Become a MacRumors Supporter for $25/year with no ads, private forums, and more!

Hemingray

macrumors 68030
Original poster
Jan 9, 2002
2,924
33
Ha ha haaa!
In your software update:

Security Update 2004-09-07 delivers a number of security enhancements and is recommended for all Macintosh users. This update includes the following components:


CoreFoundation
IPSec
Kerberos
libpcap
lukemftpd
NetworkConfig
OpenLDAP
OpenSSH
PPPDialer
rsync
Safari
tcpdump



For detailed information on this Update, please visit this website: http://www.info.apple.com/kbnum/n61798
 

TopCatz

macrumors member
Aug 31, 2004
41
0
UK
No Probs

Just installed on iMac G3 - no meltdown so far!
Damn - I wish I just installed Win SP 2 so I would have something to moan about. Guess I'll have to suffer an easy life. :rolleyes:
 

stcanard

macrumors 65816
Oct 19, 2003
1,485
0
Vancouver
AmigoMac said:
Safari? What should be wrong with safari? The version and build is the same...

Just checked the link, and apparently this one is only for 10.2.8 users. Newer versions of Safari are unaffected. (It's a javascript/array bounds check issue)
 

Gordon Werner

macrumors newbie
Oct 27, 2003
16
0
just becasue they update libraries belonging to the application doesn't mean they have to increment the version number

here is the complete list of changes:

Component: Apache 2
CVE-IDs: CAN-2004-0493, CAN-2004-0488
Available for: Mac OS X Server 10.2.8, Mac OS X Server 10.3.4, Mac OS X Server 10.3.5
Impact: Exposure to a potential Denial of Service.
Description: The Apache Organization has released Apache version 2.0.50. This release fixes a number of denial of service vulnerabilities. We have updated Apache to version 2.0.50 which only ships with Mac OS X Server, and is off by default.

Component: CoreFoundation
CVE-ID: CAN-2004-0821
Available for: Mac OS X 10.2.8, Mac OS X 10.3.4, Mac OS X 10.3.5, Mac OS X Server 10.2.8, Mac OS X Server 10.3.4, Mac OS X Server 10.3.5
Impact: Privileged programs using CoreFoundation can be made to load a user supplied library.
Description: Bundles using the CoreFoundation CFPlugIn facilities can include directions to automatically load plugin executables. With a specially crafted bundle this could also occur for privileged programs, permitting a local privilege escalation. CoreFoundation now prevents automatic executable loading for bundles that already have a loaded executable. Credit to Kikuchi Masashi <kik@ms.u-tokyo.ac.jp> for reporting this issue.

Component: CoreFoundation
CVE-ID: CAN-2004-0822
Available for: Mac OS X 10.2.8, Mac OS X 10.3.4, Mac OS X 10.3.5, Mac OS X Server 10.2.8, Mac OS X Server 10.3.4, Mac OS X Server 10.3.5
Impact: An environment variable can be manipulated to cause a buffer overflow which can result in a privilege escalation
Description: By manipulating local environment variables a program could potentially be leveraged by a local attacker to execute arbitrary code. This can only be exploited with access to a local account. Validity checks for local environment variables are now provided. Credit to <aaron@vtty.com> for reporting this issue.

Component: IPSec
CVE-ID: CAN-2004-0607
Available for: Mac OS X 10.2.8, Mac OS X 10.3.4, Mac OS X 10.3.5, Mac OS X Server 10.2.8, Mac OS X Server 10.3.4, Mac OS X Server 10.3.5
Impact: When using certificates, unauthenticated hosts may be able to negotiate an IPSec connection.
Description: When configured to use X.509 certificates to authenticate remote hosts, a certificate verification failure does not abort the key exchange. Mac OS X does not use certificates for IPSec by default so this issue only affects configurations that have been manually configured. IPSec now verifies and aborts a key exchange if a certificate verification failure occurs.

Component: Kerberos
CVE-ID: CAN-2004-0523
Available for: Mac OS X 10.2.8, Mac OS X 10.3.4, Mac OS X 10.3.5, Mac OS X Server 10.2.8, Mac OS X Server 10.3.4, Mac OS X Server 10.3.5
Impact: Multiple buffer overflows in krb5_aname_to_localname for MIT Kerberos 5 (krb5) 1.3.3 and earlier could permit remote attackers to execute arbitrary code.
Description: The buffer overflow can only be exploited if "auth_to_local_names" or "auth_to_local" support is also configured in the edu.mit.Kerberos file. Apple does not enable this by default. The security fix was back ported and applied to the Mac OS X versions of Kerberos. The Mac OS X and Mac OS X Server version of Kerberos is not susceptible to the recent "double-free" issue reported in the CERT vulnerability note VU#350792 (CAN-2004-0772). Credit to the MIT Kerberos Development Team for informing us of this issue.

Component: lukemftpd
CVE-ID: CAN-2004-0794
Available for: Mac OS X 10.2.8, Mac OS X 10.3.4, Mac OS X 10.3.5, Mac OS X Server 10.2.8, Mac OS X Server 10.3.4, Mac OS X Server 10.3.5
Impact: A race condition that can permit an authenticated remote attacker to cause a denial of service or execute arbitrary code
Description: If the FTP service has been enabled, and a remote attacker can correctly authenticate, then a race condition would permit them to stop the FTP service or execute arbitary code. The fix is to replace the lukemftpd FTP service with tnftpd. lukemftp is installed but not activated in Mac OS X Server, which instead uses xftp. Credit to Luke Mewburn of the NetBSD Foundation for informing us of this issue.

Component: OpenLDAP
CVE-ID: CAN-2004-0823
Available for: Mac OS X 10.3.4, Mac OS X 10.3.5, Mac OS X Server 10.3.4, Mac OS X Server 10.3.5
Impact: A crypt password can be used as if it were a plain text password.
Description: Backwards compatibility with older LDAP implementations permits the storing of a crypt password in the userPassword attribute. Some authentication validation schemes can use this value as if it were a plain text password. The fix removes the ambiguity and always uses this type of field as a crypt password. This issue does not occur in Mac OS X 10.2.8. Credit to Steve Revilak of Kayak Software Corporation for reporting this issue.

Component: OpenSSH
CVE-ID: CAN-2004-0175
Available for: Mac OS X 10.2.8, Mac OS X 10.3.4, Mac OS X 10.3.5, Mac OS X Server 10.2.8, Mac OS X Server 10.3.4, Mac OS X Server 10.3.5
Impact: A malicious ssh/scp server can overwrite local files
Description: A directory traversal vulnerability in the scp program permits a malicious remote server to overwrite local files. The security fix was backported and applied to the Mac OS X versions of OpenSSH.

Component: PPPDialer
CVE-ID: CAN-2004-0824
Available for: Mac OS X 10.2.8, Mac OS X 10.3.4, Mac OS X 10.3.5, Mac OS X Server 10.2.8, Mac OS X Server 10.3.4, Mac OS X Server 10.3.5
Impact: A malicious user can overwrite system files resulting in a local privilege escalation
Description: PPP components performed insecure accesses of a file stored in a world-writeable location. The fix moves the log files to a non-world-writeable location.

Component: QuickTime Streaming Server
Available for: Mac OS X Server 10.2.8, Mac OS X Server 10.3.4, Mac OS X Server 10.3.5

CVE-ID: CAN-2004-0825
Impact: A denial of service requiring a restart of the QuickTime Streaming Server
Description: A particular sequence of client operations can cause a deadlock on the QuickTime Streaming Server. The fix updates the code to eliminate this deadlock condition.

Component: rsync
CVE-ID: CAN-2004-0426
Available for: Mac OS X 10.2.8, Mac OS X 10.3.4, Mac OS X 10.3.5, Mac OS X Server 10.2.8, Mac OS X Server 10.3.4, Mac OS X Server 10.3.5
Impact: When rsync is run in daemon mode a remote attacker can write outside of the module path unless the chroot option has been set.
Description: rsync before version 2.6.1 does not properly sanitize paths when running a read/write daemon with the chroot option turned off. The fix updates rsync to version 2.6.2.

Component: Safari
CVE-ID: CAN-2004-0361
Available for: Mac OS X 10.2.8, Mac OS X Server 10.2.8
Impact: A JavaScript array of negative size can cause Safari to access out of bounds memory resulting in an application crash.
Description: Storing objects into a JavaScript array allocated with negative size can overwrite memory. Safari now stops processing JavaScript programs if an array allocation fails.
This security enhancement was previously made available in Safari 1.0.3, and is being applied inside the Mac OS X 10.2.8 operating system as an extra layer of protection for customers who have not installed that version of Safari. This is a specific fix for Mac OS X 10.2.8 and the issue does not exist in Mac OS X 10.3 or later systems.

Component: Safari
CVE-ID: CAN-2004-0720
Available for: Mac OS X 10.2.8, Mac OS X 10.3.4, Mac OS X 10.3.5, Mac OS X Server 10.2.8, Mac OS X Server 10.3.4, Mac OS X Server 10.3.5
Impact: An untrusted web site can inject content into a frame intended to be used by another domain.
Description: A web site that uses multiple frames can have some of its frames replaced with content from a malicious site if the malicious site is visited first. The fix imposes a set of parent/child rules preventing the attack.

Component: SquirrelMail
CVE-ID: CAN-2004-0521
Available for: Mac OS X 10.2.8, Mac OS X 10.3.4, Mac OS X 10.3.5, Mac OS X Server 10.2.8, Mac OS X Server 10.3.4, Mac OS X Server 10.3.5
Impact: SquirrelMail before 1.4.3 RC1 allows remote attackers to execute unauthorized SQL statements
Description: SquirrelMail before 1.4.3 RC1 is vulnerable to SQL injection which permits unauthorized SQL statements to be run. The fix updates SquirrelMail to version 1.4.3a

Component: tcpdump
CVE-IDs: CAN-2004-0183, CAN-2004-0184
Available for: Mac OS X 10.2.8, Mac OS X 10.3.4, Mac OS X 10.3.5, Mac OS X Server 10.2.8, Mac OS X Server 10.3.4, Mac OS X Server 10.3.5
Impact: Maliciously crafted packets can cause a crash of a running tcpdump
Description: The detailed printing functions for ISAKMP packets do not perform correct bounds checking and cause an out-of-bounds read which results in a crash. The fix updates tcpdump to version 3.8.3.
 

djdarlek

macrumors regular
Oct 10, 2003
130
0
DO you get the feeling we are not about to have to start worrying about viruses? :D

I've just put my crappy XP machine on the internet, and already, just a day later, i'm being bugged by this; http://www.doxdesk.com/parasite/LinkReplacer.html

It's a right pain in the ass, but at least the pop-ups start with something that makes sense.... "Microsoft Warning!" fair point.

I CANNOT wait until my G5 iMac arrives and I can thow this noisy piece-o-s**t away.
 

Tulse

macrumors regular
Nov 3, 2003
220
0
Kudos to Apple for the detail they provide about the fixes (they even mention who alerted them -- how cool is that?). This openness should go a long way towards correcting Apple's reputation for secrecy regarding security.
 

fatbarstard

macrumors member
Dec 2, 2003
87
0
New Zealand
Security Update number ??

It is me or does it seem that there are more security updates than ever from Apple??

A couple of years ago security updates were infrequently, but now it seems that they a coming every couple of months - does this indicate slippage in quality control??? :confused:
 

SiliconAddict

macrumors 603
Jun 19, 2003
5,889
0
Chicago, IL
djdarlek said:
DO you get the feeling we are not about to have to start worrying about viruses? :D

I've just put my crappy XP machine on the internet, and already, just a day later, i'm being bugged by this; http://www.doxdesk.com/parasite/LinkReplacer.html

It's a right pain in the ass, but at least the pop-ups start with something that makes sense.... "Microsoft Warning!" fair point.

I CANNOT wait until my G5 iMac arrives and I can thow this noisy piece-o-s**t away.

And that's your fault for using Internet Imploder. :rolleyes: If you don't know how to drive a car get off the road. If you don't know how to operate Windows safely get off the platform. And if you are forced to either drive a car or use Windows then LEARN how to use it safely. Easy no?
No one who is interested in a secure environment takes Internet Exploder seriously. That was your first mistake. Second. Do you have a firewall? No? Second mistake. Third. Windows Update? Never did it? Game over man! Game over!!
 

SiliconAddict

macrumors 603
Jun 19, 2003
5,889
0
Chicago, IL
fatbarstard said:
It is me or does it seem that there are more security updates than ever from Apple??

A couple of years ago security updates were infrequently, but now it seems that they a coming every couple of months - does this indicate slippage in quality control??? :confused:

No its reality kicking in. To clue people in who think the fabled perfect OS exists *hands them a cheat sheet that says: No such thing!!!!!*

No OS is going to be flawless and that sure as heck includes OS X or OS XI or OS XII. or OS pi.
 

swissmann

macrumors 6502a
Sep 17, 2003
789
42
The Utah Alps
I have a theory - can anyone back me up on it. Apple releases a new major OS update which is quick because it doesn't have to patch all this stuff. People find security holes and now all the patches get in the way and slow things down. It just seems like each time I install one of these patches things to slow down a bit. Any experience from anyone?
 

shawnce

macrumors 65816
Jun 1, 2004
1,442
0
fatbarstard said:
It is me or does it seem that there are more security updates than ever from Apple??

I don't see much of a change given the history...

http://docs.info.apple.com/article.html?artnum=61798
http://docs.info.apple.com/article.html?artnum=25631

fatbarstard said:
A couple of years ago security updates were infrequently, but now it seems that they a coming every couple of months - does this indicate slippage in quality control??? :confused:

More folks then ever are using Mac OS X hence more developers, etc. playing around finding issues as well as Mac OS X is including more and more functionality (Apples own and third-party). Also Apple is being relatively proactive about getting patches out quickly more so then in the beginning of Mac OS X. I don't think is shows much of a quality issue...
 

musicpyrite

macrumors 68000
Jan 6, 2004
1,639
0
Cape Cod
You shouldn't notice any slowdown if you take the proper procedures. (although I've never experienced any slow down of any kind when installing an Apple update, rather an increase in speed)

Repair Permissions
periodic daily/weekly/monthly
fsck
update prebindings
pray to god that your computer does not melt down.
 

njmac

macrumors 68000
Jan 6, 2004
1,756
2
musicpyrite said:
You shouldn't notice any slowdown if you take the proper procedures. (although I've never experienced any slow down of any kind when installing an Apple update, rather an increase in speed)

Repair Permissions
periodic daily/weekly/monthly
fsck
update prebindings
pray to god that your computer does not melt down.
I know about the first 2. What's fsck and prebindings?
 

Mehmet

macrumors member
Jun 21, 2003
67
0
djdarlek said:
DO you get the feeling we are not about to have to start worrying about viruses? :D

I've just put my crappy XP machine on the internet, and already, just a day later, i'm being bugged by this; http://www.doxdesk.com/parasite/LinkReplacer.html

It's a right pain in the ass, but at least the pop-ups start with something that makes sense.... "Microsoft Warning!" fair point.

I CANNOT wait until my G5 iMac arrives and I can thow this noisy piece-o-s**t away.


hey dude, if you're gonna throw it away, i'll pay for shipping/pick up and get it from you. I wouldn't mind another websurfing machine :)
 

rainman::|:|

macrumors 603
Feb 2, 2002
5,438
2
iowa
SiliconAddict said:
And that's your fault for using Internet Imploder. :rolleyes: If you don't know how to drive a car get off the road. If you don't know how to operate Windows safely get off the platform. And if you are forced to either drive a car or use Windows then LEARN how to use it safely. Easy no?
No one who is interested in a secure environment takes Internet Exploder seriously. That was your first mistake. Second. Do you have a firewall? No? Second mistake. Third. Windows Update? Never did it? Game over man! Game over!!

So you're saying then, that:

1. It's not Microsoft's fault if an XP user uses Internet Explorer and bad things happen;

2. You must learn to fully and properly use the software before using a computer (this would prohibit 99% of people from using them)

3. The user, not the software manufacturer, is responsible for making the software secure enough to use in real-life applications...

Need I go on?

Seriously, it's one thing to blindly say "PCs suck Macs rule end of debate", but everything he mentioned were valid points that many, many users deal with. PC users, not Mac users. I've never had a page hijack my browser simply because I dared use the software that came installed :eek:

having a bad day are we?

paul
 

musicpyrite

macrumors 68000
Jan 6, 2004
1,639
0
Cape Cod
njmac said:
I know about the first 2. What's fsck and prebindings?

I have absolutely no idea. :D

I just know it's good for your computer if you do it a couple of times every month.

Google it if you want more info. ;)

EDIT: i forgot how to use them. open up the terminal, type fsck, fsck will do it's thing then when your done type 'sudo update_prebinding -root -force /' and that will update your prebindings. to repair permissions in the terminal type 'diskutil repairpermissions /'.
 

djdarlek

macrumors regular
Oct 10, 2003
130
0
SiliconAddict said:
And that's your fault for using Internet Imploder.

hey man, where exactly did I say IE? :confused: I may have to switch back to XP for a while but i'm not suicidal! Firefox all the way. :)

As to the updates.. i wish I could've gotten that far. It says there's 18 or so updates, but it completely died while trying to install them. :eek: I don't think it'll ever get to SP2 at this rate. And have installed about 5 virus checkers which all tell me that I have x and y viruses but than ask for $z to remove them. :(
 

keysersoze

macrumors 68000
Jan 6, 2004
1,596
10
NH
Installed update.

Restarted.
Repaired permissions.
Opened Safari.
Tried to reply to this thread.

Kernel Panic!

Stupid security update. :mad:
 

jwhitnah

macrumors regular
Aug 20, 2003
181
111
WI
SiliconAddict said:
And that's your fault for using Internet Imploder. :rolleyes: If you don't know how to drive a car get off the road. If you don't know how to operate Windows safely get off the platform. And if you are forced to either drive a car or use Windows then LEARN how to use it safely. Easy no?
No one who is interested in a secure environment takes Internet Exploder seriously. That was your first mistake. Second. Do you have a firewall? No? Second mistake. Third. Windows Update? Never did it? Game over man! Game over!!

Kind of harsh. It's easy to say, but learning the platform and its problems can take a while. I have to have a PC because of my work. Setting it loose on the internet is like dropping off a hot promiscuous teen in the inner city, that is, it is quickly infected.
 
Register on MacRumors! This sidebar will go away, and you'll see fewer ads.