Got a tip for us?
Let us know
Become a MacRumors Supporter for $50/year with no ads, ability to filter front page stories, and private forums.
Mac OS X Security Update 2003-11-19
- Thread starter MacRumors
- Start date
- Sort by reaction score
check it
I'm sorry but I just thought this was amusing. I know some people have gone off on the recent updates to 10.3 but I just installed Windows XP Corp Edition under Virtual PC and after I ran Software Update it said there was 45 (forty-five) "Critical Updates and Services Packs."
Lets rethink this rash response to Apple updates.
I'm tickled with amusement.
I'm sorry but I just thought this was amusing. I know some people have gone off on the recent updates to 10.3 but I just installed Windows XP Corp Edition under Virtual PC and after I ran Software Update it said there was 45 (forty-five) "Critical Updates and Services Packs."
Lets rethink this rash response to Apple updates.
I'm tickled with amusement.
One ot two security updates, a few less crtitical software patches. Welll big deal.
I have a home built, ultra stable (researched every component for stability before purchase) win XP pro machine at home. It's not quite as rock solid as my macs but it's close. BUT every time I check for updates, there are literally dozens, some are critical, some are recommended, and some are just new small apps for beta testing. At this stage you have 2 options, install all, which may require 2 or 3 restarts ( some critical updates need restart after installing each one) or manually go through the list and check what the update is for, whether you even need it for your particular setup and whether the new app/feature is something you want to risk messing up your system for.
Given thats what apple's competition is (not unix), what is the beef about. I'm perfectly happy for my occasional osX update which is usually preselected for my particular system, and occasionally needs only one restart.
Unless you use (and maintain) both systems, its' easy to forget how good the mac, and more recently os X, actually is.
I have a home built, ultra stable (researched every component for stability before purchase) win XP pro machine at home. It's not quite as rock solid as my macs but it's close. BUT every time I check for updates, there are literally dozens, some are critical, some are recommended, and some are just new small apps for beta testing. At this stage you have 2 options, install all, which may require 2 or 3 restarts ( some critical updates need restart after installing each one) or manually go through the list and check what the update is for, whether you even need it for your particular setup and whether the new app/feature is something you want to risk messing up your system for.
Given thats what apple's competition is (not unix), what is the beef about. I'm perfectly happy for my occasional osX update which is usually preselected for my particular system, and occasionally needs only one restart.
Unless you use (and maintain) both systems, its' easy to forget how good the mac, and more recently os X, actually is.
Re: check it
Yeah... I am updating my office machines right now (cheap Dell's). They come with XP Professional with Service Pack 1a and there were 13 critical updates, 15 XP updates (directx, WMP 9, etc), and 1 driver update (video chipset). Not to mention the updates that Norton 2003 anti-virus needs (7 I believe). Turning off directory sharing, changing the default workgroup name, etc etc. It takes a while to get these things up and running.
I think you guys are missing the point.
There is no need to restart; that is if Apple spent some effort implementing a restart of any shared components that are updated. Instead they implemented the low energy path. It's not a feature that sells more personal copies, but that's high on the list when administering a server.
Look at other Unix systems with package managers... none of them require a reboot unless the kernel itself is patched. I don't care about Windows, Apple says they have UNIX, and UNIX was designed so you didn't have to restart it for any library changes. Windows is not UNIX, and used to require a restart if you changed the network address.
It's a small gripe, I admit, but Apple doesn't have to reinvent the wheel, it's pretty much already there for them to use in BSD.
-Wyrm
There is no need to restart; that is if Apple spent some effort implementing a restart of any shared components that are updated. Instead they implemented the low energy path. It's not a feature that sells more personal copies, but that's high on the list when administering a server.
Look at other Unix systems with package managers... none of them require a reboot unless the kernel itself is patched. I don't care about Windows, Apple says they have UNIX, and UNIX was designed so you didn't have to restart it for any library changes. Windows is not UNIX, and used to require a restart if you changed the network address.
It's a small gripe, I admit, but Apple doesn't have to reinvent the wheel, it's pretty much already there for them to use in BSD.
-Wyrm
Well, the funny thing is Apple is doing exactly what everybody wants; giving them a choice.
The people that want the simple install and reboot can use software update.
The more advanced users who know what to restart, or want to remotely administer their OSX server machines can do:
sudo softwareupdate -i SecurityUpd2003-11-19-1.0
Then manually restart the required deamons.
Too easy and everyone's happy.
The people that want the simple install and reboot can use software update.
The more advanced users who know what to restart, or want to remotely administer their OSX server machines can do:
sudo softwareupdate -i SecurityUpd2003-11-19-1.0
Then manually restart the required deamons.
Too easy and everyone's happy.
I agree it's a lazy approach by apple - having restart as the default action on some updates.
But I use unix servers at work on mission critical medical apps. true they don't need to be rebooted BUT they do slow down over time (usually a matter of 6-8 days), and it's always obvious when there's been a long time between reboots. So forgive me for not buying all the hype about standard unix, I use unix servers every day and the situation I've described has been true for every machine in every department I've worked in for the last 5 years.
Sure no reboot would be nice, and as already described, for those to whom this is important, there is already that option via terminal. However I'm sure most people are like me - I want a stable bug free responsive os all of the time, and don't mind the occassional 90 second reboot in order to achieve this.
But I use unix servers at work on mission critical medical apps. true they don't need to be rebooted BUT they do slow down over time (usually a matter of 6-8 days), and it's always obvious when there's been a long time between reboots. So forgive me for not buying all the hype about standard unix, I use unix servers every day and the situation I've described has been true for every machine in every department I've worked in for the last 5 years.
Sure no reboot would be nice, and as already described, for those to whom this is important, there is already that option via terminal. However I'm sure most people are like me - I want a stable bug free responsive os all of the time, and don't mind the occassional 90 second reboot in order to achieve this.
What version of unix and what are you running on the servers? That really sounds like a userspace problem to me.
I've had OpenBSD servers with a year's uptime that are still as snappy as they day they were installed.
I've got a Solaris Oracle server here that gets hammered all the time, and I just checked it's got an 86 day uptime with nary a problem.
Originally posted by stcanard
install
type "man softwareupate" and all your questions will be answered
-i is install
-l is list (so you can see what needs to be updated).
Is that just in Panther? Otherwise it's unnecessary. No argument generates a list, and any arguments get installed.
You know that Blaster worm that decimated windows back in September or was that late August? Anyways. The patch for that was released in July. Microsoft generally does release timely patches. Its just that no one bothers to applies them. (With good reason because I've had some of these patches break systems. ) *coughs*10.2.8*coughs*
I'm not defending MS. I'm not persecuting MS. I'm just stating what is.
Re: Re: check it
You have just given the reason I've handed out to everyone who has said "Ick...why do you want a Mac"
I deal with Windows 2K machines day in day out at work. I deal with their quirks at home. I want to stop tweaking a machine and start using it. I've got a bloody white paper 6 pages long on how to tweak XP to secure the system. You shouldn't have to go through 6 pages of tweaks to make a system functional!
Wait. I'm preaching to the converted. Never mind.
Originally posted by iPC
It takes a while to get these things up and running.
You have just given the reason I've handed out to everyone who has said "Ick...why do you want a Mac"I deal with Windows 2K machines day in day out at work. I deal with their quirks at home. I want to stop tweaking a machine and start using it. I've got a bloody white paper 6 pages long on how to tweak XP to secure the system. You shouldn't have to go through 6 pages of tweaks to make a system functional!
Wait. I'm preaching to the converted. Never mind.
Here's interesting... funny, I thought you were giving Apple until the 26...
http://www.securitytracker.com/alerts/2003/Nov/1008239.html
By the way, for some reason, it doesn't work on my iBook. Bit more thorough testing anyone?
http://www.securitytracker.com/alerts/2003/Nov/1008239.html
By the way, for some reason, it doesn't work on my iBook. Bit more thorough testing anyone?
So, someone needs to have physical access to your machine and be able to get to Terminal.app within 10-20 seconds of waking from standby to do this, if I'm reading it right.
I'll try it on my laptop at home and see. I have a feeling that Panther's password on waking from standby is going to make this a moot point.
I'll try it on my laptop at home and see. I have a feeling that Panther's password on waking from standby is going to make this a moot point.
Originally posted by GeeYouEye
Here's interesting... funny, I thought you were giving Apple until the 26...
http://www.securitytracker.com/alerts/2003/Nov/1008239.html
By the way, for some reason, it doesn't work on my iBook. Bit more thorough testing anyone?
Apple does have till the 26th. That is a known problem with sudo really. Not terminal.app. The problem i speak of is not the above.
Originally posted by GeeYouEye
Here's interesting... funny, I thought you were giving Apple until the 26...
http://www.securitytracker.com/alerts/2003/Nov/1008239.html
By the way, for some reason, it doesn't work on my iBook. Bit more thorough testing anyone?
There's something to be said about priorities. The exploit that you posted a link too requires a local presence. I think this would be considered low on the totem pole vs. an exploit that can be accomplished remotely. You can bet Apple is compiling a list of exploits and most likely triaging them in a LOW - MEDIUM - CRITICAL scheme.
Re: Re: Re: check it
If you have that 6 page paper on your computer now, could you possibly send it to me? I'm interested in reading over it
PM me if you're able to send it so I can give you my email address
Originally posted by SiliconAddict
I deal with Windows 2K machines day in day out at work. I deal with their quirks at home. I want to stop tweaking a machine and start using it. I've got a bloody white paper 6 pages long on how to tweak XP to secure the system. You shouldn't have to go through 6 pages of tweaks to make a system functional!
Wait. I'm preaching to the converted. Never mind.
If you have that 6 page paper on your computer now, could you possibly send it to me? I'm interested in reading over it
PM me if you're able to send it so I can give you my email address
Re: Re: Re: check it
Either that or you are describing "hell"..
-Wyrm
Originally posted by SiliconAddict
I deal with Windows 2K machines day in day out at work. I deal with their quirks at home. I want to stop tweaking a machine and start using it. I've got a bloody white paper 6 pages long on how to tweak XP to secure the system. You shouldn't have to go through 6 pages of tweaks to make a system functional!
Wait. I'm preaching to the converted. Never mind.
Either that or you are describing "hell"..
-Wyrm
The update details if your curious:
Security Update 2003-11-19 for Mac OS X 10.3:
* OpenSSLzlib: Fixes CAN-2003-0851. Parsing particular malformed ASN.1 sequences are now handled in a more secure manner.
* zlib "gzprintf()" function: Addresses CAN-2003-0107. While there were no functions in Mac OS X that used the vulnerable gzprintf() function, the underlying issue in zlib has been fixed to protect any third-party applications that may potentially use this library.
Security Update 2003-11-19 for Mac OS X 10.2.8:
* gm4: Fixes CAN-2001-1411. A format string vulnerability in the gm4 utility. No setuid root programs relied on gm4 and this fix is a preventive measure against a possible future exploit.
* groff: Fixes VU#399883 where the groff component pic contained a format-string vulnerability.
* Mail w/CRAM-MD5 authentication: Fixes CAN-2003-0881. The Mac OS X Mail application will no longer fall back to plain text login when an account is configured to use MD5 Challenge Response.
* OpenSSL: Fixes CAN-2003-0851. Parsing particular malformed ASN.1 sequences are now handled in a more secure manner.
* Personal File Sharing: Fixes CAN-2003-0878. When Personal File Sharing is enabled, the slpd daemon can no longer create a root-owned file in the /tmp directory to gain elevated privileges.
* QuickTime for Java: Fixes CAN-2003-0871. A potential vulnerability that could allow unauthorized access to a system.
* zlib "gzprintf()" function: Addresses CAN-2003-0107. While there were no functions in Mac OS X that used the vulnerable gzprintf() function, the underlying issue in zlib has been fixed to protect any third-party applications that may potentially use this library.
Security Update 2003-11-19 for Mac OS X 10.3:
* OpenSSLzlib: Fixes CAN-2003-0851. Parsing particular malformed ASN.1 sequences are now handled in a more secure manner.
* zlib "gzprintf()" function: Addresses CAN-2003-0107. While there were no functions in Mac OS X that used the vulnerable gzprintf() function, the underlying issue in zlib has been fixed to protect any third-party applications that may potentially use this library.
Security Update 2003-11-19 for Mac OS X 10.2.8:
* gm4: Fixes CAN-2001-1411. A format string vulnerability in the gm4 utility. No setuid root programs relied on gm4 and this fix is a preventive measure against a possible future exploit.
* groff: Fixes VU#399883 where the groff component pic contained a format-string vulnerability.
* Mail w/CRAM-MD5 authentication: Fixes CAN-2003-0881. The Mac OS X Mail application will no longer fall back to plain text login when an account is configured to use MD5 Challenge Response.
* OpenSSL: Fixes CAN-2003-0851. Parsing particular malformed ASN.1 sequences are now handled in a more secure manner.
* Personal File Sharing: Fixes CAN-2003-0878. When Personal File Sharing is enabled, the slpd daemon can no longer create a root-owned file in the /tmp directory to gain elevated privileges.
* QuickTime for Java: Fixes CAN-2003-0871. A potential vulnerability that could allow unauthorized access to a system.
* zlib "gzprintf()" function: Addresses CAN-2003-0107. While there were no functions in Mac OS X that used the vulnerable gzprintf() function, the underlying issue in zlib has been fixed to protect any third-party applications that may potentially use this library.
