Security Update 2004-10-27

MacRumors

macrumors bot
Original poster
Apr 12, 2001
Now available via Software Update:
Security Update 2004-10-27 delivers a number of security enhancements and is recommended for all Macintosh users. This update includes the following component:

Apple Remote Desktop

For detailed information on this Update, please visit this website: http://www.info.apple.com/kbnum/n61798
 

Doctor Q

Administrator
Staff member
Sep 19, 2002
Los Angeles
The phrase "recommended for all Macintosh users" doesn't seem warranted due to the specialized nature of the patch.
 

Macaddicttt

macrumors 6502a
Apr 22, 2004
San Diego, CA
So my question is, should I install it? Will I have to have it installed in order to install later security patches? I mean, it seems silly to install something if it's only for Remote Desktop and I don't use it.
 

russed

macrumors 68000
Jan 16, 2004
Well, I don't have ARD and it is there for me to download. In fact, I'm getting it now!

Well, I have installed it and my PB hasn't blown up yet! Thankfully no restart!!
 

Rower_CPU

Moderator emeritus
Oct 5, 2001
San Diego, CA
Hmmm, not showing up for me, and I have the admin app installed... :confused:

edit - Looks like it's looking for a very specific user scenario. This is from the KB article:
Security Update 2004-10-27
Apple Remote Desktop

Available for: Apple Remote Desktop Client 1.2.4 with Mac OS X 10.3.x
CVE-ID: CAN-2004-0962
Impact: An application can be started behind the loginwindow and it will run as root.
Description: For a system with these following conditions:
- Apple Remote Desktop client installed
- A user on the client system has been enabled with the Open and quit applications privilege
- The username and password of the ARD user is known
- Fast user switching has been enabled
- A user is logged in, and loginwindow is active via Fast User Switching

If the Apple Remote Desktop Administrator application on another system is used to start a GUI application on the client, then the GUI application would run as root behind the loginwindow. This update prevents Apple Remote Desktop from launching applications when the loginwindow is active. This security enhancement is also present in Apple Remote Desktop v2.1. This issue does not affect systems prior to Mac OS X 10.3. Credit to Andrew Nakhla and Secunia Research for reporting this issue.
edit #2 - NM, didn't see that this was 1.2.4 only and doesn't apply to the latest version (2.1) which I, of course, am running. :)
 

russed

macrumors 68000
Jan 16, 2004
It's quite odd. On a similar note, did anyone get the new updates yesterday (iPod, iTunes and QuickTime) in their updater things? I didn't.
 

Porchland

macrumors 65816
Apr 26, 2004
Georgia
My update included a Quicktime update as well.

Did anyone who didn't download iTunes 4.7 yesterday get it included in the update today?
 

AmigoMac

macrumors 68020
Aug 5, 2003
l'Allemagne
Amazing, my mac is a lot faster, apps bounce just once, safari renders a lot better and I go to sleep, it's late for me and I'm tired... ;)
 

russed

macrumors 68000
Jan 16, 2004
Porchland said:
My update included a Quicktime update as well.

Did anyone who didn't download iTunes 4.7 yesterday get it included in the update today?
I downloaded it off the Apple site at about lunchtime as it hadn't appeared on Software Update.
 

TopCatz

macrumors member
Aug 31, 2004
UK
Boy, everything sure feels snappier!
(sorry, had to do one of those...to release my frustration at not being able to go to the grand opening of London's new store)
 

bousozoku

Moderator emeritus
Jun 25, 2002
Gone but not forgotten.
Funny, I just looked at Secunia's site today and they reported no unpatched security issues for Mac OS X. :D I suppose this mostly affects corporations and universities but it's an opportunity.

Good for Apple to have patched it quickly.
 

donniedarko

macrumors regular
Jan 1, 2004
Los Angeles
Nothing in Software Update but the Security Update.

QuickTime and iTunes I had to do manually. Seems the iTunes update was directly applicable to Euro iTunes; as for the QuickTime update, it was not available for my machine. Wasn't clear why it wasn't available.

All updates done and things are snappy and on point....
 

MegaSignal

macrumors 6502
Oct 20, 2003
Nothin' new with Jag

Did the update. No problems. No improvements. (Which is fine)

Just thought I'd let you all know...
 

nfocus design

macrumors regular
Aug 3, 2004
Texas
russed said:
It's quite odd. On a similar note, did anyone get the new updates yesterday (iPod, iTunes and QuickTime) in their updater things? I didn't.
As of yesterday afternoon, mine hadn't shown up in Software Update, so I downloaded it off Apple's site.
 

encro

macrumors 6502
May 6, 2002
bendigo.victoria.au
Wow, it really is snappier ;) </joking>

I'm not sure I would regard this as a security issue.

Maybe I haven't read the report properly, but if you log in as the user then you should be able to operate a Mac in any state as long as you have the relevant credential to access the machine. Perhaps rather than restricting remote access on the login screen the 2004-10-27 Security Update should assign the proper user ID rather than defaulting to run as root instead?