Mac OS X Security Update 2003-03-03

MacRumors

macrumors bot
Original poster
Apr 12, 2001
49,699
11,013
In your Software Update...Security Update 2003-03-03:

The Security Update addresses a security issue in sendmail where a remote individual could gain access and control of the system. Although sendmail is off by default in Mac OS, it is recommended that all users install this Security Update. This update also includes a newer version of OpenSSL that provides improved data confidentiality by addressing a recently-discovered security issue.
An Apple Software Update was expected today, but no word of Java 1.4.1 which was also rumored to be released today.
 

Freg3000

macrumors 68000
Sep 22, 2002
1,914
0
New York
These are always interesting. I rarely understand what it does, but, oh well. An update is an update. :)
 

testnull

macrumors member
Jun 13, 2002
39
0
Chicago
Given that this sendmail vulnerability was just discovered recently, I doubt that this is any update you were expecting.

Just because you got an update today doesn't mean your expectation was right ;-)
 

jethroted

macrumors 6502a
Jan 2, 2003
619
0
Cyberspace
How could a remote individual gain access and control of your system through sendmail? Do they explain this? This doesn't make sense.
 

phampton81

macrumors member
Jul 24, 2002
78
0
By publicly stating the security issues present, does anyone else think this poses a security threat of its own?
 

AhmedFaisal

Guest
Originally posted by phampton81
By publicly stating the security issues present, does anyone else think this poses a security threat of its own?
It's still better than MS, who don't post security updates with information until the entire www is swamped with viruses and other exploits for the vulnerability.
My 2 cents.

Ahmed:D
 

DStaal

macrumors member
Jan 2, 2003
96
13
Originally posted by phampton81
By publicly stating the security issues present, does anyone else think this poses a security threat of its own?
Sure, if you assume the crackers can't find security holes on their own.

If you assume they are mildly intelligent about attacking (e.g. they actively look for unknown holes), then it just raises the awareness for the public, and gets the holes patched.

Of course, there are both types of crackers, so it does raise the insecurity some, but less than giving some vendors the excuse to cover it up... *cough*Microsoft*cough*
 

jettredmont

macrumors 68030
Jul 25, 2002
2,714
307
Originally posted by phampton81
By publicly stating the security issues present, does anyone else think this poses a security threat of its own?
No. Absolutely not.

Listen, if you're a hacker looking to break into systems, you'll do your homework. The sendmail vulnerability (and OpenSSL minor vulnerabilities) have been known for a few days, and hence anyone who might have the knowledge, desire, and lack of ethics to exploit them against you, I can assure you, already knows a heck of a lot more about them than you do!

Apple's SU blurb has no major details about the security flaw. If you wanted details on it, you could do a quick google search and find all sorts of information.
 

JBracy

macrumors regular
Jan 6, 2003
119
1
Chantilly, VA
Originally posted by gotohamish
Installed, restarted, rebooted, loads software update, and it's still there.

Crap.
Me too, but went to wash the dishes, came back Mac was asleep. I woke it up, ran SU, and it's not there any more.

Weird, but never mind.
 

tychay

macrumors regular
Jul 1, 2002
221
30
San Francisco, CA
Possibly worth mentioning

Re: user who is wondering if this means
Are you saying, that if I send a send mail to someone that has it like that I can easily access their computer like in the [movie]clip?
They are saying "yes" with a few caveats.
  1. The vulnerability was discovered and patched, but there are no known exploits (meaning no software test example of this written by security or hackers).
  2. Obviously if an exploit did exist, it isn't a simple e-mail. It's a piece of malicious software masquerading as an e-mail that is doing something like flooding the receiving buffer (of your mail gateway) and overwriting parts of the OS in order to gain administrator access.
  3. You don't break into the computer of someone reading their e-mail. You are breaking into the e-mail gateway. This issue doesn't affect you when you pick up your mail (from say mail.mac.com), it affects the server "mail.mac.com" itself. If your machine isn't running a mail gateway, you don't have to worry. Most likely, it is not, because you probably pick up your mail from various POP or IMAP servers that aren't your Macintosh.
  4. 99% of the Macs out there are immune to this vulnerability even if they don't run the update because Apple turns off sendmail by default. This is because most people don't need it (your outgoing e-mail and incoming e-mail, as mentioned above, is usually done through your corporate mailserver or Mac.com or whathaveyou). If you want to enable it (and understand it), then you can check one of many tutorials available on the web. Since Apple provides the software installed as part of your operating system (but turned off), it makes sense that they are obliged to ensure that software is up to date to security issues (in case you have gone through the trouble to turn on that software).
  5. This is a security update inherited from vulnerabilities discovered in an open-source unix package. This doesn't mean unix is inherently less secure than other operating systems--it's just that more vulnerabilities are discovered because the code is subject to review by a lot of people. The vulnerabilities are patched quicker too (one day turnaround between when it was discovered and when the patch was at Apple is not bad at all IMO; some other operating system doesn't get around to their security vulnerabilities for months).

    I hope this helps,

    terry
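
A local check for the point made in items 3 and 4 above, added here as an example and not part of the original post: it tests whether anything answers SMTP on this machine and whether the greeting names Sendmail. The function names, the default of 127.0.0.1 port 25 and the messages printed are assumptions made for the example.

```python
import socket

def classify_banner(raw: bytes) -> dict:
    """Parse the first line of an SMTP greeting. The banner is self-reported
    by the server and can be altered, so treat it as a hint, not proof."""
    text = raw.decode("latin-1").strip()
    line = text.splitlines()[0].strip() if text else ""
    return {
        "banner": line or None,
        "smtp_ready": line.startswith("220"),   # 220 = "service ready" greeting
        "is_sendmail": "sendmail" in line.lower(),
    }

def probe_smtp(host="127.0.0.1", port=25, timeout=3.0) -> dict:
    """Connect to host:port and report whether a mail gateway is listening."""
    result = {"listening": False, "banner": None,
              "smtp_ready": False, "is_sendmail": False}
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            result["listening"] = True
            raw = b""
            try:
                # Read until the first full line arrives or the peer goes quiet.
                while b"\n" not in raw and len(raw) < 1024:
                    chunk = sock.recv(256)
                    if not chunk:
                        break
                    raw += chunk
                sock.sendall(b"QUIT\r\n")       # end the session politely
            except OSError:
                pass                            # timeout or reset: keep what we have
            result.update(classify_banner(raw))
    except OSError:
        pass    # refused or unreachable: nothing is accepting mail here
    return result

if __name__ == "__main__":
    r = probe_smtp()
    if not r["listening"]:
        print("Nothing is listening on 127.0.0.1:25.")
    elif r["is_sendmail"]:
        print("Sendmail is accepting connections; install the update:", r["banner"])
    else:
        print("Port 25 is open:", r["banner"])
```

A machine where sendmail was never turned on reports nothing listening; a host that does answer on port 25 is the case the update is meant for.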
 

davy the bunny

macrumors regular
Jan 9, 2003
156
0
Dallas
MS

Originally posted by AhmedFaisal
Its still better than MS, who don't post security updates with information until the entire www is swamped with viruses and other exploits for the vulnerability.
My 2 cents.

Ahmed:D
I don't think that this statement is entirely true. . . with all of the recent big name viruses (nimda, Code Red and whatever that even more current one was called) it was due to bad practice of users and admins not updating their software. I should just hope that we Mac users are able to trust Apple a bit more than they can trust MS and that maybe we're just a little smarter than those who choose not to update. . .
 

skymaXimus

macrumors regular
Mar 3, 2003
216
0
I have 10.2.3 and the update didn't appear in my auto updates. So, I went on Apple and found the update: http://www.info.apple.com/support/downloads.html. When I tried to install the update, it showed my drives as non-candidates for an install.
My father, on the other hand, has .4 installed on his Pismo and it showed the update in his auto update. I'm guessing you have to have .4
 