.5? (Not a big deal, just curious)

I either misread, or maybe because I'm still running Jaguar 10.2.8.

Spades
Dec 19, 2003, 11:24 PM
OS X includes a huge amount of software, a lot of it NOT written by Apple. The good side of this is that OS X has more out-of-the-box functionality than Windows. The bad side of this is that there's more stuff for Apple to fix.

Of the updates listed, I immediately recognize fetchmail and rsync as not being Apple's software. I don't know what's fixed in fetchmail, but if the rsync problem is what I think it is, then it's definitely not Apple's fault.

The rsync problem I'm thinking of is the security hole which allowed the recent attacks on the Debian (http://www.debian.org/) project, and one of the systems used to mirror Gentoo (http://www.gentoo.org/). (Note that it only hit a mirror, and none of Gentoo's files were touched.)

I'm not sure how many people are even aware that OS X includes rsync, let alone use it, but I'm glad Apple is keeping the software they ship with OS X secure, even if it's not their own software.

Edit: My mistake. As pointed out below, Debian was attacked with a different method.

HoserHead
Dec 20, 2003, 12:05 AM
Originally posted by Spades

The rsync problem I'm thinking of is the security hole which allowed the recent attacks on the Debian (http://www.debian.org/) project Please note the Debian compromise had nothing to do with the rsync bug, but was instead a kernel exploit. (http://www.debian.org/News/2003/20031202)

Mr.Hey
Dec 20, 2003, 01:01 AM
Originally posted by TomSmithMacEd
WHo knows.


Did you mean-- who knew?


When the security patches outpace M$ in both size and frequency then I'll agree with you but until then.....zip it. Now you know :).

ITR 81
Dec 20, 2003, 01:02 AM
Originally posted by HoserHead
Please note the Debian compromise had nothing to do with the rsync bug, but was instead a kernel exploit. (http://www.debian.org/News/2003/20031202)

But I believe the kernel has been updated since then.

It looks like the bootup process on my Mac has slightly improved with this sec. update.

Stella
Dec 20, 2003, 01:32 AM
I'd rather have updates than an OSX than unsupported and is left to rott, or updated infequentally, such as XP. In two years, how many XP updates have there been (apart from security fixes... and fixes to fix the security fix). Little.

As for rebooting. Sometimes it really is necessary. Some upgrades update the prebinding, once this is done, you have to reboot.

Try rebinding yourself and then run affected applications..... the answer? They don't.... until you reboot.


Originally posted by ZildjianKX
Please, no more OS X updates... fix the damn iPod firmware that is whacked Apple!

SeaFox
Dec 20, 2003, 03:23 AM
Originally posted by arn
You could see it that Mac OS 9 had a huge security hole or none. It had no multiuser capability, so you didn't have to worry about anyone logging in. Anyone at the computer, however, could wipe the entire drive, or replace any file with malicious one.

arn

What do you mean it had no multiuser capability? What was the "Multiple Users" Control Panel for then? :rolleyes:

If the other users worked in Simple Finder or the "Panes" view similar to the old At Ease interface, they couldn't mess in the System Folder, defined appliactions, and external media.

BWhaler
Dec 20, 2003, 05:30 AM
I wonder if that horse's ass columist at PC Magazine is now going to write another article "discovering" Mac's (sic) are not invulnerable.

Lance Ulloff's stupidity still makes me laugh.

visor
Dec 20, 2003, 06:06 AM
that it was updated. However too bad that the root exploid was removed. how am I going to halp anyone who forgot his root password, now?

looks like we'll have to dig up another way to become root...

visor
Dec 20, 2003, 06:13 AM
Originally posted by SeaFox
What do you mean it had no multiuser capability? What was the "Multiple Users" Control Panel for then? :rolleyes:

If the other users worked in Simple Finder or the "Panes" view similar to the old At Ease interface, they couldn't mess in the System Folder, defined appliactions, and external media.

old os9 was about as multiuser as win95. in win 95 you could also havbe 'many users' on a system.all able to kill the system completely. people tend to call this type of system 'single user' since you can't differenciate privileges.

ThomasJefferson
Dec 20, 2003, 08:19 AM
Note to self - Never tell the girl that you have been getting more software updates than @@X. Response is not as expected. Try flowers instead.

Winston Smith
Dec 20, 2003, 11:32 AM
Originally posted by ThomasJefferson
Note to self - Never tell the girl that you have been getting more software updates than @@X. Response is not as expected. Try flowers instead.

Why CAN'T they see the funny side of that?

Spades
Dec 20, 2003, 03:13 PM
Originally posted by Stella

As for rebooting. Sometimes it really is necessary. Some upgrades update the prebinding, once this is done, you have to reboot.


So prebinding is why updates require a reboot? I've always wondered that. Unix in general doesn't need to be rebooted except for kernel updates. With the microkernel in OS X, I figured even kernel updates could be done without a reboot. Well...now I know better.

alamar
Dec 21, 2003, 04:05 AM
People seem to be a bit irked here about the security patch, what with their comparisons to windows and such. Truth be told, OSX is more secure than windows, and no known viruses are running the streets kicking open the ONE AND ONLY known vulnerability I know about that has yet to be patched.
You can read about it here, and also learn how to fix it, not that it makes a huge number of systems vulnerable. http://theregister.com/content/39/34240.html

OSX is typically safe, mostly due to the fact that the System is designed for security. Windows never was, and is still highly vulnerable. Reg recently has a good article on this too.
http://theregister.com/content/4/34554.html

For years the rumor of the Goodtimes virus was floating around, about an email that was a virus activiated simply by reading it. This was a lie/joke/ Then Micorsoft made an email client that made this joke a reality with Love Bug and many others.....Apple has a slightly better track record.

To see evidence of system security, portscan a windows box on your network, with or w/o a firewall (assuming you don't have it firewalled off to the point where the portscan produces no output), then scan your Mac. Really do it.

At any rate, if man made it, a man can break it, and a woman can belittle it to death, and we will always see security updates from time to time for every OS. Its good that Apple is vigilant in this respect. Really though, if someone wants to crack your box, they will, and it is likely it won't involve a security vulnerability. They will just watch you type your password, or ask you what it is, or look under your desk and find it written there...or light you on fire after you type it in....whatever.

We are lucky so far to not have any worms, viri and or system killers flying around. Be vigilant, upgrade your security, keep passwords close to the vest and change them as soon as you suspect their compromised (like when you login to your hotmail at your UBER NERD buddies house and think he might be logging keystrokes), and be wary of suspect files that pop up in your inbox or float around kazza, and make backups on a regular basis, and you should be OK. If your not willing to do that, well.....Its akin to driving a car for years on end without ever checking any fluid aside from gas.

I don't see the logic in griping about a free update that improves security and isn't hiding some subversive software.

Its a good update. I don't see anyone ranting that it has broken anything.

Sorry to be preachy.

encro
Dec 21, 2003, 08:48 AM
Originally posted by Spades
So prebinding is why updates require a reboot? I've always wondered that. Unix in general doesn't need to be rebooted except for kernel updates. With the microkernel in OS X, I figured even kernel updates could be done without a reboot. Well...now I know better.

Don't believe it Stella. Prebinding is sometimes done after the reboot but OS X can prebind on the fly so it's not why the reboot happens.

The main reason is that rather than kill -HUP most of the refreshed/updated frameworks it's a lot better (and easier) to force a restart and guarantee a stable system.

Ibjr
Dec 21, 2003, 03:58 PM
Originally posted by arn
It's probably more that Mac OS X is more of a multi-user OS.

You could see it that Mac OS 9 had a huge security hole or none. It had no multiuser capability, so you didn't have to worry about anyone logging in. Anyone at the computer, however, could wipe the entire drive, or replace any file with malicious one.

arn

I Disagree. The problem stems from Apple’s short-sided decision to have the user run as root by default.

Ibjr
Dec 21, 2003, 04:08 PM
Originally posted by bousozoku
The difference is that these really fix things, not make things worse. :D The security updates don't arrive that often since things are pretty secure already.

I will call you on that. MS fixes do not usually make things worse! They are quite adapt at ‘patching’ problems with their inherently insecure OS. Given the prevalence of XP when compared to OSX, your antidotal evidence of MS patches often exasperating the problem while Apple’s patches are helpful is ludicrous.

Pretty secure? No, Apples measly market share ensures problems are rarely discovered in their products. Zealot, if Microsoft took BSD they could create a pretty secure operating system..

bousozoku
Dec 21, 2003, 06:36 PM
Originally posted by Ibjr
I will call you on that. MS fixes do not usually make things worse! They are quite adapt at ‘patching’ problems with their inherently insecure OS. Given the prevalence of XP when compared to OSX, your antidotal evidence of MS patches often exasperating the problem while Apple’s patches are helpful is ludicrous.

Pretty secure? No, Apples measly market share ensures problems are rarely discovered in their products. Zealot, if Microsoft took BSD they could create a pretty secure operating system..

Oh, you're too funny. :D

I think I'm next to the last person here anyone would call a zealot for Apple. I quite frequently complain about Apple's problems doing the right thing.

The fact that I'm giving an anectodal account of my experiences with Microsoft operating systems over the years is based in reality.

As far as Microsoft creating a secure operating system--they could, but then, they'd compromise it later. e.g., Microsoft used the Mach kernel as the basis for Windows NT, as they did with OS/2, per IBM's design. In Windows NT 3.51, the graphics performance wasn't fast enough, so they violated the microkernel by putting the graphics subsystem into it.

Microsoft is really adept at doing what's easy and what's cheap, but never what's right.

If you'd like, we can start with the original MS BASIC interpreter on the Altair 8800. That's how back far my Microsoft experience goes.

stcanard
Dec 21, 2003, 09:20 PM
Originally posted by Ibjr
I Disagree. The problem stems from Apple’s short-sided decision to have the user run as root by default.

Are you saying that OS9 had account ownership and group permissions built into it's filesystem?

My impression was that is didn't. Multiple users was for preferences differences. As mentioned before, like Win 95.

SeaFox
Dec 21, 2003, 11:10 PM
Originally posted by stcanard
Are you saying that OS9 had account ownership and group permissions built into it's filesystem?

My impression was that is didn't. Multiple users was for preferences differences. As mentioned before, like Win 95.

It didn't have ownership and group permissions built into the filesystem like UNIX, but it did allow access to files, system control panels/compoents to be prohibited.

In Windows95, if you knew how the directory structure was set up you could dig into other user's documents folders quite easily. That wasn't possible in MacOS9.

alamar
Dec 22, 2003, 12:00 AM
Originally posted by Ibjr
I will call you on that. MS fixes do not usually make things worse! They are quite adapt at ‘patching’ problems with their inherently insecure OS. Given the prevalence of XP when compared to OSX, your antidotal evidence of MS patches often exasperating the problem while Apple’s patches are helpful is ludicrous.

Pretty secure? No, Apples measly market share ensures problems are rarely discovered in their products. Zealot, if Microsoft took BSD they could create a pretty secure operating system..

Market share has little to do with it. BSD is solid, and there are TONS of people both nice guys and bad guys who every day work to find holes in it. These holes when found by the good guys are typically quickly fixed.

Yes, it is true that an OSX worm wouldn't go very far...but that is not the point. The point is that OSX is built from the ground up for security. MS is not. Installs run rampant on system files in windows. OSX atleast promts for a password letting you know that your system is being altered an giving you a chance to back out.

The way MS gets hacked it historically a known open. Sobig.F hit one, as did the blasterworm, both in the same week. I was tech support for an ISP at the time and it was hell for any customer running a Win Lan. The vulerablilty the blaster-worm hit was well documented and MS has tried to fix it many times....I belive it was the same with SoBig.

MS is trying to sew closed a net, and in the process they do unethical things such as include a bunch of DMR in the update for their media player as the ONE and ONLY way to close the secuirty hole. That might not have made a new hole, but it slide some unwanted software onto many many machiens.

XP is solid, and maybe their best product since win 98 se. But until MS puts out an OS designed from the ground up to protect itself, and gets heavily agressive on fixing and NOTIFYING CUSTOMERS of possible security holes it will always be the biggest best target for hackers. Sobig.f could have been stopped (in most cases) with firewalls instead of mail filters and anti viri software.

Market share has little to nothing to do with who gets hacked IMHO a smart bad guy would just write a worm that runs on every OS and have it replace your ping command. This hasn't happened because its a bitch to hack Unix and Linix, but comparativley cake to hack Windows.

Anybody got a count on the known Windows vulerabilites at present?

Back to the point, a security update on any platform is typically a good thing for the survival of all us lowly fanatical Zealot consumers.

displaced
Dec 22, 2003, 08:55 AM
For my sins, I'm a Windows network admin.

We run MS Software Update Services, which is essentially a locally-cached version of Windows Update, allowing us to select and distribute patches to our Windows clients.

One handy feature is a list of totals of updates for each OS.... ready?

Internet Explorer 5.0X -- 223 items
Internet Explorer 5.5X -- 99 items
Internet Explorer 6.0 -- 326 items
Windows 2000 -- 1651 items
Windows XP -- 1379 items
Windows Server 2003 Family -- 258 items.

Note that these are English Language only updates, and are only updates classed as Security or Critical updates. None of these provide extra functionality beyond that required to fix a bug/exploit.

edit: and, no - these items aren't individual files. Each item is an update containing many modified files.

OS X is solid. Apple's patching is exemplary, quick to release updates for all bundled software in the OS, bringing us the latest updates for both Apple and Open Source Community software in a timely fashion and in a manageable way.

From a technical point of view, patching OS X is also much safer than Windows. Microsoft's technotes which cover the updates are vague at best and often downright evasive. Apple's technotes are usually informative and detailed. Since most of OS X's multi-user and internet-facing software is open source, bugs and the afflicted code is often discussed across various sites, with commentary and information from all sorts of people who have a clue about the issue and the code. Apple updates tend to be targetted fixes for known and well defined issues. MS updates feel like a band-aid on a weeping sore.

Independence
Dec 22, 2003, 10:00 AM
Originally posted by alamar
XP is solid, and maybe their best product since win 98 se.
Heheh. I hope you're joking with that statement. Windows 95 was actually a half-way decent OS. Windows 98 and its integration with Internet Explorer was a big mistake and added a huge pile of bugs to the OS. Windows 98 will never match up to the stability of the archaic Windows 95 and Windows 95 will never match up to the stability of Windows XP.