http://www.macrumors.com/images/macrumorsthreadlogo.gif (http://www.macrumors.com)

Apple has addressed the recent well-publicized security issues (http://www.macrumors.com/pages/2006/02/20060216234239.shtml) involving the Safari "Open safe files after downloading" feature, including changes to Mail, iChat, and the LaunchServices facility.

Now available via Software Update for qualifying systems:

Security Update 2006-001

For Mac OS X 10.3.9 and Mac OS X 10.4.5.

Recommended for all users and improves the security of the following components:

apache_mod_php
automount
Bom
Directory Services
iChat
IPSec
LaunchServices
LibSystem
loginwindow
Mail
rsync
Safari
Syndication

For detailed information on this Update, please visit this website: http://docs.info.apple.com/article.html?artnum=61798
Specific information can be found here (http://docs.info.apple.com/article.html?artnum=303382).

Also available for direct download: Mac OS X 10.4.5 (PPC) (http://www.apple.com/support/downloads/securityupdate2006001macosx1045ppc.html), Mac OS X 10.4.5 (Intel) (http://www.apple.com/support/downloads/securityupdate2006001macosx1045clientintel.html), Mac OS X 10.3.9 (http://www.apple.com/support/downloads/securityupdate20060011039client.html), Mac OS X 10.3.9 Server (http://www.apple.com/support/downloads/securityupdate20060011039server.html).


iTunes 6.0.4

With iTunes 6, you can preview, buy, and download over 3,000 music videos and hit TV shows on the iTunes Music Store and sync your music and purchased videos with iPod to enjoy on the go. To watch purchased videos, you must have QuickTime 7.0.3 or later and Mac OS X 10.3.9 or later.

iTunes 6.0.4 addresses stability and performance issues related to Front Row.

Note: After purchasing music from the iTunes Music Store with iTunes 6 or later, you will also need to upgrade your other computers that purchase music from the iTunes Music Store to the latest version of iTunes.
Also available as a direct download (http://www.apple.com/support/downloads/itunes604.html).


iPhoto Update 6.0.2

iPhoto 6.0.2 resolves several minor issues with playing shared slideshows in Front Row.
Also available as a direct download (http://www.apple.com/support/downloads/iphoto602.html).


Front Row 1.2.1

This Front Row update improves compatibility with iTunes and iPhoto sharing.
Also available for direct download (http://www.apple.com/support/downloads/frontrow121.html).

Just downloaded it. No problems so far on my iBook.

sounds like a good update...much better than yesterday :p

all is good here for me, installed and rebooted, all is good!

Downloaded it, installed it, but it STILL doesn't fix my problem with the $100 iPod sock!

Safari, LaunchServices

CVE-ID: CVE-2006-0394

Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9, Mac OS X v10.4.5, Mac OS X Server v10.4.5

Impact: Viewing a malicious web site may result in arbitrary code execution

Description: It is possible to construct a file which appears to be a safe file type, such as an image or movie, but is actually an application. When the "Open `safe' files after downloading" option is enabled in Safari's General preferences, visiting a malicious web site may result in the automatic download and execution of such a file. A proof-of-concept has been detected on public web sites that demonstrates the automatic execution of shell scripts. This update addresses the issue by performing additional download validation so that the user is warned (in Mac OS X v10.4.5) or the download is not automatically opened (in Mac OS X v10.3.9).




so from this i would take it has solved the evil file thing! good work apple.

Sorted. No issues here.

Is it me, or is Safari snappier??!! ;) :D

It's taking quite a long time to reboot my G5. Anyone else experiencing long reboot times?

Changes in the Security Update

apache_mod_php: Multiple security issues in PHP 4.4

PHP 4.4.1 fixes several security issues in the Apache module and scripting environment. Details of the fixes are available via the PHP web site (www.php.net). PHP ships with Mac OS X but is disabled by default.

automount: Malicious network servers may cause a denial of service or arbitrary code execution

File servers on the local network may be able to cause Mac OS X systems to mount file systems with reserved names. This could cause the systems to become unresponsive, or possibly allow arbitrary code delivered from the file servers to run on the target system.

BOM: Directory traversal may occur while unpacking archives with BOM

The BOM framework handles the unpacking of certain types of archives. This framework is vulnerable to a directory traversal attack that can allow archived files to be unpacked into arbitrary locations that are writable by the current user. This update addresses the issue by properly sanitizing those paths. Credit to Stéphane Kardas of CERTA for reporting this issue.

Directory Services: Malicious local users may create and manipulate files as root

The passwd program is vulnerable to temporary file attacks. This could lead to privilege elevation. This update addresses the issue by anticipating a hostile environment and by creating temporary files securely. Credit to Ilja van Sprundel of Suresec LTD, vade79, and iDefense (idefense.com) for reporting this issue.

FileVault: FileVault may permit access to files during when it is first enabled

User directories are mounted in an unsafe fashion when a FileVault image is created. This update secures the method in which a FileVault image is created.

IPSec: Remote denial of service against VPN connections

Incorrect handling of error conditions for virtual private networks based on IPSec may allow a remote attacker to cause a service interruption. This update addresses the issues by correctly handling the conditions that may cause crashes. Credit to OUSPG from the University of Oulu, NISCC, and CERT-FI for coordinating and reporting this issue.

LibSystem: Attackers may cause crashes or arbitrary code execution depending upon the application

An attacker able to cause an application to make requests for large amounts of memory may also be able to trigger a heap buffer overflow. This could cause the targeted application to crash or execute arbitrary code. This update addresses the issue by correctly handling these memory requests. This issue does not affect systems prior to Mac OS X v10.4. Credit to Neil Archibald of Suresec LTD for reporting this issue.

Mail: Download Validation fails to warn about unsafe file types

In Mac OS X v10.4 Tiger, when an email attachment is double-clicked in Mail, Download Validation is used to warn the user if the file type is not "safe". Certain techniques can be used to disguise the file's type so that Download Validation is bypassed. This update addresses the issue by presenting Download Validation with the entire file, providing more information for Download Validation to detect unknown or unsafe file types in attachments.

perl: Perl programs may fail to drop privileges

When a perl program running as root attempts to switch to another user ID, the operation may fail without notification to the program. This may cause a program to continue to run with root privileges, assuming they have been dropped. This can cause security issues in third-party tools. This update addresses the issue by preventing such applications from continuing if the operation fails. This issue does not affect Mac OS X v10.4 or later systems. Credit to Jason Self for reporting this issue.

rsync: Authenticated users may cause an rsync server to crash or execute arbitrary code

A heap-based buffer overflow may be triggered when the rsync server is used with the flag that allows extended attributes to be transferred. It may be possible for a malicious user with access to an rsync server to cause denial of service or code execution. This update addresses the problem by ensuring that the destination buffer is large enough to hold the extended attributes. This issue does not affect systems prior to Mac OS X v10.4. Credit to Jan-Derk Bakker for reporting this issue.

Safari: Viewing a maliciously-crafted web page may result in arbitrary code execution

A heap-based buffer overflow in WebKit's handling of certain HTML could allow a malicious web site to cause a crash or execute arbitrary code as the user viewing the site. This update addresses the issue by preventing the condition causing the overflow. Credit to Suresec LTD for reporting this issue.

Safari: Viewing a malicious web page may cause arbitrary code execution

By preparing a web page including specially-crafted JavaScript, an attacker may trigger a stack buffer overflow that could lead to arbitrary code execution with the privileges of the user. This update addresses the issue by performing additional bounds checking.

Safari: Remote web sites can redirect to local resources, allowing JavaScript to execute in the local domain

Safari's security model prevents remote resources from causing redirection to local resources. An issue involving HTTP redirection can cause the browser to access a local file, bypassing certain restrictions. This update addresses the issue by preventing cross-domain HTTP redirects.

Safari, LaunchServices: Viewing a malicious web site may result in arbitrary code execution

It is possible to construct a file which appears to be a safe file type, such as an image or movie, but is actually an application. When the "Open `safe' files after downloading" option is enabled in Safari's General preferences, visiting a malicious web site may result in the automatic download and execution of such a file. A proof-of-concept has been detected on public web sites that demonstrates the automatic execution of shell scripts. This update addresses the issue by performing additional download validation so that the user is warned (in Mac OS X v10.4.5) or the download is not automatically opened (in Mac OS X v10.3.9).

Syndication: Subscriptions to malicious RSS content can lead to cross-site scripting

Syndication (Safari RSS) may allow JavaScript code embedded in feeds to run within the context of the RSS reader document, allowing malicious feeds to circumvent Safari's security model. This update addresses the issue by properly removing JavaScript code from feeds. Syndication is only available in Mac OS X v10.4 and later.


Other security enhancements

FileVault

AES-128 encrypted FileVault disk images are now created with more restrictive operating system permissions. Credit to Eric Hall of DarkArt Consulting Services for reporting this issue.

iChat

A malicious application named Leap.A that attempts to propagate using iChat has been detected. With this update for Mac OS X v10.4.5 and Mac OS X Server v10.4.5, iChat now uses Download Validation to warn of unknown or unsafe file types during file transfers.

Mmm... new Front Row for my iMac .. this is great. I live in a dorm with a LOT of shared iTunes music ... now playing on Front Row, thanks Apple. :D

Mmm... new Front Row for my iMac .. this is great. I live in a dorm with a LOT of shared iTunes music ... now playing on Front Row, thanks Apple. :D

???

I know there's an update, but isn't it separate from this security patch?

Front row is still unacceptably laggy on my G5. I really don't understand it: if the system was responsive then it would be really neat. But when the media centre software runs so poorly on a top end consumer computer that is only a few months old, there is something wronghitw it.

Thread cross reference: earlier discussion of these updates.

???

I know there's an update, but isn't it separate from this security patch?
Oh, whoops. I saw that iTunes and iPhoto was mentioned, so I assumed Front Row was mentioned as well ...

For MR reference:

http://www.apple.com/support/downloads/frontrow121.html

does this adress the "virus"-like things that came out last week?
like A-leap?

My G5 has been rebooting for nearly six minutes now. I have a blue screen and the spining propeller thing.

How long should I let it sit here thinking before I kick it in the groin or something?

what is that less than a week from apple to address the "first two OS X viruses"?

it's nice to see them fix these "viruses" in a very calm manner. they didn't treat it as an OMG the world is ending there are viruses for OS X, nor did they ignore what were effectively not-viruses. kudos. and to that george character from yesterday claiming OS X was less secure than winXP.

real world damage to OS X users = 0
real world damage to winXP users = $$$

My G5 has been rebooting for nearly six minutes now. I have a blue screen and the spining propeller thing.

How long should I let it sit here thinking before I kick it in the groin or something?

This isn't uncommon and not an immediate worry. Happens on my G5 PowerMac but not on my iBook strangely. Just be patient, subsequent boots show no lag.

Should I force quit?

Thoughts?

Should I force quit?

Thoughts?
sounds as if you have a program not shutting down as it should i would power off and hope for the best but at you own risk mind

does this adress the "virus"-like things that came out last week?
like A-leap?

From Apple Security Update Notes:

iChat.

A malicious application named Leap.A that attempts to propagate using iChat has been detected. With this update for Mac OS X v10.4.5 and Mac OS X Server v10.4.5, iChat now uses Download Validation to warn of unknown or unsafe file types during file transfers.

Reboots after updates can last a long time sometimes. If the flappy pinwheel thing is still moving you should leave it alone for a while.

If your computer froze during startup you may need to force power down. If that happens you should definitely repair permissions, and you may need to repair the system directory/catalog using a utility like Disk Warrior.

I'm still waiting for this iPod update...C'mon Apple!

sounds like a good update...much better than yesterday :p

Don't be cruel... C'mon';)

It's now been 15 minutes. I'm pressing the History Eraser Button and hoping for the best.

Stand by...

There's a fairly annoying bug in the new Front Row's shared music feature. (Someone please try this on their system and confirm.)

If you try to access a shared library that has already been accessed by five users today, the iTunes app will tell you that you can't use the library; only five different users are accepted each day to prevent widespread listening of other peoples' music. (iTunes' shared music feature is intended for use in individual peoples' homes among their own computers.)

But if you access the same library in Front Row, the spinning logo will just spin indefinitely, forever. Front Row doesn't realize it can't access the library, even though (when you force quit) iTunes has the dialog box saying it's inaccessible. When Front Row is in this state, force-quitting is the only option.

From Apple Security Update Notes:

iChat.

A malicious application named Leap.A that attempts to propagate using iChat has been detected. With this update for Mac OS X v10.4.5 and Mac OS X Server v10.4.5, iChat now uses Download Validation to warn of unknown or unsafe file types during file transfers.

Bug smashed. Nice to see Apple clamp down right away. Time to take this to the watercooler.

It will took me at least one hour to download... so, please, post your impressions about the updates.

For now, alles ok!

That's the beauty of Apple... one week after all that bla bla bla of virus that is not a virus, it came with a patch!!! I feel much more confortable with this procedure.

Nice. Wonder what "Download Validation" really does.

Downloaded and installed: 5 minutes
Restart: 30 seconds

Completely painless.

so does this mean that the iTunes/iPhoto updates are only to address FR issues? I mean...what reason is there for me to install those updates before 6.0.5/6.0.3 or whatever it is that will help non-FR macs? I just don't like changing things anymore than I have to...obviously I will run the security update...

any word on if this breaks the latest front row hack for non imacs/mbp's?

Restart went fine, everything seems normal, just like before :)

http://www.macrumors.com/images/macrumorsthreadlogo.gif (http://www.macrumors.com)

Security Update 2006-001

For Mac OS X 10.3.9 and Mac OS X 10.4.5.


I give this a negative because it it will not update 10.4.x before 5. It says "your Volume does not qualify."

Oh, and I like name "Oompa-Loompa" much better than Leap.A

any word on if this breaks the latest front row hack for non imacs/mbp's?

I would assume it would, download and try it, if it'll even run the installer ?

Front row is still unacceptably laggy on my G5. I really don't understand it: if the system was responsive then it would be really neat. But when the media centre software runs so poorly on a top end consumer computer that is only a few months old, there is something wronghitw it.
That's odd... Front Row actually runs surprisingly well on my Mac mini (PowerPC G4). Hardly any lag unless it's dealing with my enormous iPhoto library (well, it's not that big, 10,000 photos-ish).:rolleyes: :)

hey oblivious,

is front row still working on your mac mini after this update? by the way, i'm right down the pike from you in worcester!

it just warns you that it could be unsafe, you can test out it here:

http://www.heise.de/security/dienste/browsercheck/demos/safari/Heise.jpg.zip

should give you a second warning somehow, people are used to clicking things regardless.

It could do with something like dashboard - the first time a terminal file (or something that tries to call terminal) executes it should be 'sandboxed', and the commands it tries to do listed. Also new unrun apps. At the mo', if you open a file whose app hasn't run previously you get a warning, maybe getting a warning for all apps on their firstrun. This way you can't unwittingly open an app or something that can attack your system.

I wish it would fix some of the minor bugs that apple missed in the last iPhoto 6 update.

Maybe it does and they just didn't tell us? Or is that just wishful thinking....?

I love iPhoto 6 but i've already had one crash that resulted in me having to revert to a backup of my library (it just kept crashing on launch after something got corrupted). That is my #1 gripe with iPhoto right now.

hey oblivious,

is front row still working on your mac mini after this update? by the way, i'm right down the pike from you in worcester!
The Front Row update didn't work on the mini, but I can still use version 1.0.1. I started to alter the original applescript used to make this Front Row update useable on macs without an infrared sensor, but I didn't want to mess anything up with my terrible script skills.:p
Anyway, the security update still isn't finished downloading, and it's been an hour already.:rolleyes:

Heh, my grandmother lives right nearby Worcester, in Uxbridge.

Good, they tightened up automounting. That's a good sign, it means they're looking for the older d'oh! problems and not only the obscure.

The Front Row update didn't work on the mini, but I can still use version 1.0.1. I started to alter the original applescript used to make this Front Row update useable on macs without an infrared sensor, but I didn't want to mess anything up with my terrible script skills.:p
Anyway, the security update still isn't finished downloading, and it's been an hour already.:rolleyes:

Heh, my grandmother lives right nearby Worcester, in Uxbridge.

Lol, maybe i'll drop by for some milk and cookies! i go to school here, i'm from RI. Anywho, if you figure out how to get the new version of front row working, please let us know. it's another cool feature that will have my dormmates envious of all things mac. maybe andrew escobar will update his enabler soon?

The sad thing is this is more exciting than yesterdays "Event"...

Hmm I just did the updates and no longer have my external Lacie hard drive mounting....:mad:

Rebuilt permissions with no luck...:(

any answers yet to get front row 1.2.1 on non-IR computers?

any answers yet to get front row 1.2.1 on non-IR computers?
yeah, Oblivious mentioned that his didn't work on the Mini but 1.01 still did. hopefully someone will patch it soon...

I don't know about FrontRow on non-IR Macs, except to say it didn't break the older version on my PowerBook. I don't know if the newer version is installable, and it doesn't matter to me, as I don't use it on the PB (except just now to verify that it works). Of course, the older version won't share video.

Speaking of which: when I upgraded and brought up FrontRow in my Intellimac, I was told I needed to upgrade to the latest version of iTunes (which had happened during the upgrade).

Exited FR to see the license agreement on iTunes, answered it, went back into FR, still saw the notice to upgrade.

Rebooted, and all was well.

It would be nice if FR were smart enough to realize there were dialogs in the underlying apps - as others have mentioned.

i wish they'd add a detailed track info screen for viewing on an ipod... can it be done with a simple download update? sometimes i want to know what bitrate a song is ripped at from my ipod screen (slide it in between the 'rating' and 'artwork' screens or something) that'd be neat. please!

Hmm I just did the updates and no longer have my external Lacie hard drive mounting....:mad:

Rebuilt permissions with no luck...:(

Strange. My lacie HDs work as usual... What does Disk utilities says?

And System Profiler?

There's a fairly annoying bug in the new Front Row's shared music feature. (Someone please try this on their system and confirm.)

If you try to access a shared library that has already been accessed by five users today, the iTunes app will tell you that you can't use the library; only five different users are accepted each day to prevent widespread listening of other peoples' music. (iTunes' shared music feature is intended for use in individual peoples' homes among their own computers.)

But if you access the same library in Front Row, the spinning logo will just spin indefinitely, forever. Front Row doesn't realize it can't access the library, even though (when you force quit) iTunes has the dialog box saying it's inaccessible. When Front Row is in this state, force-quitting is the only option.

Has there always been a limit like this imposed? Or is this something new...?

Well... that still didn't solve some bug i have :(
check this website: http://www.e-upr.org/ - opens up nicely
enter comments: http://www.e-upr.org/?aid=12348

and I get : Safari can’t open the page.
Too many redirects occurred trying to open “http://www.e-upr.org/?aid=12348?action=show&object=article&id=12348?action=show&object=article&id=12348?
[cut...]
action=show&object=article&id=12348?action=show&object=article&id=12348”. This might occur if you open a page that is redirected to open another page which then is redirected to open the original page.

This heppens only on safari , i reported problem everywhere but no reply.
Do they have their script wrong ? Or is there a bug in safari? Why other browsers under OSX have no problem ? :confused:

surprised there weren't any openssl updates recently, that can always use an update

Just installed it, everything ok. Good - a very quick response to that virus/trojan thing

http://www.mathematik.uni-ulm.de/numerik/staff/lehn/macosx_us.html

Just one week!

Has there always been a limit like this imposed? Or is this something new...?
This has been introduced roughly half a year ago into iTunes. Until then it was a maximum of five concurrent users.

it just warns you that it could be unsafe, you can test out it here:

http://www.heise.de/security/dienste/browsercheck/demos/safari/Heise.jpg.zip

should give you a second warning somehow, people are used to clicking things regardless.

It could do with something like dashboard - the first time a terminal file (or something that tries to call terminal) executes it should be 'sandboxed', and the commands it tries to do listed. Also new unrun apps. At the mo', if you open a file whose app hasn't run previously you get a warning, maybe getting a warning for all apps on their firstrun. This way you can't unwittingly open an app or something that can attack your system.

Ok forget about what I wrote earlier... The trojan will still execute if you double-click it. But it won't execute automatically anymore... So Apple doesn't rock that much :(

The reason why it didn't on my system is that I removed the terminal from the utility folder... Sorry for giving the wrong information :(

/me goes hiding in shame

All OK.

Rebooted from external drive, ran disk utility on startup. Things fixed.

Quote:
Originally Posted by pawnstar
it just warns you that it could be unsafe, you can test out it here:

http://www.heise.de/security/dienste.../Heise.jpg.zip

should give you a second warning somehow, people are used to clicking things regardless.

It could do with something like dashboard - the first time a terminal file (or something that tries to call terminal) executes it should be 'sandboxed', and the commands it tries to do listed. Also new unrun apps. At the mo', if you open a file whose app hasn't run previously you get a warning, maybe getting a warning for all apps on their firstrun. This way you can't unwittingly open an app or something that can attack your system.

Well the security fix is more deep than what you think. With the update, the Heise.jpg file won't open in the terminal even when double-clicked .


In my example macosx_us.html (http://www.mathematik.uni-ulm.de/numerik/staff/lehn/macosx_us.html) I get a warning before the file gets extracted. But after that there is still a QuickTime icon. And just starts when clicking on it.

However I would not call this a real security flaw. There will always be a way that a user can run an application if she/he really wants.

:) All runs fine here! No problem installing/restarting... fast restart.

Safari feels snappier!!! Hehehe! ;)

VL-Tone: Thanks for reporting the details.

The primary danger from Trojans will now return to what it will likely always be: If somebody tells you to download and run an application and you do so without considering the source of this recommendation, you might be running a program with bad intentions that has access to whatever files you have access to.

The advice to avoid using your Mac as administrator except when necessary is no longer as critical, but is still a sensible idea. And don't forget your backups!

[...]
From now on, with this update, there is no known way to make a trojan on OS X that doesn't have the .app extension, which is forced to appear even with "show extensions" off. And each of those .app will warn you the first time you run them. [...]
That sounds ... safe.
Are there any cases where one would like to run a Unix executable by double-clicking it?

Looks like more than a quick-and-dirty band aid from Apple--and quickly released too! :) I thought there would be SOMETHING out in the next few weeks, but not so soon and not so thorough. I thought they'd spend longer to reach this point. Good for Apple.

Lots of Trojan potential squashed. Too bad--Apple didn't even give people TIME to try any Leap A copycats :p

Thanks for the details, Dr. Q and VL Tone.

Well the security fix is more deep than what you think. With the update, the Heise.jpg file won't open in the terminal even when double-clicked .

Do a get info on the file, and you'll see a difference from before the update. The get info box shows "Kind: JPEG Image" instead of "Kind: Terminal Document". If you double-click it, Preview tries to open it and report a "corrupted file" error.

Sure the actual data inside the file can be a malicious script, but there is now no way to make it execute unless you manually remove the extension after downloading and force the terminal to open it.

If you do a get info after removing the extension, you see that it shows: "Kind: Unix Executable File".

So you say "Someone can still put a custom icon on these and make people click on it!" without doing get info. Wrong! Double click this Unix Executable and what happens? It opens in TextEdit!!

It means that also squashes the Leap.A trojan to pieces. Try to download Leap.A, double click on it and it opens in TextEdit, showing you the malicious terminal code!

Apple took these issues seriously and it shows.

From now on, with this update, there is no known way to make a trojan on OS X that doesn't have the .app extension, which is forced to appear even with "show extensions" off. And each of those .app will warn you the first time you run them. And Safari will warn you if it finds .app files or a compressed file it cannot check before completing the download.


Apple ROCKS!!! :D

Well the security fix is more deep than what you think. With the update, the Heise.jpg file won't open in the terminal even when double-clicked .

Do a get info on the file, and you'll see a difference from before the update. The get info box shows "Kind: JPEG Image" instead of "Kind: Terminal Document". If you double-click it, Preview tries to open it and report a "corrupted file" error.

...


mine still opens up terminal and lists my directory. I get warned it looks bad, and Safari doesn't auto open it. But if I double click it, it runs.

Just need something so that if I'm launching an app, I know I'm launching an app; and if I'm launching something that opens terminal/actionscript/automator, I get told that too. Just in case I didn't know I was doing this. Once a file/app has been run, it's added to a 'safe' list or something, that way I don't get asked again.

^^^I just re-read some of your post - the bit about having to have the .app extension, that's good and addresses most of the problem.

It is a bit of a pain and it would be nice not to have dialogue boxes popping up, but how many times do you stick a new app on? If you know it's an app, it's one click to ok it - if you didn't know it was an app, then you're now safe.

I feel this update is a stopgap to the problem.

Looks like more than a quick-and-dirty band aid from Apple--and quickly released too! :) I thought there would be SOMETHING out in the next few weeks, but not so soon and not so thorough. I thought they'd spend longer to reach this point. Good for Apple.

Lots of Trojan potential squashed. Too bad--Apple didn't even give people TIME to try any Leap A copycats :p

Thanks for the details, Dr. Q and VL Tone.


Im sure the second the problem broke, they locked the OS engineers in a room and didnt let them out until they had written up the fix.

:p

Well the security fix is more deep than what you think. With the update, the Heise.jpg file won't open in the terminal even when double-clicked .

Do a get info on the file, and you'll see a difference from before the update. The get info box shows "Kind: JPEG Image" instead of "Kind: Terminal Document". If you double-click it, Preview tries to open it and report a "corrupted file" error.

Sure the actual data inside the file can be a malicious script, but there is now no way to make it execute unless you manually remove the extension after downloading and force the terminal to open it.

If you do a get info after removing the extension, you see that it shows: "Kind: Unix Executable File".

So you say "Someone can still put a custom icon on these and make people click on it!" without doing get info. Wrong! Double click this Unix Executable and what happens? It opens in TextEdit!!

It means that also squashes the Leap.A trojan to pieces. Try to download Leap.A, double click on it and it opens in TextEdit, showing you the malicious terminal code!

Apple took these issues seriously and it shows.

From now on, with this update, there is no known way to make a trojan on OS X that doesn't have the .app extension, which is forced to appear even with "show extensions" off. And each of those .app will warn you the first time you run them. And Safari will warn you if it finds .app files or a compressed file it cannot check before completing the download.

Hmm... I just downloaded that example file. Safari does indeed warn that it might be an executable. However, double-clicking the file still launches the script in Terminal.... and I've installed the update!

[UPDATE] This is odd... Right-clicking the file and pointing to Open With shows Terminal at the top of the list, then the next is Preview, which is marked as (Default). However, it's clearly not using Preview as the default.... it's opening with Terminal.

I wonder if clearing my LaunchServices cache will help.

it just warns you that it could be unsafe, you can test out it here:

http://www.heise.de/security/dienste/browsercheck/demos/safari/Heise.jpg.zip

should give you a second warning somehow, people are used to clicking things regardless.


Paranoid Android is your friend:
http://www.unsanity.com/haxies/pa/

Hmm... I just downloaded that example file. Safari does indeed warn that it might be an executable. However, double-clicking the file still launches the script in Terminal.... and I've installed the update!

[UPDATE] This is odd... Right-clicking the file and pointing to Open With shows Terminal at the top of the list, then the next is Preview, which is marked as (Default). However, it's clearly not using Preview as the default.... it's opening with Terminal.

I wonder if clearing my LaunchServices cache will help.

Yeah, this is weird. I just downloaded the same file and I received no warnings when downloading the file (open safe files is turned off), when I unzipped it, nor when I double-clicked it and it ran in terminal. Am I missing something here? I've already done the reboot and repaired permissions...

Yeah, this is weird. I just downloaded the same file and I received no warnings when downloading the file (open safe files is turned off), when I unzipped it, nor when I double-clicked it and it ran in terminal. Am I missing something here? I've already done the reboot and repaired permissions...

you only get the warning if 'open safe files' is checked.

The only way to identify it otherwise is to get info. Not the most convenient.

Peronsally I would like to be told if I'm about to run something that could trash my home folder.

from http://www.unsanity.com/haxies/pa/ :


Paranoid Android can now notify you when a file is launched with a custom application (one other than the default one for the document's file type). This does not affect opening documents from within applications.
Updated to mitigate the recent Safari/LaunchServices exploit described in detail here.


This would pretty much cover it. Thx for the link manu chao

so -- i was eagerly anticipating this feature because it would theoritcally allow me to play music from itunes libraries that were open in other user accounts on my imac. While they appear as a shared library in itunes, front row doesn't see them! Seems like there are some really silly oversights in front row, including poor communication with itunes errors causing front row to hang... anyone else having this problem?

you only get the warning if 'open safe files' is checked.

The only way to identify it otherwise is to get info. Not the most convenient.

Peronsally I would like to be told if I'm about to run something that could trash my home folder.


Seems like the advice "disable the open 'safe files' option" became dangerous.

Thanks for the clarification, pawnstar. Hmmmmm - to open safe files or not to open, that seems to be the question...

They finally fixed a few basic problems. Bands starting with "a" and "the" are now longer placed in "a" and "t" but by the band name that follows. The scrolling is much faster when the button is held down. And the song title nows scrolls if it's too long. Pretty much like the ipod interface.

I wonder why Apple didn't update the included PHP to version 4.4.2. It's been out for a month and a half, and includes some minor security fixes.

Anyone having problems buying music with iTunes? Whenever I try to purchase a shopping cart, I get this error: Your shopping cart's contents have changed, either the prices of some items have changed, or items have been added or removed from another computer. Please review your shopping cart and click buy now.

Ok, so I click the refresh button that is on that dialog bos, and it says the music store is unavailable.

I have tried emptying my cart, exiting itunes, rebooting, nothing works!!! Please help or say if you are having the same problem after updating

Apple ROCKS!!! :D
Yay. Security update makes me happy. After yesterday. :o :p

Yay. Security update makes me happy. After yesterday. :o :p


man. you are way too sensitive :)

Ok forget about what I wrote earlier... The trojan will still execute if you double-click it. But it won't execute automatically anymore... So Apple doesn't rock that much :(

The reason why it didn't on my system is that I removed the terminal from the utility folder... Sorry for giving the wrong information :(

/me goes hiding in shame

Hmm I just did the updates and no longer have my external Lacie hard drive mounting....:mad:

Rebuilt permissions with no luck...:(

My USB drive didn't mount as usual, either, even after a 2nd re-boot.

Hopefully, it's nothing permanent but I'm a little concerned.

Ok forget about what I wrote earlier... The trojan will still execute if you double-click it. But it won't execute automatically anymore... So Apple doesn't rock that much :(

Any executable will run if you double-click it. Apple can't stop a user from running programs.

Sorted. No issues here.

Is it me, or is Safari snappier??!! ;) :D

What is snappier...can it really be measured...are there different levels of snap? When I hear or read the word "snappy", or "snappier" my body breaks into uncontrollable twitches.

I had problems with Front Row the first time I used it after this update because iTunes was asking me to accept something in the background and it just kept searching and not doin anything - as someone said before, it doesn't recognise when another application is holding things up. I had to force quit and then it wouldn't even start at all after that, and the volume buttons on my keyboard stopped working too.

I restarted though and now......better than ever! Front Row works way faster than before, really quick at opening folders and you can scroll through songs or artists at a much faster speed than before - very useful for those with big libraries.

I'm happy:)

Any executable will run if you double-click it. Apple can't stop a user from running programs.Apple could choose to if they wanted to.

For example, Mac OS X could prevent you from running an application if its filename contains an extension for another filetype, e.g., KeiraKnightley.jpg.app, or if the icon was one for another known filetype, e.g.,
http://www.apple.bg/bul/Docs/macosx/25/Preview+icon.jpg
But since .app is always shown, they apparently didn't think such measures were necessary.

I just downloaded the security update for my "iMactel" and for some reason "AudioScrobbler" won't work (to those of you who don't know, Audioscrobbler is an application for last.fm members)...

Do any of you that are last.fm members, do you experience the same problem after this security update?

It very well could be the data base to last.fm... I dunno if the security update could be a factor to my problem.

Wow, the new version of Front Row is operating amazingly smoothly on my mini right now.:eek:

The only trouble is the Movie Trailers feature still doesn't work.:(

apple needs to implement a new security practice for shell scripts similar to the way it works with Applications... If the script is running for the first time, warn the user... That would stop a lot of what we've seen.

Updated to the latest version of Front Row on my G5 without any problems... Seems to work nicely. Just watched diggnation with it.

I like how it will now black out the second monitor if you have a dual-monitor setup... now if only it would let you choose which monitor to run Front Row on...

Just downloaded, installed, rebooted and the PB seems to be chuggin' along just fine!

It has taken my iBook G4 more than 60 minutes to restart after the update, and I'm still waiting.... and yes I've tried powering off and on again. Can anyone please help?

Did the update. Took usual amount of time...but now it's all messed up. I thing I did before any problems were noticed was repair disk permisions. Then I tried to get on my wireless network. Airport icon shows a great signal and the network shows I'm connected but there is no IP address and of course I can't get on. Went into keychain and it won't let me make any changes, it just locks up on me. When I've gone up to select other wireless networks, it locks up on me. Beachball galore. Somebody help a brutha out...

edit: Oh and internet connect going all beachballs on me too.

After waiting for a very long time (over 40 minutes) for my iBook G4 to restart, it seems to be stuck with the following messages:

- The following StartupItems failed to properly start:
- /System/Library/StartupItems/PrintingServices
- - execution of Startup script failed

Can anyone please help?

It has taken my iBook G4 more than 60 minutes to restart after the update, and I'm still waiting.... and yes I've tried powering off and on again. Can anyone please help?

the only thing that comes to mind immediately is to boot off your OS install disc and run disk permissions and disk first aid.

Also if you can boot off another disk you can back up essential stuff as well

Alright, figure out how to MAKE it work. Went into Activity Monitor and found that "airport" was running. Not using any processor or nothing. I decided to quit the process and then everything is working again but does the same thing after I restart. Whiskey Tango Foxtrot? Any ideas?

the only thing that comes to mind immediately is to boot off your OS install disc and run disk permissions and disk first aid.

Also if you can boot off another disk you can back up essential stuff as well

Thanks a lot! You've solved my problem!

Ok forget about what I wrote earlier... The trojan will still execute if you double-click it. But it won't execute automatically anymore... So Apple doesn't rock that much :(


And Apple still didn't fix that: You erase EVERYTHING on your system when you type
`sudo rm -rf /`
in Terminal :eek:

There's no update that can think for you. Get over it.

Quick now: try to change a background piccie.

I can't -- anymore! :(

----

One hour later... Rebooted, and now everything is fine.

I had rebooted after installing the osX update, then installed iTunes after without rebooting, which then caused the "bug". (How odd!)

This has been the best updates for me so far, FrontRow's speed seems to have doubled :D

Security is great and just bug fixes here and there are always welcome, now get out 10.4.6 with the same speed increase...and Leopard :D

Updated to the latest version of Front Row on my G5 without any problems... Seems to work nicely. Just watched diggnation with it.

I like how it will now black out the second monitor if you have a dual-monitor setup... now if only it would let you choose which monitor to run Front Row on...

I like that blackout too, but they should give some sort of preference pane in System prefs, so we could tweak FrontRow to how we like it ;)

Wow, the new version of Front Row is operating amazingly smoothly on my mini right now.:eek:

The only trouble is the Movie Trailers feature still doesn't work.:(
Hi again Oblivious. you got it working?! it still won't let me install because i don't have the proper machine. did you find a new patch for it or did you fiddle yourself? please let me know as i would really really like to get the new version working, especially if it's working as well as you say! thanks again!

*EDIT* nevermind, i just saw your PM. I have an aircraft design project due today so i'll be busy until later but i'll give it a shot then. Thanks for the help! I'll let you know if it works so you can post for everyone else's benefit too. :)


PS: Do you guys think that, if no wireless network is available, that doing a computer-to-computer wireless connection would allow the shared music to show up in front row?

At least something positive was released this week!

PS: Do you guys think that, if no wireless network is available, that doing a computer-to-computer wireless connection would allow the shared music to show up in front row?

Bonjour in general doesn't care whether a connection is wireless or wired.
It's true at least for iTunes-to-iTunes sharing, which I can test.
Unfortunately I don't have Macs with Front Row:( so I can't test for it.

I'm a UK user and I'm having problems downloading the new updates. I got 10.4.5 just fine, but I'm wondering if something is wrong, considering my Podcasts havn't been able to update for a while either...

Anyone got any ideas? I've tried clearing the cache in Safari, but it's not worked...

PS. I would download the update staight from the Apple site, but I wouldn't know where to save it to...

EDIT: I've downloaded the update, but the restart time was very quick, making me wonder if it is installed properly, considering how long it has taken for others. And it still hadn't come up when I clicked on Software Update...

I'm a UK user and I'm having problems downloading the new updates. I got 10.4.5 just fine, but I'm wondering if something is wrong, considering my Podcasts havn't been able to update for a while either...

Anyone got any ideas? I've tried clearing the cache in Safari, but it's not worked...

PS. I would download the update staight from the Apple site, but I wouldn't know where to save it to...I suggest downloading it straight from Apple. When you download a disk image, it doesn't matter where you put it on your disk.

Just downloaded the updates - working fine. :)

The improvements to Front Row are great: it feels faster, scrolling song titles, little blue glow next to unplayed podcasts, etc...

I'm happy ;)

Mail seems to have broken after this update was installed. Immediately crashes upon opening or just sits with SBOD. Anyone else got these problems?
I'll try a reboot

Since installing these last updates on my iMac Safari's built in spell-checker doesn't appear to be working. Anybody else find this or is it just me/unrelated to the update?

upgraded, no problem.

Glad to see Apple has released the security update, it should reassure some users and hopefully keep the media quiet for a while.

Sorted. No issues here.

Is it me, or is Safari snappier??!! ;) :D

And I suppose you're also expecting a Powerbook G5 next Tuesday, too....

When I hear or read the word "snappy", or "snappier" my body breaks into uncontrollable twitches.

Same happens to me, that's what I get for reading Macrumors threads about updates too often. :D

everything was working great until I installed the secuirty update and ilife 06 update
now my final cut pro 4.5 (on panther) give me an error on opening and doesnt load

did all the steps to fix

(permissions, log on as diff user, re-intsall application, trash prefs)

called tech support they were impressed I did it all right and in the right order (not listed correct here)

his fix, erase os and reinstall everything...
thanks apple, I edit for a living...

I am going to install panther, FCP4.5 and DVD SP 3, A pac, motion and few other things and never ever upgrade again

Updated using software update from Apple menu, repaired permissions before, did sudo periodic jobs before, repaired permissions after.

All is good. Thanks, Apple - ThApple.

mine still opens up terminal and lists my directory. I get warned it looks bad, and Safari doesn't auto open it. But if I double click it, it runs.

Just need something so that if I'm launching an app, I know I'm launching an app; and if I'm launching something that opens terminal/actionscript/automator, I get told that too. Just in case I didn't know I was doing this. Once a file/app has been run, it's added to a 'safe' list or something, that way I don't get asked again.

^^^I just re-read some of your post - the bit about having to have the .app extension, that's good and addresses most of the problem.

It is a bit of a pain and it would be nice not to have dialogue boxes popping up, but how many times do you stick a new app on? If you know it's an app, it's one click to ok it - if you didn't know it was an app, then you're now safe.

I feel this update is a stopgap to the problem.

Does anyone know how to clear the supposed 'safe list' - I applied the security patch, rebooted, repaired permissions, checked 'Open safe files after download' and downloaded the www.heise.de example for a second time. I wasn't warned.

Can anyone confirm this behaviour?

If there is a 'safe list', what is used as a key to identify a piece of malware? I don't want to be tricked into downloading something nasty that my system thinks it has seen before which was harmless - e.g. the www.heise.de example.

I love updates! Always nice to know Apple keep on improving things.

front row is definitely running much better and smoother. I just noticed something that i hadn't seen before (it may be new, it may be not). When watching a movie, if i pause and exit the movie, the next time i go to watch it, front row asks me if i want to start from where i watched it last or start from the beginning , much like a dvd. Like i said, i hadn't noticed it before the update, but, then again, maybe i had never stopped watching a clip in the middle either. :p

Did the update. Took usual amount of time...but now it's all messed up. I thing I did before any problems were noticed was repair disk permisions. Then I tried to get on my wireless network. Airport icon shows a great signal and the network shows I'm connected but there is no IP address and of course I can't get on. Went into keychain and it won't let me make any changes, it just locks up on me. When I've gone up to select other wireless networks, it locks up on me. Beachball galore. Somebody help a brutha out...

edit: Oh and internet connect going all beachballs on me too.

Patrick,

I'm having the same problem, none of my network preferences will set up correctly anymore. Mac OS will not even detect that I have an ethernet cable plugged in, though if use ifconfig and route I can get a LITTLE bit of traffic to go out, so I know it's connected and working.

Any one have any ideas on this? Absolutely frustrating because I can longer work until this is fixed (sitting in an internet cafe trying to figure out what the problem is). I'm running 10.3.9 on a 1.2Ghz 12" Powerbook. I don't remember my Unix days well enough to try to manually set up routes and our DNS settings, nor do I know if the appropriate tools are in Mac OS, but the Apple network preferences are clearly busted.

P

All right,

I decided to follow peoples' suggestions for other problems and ran the Disk Utility to repair permissions. After finishing, I rebooted and everything seemed to come up fine.

So if you're having problems with your network after the upgrade, try repairing the file permissions.

P

Does anyone know how to clear the supposed 'safe list' - I applied the security patch, rebooted, repaired permissions, checked 'Open safe files after download' and downloaded the www.heise.de example for a second time. I wasn't warned.

Can anyone confirm this behaviour?

If there is a 'safe list', what is used as a key to identify a piece of malware? I don't want to be tricked into downloading something nasty that my system thinks it has seen before which was harmless - e.g. the www.heise.de example.

To answer my own question: no, there's no evidence of a 'safe list'. It looks as if I merely forgot to tick the 'Open safe files after download' box under Safari Preferences, even though I thought I had done so. With it ticked I get the warning every time, with it unticked I never get the warning. This is all exactly as I'd expect. As people have said, we're all responsible for what we run on our systems. As it's not possible to read the source of every program we run, choose carefully who one trusts.

All right,

I decided to follow peoples' suggestions for other problems and ran the Disk Utility to repair permissions. After finishing, I rebooted and everything seemed to come up fine.

So if you're having problems with your network after the upgrade, try repairing the file permissions.

P

I guess I spoke too soon. I am no longer able to connect to my Airport Express, either getting an IP address using Airport or connecting to the basestation via the Airport admin utilities.

The built-in ethernet connection is now also a little flakey, if I unplug and plug it back in, I have the same problem I had before, Mac OS doesn't detect even that the cable is plugged in. Rebooting allows the cable to be recognized again. I've got a thread open on the apple support forums (http://discussions.apple.com/thread.jspa?threadID=388153&tstart=0) about this problem, though no replies yet.

Patrick

i dunno.. i applied the update and itunes froze when browsing the music store.. also safari crashed with itunes in the background of that application at one point in time.. hrm....

To add to my list of funky woes, after updating with 2006-001, my Mac OS no longer seems to be detecting when the power cable is unplugged either. The power icon remains at 99% with the little plugged in icon, even after it's been off for hours.

I'm a little at a loss of what to do, it's very dissappointing that a security update would cause so many problems and lost productivity.

Patrick

i wish they'd add a detailed track info screen for viewing on an ipod... can it be done with a simple download update? sometimes i want to know what bitrate a song is ripped at from my ipod screen (slide it in between the 'rating' and 'artwork' screens or something) that'd be neat. please!Possibly a good idea but not in my opinion. Don't most people know what bitrate their songs are in before transfering them to their iPod?

Quick now: try to change a background piccie.

I can't -- anymore! :(

----

One hour later... Rebooted, and now everything is fine.

I had rebooted after installing the osX update, then installed iTunes after without rebooting, which then caused the "bug". (How odd!)Exactly the same problem I had. When I tried to change my Desktop Picture, the System became completely unresponsive to the keyboard or Mouse clicks and the System Preferences never opened. I hit the power button on the front of my Mac and it was fine after it Rebooted. That was on a G4 Digital Audio with 10.4.5 but on a B&W G3 with 10.4.5 and a G3 MT with 10.3.9 everything was fine.

everything was working great until I installed the secuirty update and ilife 06 update
now my final cut pro 4.5 (on panther) give me an error on opening and doesnt load

did all the steps to fix

(permissions, log on as diff user, re-intsall application, trash prefs)

called tech support they were impressed I did it all right and in the right order (not listed correct here)

his fix, erase os and reinstall everything...
thanks apple, I edit for a living...

I am going to install panther, FCP4.5 and DVD SP 3, A pac, motion and few other things and never ever upgrade again
Strange. I just installed the Security Update, repaired permissions afterwards, and all the Pro Apps, (FCP HD, Motion, DVDSP3, Adobe CS2 and Macromedia Apps run fine. Will your FCP HD just not open, or is there an error message?

Something in this update killed my computer dead. It's flatlined. I installed these, then shut the computer down. I came home, turned it on, used it for a while, then it went to sleep. It wouldn't wake up. So I had to hold the power button in...10 seconds...15 seconds...nope. So I unplugged the box. Now it's dead as a doornail.

PowerMac G5 2 x 2Ghz.
Anyone?

Its funny how you have to pay to get automatic Security updates on Windows XP. This is why Apple is always on top of things

Unfortunately, the update doesnt appear to have fixed THIS security hole:

http://forums.macrumors.com/showthread.php?t=186475

anyone installed this update yet?
http://docs.info.apple.com/article.html?artnum=303453