... And the Hits Just Keep On Coming

Vokbain writes "Security Update 2003-12-19 is now available. This update includes the following components: AFP Server, ASN.1 Decoding for PKI, cd9660.util, Directory Services, fetchmail, fs_usage, rsync, and System Initialization. Get it now in Software Update." This security update appears to be for 10.3.2, and, as stekylsha writes, "contains among other things -- wait for it -- the fix for the cd9660.util buffer overflow. What was the turn around on that? Three days?" EverLurking writes "Yet another update from Apple, this time they've updated Java to 1.41.1_01. You can find it in Software Update, a restart is required." I see no Java update of this sort, but I do see an update to the MPEG-2 component, as well as the 10.3.2 update for Mac OS X Server. (As usual, the technotes on Apple's site don't appear to be updated yet.)

Security Update not just for 10.3

[TheRedHorse]

I'm running 10.2.8 and still got the security update via Software Update.

10.2.8

[Johnny+Mnemonic]

The security update is also available for 10.2.8. I downloaded it and installed it last night. It is apparently different than the one for 10.3.x, though, as the size is about a meg less.

The description says that it updates: "AFP Server, cd9660.util, Directory Services, fetchmail, fs_usage, rsync, System Initialization". I wonder what this does to directory services? Presumably it addresses the security issue raised earlier, but since the issue exploits a configuration that is necessary for NetInstall, I don't think that Apple could just "turn it off." I explicitly checked, but didn't see anything different about Directory Access after the update.

Anyways, it's great that Apple is updating 10.2.x machines still--apparently, they are listening and responding to criticism that they can't end support immediately after a new OS is released--part of their enterprise aims?

The TechNote...

AppleFileServer: Fixes CAN-2003-1007 to improve the handling of malformed requests.

cd9660.util: Fixes CAN-2003-1006, a buffer overflow vulnerability in the filesystem utility cd9660.util. Credit to KF of Secure Network Operations for reporting this issue.

Directory Services: Fixes CAN-2003-1009. The default settings are changed to prevent an inadvertent connection in the event of a malicious DHCP server on the computer's local subnet. Further information is provided in Apple's Knowledge Base article: Credit to William A. Carrel for reporting this issue.

fetchmail: Fixes CAN-2003-0792. Updates are provided to fetchmail that improve its stability when receiving malformed messages.

fs_usage: Fixes CAN-2003-1010. The fs_usage tool has been improved to prevent a local privilege escalation vulnerability. This tool is used to collect system performance information and requires admin privileges to run. Credit to Dave G. of @stake for reporting this issue.

rsync: Fixes CAN-2003-0962 by improving the security of the rsync server.

System initialization: Fixes CAN-2003-1011. The system initialization process has been improved to restrict root access on a system that uses a USB keyboard.

Note: The following fixes which appear in "Security Update 2003-12-19 for Panther" are not included in "Security Update 2003-12-19 for Jaguar" since the Jaguar versions of Mac OS X and Mac OS X Server are not vulnerable to these issues:

CAN-2003-1005: ASN.1 Decoding for PKI
CAN-2003-1008: Screen Saver text clippings

Re:10.2.8 kernel panic?

[awfwal]

I started getting kernel panics about this time, but I traced the problem to the also-recently-updated Norton Anti-Virus auto-protect. After I disabled that ( using safe boot ) I had no more problems.

The IE hole

[goombah99]

This post is offtopic to apple abut relevant to security and quick trurn arrounds. The scammers have done a quick turnaround on the announced but not officially patched IE security flaw. The balleyhooed IE URL spoof using %01 has now officially debuted in the wild. I got my first fake Billing statement today witht he following URL
https://www.earthlink.net%01@211.154.171.106/li_pi n/verification/step1_e.htm
(mind the break inserted by the lameness filter!)
I'll leave it to compare with Microsoft versus Apple response times, but I will mention the following. In many industries when a safety standard becomes established or ubiquitously improved it becomes the new legal definition of "reasonable and prudent action". I know many ski areas for example dont mark all the hazards because they dont want hazard marking to become an expectation and a get their asses sued if they dont do it well. In this case I think apple is setting standards for bug fixes that leave microsoft ripe for a suit by someone who get screwed by one of their slow responses to security issues