Security Update 2004-08-09 Now Available
MacRumors
Aug 9, 2004, 06:46 PM
Along with the latest system update (http://www.macrumors.com/pages/2004/08/20040809173213.shtml) made available earlier today, Apple has released a security update to address a recent issue regarding a security breach in Safari. The breach affects Safari and Mozilla-based browsers, including Camino & Firefox and their handling of .png (portable network graphic) graphic files. The Security Update is available via Software Update. A standard download version is not yet available.
Security Update 2004-08-09 delivers a number of security enhancements and is recommended for all Macintosh users. This update includes the following components:
libpng (Portable Network Graphics)
For detailed information on this Update, please visit this website: http://www.info.apple.com/kbnum/n61798
The 2004-08-09 Security Update is included in the 10.3.5 update package, or as a standalone download.
jbrown
Aug 9, 2004, 06:49 PM
On topic--how long before it's pulled?
Damn you guys are fast!!
musicpyrite
Aug 9, 2004, 06:56 PM
I know I'm going to get flamed for this, but do any of you think that Safari is becoming the Internet Explorer of Windows??
FredAkbar
Aug 9, 2004, 06:56 PM
Since when is Safari Mozilla-based? It uses KHTML, not Gecko. Or if the app itself is "Mozilla-based" then how so?
edit: never mind, the original post on the front page said "Mozilla-based browsers, including Safari, Camino, [...]" but that has since been fixed.
AppleMatt
Aug 9, 2004, 06:58 PM
I know I'm going to get flamed for this, but do any of you think that Safari is becoming the Internet Explorer of Windows??
This "vulnerability" had nothing to do with Apple, and they've applied the fix very very quickly. In addition, it's system-wide.
So no, I don't.
AppleMatt
Mudbug
Aug 9, 2004, 06:58 PM
Since when is Safari Mozilla-based? It uses KHTML, not Gecko. Or if the app itself is "Mozilla-based" then how so?
I edited the frontpage directly after this - you're right - it's KHTML, not Mozilla based (although the render engines are similar)
fatbarstard
Aug 9, 2004, 07:02 PM
Grab it just now with upgrade to 10.3.5... :D
Also got an update called iPhoto 2.0.1.... haven't seen any mention of this... didn't buy iLife cos I'm a cheapskate...
LeeTom
Aug 9, 2004, 07:13 PM
Was this included in the 10.3.5 update? i'm not seeing it in my software update...
Lee Tom
superfunkomatic
Aug 9, 2004, 07:22 PM
Grab it just now with upgrade to 10.3.5... :D
Also got an update called iPhoto 2.0.1.... haven't seen any mention of this... didn't buy iLife cos I'm a cheapskate...
yep, i get an iphoto 2.01 upgrade as well. probably just a performance update. looks like some significant underpinning updates with this one.
Mudbug
Aug 9, 2004, 07:23 PM
Was this included in the 10.3.5 update? i'm not seeing it in my software update...
Lee Tom
It was included - the only way you'd see it in SWU is if you didn't already install 10.3.5
frontpage edited to reflect this.
Doctor Q
Aug 9, 2004, 07:24 PM
Was this included in the 10.3.5 update? i'm not seeing it in my software update...
Yes, just confirmed that. Installing the Mac OS X update will remove the security update from Software Update.
mj_1903
Aug 9, 2004, 07:31 PM
I edited the frontpage directly after this - you're right - it's KHTML, not Mozilla based (although the render engines are similar)
Sorry to nitpick, but the rendering engines are totally different. The result is quite similar.
As for Safari becoming the IE of Windows, it's a little hard. Safari does not run with root privileges.
csubear
Aug 9, 2004, 07:48 PM
Guys this is a major thing. This png thing could have been huge, had not the apple/open source community been quick to get a patch out. libpng is everywhere, mail, preview, keynote etc... it's a major system lib (as far as images are concerned).
If one was so inclined, and had some time, one could create a special png image that would buffer overflow, and give the attacker at least your privileges. You could view this image in mail, safari and it could then send itself to everyone in your address book.
Apple has averted a major !virus! problem with this update.
btw. this is not an apple library, it's an open source library that everyone uses. So let's not start with the apple is turning in to $M, or Safari is turning into MSIE
dizastor
Aug 9, 2004, 07:54 PM
Malicious PNG?
Whew... glad we dodged that bullet. I was violently assaulted by an Animated Gif last September, I was on crutches for two months.
neoelectronaut
Aug 9, 2004, 08:03 PM
Wow, Apple sure did jump on this one and patched it quickly.
Abstract
Aug 9, 2004, 08:04 PM
Yeah, one time a .png file spit in my face and yelled out some racial slurs. How uncouth!! :mad:
Porchland
Aug 9, 2004, 08:06 PM
A minor iPhoto update -- which had been predicted on Page Two -- and a security update. The Cupertino crowd is keeping a VERY tight lid on whatever is in store for Apple Expo Paris.
At Apple Expo 2003 we got new PowerBooks, wireless keyboard and mouse.
This year, obviously, it's going to be the new iMac, but.... *chirp, chirp, chirp*
Elan0204
Aug 9, 2004, 08:27 PM
It's good to see this security update out so fast. I wonder if Windows XP Service Pack 2 had this fix?
wdlove
Aug 9, 2004, 08:30 PM
Yes, just confirmed that. Installing the Mac OS X update will remove the security update from Software Update.
I'm updating our backup iBook G3 iPhoto 2.0.1 1.7 MB, Mac OS X 10.3.5 22.9 MB, & Security Update 2004-08-09 1.0 5.3 MB. It's running the optimization right now.
csubear
Aug 9, 2004, 08:35 PM
It's good to see this security update out so fast. I wonder if Windows XP Service Pack 2 had this fix?
i'm not sure that Microsoft uses libpng. They might, then again i doubt it. They stay away from open source like the plague.
edited: i installed all updates, 12" powerbook 1.33 superdrive. No problems to report.
mkrishnan
Aug 9, 2004, 08:47 PM
i'm not sure that Microsoft uses libpng. They might, then again i doubt it. They stay away from open source like the plague.
Seems like some kind of joke is necessary here....hmm....when you say "like the plague," who exactly is like the plague now? :p
But still, Safari security updates aren't coming so frequently. Yes, there have been a handful. But compared to MSIE....
morkintosh
Aug 9, 2004, 08:51 PM
I know I'm going to get flamed for this, but do any of you think that Safari is becoming the Internet Explorer of Windows??
hey, I've been using Camino for months now ...
musicpyrite
Aug 9, 2004, 09:35 PM
hey, I've been using Camino for months now ...
Yea, I've tried them all, Camino, OmniWeb, Firefox, Mozilla, Internet Explorer, just about every browser I can find for the Mac, and they all have problems, and I just like Safari better, but Firefox comes in a close second, and if Apple screws this up, like MS did with IE, I'll be using Firefox.
csubear
Aug 9, 2004, 09:41 PM
Seems like some kind of joke is necessary here....hmm....when you say "like the plague," who exactly is like the plague now? :p
But still, Safari security updates aren't coming so frequently. Yes, there have been a handful. But compared to MSIE....
it's not who, but what, windows :)
btw. everyone is seeing this as a safari update, (is that what apple called it?). It is not a browser update.
These vulnerabilities have been corrected in libpng which is used by the CoreGraphics and AppKit frameworks in Mac OS X.
This is a big part of the OS.
~Shard~
Aug 9, 2004, 09:50 PM
Doesn't sound like anything serious but it's good to see Apple reacting so fast. I was about to download this but then realized it was included on the 10.3.5 update! :cool:
kanaka
Aug 9, 2004, 09:55 PM
i'm not sure that Microsoft uses libpng. They might, then again i doubt it. They stay away from open source like the plague.
According to this article (http://news.com.com/Image+flaw+pierces+Linux+security/2100-1002_3-5298999.html), Microsoft uses libPNG for Internet Explorer.
macFanDave
Aug 9, 2004, 10:01 PM
it's security BREACH, not BREECH.
Oh, well.
morkintosh
Aug 9, 2004, 10:27 PM
Yea, I've tried them all, Camino, OmniWeb, Firefox, Mozilla, Internet Explorer, just about every browser I can find for the Mac, and they all have problems, and I just like Safari better, but Firefox comes in a close second, and if Apple screws this up, like MS did with IE, I'll be using Firefox.
I like Firefox over Camino for sure, but I don't like the hidden floating window that it creates (hit your all windows expose key) ... something about windows that I don't open on my screen that bothers me.
dizastor
Aug 9, 2004, 11:02 PM
...but I don't like the hidden floating window that it creates (hit your all windows expose key)...
Holy Crap! I just opened up firefox to test this out. What's up with that lil' spy window? Is that where they hide the malicious .PNG? I bet it hides in the shadows so it can hit you over the head with a sock full of nickels when you're not paying attention.
iMeowbot
Aug 9, 2004, 11:36 PM
Holy Crap! I just opened up firefox to test this out. What's up with that lil' spy window? Is that where they hide the malicious .PNG? I bet it hides in the shadows so it can hit you over the head with a sock full of nickels when you're not paying attention.
It's there to give a home to the menu bar when all "real" windows are closed. If not for Exposé, no one would have ever known about it; it's just another ugly hack like in so much other multiplatform software.
I do remember reading that someone was going to fix it, but I guess it's not much of a priority until the socks come out.
Brother Michael
Aug 9, 2004, 11:55 PM
It's there to give a home to the menu bar when all "real" windows are closed. If not for Exposé, no one would have ever known about it; it's just another ugly hack like in so much other multiplatform software.
I do remember reading that someone was going to fix it, but I guess it's not much of a priority until the socks come out.
That's weird...
Anyways, so if I update to 10.3.5 are you saying that I do not need to update again? The .5 update will take care of all the .png problems?
Mike
morkintosh
Aug 9, 2004, 11:57 PM
It's there to give a home to the menu bar when all "real" windows are closed. If not for Exposé, no one would have ever known about it; it's just another ugly hack like in so much other multiplatform software.
I do remember reading that someone was going to fix it, but I guess it's not much of a priority until the socks come out.
huh, I always figured it was there to provide some sort of Cocoa functionality
iMeowbot
Aug 10, 2004, 12:26 AM
Brother Michael: The secret little Firefox window has nothing to do with libpng, it's just a cosmetic bug in the browser. I wouldn't worry about it.
morkintosh: Even though it's a bundle, Firefox is really a Carbon app with all the gunk from a normal Unix installation hidden in there. Camino's the one that uses a Cocoa wrapper.
Rip Vanders
Aug 10, 2004, 12:39 AM
...Apple has released a security update to address a recent issue regarding a security breech in Safari. The breech affects Safari and Mozilla-based browsers, including Camino & Firefox...
Am I really the first among 32 readers to notice that our friends do NOT mean "breech" but "breach" ?? A breach is a gap or opening, while a breech is either the human rear end or the clothing put over it, as in breeches (pronounced "britches" where I grew up).
Sorry, I know security is a serious issue, but so is good writing and editing. Someone on the staff has made a breech of him/her self.
Onward...
Windowlicker
Aug 10, 2004, 02:05 AM
it's nice to see they reacted to this security issue pretty quickly, but I think we shouldn't have to dl these updates anyway.. I know it's too much asked, but these issues do pop up much too often.
nagromme
Aug 10, 2004, 02:38 AM
I know I'm going to get flamed for this, but do any of you think that Safari is becoming the Internet Explorer of Windows??
That logic would be:
1. Microsoft has frequent, massive problems with dire real-world consequences. Data is lost, privacy is compromised, computers are hijacked, and protecting yourself often breaks other things unexpectedly. Critical patches are constant, and keeping your system and virus definitions up-to-date is a vital task to stay ahead of.
2. Apple doesn't have such severe issues and consequences, and doesn't need to patch things anywhere near as often, but no OS will ever be perfect.
3. Therefore Apple security is as bad as Microsoft's.
I don't get it, but there you go :D People repeat that logic all the time.
skunk
Aug 10, 2004, 03:11 AM
That's weird...
Anyways, so if I update to 10.3.5 are you saying that I do not need to update again? The .5 update will take care of all the .png problems?
Mike
No. The Security Update is apparently NOT included in 10.3.5
broken_keyboard
Aug 10, 2004, 04:16 AM
It's really good that Apple got this patch out so quickly. Impressive stuff!
Porchland
Aug 10, 2004, 06:58 AM
The Apple Store is down. I repeat, the Apple Store is down.
SeanMcg
Aug 10, 2004, 07:14 AM
The Apple Store is down. I repeat, the Apple Store is down.
@0915 EDT - Nope: Looks like Motion and Production Suite
encro
Aug 10, 2004, 07:57 AM
The Apple Store was down but now it's back up :)
The Apple Store features the release of Motion and Apple Production Suite (FCP HD, DVDSP2 and Motion). There is also an upgrade from Final Cut HD to the Production Suite (akin to Adobe's Creative Suite bundle). Shake remains a separate product as of this time.
Motion is AU$449
Production Suite is AU$1999
Upgrade from Final Cut Pro HD is AU$1099
encro
Aug 10, 2004, 08:07 AM
Err make that the Production Suite is an upgrade from ANY version of Final Cut Pro for exactly the same price. Nice!
1macker1
Aug 10, 2004, 09:35 AM
Hope this isn't too far off topic. But i'd like to see some web publishing tools added to Safari. I use Mozilla for this, and it's the only time I have to use another browser other than safari.
SeanMcg
Aug 10, 2004, 11:18 AM
Although I see that there are negative ratings, I haven't seen any posts here to indicate what, if any, problems anyone has had with this update.
alexku
Aug 10, 2004, 02:22 PM
I installed the security update (now has reappeared in Software Update) and now I can only open Dreamweaver once. If I quit and try to reopen it, Dreamweaver will not open. I have to restart and then open it again. :( Has anyone had this issue?
-Alex
skunk
Aug 10, 2004, 02:24 PM
Just for the record, I've installed everything and I haven't noticed any difference...
nagromme
Aug 10, 2004, 02:40 PM
Dreamweaver MX has no problems for me after the security update--but I haven't installed 10.3.5.