Slashdot Mirror


... And the Hits Just Keep On Coming

Vokbain writes "Security Update 2003-12-19 is now available. This update includes the following components: AFP Server, ASN.1 Decoding for PKI, cd9660.util, Directory Services, fetchmail, fs_usage, rsync, and System Initialization. Get it now in Software Update." This security update appears to be for 10.3.2, and, as stekylsha writes, "contains among other things -- wait for it -- the fix for the cd9660.util buffer overflow. What was the turn around on that? Three days?" EverLurking writes "Yet another update from Apple, this time they've updated Java to 1.41.1_01. You can find it in Software Update, a restart is required." I see no Java update of this sort, but I do see an update to the MPEG-2 component, as well as the 10.3.2 update for Mac OS X Server. (As usual, the technotes on Apple's site don't appear to be updated yet.)


  1. Security Update not just for 10.3 by TheRedHorse · · Score: 5, Informative

    I'm running 10.2.8 and still got the security update via Software Update.

    1. Re:Security Update not just for 10.3 by dbirchall · · Score: 3, Informative
      There are separate updates for 10.2.8 and 10.3.2. The 10.3.x update requires 10.3.2 and will not appear in Software Update unless/until 10.3.2 is installed.

      I and a few other Dual G5 users are having problems with 10.3.2 and/or some other very recent updates (say, QuickTime 6.5 or XCode 1.1), and are thus unable to apply this particular security update. Grumble.

    2. Re:Security Update not just for 10.3 by GlobalEcho · · Score: 2, Informative

      Dan et al.

      I posted about this on the Apple forums, but it's worth repeating here, perhaps in a little more detail. I'm running a Dual G4/800, so it looks to be a DP problem.

      If you examine the stack traces that the crash catcher asks to send back to Apple you will see that all the non-working iApps (iTunes, iPhoto, Safari, Mozilla, etc.) crash at initQuickTimeFoo()+44. Sorry I don't recall the exact function.

      That is consistent with the "fix" that I found...namely to grab /System/Library/Frameworks/QuickTime.framework off a machine that had not yet upgraded from QT6.4, and replace the one on the Dual G4 with it. Interestingly, even iTunes 4.2 appears to still be working fine with the older QT. I'm sure there's a crash lurking somewhere though.

      Obviously if one has already done an Archive and Reinstall, this problem should be avoidable just by never upgrading QT to 6.5 until Apple fixes this.

      For good measure I also replaced some other QT components, like the plugins, but I'm not certain that they mattered. They were

      /Library/Internet Plug-Ins

      /System/Library/QuickTime*

      /Library/QuickTime

      - Brian K Boonstra

  2. Three days turn around on the Buffer Overflow.. by byolinux · · Score: 4, Informative

    .. this puts Apple much closer to the Free Software Movement in terms of patching, than Microsoft.

    It's pretty impressive..

    Tip for any fellow 10.3 users out there...

    In System Preferences > Software Update > Turn on 'Download Important Updates in the Background' - particularly handy if you leave your machine turned on at night.

  3. Installed and all is good by jlower · · Score: 4, Informative

    In case anyone is waiting for user reports of installations that didn't crater their machine, here's one. G4/400 AGP installed & up and running again without any hiccups.

    1. Re:Installed and all is good by phatsharpie · · Score: 2, Informative

      All is fine here too!

      TiBook 667MHz (DVI) with 768MB RAM. Updated from 10.3.2 and all is well so far.

      -B

  4. 10.2.8 by Johnny+Mnemonic · · Score: 5, Informative


    The security update is also available for 10.2.8. I downloaded it and installed it last night. It is apparently different than the one for 10.3.x, though, as the size is about a meg less.

    The description says that it updates: "AFP Server, cd9660.util, Directory Services, fetchmail, fs_usage, rsync, System Initialization". I wonder what this does to directory services? Presumably it addresses the security issue raised earlier, but since the issue exploits a configuration that is necessary for NetInstall, I don't think that Apple could just "turn it off." I explicitly checked, but didn't see anything different about Directory Access after the update.

    Anyways, it's great that Apple is updating 10.2.x machines still--apparently, they are listening and responding to criticism that they can't end support immediately after a new OS is released--part of their enterprise aims?

    --
    $tar -xvf .sig.tar
  5. More Info from Apple: by Johnny+Mnemonic · · Score: 3, Informative


    Apple's security-announce mailing list helps answer this question: "Directory Services: Fixes CAN-2003-1009. The default settings are changed to prevent an inadvertent connection in the event of a malicious DHCP server on the computer's local subnet. Further information is provided in Apple's Knowledge Base article: http://docs.info.apple.com/article.html?artnum=32478 Credit to William A. Carrel for reporting this issue."

    For more on these updates: Jaguar; Panther.

    --
    $tar -xvf .sig.tar
  6. The TechNote... by Anonymous Coward · · Score: 5, Informative

    AppleFileServer: Fixes CAN-2003-1007 to improve the handling of malformed requests.

    cd9660.util: Fixes CAN-2003-1006, a buffer overflow vulnerability in the filesystem utility cd9660.util. Credit to KF of Secure Network Operations for reporting this issue.

    Directory Services: Fixes CAN-2003-1009. The default settings are changed to prevent an inadvertent connection in the event of a malicious DHCP server on the computer's local subnet. Further information is provided in Apple's Knowledge Base article: Credit to William A. Carrel for reporting this issue.

    fetchmail: Fixes CAN-2003-0792. Updates are provided to fetchmail that improve its stability when receiving malformed messages.

    fs_usage: Fixes CAN-2003-1010. The fs_usage tool has been improved to prevent a local privilege escalation vulnerability. This tool is used to collect system performance information and requires admin privileges to run. Credit to Dave G. of @stake for reporting this issue.

    rsync: Fixes CAN-2003-0962 by improving the security of the rsync server.

    System initialization: Fixes CAN-2003-1011. The system initialization process has been improved to restrict root access on a system that uses a USB keyboard.

    Note: The following fixes which appear in "Security Update 2003-12-19 for Panther" are not included in "Security Update 2003-12-19 for Jaguar" since the Jaguar versions of Mac OS X and Mac OS X Server are not vulnerable to these issues:

    CAN-2003-1005: ASN.1 Decoding for PKI
    CAN-2003-1008: Screen Saver text clippings

  7. Re:10.2.8 kernel panic? by awfwal · · Score: 5, Informative

    I started getting kernel panics about this time, but I traced the problem to the also-recently-updated Norton Anti-Virus auto-protect. After I disabled that (using safe boot) I had no more problems.

  8. Re:10.2.8 kernel panic? by HiredMan · · Score: 2, Informative

    Do you have two monitors?

    I'm running dual monitors on 233 (now 500Mhz BG3) with an ATI Rad 7000 in addition to the on-board video. With 10.2.8 I ran into random monitor blacking or corruption varying from 2 hours to 4 days.

    After I heard about others with the same problem I finally rolled back to 10.2.6. *SIGH*

    There's a precedent for this - the same set-up had screen corruption on sleep issues until the ATI updates in 10.1.5 update.

    =TKK

  9. When you say "Java to 1.41.1_01" by ITR81 · · Score: 2, Informative
    I'm guessing you're referring to the new Java 3D and Java Advanced Imaging update.

    Since it's still in public beta form it won't be found in software update but here:

    http://docs.info.apple.com/article.html?artnum=120289#English

    The big rumor for Macworld is almost all of Apple's software will see upgrades and some totally new software apps.

  10. The IE hole by goombah99 · · Score: 5, Informative

    This post is offtopic to Apple but relevant to security and quick turnarounds. The scammers have done a quick turnaround on the announced but not officially patched IE security flaw. The ballyhooed IE URL spoof using %01 has now officially debuted in the wild. I got my first fake Billing statement today with the following URL
    https://www.earthlink.net%01@211.154.171.106/li_pi n/verification/step1_e.htm
    (mind the break inserted by the lameness filter!)
    I'll leave it to compare with Microsoft versus Apple response times, but I will mention the following. In many industries when a safety standard becomes established or ubiquitously improved it becomes the new legal definition of "reasonable and prudent action". I know many ski areas for example don't mark all the hazards because they don't want hazard marking to become an expectation and get their asses sued if they don't do it well. In this case I think Apple is setting standards for bug fixes that leave Microsoft ripe for a suit by someone who gets screwed by one of their slow responses to security issues.

    --
    Some drink at the fountain of knowledge. Others just gargle.
    1. Re:The IE hole by valmont · · Score: 3, Informative

      yeah. i got this phisher e-mail too. 211.154.171.106 appears to be a compromised box, some lame cracker used to set-up their phisher site at /li_pi n/verification/step1_e.htm .

      mm. it looks like eventually the script that gathers all the sensitive info is this one: http://211.154.171.106/li_pin/verification/form2.p hp

      Please submit a spamcop report for that phisher e-mail you just received. Basic reporting account is free, i recently purchased a yearly mailbox from them, i like what spamcop does for the Internet.
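
Added example, not part of the thread: the URL quoted in the comments above places a familiar hostname and `%01` in the userinfo part, before the `@`, while the host actually contacted is whatever follows the `@`. A mail filter or proxy can flag that shape with a check like this one; the function name, flag names and sample URL (documentation-only host and address) are constructed for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

enum { URL_OK = 0, HAS_USERINFO = 1, USERINFO_LOOKS_LIKE_HOST = 2,
       USERINFO_HAS_CONTROL = 4 };

/* Copy the host a client connects to (text after the last '@' of the
 * authority, port stripped; IPv6 literals not handled) into host[] and
 * return a bitmask of the flags above, or -1 without a "scheme://". */
int inspect_url(const char *url, char *host, size_t hostlen)
{
    const char *p = strstr(url, "://"), *at = NULL;
    if (!p || hostlen == 0) return -1;
    p += 3;
    size_t alen = strcspn(p, "/?#");            /* end of authority */
    for (size_t i = 0; i < alen; i++)
        if (p[i] == '@') at = p + i;            /* last '@' separates */
    const char *h = at ? at + 1 : p;
    size_t n = strcspn(h, ":/?#");
    if (n >= hostlen) n = hostlen - 1;
    memcpy(host, h, n);
    host[n] = '\0';
    if (!at) return URL_OK;

    int flags = HAS_USERINFO;
    for (const char *c = p; c < at; c++) {
        unsigned char ch = (unsigned char)*c;
        if (ch == '.') flags |= USERINFO_LOOKS_LIKE_HOST;
        if (ch < 0x20 || ch == 0x7f) flags |= USERINFO_HAS_CONTROL;
        if (ch == '%' && isxdigit((unsigned char)c[1]) && isxdigit((unsigned char)c[2])) {
            char hex[3] = { c[1], c[2], '\0' };
            long v = strtol(hex, NULL, 16);     /* decode %XX */
            if (v < 0x20 || v == 0x7f) flags |= USERINFO_HAS_CONTROL;
        }
    }
    return flags;
}

int main(void)
{
    /* Constructed sample using documentation-only names and addresses. */
    char host[64];
    int f = inspect_url("https://www.example.com%01@192.0.2.10/step1.htm", host, sizeof host);
    printf("real host: %s, flags: %d\n", host, f);
    return 0;
}
```

Any URL that returns `USERINFO_LOOKS_LIKE_HOST` or `USERINFO_HAS_CONTROL` is worth quarantining or rewriting so the reader sees the real host.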

  11. Re:Cd9660.util permissions? by pudge · · Score: 4, Informative
    I am unfamiliar with an "s" permission for root (-rws vs. -rwx). Is this correct?

    Yes. It stands for "Set UID/GID". See man chown:
    The letters `rwxXstugo' select the new permissions for the affected
    users: read (r), write (w), execute (or access for directories) (x),
    execute only if the file is a directory or already has execute permis-
    sion for some user (X), set user or group ID on execution (s), save
    program text on swap device (t), the permissions that the user who owns
    the file currently has for it (u), the permissions that other users in
    the file's group have for it (g), and the permissions that other users
    not in the file's group have for it (o).
    It means when you run it as Joe User, it will be run as root, which is why a buffer overflow is such a big problem. If the buffer is overflowed with some executable code -- thereby replacing the existing code with some other code -- then the program can be tricked into running that other code.

    This is normally not a huge problem, but when the program is set to execute with setuid, then it is a huge problem. The program cd9660.util is essentially trusted code: anyone can run it, and nothing bad can happen with it. But with a buffer overflow, now anyone can run it and (conceivably) gain root access to the system by getting it to run a root shell. You might as well, at that point, make bash setuid, or just leave your root password as an empty string.
  12. Re:Advice by martinX · · Score: 2, Informative

    Given that so many things are dependent on so many other things, it's just easier to reboot really. Probably quicker too.

    --
    When they came for the communists, I said "He's next door. Take him away. Goddam commies."
  13. "And the Hits Just Keep On Coming" by agent+dero · · Score: 1, Informative

    Oh give me a break; an UPDATE is nothing bad, they found a problem and fixed it, come on slashdot editors; grow up.

    The fact that they were identified and fixed before a worm/virus came out to exploit them is something to be proud of.

    Yes, whoop-di-doo, macs have a couple holes in them, that's not why they're more secure, they're more secure because they're not on by default and they're patched quickly.

    --
    Error 407 - No creative sig found
  14. Re:Cd9660.util permissions? by ianezz · · Score: 2, Informative
    You might as well, at that point, make bash setuid

    Just a note: making Bash suid root won't work: if the effective user ID (the one affected by the setuid bit) is 0 (read: root), Bash simply resets the effective user ID to the real user ID (the one inherited from the parent process). Other interpreters probably do that as well.

    OTOH, making Bash setuid any other user works as expected.

    Of course this doesn't prevent a suid root wrapper to change its real user id before forking a shell (otherwise su, sudo and friends couldn't work...)
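
Added example, not part of the thread and not Bash's own source: the real-versus-effective ID comparison described in the comment above, written as the privilege drop a setuid program can perform at startup. The function names are constructed for illustration, and the sketch assumes a POSIX system that provides `setreuid`/`setregid`.

```c
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* True when the process was started through a setuid/setgid bit: the
 * effective IDs differ from the real IDs inherited from the parent. */
int started_with_extra_ids(void)
{
    return geteuid() != getuid() || getegid() != getgid();
}

/* Permanently give up setuid/setgid privileges.
 * The group is dropped first, while the process may still be allowed to
 * change it. setregid/setreuid with both arguments set also replace the
 * saved IDs, so the old effective IDs cannot be restored afterwards.
 * Returns 0 on success; on -1 the caller must exit, not continue. */
int drop_to_real_ids(void)
{
    uid_t ruid = getuid(), old_euid = geteuid();
    gid_t rgid = getgid(), old_egid = getegid();

    if (setregid(rgid, rgid) != 0) return -1;
    if (setreuid(ruid, ruid) != 0) return -1;

    /* Verify: getting the old effective IDs back must now fail. */
    if (old_euid != ruid && seteuid(old_euid) == 0) return -1;
    if (old_egid != rgid && setegid(old_egid) == 0) return -1;
    return (geteuid() == ruid && getegid() == rgid) ? 0 : -1;
}

int main(void)
{
    if (started_with_extra_ids() && drop_to_real_ids() != 0) {
        fprintf(stderr, "could not drop privileges, refusing to continue\n");
        return 1;
    }
    printf("running as uid %ld\n", (long)geteuid());
    return 0;
}
```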