Become a MacRumors Supporter for $25/year with no ads, private forums, and more!

MacRumors

macrumors bot
Original poster
Apr 12, 2001
55,035
17,417
Now available in Software Update (as of 5-21-04), Apple released a security update to address the recently exposed security hole that takes advantage of a theoretical vulnerability in the Help Viewer application that could have been exposed when browsing the web.
Security Update 2004-05-24 delivers a number of security enhancements and is recommended for all Macintosh users. This update includes the following components:

HelpViewer

The reason for the mismatch of dates is not known.
 

Freg3000

macrumors 68000
Sep 22, 2002
1,914
0
New York
I dunno I am going to wait to install it. Maybe it is paranoia, maybe it is a typo, but the mistaken date is annoying to me. Maybe Apple accidentally released this early?

Ok fine, i just don't want to break my uptime. :D

Edit: Well, no restarted needed......but I'll still wait. :confused:
 

Stewie

macrumors 6502
Jan 6, 2004
470
295
Austin
Installed without any issues, but I am not sure it is a 100% fix for the problem. Prior to installing the patch if I loaded http://bronosky.com/pub/AppleScript.htm Help.app would start followed by Terminal and would run the 'du' command, which freaked me out when it first happened. After the patch, Help.app still opens, but nothing else happens.

Apple still needs to do some work to tighten up security.
 

Knox

Administrator
Staff member
Jul 1, 2002
1,267
1
UK
eroyce said:
Fast update, and you don't have to restart. Nice fun for a Friday night. :)

Ah, but was it fast, or just fast between public disclosure and the fix? If you believe the author, he told them about it several months ago, so it could be pretty slow.

I dunno about the theoretical part either - there are demonstration exploits for it.
 

cristiana

macrumors newbie
Jul 2, 2003
9
0
wrong date

I think since this patch was released after hours, they just marked it as the 24th, which is the next business day.


Freg3000 said:
I dunno I am going to wait to install it. Maybe it is paranoia, maybe it is a type, but the mistaken date is annoying to me. Maybe Apple accidentally released this early?

Ok fine, i just don't want to break my uptime. :D

Edit: Well, no restarted needed......but I'll still wait. :confused:
 

wtmcgee

macrumors regular
May 21, 2003
127
1
Orlando
hopefully 10.3.4 fully fixes this issue. glad to see apple has fixed the problem (fairly quickly) for the most part.
 

Stewie

macrumors 6502
Jan 6, 2004
470
295
Austin
evoluzione said:
i don't know if i like all these security updates, just reminds of microsoft if you ask me :(

I have seen this comment repeated every time apple puts out a security update and I have no CLUE how the hand-full of security updates put out by apple compares to the dozens & dozens put out by microsoft?

The math just doesn't add up :confused:
 

greg75

macrumors member
Apr 5, 2004
70
0
Yeah, over 2 months is really fast :rolleyes:


Apple's statement claims the company has an "excellent track record of identifying and rapidly correcting potential vulnerabilities," but the German Web designer who discovered the hole says he warned Apple in February and was ignored.

LixelPixel, a Web designer who lives near Munich but asked not to be identified, said he warned Apple of the vulnerability through its Bug Reporter system.

LixelPixel said his server logs show an Apple representative visited his website shortly after. But after waiting 10 weeks for word or action from Apple, he posted a public warning advising users on how to close the hole. The warning prompted Secunia to release its security advisory.

LixelPixel said the decision to go public cost him several sleepless nights, but he felt obliged to warn the Mac community before crackers discovered the vulnerability.
 

johnnyjibbs

macrumors 68030
Sep 18, 2003
2,960
118
London, UK
Security updates normally appear on a Monday. The 24th is a Monday. They just released it prematurely, that's all. Everything fine here.
 

Hugin777

macrumors regular
Aug 1, 2003
102
0
Copenhagen
Stewie said:
Installed without any issues, but I am not sure it is a 100% fix for the problem. Prior to installing the patch if I loaded http://bronosky.com/pub/AppleScript.htm Help.app would start followed by Terminal and would run the 'du' command, which freaked me out when it first happened. After the patch, Help.app still opens, but nothing else happens.

Actually something more happens: a line is written by HelpViewer to console.log containing "Help Viewer[17960] help://runscript called by another application!".

A nice fix for the help:runscript vulnerability. And the telnet: vulnerability may be fixed in 10.3.4, according to some.

But y'all still need the Paranoid Android to surf safely (or just ignore the risk as I do ;) ) until Apple fixes a newly discovered vulnerability: Unsanity whitepaper.
 

Mudbug

Administrator emeritus
Jun 28, 2002
3,848
1
North Central Colorado
apparently terminal is updated too

On my beige box G3 running 10.2.8, my security update type reads like this:
Security Update 2004-05-24 delivers a number of security enhancements and is recommended for all Macintosh users. This update includes the following components:

HelpViewer
Terminal

Interesting - probably a fix for something in 10.2.x since it didn't show in 10.3.3
 

greg75

macrumors member
Apr 5, 2004
70
0
7on said:
Here's Microsoft's

Though remember, Service Packs are a collection of security updates.

Actually, Service Packs contain security updates as well as other updates.


Game stops responding/quits unexpectedly when Introductory video is played - Home Edition only- Added 23/11/2002.

Problems with InterVideo DVD software - Added 9/12/2002.

Preview is unavailable in Fax Console - Added 9/12/2002.

Nice try though.
 

Hugin777

macrumors regular
Aug 1, 2003
102
0
Copenhagen
Mudbug said:
On my beige box G3 running 10.2.8, my security update type reads like this:
[..]
Interesting - probably a fix for something in 10.2.x since it didn't show in 10.3.3

Or maybe Apple thinks we on Panther can wait for 10.3.4 - and we sure can. The telnet: exploit is not very likely to be exploited; what fun is it to just be able to delete a random (named) file from another computer ?
 
Register on MacRumors! This sidebar will go away, and you'll see fewer ads.