Mac OS X Security Update 2004-05-03

[phetish]

Killed my 10.3.3

Equipment: Dual USB iBook 600/256MB/Airport - 10.3.3 - 9.2.2

Here's what happed:

Installed the update (while doing/running many other programs) and while/after "optimizing" it locked up and froze hard. 😱

Held down the power button to shutdown/reboot

Rebooted repeatedly, couldn't get past the apple/ spinning clock thing at boot up.

Reset PRAM - no change

Reset NVRAM - no change

Could not boot in "Verbose" mode.

Booted from Panther Install CD

Used "Change Startup Disk" to set 10.3.3 as the startup OS

Rebooted in "Verbose" mode - started Booting

Froze on "Starting Virtual Memory" - tried twice

Booted from Panther CD - "Change startup disk" to Classic OS

Booted Fine...

AAARRRGGGGHHHHH!

 

[7on]

So I installed the Update and my computer beeped. Then it booted up as normal. Oh it wasn't the chime, it beeped then chimed (like a 3 second delay between the two). Startled me at first and it has done it at least once before. Any ideas?

(PS. All seems well when I boot too)

 

[iMeowbot]

Apple should be able to do the same thing and upgrade most components (except for the kernel and file-system drivers) without a reboot. For everthing else, they should be able to just restart the affected service - even the Finder.

The hard part comes in with dynamically loaded shared code used by third-party software. They're probably hoping to avoid support calls involving two instances of a program running concurrently with different versions of the same libraries sitting around -- just try to reproduce that one!

As always, there's softwareupdate(8) which leaves the rebooting task to the user, for those who know for certain what's affected and want more control over the process.

 

[iBook]

I don't understand why people get upset about these updates.

Seems like the anger should be directed toward the people who try to exploit the OS gaps these updates plug. Also, these updates demonstrate that Apple is continuously working on OS X and making it better.

 

[rainman::|:|]

I don't understand why people get upset about these updates.

Seems like the anger should be directed toward the people who try to exploit the OS gaps these updates plug. Also, these updates demonstrate that Apple is continuously working on OS X and making it better.

The point of contention seems to have originated when Apple started calling all minor subsystem updates "security updates", making it sound like there's a virus loose, when it's simply a matter of upgrading to the latest version of CUPS (printing subsystem) or something equally trivial to most users. i think Apple renamed the updates to provide more of a uniform appearance to the casual user, and making it more obvious that "hey, you should download this, stupid". But they leave the details of what subsystems are affected, so you can choose not to install the update until later.

People don't like restarting, because when X became stable (Jaguar for most), and based on an operating system that was designed to run for years without a reboot, it's an annoyance that's rather uncommon. I mean, you could have a document open for weeks, then have to find a place to save and file it when you reboot, trivial stuff like that. People, in other words, are too pampered today 🙂

paul

 

[raynegus]

Installed on 20" iMac 10.3.3 with no problems here. iTunes 4.5 is nice too. I don't know why people have a problem with these updates. I have always installed new updates when they become available and have yet to have a problem (knock on wood).

I always restart, run MacJanitor and repair permissions before installing new software. I don't know if this helps anything or not, it's just a routine I do. Restarting is not that hard people.

Or maybe the complainers are Windoze trolls, who knows.

 

[SiliconAddict]

Reality check time for all those trashing Windows without having a clue. The patch for this was released on April 13th. The RPC vulnerability that spawned the dreaded Blaster? A full solid 2 months. Virus writers learn about these vulnerabilities when Microsoft releases a patch and creates a worm accordingly. The last 4 or 5 major worms have operated this way: All in response to MS releasing a patch. If people would do two things worms would be highly neutered:
1. Enable a firewall – Just about every worm breaks into a system through an open port. A simple firewall neuters a worm to the point that you don’t even need to apply the patch. God knows I don’t. I patch and reboot my system once every 2 months or so. People act like it’s the end of the freaking world if they have to reboot. Why? Does it really take OS X that long to boot? My XP system takes about 10 second to shut down and 17 second to boot. All told less then 30 second. 😱 Oh god! The computer is down for 27 seconds! I might have missed a spam sent to my e-mail account!!
2. Enable Auto-Updates – Patches shouldn’t be this pervasive and critical but reality is that they are for Windows. Anyone with broadband this really is a non-issue. (Last I heard 60% of the US is broadband enabled.) But for the rest downloading a 3-20MB file once a month is painful. Consequently MS is coming out with Delta installs in SP2 of XP. This is a new tech that will allow installs of specific code instead of needing to overwrite specific files. This should, from what I’ve read, decrease update sizes by 60% or greater. But for the rest auto updates would take care of any security related matters weeks before it becomes a critical nightmare.

As for patches in OS X. Another reality check folks. OS X is NOT a perfect OS. There are going to be patches. This is the reality of just about any OS. Your concern shouldn’t be if Apple is releasing a patch but how timely they release a patch. The longest MS has gone in creating a patch is 200 days. Usually much less but 200 days is asinine. From what I understand with Apple its a matter of weeks if not days. IMHO that is a major accomplishment on their part.

 

[SiliconAddict]

The point of contention seems to have originated when Apple started calling all minor subsystem updates "security updates", making it sound like there's a virus loose, when it's simply a matter of upgrading to the latest version of CUPS (printing subsystem) or something equally trivial to most users. i think Apple renamed the updates to provide more of a uniform appearance to the casual user, and making it more obvious that "hey, you should download this, stupid". But they leave the details of what subsystems are affected, so you can choose not to install the update until later.
paul

Security updates do just that. Enhance the security of an OS. No one ever said anything about a virus and to assume its virus or worm related is just dumb. It could just as easily be for securing the OS from a hack attack.
For CUPS it’s a good possibility that since there is an active port associated with CUPS that there is/was a security vulnerability that was fixed in the update. Possibly a buff overflow or some other security elevation flaw.

 

[shamino]

The hard part comes in with dynamically loaded shared code used by third-party software. They're probably hoping to avoid support calls involving two instances of a program running concurrently with different versions of the same libraries sitting around -- just try to reproduce that one!

True. But most of these kinds of problems could be solved by simply forcing a logout (or simply forcing you to quit apps, the way installers for classic versions of OS used to do.)

The big problem with rebooting isn't the time, but the fact that it takes background services off line.

My G4 at home is running BIND to act as a name server for the rest of my LAN. (I have six computers on the LAN, and keeping /etc/hosts in sync for them all is a real pain in the neck). It also runs apache to serve up certain files that I use from all over my LAN (like my browsers' home page and an ad-blocking proxy-autoconfig file). When this computer goes down, even if only for a minute or two, the other computers on the LAN are all affected.

If you have several people in your house using the network at once, this interruption annoys them all. During the shutdown/restart period, they can't access the internet because DNS is off-line.

This can be a major annoyance if it happens too often. A solution that allows the update without a restart, even if it forces you to quit all your apps or logoff, won't cause this kind of interruption. Even if the update requires restarting BIND and Apache, it's better - those apps can be restarted in a second or two, whereas a full shutdown/restart takes several minutes.

When a computer is acting as a server for other computers, downtime is bad. The more clients you have, the worse it gets. An upgrade solution that doesn't take your server processes down, or takes them down for only a second or two, is better than a solution that takes them down for minutes.

Where I work, the UNIX boxes rarely, if ever, get restarted. When upgrades are performed, most of the network never even realizes it. When one of the Windows servers gets upgraded, however, we all find out, because the restart causes us to lose all kinds of basic network connectivity (like e-mail and login authentication) for several minutes.

 

[donniedarko]

These are becoming as frequent as M$ patches!

not quiet.....??!!

 

[ebow]

True. But most of these kinds of problems could be solved by simply forcing a logout (or simply forcing you to quit apps, the way installers for classic versions of OS used to do.)

The big problem with rebooting isn't the time, but the fact that it takes background services off line.

My G4 at home is running BIND to act as a name server for the rest of my LAN. (I have six computers on the LAN, and keeping /etc/hosts in sync for them all is a real pain in the neck). It also runs apache to serve up certain files that I use from all over my LAN (like my browsers' home page and an ad-blocking proxy-autoconfig file). When this computer goes down, even if only for a minute or two, the other computers on the LAN are all affected.

If you have several people in your house using the network at once, this interruption annoys them all. During the shutdown/restart period, they can't access the internet because DNS is off-line.

This can be a major annoyance if it happens too often. A solution that allows the update without a restart, even if it forces you to quit all your apps or logoff, won't cause this kind of interruption. Even if the update requires restarting BIND and Apache, it's better - those apps can be restarted in a second or two, whereas a full shutdown/restart takes several minutes.

When a computer is acting as a server for other computers, downtime is bad. The more clients you have, the worse it gets. An upgrade solution that doesn't take your server processes down, or takes them down for only a second or two, is better than a solution that takes them down for minutes.

Where I work, the UNIX boxes rarely, if ever, get restarted. When upgrades are performed, most of the network never even realizes it. When one of the Windows servers gets upgraded, however, we all find out, because the restart causes us to lose all kinds of basic network connectivity (like e-mail and login authentication) for several minutes.

I agree that Apple should get more sophisticated about reinitializing certain services and functions vs. rebooting the entire system. But for the at-home situation you described...

No one said you have to install these updates and reboot during the peak working times. Network maintenance should take place when few or no users will be affected (often late in the evening or early in the morning at a workplace, but mid-day might make more sense if home users are most active in the morning and evening). Futhermore, if you're concerned about keeping your user workstation as immediately up-to-date as possible, then the same computer shouldn't be used as a server as well. (That's probably not economically realistic for you, but technically it's sound.) Basically, if you're using your workstation as a server, you have to be prepared to maintain it like a server--namely at a time that won't impact your users but might not be convenient for you.

 

[icon4x]

switching for all the right reasons

I am waiting for my new G5 to arrive... fedex says Monday. I started out on an Apple II GS when I was a kid, and then an Apple Mac Classic, then Windows has ruled my life for the past 6 years. I am switching back from MS to Apple for all the reasons described in this thread. My old system is a Win 98 Compaq Presario, 192 M RAM, 300 MHZ PII processor.... don't even know what the bus is.. think it's probably in the 60's. I like to keep my apps up to date (Photoshop, Flash, Audio editing stuff, etc.), but my computer is reaching the limit of these apps...

I have never ever had a virus, worm, or security problem running Win 98 (keeping my patches up to date, and using the free Zone Alarm firewall and Adaware to keep the system clean.). The new Win OS's are swiss cheese, which is why I have never upgraded computers or OS's. Win ME is by far the worst of the bunch, but now I am starting to think that XP is not much better. There should be class-action law suits against Windows for the security problems they create. ALL of their security problems come from unnecessary, stupid "enhancements" to their OS. You don't see that with Apple, so much.

I can't wait to switch over to Apple, OSX, and leave MS, it's security problems, and their "enhancements" far behind. Because OSX is Unix based, they are probably vulnerable to a TCP exploit that has been exposed (so is Cisco IOS, other UInix OS's, and anything else using the ISA TCP standards). I immagine this security update for MAC OS addresses that. There is a difference in having your OS create holes in your system, and an exploit being found in an industry wide standard.

 

[wdlove]

I appreciate that Apple continues to refine OS X. Don't mind rebooting either, just figured that they have a good reason for this process. I usually run repair permissions after installations.

 

[SiliconAddict]

I have never ever had a virus, worm, or security problem running Win 98 (keeping my patches up to date, and using the free Zone Alarm firewall and Adaware to keep the system clean.). The new Win OS's are swiss cheese, which is why I have never upgraded computers or OS's. Win ME is by far the worst of the bunch, but now I am starting to think that XP is not much better. There should be class-action law suits against Windows for the security problems they create. ALL of their security problems come from unnecessary, stupid "enhancements" to their OS. You don't see that with Apple, so much.

*sighs* small bit of info. All these big bad security holes and their associated patches have had to be applied to NT, 2000, XP, and 2003 (ME is still Win9x not NT based.) which means blaming all these enhancements for the security flaws is BS. These security flaws are 10+ years old. The fact is that its only NOW that MS has started dealing with them and consequently they have had to deal with 4 iterations of the problem. Other then craptastic programming this shows that adding features doesn't always make a system less secure. It sure as heck doesn't help (Standard sec concept. More services running = Greater risk of exposure.) but its not a security killer. Where the problem lies is with the number of services MS has running by default. Last I checked it was close to 40. They give you everything out of the box and there is your big sec hole. Apple on the other hand has minimum services running with an easy interface to turn them on if/when you need them. I think MS is learning this lession since SP2 for XP will disable a whole hose of services that are usually only needed in a corp environment.

Also claiming that 9x is better then NT is like claiming DOS is better then 9x. With a more robust architecture comes more complex code which can lead to mistakes of which MS has made a LOT. I'm not going to apologize for sloppiness of MS code but claiming that 9x is better then NT is er...how do I say this tactfully....Lame. Honestly I’d rather give up computing altogether then go back to 9x.

 

[DavidCar]

Waiting to upgrade

After reading some reports here of people having problems with this security upgrade on an iBook, I am hesitant to update my Dual USB iBook 600/256MB - 10.3.3 - 9.2.2 until I hear something more favorable.

 

[icon4x]

*sighs* small bit of info. All these big bad security holes and their associated patches have had to be applied to NT, 2000, XP, and 2003 (ME is still Win9x not NT based.) which means blaming all these enhancements for the security flaws is BS. ... More services running = Greater risk of exposure.) but its not a security killer. Where the problem lies is with the number of services MS has running by default. Last I checked it was close to 40. They give you everything out of the box and there is your big sec hole.

Sure. When an application is bundled in with the OS, and that application creates a hole, you are right... the OS should not be blamed, the stupid people who put that application in the bundle without testing its security impact should be blamed. As far as what to blame on the OS, there is plenty of other stuff.

Also claiming that 9x is better then NT is like claiming DOS is better then 9x. With a more robust architecture comes more complex code which can lead to mistakes of which MS has made a LOT. I'm not going to apologize for sloppiness of MS code but claiming that 9x is better then NT is er...how do I say this tactfully....Lame. Honestly I’d rather give up computing altogether then go back to 9x.

I didn't claim that 9x was better than NT. I don't know enough about NT to make that claim. All I was saying is that in 6 years I've never had a security problem with my 98 system, granted I've done a lot of work and research securing it. I know many people with security problems on XP (people who know a thing or two about 'puters). ME was probably the worst OS (or should I say OS bundle) security wise M$ has ever released.

Anyway, this is an Apple discussion board. I won't say any more about Windows and M$. I am switching over, and looking forward to it. I can't wait to start using OSX.

 

[JFreak]

Also claiming that 9x is better then NT is like claiming DOS is better then 9x.

no - claiming that 9x is better than nt is like claiming cp/m is better than dos.

(actually the 9x is not even an operating system but rather a gui for dos.)

 

[JFreak]

I Don't mind rebooting either, just figured that they have a good reason for this process.

i do mind, and no, they don't have a good reason if they are not making updates to kernel or file system of the boot drive. these are the only two good reasons to boot a unix system.

 

[bousozoku]

no - claiming that 9x is better than nt is like claiming cp/m is better than dos.

(actually the 9x is not even an operating system but rather a gui for dos.)

CP/M was better (more flexible) than DOS. 🙂 Win9x was not better than WinNT.

 

[iBot]

Mail and Safari trouble after installing update...

I installed the latest Panther security update yesterday. Today my Mail and Safari applications have stopped working. They appear to open, but no window shows up on the screen. I can still access the command menu in each program, but the command for open new window in each app doesn't work.

Anyone else encounter this problem after yesterday's update? 🙁

 

[JFreak]

CP/M was better (more flexible) than DOS. 🙂 Win9x was not better than WinNT.

cp/m was better than dos until ms released v5.0 which btw drove ibm crazy. and as i stated before, 9x is only a gui for dos and definetely worse than nt. hell, dos isn't even an operating system (as the definition goes) but nt is - and remember, NT was not written by microsoft, but instead has inherited A LOT of vms vax code.

 

[bousozoku]

cp/m was better than dos until ms released v5.0 which btw drove ibm crazy. and as i stated before, 9x is only a gui for dos and definetely worse than nt. hell, dos isn't even an operating system (as the definition goes) but nt is - and remember, NT was not written by microsoft, but instead has inherited A LOT of vms vax code.

IBM also released their own version 5, which wasn't much different. 😉 Some of the CP/M device names were archaic at the time since we had gone away from paper tape. Writing a communications application required using PUN: and RDR: if you were using CP/M-80 v2.2. 😀

As far as WinNT not being written by Microsoft or having Vax/VMS code in it, this is the first I've heard of it. A lot of NT was derived from IBM's OS/2 design, which was a miniature version of IBM's VM/CMS. In fact, many of the original error messages in WinNT 3.51 were OS/2 messages. 😀 MS also manipulated the Mach kernel to meet their needs and changed the kernel again in WinNT 4.0 to add the graphics subsystem since the graphics performance was substandard.

 

[JFreak]

As far as WinNT not being written by Microsoft or having Vax/VMS code in it, this is the first I've heard of it. A lot of NT was derived from IBM's OS/2 design, which was a miniature version of IBM's VM/CMS. In fact, many of the original error messages in WinNT 3.51 were OS/2 messages. 😀 MS also manipulated the Mach kernel to meet their needs and changed the kernel again in WinNT 4.0 to add the graphics subsystem since the graphics performance was substandard.

well, do the research, it is true - microsoft has never written an operating system by themselves 🙂 they bought dos and asked ibm to write os/2 but didn't want to market it when it was about to be finished. their latest - the NT - is an interesting story, because they had many companies together writing the os for them (and for that reason nt initially supported many cpu architechtures, the feature later dropped by microsoft). in addition to a great deal of vax code there must have been a lot of os/2 code because ibm was also developing it at that time, plus one of the companies involved were digital, which brought a lot of insight in memory handling.

microsoft is not a software company. it is a marketing house. it does pretty damn good job in marketing somebody else's products as its own 😉

 

[Felix_the_Mac]

the point is half the people in uni have their computers shot to hell with this new virus and im here, no virus protection, no firewall, and happy as a june bug

I feel smug that (currently) I am not plagued by viruses, you seem to feel the same way.

However, I have my firewall turned ON and any unnecessary services disabled.

I don't wish to be rude, however not using simple (& free) steps to protect yourself is not sensible.

Please, everybody, turn your firewalls on. Collectively this will allow us all to stay smug for longer 🙂.

(i.e. with our firewalls on it will be much harder for some evil spotty faced kid to cause us misery).

Everybody Else:
Please, prettty please, take your discussion of Windows to a more appropriate location. As a recent switcher, I find that it gives me nightmares.

 

[iHack]

no - claiming that 9x is better than nt is like claiming cp/m is better than dos.

(actually the 9x is not even an operating system but rather a gui for dos.)

<sarcasm>
(and actually the OS X is not even an operating system but rather a gui for FreeBSD)
</sarcasm>

Jeez, I thought i had seen the last of these "it's an OS/it's a gui" discussions around '96/'97. It's pointless.