oh boy

MaCaDDiCT21 said:
What's with all the recent updates? Is there a security threat lurking about?

lol... yes, Microsoft is secretly embedding Windows XP to YOUR update only, also Apple is in cahoots with spyware companies that secretly track at what time you eat, and go to sleep, which then uploads it to main spyware station orbiting earth.

Seriously.... Long live the internet.

/rant over
 
I have just installed the update. Startup until login window display time is exactly the same as before on my system (56 seconds for a dual 2 Ghz Powermac G5/512 Mb RAM/ 160 Gb Hard drive/ Mac OS X 10.3.6). Everything looks okay and I just feel good about having another set of security holes patched up.

I feel that no matter how many security updates Apple releases, there will always be a few openings. However, filling these in quickly and decisively will lower the chances of someone hacking into my G5.
 
I use these updates as a good excuse to run Onyx to clean and maintain my Macs just prior to downloading. I also use it as a time to make sure I have a recent backup.
 
requies said:
for people that don't know what we're talking about... there appears to be a bug that causes sites to give a page not found error, but if you click reload they work. it's annoying.

i thought it was just my system being funky, but it seems it was introduced in a late September security update.
I'm pretty sure I've seen behavior like this in OS X for a long time, not just recently. I would just command-R without thinking, and never got around to looking it up to see if it was an issue.

I always assumed it was a networking-related issue. Perhaps that the request packet just gets dropped somewhere before ever getting out of the Mac. Is it documented anywhere?

On another buggy note... have you ever seen Safari bring up a confirmation dialog, you press OK, then Safari brings up the same dialog again... even though OK'ing the first one started to load the new page? OK'ing the second dialog then reloads the same result page. This can cause problems if the web server is picky about reloading a page, like a form response.
 
Toe said:
On another buggy note... have you ever seen Safari bring up a confirmation dialog, you press OK, then Safari brings up the same dialog again... even though OK'ing the first one started to load the new page? OK'ing the second dialog then reloads the same result page. This can cause problems if the web server is picky about reloading a page, like a form response.
Did that make any sense at all?? 😀 😎 🙄

These things can be difficult to verbalize sometimes. 😛
 
Toe said:
I'm pretty sure I've seen behavior like this in OS X for a long time, not just recently. I would just command-R without thinking, and never got around to looking it up to see if it was an issue.

I always assumed it was a networking-related issue. Perhaps that the request packet just gets dropped somewhere before ever getting out of the Mac. Is it documented anywhere?

On another buggy note... have you ever seen Safari bring up a confirmation dialog, you press OK, then Safari brings up the same dialog again... even though OK'ing the first one started to load the new page? OK'ing the second dialog then reloads the same result page. This can cause problems if the web server is picky about reloading a page, like a form response.

i found this and it made sense so i didn't really look any more: http://66.218.71.225/search/cache?p...ari+timeout+issue&d=5321FD8065&icp=1&.intl=us

the behavior popped up for me about when i might have gotten around to installing the security update in question.

i don't remember if i've seen the form thing, but i have seen a couple of times where i enter in a web address in a window with a page loaded in it and all it does is reload the page.

honestly, i think a clean reinstall is the solution, but i don't have the time to do one until after finals.
 
Updates are good. It just shows that Apple is looking out for our best interest of a secure Mac.
 
wdlove said:
Updates are good. It just shows that Apple is looking out for our best interest of a secure Mac.

I agree wdlove, it makes me feel good when I see these updates being released. It's not like they're released every day, which would be excessive, but they are released frequently enough to make me know Apple is constantly keeping an eye on things and improving their products from a security perspective.

After I verify and repair permissions, I'll be tossing it on my good old 17" 1.25 GHz G4 iMac. 😎
 
Went fine on my G5 2.0 DP (Rev A) and fine on my, comparatively woefully slow, iBook G3 500. No fuss, no muss, just that annoying need for a restart (13 seconds for the G5, just past forever on the iBook).

I've never had any Safari issues that people speak of which makes me scratch my head, I use it all the time too and on a wide range of web sites. The only odd behaviour is an occasional crash on a super Java intensive web site but that's rare.
 
Wow, thanks for pointing this out

Alexander said:
Umm....

If you're running a web server, this is HUGE.

Basically, if this fix is not applied, anyone can read 1) the contents of any server-side executed file, like PHP scripts, perl scripts, etc. AND 2) bypass any Apache-applied password protection.

If you're unable to apply this fix to your webserver, apply it manually (just a tweak to httpd.conf):

http://docs.info.apple.com/article.html?artnum=300422

Attention to this should be brought in the main post, IMHO. This has the potential to MAJORLY screw things up for some people if left unpatched, especially now that it's out in the open. My site was completely vulnerable, potentially handing out custom PHP scripts, MySQL passwords, the works. Not cool.

I run a small php-nuke/mySQL site; this was an eyeopener. Thanks much for the link; anyone running Apache on OS X - even if no more than "personal web sharing" needs to either apply the security update or edit /private/etc/httpd/httpd.conf as recommended by Apple.
 
12:20 and all is well.... with my 1.8 G5 iMac after installing the update.

Isn't this thread a rerun of the last time a security update was released?!? 😉
 
I'm not certain if it was caused by the update, but Personal File Sharing died on my cube. It pretends to start... but never makes it past "starting".
 
Cybornut said:
The reasoning of a hacker is that most will play the numbers game when it comes to owning systems and "more is better". At present time we don't yet have critical mass as far as malicious hacking is concerned.
This is a common perception that I happen to disagree with, but it's difficult for either side of this argument to cite "real" numbers. One can assert that OS X is just as vulnerable (or more so!) but simply isn't targeted; one can also assert that it's inherently more secure. Neither assertion - absent a study with a methodology open to scrutiny - means much. My personal belief is that OS X is inherently a more secure OS -- but it's just that: a personal belief.
 
AndreMA said:
This is a common perception that I happen to disagree with, but it's difficult for either side of this argument to cite "real" numbers. One can assert that OS X is just as vulnerable (or more so!) but simply isn't targeted; one can also assert that it's inherently more secure. Neither assertion - absent a study with a methodology open to scrutiny - means much. My personal belief is that OS X is inherently a more secure OS -- but it's just that: a personal belief.

Here's a recent study that I believe tends to lend credence to the concept that OS X is inherently more secure:

Unprotected PCs can be hijacked in minutes

The main points I took away were that unprotected (no firewall) Macs are attacked about evenly with unprotected XP SP1 machines but suffer far fewer compromises (0, in this case) than PCs. This is mostly attributed to the fact that automated attacks target PCs primarily, but it shows the fallacy in thinking that Macs aren't attacked as often.
 
Alexander said:
Umm....

If you're running a web server, this is HUGE.

Basically, if this fix is not applied, anyone can read 1) the contents of any server-side executed file, like PHP scripts, perl scripts, etc. AND 2) bypass any Apache-applied password protection.

If you're unable to apply this fix to your webserver, apply it manually (just a tweak to httpd.conf):

http://docs.info.apple.com/article.html?artnum=300422

Attention to this should be brought in the main post, IMHO. This has the potential to MAJORLY screw things up for some people if left unpatched, especially now that it's out in the open. My site was completely vulnerable, potentially handing out custom PHP scripts, MySQL passwords, the works. Not cool.

Just out of curiosity, I assume that you have to be using some sort of editor that saves files with resource forks for this to be an issue? I just tried this hack on my unpatched laptop and couldn't get anything more untoward than a 404... or am I missing the trick? Say I've got a file

Code:
http://localhost/dev/database_connector.php

What's the specific URL to access the resource fork?

-J
 
j_maddison said:
uh not sure what your logic is when you say there are too many security updates of late. I think it's excellent! It lets me know Apple take security very seriously, and unlike windoze their security updates seem to work and only cause minimal disruptions to a small amount of users.

😀 I love it. Excuses make the world a more tolerable place don't they? So you are saying Apple updates don’t break things? Can everyone else attest to this? I don’t even OWN a Mac and I can list at least three instances off the top of my head where the installs did BAD things. 10.2.8, 10.3 (base install), and 10.3.3 I think.

Come off it dude. Apple is no better than MS when it comes to patches. Heck Apple should be better than MS since they, by and large, provide the total “system”. MS has to cater to so much hardware, software, drivers, BIOS, etc that it’s a wonder they can release anything at all.

The reality is Apple users have been spoiled over the last couple years with no security updates. No matter what platform you are on security updates WILL always be a simple fact of life.
One thing that can be said for MS's new method in Windows XP SP2 is that you no longer have to replace entire sets of files to update the system. It’s a new feature of Windows Installer 3. Windows Update simply replaces portions of the binary file instead of the whole file so what you have is smaller, easier to download patches. Add to that BITS (Background Intelligent Transfer Service) for dial-up users and corp environments where you DO not want to roll out a 16MB file to let's say 11,000 systems all at once and you have a pretty dang robust way of updating the system. So please. Crap on Windows all you want but they have a much more robust way of installing patches at this point.
 
Rower_CPU said:
Here's a recent study that I believe tends to lend credence to the concept that OS X is inherently more secure:

Unprotected PCs can be hijacked in minutes

The main points I took away were that unprotected (no firewall) Macs are attacked about evenly with unprotected XP SP1 machines but suffer far fewer compromises (0, in this case) than PCs. This is mostly attributed to the fact that automated attacks target PCs primarily, but it shows the fallacy in thinking that Macs aren't attacked as often.


Don't even need to see the study to know it's true. The fact of the matter is out of the box an OS X install doesn't give admin rights to the user. An OS X install doesn't have an ***load of ports open. An OS X install doesn't have Internet Imploder installed. Those three features make OS X inherently more secure out of the box. Note I say out of the box. By spending an hour tweaking any 2K or XP box I can make it pretty dang secure. But the point is out of the box vs. spending time tweaking. Hmmm that's a Jeopardy question there. 🙄 😎


PS- One thing to note. I've read that article already. XP SP2 boxes were attacked less frequently than OS X boxes but if I remember right the OS X box didn't have a firewall enabled by default so if an attacker can see the box it's obviously a target. What a difference a SP and a basic firewall can make.
 
JayBee said:
Just out of curiosity, I assume that you have to be using some sort of editor that saves files with resource forks for this to be an issue? I just tried this hack on my unpatched laptop and couldn't get anything more untoward than a 404... or am I missing the trick? Say I've got a file

Code:
http://localhost/dev/database_connector.php

What's the specific URL to access the resource fork?

-J

You probably don't have anything in your web directory with a resource fork, but you can also access the data fork:

Code:
http://localhost/dev/database_connector.php/..namedfork/data

and stare wide-eyed at the result. If you know the URL, you can also access files in password-protected directories like this.

(resource fork would be ..namedfork/rsrc , but this probably isn't an issue for most people.)

The only good thing is that it's an easy fix, even if you're unable/unwilling to apply the security update.
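
A defender's check for the requests discussed in this exchange, added here as an example and not part of the original thread: it scans Apache access-log lines for `..namedfork/data` or `..namedfork/rsrc` path segments and reports whether the server actually returned content. It assumes the Apache common/combined log format; the function names and sample log lines are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Apache common/combined log line: host ident user [time] "METHOD path PROTO" status size
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3}) (\S+)')
# "..namedfork" path segment plus a fork name, as in the URLs quoted in the thread.
# Matched case-insensitively to be conservative.
FORK_RE = re.compile(r'/\.\.namedfork/(data|rsrc)\b', re.IGNORECASE)

def decode_path(raw, rounds=3):
    """Percent-decode repeatedly so %2e%2enamedfork and double-encoded forms are caught."""
    path = raw.split("?", 1)[0]
    for _ in range(rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path

def find_fork_requests(lines):
    """Return one finding per logged request that addresses a named fork."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        host, when, _method, raw_path, status, size = m.groups()
        path = decode_path(raw_path)
        fork = FORK_RE.search(path)
        if fork:
            findings.append({
                "client": host, "time": when, "path": path,
                "fork": fork.group(1).lower(),
                # A 2xx reply with a body means file contents were returned.
                "served": status.startswith("2") and size not in ("-", "0"),
            })
    return findings

# Constructed sample lines (documentation-range addresses), not real traffic.
SAMPLE = [
    '192.0.2.10 - - [01/Jan/2005:12:20:01 +0000] "GET /dev/database_connector.php HTTP/1.1" 200 312',
    '198.51.100.7 - - [01/Jan/2005:12:21:44 +0000] "GET /dev/database_connector.php/..namedfork/data HTTP/1.1" 200 1841',
    '198.51.100.7 - - [01/Jan/2005:12:21:50 +0000] "GET /private/report.php/%2e%2eNamedFork/rsrc HTTP/1.0" 404 -',
    '203.0.113.5 - - [01/Jan/2005:12:22:10 +0000] "GET /docs/namedfork/data.html HTTP/1.1" 200 900',
]

if __name__ == "__main__":
    for f in find_fork_requests(SAMPLE):
        print("SERVED" if f["served"] else "not served", f["client"], f["time"], f["path"])
```

Any finding marked as served on a host that was unpatched at the time means the script source behind that path, including any credentials in it, should be treated as disclosed.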
 
So is this just for the U.S. at the moment? Am running the international English version and the security update isn't showing. Am running 10.3.6...
 
Noiseboy said:
The KB article says that this is for OS 10.2.8 and 10.3.6 I am running 10.3.5 and it doesn't show up in my software update. I am (sadly) still nervous about installing 10.3.6.
I'm wondering if this is some new policy from Apple. Are they now only going to release security updates for only the last version of the OS and the last version of the previous OS?

I will also keep my system at the 10.3.4 version that it's currently on. Unfortunately this also means I can't update the firmware of my 2.5 Ghz G5.

But just yesterday I got another confirmation that I should stick with 10.3.4 for now. A friend of mine called me to ask if I knew if the problems that his freshly installed and updated G4 at his new job had, with not immediately loading pages in Safari, apps suddenly crashing and network shares dropping had anything to do with the machine running 10.3.6. I told him that indeed those exact problems had been mentioned by people on this board here after updating to 10.3.6.

I don't care if people think it's silly for me not to update, but my machine runs fast, starts up quickly, is totally stable and all apps work correctly with 10.3.4. I will wait and see what 10.3.7 brings till I update. If that means not being able to use the latest security updates, then that's just bad luck I guess.
 
Alexander said:
...and stare wide-eyed at the result.

😱

Oh my actual god. That's just... terrifying...

"as if millions of voices suddenly cried out in terror and were suddenly silenced"
 