Slashdot Mirror


Apple Releases Security Update 2003-03-24

skeeter17 writes "Apple updates security again. According to the description: 'Security Update 2002-03-24 addresses a Samba vulnerability which could allow unauthorized remote access to the host system. .... OpenSSL is also updated to address an issue in which RSA private keys can be compromised when communicating over LANs, Internet2/Abilene, and interprocess communication on local machine. ... It is recommended that all users install this Security Update.' Well! There you have it folks!" It is available via Software Update.

58 comments

  1. Dance! by blackmonday · · Score: 4, Funny

    ALERT: There are still known vulnerabilities with the Cha Cha Cha, the Cabbage Patch, and especially the Boogaloo. You've been warned.

  2. Macs rock. ;) by Justen · · Score: 4, Interesting

    I think it is quite admirable that Apple is so dedicated to these security updates. Certainly there is one other operating system software company in the world that isn't as vigilant. *cough*

    I know at work, whenever an exploitation was discovered on the PC, the IT department would wait and wait. After several weeks, when problems started happening, they would issue an advisory, telling the people workarounds and what not to do and such until an update happened.

    They never did that for the marketing/communications Macs. The reasons are threefold:

    a.) there are fewer exploits in Mac OS X's old age (read: UNIX/FreeBSD/Darwin),

    b.) when there are holes, they are patched, almost always very, very promptly.

    c.) they were afraid of the Macs, anyway.

    I think the latter is the least substantial, but, nonetheless, still relevant.

    Anyway. I wanted to make a note of this. I don't see how there's much else that we can regularly pony up in Software Update discussions...

    justen

  3. Re:Why don't you just get a REAL operating system. by Pathwalker · · Score: 5, Funny

    Microsoft file sharing is the most secure in the world. In fact, you don't even need to use a firewall with Windows.

    That's right - all you need to do is leave your box hooked up to the network with no firewall, and in less than 5 minutes, one of a large number of dedicated volunteers will scan your system for any security flaws. If any are found, this tireless worker will log into your box, and install any necessary patches for you.

    Don't worry if the disk thrashes from time to time, or if there is a lot of network activity, these are just symptoms of the high level of careful service you are receiving from your unknown friend.

    To ensure the best service, be sure to tip him, by putting your credit card number, zip code, expiration date, SSN, and a suggested tip amount in a file called c:\tip.txt. A little gesture like this can go a long way!

  4. They're doin' better than Microsoft by nycroft · · Score: 3, Insightful

    Since OS X 10.2.4 came out, I think this is only the second security update. However, for XP there have been countless updates. The Service Pack One update from a few months back was 120MB! They must've had quite a few holes to need an upgrade that big.

    It seems that almost every week, my IT department is running around trying to install security updates on our computers. It's a good thing I only use my PC for e-mail (not for long, since MS Exchange will soon work with Entourage). I use my Mac for real work.

    --
    Mr. Bond, they have a saying in Chicago: Once is happenstance. Twice is coincidence. The third time is enemy action.

    1. Re:They're doin' better than Microsoft by cyb97 · · Score: 1

      I guess to make a patch 120 MB you must be using a rather specially-crafted version of patch... unless they actually replace the whole file that's borked..

    2. Re:They're doin' better than Microsoft by Anonymous Coward · · Score: 0

      As much as I adore Apple, and I LOVE my new Ti Powerbook, I think you need to compare apples to apples. XP isn't equivalent to 10.2.4, it's equivalent to 10.2 at best, and maybe 10.0. (I'll take the 10.2 comparison, though).

      Since their releases, Apple has had four major upgrades of about 100 MB. XP has had just the one Service Pack of about 120 MB. There have been dozens of hotfixes for XP, of course, and a smaller number for OS X 10.2.

      Of course, that's just silly numbers. Apple's patches certainly come out in a much more timely manner and, of course, the OS is a dream. In any case, I just wanted to make sure we were doing apples to apples.

    3. Re:They're doin' better than Microsoft by Alcimedes · · Score: 4, Funny

      well, sounds to me like Apple is slacking off then. i mean, WinXP has already released DOZENS of megs of security patches. come on Apple, get off your can. only two updates.

      slackers!!!! ;)

  5. Not even Apple's updates by daveschroeder · · Score: 4, Insightful

    And let's not forget that these security updates are due to exploits and holes in the software of the OSS community at large (sendmail, samba, openssl, openssh), not due to Apple's own bungling or inattention to security.

    1. Re:Not even Apple's updates by nycroft · · Score: 4, Insightful

      Absolutely! I forgot, sorry.

      Let's face it: If you compare Apple's software AND hardware innovation to any other company, they stand up extremely well. Apple is a company that is doing both at the same time. Any other company would have folded by now (they were getting pretty close in the late '90s), but they seem to be able to keep setting trends and making money to boot. I'd like to see MS try and pull that off. They seem to be going backwards compared to Apple.

      --
      Mr. Bond, they have a saying in Chicago: Once is happenstance. Twice is coincidence. The third time is enemy action.

    2. Re:Not even Apple's updates by Ponty · · Score: 2, Funny

      Microsoft makes mice. :-)

    3. Re:Not even Apple's updates by Anonymous Coward · · Score: 0

      This pat on the back session was brought to you by the Steve Jobs in 2004 campaign.

  6. Someone tell me... by Anonymous Coward · · Score: 1

    Why did they release a patch for this so quick, but they haven't fixed the 1969/70 bug? Seriously Apple, I have not turned on this feature ever (you have to turn it on since it is off by default).

    1. Re:Someone tell me... by Juanvaldes · · Score: 3, Informative

      because that has already been fixed and is in the 10.2.5 update which will be released within a few weeks.

    2. Re:Someone tell me... by Chucker23N · · Score: 1

      Security Patches and Bug Fixes are of different priority. Exaggeratedly put, a (hypothetical) issue that can put the whole internet down (through a worm that spreads over multiple platforms) is a much bigger threat than a bug that doesn't read your system clock from the NVRAM properly.

      A workaround for your problem, if you have an always-on internet connection, btw, is to just turn network time syncing on.

  7. Yes, I agree...MS is trash by djupedal · · Score: 4, Insightful

    This patch is for SAMBA...which is a Windows file sharing protocol. Go figure.

    I know the parent is a troll. Last one I feed today, I promise.

  8. Date issues? by NeuralNet03 · · Score: 2, Interesting

    Huh. Seems in Software Update, it's titled 2003-3-24, but in the description, it's *2002*-3-24.
    Weren't they a year off last time, too?

    1. Re:Date issues? by Anonymous Coward · · Score: 0

      I guess they're so good that they had patches ready an entire year in advance, and just waited to release them until the vulns were actually found. Kinda scary.

    2. Re:Date issues? by commodoresloat · · Score: 0, Flamebait

      At least it isn't titled 1969-12-31.

  9. OpenSSL again? by tbmaddux · · Score: 3, Interesting

    I thought that Security Update 2003-03-03 was supposed to patch OpenSSL: "This update also includes a newer version of OpenSSL that provides improved data confidentiality by addressing a recently-discovered security issue." At the time (03-03-2003) I assumed they were talking about this bug. Plus, the "important information" section of today's patch has the same language about sendmail and OpenSSL.

    I'm confused! Anyone know what OpenSSL bugs are patched, specifically, by each security update?

    --
    Can't you see that everyone is buying station wagons?

    1. Re:OpenSSL again? by Dahan · · Score: 1

      Plus, the "important information" section of today's patch [apple.com] has the same language about sendmail and OpenSSL.

      Hmm, interesting... my guess is that's just some overzealous copy and paste from the previous security update.

      Now, as for which OpenSSL bug this is for... my /usr/lib/libssl.* and /usr/lib/libcrypto.* are still dated 03/03. Here's a list of the files included in the update:

      ./usr/bin/make_printerdef Tue Mar 18 18:40:38 2003
      ./usr/bin/make_smbcodepage Tue Mar 18 18:40:40 2003
      ./usr/bin/make_unicodemap Tue Mar 18 18:40:42 2003
      ./usr/bin/nmblookup Tue Mar 18 18:40:43 2003
      ./usr/bin/rpcclient Tue Mar 18 18:40:41 2003
      ./usr/bin/smbcacls Tue Mar 18 18:40:43 2003
      ./usr/bin/smbclient Tue Mar 18 18:40:35 2003
      ./usr/bin/smbcontrol Tue Mar 18 18:40:38 2003
      ./usr/bin/smbpasswd Tue Mar 18 18:40:39 2003
      ./usr/bin/smbspool Tue Mar 18 18:40:36 2003
      ./usr/bin/smbstatus Tue Mar 18 18:40:37 2003
      ./usr/bin/testparm Tue Mar 18 18:40:36 2003
      ./usr/bin/testprns Tue Mar 18 18:40:37 2003
      ./usr/libexec/httpd/libssl.so Tue Mar 18 11:33:25 2003
      ./usr/sbin/nmbd Tue Mar 18 18:40:34 2003
      ./usr/sbin/smbd Tue Mar 18 18:40:33 2003
      ./usr/sbin/swat Tue Mar 18 18:40:35 2003

      So it looks like OpenSSL itself wasn't updated--only mod_ssl for Apache. It's now at version 2.8.13, with fixes for the RSA timing attack. Seems like they should've instead upgraded OpenSSL itself to the version that always turns on RSA blinding.
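      As an added illustration of the RSA blinding Dahan mentions (this is example code written for this mirror, not code from the post, from OpenSSL or from mod_ssl), the snippet below decrypts once with plain modular exponentiation and once with a blinded exponent, and checks that both give the same plaintext. The key uses two constructed toy primes that are far too small for real use; the point is only to show why the blinded path leaks nothing about the ciphertext through its timing.

```python
import secrets
from math import gcd

# Constructed toy key: two small known primes, chosen only so the
# arithmetic is readable. Never use a key this small for anything real.
P, Q = 104729, 1299709
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent (needs Python 3.8+)


def rsa_encrypt(m, n=N, e=E):
    return pow(m, e, n)


def rsa_decrypt_unblinded(c, d=D, n=N):
    # Straight modular exponentiation. Its running time depends on c,
    # which is exactly the signal the 2003 timing attack measured.
    return pow(c, d, n)


def rsa_decrypt_blinded(c, d=D, n=N, e=E, rng=secrets.randbelow):
    # Blinding: pick a fresh random r, exponentiate (c * r^e) instead of c,
    # then strip r from the result. Because (c * r^e)^d = c^d * r^(ed)
    # = c^d * r (mod n), multiplying by r^-1 recovers c^d. The private
    # exponentiation now runs on a value the attacker cannot predict.
    while True:
        r = rng(n - 2) + 2          # r in [2, n-1]
        if gcd(r, n) == 1:          # r must be invertible mod n (almost always is)
            break
    r_inv = pow(r, -1, n)
    c_blind = (c * pow(r, e, n)) % n
    m_blind = pow(c_blind, d, n)
    return (m_blind * r_inv) % n


def check_blinding(m):
    """Return True if blinded and unblinded decryption both recover m."""
    c = rsa_encrypt(m)
    return rsa_decrypt_blinded(c) == rsa_decrypt_unblinded(c) == m


if __name__ == "__main__":
    for m in (42, 123456789, N - 1):
        print(m, check_blinding(m))
```

      The fix Dahan describes is simply making the blinded path the default rather than an opt-in flag, so every private-key operation goes through the randomised route.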

    2. Re:OpenSSL again? by tbmaddux · · Score: 1

      Answering my own question, according to Apple Security Updates the 2003-03-24 update fixes CAN-2003-0147, and the 2003-03-03 update fixes CAN-2003-0078.

      --
      Can't you see that everyone is buying station wagons?

  10. Re:Macs rock. ;) by gnuadam · · Score: 3, Interesting

    Not to rag too much on apple, but they're still slower to release fixes than open source. Both fink and my gentoo linux box are usually patched the same week (and often the same day) that I hear about the problem.

    Gentoo is getting a reputation for releasing fixes before slashdot announces, as the smug 1337 gentoo users like to point out.

    Does that make me one of them now, too?

    I'm not meaning to say that apple is doing a poor job, by any means. I'm just wanting to point out that apple is not the only organization that takes security seriously, and that there are others that beat apple out the door with security fixes.

    --
    You say :wq, I say ZZ. Why can't we all just get along?

  11. Restart required, though. by Alex+Thorpe · · Score: 3, Funny

    There went my two weeks of uptime... ;-)

    --
    "Common Sense Ain't" -Unknown

    1. Re:Restart required, though. by capmilk · · Score: 1

      A low uptime can mean two things:

      1: The system crashes quite often.
      2: The system is patched quite often.

      Ever since realising that, I have a new view on uptime boasting...

    2. Re:Restart required, though. by Alex+Thorpe · · Score: 1

      I think my previous restart was due to the new version of Java, though I was having some serious freezing problems in Diablo II for a while. I'm not completely certain why they stopped, but I did switch from Meteorologist to WeatherPop about that time...

      --
      "Common Sense Ain't" -Unknown

    3. Re:Restart required, though. by fname · · Score: 1

      Two weeks? My PowerBook G3/333 Lombard is up to about 38 days. Mostly in sleep mode, obviously. Still, I last booted 3 states ago, and I bet I have over 100 hours of interactive use. I've had a few apps quit on me (Explorer, Chimera, maybe a few others), but the OS is rock solid. I've removed and added my WiFi card about 3 times, operated on planes and in cars, run the battery down to less than 10%, and I have updated multiple pieces of software. It includes hours of heavy iPhoto use, too.

      Not bad for a 1998-vintage computer that doesn't even meet the specs for iPhoto, was built when OS X was still a gleam in Avie Tevanian's eyes and no one had ever heard of Aqua or Quartz in the Apple world.

  12. Re:Macs rock. ;) by defunc · · Score: 0, Troll

    Please, do me a favor and go kiss Jobs ass. Enough of this "my OS is better than yours". When MSFT releases security updates, you probably complain. When they don't on time, you probably complain too. But when APPL releases its updates 2 weeks later, it's all praise. Squeeze those cheeks real hard.

    --
    .defuncrc

  13. Fascinating..... by dethl · · Score: 1

    You have to run OS X 10.2.4 to get this patch. Does this mean that 10.2.3 is secure from this bug, or do I need to hook up to my mom's school's T1 line to be up to date? 10.2.3 has been running very, very smoothly with little or no problems (mainly due to 3rd party programs/drivers).

    --
    "Some fight for law. Some fight for justice. What will you fight for? One day, you will see."

  14. Re:Fascinating.....[ERRATA] by dethl · · Score: 1

    horribly worded.....10.2.3's problems are due to the use of 3rd party drivers and programs. Sorry for any trouble I might have caused in the reading of the parent post...

    --
    "Some fight for law. Some fight for justice. What will you fight for? One day, you will see."

  15. Re:Macs rock. ;) by Llywelyn · · Score: 1

    OpenSource does not have a major disadvantage that Apple does: Apple has to test the security update to make sure it doesn't break anything and prepare the distribution for release (which geeks normally take care of on their own in the OSS community).

    --
    Integrate Keynote and LaTeX

  16. Re:Macs rock. ;) by WatertonMan · · Score: 4, Informative

    You can still recompile most of the Apple utilities that have these patches. Indeed if you are using Apache on a production machine using OSX you are probably better off compiling the code so that you *know* exactly what is going on. For most machines that is less significant.

    Put another way, you're right, but you're confusing Apple's software with the code. Most of the services on OSX are open source and to say that "they are slower to release fixes than open source" rather misses the forest for the trees. (Or vice versa) What Apple does is provide a quick, easy update for regular users who don't want to deal with the complexities of compiling their open source programs. As such Apple reacts in a very timely manner and does a lot of checking.

    So to differentiate Apple's security and open source's security is a false dichotomy.

  17. Re:Why don't you just get a REAL operating system. by dewhite · · Score: 1

    Someone should mod this chump up, so everyone can take a moment to share with him what a fool he is...

    --
    -dewhite

  18. security update & safari by archiBEN · · Score: 1

    uh. if anyone out there hypothetically has safari v67 and has just installed the security update i would be very interested to know if safari v67 would work following the update...? thanks.

    1. Re:security update & safari by pi+radians · · Score: 1

      Yeah, Apple isn't going to intentionally kill an application in a security update.

      --

      sin(6cos(r)+5A)

  19. Re:Macs rock. ;) by Chucker23N · · Score: 1

    What, you mean MSFT ever released a security update in time? The recent "RtlDosPathNameToNtPathName_U" bug was actually discovered in Usenet about two years ago, in NT4.

  20. Limited options? by Gropo · · Score: 1

    3: The user shuts it down every night to conserve energy?
    4: The computer is located in a California 'Rolling Black-Out' zone (snnnuck)

    --
    I hate Grammar Nazi's

  21. Re:Dear Apple by Anonymous Coward · · Score: 0

    It is a statistically provable fact that there are more gay men using PCs than Macs, through sheer marketshare.

    Besides, how do you account for the gay man's superior sense of style?

    And, how do you account for proving this point by cutting-and-pasting the same woefully pathetic incendiary letter on every single goddamned Apple post?

    How, AC, do you reconcile the fact that you are somehow *threatened* by what is (by your own admission) the Mac's superior technology? How do you respond to that without looking, to all the world, like Jackass Prime?

    Answer: you don't.

  22. Just wish they'd fix the bugs by i0wnzj005uck4 · · Score: 1

    The only time my OS X machines crash is when I'm connected to windows shares. Isn't that neat?

    I just hate how the security patches kill my uptime. 5 days 18:04 since I last rebooted on my iBook, and I think that was the last security patch, too.

    --
    - Cloud

  23. Re:Dear Apple by Anonymous Coward · · Score: 0

    You know I wrote this response to the perennial Mac Troll a few weeks ago, and am greatly amused to see that it has taken on a life of its own, and continues to plague said Mac Troll autonomously. Kudos.

  24. Apache Problems by TwP · · Score: 1

    The security fix causes the Apache webserver to crash when a secure connection is requested. The Apache SSL library was updated, but there is a memory addressing error manifesting itself in the "ssl_var_lookup_ssl_cert" function. This causes a segmentation fault and crashes that instance of the Apache server.

    I'd be interested in hearing from anyone else having similar difficulties.

    1. Re:Apache Problems by japhar81 · · Score: 1

      Recompile apache -- that fixes it. Don't ask me how/why.

    2. Re:Apache Problems by TwP · · Score: 1

      Hmmmm . . . I think you are in error when you use the word recompile; you are assuming that I compiled Apache in the first place. No, I'm just using the stock Apache server that comes with OS-X.

    3. Re:Apache Problems by randito · · Score: 1

      I am having the same problem. I am using the stock Apache server too. Very annoying. I have found no solutions yet and I am not about to compile a new version of apache.

      Any solutions out there?

    4. Re:Apache Problems by Anonymous Coward · · Score: 0

      I'm also having the same segmentation fault error. Argh. My webserver works but not SSL.

    5. Re:Apache Problems by TwP · · Score: 1

      Yes, there is a solution out there. Basically you need to restore the previous version of libssl.so. This will get your webserver up and running again, but it will still have the RSA keysnoop vulnerability. So use at your own risk!

      You can find the old libssl.so at two places:

      http://ganter.dyndns.org/misc/apple_ssl.php
      http://www.zippy6.net/misc/

      You have Thomas Ganter to thank for this solution. It was first published on the Apple discussion site, and I mirrored it on my webserver (just to keep Ganter's site from being slashdotted).

  25. Flamebait? by Anonymous Coward · · Score: 0

    Jesus, moderators, get a fucking sense of humor.

  26. Apple Mail by portwojc · · Score: 1

    I just wish they would have released OS X with a mail server (Apple Mail) that wasn't open to relaying by default.

  27. Re:Macs rock. ;) by Anonymous Coward · · Score: 0

    'false dichotomy'? What an asshole. He can't write English either.