Slashdot Mirror


Security Update 2003-08-14 Released

Delta-9 writes "Today, Apple released Security Update 2003-08-14, which 'addresses a potential vulnerability in the fb_realpath() function which could allow a local or remote user to gain unauthorized root privileges to a system.'" It's on Software Update, and will likely soon appear on the support downloads page.

63 comments

  1. Good work Apple by wyvern5 · · Score: 5, Interesting

    Nice to see Apple is responding more quickly to security problems. I didn't even hear about this through my regular channels until after I had seen the update in Software Update.

    --
    -- Apple: Where Microsoft wants to go today.
  2. Some info about the vulnerability by remahl · · Score: 3, Informative

    The security update addresses the following vulnerability: http://isec.pl/vulnerabilities/isec-0011-wu-ftpd.txt Users who haven't activated the FTP server in the Sharing preference pane should not be vulnerable in any way to this bug. Furthermore, FTP servers running with anonymous access aren't vulnerable either (unless anonymous write access is enabled), since the overflow exploit requires creating deep hierarchies of directories. Only users with regular accounts on the machine can use this bug to gain more privileges on the machine. The advisory claims to have successfully exploited the problem on several Linux i386 platforms, but they "believe that exploitation of other little-endian systems is also possible". Note "little-endian". This may suggest that the bug is not exploitable in a useful way on big-endian machines (like all Macs, for example). Or it may simply suggest that they haven't investigated the matter thoroughly on big-endian processors. The advisory was posted a full two weeks ago, meaning that Apple was not as quick to respond as they normally are. Perhaps they were a bit too involved in Panther right now, and had to let this relatively minor insecurity wait a little while.

    1. Re:Some info about the vulnerability by sevenofnine · · Score: 1, Flamebait

      I think you are seriously deranged in the head if you think Steve Jobs is in charge of selecting what FTP server is shipped with OS X... I'm pretty sure it was some project manager, not Jobs himself... so I believe your end remark of the first paragraph should be "Thanks Apple".... Of course I could be wrong..

    2. Re:Some info about the vulnerability by Anonymous Coward · · Score: 5, Informative

      The FTP server included with Jaguar and Panther is lukemftpd, not wu-ftpd.

      But that's okay. Don't let the facts get in the way of your skreed. Carry on.

    3. Re:Some info about the vulnerability by HaloZero · · Score: 1

      For my own edification, and not in a trolling manner whatsoever (honest question), what would you suggest I use to replace wu-ftpd?

      --
      Informatus Technologicus
    4. Re:Some info about the vulnerability by Klaruz · · Score: 4, Informative

      No, Apple didn't use wu-ftpd, give them some credit, they used lukemftpd. Originally from NetBSD I believe.

      The realpath() function from BSD calculates the length of a resolved directory path. The problem is an off-by-one error. It actually affects more than just an FTP daemon since it's a library function, just like the gzip vulnerability a while ago. See the SANS report for more info.

      3 days from disclosure to security update is pretty good though.
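      The off-by-one in a path-length check that the post above describes, shown as an added illustration in C. This is not the BSD realpath() source and not the specific line the advisory patched; the helper names, the deliberately tiny buffer size and the sample paths are my own, constructed so the boundary can be checked by hand. It places the wrong bound beside the corrected one, and then shows the snprintf-based join that does not depend on a hand-written length check at all.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>

/* Deliberately tiny buffer so the boundary is easy to exercise by hand
 * (assumption: a real path buffer would be MAXPATHLEN/PATH_MAX bytes). */
#define PATH_BUF 16

/* Number of visible characters in "dir/name", not counting the NUL. */
static size_t joined_len(const char *dir, const char *name)
{
    return strlen(dir) + 1 + strlen(name);
}

/* The shape of an off-by-one length check: it compares the visible
 * characters against the buffer size and forgets the terminating NUL.
 * A joined path of exactly PATH_BUF characters passes, so a copy that
 * trusted this answer would place the NUL at buf[PATH_BUF], one byte past
 * the end. This function only reports the decision and never writes. */
int check_fits_offbyone(const char *dir, const char *name)
{
    return joined_len(dir, name) <= PATH_BUF;   /* wrong bound */
}

/* Corrected check: the visible characters plus the NUL must fit. */
int check_fits(const char *dir, const char *name)
{
    return joined_len(dir, name) + 1 <= PATH_BUF;
}

/* Join dir and name into buf[bufsz] without a separate length check.
 * snprintf returns the length it wanted to write, so a result >= bufsz
 * means the output was truncated and must not be used.
 * Returns 0 on success, -1 with errno = ENAMETOOLONG on overflow. */
int join_path(char *buf, size_t bufsz, const char *dir, const char *name)
{
    int n = snprintf(buf, bufsz, "%s/%s", dir, name);
    if (n < 0 || (size_t)n >= bufsz) {
        buf[0] = '\0';
        errno = ENAMETOOLONG;
        return -1;
    }
    return 0;
}

/* Exercise join_path against a PATH_BUF-sized buffer: returns 1 when the
 * join succeeds and yields `expected`, 0 when it is rejected or differs. */
int join_matches(const char *dir, const char *name, const char *expected)
{
    char buf[PATH_BUF];
    if (join_path(buf, sizeof buf, dir, name) != 0)
        return 0;
    return strcmp(buf, expected) == 0;
}

int main(void)
{
    /* Constructed sample names: the joined paths are 15 and 16 visible
     * characters, i.e. one below and exactly at the buffer size. */
    const char *ok_name = "libc.a";
    const char *edge_name = "libc.so";
    printf("off-by-one check accepts 16-char path: %d\n",
           check_fits_offbyone("/usr/lib", edge_name));
    printf("corrected check accepts 16-char path:  %d\n",
           check_fits("/usr/lib", edge_name));
    printf("join_path 15-char path succeeds:       %d\n",
           join_matches("/usr/lib", ok_name, "/usr/lib/libc.a"));
    printf("join_path 16-char path rejected:       %d\n",
           !join_matches("/usr/lib", edge_name, "/usr/lib/libc.so"));
    return 0;
}
```

      The point of the last function is that a length check and the copy are two places to get the arithmetic wrong; letting the bounded formatter report truncation removes one of them.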

    5. Re:Some info about the vulnerability by Klaruz · · Score: 3, Informative

      Anything but wu-ftp. I like pure ftpd, YMMV.

      However, if you use os x just stick with the stock ftpd since it's not wu-ftp. Like I said earlier, the bug wasn't with the ftpd, it was a library call. Just run software update and get on with your life.

    6. Re:Some info about the vulnerability by mhesseltine · · Score: 1

      Since I don't run an FTP server, I couldn't tell you for sure. I believe that ProFTP is supposed to be fairly capable. I also note that OpenBSD seems to lean toward PureFTP. Not sure what to make of that, but given the OpenBSD philosophy towards security, I'd say it's probably not a bad choice.

      --
      Overrated / Underrated : Moderation :: Anonymous Coward : Posting
    7. Re:Some info about the vulnerability by zpok · · Score: 5, Insightful

      The advisory was posted some full two weeks ago, meaning that Apple was not as quick to respond as they normally are.

      The East Coast has reverted to the stone age, my Windows machine is insulting me, but there's Apple with another Security Update for a *potential* weakness...

      Damn, you've got to admire their timing ;-)

      --
      I think, therefore I am...I think.
    8. Re:Some info about the vulnerability by MrFancyPants · · Score: 1

      I'm using vsftpd in Debian, it's pretty nice. Supposed to be secure, although I haven't seen any stats/docs to support that one way or the other.

    9. Re:Some info about the vulnerability by Dahan · · Score: 1

      3 days from disclosure to security update is pretty good though.

      The SANS report is just a summary of current vulnerabilities. While that issue of the report was published on August 11, the vulnerability itself was first published on July 31. Apple was a bit slow on this one for some reason...

    10. Re:Some info about the vulnerability by wyvern5 · · Score: 1

      I also recommend pureftpd (pureftpd.org). Its most recent revision now supports TLS-encrypted authentication, as well. Its mailing list is active and helpful, and the main developer (Frank Denis) jumps on bugs very quickly. It supports MySQL and LDAP authentication, as well as other goodies.

      --
      -- Apple: Where Microsoft wants to go today.
    11. Re:Some info about the vulnerability by Anonymous Coward · · Score: 0

      The patch was available for OpenBSD on the 4th.

  3. Ok, people. I'm really sorry. by remahl · · Score: 5, Informative

    It looks like I jumped the gun on this...On several levels...

    First, wu-ftpd is not the ftp server in Mac OS X. lukemftpd is.

    Second, the most relevant advisory is not the quoted one, but this one (which previously appeared on Slashdot): FreeBSD-SA-03:08.realpath.

    As the name implies, the bug originates from FreeBSD, and potentially leaves a long list of programs vulnerable (listed in the advisory).

    This means that the problem is broader than my original message anticipated. It means that other remote services may be vulnerable, including sftp.

    Thanks to the anonymous user who brought my attention to my (pretty bad) mistake.

    Please spread this information instead of the wrongful information in the parent post. Mod parent down.

    1. Re:Ok, people. I'm really sorry. by Anonymous Coward · · Score: 0

      Surely the most relevant and comprehensive is the one at http://isec.pl ? it is mentioned in the FreeBSD advisory.

  4. Signing???? by basking2 · · Score: 1

    Did anyone notice that the email that went out to the mailing list had a bad signature???

    --
    Sam
  5. Beware of updating... by irving47 · · Score: 0, Offtopic

    As soon as the update finished downloading, I was no longer able to launch Camino, Firebird, or Mozilla. In other words, any Mozilla-based browser. Can anyone else confirm that???

    --
    I had a sucky sig.
    1. Re:Beware of updating... by squiggleslash · · Score: 1

      I don't have any of those on the laptop I updated, but I do have Chimera, the last version before it became Camino. It's working fine.

      Whatever the problem is, I doubt it's gecko related.

      --
      You are not alone. This is not normal. None of this is normal.
    2. Re:Beware of updating... by Anonymous Coward · · Score: 0

      Be sure to turn your computer on before attempting to run any software.

      Hope this helps!

    3. Re:Beware of updating... by Anonymous Coward · · Score: 1, Informative

      No problem here using Camino 0.7. Just finished the install of the update with reboot.

    4. Re:Beware of updating... by xiaodidi · · Score: 1

      I don't have any mozilla, but... go to the Network System Preference Pane. Under "Proxies", set "passive ftp" or something like that. That helped me in the past with Safari.

    5. Re:Beware of updating... by jabberjaw · · Score: 1

      I am afraid not. I just downloaded the update and Camino 0.7 works like a charm on OS X 10.2.6.

    6. Re:Beware of updating... by datkinso · · Score: 1

      No problems with: Camino 0.7, Mozilla 1.5a, Safari 1.0, OmniWeb 4.5, or Explorer 5.2. All were there prior to the update and all still work fine.

    7. Re:Beware of updating... by irving47 · · Score: 1

      I haven't tried Omniweb, but safari and IE work fine. I just can't believe it's a coincidence. This particular misery would sure love some company!

      --
      I had a sucky sig.
    8. Re:Beware of updating... by lost_n_mad · · Score: 1

      It killed Safari on my iBook, a reinstall fixed it just fine (thankfully I have Camino as a backup!) but Camino worked for me. I think it breaks something in the default browser and blocks it from launching until it times out and becomes a "crash".

      --
      TANSTAAFL
  6. :sigh: Mac Zealots by Anonymous Coward · · Score: 0

    I'm a former Mac user, only because I cant afford them anymore, otherwise I love them.

    However, if people like you would quit pissing in your pants every time someone makes fun of you, you might just find out that this shit doesn't get posted due to lack of attention.

  7. Odd Side Effect?! by juniormaj · · Score: 3, Interesting

    I've posted this elsewhere, also. I know this seems odd, but imagine my surprise. In my home/Documents folder I have a subfolder named "Unstuffed". I have directed Stuffit to place all of its results in this folder. It's been there for over a year. After running today's security update the subfolder was renamed "Documents", and a file called "Documents.1" was created in the original "Documents" folder. So now, in my home/Documents folder I have a subfolder called "Documents" (with the contents of the old "Unstuffed" folder) and a strange zero k file called "Documents.1". Never seen that happen before.

  8. Just in time! by Anonymous Coward · · Score: 0

    This coincides with the release of the new g5 laptops with Panther on them. I'm glad I won't have to worry about my new g5 laptop getting r00ted.

  9. Re:Dear Apple by zpok · · Score: 0, Offtopic

    I bet your big-breasted wife doesn't know you're wasting your time playing with the boys here on /.

    --
    I think, therefore I am...I think.
  10. Re:Dear Apple by Anonymous Coward · · Score: 1, Funny

    Wake me up when you pass English 101 and can manage to post something that can be readily comprehended.

  11. Re:Dear Apple by zpok · · Score: 0, Flamebait

    Sorry to disappoint you, I'm as straight as one can be, it just seems you're reaching out. All the signals are there: anger, denial, insults, taunts... the way a 12-year-old begs for his first kiss.

    There are several community groups and counselors who can help you feel comfortable with who you are.

    Let go of the fear and insecurity. We don't hate you. There there, feeling better?

    --
    I think, therefore I am...I think.
  12. Not here: by tres · · Score: 2, Interesting

    took longer than usual to open "Navigator," but it opened just fine. Don't know if you restarted or not -- I haven't yet.

    But, I only use Navigator on rare occasions; testing session based problems was the order of the day today.

    --
    Notes From Under *nix: blas.phemo.us
  13. Zoom Zoom! by Farley+Mullet · · Score: 0, Offtopic

    It's amazing how fast that download went, what with half the computers in the U.S. offline. Slashdot, on the other hand, is crawling for some reason. Could be that most of Ontario still doesn't have power, so there are fewer local links to the backbone.

  14. OSX 10.1.5? by HSpirit · · Score: 3, Interesting

    My reading of the issue on the FreeBSD advisory is that it is likely 10.1.x is affected by this too.

    Can anyone confirm?

    Is a fix from Apple likely? I would find it very disappointing if Apple have stopped issuing security fixes for this OS - even Microsoft support their previous generation products (Windows 2000 Professional, for example).

    If not, given this affects the (open-source) Darwin core of the OS, is a patch to the affected library/ies a possibility?

    1. Re:OSX 10.1.5? by tlindner · · Score: 1

      After examining my 10.1.5 server it appears the standard ftp server is not lukemftpd.

      The advisory states that ftpd is not affected by the bug.

      So at least that daemon isn't vulnerable. But others can be. It would be nice to have Apple release an update for these systems.

  15. Not Panther by Draoi · · Score: 2, Informative

    I've just tried running it on Panther DP1 & it doesn't want to install. Better wait, I guess ...

    Furthermore, I just noticed that the installer said: "The installer needs to run a program to determine if it can be installed. Do you want to continue?" - that's a cool security feature!

    Oh, and the update is now up on Apple's downloads page

    --
    Alison

    "It is a miracle that curiosity survives formal education." - Albert Einstein

  16. Reboot Required (sigh) by Jeremy+Erwin · · Score: 3, Interesting

    Another update, another reboot. Sigh.. When is Apple going to stop requiring reboots?
    And they do require them, as I discovered last night. I wanted to install 10.2.0 on another machine. Rather than try to download a whopping 100 Megs of updates, I would use the 6 mini updates I already had to upgrade the computer to 10.2.6. And rather than repeat the install-reboot cycle a half dozen times, I would mount the other machine as a FireWire drive on my 10.2.6 machine. No reboots required, right?

    Well, half an hour later, with the 10.2.6 upgrades installed, I boot up. Nothing except a grey screen with an Apple logo. No cyclic symbol. The only way to solve the problem was to reinstall 10.2.0, and upgrade piecemeal, rebooting each time.

    1. Re:Reboot Required (sigh) by mkldev · · Score: 4, Interesting

      I tend to ignore the request to reboot and simply force-quit the installer, then continue working until it is convenient to reboot (which may or may not be that day). The only exception is when I'm installing a new device driver. To make the device driver usable, I do a "sudo kill -HUP xxx" where xxx is the PID of kextd.

      In the case of a security update that changes libraries, though, it's prudent to reboot, or at least shut down any daemon processes and restart them.... Anything newly launched will be bound to the new library, but anything already running will continue using the old one, hence any program that uses the buggy function needs to be restarted. A reboot is certainly the easiest way. :-)

      --
      120 character sigs suck. Make it 250.
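      The situation mkldev describes (processes started before the update keep the old library mapped until they are restarted) can be checked rather than assumed. The following is an added example in C, not code from the thread or from Apple: it scans mapped-file records and reports the distinct PIDs that still map a file which has been replaced on disk. The input is a constructed sample in the layout of a Linux /proc/PID/maps line with the PID prepended (the kernel's "(deleted)" marker is what identifies a replaced file); that layout is an assumption, and on Mac OS X the same data would come from lsof or vmmap with only the text parsing differing.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample input (not real system output). Each line is a mapped
 * file record in the layout of a Linux /proc/<pid>/maps line with the pid
 * prepended. "(deleted)" marks a file that was unlinked after being mapped,
 * which is what an in-place library update leaves behind for processes
 * started before the update. Assumption: this layout; the library and
 * daemon paths are illustrative only. */
static const char *SAMPLE[] = {
    "312 00001000-00050000 r-xp 00000000 08:01 2001 /usr/lib/libSystem.B.dylib (deleted)",
    "312 00050000-00051000 rw-p 0004f000 08:01 2001 /usr/lib/libSystem.B.dylib (deleted)",
    "517 00001000-00050000 r-xp 00000000 08:01 2099 /usr/lib/libSystem.B.dylib",
    "312 00100000-00101000 rw-p 00000000 00:00 0 [heap]",
    "644 00001000-00020000 r-xp 00000000 08:01 3001 /usr/sbin/ftpd (deleted)",
    NULL
};

#define MAX_PIDS 64
#define DELETED_SUFFIX " (deleted)"

/* Parse one record. Returns 1 and fills *pid and path (without the
 * "(deleted)" marker) when the record maps a file that has since been
 * replaced; returns 0 for live files and anonymous mappings. */
int parse_stale(const char *line, int *pid, char *path, size_t pathsz)
{
    int consumed = 0;
    /* fields: pid, address range, perms, offset, dev, inode, then the path */
    if (sscanf(line, "%d %*s %*s %*s %*s %*s %n", pid, &consumed) != 1)
        return 0;
    const char *rest = line + consumed;
    size_t len = strlen(rest), slen = strlen(DELETED_SUFFIX);
    if (len < slen || strcmp(rest + len - slen, DELETED_SUFFIX) != 0)
        return 0;
    size_t plen = len - slen;
    if (plen >= pathsz)
        plen = pathsz - 1;
    memcpy(path, rest, plen);
    path[plen] = '\0';
    return 1;
}

/* Append pid to pids[] unless it is already present; returns the new count. */
static int add_unique(int *pids, int n, int max, int pid)
{
    for (int i = 0; i < n; i++)
        if (pids[i] == pid)
            return n;
    if (n < max)
        pids[n++] = pid;
    return n;
}

/* Scan all records and collect the distinct pids that still map a replaced
 * file: these are the processes that need a restart to pick up the fix. */
int find_stale_pids(const char **lines, int *pids, int max)
{
    int n = 0, pid;
    char path[256];
    for (int i = 0; lines[i] != NULL; i++)
        if (parse_stale(lines[i], &pid, path, sizeof path))
            n = add_unique(pids, n, max, pid);
    return n;
}

/* Helpers over the constructed sample so the result can be checked. */
int sample_stale_count(void)
{
    int pids[MAX_PIDS];
    return find_stale_pids(SAMPLE, pids, MAX_PIDS);
}

int sample_stale_pid(int i)   /* -1 when i is out of range */
{
    int pids[MAX_PIDS];
    int n = find_stale_pids(SAMPLE, pids, MAX_PIDS);
    return (i >= 0 && i < n) ? pids[i] : -1;
}

int sample_line_stale_path_is(int i, const char *expected)
{
    int pid;
    char path[256];
    if (!parse_stale(SAMPLE[i], &pid, path, sizeof path))
        return 0;
    return strcmp(path, expected) == 0;
}

int main(void)
{
    int pids[MAX_PIDS];
    int n = find_stale_pids(SAMPLE, pids, MAX_PIDS);
    printf("%d process(es) still map a replaced file:", n);
    for (int i = 0; i < n; i++)
        printf(" %d", pids[i]);
    printf("\n");
    return 0;
}
```

      PID 517 in the sample was started after the update and maps the new copy, so it is not reported; PID 312 maps the old library twice but is listed once. A reboot restarts everything; this kind of scan is what lets you restart only what actually needs it.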
    2. Re:Reboot Required (sigh) by njpomeroy · · Score: 2, Insightful

      More often than not, the reboots are *technically* unnecessary. Sometimes the reboots are just to ensure some daemon gets reloaded correctly and by the correct parent process. It could be done with a script, but could easily be foiled by the unknown state of any given user's machine.

      Finally, sometimes reboots are necessary because they are replacing/updating the kernel itself. IANAKE (I am not a kernel engineer), but I have heard that not all kernel alterations can be done without reboot.

      For the record, I hope they quit the reboot thing, and I wish every 3rd party developer realizes that NOTHING he is installing needs a reboot, EVER.

    3. Re:Reboot Required (sigh) by eduo · · Score: 0

      It's even easier to do "sudo killall -HUP kextd" where you don't have to pay attention to the PID of it.

      Of course, the actual reason for the reboot is that Apple can't give the option of rebooting or not because most users would choose not to and then might afterwards have problems with their computers.

      N00b users have already ingrained in their heads that it's normal to restart the computer after installations (even minor ones). The ones I've seen like to reboot the machine after an installation even if it was not required.

      I wish Mac OS X had somewhere an option where you can tell it you're a "power user" and then it should leave the reboot decisions to you, giving you just the recommendation that you reboot when it's actually applicable.

      What I don't forgive are installers like the newer Virtual PC (which was a useless update made only so the graphics displayed "Microsoft" in the windows (and check the "Microsoft" name in the installation screen, it's not even properly aligned!)) that ask you to quit all other running applications. What's that? That's SO OS 8.. :)

      Eduo

    4. Re:Reboot Required (sigh) by thatguywhoiam · · Score: 2, Insightful

      Another update, another reboot. Sigh.. When is Apple going to stop requiring reboots?

      Yeah, you know what else sucks? I have to turn off my car to work on the engine. It's a huge pain in the ass, you gotta get out and walk around....

      In seriousness, OS X is sooo much better than OS 9 in this regard. Device drivers don't usually need a reboot, just security updates and really low-level stuff... and these are things you want to reboot for, to take advantage of the improvements!

      Besides, if you want to, you can force-quit the installer. Just keep working and shut down when you're done - tomorrow your update will be there.

      --
      If Jesus wants me it knows where to find me.
    5. Re:Reboot Required (sigh) by Anonymous Coward · · Score: 0

      You obviously don't have any idea how libraries work. Besides, Apple is only one of the many kinds of Unix platforms that require a reboot after an update.

      Moron.

  17. SMB problems?!? by tholomyes · · Score: 1

    Well, I ran this security update this morning, and the XP security updates a few days ago, and now my PowerBook and Compaq refuse to talk to each other. It seems one update or the other broke SMB between the 2 platforms, because it worked fine last week.

    Now, after I try to connect to the XP box, it tries & then won't do it. A few moments later, it gives me that very annoying, very modal dialog box that grays out everything else, and says (in several languages) that I need to reboot. Ugh! Anyone else come across this problem?

    --
    When did the future switch from being a promise to a threat? -C. Palahniuk
    1. Re:SMB problems?!? by Squidgee · · Score: 1

      You sir, have experienced a kernel panic.

  18. Re:Dear Apple by Anonymous Coward · · Score: 0

    Holy shit, that's the funniest fucking thing I've ever read. I mean I am totally busting a seam..... hahahahahahaha..... you dumb bastard...I can't imagine a knucklehead like you ever getting a chance to date much less do anything else. I know, you're one of the dorks from Weird Science. Dude, seriously I got tears. And I modded you up as funny, keep all those proxies coming through I never get tired of reading the same stupid comment every time, I mean seriously it lets me know I'm reading slashdot. Keep up the good work ya' dumb fuck.