
MacRumors

macrumors bot
Original poster


Apple today released Security Update 2010-006, a minor update to Mac OS X Snow Leopard. According to a support document, the update addresses a single issue related to AFP shared folders.
An error handling issue exists in AFP Server. A remote attacker with knowledge of an account name on a target system may bypass the password validation and access AFP shared folders. By default, File Sharing is not enabled. This issue does not affect systems prior to Mac OS X v10.6. Credit to Richard Noll for reporting this issue.
The update weighs in at 1.93 MB and requires Mac OS X 10.6.4. A system restart is required after installation.

Article Link: Apple Addresses AFP Vulnerability With Security Update 2010-006
 
That's quite a huge bug. :(

Glad they fixed it, but that kind of thing should have never been allowed to exist in the first place.
Why do you think that's such a huge bug? Do you know the account name on my computer? I don't know yours, either. Not only that, you would have to share your computer's files (something you have to do yourself) then open port 548 for the world to see through your router.

-Aaron-
 
But if I was on the same network as you, you very well might show up in the Finder sidebar, account name and all. For people who have file sharing enabled, this is a huge flaw.

Why do you think that's such a huge bug? Do you know the account name on my computer? I don't know yours, either. Not only that, you would have to share your computer's files (something you have to do yourself) then open port 548 for the world to see through your router.

-Aaron-
 
But if I was on the same network as you, you very well might show up in the Finder sidebar, account name and all. For people who have file sharing enabled, this is a huge flaw.

Agreed. And even though file sharing may not be enabled by default, I'd venture a decent amount of people have had need to turn it on.
 
But if I was on the same network as you, you very well might show up in the Finder sidebar, account name and all. For people who have file sharing enabled, this is a huge flaw.

Except you forgot the part where you need to have knowledge of how the hack actually works. The majority of bugs are just not common knowledge or as easy as browsing someone on the same network.
 
and people have two legs. Of course it isn't common knowledge, that still doesn't not make it a huge security breach. Obviously Apple thought people could figure it out if they released a security update just for this. Does Apple normally wait for just one bug? Usually in security updates it is multiple bugs I think.

Except you forgot the part where you need to have knowledge of how the hack actually works. The majority of bugs are just not common knowledge or as easy as browsing someone on the same network.
 
and people have two legs. Of course it isn't common knowledge, that still doesn't not make it a huge security breach. Obviously Apple thought people could figure it out if they released a security update just for this. Does Apple normally wait for just one bug? Usually in security updates it is multiple bugs I think.

Would you stop putting your quotes at the bottom of your posts like that? It's driving me insane...
 
Didn't know you get credit in the Support Notes for reporting a bug :D time to start bug hunting...
 
The update weighs in at 1.93 MB

Did I mention that updates are ones and zeros and have no actual weight? MB refers to the number of ones and zeros in groups of eight. Numbers don't actually weigh anything, so you probably shouldn't write this same trite phrase every time you want to mention how big a file is.

I'm just saying, that's all.
 
RE: Apple Addresses AFP Vulnerability With Security Update 2010-006

The update for me registered at only 381 KB, not a few MB.
 
Apple releases an update to iTunes too

10.0.1
This release also provides a number of important bug fixes, including:

• Addresses an issue where the picture quality of a video changes depending on whether the on-screen controls are visible.
• Resolves an issue where iTunes may unexpectedly quit while interacting with album artwork viewed in a separate window.
• Fixes a problem that affects the performance of some third-party visualizers.
• Addresses an issue where the iTunes library and playlists appear empty.
• Resolves an issue that created an incompatibility with some third-party shared libraries
:)
 
Didn't know you get credit in the Support Notes for reporting a bug :D time to start bug hunting...

It actually depends (largely on the group at Apple, I think).

I reported a bug with an Apple product (Java), and while the engineer was quite responsive and eventually fixed the bug, I unfortunately didn't get a nod in the release notes.

It seems that most security bug finders get nods, probably as a way to encourage them to discreetly report them to Apple instead of just announcing them to the world.
 
Just registered to say that the new security update bricked my laptop.

Thanks, Apple. It just works huh?

Edit:
Tried to reinstall the update, but that crashes with an unknown error. Is there some tool that I can use to debug this installation and see the specific error condition?

Edit2:
Okay. I solved it, here is a description for anyone suffering from the same problem:
After installing 2010-006, when the laptop (13" MacBook Pro, OS X 10.6) came back from restarting, my clock was reset to January 1st 2001 and the system could not get a wireless connection. Manually downloaded the update using another computer and moved it over to the laptop. Manual reinstall failed. Set the date back to the present day and manual reinstall worked. The computer restarted and everything worked again.
 