Security Updates Released for Panther and Jaguar

ZackSchil writes "Apple has released security updates for both Mac OS X 10.3.1 and, as promised, 10.2.8. The update to 10.3.1 updates OpenSSL and zlib's gzprintf() function. In addition to those updates, the 10.2.8 update contains changes to gm4, groff, Mail w/CRAM-MD5 authentication, Personal File Sharing, and QuickTime for Java. Run Software Update for more information and to install the updates."

Already installed

[edalytical]

I've already installed Security Update 2003-11-19 and QuitTime for Java Update v2.0. No problems so far. Great to see Apple keeping their promise and supporting Jaguar.

Re:Already installed

[tuxedobob]

What?! Jaguar? 10.3 is out! You might as well use OS 9!

Seriously, though. Expose is cool.

Re:Already installed

[edalytical]

I'm poor. Not really, just haven't bought Panther yet.

seems to work

[for_usenet]

I tried the update to 10.2.8, and all seems to be well. Thanks to Apple for keeping the older OS's secure. Now if they'd only let us use 3rd party drives with their Disc-recording software in 10.3, it would be golden !! ;-)

Re:seems to work

[HTH+NE1]

Now if they'd only let us use 3rd party drives with their Disc-recording software in 10.3, it would be golden !!

Not all third-party drives are reliable. I can't burn DVD-Rs with DVD Studio Pro 2 on my DVD-R/-RAM drive because the drive reports its two burn speeds as 1x and 64x (as relayed by Toast). DSP2 presumes to use the highest speed, 64x, with no control to tell it otherwise. It then hangs. I have to have DSP2 create a disk image file instead and then burn that with Toast.

But at least I got it to run on an underpowered non-AGP Mac. (Blue & White G3 upgraded with 550 MHz G4.)

Re:seems to work

[puff+the+barbarian]

It used to be (according to things that I have read on the 'net) that as long as you installed an IDE/ATA DVD recorder internally, then iDVD would use it. Is this no longer the case?

Re:seems to work

[for_usenet]

The reason why I mentioned this is some of us would still like the choice of being able to experiment with 3rd party drives. I have the same model Toshiba DVD-ROM/CD-RW drive that Apple uses on its iBooks. However, when I installed it, all of the OS software claimed it was "unsupported." Seems like Apple used a different firmware version.

However, using the PatchBurn software, I was able to modify some of the system files to get the drive to be recognized by all of the system software (iTunes, Disc Copy, etc). With 10.3, if the drive is no longer supported out of the box, I am SOL, at least till someone else hacks the Disc Recording Framework. I am not asking Apple to give support for all these drives, just to let us be able to try them out for ourselves, and not close up the OS entirely.

Re:seems to work

Maybe an investment in some modern hardware would help your problems...

Re:seems to work

[tuxedobob]

They would, but there are licensing issues involved. I'm not exactly sure how it all works, but the MPEG4 codec has something to do with it.

Re:seems to work

[bill_mcgonigle]

Yeah, but they don't support a significant number of drives that do not have such failures.

Patchburn works great on Jaguar for most people. The drive descriptions file in 10.3 is xml-based instead of binary, but after editing the XML file (probably correctly) it still doesn't recognize my drive, so there must still be another step to get the OS to recognize the changes (compile it?).

Anybody know?

Re:seems to work

"Now if they'd only let us use 3rd party drives with their Disc-recording software in 10.3"

MissingMediaBurner 0.6.2

macosxhints - 10.3: Add support for any third-party CD-R burner

Re:seems to work

That is the plan. A new G5. And several Firewire drive bays. Meanwhile, I'm happy to have it working on the B&W G4 (also modded for more internal drive storage).

BTW, FCP4 and Compressor need the same edit to their Info.plist files as does DSP2. I haven't tested the new updates for these programs which are also out.

Re:seems to work

[General+Sherman]

In panther Apple uses XML files to store data about supported drives. All you have to do is open up something like, say, toast and look at what the drive reports itself as, then dig in /Library/Frameworks/DiscRecording.framework and find the proper XML file and add a new .

I know this sounds really complicated, but there is an easy how-to guide at www.xlr8yourmac.com. Most drives are supported, but the software doesn't believe so because of a slightly different firmware version or something silly like that.

Just downloaded and.....

[ihatewinXP]

Everything still works. I havent seen any killer bugs popping up on macfixit or versiontracker either. Also note that the QT Java update is included - fixed one broken site for me that Panther QT had knocked out.

Oh and a bluetooth update, but my Sony Ericsson already works flawlessly (and still does post-update).

And yes, it does require a restart for all of you running the "Show Off" uptime screen saver.

Lockups

[Leroy_Brown242]

I hope that ome of these patches fixes my lockup issues in 10.2.8

This just in: THE SKY DIDN'T FALL

[mattbot+5000]

Where are all the people who were crying last week about Apple not supporting Jaguar? Huh?!? WHAT DO YOU HAVE TO SAY FOR YOURSELVES NOW!!!

Go ahead and mod me +1 Flamebait, just RECOGNIZE that you people are the FISH that took the bait last week!

So high and mighty with your mod points.

Re:This just in: THE SKY DIDN'T FALL

[aristotle-dude]

They had been saying all along they were going to support Jaguar. Confirmed by @stake? I thought they were the ones that found the bug. What motivation would they have to be impartial when they can generate more publicity for themselves with sensationalism. I see nowhere where Apple said they would not release an update for Jaguar.

Re:This just in: THE SKY DIDN'T FALL

[MoneyT]

Indeed, Cnet said it was confirmed, and if you read what the guy at @stake said, he said those he spoke to did not think that Apple would. And as people quite clearly pointed out, it was an anonymous paraphrase, or IOW, nothing more than hearsay

Re:This just in: THE SKY DIDN'T FALL

David Goldsmith, director of research for @stake, a security company that found four of the vulnerabilities, confirmed that Apple said it wasn't going to patch the flaws in earlier versions of the software.

It was the director of reasearch from @stake who probably knew exactly who to talk to, not some pimply faced 5Kr1p7 k1dd13 who knows some dork who works in the shipping department at 1 Infinite Loop. Certainly not hearsay, and absent any relevant information, most likely true at the time. I'm sure Mr. Goldsmith knew who to talk to and verify the information, again, most likely not the shipping clerk.

It's not like Apple doesn't do this sort of thing on a regular basis to force a paid upgrade.

Re:This just in: THE SKY DIDN'T FALL

Its not clear that this security update fixes these issues:

CAN-2003-0895 Long argv[] buffer overflow
CAN-2003-0876 Systemic Insecure File Permissions
CAN-2003-0877 Arbitrary File Overwrite via Core Files

They were fixed in the Panther release but are not listed in this release:
http://www.securityfocus.com/advisories/ 6081

Re:This just in: THE SKY DIDN'T FALL

[sepiachrome]

"probably knowing" is not good enough. the statement was pure hearsay (as other posters have mentioned), and totally worthless.

"confirmed that Apple said" is as good as "well, i can confirm that this guy i know said he really didn't steal that car".

by the way, do you know how titles work? "director of research" could be only a step up from the "pimply faced" dork. or a step down.

Re:This just in: THE SKY DIDN'T FALL

[MoneyT]

Again, it was an anonymous paraphrase. The actual quote could very well have been "I dont' know of any plans." and he interpreted that to mean they don't have any plans.

And Apple doesn't do this on a regular basis, they have always supported one system version behind current. Always.

Re:This just in: THE SKY DIDN'T FALL

OK, since we're all about not relying on hearsay, please produce some evidence that Apple planned on supporting 10.2 all along, even before the public outcry over them dropping support.

Re:Where's Safari 1.1?

[aristotle-dude]

"It's a pretty big slap in the face to find out that the investment is worthless." What's wrong with Mozilla? It's free and cross platform and available for 10.1-10.3. If you are impatient, buy the Panther upgrade, otherwise wait for them to rewrite parts of it to use the Jaguar frameworks.

On a related note

[Tengoo]

I haven't seen this mentioned yet so I'll pass this tidbit along.
SecurityTracker has information on a new sudo vulnerability. Only laptops are affected.

Re:On a related note

This is a pretty serious issue, but there are a couple of more practical workarounds than the ones mentioned in the link, until the problem is fixed (if this security update doesn't fix it)

Users running Panther can also set the "Require password to wake this computer from sleep or screen saver" option in the Security preference pane.

Jaguar users can grab the program sleepwatcher and make it issue the 'sudo -k' command on sleep.

Remember though, if someone can get unsupervised access to your laptop, they can usually just walk off with it anyway. So if anyone does get caught out by this bug, it's a sign that they're probably too lax with physical security.

Re:On a related note

[Enrico+Pulatzo]

Wow. Maybe they'll finally get around to fixing the clock update routine. It's been bugging me since 10.0.

via terminal

[djupedal]

[Zen:~] bmt% softwareupdate -l
Software Update Tool
Copyright 2002-2003 Apple Computer, Inc.

Software Update found the following new or updated software:
! SecurityUpd2003-11-19-1.0
Security Update 2003-11-19, 1.0, 1360K [required] [restart]
[Zen:~] bmt%

Re:via terminal

But "softwareupdate -d" still crashes.

Re:via terminal

[djupedal]

Not for most, apparently. Try running PantherCacheCleaner...see http://www.versiontracker.com

Mmmmm command line...

[ellem]

~/ $ sudo softwareupdate -i -r

Re:Where's Safari 1.1?

Boo fucking woo. Shut the fuck up.

10.3 broke the network gui - fixed soon?

[gobbo]

Panther breaks the networking GUI that was pretty good in Jaguar. Now, servers you've connected to through browsing in the Finder don't show up on the desktop, and if they're an SMB share, can't be ejected without throwing your powerbook through a window, er, restarting. To get an icon on your desktop that represents a mounted server, you have to know and type in its IP address and protocol, or its precise network name --browsing doesn't work.

The Apple Discussion boards are buzzing with this one. The GUI implementation is horribly confusing to newbies especially, but bad enough for those of us who know what smb:// or afp:// or DHCP actually is. They must be getting a ton of feedback from us aggravated types.

Until this is fixed, no-one I know here at the university will be advised to upgrade to 10.3, despite the many juicy new features and optimization.

Re:10.3 broke the network gui - fixed soon?

[OmniVector]

what the hell are you talking about?
i went to the finder, hit cmd-K, typed in smb://myserver/share, and it instantly mounted on my desktop. i clicked the eject button in the finder's new sidebar and it unmounted just fine.

Re:10.3 broke the network gui - fixed soon?

[Golias]

Whatever. I turned off desktop icons for my local drives. The new Finder window is good enough that putting drives on your desktop is pointless clutter for anybody other than OS9 zealots who just can't bring themselves to let go of their Old School ways.

(FYI: What gests displayed on the desktop can be controlled via the Preferences in the Finder menu.)

Re:10.3 broke the network gui - fixed soon?

[Shenkerian]

I actually felt the same way until Panther.

Now with Expose, it's nice to have instant click'n'drag access to any drive with F11.

Re:10.3 broke the network gui - fixed soon?

[gobbo]

"i went to the finder, hit cmd-K, typed in smb://myserver/share, and it instantly mounted on my desktop. i clicked the eject button in the finder's new sidebar and it unmounted just fine."

RTFP. That's exactly what I'm talking about. You have to type in the smb address, presuming you know it (OK for me, not my newbie interns or tweedy colleagues). Then you'll get the icon showing a mounted share, and an eject button. But that isn't browsing, is it? It's a command line approach with a simple entry form, why not just use Terminal.app?

Now try that using the Finder's GUI sidepanel... click on the Network icon, drill down to an SMB share that you want, connect, then... just try it, you'll see. Try to disconnect that smb share, if it works, you're one of the lucky ones.

Re:10.3 broke the network gui - fixed soon?

[gobbo]

Even if mounted servers don't show on the desktop (one of my user configs obsoletes the desktop anyway, so I personally can understand where you're coming from), they still don't show in the Finder window sidepanel that lists drives and favorites etc. if you've connected using the Network icon. That means no feedback about mounted shares, and no eject button, and even worse behaviour like Finder locking up when you unplug.

I'd say having to ask someone or look up, then type in ip addresses and protocols is more Old School than (cmd-K, let's see, oh there it is, arrow-right arrow-down-down-down, return key), don't you think? I have more important things to think about than
smb://obscure-27.someadmincruft.weird-9.domain.con
and the like.

Axiom:
Discovery is better done in the interface than in meatspace.

Now go and describe how to use this setup to someone who reads Habermas and McLuhan all day and night, and just wants to get to their damn files, or who thinks that Windows was always called XP and Britney is cool.
[/rant]

Re:10.3 broke the network gui - fixed soon?

[seann]

I see, yes.

I dragged /private/var/automount/Network to my dock next to the trash to view activly mounted dirs.

And yeah, I wrote an applescript to umount those shares on a drop.

Kewl.

Re:10.3 broke the network gui - fixed soon?

[thunderbird46]

I"ve found one way to take care of it, at least with a Linux-running Samba server on the other end -- kill the server's smbd process corresponding to that connection. I tried that and then clicked on an item in my SMB-mounted shared folder and the mac was suddenly like "hey there's nothing here anymore." Of course you pretty much have to be root on the other box, so this is only useful for sysadmins and those of us who have personal LANs. I'd have never noticed this flaw if it weren't for these posts here -- I use AFP and NFS pretty much exclusively, only keeping Samba around on the fileserver for when I have a windows machine going (not often.)

Re:10.3 broke the network gui - fixed soon?

[Aliencow]

I haven't been able to mount an NFS export on panther yet, first it didn't work, then it completely crashed and burned.. Anyone's tried that on Panther?

Re:10.3 broke the network gui - fixed soon?

[thunderbird46]

That means no feedback about mounted shares, and no eject button, and even worse behaviour like Finder locking up when you unplug.

If there's any behaviour of OS X's that I hate, it's that. Finder attempts to reconnect WAY too long IMO. Now that I make myself disconnect all shares before I shut my iBook's lid I get along with it but I tend to think that on a laptop the OS ought to be able to handle losing a connection to a server a lot more gracefully.

Re:10.3 broke the network gui - fixed soon?

[gobbo]

" wrote an applescript to umount those shares on a drop"

Care to share? :-)

Re:Where's Safari 1.1?

[Toraz+Chryx]

How exactly is he supposed to test the way websites render _in Safari_ using Mozilla?

Re:Where's Safari 1.1?

What's wrong with Mozilla?

As I said, I bought it to test in. Not everyone in the world uses Mozilla. I bought it specifically to test in the most popular browsers for that platform - Mac IE (which has a completely different rendering engine to Win IE) and Safari (which is different enough to Konqueror to warrant testing in).

If you are impatient, buy the Panther upgrade

It's not a case of patience, it's a case of being left stranded with a laptop that will be useless for testing in unless I give Apple even more money. I could understand it if this was a five-year-old laptop, but I bought it a couple of months ago.

otherwise wait for them to rewrite parts of it to use the Jaguar frameworks.

I think that it's unlikely they will backport it when they could have used the Jaguar libs to begin with and chose not to.

Low interest in this item?

[AtariAmarok]

Sheesh. There sure is a low amount if interest in this news item. It must have to do with the security reputation of the Apple OS.

Why bother to put up another new electric fence around Fort Knox :)

Siegfried and Roy?

[AtariAmarok]

Now they put out "Security Updates for Panther and Jaguar". It's just a little late to save Roy from that pain in the neck, but it's a step in the right direction! Make those big cats safer.

Re:Siegfried and Roy?

[Enrico+Pulatzo]

I'm impressed that a post managed to refer to both Siegfried, Roy, and Apple without being an "Apple is teh ghey" troll.

Good work!

OpenSSL?

[dema]

I ran the update today, and it appears (naive?) that my OpenSSL was not updated. While the date seems accurate, the version is not the suggested update. I know I read somewhere yesterday (I can't find the link again today) that the fix was to update to 0.9.6j, although this is the output on my "updated" g4 with jag:

[akira:~] dema% openssl version
OpenSSL 0.9.6i Feb 19 2003

Any ideas what's up with that?

Re:OpenSSL?

If there are other improvements in 0.9.6j besides the security update, Apple may have decided not to include them--so they may have just patched 0.9.6i without incrementing the version number.

At least, that's what's happened before.

Re:OpenSSL?

[LochNess]

Well, I ran the update today too, and here's the output on my powerbook:

[powerbookg4:~] user% openssl version
OpenSSL 0.9.7b 10 Apr 2003
[powerbookg4:~] user%

(This is on Panther)

Re:OpenSSL?

[Frequency+Domain]

All three of the machines which I updated today report identical results, a newer version than yours:

shiva:~ freq$ openssl version
OpenSSL 0.9.7b 10 Apr 2003

Is it possible you installed your own copy, say in /usr/local/bin, and then forgot about it? Try running "which openssl", and see if it reports something other than /usr/bin/openssl. Alternatively, explicitly run the system's openssl: "/usr/bin/openssl version".

Re:OpenSSL?

[dema]

Only one is in /usr/bin. But I believe the updates are different for Panther and Jag anyway. As a friend of mine updated a Panther machine to that same version you have, but his Jaguar machine also returned the version I got. So maybe (as suggested by an AC in this thread) Apple just patched the current version in jag's case. I suppose I should be looking at technical docs at Apple for the answer to that. Thanks for the tip though. (:

Re:Where's Safari 1.1?

[ZackSchil]

If you bought a laptop for $800, you didn't pay Apple for it, you bought it off someone else used. Also, if it's JUST for testing, why not pick up a used iMac G3? It'll run panther just as well as anything for what you needs and only set you back $300-$400, less than half what you paid.

sudo vulnerability? Give me a break!

[csoto]

This is such a non-issue. First, it requires an authenticated sudo event (e.g. someone typed in their sudoers allowed password), the laptop to be put to sleep, then someone to run another sudo command immediately after the system wakes up. This is NOT a critical vulnerability by any standard.

Safari Updated (at least on 10.3)

[blb]

Note this update also brings Safari up to 1.1.1 (100.1); not sure what changed (still no mention of changes to Safari at the kbase page).

Re:Where's Safari 1.1?

[aristotle-dude]

I think that it's unlikely they will backport it when they could have used the Jaguar libs to begin with and chose not to.

They backported iChat AV and iCal to name two. They did not use Jaguar libs because of the performance increase the Panther libs would provide on Panther.

Issue not fixed!!

This still doesn't fix the disappearing unattended laptop issue. I've lost 4 notebooks this way!

HAHA

[ViperG]

I was walking into staples and was talking to one of my friends who works there. He noticed some guy walking in with a printer, then he said to me "shit that is the 4th time he has come back with a printer".. then he said, he has the new mac os, none of them would intall on his panther os.

Re:HAHA

Good excuse for testing printers at home... Why

1) It's likely Staples guys doesn't know anything about Apples.

2) Most non-mac users assume mac hardware will only play with mac hardware.

safari cookie exploit fix not in ?!!

insecure.ws: Safari cookies theft+exploit is not fixed!!

the news about the exploit is like one or two days old, and it's not even on slashdot ?? what a shame ! ;p

btw: the exploit allows about anyone to steal your cookies, including data about you, passwords, eg online bank accounts etc (or amazon/etc or such) it's quite dangerous there's also a demo here: demo /exploit

Re:Where's Safari 1.1?

whaat's wrong with safari? THAT

Fink?

[grocer]

I did the same thing on my iBook and get the same output:

[Adam-Laptop:/usr/bin] user% openssl version
OpenSSL 0.9.7a Feb 19 2003
[Adam-Laptop:/usr/bin] user%

Now, the weird thing is there is openssl command in /usr/bin/ but when I run "which openssl" I get "/sw/bin/openssl" and running "/usr/bin/openssl version" returns "Command not found."

Now I have to ask why is this?

Re:Fink?

[dema]

Well, if you look closely ours actually aren't the same. Your iBook has 0.9.7a, while my mirrordoor has 0.9.6i. My guess is that fink has installed the very newest version of it on your iBook, so the Apple update saw it was already updated, and did nothing. I would check and see if /usr/bin/openssl is a symlink to /sw/bin/openssl. The command would be "ls -l /usr/bin | grep openssl" (if you didn't know).

Re:Fink?

My guess is that fink has installed the very newest version of it on your iBook, so the Apple update saw it was already updated

Scracth that, if you're running Panther on the iBook that's the output that everyone else gets. But my guess regarding fink would be a symlink.

Re:Fink?

[grocer]

okay, I was totally braindead...I have A) Jaguar and B) everybody else's Panther output...

It doesn't look like a symbolic link to me...but I can't find the version of the /usr/bin copy...

[Adam-Laptop:~] usr% ls -l /usr/bin | grep openssl
-rwxr-xr-x 1 root wheel 935292 Sep 14 20:21 openssl
[Adam-Laptop:~] user% ls -l /sw/bin | grep openssl
-rwxr-xr-x 1 root admin 1314372 Oct 31 23:44 openssl
[Adam-Laptop:~] user%

Re:Where's Safari 1.1?

If you bought a laptop for $800, you didn't pay Apple for it, you bought it off someone else used.

Nope, I bought it new, direct from the Apple website, for 800GBP. The pound sign disappeared when I posted the comment, Slash probably screws up the character encoding or something.

Also, if it's JUST for testing, why not pick up a used iMac G3?

It's simply a matter of space. There's only so much room in my office.

Pen Drive

[tbuhler]

Does anyone know if this will help with a Pen Drive problem. Everytime I put my in my new Emac it takes 3 trys to get it to work then it wont even let me put anything in it. The finder just freezes. Pen drive worked on an IMac with 10.2.8