Slashdot Mirror


Apple Patches Security Flaw in Terminal.app

Currawong writes "Apple has posted Security Update 2002-09-20 for Mac OS X 10.2 and above in Software Update, fixing a security hole in Terminal.app which could 'allow an attacker to remotely execute arbitrary commands on the user's system.' Apple also has a useful page listing all the security updates with a short summary and links to what they patch."

  1. Re:Apple patch installation? by xTina · Score: 5, Informative

    It is done via the Software Update application. This app checks at certain intervals (default weekly) if new updates are available and lets the user choose the updates to install. Most updates are also available for download from Apple's website. Apple provides a security mailing list which will alert you to security updates. Since summer, all updates are signed and the signature is checked by Software Update before installing.

  2. The test of this problem: by Anonymous Coward · Score: 5, Informative

    I found this bug on 2002/09/20, and started to write a report for Apple.
    Fortunately, Apple fixed this bug and began to distribute an updater.
    Since Apple fixed this serious bug, I decided to make it public.

    This is a very serious security bug.
    All Jaguar users should update immediately.
    I prepared an easy test here.
    If the link below is clicked, a Terminal will start and the "ls -la" command will be executed with your authority.
    telnet://|ls -la

    Using the updater eliminates this weakness.

    name:Taiyo FUJII
    E-Mail:taiyo@vinet.or.jp
    Sorry, I don't have slashdot account.

    1. Re:The test of this problem: by Karma+Sink · Score: 4, Informative

      Actually, I just clicked the link on multiple unpatched machines running OS X 10.2.1. The machine tried telnetting to ls -la, to no effect. However, after giving it a good look, this is only because your link does not include the pipe. This is a pretty dangerous exploit, and could easily be changed to rm -rf * rather than a simple ls.

      It's a damned good thing that Apple is so quick on the draw with security fixes...

      --

      When encryption is outlawed, ?o'AZ-,++o+i++##4AoA+-/-C++bI+/.+~
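
An added example, not part of the original thread and not Apple's fix: one way a URL handler can treat a telnet:// link such as the test link above as data, by validating the host and building an argument list that is run without a shell. The function names, the `telnet` client name and the sample URLs in the usage are assumptions.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# One RFC 1123 hostname label: letters, digits, hyphen, no hyphen at either end.
# The leading-hyphen rule also keeps a host from being read as a client option.
_LABEL = re.compile(r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)")


class RejectedURL(ValueError):
    """Raised when a telnet:// URL must not be handed to a client."""


def _valid_host(host):
    if not host or len(host) > 253:
        return False
    try:
        ipaddress.ip_address(host)  # literal IPv4 or IPv6 address
        return True
    except ValueError:
        pass
    return all(_LABEL.fullmatch(label) for label in host.rstrip(".").split("."))


def telnet_argv(url):
    """Return an argv list for a telnet client (assumed name), or raise RejectedURL."""
    try:
        parts = urlsplit(url)
        host, port = parts.hostname, parts.port  # .port raises on a bad port
    except ValueError as exc:
        raise RejectedURL(str(exc)) from exc
    if parts.scheme.lower() != "telnet":
        raise RejectedURL("not a telnet URL")
    if parts.username is not None or parts.password is not None:
        raise RejectedURL("credentials in URL not accepted")
    if parts.path not in ("", "/") or parts.query or parts.fragment:
        raise RejectedURL("unexpected path, query or fragment")
    if not _valid_host(host):
        raise RejectedURL("host is not a hostname or IP address")
    if port is not None and not 1 <= port <= 65535:
        raise RejectedURL("port out of range")
    # A list of arguments, meant for subprocess.run(argv) with shell=False,
    # so no part of the URL is ever interpreted by a shell.
    return ["telnet", host] + ([str(port)] if port is not None else [])
```

Called with the test link from the comment above, `telnet_argv("telnet://|ls -la")` raises `RejectedURL`; a URL such as `telnet://example.com:23/` (constructed sample) yields `["telnet", "example.com", "23"]`.
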
  3. The changes to Terminal.app by Paladeen · Score: 5, Informative

    This update replaces the entire Terminal.app.

    It is now 528kb in size, as opposed to the previous 439kb.

    I've also noticed that it launches noticeably faster after the update. Perhaps Apple added some tweaks in addition to the security changes.

    (no, it isn't the updated prebindings. I just did that myself this morning).

  4. Re:its sad by jtdubs · Score: 4, Informative

    Simple solution.

    Use the Mac like it's supposed to be used, not like a damned Windows box.

    When you close a terminal window, use Apple+W, NOT Apple+Q. Macs are document-based, not application-based. Close the window, not the terminal app.

    Now, when you click on the terminal again it will open up a new window in a fraction of the time.

    Justin Dubs