
MacRumors

macrumors bot
Now available via Software Update:
Security Update 2004-10-27 delivers a number of security enhancements and is recommended for all Macintosh users. This update includes the following component:

Apple Remote Desktop

For detailed information on this Update, please visit this website: http://www.info.apple.com/kbnum/n61798
 
The phrase "recommended for all Macintosh users" doesn't seem warranted due to the specialized nature of the patch.
 
So my question is, should I install it? Will I have to have it installed in order to install later security patches? I mean, it seems silly to install something if it's only for Remote Desktop and I don't use it.
 
Well, I don't have ARD and it is there for me to download. In fact, I'm getting it now!

Well, I have installed it and my PB hasn't blown up yet! Thankfully no restart!!
 
Hmmm, not showing up for me, and I have the admin app installed... :confused:

edit - Looks like it's looking for a very specific user scenario. This is from the KB article:
Security Update 2004-10-27
Apple Remote Desktop

Available for: Apple Remote Desktop Client 1.2.4 with Mac OS X 10.3.x
CVE-ID: CAN-2004-0962
Impact: An application can be started behind the loginwindow and it will run as root.
Description: For a system with these following conditions
Apple Remote Desktop client installed
A user on the client system has been enabled with the Open and quit applications privilege
The username and password of the ARD user is known
Fast user switching has been enabled
A user is logged in, and loginwindow is active via Fast User Switching

If the Apple Remote Desktop Administrator application on another system is used to start a GUI application on the client, then the GUI application would run as root behind the loginwindow. This update prevents Apple Remote Desktop from launching applications when the loginwindow is active. This security enhancement is also present in Apple Remote Desktop v2.1. This issue does not affect systems prior to Mac OS X 10.3. Credit to Andrew Nakhla and Secunia Research for reporting this issue.

edit #2 - NM, didn't see that this was 1.2.4 only and doesn't apply to the latest version (2.1) which I, of course, am running. :)
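
The applicability conditions quoted from the KB article above can be checked mechanically across a set of machines. The following is an added example, not part of the original thread or of Apple's advisory; the inventory field names and the sample records are constructed assumptions. Two of the listed conditions (the ARD user's credentials being known, and loginwindow being active via Fast User Switching at that moment) are runtime state that an inventory cannot show, so "exposed" here means only that the static preconditions are met.

```python
import re

# Constructed inventory records; the field names are assumptions of this example.
SAMPLE_INVENTORY = [
    {"name": "lab-01", "os": "10.3.5", "ard_client": "1.2.4",
     "open_quit_users": ["ardadmin"], "fast_user_switching": True},
    {"name": "lab-02", "os": "10.3.5", "ard_client": "1.2.4",
     "open_quit_users": [], "fast_user_switching": True},
    {"name": "admin-01", "os": "10.3.5", "ard_client": "2.1",
     "open_quit_users": ["ardadmin"], "fast_user_switching": True},
    {"name": "jag-01", "os": "10.2.8", "ard_client": "1.2.4",
     "open_quit_users": ["ardadmin"], "fast_user_switching": False},
]

def parse_version(text):
    """Turn '10.3.5' into (10, 3, 5); reject anything that is not dotted digits."""
    if not re.fullmatch(r"\d+(\.\d+)*", text):
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(part) for part in text.split("."))

def triage(host):
    """Return (status, reasons) for one inventory record.

    'not-applicable': outside the advisory's "Available for" line.
    'patch-applicable': right versions, but a listed condition is not met.
    'exposed': every condition that inventory can show is met.
    """
    outside = []
    ard = host.get("ard_client")  # None means the ARD client is not installed
    if ard is None:
        outside.append("ARD client not installed")
    elif parse_version(ard) != (1, 2, 4):
        outside.append(f"ARD client {ard} is not 1.2.4")
    if parse_version(host["os"])[:2] != (10, 3):
        outside.append(f"Mac OS X {host['os']} is not 10.3.x")
    if outside:
        return "not-applicable", outside
    unmet = []
    if not host.get("open_quit_users"):
        unmet.append("no user has the Open and quit applications privilege")
    if not host.get("fast_user_switching"):
        unmet.append("Fast User Switching is disabled")
    return ("patch-applicable", unmet) if unmet else ("exposed", [])

if __name__ == "__main__":
    for host in SAMPLE_INVENTORY:
        status, reasons = triage(host)
        print(f"{host['name']:9} {status:17} {'; '.join(reasons)}")
```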
 
It's quite odd. On a similar note, did anyone get the new updates yesterday (iPod, iTunes and QuickTime) in their updater things? I didn't.
 
My update included a QuickTime update as well.

Did anyone who didn't download iTunes 4.7 yesterday get it included in the update today?
 
Amazing, my Mac is a lot faster, apps bounce just once, Safari renders a lot better and I go to sleep, it's late for me and I'm tired... ;)
 
Porchland said:
My update included a QuickTime update as well.

Did anyone who didn't download iTunes 4.7 yesterday get it included in the update today?

I downloaded it off the Apple site at about lunchtime as it hadn't appeared on Software Update.
 
Boy, everything sure feels snappier!
(sorry, had to do one of those...to release my frustration at not being able to go to the grand opening of London's new store)
 
Funny, I just looked at Secunia's site today and they reported no unpatched security issues for Mac OS X. :D I suppose this mostly affects corporations and universities but it's an opportunity.

Good for Apple to have patched it quickly.
 
Nothing in Software Update but Security Update

QuickTime and iTunes I had to do manually. Seems the iTunes update was directly applicable to Euro iTunes; as for the QuickTime update, it was not available for my machine. Wasn't clear why it wasn't available.

All updates done and things are snappy and on point....
 
Nothin' new with Jag

Did the update. No problems. No improvements. (Which is fine)

Just thought I'd let you all know...
 
russed said:
It's quite odd. On a similar note, did anyone get the new updates yesterday (iPod, iTunes and QuickTime) in their updater things? I didn't.

As of yesterday afternoon, mine hadn't shown up in Software Update, so I downloaded it off Apple's site.
 
Wow, it really is snappier ;) </joking>

I'm not sure I would regard this as a security issue.

Maybe I haven't read the report properly but if you log in as the user then you should be able to operate a Mac in any state as long as you have the relevant credential to access the machine. Perhaps rather than restricting remote access on the login screen the 2004-10-27 Security Update should assign the proper user ID rather than defaulting to run as root instead?
 