Slashdot Mirror

← Back to Stories (view on slashdot.org)

... And the Hits Just Keep On Coming

Posted by pudge on from the mo-updates-mo-updates-mo-updates dept.

Vokbain writes "Security Update 2003-12-19 is now available. This update includes the following components: AFP Server, ASN.1 Decoding for PKI, cd9660.util, Directory Services, fetchmail, fs_usage, rsync, and System Initialization. Get it now in Software Update." This security update appears to be for 10.3.2, and, as stekylsha writes, "contains among other things -- wait for it -- the fix for the cd9660.util buffer overflow. What was the turn around on that? Three days?" EverLurking writes "Yet another update from Apple, this time they've updated Java to 1.41.1_01. You can find it in Software Update, a restart is required." I see no Java update of this sort, but I do see an update to the MPEG-2 component, as well as the 10.3.2 update for Mac OS X Server. (As usual, the technotes on Apple's site don't appear to be updated yet.)

11 of 72 comments (clear)

  1. Security Update not just for 10.3 by TheRedHorse · · Score: 5, Informative

    I'm running 10.2.8 and still got the security update via Software Update.

    1. Re:Security Update not just for 10.3 by dbirchall · · Score: 3, Informative
      There are separate updates for 10.2.8 and 10.3.2. The 10.3.x update requires 10.3.2 and will not appear in Software Update unless/until 10.3.2 is installed.

      I and a few other Dual G5 users are having problems with 10.3.2 and/or some other very recent updates (say, QuickTime 6.5 or XCode 1.1), and are thus unable to apply this particular security update. Grumble.

  2. Three days turn around on the Buffer Overflow.. by byolinux · · Score: 4, Informative

    .. this puts Apple much closer to the Free Software Movement in terms of patching, than Microsoft.

    It's pretty impressive..

    Tip for any fellow 10.3 users out there...

    In System Preferences > Software Update > Turn on 'Download Important Updates in the Background' - particularly handy if you leave your machine turned on at night.

    --
    Join the Free Software Foundation
  3. Installed and all is good by jlower · · Score: 4, Informative

    In case anyone is waiting for user reports of installations that didn't crater their machine, here's one. G4/400 AGP installed & up and running again without any hiccups.

  4. 10.2.8 by Johnny+Mnemonic · · Score: 5, Informative


    The security update is also available for 10.2.8. I downloaded it and installed it last night. It is apparently different than the one for 10.3.x, though, as the size is about a meg less.

    The description says that it updates: "AFP Server, cd9660.util, Directory Services, fetchmail, fs_usage, rsync, System Initialization". I wonder what this does to directory services? Presumably it addresses the security issue raised earlier, but since the issue exploits a configuration that is necessary for NetInstall, I don't think that Apple could just "turn it off." I explicitly checked, but didn't see anything different about Directory Access after the update.

    Anyways, it's great that Apple is updating 10.2.x machines still--apparently, they are listening and responding to criticism that they can't end support immediately after a new OS is released--part of their enterprise aims?

    --

    --
    $tar -xvf .sig.tar
  5. More Info from Apple: by Johnny+Mnemonic · · Score: 3, Informative


    Apple's security-announce mailing list helps answer this question: "Directory Services: Fixes CAN-2003-1009. The default settings are changed to prevent an inadvertent connection in the event of a malicious DHCP server on the computer's local subnet. Further information is provided in Apple's Knowledge Base article: http://docs.info.apple.com/article.html?artnum=324 78 Credit to William A. Carrel for reporting this issue."

    For more on these updates: Jaguar; Panther.

    --

    --
    $tar -xvf .sig.tar
  6. The TechNote... by Anonymous Coward · · Score: 5, Informative

    AppleFileServer: Fixes CAN-2003-1007 to improve the handling of malformed requests.

    cd9660.util: Fixes CAN-2003-1006, a buffer overflow vulnerability in the filesystem utility cd9660.util. Credit to KF of Secure Network Operations for reporting this issue.

    Directory Services: Fixes CAN-2003-1009. The default settings are changed to prevent an inadvertent connection in the event of a malicious DHCP server on the computer's local subnet. Further information is provided in Apple's Knowledge Base article: Credit to William A. Carrel for reporting this issue.

    fetchmail: Fixes CAN-2003-0792. Updates are provided to fetchmail that improve its stability when receiving malformed messages.

    fs_usage: Fixes CAN-2003-1010. The fs_usage tool has been improved to prevent a local privilege escalation vulnerability. This tool is used to collect system performance information and requires admin privileges to run. Credit to Dave G. of @stake for reporting this issue.

    rsync: Fixes CAN-2003-0962 by improving the security of the rsync server.

    System initialization: Fixes CAN-2003-1011. The system initialization process has been improved to restrict root access on a system that uses a USB keyboard.

    Note: The following fixes which appear in "Security Update 2003-12-19 for Panther" are not included in "Security Update 2003-12-19 for Jaguar" since the Jaguar versions of Mac OS X and Mac OS X Server are not vulnerable to these issues:

    CAN-2003-1005: ASN.1 Decoding for PKI
    CAN-2003-1008: Screen Saver text clippings

  7. Re:10.2.8 kernel panic? by awfwal · · Score: 5, Informative

    I started getting kernel panics about this time, but I traced the problem to the also-recently-updated Norton Anti-Virus auto-protect. After I disabled that ( using safe boot ) I had no more problems.

  8. The IE hole by goombah99 · · Score: 5, Informative

    This post is offtopic to apple abut relevant to security and quick trurn arrounds. The scammers have done a quick turnaround on the announced but not officially patched IE security flaw. The balleyhooed IE URL spoof using %01 has now officially debuted in the wild. I got my first fake Billing statement today witht he following URL
    https://www.earthlink.net%01@211.154.171.106/li_pi n/verification/step1_e.htm
    (mind the break inserted by the lameness filter!)
    I'll leave it to compare with Microsoft versus Apple response times, but I will mention the following. In many industries when a safety standard becomes established or ubiquitously improved it becomes the new legal definition of "reasonable and prudent action". I know many ski areas for example dont mark all the hazards because they dont want hazard marking to become an expectation and a get their asses sued if they dont do it well. In this case I think apple is setting standards for bug fixes that leave microsoft ripe for a suit by someone who get screwed by one of their slow responses to security issues

    --
    Some drink at the fountain of knowledge. Others just gargle.
    1. Re:The IE hole by valmont · · Score: 3, Informative

      yeah. i got this phisher e-mail too. 211.154.171.106 appears to be a compromised box, some lame cracker used to set-up their phisher site at /li_pi n/verification/step1_e.htm .

      mm. it looks like eventually the script that gathers all the sensitive info is this one: http://211.154.171.106/li_pin/verification/form2.p hp

      Please submit a spamcop report for that phisher e-mail you just received. Basic reporting account is free, i recently purchased a yearly mailbox from them, i like what spamcop does for the Internet.

      --
      Extraordinary Vacations. Exceptional Prices
  9. Re:Cd9660.util permissions? by pudge · · Score: 4, Informative
    I am unfamiliar with an "s" permission for root (-rws vs. -rwx). Is this correct?

    Yes. It stands for "Set UID/GID". See man chown:
    The letters `rwxXstugo' select the new permissions for the affected
    users: read (r), write (w), execute (or access for directories) (x),
    execute only if the file is a directory or already has execute permis-
    sion for some user (X), set user or group ID on execution (s), save
    program text on swap device (t), the permissions that the user who owns
    the file currently has for it (u), the permissions that other users in
    the file's group have for it (g), and the permissions that other users
    not in the file's group have for it (o).
    It means when you run it as Joe User, it will be run as root, which is why a buffer overflow is such a big problem. If the buffer is overflowed with some executable code -- thereby replacing the existing code with some other code -- then the program can be tricked into running that other code.

    This is normally not a huge problem, but when the program is set to execute with setuid, then it is a huge problem. The program cd9660.util is eseentially trusted code: anyone can run it, and nothing bad can happen with it. But with a buffer overflow, now anyone can run it and (conceivably) gain root access to the system by getting it to run a root shell. You might as well, at that point, make bash setuid, or just leave your root password as an empty string.