Apple Patches Security Flaw in Terminal.app

Currawong writes "Apple has posted Security Update 2002-09-20 for Mac OS X 10.2 and above in Software Update, fixing a security hole in Terminal.app which could 'allow an attacker to remotely execute arbitrary commands on the user's system.' Apple also has a useful page listing all the security updates with a short summary and links to what they patch."

Re:Apple patch installation?

[xTina]

It is done via the Software Update application. This app checks in certain intervals (default weekly) if new updates are available and lets the user choose the updates to install. Most updates are also available for download from Apple's website. Apple provides a security mailing list which will alert you to security updates. Since summer, all updates are signed and the signature is being checked by Software Update before installing.

The test of this problem:

I found this bug 2002/09/20, and start to make report for Apple.
In fortunate thing, Apple fixed this bug and begin to distribute updater.
Since Apple fixed this serious bug, I decided to open to the public.

This is very serious security bug.
All Jaguar user should update immediately.
I prepared the test easy here.
If link below is clicked, a Terminal will start and "ls -la" command will be executed by your authority.
telnet://|ls -la

Your use of updater vanishes this brittleness.

name:Taiyo FUJII
E-Mail:taiyo@vinet.or.jp
Sorry, I don't have slashdot account.

The changes to Terminal.app

[Paladeen]

This update replaces the entire Terminal.app.

It is now 528kb in size, as opposed to the previous 439kb.

I've also noticed that it launches noticably faster after the update. Perhaps Apple added some tweaks in addition to the security changes.

(no, it isn't the updated prebindings. I just did that myself this morning).