Mac OS X Security Update 2004-5-24

[Zaty]

Good job Apple! It's good to know they really care about security and do their best to fix holes as soon as possible. Now bring on 10.3.4! 🙂

 

[Savage Henry]

1. Windows has continual and major problems.

2. But no OS is ever perfect.

3. Mac OS is not perfect

4. Therefore Windows is just as good as Mac OS.

5. Therefore Windows is better than Mac OS.

I don't see the logical leap between lines three and four....

From a subjectivity and from a literal sense, I understand nagromme's move from three to four. It's four to five that's got me reaching for another coffee.

Incidentally, patch uploaded and everything is fine.

 

[Windowlicker]

like we would have even needed this update... well, best to be sure.

 

[discoteca]

Hey all,

I fixed my computer to open help: addresses using the Chess application (cause it can't run Applescripts) using that program you all recommended. Now that the patch is here, what's the location of the help viewer so I can change it back to normal- or is there a better way to undo my fix?

-Matt

HD:System:Libary:CoreServices:Help Viewer.app

🙂

 

[nagromme]

MS logic

Learn it well:

1. Windows has continual and major problems.

2. But no OS is ever perfect.

3. Mac OS is not perfect

4. Therefore Windows is just as good as Mac OS.

5. Therefore Windows is better than Mac OS.

QED.

Been seeing that "logic" around a LOT lately. Watch for it 🙂

I don't see the logical leap between lines three and four....

As I say, I see that "logic" around--it's not my own, and it's not logic!

3 to 4 is illogical. Two flawed products (like all OSes) are not automatically "just as good" as each other. One might just happen to be better!

4 to 5 is worse yet.

Yet watch for people to look at the news of non-stop Windows flaws, many exploited as real viruses, and at the news of occasional quickly-patched OS X flaws... and then conclude that Windows is better.

(Obviously the only logic is that they had already made up their minds that most-popular must mean best.)

 

[Darwin]

Unfortunately this doesn't seem to fix another vulnerability...

From http://forums.macnn.com/showthread.php?threadid=213043&perpage=50&pagenumber=7
Macnn Forums

link to the disk image: http://ozwix.dk/OpnAppFixer/Test.dmg - when mounted just type in "test:" in your browser. Note I'd recommend opening the script in script editor to verify its contents first...


"on idle
display dialog "You are not secure. This script could have erased all your files." buttons "OK" default button 1 with icon stop
quit
return 1
end idle"


Although less serious in some ways (if you have the disk protocol disabled you'd have to deliberately mount the disk image), this is still not a very nice hole to have in the browser, as an app can be launched from an url, rather than because of a user choice...

Also, try typing telnet://-nFoo in your browser - I tried this after the update and it still works : ) You will end up with a file called 'Foo' in your home directory. Oops. This one from
http://daringfireball.net/2004/05/telnet_protocol

Well the first problem I guess is better now then before

I tried one of those tests and it mounted automatically and ran (even if I said in Safari "don't open files")

Now I do it and it mounts, but nothing is run, I need to click on the file to launch it, so it is better now, but i guess might need improvements in the future

As for your Telnet Demo well that might need looking into 🙁

 

[Hugin777]

Now I do it and it mounts, but nothing is run, I need to click on the file to launch it

Did you try my example exploit page ??

 

[Skiniftz]

apple is da bomb...
no other company would get it out that fast!

Seeing as it was reported to them in FEBRUARY lets hope that "no other company would get it out that fast".

 

[Skiniftz]

Yeah, but they still fill half of your Add/Remove programmes list thingy with all the hotfixes. Plus sometimes when I installed a hotfix it would randomly stop some feature of the computer working, and that roll-back thingy in Windows (I've forgotten what it's called) wouldn't even work and I had to re-install Windows.
.

Sunday, November 23, 2003 22:57:32 Europe/London: Installed "QuickTime" (6.4)
Sunday, November 23, 2003 22:57:46 Europe/London: Installed "iTunes" (4.1)
Sunday, November 23, 2003 22:58:02 Europe/London: Installed "Java" (1.4.1)
Sunday, November 23, 2003 22:58:22 Europe/London: Installed "iCal" (1.5.1)
Sunday, November 23, 2003 23:03:15 Europe/London: Installed "Mac OS X Update" (10.2.8)
Sunday, November 23, 2003 23:09:58 Europe/London: Installed "Bluetooth Software" (1.3.3)
Sunday, November 23, 2003 23:10:00 Europe/London: Installed "QuickTime for Java Update" (v2.0)
Sunday, November 23, 2003 23:10:27 Europe/London: Installed "iSync" (1.3)
Sunday, November 23, 2003 23:13:43 Europe/London: Installed "Security Update 2003-11-19" (1.0)
2003-11-29 12:43:08 +0000: Installed "AirPort Software" (3.2)
2003-11-29 12:43:52 +0000: Installed "Bluetooth Software" (1.4.1)
2003-11-29 12:45:14 +0000: Installed "Mac OS X Update" (10.3.1)
2003-12-06 18:52:38 +0000: Installed "Security Update 2003-11-19" (1.0)
2003-12-06 18:52:43 +0000: Installed "Security Update 2003-12-05" (1.0)
2003-12-18 08:26:11 +0000: Installed "Apple Remote Desktop Client" (1.2.4)
2003-12-18 08:26:15 +0000: Installed "Battery Update" (1.1)
2003-12-18 08:27:57 +0000: Installed "Mac OS X Update" (10.3.2)
2003-12-20 17:17:16 +0000: Installed "iTunes" (4.2)
2003-12-20 17:18:47 +0000: Installed "QuickTime" (6.5)
2003-12-20 17:18:57 +0000: Installed "QuickTime MPEG-2" (6.4)
2003-12-20 17:19:07 +0000: Installed "Security Update 2003-12-19" (1.0)
2003-12-20 18:00:11 +0000: Installed "Xcode Update" (1.1)
2004-01-19 23:47:18 +0000: Installed "iCal" (1.5.2)
2004-01-27 02:31:29 +0000: Installed "AirPort Software" (3.3)
2004-01-27 02:31:42 +0000: Installed "Security Update 2004-01-26" (1.0)
2004-02-03 07:32:02 +0000: Installed "Java 1.4.2" (1.4.2)
2004-02-03 07:32:21 +0000: Installed "Safari" (1.2)
2004-02-05 20:34:08 +0000: Installed "Bluetooth Software" (1.5)
2004-02-17 20:07:02 +0000: Installed "iSync" (1.4)
2004-02-23 23:19:17 +0000: Installed "Security Update 2004-02-23" (1.0)
2004-02-27 16:38:23 +0000: Installed "iSight Update" (1.0.2)
2004-03-08 19:39:34 +0000: Installed "AirPort Software" (3.3.1)
2004-03-13 00:04:07 +0000: Installed "iPod Software" (1.3.1)
2004-03-16 19:07:24 +0000: Installed "Mac OS X Update" (10.3.3)
2004-03-24 07:47:12 +0000: Installed "iChat Update" (2.1)
2004-03-27 17:20:04 +0000: Installed "iPod Software" (2.1)
2004-04-06 07:18:49 +0100: Installed "Security Update 2004-04-05" (1.0)
2004-04-10 12:18:43 +0100: Installed "Apple Remote Desktop Admin" (1.2)
2004-04-25 11:23:13 +0100: Installed "AirPort Software" (3.4)
2004-04-25 11:24:29 +0100: Installed "Apple Bluetooth Module Firmware Update" (1.1)
2004-05-01 20:04:53 +0100: Installed "iPod Update 2004-04-28" (3.0)
2004-05-04 00:14:31 +0100: Installed "QuickTime" (6.5.1)
2004-05-04 00:16:02 +0100: Installed "AirPort Software" (3.4.1)
2004-05-04 00:16:15 +0100: Installed "Security Update 2004-05-03" (1.0)

 

[Digital Hybrid]

Ah, finally. It fixed my HelpViewer link-bug in Safari! 'bout damn time 🙂

 

[form]

As long as it is in their best financial interest to do security fixes, they will. Microsoft also frequently makes available patches for KNOWN security issues in very short times after PUBLIC announcement.

If it isn't well known by being put up on some often viewed news site, and then focused attention on even more by getting placed on a mac rumor page, then they will be in no hurry to do anything about it. Remember, this is business. Don't ever think Apple is in this game for the consumer half as much as Apple is in it for Apple.

Apple could easily be likened to Microsoft in the OS realm now.

 

[dstorey]

update messed up os x?

Not sure if it was this update that did it but only updated this and web objects.

Basically on Sharing in the system preferences i have personal web sharing ticked but it is greyed out and can't click start, so apache wont now work. And finder no longer works! if i click on a flder it just stays blank with the spinning thing in the corner. If i click back then forward straight after the contents show. Any folder i have been to then shows straight away. Any ideas how to fix this. I need apavhe working and this finder thing makes it near unuseable

BTW...yup i've repaired permissions

 

[eric_n_dfw]

...One thing can be said to Apple's credit. They release patches DAMN fast. But they also don't have nearly as many configurations to deal with so I guess its a tossup in the end...

I'm not sure what you meant by "many configurations", I'm asuming you are talking about the myriad of hardware platform configurations. AFAIK, the nature of the security exloits we are talking about are completely platform inspecific. They are in the application code and supporting libraries which are all written to the OS API's, not the hardware drivers. (There have been DirectX security exploits, but I'm pretty sure they were in higher level code than anything that would be platform specific.)

Am I wrong?

 

[stoid]

I'm not sure what you meant by "many configurations", I'm asuming you are talking about the myriad of hardware platform configurations. AFAIK, the nature of the security exloits we are talking about are completely platform inspecific. They are in the application code and supporting libraries which are all written to the OS API's, not the hardware drivers. (There have been DirectX security exploits, but I'm pretty sure they were in higher level code than anything that would be platform specific.)

Am I wrong?

Even if the code had to be tested on 20 times the computer hardware set-ups as Apple's code, Microsoft is a bigger company and so they should be spending more money on de-bugging patches. To say "Give MS a break, they have more work to do." is total and complete bull****.

 

[ingenious]

Did you try my example exploit page ??

The first link did not mount anything. Safari seemed to "think" about it, but it never did anything. Links two and three downloaded and mounted disk images, but the script inside did not automatically run.

 

[Hugin777]

The first link did not mount anything. Safari seemed to "think" about it, but it never did anything. Links two and three downloaded and mounted disk images, but the script inside did not automatically run.

No, of course it didn't. That's what step 3 does. A real exploit would use a simple trick to first do step 1 then step 3. I'm just a nice guy who don't want to scare you 🙂

 

[sethypoo]

i don't know if i like all these security updates, just reminds of microsoft if you ask me 🙁

Be Real. You're going to have security updates. If you are lucky, they will be far in advance of the bad guys. 🙄

 

[wdlove]

Be Real. You're going to have security updates. If you are lucky, they will be far in advance of the bad guys. 🙄

I agree, thank you Apple! 🙂

 

[Skiniftz]

Oops - it's WORSE!

Looks like the Help Viewer exploit was just the tip of the iceberg.

Turns out that ANY new application including those contained within disk images (which STILL automatically mount with no user action) AUTOMATICALLY gets ANY custom protocol handlers installed on your system!

This makes the Help Viewer problem, as serious as it was, seem insignificant!

 

[gotohamish]

I dunno I am going to wait to install it. Maybe it is paranoia, maybe it is a typo, but the mistaken date is annoying to me. Maybe Apple accidentally released this early?

Ok fine, i just don't want to break my uptime. 😀

Edit: Well, no restarted needed......but I'll still wait. 😕

wait for what? And who is actually impressed by uptime? It's what you DO in the uptime that's cool/important/impressive/useful. Surely.

 

[Juventuz]

I love Apple as much as the next person here, but let's be honest. We're slamming Windoze, but if we had as many users and if our OS was as popular as XP then we'd be experiencing the same problems. We're lucky that we're only 3-5% of the population of computer users, nobody really cares about us. If we were 40% then I could see us having more attacks and security updates.

 

[blueBomber]

I love Apple as much as the next person here, but let's be honest. We're slamming Windoze, but if we had as many users and if our OS was as popular as XP then we'd be experiencing the same problems. We're lucky that we're only 3-5% of the population of computer users, nobody really cares about us. If we were 40% then I could see us having more attacks and security updates.

Exactly. This is why MacOS seems more secure; there are less people looking for holes.

 

[Darwin]

I love Apple as much as the next person here, but let's be honest. We're slamming Windoze, but if we had as many users and if our OS was as popular as XP then we'd be experiencing the same problems. We're lucky that we're only 3-5% of the population of computer users, nobody really cares about us. If we were 40% then I could see us having more attacks and security updates.

I understand you view, I too think about this, It can happen, I guess it will happen

But then some people might bring in the fact the Apache with an Open source system is running all these web servers etc

M$ IIS servers are more vulnerable etc and they have less market share

I'm not rejecting your comment, but even if Mac OS X was popular wouldn't we avoid all the silly security flaws like the ones in Windows?

I mean the serious silly flaws, (would we call these flaws in OS X silly?)

I guess no OS is perfect, that wouldn't be fun at all, as for Windows it would give a new meaning to the word "Fun" 😀

 

[mabino]

It looks as if KDE had a similar URI handler issue.

http://www.securityfocus.com/bid/10358/discussion/

 

[sweetaction]

you are an idiot

i don't know if i like all these security updates, just reminds of microsoft if you ask me 🙁

yeah, lets be UN-MSFT and not update the os.

i think your tin-foil hat is on too tight