i'm trying to decide how i feel about this. it seems that most windows updates come while some sort of imminent danger is presently being passed around. so far this has been the only mac update that fixes something that i knew about. usually it's, oh there was a security problem? on top of that there was no imminent danger, just the possibility of one. yeah i think apple's pretty good about it.
 
Phew, I'm just glad the insanity surrounding that single vulnerability is over. ;)

I like how they called it a theoretical threat when it was clearly a threat that could have been exploited. In fact, I'm very surprised that nobody created something harmful. I mean, the hole was all over the net, and since someone actually created a pseudo-"virus" that could have theoretically harmed your computer if the creator wanted to, nobody bothered to do it. I guess us Mac users aren't self destructive enough to harm each other's computers. :cool:
 
greg75 said:

That was an impressive list, but 1 vulnerability doesn't equal 1 security update does it?

Here is my software update log (well, I removed the software updates and only left the security updates):

...
2004-04-17 18:57:07 -0400: Installed "Mac OS X Update Combined" (10.3.3)
....
2004-04-17 19:12:04 -0400: Installed "Security Update 2004-04-05" (1.0)
...
2004-05-04 01:25:45 -0400: Installed "Security Update 2004-05-03" (1.0)
2004-05-21 20:21:17 -0400: Installed "Security Update 2004-05-24" (1.0)

The last time I built an XP box (about 2 months ago) there were over 30 fixes I had to download. However I am sure that the 10.3.3 contains multiple updates, but it is only 1 file. I wouldn't mind the Microsoft patches so much if they were combined. Nothing I hate more when doing a new install than downloading and installing all of the fixes from Microsoft only to reboot and find 10+ more that I need to install.
 
Mudbug said:
On my beige box G3 running 10.2.8, my security update type reads like this:


Interesting - probably a fix for something in 10.2.x since it didn't show in 10.3.3
Yes, there are separate updates for 10.2 and 10.3, and Terminal has a fix in the 10.2 version.

Oddly, this post claimed that the demonstration of the vulnerability didn't work under 10.2. I wonder if that's true and why.
 
The MS logic

Learn it well:

1. Windows has continual and major problems.

2. But no OS is ever perfect.

3. Mac OS is not perfect

4. Therefore Windows is just as good as Mac OS.

5. Therefore Windows is better than Mac OS.

QED.

Been seeing that "logic" around a LOT lately. Watch for it :)
 
what was the problem?

I'm new to mac and I just downloaded the security update on my 5 day old powerbook. What's the problem that this fixed that I just downloaded? :confused:
 
Kudos to Apple

:)
OK this has been 2 months since someone has reported the vulnerability and less than a week since it has become an issue in the press. Apple has applied a fix to the vulnerability and it works (I tested it). Thanks for the update. In the future, would our dear friends at Apple please get to the next one before the press manufactures a crisis and make items like these a non-issue.

Joe Daddy
CISSP
 
zach007 said:
I'm new to mac and I just downloaded the security update on my 5 day old powerbook. What's the problem that this fixed that I just downloaded? :confused:

Zach,

This fixed a vulnerability that could have enabled someone to execute malicious code. It is a fix worth applying. To date only proof of concept code has been produced by concerned Applites. You are safe for the moment so enjoy your new Mac. ;)
 
hooray for no restart and for it being small, I mean I'm on dial up and it's less than a gig. That rules. Kudos apple.
 
Since help files are mostly html based, why is it an issue that the system allows a help: URI to open help viewer? It is used in various applications to link from documentation, tutorials, and such to open the help viewer. If it can't be used to do something malicious, then it isn't a security problem.

Stewie said:
Installed without any issues, but I am not sure it is a 100% fix for the problem. Prior to installing the patch if I loaded http://bronosky.com/pub/AppleScript.htm Help.app would start followed by Terminal and would run the 'du' command, which freaked me out when it first happened. After the patch, Help.app still opens, but nothing else happens.

Apple still needs to do some work to tighten up security.
 
The problem comes from links that say help:runscript. These links can run any script on your system. Among those scripts is one (of hundreds) that can run any application on your system. When used in combination with one of several other possible things, visiting a web page can result in the automatic execution of a malicious application.

This fix seems to prevent any application except Help Viewer from using help:runscript links.

saint.duo said:
Since help files are mostly html based, why is it an issue that the system allows a help: URI to open help viewer? It is used in various applications to link from documentation, tutorials, and such to open the help viewer. If it can't be used to do something malicious, then it isn't a security problem.
 
Now if this was Microsoft you would have half the world NOT patch their systems and a virus would come out in 2 weeks decimating the unpatched systems and Microsoft would still get blamed for..er...for...oh ya releasing a...er....patch. Never mind, it's Apple so it doesn't apply. Where was I....Oh ya...Apple rocks! ;) :)

One thing can be said to Apple's credit. They release patches DAMN fast. But they also don't have nearly as many configurations to deal with so I guess it's a tossup in the end. Results are the only thing that counts...details...*shrugs* whatever.
 
Stewie said:
The last time I built an XP box (about 2 months ago) there were over 30 fixes I had to download. However I am sure that the 10.3.3 contains multiple updates, but it is only 1 file. I wouldn't mind the Microsoft patches so much if they were combined. Nothing I hate more when doing a new install than downloading and installing all of the fixes from Microsoft only to reboot and find 10+ more that I need to install.


They are...it's called SP1...did you install that before applying the other patches? It takes the 34 or so odd patches and drops it to approx. 17 that need to be installed post SP1. Still a crapload but manageable.
 
SiliconAddict said:
...

One thing can be said to Apple's credit. They release patches DAMN fast. But they also don't have nearly as many configurations to deal with so I guess it's a tossup in the end. Results are the only thing that counts...details...*shrugs* whatever.

It's a good thing so many pieces of Mac OS X are open source projects. Many times, it seems that the versions available for Linux have been finished for a couple of weeks before we see them for Mac OS X. I would be willing to believe that Apple does extra testing prior to releasing the patches, but maybe I'm just hoping that happens.
 
Not to minimize the seriousness of this and the potential for trouble with this hole but does anyone know of any instances where this exploit has actually caused anyone loss of data or other trouble? (not counting the loss of time (productivity?) spent talking discussing it)
 
frank5050 said:
Not to minimize the seriousness of this and the potential for trouble with this hole but does anyone know of any instances where this exploit has actually caused anyone loss of data or other trouble? (not counting the loss of time (productivity?) spent talking discussing it)

LOL. Yeah, it seems the majority of actual damage these exploits cause is the reputation damage of the Mac platform. I have yet to hear of any damage from this or the proof of concept Intego was crowing about originally.

Now the fake Microsoft Office 2004 home directory eraser, that WAS a trojan that caused damage. But the guy was surfing for warez so it was his risk to take. I don't believe for one second he thought he was downloading a "beta" of Office. Pleeze. The final product was being received by Macrumors members before he got it.
 
Hey all,

I fixed my computer to open help: addresses using the Chess application (cause it can't run Applescripts) using that program you all recommended. Now that the patch is here, what's the location of the help viewer so I can change it back to normal- or is there a better way to undo my fix?

-Matt
 
greg75 said:
Yeah, over 2 months is really fast :rolleyes:

Microsoft has had patches outstanding for 6+ months quite frequently.


Unfortunately, I can't seem to find the article to back that up, so take it or leave it. Being a computer science major, I can assure you that often de-bugging takes far longer than actually writing the code. Even more so when you are dealing with something as sensitive and critical as an operating system.
 
Fixed?

Unfortunately this doesn't seem to fix another vulnerability...

From http://forums.macnn.com/showthread.php?threadid=213043&perpage=50&pagenumber=7
Macnn Forums

link to the disk image: http://ozwix.dk/OpnAppFixer/Test.dmg - when mounted just type in "test:" in your browser. Note I'd recommend opening the script in script editor to verify its contents first...


"on idle
display dialog "You are not secure. This script could have erased all your files." buttons "OK" default button 1 with icon stop
quit
return 1
end idle"


Although less serious in some ways (if you have the disk protocol disabled you'd have to deliberately mount the disk image), this is still not a very nice hole to have in the browser, as an app can be launched from an url, rather than because of a user choice...

Also, try typing telnet://-nFoo in your browser - I tried this after the update and it still works : ) You will end up with a file called 'Foo' in your home directory. Oops. This one from
http://daringfireball.net/2004/05/telnet_protocol
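
The two issues raised in this thread (help:runscript links usable from any application, and telnet://-nFoo, where the "host" is read as a command-line option) both come down to validating a URL before a helper application receives it. The following is an added example, not code from any poster or from Apple's patch; the function names, the scheme allowlist and the sample help:runscript link are constructed for illustration, and a getopt-style telnet client is assumed.

```python
import re
from urllib.parse import urlsplit

# Constructed allowlist: schemes that may be dispatched without further checks.
PLAIN_SCHEMES = {"http", "https"}
# Letters, digits, dots and hyphens only; never a leading "-" or ".".
HOSTNAME_RE = re.compile(r"[A-Za-z0-9](?:[A-Za-z0-9.-]{0,252}[A-Za-z0-9])?")


def telnet_argv(url):
    """Build the argv for a telnet: URL, or raise ValueError if it is unsafe."""
    parts = urlsplit(url)
    if parts.scheme != "telnet":
        raise ValueError("not a telnet URL")
    host = parts.hostname or ""
    if not HOSTNAME_RE.fullmatch(host):
        # "telnet://-nFoo" ends here: its host would be parsed as an option.
        raise ValueError("host is not a plain hostname: %r" % host)
    # "--" ends option parsing (assumes a getopt-style telnet client).
    argv = ["telnet", "--", host]
    if parts.port is not None:  # .port raises ValueError on malformed ports
        argv.append(str(parts.port))
    return argv


def may_dispatch(url, source_app):
    """Return True if a URL arriving from source_app may go to its helper."""
    parts = urlsplit(url)
    if parts.scheme in PLAIN_SCHEMES:
        return True
    if parts.scheme == "help":
        # Behaviour the thread attributes to the patch: ordinary help: links
        # stay usable, but runscript links only work from Help Viewer itself.
        if parts.path.startswith("runscript"):
            return source_app == "Help Viewer"
        return True
    if parts.scheme == "telnet":
        try:
            telnet_argv(url)
            return True
        except ValueError:
            return False
    # Unknown schemes (such as the "test:" handler mentioned above) are refused.
    return False
```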
 
frank5050 said:
Not to minimize the seriousness of this and the potential for trouble with this hole but does anyone know of any instances where this exploit has actually caused anyone loss of data or other trouble? (not counting the loss of time (productivity?) spent talking discussing it)
Maybe it is a coincidence but after trying out the assorted exploit examples posted with Mis Fox solution installed, I have just experienced my first ever screw up on OSX in 18 months. After logging in and out of accounts a couple of times, out the blue with all seemingly fine, I have lost all start up items except 2, all address book entries, most but not all iCal entries, all Safari preferences, all keyboard preferences, registered versions of synergy, iAddressX were wiped, a random folder of aliases was wiped... 15 days uptime has ended in tears! Thank god for back up / just cloning a week old Panther back up across.

Oh yeah, and software update is up the creek too, asking me to make sure I am connected to the internet.
 
nagromme said:
Learn it well:

1. Windows has continual and major problems.

2. But no OS is ever perfect.

3. Mac OS is not perfect

4. Therefore Windows is just as good as Mac OS.

5. Therefore Windows is better than Mac OS.

QED.

Been seeing that "logic" around a LOT lately. Watch for it :)

I don't see the logical leap between lines three and four....
 
stoid said:
Being a computer science major, I can assure you that often de-bugging takes far longer than actually writing the code. Even more so when you are dealing with something as sensitive and critical as an operating system.

...or as bloated as a microsoft software ;) seriously, you're right. and even more work than debugging is the optimizing of the software, a task apple has done wonderfully (in my opinion) in comparison to microsoft who seems to just forget the code it writes. they address bugs when they find them and have the time to fix it, but they never seem to optimize their code - every new version they release require far more power from the hardware than the new features alone would ask for, and (while the osx is still very new, but the point stands) in comparison apple has so far managed to make every major osx release run faster than any previous release, and that's something.

yep. computer science major here also, in tampere university of technology. working as a dba and unix administrator to support my family and therefore maybe never a graduated M.Sc, but who knows.... (i could take out B.Sc papers any time, and if our school knows what it says, it should compare to american M.Sc papers quite equally. believe or not, i don't care.)
 