Slashdot Mirror

← Back to Stories (view on slashdot.org)

Apple Forcing Panther Upgrade for Security Patch

Posted by CmdrTaco on from the well-thats-a-bit-stingy dept.

The Raindog writes "I noticed over at Tech Report that Apple is apparently only offering its latest round of OS X security fixes to Panther users, leaving older versions of OS X out in the cold. " Update: 10/31 by J : But see the next day's story.

2 of 605 comments (clear)

  1. Have you looked at the details of the bugs? by masonbrown · · Score: 4, Interesting

    From the site at @stake....

    Release: 10.28.03
    Name: Long argv[] Buffer Overflow
    Application: Mac OS X
    Platforms: Mac OS X 10.2.8 and below
    Severity: Attacker can crash Mac OS X and possibly execute commands as root
    Author: Matt Miller and Dave G.
    Overview: It is possible to cause the Mac OS X kernel to crash by specifying a long command line argument. While this primarily affects local users there may be conditions where this situation is remotely exploitable if a program which receives network input spawns another process with user input. It is possible to use this condition to dump small portions of memory back to an attacker.

    Release: 10.28.03
    Name: Systemic Insecure File Permissions
    Application: Finder (and many others)
    Platforms: Mac OS X 10.2.8 and below
    Severity: High
    Author: Dave G.
    Overview: Many applications are installed onto Mac OS X systems with insecure file permissions. This is due to two distinct classes of problems:

    A security issue regarding DMG files managed by Mac OS X
    Insecure file permissions packaged by different vendors
    The result is that many of the files and directories that compose various applications are globally writable. This allows attackers with filesystem access to an OS X machine to replace binaries and obtain additional privileges from unsuspecting users, who may run the replaced version of the binary.

    Release: 10.28.03
    Name: Arbitrary File Overwrite via Core Files
    Application: Kernel
    Platforms: Mac OS X 10.2.8 and below
    Severity: High
    Author: Dave G.
    Overview: In the event a system is running with core files enabled, attackers with interactive shell access can overwrite arbitrary files, and read core files created by root owned processes. This may result in sensitive information like authentication credentials being compromised.

    Yeah, they're bugs, and yeah, it's possible. But don't these phrases kinda limit the scope?

    "While this primarily affects local users"

    "This allows attackers with filesystem access"

    "attackers with interactive shell access"

    So to me this doesn't mean the end of the world, or that all my data is wide open and exploitable from the public internet. I'm guessing they'll patch it when they can, and the fact that it's patched in X.3 probably means they're using a different release of the software in question that is inherently invulnerable to these issues.

  2. Great reporting, guys. by Raptor+CK · · Score: 3, Interesting

    So, you mean that a vulnerability in 10.3 has to exist in 10.2?

    It's not at all possible that with new functionality comes new bugs?

    The very title of this story indicates a lack of proper investigative journalism. Of course, this is /., so I'm not at all surprised.

    --
    Raptor
    "Procrastination is great. It gives me a lot more time to do things that I'm never going to do."