Well... that still didn't solve some bug I have :(
check this website: http://www.e-upr.org/ - opens up nicely
enter comments: http://www.e-upr.org/?aid=12348

and I get :
Safari can’t open the page.
Too many redirects occurred trying to open “http://www.e-upr.org/?aid=12348?act...id=12348?action=show&object=article&id=12348?
[cut...]
action=show&object=article&id=12348?action=show&object=article&id=12348”. This might occur if you open a page that is redirected to open another page which then is redirected to open the original page.

This happens only on Safari, I reported the problem everywhere but no reply.
Do they have their script wrong? Or is there a bug in Safari? Why do other browsers under OSX have no problem? :confused:
 
Just installed it, everything ok. Good - a very quick response to that virus/trojan thing
 
thejadedmonkey said:
Has there always been a limit like this imposed? Or is this something new...?
This has been introduced roughly half a year ago into iTunes. Until then it was a maximum of five concurrent users.
 
pawnstar said:
it just warns you that it could be unsafe, you can test it out here:

http://www.heise.de/security/dienste/browsercheck/demos/safari/Heise.jpg.zip

should give you a second warning somehow, people are used to clicking things regardless.

It could do with something like dashboard - the first time a terminal file (or something that tries to call terminal) executes it should be 'sandboxed', and the commands it tries to do listed. Also new unrun apps. At the mo', if you open a file whose app hasn't run previously you get a warning, maybe getting a warning for all apps on their first run. This way you can't unwittingly open an app or something that can attack your system.

Ok forget about what I wrote earlier... The trojan will still execute if you double-click it. But it won't execute automatically anymore... So Apple doesn't rock that much :(

The reason why it didn't on my system is that I removed the terminal from the utility folder... Sorry for giving the wrong information :(

/me goes hiding in shame
 
All OK.

Rebooted from external drive, ran disk utility on startup. Things fixed.
 
Quote:
Originally Posted by pawnstar
it just warns you that it could be unsafe, you can test it out here:

http://www.heise.de/security/dienste.../Heise.jpg.zip

should give you a second warning somehow, people are used to clicking things regardless.

It could do with something like dashboard - the first time a terminal file (or something that tries to call terminal) executes it should be 'sandboxed', and the commands it tries to do listed. Also new unrun apps. At the mo', if you open a file whose app hasn't run previously you get a warning, maybe getting a warning for all apps on their first run. This way you can't unwittingly open an app or something that can attack your system.

Well the security fix is more deep than what you think. With the update, the Heise.jpg file won't open in the terminal even when double-clicked.

In my example macosx_us.html I get a warning before the file gets extracted. But after that there is still a QuickTime icon. And just starts when clicking on it.

However I would not call this a real security flaw. There will always be a way that a user can run an application if she/he really wants.
 
VL-Tone: Thanks for reporting the details.

The primary danger from Trojans will now return to what it will likely always be: If somebody tells you to download and run an application and you do so without considering the source of this recommendation, you might be running a program with bad intentions that has access to whatever files you have access to.

The advice to avoid using your Mac as administrator except when necessary is no longer as critical, but is still a sensible idea. And don't forget your backups!
 
VL-Tone said:
[...]
From now on, with this update, there is no known way to make a trojan on OS X that doesn't have the .app extension, which is forced to appear even with "show extensions" off. And each of those .app will warn you the first time you run them. [...]
That sounds ... safe.
Are there any cases where one would like to run a Unix executable by double-clicking it?
 
Looks like more than a quick-and-dirty band aid from Apple--and quickly released too! :) I thought there would be SOMETHING out in the next few weeks, but not so soon and not so thorough. I thought they'd spend longer to reach this point. Good for Apple.

Lots of Trojan potential squashed. Too bad--Apple didn't even give people TIME to try any Leap A copycats :p

Thanks for the details, Dr. Q and VL Tone.
 
VL-Tone said:
Well the security fix is more deep than what you think. With the update, the Heise.jpg file won't open in the terminal even when double-clicked.

Do a get info on the file, and you'll see a difference from before the update. The get info box shows "Kind: JPEG Image" instead of "Kind: Terminal Document". If you double-click it, Preview tries to open it and reports a "corrupted file" error.

Sure the actual data inside the file can be a malicious script, but there is now no way to make it execute unless you manually remove the extension after downloading and force the terminal to open it.

If you do a get info after removing the extension, you see that it shows: "Kind: Unix Executable File".

So you say "Someone can still put a custom icon on these and make people click on it!" without doing get info. Wrong! Double click this Unix Executable and what happens? It opens in TextEdit!!

It means that also squashes the Leap.A trojan to pieces. Try to download Leap.A, double click on it and it opens in TextEdit, showing you the malicious terminal code!

Apple took these issues seriously and it shows.

From now on, with this update, there is no known way to make a trojan on OS X that doesn't have the .app extension, which is forced to appear even with "show extensions" off. And each of those .app will warn you the first time you run them. And Safari will warn you if it finds .app files or a compressed file it cannot check before completing the download.


Apple ROCKS!!!
:D
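
An added example, not part of any post in this thread: the posts above describe a file whose .jpg name hides script content, so this sketch flags files whose image extension disagrees with their leading bytes. It checks content only, not the Finder "Kind" or the application binding the posters discuss; the function names and sample files are constructed for illustration.

```python
import os
import tempfile

# Well-known leading signatures for the image types this check covers.
MAGIC = {
    ".jpg": (b"\xff\xd8\xff",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".gif": (b"GIF87a", b"GIF89a"),
}

def classify(path):
    """Compare a file's extension with its first bytes."""
    sigs = MAGIC.get(os.path.splitext(path)[1].lower())
    if sigs is None:
        return "unchecked"          # extension not in the table
    with open(path, "rb") as fh:
        head = fh.read(16)
    if head.startswith(sigs):
        return "ok"
    # A shebang means the "image" is really a script.
    return "script-disguised" if head.startswith(b"#!") else "mismatch"

def scan(root):
    """Return {relative path: verdict} for files whose content contradicts the name."""
    findings = {}
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue
            verdict = classify(full)
            if verdict in ("script-disguised", "mismatch"):
                findings[os.path.relpath(full, root)] = verdict
    return findings

def demo():
    """Build constructed sample files in a temp directory and scan them."""
    samples = {
        "photo.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 12,   # real JPEG header
        "holiday.jpg": b"#!/bin/sh\necho constructed\n",  # script named .jpg
        "broken.png": b"not an image at all",
        "notes.txt": b"plain text",
    }
    with tempfile.TemporaryDirectory() as root:
        for name, data in samples.items():
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(data)
        return scan(root)

if __name__ == "__main__":
    print(demo())
```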
 
VL-Tone said:
Well the security fix is more deep than what you think. With the update, the Heise.jpg file won't open in the terminal even when double-clicked.

Do a get info on the file, and you'll see a difference from before the update. The get info box shows "Kind: JPEG Image" instead of "Kind: Terminal Document". If you double-click it, Preview tries to open it and reports a "corrupted file" error.

...

mine still opens up terminal and lists my directory. I get warned it looks bad, and Safari doesn't auto open it. But if I double click it, it runs.

Just need something so that if I'm launching an app, I know I'm launching an app; and if I'm launching something that opens terminal/actionscript/automator, I get told that too. Just in case I didn't know I was doing this. Once a file/app has been run, it's added to a 'safe' list or something, that way I don't get asked again.

^^^I just re-read some of your post - the bit about having to have the .app extension, that's good and addresses most of the problem.

It is a bit of a pain and it would be nice not to have dialogue boxes popping up, but how many times do you stick a new app on? If you know it's an app, it's one click to ok it - if you didn't know it was an app, then you're now safe.

I feel this update is a stopgap to the problem.
 
nagromme said:
Looks like more than a quick-and-dirty band aid from Apple--and quickly released too! :) I thought there would be SOMETHING out in the next few weeks, but not so soon and not so thorough. I thought they'd spend longer to reach this point. Good for Apple.

Lots of Trojan potential squashed. Too bad--Apple didn't even give people TIME to try any Leap A copycats :p

Thanks for the details, Dr. Q and VL Tone.


I'm sure the second the problem broke, they locked the OS engineers in a room and didn't let them out until they had written up the fix.

:p
 
VL-Tone said:
Well the security fix is more deep than what you think. With the update, the Heise.jpg file won't open in the terminal even when double-clicked.

Do a get info on the file, and you'll see a difference from before the update. The get info box shows "Kind: JPEG Image" instead of "Kind: Terminal Document". If you double-click it, Preview tries to open it and reports a "corrupted file" error.

Sure the actual data inside the file can be a malicious script, but there is now no way to make it execute unless you manually remove the extension after downloading and force the terminal to open it.

If you do a get info after removing the extension, you see that it shows: "Kind: Unix Executable File".

So you say "Someone can still put a custom icon on these and make people click on it!" without doing get info. Wrong! Double click this Unix Executable and what happens? It opens in TextEdit!!

It means that also squashes the Leap.A trojan to pieces. Try to download Leap.A, double click on it and it opens in TextEdit, showing you the malicious terminal code!

Apple took these issues seriously and it shows.

From now on, with this update, there is no known way to make a trojan on OS X that doesn't have the .app extension, which is forced to appear even with "show extensions" off. And each of those .app will warn you the first time you run them. And Safari will warn you if it finds .app files or a compressed file it cannot check before completing the download.

Hmm... I just downloaded that example file. Safari does indeed warn that it might be an executable. However, double-clicking the file still launches the script in Terminal.... and I've installed the update!

[UPDATE] This is odd... Right-clicking the file and pointing to Open With shows Terminal at the top of the list, then the next is Preview, which is marked as (Default). However, it's clearly not using Preview as the default.... it's opening with Terminal.

I wonder if clearing my LaunchServices cache will help.
 
displaced said:
Hmm... I just downloaded that example file. Safari does indeed warn that it might be an executable. However, double-clicking the file still launches the script in Terminal.... and I've installed the update!

[UPDATE] This is odd... Right-clicking the file and pointing to Open With shows Terminal at the top of the list, then the next is Preview, which is marked as (Default). However, it's clearly not using Preview as the default.... it's opening with Terminal.

I wonder if clearing my LaunchServices cache will help.

Yeah, this is weird. I just downloaded the same file and I received no warnings when downloading the file (open safe files is turned off), when I unzipped it, nor when I double-clicked it and it ran in terminal. Am I missing something here? I've already done the reboot and repaired permissions...
 
doowrehs said:
Yeah, this is weird. I just downloaded the same file and I received no warnings when downloading the file (open safe files is turned off), when I unzipped it, nor when I double-clicked it and it ran in terminal. Am I missing something here? I've already done the reboot and repaired permissions...

you only get the warning if 'open safe files' is checked.

The only way to identify it otherwise is to get info. Not the most convenient.

Personally I would like to be told if I'm about to run something that could trash my home folder.

from http://www.unsanity.com/haxies/pa/ :

Paranoid Android can now notify you when a file is launched with a custom application (one other than the default one for the document's file type). This does not affect opening documents from within applications.
Updated to mitigate the recent Safari/LaunchServices exploit described in detail here.

This would pretty much cover it. Thx for the link manu chao
 
So -- I was eagerly anticipating this feature because it would theoretically allow me to play music from iTunes libraries that were open in other user accounts on my iMac. While they appear as a shared library in iTunes, Front Row doesn't see them! Seems like there are some really silly oversights in Front Row, including poor communication with iTunes errors causing Front Row to hang... anyone else having this problem?
 
pawnstar said:
you only get the warning if 'open safe files' is checked.

The only way to identify it otherwise is to get info. Not the most convenient.

Personally I would like to be told if I'm about to run something that could trash my home folder.

Seems like the advice "disable the open 'safe files' option" became dangerous.
 
Thanks for the clarification, pawnstar. Hmmmmm - to open safe files or not to open, that seems to be the question...
 
front row

They finally fixed a few basic problems. Bands starting with "a" and "the" are no longer placed in "a" and "t" but by the band name that follows. The scrolling is much faster when the button is held down. And the song title now scrolls if it's too long. Pretty much like the iPod interface.
 
PHP still outdated

I wonder why Apple didn't update the included PHP to version 4.4.2. It's been out for a month and a half, and includes some minor security fixes.
 
Anyone having problems buying music with iTunes? Whenever I try to purchase a shopping cart, I get this error: Your shopping cart's contents have changed, either the prices of some items have changed, or items have been added or removed from another computer. Please review your shopping cart and click buy now.

Ok, so I click the refresh button that is on that dialog box, and it says the music store is unavailable.

I have tried emptying my cart, exiting iTunes, rebooting, nothing works!!! Please help or say if you are having the same problem after updating
 