Friday Security Fun

← Back to Stories (view on slashdot.org)

Posted by pudge on Friday December 5, 2003 @08:54AM from the updating-as-soon-as-i-post-this-story-and-quit-my-browser dept.

rgraham writes "Apple has release a new security update for the Safari cookie bug. 'Security Update 2003-12-05 updates Safari to prevent unauthorized access to a user's cookies.' They also updated the article on how to 'Configure Directory Access to Protect Your Mac From a Malicious DHCP Server.'" We posted that the other day, but this time, pictures!

52 comments

Min score:

Reason:

Sort:

I hope Fr. O'Day by Anonymous Coward · 2003-12-05 08:56 · Score: -1, Offtopic

has been careful online, lest he end up being promoted to bishop.
~~~
1. Re:I hope Fr. O'Day by Anonymous Coward · 2003-12-07 10:44 · Score: -1, Flamebait
  
  Come on, now. There's a REASON for questioning the sexuality of Macintosh users. The general population, contrary to the rantings of professional gay marrriage advocates, are about 0.5% to 1% homosexual. Bisexuals don't count, they're just orgasm-no-matter-how-I-get-it fiends; transgender isn't an orientation at all, it's just a slip of the scalpel. And lesbians aren't really homosexual, they just like making hetero men horny as hell.
  
  ON THE OTHER HAND... fully 75% of the Macintosh-using population are provably doing the butt-hole surfing.
  
  So, Steve "I only stole BSD twice" Job is selling a product that CAUSES homosexuality!
  
  Now I hope this puts the matter to rest.
FIRST FUCKING POST by Anonymous Coward · 2003-12-05 08:56 · Score: -1, Offtopic

or maybe not
Cookies by Anonymous Coward · 2003-12-05 08:58 · Score: 5, Funny

Never hand out cookies when on a Safari!
That's it! by Anonymous Coward · 2003-12-05 09:03 · Score: 3, Funny

I'm switching to Fig Newtons.
1. Re:That's it! by daeley · 2003-12-05 09:47 · Score: 2, Funny
  
  I'm switching to Fig Newtons.
  
  Don't bother. The handwriting recognition sucks. ;)
  
  --
  I watched C-beams glitter in the dark near the Tannhauser gate.
Or another fix by Doc+Squidly · 2003-12-05 09:04 · Score: 1, Interesting

Just don't allow cookies. (Yes, it seems too simple)

--
I think I think, therefore I think I am.
1. Re:Or another fix by the+web · 2003-12-05 09:28 · Score: 1
  
  "Just don't allow cookies. (Yes, it seems too simple)"
  
  I'll agree.
  
  CIRCLE GETS THE SQUARE!!
  
  --
  __
  Thou hast besquirted me, O leotarded one.
2. Re:Or another fix by Anonymous Coward · 2003-12-05 09:50 · Score: 3, Funny
  
  Dude, you're logged into slashdot, which means you're allowing cookies.
3. Re:Or another fix by SillyWilly · 2003-12-05 09:59 · Score: 5, Informative
  
  It has been suggested that even disabling Cookies won't help: http://www.securityfocus.com/archive/1/344992 As I understand it, this is because in Safari disabling cookies merely prevents creation of new cookies and not access to old ones. Therefore you should delete all cookies first.
  
  --
  Online & Feelin' Fine
4. Re:Or another fix by prockcore · 2003-12-05 11:31 · Score: 4, Insightful
  
  Just don't allow cookies. (Yes, it seems too simple)
  
  If by "fix" you mean "break a lot of functionality on sites" then yes, that certainly is an option.
5. Re:Or another fix by Graff · 2003-12-05 14:07 · Score: 4, Informative
  
  Just don't allow cookies.
  If by "fix" you mean "break a lot of functionality on sites" then yes, that certainly is an option.
  
  That's why I love OmniWeb. It allows you to accept cookies, but throw them out when you quit the browser. Sure I lose such nifty "features" as not having to log into some websites but I also cut ads and whatnot of the ability to track me across sites for long periods.
  
  Honestly, there need to be much better built-in controls on all browsers for limiting a server's access to data on your computer.
  
  --
  Sapere aude!
6. Re:Or another fix by valkraider · 2003-12-05 16:33 · Score: 4, Informative
  
  You can do this with Safari as well.
7. Re:Or another fix by mgahs · 2003-12-05 19:44 · Score: 2, Funny
  
  So you should...toss your cookies? Oh, stop. It was funny. (in my head, at least.)
8. Re:Or another fix by Anonymous Coward · 2003-12-06 06:22 · Score: 0
  
  He could just log on every time he adds a comment.
9. Re:Or another fix by Anonymous Coward · 2003-12-06 08:49 · Score: 0
  
  How did this get a +1, insightful?
Eerily reminiscent of my Windows days... by cbiagini · 2003-12-05 09:35 · Score: 5, Funny

Along with this update, Steve Jobs announced today that OS 10.3.2 will include a small globe icon that will appear next to your system clock, helpfully reminding you that you have an update to install. While Jobs did acknowledge the fact that this feature has been in another operating system for years, he did point out that Apple's implementation will harness the power of Quartz Extreme to render fully three-dimensional, alpha-blended "Security Gnomes" that run around and patch your system twice a week. I'll still never Switch back though ;)
1. Re:Eerily reminiscent of my Windows days... by Lars+T. · 2003-12-05 09:47 · Score: 1
  
  On Windows this feature is called the Start Menu.
  
  --
  Lars T.
  To the guy who modded me down from perfect to terrible Karma - Apple haters still suck
2. Re:Eerily reminiscent of my Windows days... by Anonymous Coward · 2003-12-05 10:09 · Score: 0
  
  > will harness the power of Quartz Extreme
  
  exactly, i get all confused about what happens to my windows and where they go unless i see them shrink down like a CPU-crunching genie to the dockbar. BUT SERIOUSLY, i want a way to completely disable animations that are not exactly "essential". it irritates me. for someone that prefers blackbox and enlightenment on the desktop, and uses a powerbook on the road. well. it gets on my nerves.
3. Re:Eerily reminiscent of my Windows days... by billbaird · 2003-12-05 10:55 · Score: 1
  
  Actually no. The update notification/reminder appears in the system tray on the bottom right of the screen(by default) in Windows XP, 2000, and ME. The start menu would be a totally different monster.
4. Re:Eerily reminiscent of my Windows days... by Tengoo · 2003-12-05 11:02 · Score: 1
  
  Install Enlightenment or Blackbox, what is stopping you? I know Enlightenment runs fine under X11 (or used to, it's been a while), and there's always Linux.
5. Re:Eerily reminiscent of my Windows days... by transient · 2003-12-05 11:07 · Score: 2, Interesting
  
  CPU-crunching
  BZZZT. Try again. Unless that Powerbook of yours is dreadfully old, the UI is rendered by your graphics card.
  
  --
  
  irb(main):001:0>
6. Re:Eerily reminiscent of my Windows days... by tim1724 · 2003-12-05 11:17 · Score: 3, Interesting
  
  The compositing is done by the video card (remember, Quartz Extreme only accelerates compositing!), but much of the drawing is done by the CPU. The Dock's genie effect, in particular, is drawn by software.
  
  Even on my G5 the CPU does quite a bit of work to draw that effect. Not enough to slow anything down, but enough to be visible in the Activity Monitor.
  
  The scale effect ought to be done all in the video card, although I'm not sure how it was implemented. In any case, it doesn't use much CPU at all, so if CPU usage is a concern, tell the Dock to use the scale effect instead of the genie effect.
  
  --
  -- Tim Buchheim
7. Re:Eerily reminiscent of my Windows days... by Graff · 2003-12-05 14:18 · Score: 4, Informative
  
  The compositing is done by the video card (remember, Quartz Extreme only accelerates compositing!), but much of the drawing is done by the CPU. The Dock's genie effect, in particular, is drawn by software.
  
  Both of the Dock minimization effects are handled by the GPU. The window is drawn as normal by the application that owns it and is passed off to Quartz Extreme, which then hands it off to the GPU with the appropriate rendering commands. With the scale effect that is a simple scale command, with the genie effect there is stretching and scaling. All of this is done through Open GL commands.
  
  --
  Sapere aude!
8. Re:Eerily reminiscent of my Windows days... by tim1724 · 2003-12-05 14:35 · Score: 2, Interesting
  
  Upon further experimentation, it looks like you're right. The CPU slowdown I was seeing appears to be from the Dock resizing icons (to make room for the new minimized window) rather than from the genie effect ... I only see CPU usage jump when the Dock needs to scale icons to make everything fit. (Unfortunately, the Dock appears to scale and draw its icons itself, rather than keeping the 128x128 icon in a buffer and allowing the GPU to scale it.)
  
  --
  -- Tim Buchheim
9. Re:Eerily reminiscent of my Windows days... by Golias · 2003-12-08 03:33 · Score: 1
  
  Refreshing to see somebody admit when they were incorrect once in a while.
  By the way, even if the Genie effect doesn't hog CPU cycles, if you find to "too girly" or whatever, you can get rid of it via the Preferences.
  
  --
  Information wants to be anthropomorphized.
Needs a reboot... by Fulkkari · 2003-12-05 10:05 · Score: 3, Interesting

The update needs you to reboot the computer. *sigh* Why is that? This is a web browser we're talking about. Shouldn't it be enough quitting Safari + all applications that uses it's content rendering engine? As far as I know, Safari isn't integrated to the OS in any way like IE to Windows, so it shouldn't be neccesary to reboot the *whole* OS. On the other hand they effectively stop applications to interfere while updating and cause problems that way. Maybe it's some precautionary measure, but I don't think this should be neccesary...

BTW software updater was already automaticly fetching the update in the background while I read this. It's really nice when you don't have to wait while downloading them. I don't understand what's the big fuss of letting the OS fetch updates in the background, as long as it doesn't install them. I'm not sure but I think software update does only download the important updates...

--
I demand the Cone of Silence!
1. Re:Needs a reboot... by Rosyna · 2003-12-05 10:13 · Score: 5, Informative
  
  A lot of apps use WebKit (Help, Sherlock, Safari, Mail) so it's easier to tell users to restart than to tell them to log out or to quit all those applications. A person that knows what they are doing will just force quit the installer.
2. Re:Needs a reboot... by Durin_Deathless · 2003-12-05 11:01 · Score: 1
  
  As a side note, in Jaguar the update gives Safari v 1.0.1 not 1.1.1 as given in Panther.....annoys me a good bit.
  
  --
  You should use AdiumX on your Mac.
3. Re:Needs a reboot... by justMichael · 2003-12-05 11:01 · Score: 4, Informative
  
  A person that knows what they are doing will just force quit the installer.
  
  Or run the update from the CLI.
4. Re:Needs a reboot... by billbaird · 2003-12-05 11:04 · Score: 1
  
  I'm not sure but I think software update does only download the important updates...
  
  It appears as though you can not choose what software update downloads automatically. Once things are downloaded you can make them inactive(remove them from the list of available updates). You can read more here(apple.com)...
5. Re:Needs a reboot... by tim1724 · 2003-12-05 11:13 · Score: 3, Informative
  
  Safari 1.1 (and 1.1.1) uses some new features of Panther which aren't in Jaguar. Hence it is not compatible with Jaguar, and wouldn't work.
  
  --
  -- Tim Buchheim
6. Re:Needs a reboot... by Anonymous Coward · 2003-12-05 11:24 · Score: 0
  
  The problem is softwareupdate does not work from the command line.
  
  killerbean:~ root# softwareupdate -d SecurityUpd2003-12-05-1.0
  Software Update Tool
  Copyright 2002-2003 Apple Computer, Inc.
  
  Security Update 2003-12-05: 0...10...20...30...40...50Bus error
  
  You must download the update using the GUI and then from the command line
  install -verbose -target / -pkg /Library/Packages/SecurityUpd2003-12-05-1.0.pkg
7. Re:Needs a reboot... by Hes+Nikke · 2003-12-05 12:23 · Score: 4, Informative
  
  The update needs you to reboot the computer. *sigh* Why is that? This is a web browser we're talking about.
  
  oddly, this update isn't an update to Safari, instead, it's an update to the CoreFoundation framework!
  
  as the name implies, CoreFoundation is the core of all your aqua apps, or at the very least, all your cocoa apps. one of the things this framework can do is let any app that uses the framework to get data from a URL, so it would make sense that the cookie handling would be there too. yeah, in this case i'd say a reboot is absolutely called for.
  
  --
  Don't call me back. Give me a call back. Bye. So yeah. But bye our, well, but alright we are on a shirt this chill.
8. Re:Needs a reboot... by bat,+blind+as+a · 2003-12-05 14:14 · Score: 4, Informative
  
  $ sudo softwareupdate -i -a
  Password:
  Software Update Tool
  Copyright 2002-2003 Apple Computer, Inc.
  
  Security Update 2003-12-05: 0...10...20...30...40...50...60...70...80...90...1 00
  Optimizing system performance. This may take a while...
  Done.
  
  You have installed one or more updates that requires that you restart your
  computer. Please restart immediately.
9. Re:Needs a reboot... by Graff · 2003-12-05 14:23 · Score: 3, Informative
  
  BTW software updater was already automaticly fetching the update in the background while I read this. It's really nice when you don't have to wait while downloading them. I don't understand what's the big fuss of letting the OS fetch updates in the background, as long as it doesn't install them. I'm not sure but I think software update does only download the important updates...
  
  Yep, only critical updates are automatically downloaded and even that is optional. In fact the whole process is optional. You can tell the operating system to never check for updates on its own and you can choose to ignore updates.
  
  Software Update is pretty flexible and non-obtrusive. The only thing that I wish is that it had an option to allow me to register and de-register other programs for it to check. That way if the author of a program allowed it I could have Software Update automatically check for updates from him in addition to those from Apple.
  
  --
  Sapere aude!
10. Re:Needs a reboot... by Graff · 2003-12-05 14:25 · Score: 2, Insightful
  
  killerbean:~ root# softwareupdate -d SecurityUpd2003-12-05-1.0
  
  Man, do yourself a favor and don't use the root account if you can at all help it. Use sudo instead, it's much safer.
  
  --
  Sapere aude!
11. Re:Needs a reboot... by Anonymous Coward · 2003-12-05 18:40 · Score: 4, Informative
  
  The only thing that I wish is that it had an option to allow me to register and de-register other programs for it to check. That way if the author of a program allowed it I could have Software Update automatically check for updates from him in addition to those from Apple.
  According to ThinkSecret, Apple will provide this capability in a future version of Software Update. It will be limited to select developers, but surely the API will be reenigned in no time.
12. Re:Needs a reboot... by Alex+Thorpe · 2003-12-06 05:25 · Score: 1
  
  Thanks for the info, I was wondering about that. I went ahead with the reboot, since I'd rebooted the day before and had no uptime to preserve. I'd discovered the hard way that Escape Velocity: Nova needs a Panther update..
  
  --
  "Common Sense Ain't" -Unknown
13. Re:Needs a reboot... by Aqua+OS+X · 2003-12-06 16:29 · Score: 2, Informative
  
  To the user Safari doesn't appear to be integrated into the OS (like MSIE); however, its does access a lot global system resources that other applications frequently use.
  
  Webkit is a fairly major one. Mail, Help, OmniWeb, etc all access this.
  
  --
  "Things are more moderner than before- bigger, and yet smaller- it's computers-- San Dimas High School football RULES!"
14. Re:Needs a reboot... by Anonymous Coward · 2003-12-07 12:00 · Score: 1, Funny
  
  Just reboot. With the uptime I get from OS X Panther these days, it's probably not a bad idea to reboot every now and then. Everyone needs a good nose blow occasionally; picking alone just won't do it.
15. Re:Needs a reboot... by MachineShedFred · 2003-12-08 06:53 · Score: 1
  
  Especially when Apple disables the root user by default. This guy had to go in and turn it on!
  
  --
  Slashdot still doesnâ(TM)t support Unicode after it was added to the HTML standard in 1997.
16. Re:Needs a reboot... by Anonymous Coward · 2003-12-08 08:22 · Score: 0
  
  it's called VersionTracker
Some links by blb · 2003-12-05 12:51 · Score: 5, Informative

The knowledgebase article for 10.2.8 and for 10.3.1.
Dear Apple by Anonymous Coward · 2003-12-05 15:31 · Score: -1, Flamebait

Dear Apple,
I am a homosexual. I bought an Apple computer because of its well earned reputation for being "the" gay computer. Since I have become an Apple owner, I have been exposed to a whole new world of gay friends. It is really a pleasure to meet and compute with other homos such as myself. I plan on using my new Apple computer as a way to entice and recruit young schoolboys into the homosexual lifestyle; it would be so helpful if you could produce more software which would appeal to young boys. Thanks in advance.
with much gayness,
Father Randy "Pudge" O'Day, S.J.
Dear Father "Pudge" O'Day by Anonymous Coward · 2003-12-05 15:33 · Score: -1, Troll

Dear Father O'Day,
Thanks for your letter. Being Catholic myself, I know exactly what you're talking about! It has always been our plan here at Apple Computer Inc to revolutionize personal computing with our high-quality and highly gay products.
I'm happy to answer your letter by letting you know that YES we will be releasing an entire hLife ("homo-life") software line. You'll be able to recognize it in stores by the small stylized logo depicting a large cock entering a tight anus with an Apple logo on it. ("Suddenly it all comes together" indeed!).
Anyway, I hope you and other members of our community will join us on our mission, and purchase the exciting new hLife boxed set. Only the boxed set comes with translucent cock rings!
Sincerely,
Harry Rodman
Vice-president
Homosexual Liaison Services
Apple Computer, Inc.
'Only from sites you navigate to' by rixstep · 2003-12-05 19:55 · Score: 5, Interesting

'For example, not from advertisers on those sites'

So reads the third cookie option in Safari, but it's not true. You'll find '.doubleclick.net' in there all the time, and I doubt any of you are wandering over to DoubleClick to check out the action.

And any domain for a cookie beginning with a '.' means 'any URL in that domain' - and that is NOT just 'from sites you navigate to'.
1. Re:'Only from sites you navigate to' by Anonymous Coward · 2003-12-09 19:49 · Score: 0
  
  You might be without knowing it. Some sites will pass you through advertisers by using multiple redirects, and if you're not watching you can easily miss it (especially if you have a fast connection).
Replace Cookies.plist with a folder by Anonymous Coward · 2003-12-05 20:32 · Score: 5, Interesting

...and the cookies only last for the current session.
Site by Site by chigaze · 2003-12-06 00:59 · Score: 3, Informative

OmniWeb allows this in a site by site basis rather than across the board. So I can tell it to treat Slashdot cookies normally but trash Amazon ones after every session.

It's the one thing that could drag me back to OW but I also like my Safari tabs.
Re: STOP THIS! by bursch-X · 2003-12-07 15:54 · Score: 0, Troll

Please stop being so damn reasonable and honest, after all this is Slashdot.

--
There are two rules for success:
1. Never tell everything you know.
It seems to me that Safari is as buggy as IE by Valleyman · 2003-12-13 10:55 · Score: 0

Just count the sheer number of stories Slashdot has on "Safari cookie bugs", and on the log-in page of Thinkgeek.com it specifically says that Safari users might have problems with their cookies. When I get my Mac 'net connected I'm gonna stick with Opera.

--
WINDOWS!? We don't need no steenkin' Windows!