Now available in Software Update (as of 5-21-04), Apple released a security update (http://www.apple.com/pr/library/2004/may/21security.html) to address the recently exposed security hole (http://www.macrumors.com/pages/2004/05/20040517171110.shtml) that takes advantage of a theoretical vulnerability in the Help Viewer application that could have been exposed when browsing the web.
Security Update 2004-05-24 delivers a number of security enhancements and is recommended for all Macintosh users. This update includes the following components:

HelpViewer

The reason for the mismatch of dates is not known.

apple is da bomb...
no other company would get it out that fast!

reality

Fast update, and you don't have to restart. Nice fun for a Friday night. :)

I dunno I am going to wait to install it. Maybe it is paranoia, maybe it is a typo, but the mistaken date is annoying to me. Maybe Apple accidentally released this early?

Ok fine, i just don't want to break my uptime. :D

Edit: Well, no restarted needed......but I'll still wait. :confused:

well I installed it. If my computer blows up I'll let you all know. :)

installed, repaired permissions, restarted, no worries on a TiBook running 10.3.3

i don't know if i like all these security updates, just reminds of microsoft if you ask me :(

As this article (http://daringfireball.net/2004/05/unsafe_uri_handlers) there's still an exploit involving the telnet protocol.

Hopefully Apple will get its act together because of this scare.

Installed without any issues, but I am not sure it is a 100% fix for the problem. Prior to installing the patch if I loaded http://bronosky.com/pub/AppleScript.htm Help.app would start followed by Terminal and would run the 'du' command, which freaked me out when it first happened. After the patch, Help.app still opens, but nothing else happens.

Apple still needs to do some work to tighten up security.

Fast update, and you don't have to restart. Nice fun for a Friday night. :)

Ah, but was it fast, or just fast between public disclosure and the fix? If you believe the author, he told them about it several months ago, so it could be pretty slow.

I dunno about the theoretical part either - there are demonstration exploits for it.

I think since this patch was released after hours, they just marked it as the 24th, which is the next business day.


I dunno I am going to wait to install it. Maybe it is paranoia, maybe it is a type, but the mistaken date is annoying to me. Maybe Apple accidentally released this early?

Ok fine, i just don't want to break my uptime. :D

Edit: Well, no restarted needed......but I'll still wait. :confused:

What takes M$ 3 or 4 months/years, takes Apple less then a week. :) . I will have to install it when i get home from the long weekend.

hopefully 10.3.4 fully fixes this issue. glad to see apple has fixed the problem (fairly quickly) for the most part.

apple is da bomb...
no other company would get it out that fast!

reality

MS ususally has patches for new security holes just as fast.

thank you apple

i don't know if i like all these security updates, just reminds of microsoft if you ask me :(

I have seen this comment repeated every time apple puts out a security update and I have no CLUE how the hand-full of security updates put out by apple compares to the dozens & dozens put out by microsoft?

The math just doesn't add up :confused:

i'm so glad I didn't need to reboot

Yeah, over 2 months is really fast :rolleyes:


Apple's statement claims the company has an "excellent track record of identifying and rapidly correcting potential vulnerabilities," but the German Web designer who discovered the hole says he warned Apple in February and was ignored.

LixelPixel, a Web designer who lives near Munich but asked not to be identified, said he warned Apple of the vulnerability through its Bug Reporter system.

LixelPixel said his server logs show an Apple representative visited his website shortly after. But after waiting 10 weeks for word or action from Apple, he posted a public warning advising users on how to close the hole. The warning prompted Secunia to release its security advisory.

LixelPixel said the decision to go public cost him several sleepless nights, but he felt obliged to warn the Mac community before crackers discovered the vulnerability.

I have seen this comment repeated every time apple puts out a security update and I have no CLUE how the hand-full of security updates put out by apple compares to the dozens & dozens put out by microsoft?
How big are your hands? (http://forums.macrumors.com/showpost.php?p=846607&postcount=50)

Security updates normally appear on a Monday. The 24th is a Monday. They just released it prematurely, that's all. Everything fine here.

How big are your hands? (http://forums.macrumors.com/showpost.php?p=846607&postcount=50)

Here's Microsoft's (http://www.techspot.com/tweaks/updates/#WindowsXP)

Though remember, Service Packs are a collection of security updates.

Installed without any issues, but I am not sure it is a 100% fix for the problem. Prior to installing the patch if I loaded http://bronosky.com/pub/AppleScript.htm Help.app would start followed by Terminal and would run the 'du' command, which freaked me out when it first happened. After the patch, Help.app still opens, but nothing else happens.

Actually something more happens: a line is written by HelpViewer to console.log containing "Help Viewer[17960] help://runscript called by another application!".

A nice fix for the help:runscript vulnerability. And the telnet: vulnerability may be fixed in 10.3.4, according to some.

But y'all still need the Paranoid Android to surf safely (or just ignore the risk as I do ;) ) until Apple fixes a newly discovered vulnerability: Unsanity whitepaper (http://www.unsanity.com/haxies/pa/whitepaper).

On my beige box G3 running 10.2.8, my security update type reads like this:
Security Update 2004-05-24 delivers a number of security enhancements and is recommended for all Macintosh users. This update includes the following components:

HelpViewer
Terminal


Interesting - probably a fix for something in 10.2.x since it didn't show in 10.3.3

Here's Microsoft's (http://www.techspot.com/tweaks/updates/#WindowsXP)

Though remember, Service Packs are a collection of security updates.

Actually, Service Packs contain security updates as well as other updates.


Game stops responding/quits unexpectedly when Introductory video is played - Home Edition only- Added 23/11/2002.

Problems with InterVideo DVD software - Added 9/12/2002.

Preview is unavailable in Fax Console - Added 9/12/2002.

Nice try though.

On my beige box G3 running 10.2.8, my security update type reads like this:
[..]
Interesting - probably a fix for something in 10.2.x since it didn't show in 10.3.3

Or maybe Apple thinks we on Panther can wait for 10.3.4 - and we sure can. The telnet: exploit is not very likely to be exploited; what fun is it to just be able to delete a random (named) file from another computer ?

i'm trying to decide how i feel about this. it seems that most windows updates come while some sort of imminent danger is presently being passed around. so far this has been the only mac update that fixes something that i knew about. usually it's, oh there was a security problem? on top of that there was no imminent danger, just the possibility of one. yeah i think apple's pretty good about it.

Phew, I'm just glad the insanity surrounding that single vulnerability is over. ;)

I like how they called it a theoretical threat when it was clearly a threat that could have been exploited. In fact, I'm very surprised that nobody created something harmful. I mean, the hole was all over the net, and since someone actually created a pseudo-"virus" that could have theoretically harmed your computer if the creator wanted to, nobody bothered to do it. I guess us Mac users aren't self destructive enough to harm each other's computers. :cool:

How big are your hands? (http://forums.macrumors.com/showpost.php?p=846607&postcount=50)

That was an impressive list, but 1 vulnerability doesn't equal 1 security update does it?

Here is my software update log (well I remove the software updates and only left the security updates):

...
2004-04-17 18:57:07 -0400: Installed "Mac OS X Update Combined" (10.3.3)
....
2004-04-17 19:12:04 -0400: Installed "Security Update 2004-04-05" (1.0)
...
2004-05-04 01:25:45 -0400: Installed "Security Update 2004-05-03" (1.0)
2004-05-21 20:21:17 -0400: Installed "Security Update 2004-05-24" (1.0)

The last time I built an XP box (about 2 months ago) There were over 30 fixes I had to download. However I am sure that the 10.3.3 contains multiple updates, but it is only 1 file. I wouldn't mind the Microsoft patches so much if they were combined. Nothing I hate more when doing a new install then downloading and installing all of the fixes from microsoft only to reboot and find 10+ more that I need to install.

On my beige box G3 running 10.2.8, my security update type reads like this:


Interesting - probably a fix for something in 10.2.x since it didn't show in 10.3.3
Yes, there are separate updates for 10.2 (http://www.apple.com/support/downloads/securityupdate_2004-05-24_(10_2_8).html) and 10.3 (http://www.apple.com/support/downloads/securityupdate__2004-05-24_(10_3_3).html), and Terminal has a fix in the 10.2 version.

Oddly, this post claimed that the demonstration of the vulnerability didn't work under 10.2. I wonder if that's true and why.

Learn it well:

1. Windows has continual and major problems.

2. But no OS is ever perfect.

3. Mac OS is not perfect

4. Therefore Windows is just as good as Mac OS.

5. Therefore Windows is better than Mac OS.

QED.

Been seeing that "logic" around a LOT lately. Watch for it :)

I'm new to mac and I just downloaded the security update on my 5 day old powerbook. Whats the problem that this fixed that I just downloaded? :confused:

:)
OK this has been 2 months since someone has reported the vulnerability and less than a week since it has become an issue in the press. Apple has applied a fix to the vulnerability and it works (I tested it). Thanks for the update. In the future, would our dear friends at Apple please get to the next one before the press manufactures a crisis and make items like these a non-issue.

Joe Daddy
CISSP

I'm new to mac and I just downloaded the security update on my 5 day old powerbook. Whats the problem that this fixed that I just downloaded? :confused:

Zach,

This fixed a vulnerability that could have enabled someone to execute malicous code. It is a fix worth applying. To date only proof of concept code has been produced by concerned Applites. You are safe for the moment so enjoy your new Mac. ;)

hooray for no restart and for it being small, I mean I'm on dial up and it's less than a gig. That rules. Kudos apple.

Since help files are mostly html based, why is it an issue that the system allows a help: URI to open help viewer? It is used in various applications to link from documentation, tutorials, and such to open the help viewer. If it can't be used to do something malicious, than it isn't a security problem.

Installed without any issues, but I am not sure it is a 100% fix for the problem. Prior to installing the patch if I loaded http://bronosky.com/pub/AppleScript.htm Help.app would start followed by Terminal and would run the 'du' command, which freaked me out when it first happened. After the patch, Help.app still opens, but nothing else happens.

Apple still needs to do some work to tighten up security.

The problem comes from links that say help:runscript. These links can run any script on your system. Among those scripts is one (of hundreds) that can run any application on your system. When used in combination with one of several other possible things, visiting a web page can result in the automatic execution of a malicious application.

This fix seems to prevent any application except Help Viewer from using help:runscript links.

Since help files are mostly html based, why is it an issue that the system allows a help: URI to open help viewer? It is used in various applications to link from documentation, tutorials, and such to open the help viewer. If it can't be used to do something malicious, than it isn't a security problem.

...To date only proof of concept code has been produced by concerned Applites......that we know of
:eek:

:o

Now if this was Microsoft you would have half the world NOT patch their systems and a virus would come out in 2 weeks decimating the unpatched systems and Microsoft would still get blamed for..er...for...oh ya releasing a...er....patch. Nevermind its Apple so it doesn't apply. Where was I....Oh ya...Apple rocks! ;) :)

One thing can be said to Apple's credit. They release patches DAMN fast. But they also don't have nearly as many configurations to deal with so I guess its a tossup in the end. Results are the only thing that counts...details...*shrugs* whatever.

The last time I built an XP box (about 2 months ago) There were over 30 fixes I had to download. However I am sure that the 10.3.3 contains multiple updates, but it is only 1 file. I wouldn't mind the Microsoft patches so much if they were combined. Nothing I hate more when doing a new install then downloading and installing all of the fixes from microsoft only to reboot and find 10+ more that I need to install.


They are...its called SP1...did you install that before applying the other patches. It takes the 34 or so odd patches and drops it to aprox 17 that need to be installed post SP1. Still a crapload but manageable.

yay no need to restart!!!

...

One thing can be said to Apple's credit. They release patches DAMN fast. But they also don't have nearly as many configurations to deal with so I guess its a tossup in the end. Results are the only thing that counts...details...*shrugs* whatever.

It's a good thing so many pieces of Mac OS X are open source projects. Many times, it seems that the versions available for Linux have been finished for a couple of weeks before we see them for Mac OS X. I would be willing to believe that Apple does extra testing prior to releasing the patches, but maybe I'm just hoping that happens.

Not to minimize the seriousness of this and the potential for trouble with this hole but does anyone know of any instances where this exploit has actually caused anyone loss of data or other trouble? (not counting the loss of time (productivity?) spent talking discussing it)

Not to minimize the seriousness of this and the potential for trouble with this hole but does anyone know of any instances where this exploit has actually caused anyone loss of data or other trouble? (not counting the loss of time (productivity?) spent talking discussing it)

LOL. Yeah, it seems the majority of actual damage these exploits cause it the reputation damage of the Mac platform. I have yet to hear of any damage from this or the proof of concept Intego was crowing about originally.

Now the fake Microsoft Office 2004 home directory eraser, that WAS a trojin that caused damage. But the guy was surfing for warez so it was his risk to take. I don't believe for one second he thought he was downloadng a "beta" of Office. Pleeze. The final product was being recieved by Macrumors members before he got it.

Hey all,

I fixed my computer to open help: addresses using the Chess application (cause it can't run Applescripts) using that program you all recommended. Now that the patch is here, what's the location of the help viewer so I can change it back to normal- or is there a better way to undo my fix?

-Matt

Yeah, over 2 months is really fast :rolleyes:

Microsoft has had patches outstanding for 6+ months quite frequently.


Unfortunately, I can't seem to find the article to back that up, so take it or leave it. Being a computer science major, I can assure you that often de-bugging takes far longer than actually writing the code. Even more so when you are dealing with something as sensitive and critical as an operating system.

Unfortunately this doesn't seem to fix another vulnerability...

From http://forums.macnn.com/showthread.php?threadid=213043&perpage=50&pagenumber=7
Macnn Forums

link to the disk image: http://ozwix.dk/OpnAppFixer/Test.dmg - when mounted just type in "test:" in your browser. Note I'd recommend opening the script in script editor to verify its contents first...


"on idle
display dialog "You are not secure. This script could have erased all your files." buttons "OK" default button 1 with icon stop
quit
return 1
end idle"


Although less serious in some ways (if you have the disk protocol disabled you'd have to deliberately mount the disk image), this is still not a very nice hole to have in the browser, as an app can be launched from an url, rather than because of a user choice...

Also, try typing telnet://-nFoo in your browser - I tried this after the update and it still works : ) You will end up with a file called 'Foo' in your home directory. Oops. This one from
http://daringfireball.net/2004/05/telnet_protocol

hooray for no restart and for it being small, I mean I'm on dial up and it's less than a gig. That rules. Kudos apple.

I think it's even less than a meg! :p

Not to minimize the seriousness of this and the potential for trouble with this hole but does anyone know of any instances where this exploit has actually caused anyone loss of data or other trouble? (not counting the loss of time (productivity?) spent talking discussing it)
Maybe it is a coincidence but after trying out the assorted exploit examples posted with Mis Fox solution installed, I have just experienced my first ever screw up on OSX in 18 months. After logging in and out of accounts a couple of times, out the blue with all seemingly fine, I have lost all start up items except 2, all address book entries, most but not all iCal entries, all Safari preferences, all keyboard preferences, registered versions of synergy, iAddressX were wiped, a random folder of aliases was wiped... 15 days uptime has ended in tears! Thank god for back up / just cloning a week old Panther back up across.

Oh yeah, and software update is up the creek too, asking me to make sure I am connected to the internet.

Learn it well:

1. Windows has continual and major problems.

2. But no OS is ever perfect.

3. Mac OS is not perfect

4. Therefore Windows is just as good as Mac OS.

5. Therefore Windows is better than Mac OS.

QED.

Been seeing that "logic" around a LOT lately. Watch for it :)

I don't see the logical leap between lines three and four....

Being a computer science major, I can assure you that often de-bugging takes far longer than actually writing the code. Even more so when you are dealing with something as sensitive and critical as an operating system.

...or as bloated as a microsoft software ;) seriously, you're right. and even more work than debugging is the optimizing of the software, a task apple has done wonderfully (in my opinion) in comparison to microsoft who seems to just forget the code it writes. they address bugs when they find them and have the time to fix it, but they never seem to optimize their code - every new version they release require far more power from the hardware than the new features alone would ask for, and (while the osx is still very new, but the point stands) in comparison apple has so far managed to make every major osx release run faster than any previous release, and that's something.

yep. computer science major here also, in tampere university of technology. working as a dba and unix administrator to support my family and therefore maybe never a graduated M.Sc, but who knows.... (i could take out B.Sc papers any time, and if our school knows what it says, it should compare to american M.Sc papers quite equally. believe or not, i don't care.)

Good job Apple! It's good to know they really care about security and do their best to fix holes as soon as possible. Now bring on 10.3.4! :)

1. Windows has continual and major problems.

2. But no OS is ever perfect.

3. Mac OS is not perfect

4. Therefore Windows is just as good as Mac OS.

5. Therefore Windows is better than Mac OS.



I don't see the logical leap between lines three and four....

From a subjectivity and from a literal sense, I understand nagromme's move from three to four. It's four to five that's got me reaching for another coffee.

Incidentally, patch uploaded and everything is fine.

like we would have even needed this update... well, best to be sure.

Hey all,

I fixed my computer to open help: addresses using the Chess application (cause it can't run Applescripts) using that program you all recommended. Now that the patch is here, what's the location of the help viewer so I can change it back to normal- or is there a better way to undo my fix?

-Matt

HD:System:Libary:CoreServices:Help Viewer.app

:)

Learn it well:

1. Windows has continual and major problems.

2. But no OS is ever perfect.

3. Mac OS is not perfect

4. Therefore Windows is just as good as Mac OS.

5. Therefore Windows is better than Mac OS.

QED.

Been seeing that "logic" around a LOT lately. Watch for it :)

I don't see the logical leap between lines three and four....

As I say, I see that "logic" around--it's not my own, and it's not logic!

3 to 4 is illogical. Two flawed products (like all OSes) are not automatically "just as good" as each other. One might just happen to be better!

4 to 5 is worse yet.

Yet watch for people to look at the news of non-stop Windows flaws, many exploited as real viruses, and at the news of occasional quickly-patched OS X flaws... and then conclude that Windows is better.

(Obviously the only logic is that they had already made up their minds that most-popular must mean best.)

Unfortunately this doesn't seem to fix another vulnerability...

From http://forums.macnn.com/showthread.php?threadid=213043&perpage=50&pagenumber=7
Macnn Forums

link to the disk image: http://ozwix.dk/OpnAppFixer/Test.dmg - when mounted just type in "test:" in your browser. Note I'd recommend opening the script in script editor to verify its contents first...


"on idle
display dialog "You are not secure. This script could have erased all your files." buttons "OK" default button 1 with icon stop
quit
return 1
end idle"


Although less serious in some ways (if you have the disk protocol disabled you'd have to deliberately mount the disk image), this is still not a very nice hole to have in the browser, as an app can be launched from an url, rather than because of a user choice...

Also, try typing telnet://-nFoo in your browser - I tried this after the update and it still works : ) You will end up with a file called 'Foo' in your home directory. Oops. This one from
http://daringfireball.net/2004/05/telnet_protocol

Well the first problem I guess is better now then before

I tried one of those tests and it mounted automatically and ran (even if I said in Safari "don't open files")

Now I do it and it mounts, but nothing is run, I need to click on the file to launch it, so it is better now, but i guess might need improvements in the future

As for your Telnet Demo well that might need looking into :(

Now I do it and it mounts, but nothing is run, I need to click on the file to launch it

Did you try my example exploit page (http://ozwix.dk/OpnAppFixer/testit.html) ??

apple is da bomb...
no other company would get it out that fast!


Seeing as it was reported to them in FEBRUARY lets hope that "no other company would get it out that fast".

Yeah, but they still fill half of your Add/Remove programmes list thingy with all the hotfixes. Plus sometimes when I installed a hotfix it would randomly stop some feature of the computer working, and that roll-back thingy in Windows (I've forgotten what it's called) wouldn't even work and I had to re-install Windows.
.

Sunday, November 23, 2003 22:57:32 Europe/London: Installed "QuickTime" (6.4)
Sunday, November 23, 2003 22:57:46 Europe/London: Installed "iTunes" (4.1)
Sunday, November 23, 2003 22:58:02 Europe/London: Installed "Java" (1.4.1)
Sunday, November 23, 2003 22:58:22 Europe/London: Installed "iCal" (1.5.1)
Sunday, November 23, 2003 23:03:15 Europe/London: Installed "Mac OS X Update" (10.2.8)
Sunday, November 23, 2003 23:09:58 Europe/London: Installed "Bluetooth Software" (1.3.3)
Sunday, November 23, 2003 23:10:00 Europe/London: Installed "QuickTime for Java Update" (v2.0)
Sunday, November 23, 2003 23:10:27 Europe/London: Installed "iSync" (1.3)
Sunday, November 23, 2003 23:13:43 Europe/London: Installed "Security Update 2003-11-19" (1.0)
2003-11-29 12:43:08 +0000: Installed "AirPort Software" (3.2)
2003-11-29 12:43:52 +0000: Installed "Bluetooth Software" (1.4.1)
2003-11-29 12:45:14 +0000: Installed "Mac OS X Update" (10.3.1)
2003-12-06 18:52:38 +0000: Installed "Security Update 2003-11-19" (1.0)
2003-12-06 18:52:43 +0000: Installed "Security Update 2003-12-05" (1.0)
2003-12-18 08:26:11 +0000: Installed "Apple Remote Desktop Client" (1.2.4)
2003-12-18 08:26:15 +0000: Installed "Battery Update" (1.1)
2003-12-18 08:27:57 +0000: Installed "Mac OS X Update" (10.3.2)
2003-12-20 17:17:16 +0000: Installed "iTunes" (4.2)
2003-12-20 17:18:47 +0000: Installed "QuickTime" (6.5)
2003-12-20 17:18:57 +0000: Installed "QuickTime MPEG-2" (6.4)
2003-12-20 17:19:07 +0000: Installed "Security Update 2003-12-19" (1.0)
2003-12-20 18:00:11 +0000: Installed "Xcode Update" (1.1)
2004-01-19 23:47:18 +0000: Installed "iCal" (1.5.2)
2004-01-27 02:31:29 +0000: Installed "AirPort Software" (3.3)
2004-01-27 02:31:42 +0000: Installed "Security Update 2004-01-26" (1.0)
2004-02-03 07:32:02 +0000: Installed "Java 1.4.2" (1.4.2)
2004-02-03 07:32:21 +0000: Installed "Safari" (1.2)
2004-02-05 20:34:08 +0000: Installed "Bluetooth Software" (1.5)
2004-02-17 20:07:02 +0000: Installed "iSync" (1.4)
2004-02-23 23:19:17 +0000: Installed "Security Update 2004-02-23" (1.0)
2004-02-27 16:38:23 +0000: Installed "iSight Update" (1.0.2)
2004-03-08 19:39:34 +0000: Installed "AirPort Software" (3.3.1)
2004-03-13 00:04:07 +0000: Installed "iPod Software" (1.3.1)
2004-03-16 19:07:24 +0000: Installed "Mac OS X Update" (10.3.3)
2004-03-24 07:47:12 +0000: Installed "iChat Update" (2.1)
2004-03-27 17:20:04 +0000: Installed "iPod Software" (2.1)
2004-04-06 07:18:49 +0100: Installed "Security Update 2004-04-05" (1.0)
2004-04-10 12:18:43 +0100: Installed "Apple Remote Desktop Admin" (1.2)
2004-04-25 11:23:13 +0100: Installed "AirPort Software" (3.4)
2004-04-25 11:24:29 +0100: Installed "Apple Bluetooth Module Firmware Update" (1.1)
2004-05-01 20:04:53 +0100: Installed "iPod Update 2004-04-28" (3.0)
2004-05-04 00:14:31 +0100: Installed "QuickTime" (6.5.1)
2004-05-04 00:16:02 +0100: Installed "AirPort Software" (3.4.1)
2004-05-04 00:16:15 +0100: Installed "Security Update 2004-05-03" (1.0)

Ah, finally. It fixed my HelpViewer link-bug in Safari! 'bout damn time :)

As long as it is in their best financial interest to do security fixes, they will. Microsoft also frequently makes available patches for KNOWN security issues in very short times after PUBLIC announcement.

If it isn't well known by being put up on some often viewed news site, and then focused attention on even more by getting placed on a mac rumor page, then they will be in no hurry to do anything about it. Remember, this is business. Don't ever think Apple is in this game for the consumer half as much as Apple is in it for Apple.

Apple could easily be likened to Microsoft in the OS realm now.

Not sure if it was this update that did it but only updated this and web objects.

Basically on Sharing in the system preferences i have personal web sharing ticked but it is greyed out and can't click start, so apache wont now work. And finder no longer works! if i click on a flder it just stays blank with the spinning thing in the corner. If i click back then forward straight after the contents show. Any folder i have been to then shows straight away. Any ideas how to fix this. I need apavhe working and this finder thing makes it near unuseable

BTW...yup i've repaired permissions

...One thing can be said to Apple's credit. They release patches DAMN fast. But they also don't have nearly as many configurations to deal with so I guess its a tossup in the end...
I'm not sure what you meant by "many configurations", I'm asuming you are talking about the myriad of hardware platform configurations. AFAIK, the nature of the security exloits we are talking about are completely platform inspecific. They are in the application code and supporting libraries which are all written to the OS API's, not the hardware drivers. (There have been DirectX security exploits, but I'm pretty sure they were in higher level code than anything that would be platform specific.)

Am I wrong?

I'm not sure what you meant by "many configurations", I'm asuming you are talking about the myriad of hardware platform configurations. AFAIK, the nature of the security exloits we are talking about are completely platform inspecific. They are in the application code and supporting libraries which are all written to the OS API's, not the hardware drivers. (There have been DirectX security exploits, but I'm pretty sure they were in higher level code than anything that would be platform specific.)

Am I wrong?

Even if the code had to be tested on 20 times the computer hardware set-ups as Apple's code, Microsoft is a bigger company and so they should be spending more money on de-bugging patches. To say "Give MS a break, they have more work to do." is total and complete ************.

Did you try my example exploit page (http://ozwix.dk/OpnAppFixer/testit.html) ??

The first link did not mount anything. Safari seemed to "think" about it, but it never did anything. Links two and three downloaded and mounted disk images, but the script inside did not automatically run.

The first link did not mount anything. Safari seemed to "think" about it, but it never did anything. Links two and three downloaded and mounted disk images, but the script inside did not automatically run.

No, of course it didn't. That's what step 3 does. A real exploit would use a simple trick to first do step 1 then step 3. I'm just a nice guy who don't want to scare you :)

i don't know if i like all these security updates, just reminds of microsoft if you ask me :(

Be Real. You're going to have security updates. If you are lucky, they will be far in advance of the bad guys. :rolleyes:

Be Real. You're going to have security updates. If you are lucky, they will be far in advance of the bad guys. :rolleyes:

I agree, thank you Apple! :)

Looks like the Help Viewer exploit was just the tip of the iceberg. (http://apple.slashdot.org/article.pl?sid=04/05/22/1441233&mode=thread&tid=126&tid=172&tid=179&tid=185&tid=190)

Turns out that ANY new application including those contained within disk images (which STILL automatically mount with no user action) AUTOMATICALLY gets ANY custom protocol handlers installed on your system!

This makes the Help Viewer problem, as serious as it was, seem insignificant!

I dunno I am going to wait to install it. Maybe it is paranoia, maybe it is a typo, but the mistaken date is annoying to me. Maybe Apple accidentally released this early?

Ok fine, i just don't want to break my uptime. :D

Edit: Well, no restarted needed......but I'll still wait. :confused:

wait for what? And who is actually impressed by uptime? It's what you DO in the uptime that's cool/important/impressive/useful. Surely.

I love Apple as much as the next person here, but let's be honest. We're slamming Windoze, but if we had as many users and if our OS was as popular as XP then we'd be experiencing the same problems. We're lucky that we're only 3-5% of the population of computer users, nobody really cares about us. If we were 40% then I could see us having more attacks and security updates.

I love Apple as much as the next person here, but let's be honest. We're slamming Windoze, but if we had as many users and if our OS was as popular as XP then we'd be experiencing the same problems. We're lucky that we're only 3-5% of the population of computer users, nobody really cares about us. If we were 40% then I could see us having more attacks and security updates.

Exactly. This is why MacOS seems more secure; there are less people looking for holes.

I love Apple as much as the next person here, but let's be honest. We're slamming Windoze, but if we had as many users and if our OS was as popular as XP then we'd be experiencing the same problems. We're lucky that we're only 3-5% of the population of computer users, nobody really cares about us. If we were 40% then I could see us having more attacks and security updates.

I understand you view, I too think about this, It can happen, I guess it will happen

But then some people might bring in the fact the Apache with an Open source system is running all these web servers etc

M$ IIS servers are more vulnerable etc and they have less market share

I'm not rejecting your comment, but even if Mac OS X was popular wouldn't we avoid all the silly security flaws like the ones in Windows?

I mean the serious silly flaws, (would we call these flaws in OS X silly?)

I guess no OS is perfect, that wouldn't be fun at all, as for Windows it would give a new meaning to the word "Fun" :D

It looks as if KDE had a similar URI handler issue.

http://www.securityfocus.com/bid/10358/discussion/

i don't know if i like all these security updates, just reminds of microsoft if you ask me :(

yeah, lets be UN-MSFT and not update the os.

i think your tin-foil hat is on too tight

I love Apple as much as the next person here, but let's be honest. We're slamming Windoze, but if we had as many users and if our OS was as popular as XP then we'd be experiencing the same problems. We're lucky that we're only 3-5% of the population of computer users, nobody really cares about us. If we were 40% then I could see us having more attacks and security updates.

I don't love Apple as much as the next person here; however, I don't believe that it would be a similar situation. Apple is not the only contributor to the operating system where Microsoft is. There are many things that are fixed prior to Apple applying the fixes to Mac OS X.

There would be more attacks, but fewer holes, and the fixes wouldn't likely cause other holes.

No operating system is going to be full-proof. At least concerned mac users are trying to let those in the know be notified, just up to Apple to listen and respond swiftly.

I wish we could just ignore Microsoft and stop comparing Apples to Oranges, it would save all this debate that we hear time and time again.

I love Apple as much as the next person here, but let's be honest. We're slamming Windoze, but if we had as many users and if our OS was as popular as XP then we'd be experiencing the same problems. We're lucky that we're only 3-5% of the population of computer users, nobody really cares about us. If we were 40% then I could see us having more attacks and security updates.
Exactly. This is why MacOS seems more secure; there are less people looking for holes.

Yes, but this is only *half* of the arguement. Yes, we would have more attacks and exploits if Apple had M$'s market share, but it would not be as bad as Windows. UNIX, and therefore Mac OS X, is more secure than Windows can ever be, or even dream about.

Yes, but this is only *half* of the arguement. Yes, we would have more attacks and exploits if Apple had M$'s market share, but it would not be as bad as Windows. UNIX, and therefore Mac OS X, is more secure than Windows can ever be, or even dream about.
The BSD core of OSX is very secure - it's the Apple bits that sit on top that are the problem. They have obviously gone down the "convenience" route for their users, at the expense of secuirity. Applications automatically getting custom protocol handlers installed in your system simply by clicking a web link? What WERE they thinking?

Mozilla shows the same vulnerability. Why is the press focusing on Safari and IE? I would also venture to speculate that Netscape and Opera are (were) affected as well......

Mozilla shows the same vulnerability. Why is the press focusing on Safari and IE? I would also venture to speculate that Netscape and Opera are (were) affected as well......

That associating protocols with applications is a system-wide setting all browsers (heck even all programs) can use might simply be too complex for them to understand.
After all it might be hard to explain that in a 5 second soundbite and still use enough buzzwords.

That associating protocols with applications is a system-wide setting all browsers (heck even all programs) can use might simply be too complex for them to understand.
After all it might be hard to explain that in a 5 second soundbite and still use enough buzzwords.

The point I'm trying to make is that Mozilla (or Netscape, or Opera, etc) users might feel an unwarranted sense of security. If the press is going to cover it, state that it's a browser-independent Mac OSX vulnerability, which it is, rather than a just browser vulnerability.

I think the reason they stated IE was its Micro$oft tie-in and Safari 'cuz it's arguably the most popular.

Mozilla shows the same vulnerability. Why is the press focusing on Safari and IE? I would also venture to speculate that Netscape and Opera are (were) affected as well......

The reason is that Safari and Internet Exploder will proceed to open files after downloading them, unless the option is de-selected. The others will not do that by default or at all.

So many people seem to assert that the ONLY aspect of security is "how big a target" your OS is. If that's NOT the ONLY factor, then you can't say "Macs would have just as many security problems if more people used them."

Isn't it obvious that there ARE other aspects of security? Like design?

How likely your chosen OS is to be successfully and seriously attacked is the result of two main factors as I see it:

FLAWS
How many holes it has, how easy it is to break into, and how easy or hard it is to patch the problems quickly and without excessive cost or breaking other things. This is the biggest factor, and Microsoft clearly is the worst in this category. OS X, and UNIXes as a group, are far better.

BEING A TARGET
Oddly, security discussions/articles often not only gloss over the flaw factors, they focus on only a SINGLE target factor: Apple's smaller market share. It's true, that does make OS X a less tempting target. Undeniably. But other factors make OS X MORE tempting to hackers.

Factors that make OS X less tempting to attack:

* Fewer Macs than Windows PCs in the world
* Much more difficult to undertake
* Many people hate MS--for their monopoly crimes, and for being forced to use their often-inferior products

Factors the make OS X MORE tempting:

* Many people have a lot of jealousy/spite towards the Mac platform
* The challenge of it and prestige of succeeding
* Macs are worth the most points in cracking contests
* Cracking OS X involves some of the same skills as other UNIXes, which as a group ARE used for many high-profile targets (OS X is partly based on BSD for instance)
* Macs are themselves used for some high-profile targets--and increasingly so. Such as: educational and research institutions, biotech companies, large media/creative companies, Apple themselves, the US Army web site... and VA Tech's third most powerful supercomputer in the world.
* Mac OS X is gaining increasing and very positive attention in IT press--it's no longer off the IT radar

Given all of that, I'd say the motivation to make the first Mac OS X virus is pretty high. Not as high as for Microsoft--but not EVERY criminal programmer on the planet is going to limit themselves to just one platform. Nobody's succeeded yet in making an OS X virus or worm, but I highly doubt that NOBODY is trying. And they have had YEARS to do so.

And they'll succeed some day, maybe soon. There WILL be a first. But there will never be the constant security/privacy risks on the level that Windows users most accept. Not even if Macs catch up to Windows in user base... which won't be happening any time soon :)

So, assuming popularity vs. security is not the ONLY factor in security... is Mac actually designed better? And if so, how and why?

The short answer is that Macs are more secure because they are based on UNIX (BSD specifically), which has many flavors but none of them are as full of holes as Windows. The well-documented bad design decisions made in Windows, the complexity of hardware Windows has to deal with, and the bloat caused by legacy compatibility issues, will challenge Microsoft for the foreseeable future. Also, OS X is based on the open source Darwin variant of BSD--which makes security fixes developed by others easily applicable by Apple.

That's a quick answer, but oversimplified. I'm really not the one to do the subject justice. So here are some links to explore if you want to learn more--technical details of Windows' problems, strengths that OS X inherits from UNIX, etc.:

http://www.washingtonpost.com/ac2/wp-dyn?pagename=article&node=&contentId=A34978-2003Aug23&notFound=true

http://www.nytimes.com/2003/09/18/technology/circuits/18POGUE-EMAIL.html?ex=1064894400&en=8a463b1175569a5f&ei=5070

http://www.theregister.co.uk/content/55/32449.html

Also see the Dept. of Energy's security bulletins listed by OS here--note how many viruses and other security issues plague Windows (even the newest and most "secure" versions) vs. any UNIX version--especially Mac OS X:

http://www.ciac.org/ciac/bulletinsByType/bul_vendor_list.html

And if you think constant patching and patch-testing is an acceptable solution that makes Windows a good idea, read here:

http://www.csoonline.com/read/080103/patch.html

Patching and keeping Windows up to date is often an impossible task in the real world, since applying a fix can break something else critical to your business. That means spending huge time and cost to test patches--often more time than it takes attackers to exploit the problem.

And what about when MS tries to patch and fails?
http://news.zdnet.co.uk/software/0,39020381,39116180,00.htm

You can find new stories just about weekly on the latest critical flaw or virus for Microsoft Windows. So I won't gather those links--a search on Google or any news site will turn up lots. Suffice it to say that critical holes remain, unpatched, even in Microsoft's top, most "trustworthy" products--like Windows Server 2003. And these flaws are being exploited. Some flaws even wait for months and months and Microsoft never patches them at all.

And here's the much-discussed research paper (20 pp, full of excellent points) regarding how MS technology is designed to promote monopoly at the expense of security--with severe consequences:

http://www.ccianet.org/papers/cyberinsecurity.pdf

(Of course, one of the authors of that paper was actually fired from the company he helped found, due to Microsoft pressure. And many researchers who privately agreed with the project refused to take part for fear of Microsoft retaliation.)

So in summary... no OS is perfect, but Macs are designed better and are less susceptible to security problems than Windows. AND they are less of a target, too. What's not to love? :)

Well, now the BBC has got a wind of this and written this article: Apple Tackles Security Flaw (http://news.bbc.co.uk/1/hi/technology/3741871.stm). I guess, with all the articles on Window's flaws, Apple is due one. But I think everyone is going over the top on this.

Yes, Mac OS X is still vunerable to viruses, etc and, yes, its low user base and general hatred for Microsoft count against making a virus for it but that's not to say there aren't any security holes.

Not that any of these vunerabilities has ever really put anyone at risk. I say that Apple certainly releases the patches much quicker than Microsoft :D

Well, now the BBC has got a wind of this and written this article: Apple Tackles Security Flaw (http://news.bbc.co.uk/1/hi/technology/3741871.stm). I guess, with all the articles on Window's flaws, Apple is due one. But I think everyone is going over the top on this.
Yes - it's not like it could delete all files your account can delete or run code of attackers choice or anything - oh wait...
Not that any of these vunerabilities has ever really put anyone at risk. I say that Apple certainly releases the patches much quicker than Microsoft :D
Yes - three months - not bad for a vulnerability that can do all of the above.

Now we just need them to fix the parent exploit that made it possible. The vulnerability that has been fixed is insignificant next to the protocol handler exploit that is still in effect.

The vulnerability that has been fixed is insignificant next to the protocol handler exploit that is still in effect.

right. i hope apple goes all the way and doesn't stop where it's easiest to do so. because osx is a unix, apple has far greater responsibility than in pre-osx era.

Back to the subject at hand...

My mom called me this morning. When she tries to install the update, the little status bit at the bottom of the window tells her that the update failed and to run software update again. She's tried three times, all with the same result. My first instinct is to talk her through repairing her permissions, but are there any other things you can think of that would be causing this and/or can fix it and allow the update to successfully install?

BTW, she's running 10.2.

My mom called me this morning. When she tries to install the update, the little status bit at the bottom of the window tells her that the update failed and to run software update again. She's tried three times, all with the same result. My first instinct is to talk her through repairing her permissions, but are there any other things you can think of that would be causing this and/or can fix it and allow the update to successfully install?This is the first report I've heard of a failed update installation. Your first instinct is a good instinct, cleo. There are no doubt various reasons an update could fail, but repairing permissions as a first step makes sense. The other easy thing to try would be to download the update instead of using Software Update. It can't hurt.

This is the first report I've heard of a failed update installation. Your first instinct is a good instinct, cleo. There are no doubt various reasons an update could fail, but repairing permissions as a first step makes sense. The other easy thing to try would be to download the update instead of using Software Update. It can't hurt.

I got the same problem. I quote error Software Setup error:

Security Update 2004-5-24: Could not download.

A networking error has occurred: timed out (-1001). Make sure you can connect to the Internet, then try again.

That was after trying to repair disk permissions.

So, I downloaded directly as you suggested and that worked.

Cheers Daniel

What about us 10.2.6 users?

My PowerMac G3 will not run 10.2.8 stably for any length of time so I had to revert back to 10.2.6 which runs flawlessly for me.

It's a shame to see that 10.2.8 is a requirement of this security patch, or is it just me being blind?

It seems Office 2004 has this limitation also.

To date, Apple has been in a good position - far less vulnerable than MS. However, this incident shows that they are hopelessly inept at dealing with issues like these. This issue was known to them months ago, they've patched a minor part of the problem, and are managing the PR very badly.

Appoint a visible head of security issues, disclose fully what the issue was and why it was important to fix it, and make sure that there are no more 'Apple was unavailable for comment' which seems to fott every article about this.

Come on Apple, make some good decisions or you'll never make headway in the corporate space (at least) again.

Beware a double-standard. MS doesn't always jump up and offer comment to every news outlet who contacts them on the latest flaw of the week.

I attended a Microsoft seminar late last year to see what Windows Server 2003 had to offer. So I'm sitting there where the Microsoft employee is bad-mouthing Linux stating that it's got more security vulnerabilities than Server 2003. Then he goes on to blame us, the consumer, for the security holes stating something like, "You wanted features, so for years we focused on that. Now you want security, so that's our top concern." What a load of tripe! He had the nerve to blame IT administrators (their customers) because they wanted "features" instead of "security"!

"You wanted features, so for years we focused on that. Now you want security, so that's our top concern."

sounds microsoftish - as if a software company could only take care of one of the two. rubbish. if you make a feature, you commit to taking care of it (optimizing, fixing, enhancing...) and that's what microsoft hasn't been doing. they have had insecure system to begin with and have just tried to put new features on top of the security holes. that policy cannot get them very far...

but then again, microsoft is not a software firm. it's a marketing house. it's good at marketing the product that isn't ready in years, and forcing distributors to distribute their stuff. that's where the money comes from, not from the products they sell. (well, they have one good piece of software: excel.)

Learn it well:

1. Windows has continual and major problems.

2. But no OS is ever perfect.

3. Mac OS is not perfect

4. Therefore Windows is just as good as Mac OS.

5. Therefore Windows is better than Mac OS.

QED.

Been seeing that "logic" around a LOT lately. Watch for it :)

Got that right. Where i work, I frequently hear that from the other PC techs, as the place is an all PC shop.

<mod edit>clicking this link runs a proof of concept - click at your own risk</mod edit>

Todays latest exploit brought to you by more URI problems. (http://insecure.netilus.org/kang/safari/0x06_test.html)

<me edit>Yes remember people this is a "theoretical exploit" and therefore if you click the above and see or hear anything strange, then you are obviously just imagining things</me>

well my OSX doesn't startup anymore after installing this update... something similar happened last year with another update on my imac.

so I ll probably need to install panther again....

grmbl

well my OSX doesn't startup anymore after installing this update... something similar happened last year with another update on my imac.

so I ll probably need to install panther again....

grmbl
I can't get the update from Software Update on my PowerBook - my G5 at work got it just fine.

Also mysteriously my QuickTime plugin has started freezing whenever I try to view a trailer from the Apple site. Don't know if it's related.

Mac OS Fix fails to plug security hole (http://zdnet.com.com/2100-1105_2-5220285.html)

Uh oh...

Mac OS Fix fails to plug security hole (http://zdnet.com.com/2100-1105_2-5220285.html)

Uh oh...

Already being discussed in a MacBytes thread (http://forums.macrumors.com/showthread.php?t=73118).

Keep this discussion on the security update.