Slashdot Mirror
Friday Security Fun
rgraham writes "Apple has release a new security update for the Safari cookie bug. 'Security Update 2003-12-05 updates Safari to prevent unauthorized access to a user's cookies.' They also updated the article on how to 'Configure Directory Access to Protect Your Mac From a Malicious DHCP Server.'" We posted that the other day, but this time, pictures!
Never hand out cookies when on a Safari!
Along with this update, Steve Jobs announced today that OS 10.3.2 will include a small globe icon that will appear next to your system clock, helpfully reminding you that you have an update to install. While Jobs did acknowledge the fact that this feature has been in another operating system for years, he did point out that Apple's implementation will harness the power of Quartz Extreme to render fully three-dimensional, alpha-blended "Security Gnomes" that run around and patch your system twice a week. I'll still never Switch back though ;)
It has been suggested that even disabling Cookies won't help: http://www.securityfocus.com/archive/1/344992 As I understand it, this is because in Safari disabling cookies merely prevents creation of new cookies and not access to old ones. Therefore you should delete all cookies first.
Online & Feelin' Fine
A lot of apps use WebKit (Help, Sherlock, Safari, Mail) so it's easier to tell users to restart than to tell them to log out or to quit all those applications. A person that knows what they are doing will just force quit the installer.
The knowledgebase article for 10.2.8 and for 10.3.1.
'For example, not from advertisers on those sites'
So reads the third cookie option in Safari, but it's not true. You'll find '.doubleclick.net' in there all the time, and I doubt any of you are wandering over to DoubleClick to check out the action.
And any domain for a cookie beginning with a '.' means 'any URL in that domain' - and that is NOT just 'from sites you navigate to'.
...and the cookies only last for the current session.