Slashdot Mirror
... And the Hits Just Keep On Coming
Vokbain writes "Security Update 2003-12-19 is now available. This update includes the following components: AFP Server, ASN.1 Decoding for PKI, cd9660.util, Directory Services, fetchmail, fs_usage, rsync, and System Initialization. Get it now in Software Update." This security update appears to be for 10.3.2, and, as stekylsha writes, "contains among other things -- wait for it -- the fix for the cd9660.util buffer overflow. What was the turn around on that? Three days?" EverLurking writes "Yet another update from Apple, this time they've updated Java to 1.41.1_01. You can find it in Software Update, a restart is required." I see no Java update of this sort, but I do see an update to the MPEG-2 component, as well as the 10.3.2 update for Mac OS X Server. (As usual, the technotes on Apple's site don't appear to be updated yet.)
I was very happy about the MPEG-2 update, previewing my m2v files in VLC is a pain compared to QuickTime's player, simply because the control in QT is much better.
Also nice to see all the other Security fixes happening. gg Apple!
It doesn't mean much now, it's built for the future.
I'm running 10.2.8 and still got the security update via Software Update.
.. this puts Apple much closer to the Free Software Movement in terms of patching, than Microsoft.
It's pretty impressive..
Tip for any fellow 10.3 users out there...
In System Preferences > Software Update > Turn on 'Download Important Updates in the Background' - particularly handy if you leave your machine turned on at night.
Join the Free Software Foundation
In case anyone is waiting for user reports of installations that didn't crater their machine, here's one. G4/400 AGP installed & up and running again without any hiccups.
The security update is also available for 10.2.8. I downloaded it and installed it last night. It is apparently different than the one for 10.3.x, though, as the size is about a meg less.
The description says that it updates: "AFP Server, cd9660.util, Directory Services, fetchmail, fs_usage, rsync, System Initialization". I wonder what this does to directory services? Presumably it addresses the security issue raised earlier, but since the issue exploits a configuration that is necessary for NetInstall, I don't think that Apple could just "turn it off." I explicitly checked, but didn't see anything different about Directory Access after the update.
Anyways, it's great that Apple is updating 10.2.x machines still--apparently, they are listening and responding to criticism that they can't end support immediately after a new OS is released--part of their enterprise aims?
--
$tar -xvf
Apple's security-announce mailing list helps answer this question: "Directory Services: Fixes CAN-2003-1009. The default settings are changed to prevent an inadvertent connection in the event of a malicious DHCP server on the computer's local subnet. Further information is provided in Apple's Knowledge Base article: http://docs.info.apple.com/article.html?artnum=32
For more on these updates: Jaguar; Panther.
--
$tar -xvf
It's a matter of not being able to please everyone at once. When they did the bulk updates, people were ticked because they couldn't pick and choose what to install, so now you get them piece by piece, of course, now people want them all at once
T Money
World Domination with a plastic spoon since 1984
AppleFileServer: Fixes CAN-2003-1007 to improve the handling of malformed requests.
cd9660.util: Fixes CAN-2003-1006, a buffer overflow vulnerability in the filesystem utility cd9660.util. Credit to KF of Secure Network Operations for reporting this issue.
Directory Services: Fixes CAN-2003-1009. The default settings are changed to prevent an inadvertent connection in the event of a malicious DHCP server on the computer's local subnet. Further information is provided in Apple's Knowledge Base article: Credit to William A. Carrel for reporting this issue.
fetchmail: Fixes CAN-2003-0792. Updates are provided to fetchmail that improve its stability when receiving malformed messages.
fs_usage: Fixes CAN-2003-1010. The fs_usage tool has been improved to prevent a local privilege escalation vulnerability. This tool is used to collect system performance information and requires admin privileges to run. Credit to Dave G. of @stake for reporting this issue.
rsync: Fixes CAN-2003-0962 by improving the security of the rsync server.
System initialization: Fixes CAN-2003-1011. The system initialization process has been improved to restrict root access on a system that uses a USB keyboard.
Note: The following fixes which appear in "Security Update 2003-12-19 for Panther" are not included in "Security Update 2003-12-19 for Jaguar" since the Jaguar versions of Mac OS X and Mac OS X Server are not vulnerable to these issues:
CAN-2003-1005: ASN.1 Decoding for PKI
CAN-2003-1008: Screen Saver text clippings
I started getting kernel panics about this time, but I traced the problem to the also-recently-updated Norton Anti-Virus auto-protect. After I disabled that ( using safe boot ) I had no more problems.
Do you have two monitors?
I'm running dual monitors on 233 (now 500Mhz BG3) with an ATI Rad 7000 in addition to the on-board video. With 10.2.8 I ran into random monitor blacking or corruption varying from 2 hours to a 4 days.
After I heard about others with the same problem I finally rolled back to 10.2.6. *SIGH*
There's a precident for this - the same set-up had screen corruption on sleep issues until the ATI updates in 10.1.5 update.
=TKK
Bill Gates - Creationist?!?
You want to stay current but don't want to reboot your machine every day. You want 2 completley mutualy exclusive operations here. In your choice where Apple only releases updates once a week you are not staying any more current than you would if you only patched yourself once a week. Instead, you are only being ignorant to your current patched status. The patches are still waiting at Apple and you still have not applied them. You have not actualy gained anything by waiting for Apple to release those updates on a schedule. So, just update once a week. It makes no difference in the end. If you want to stay current, stay current and don't complain about rebooting. TTFN =)
Since it's still in public beta form it won't be found in software update but here:
http://docs.info.apple.com/article.html?artnum=120 289#English
The big rumor for Macworld is almost all of Apples software will see upgrades and some totally new software apps.
This post is offtopic to apple abut relevant to security and quick trurn arrounds. The scammers have done a quick turnaround on the announced but not officially patched IE security flaw. The balleyhooed IE URL spoof using %01 has now officially debuted in the wild. I got my first fake Billing statement today witht he following URLi n/verification/step1_e.htm
https://www.earthlink.net%01@211.154.171.106/li_p
(mind the break inserted by the lameness filter!)
I'll leave it to compare with Microsoft versus Apple response times, but I will mention the following. In many industries when a safety standard becomes established or ubiquitously improved it becomes the new legal definition of "reasonable and prudent action". I know many ski areas for example dont mark all the hazards because they dont want hazard marking to become an expectation and a get their asses sued if they dont do it well. In this case I think apple is setting standards for bug fixes that leave microsoft ripe for a suit by someone who get screwed by one of their slow responses to security issues
Some drink at the fountain of knowledge. Others just gargle.
Yes. It stands for "Set UID/GID". See man chown:It means when you run it as Joe User, it will be run as root, which is why a buffer overflow is such a big problem. If the buffer is overflowed with some executable code -- thereby replacing the existing code with some other code -- then the program can be tricked into running that other code.
This is normally not a huge problem, but when the program is set to execute with setuid, then it is a huge problem. The program cd9660.util is eseentially trusted code: anyone can run it, and nothing bad can happen with it. But with a buffer overflow, now anyone can run it and (conceivably) gain root access to the system by getting it to run a root shell. You might as well, at that point, make bash setuid, or just leave your root password as an empty string.
If you have ever worked in a software company you would know how incredibly difficult it is to syncronize the release of components...even within the same product. Even if everything is on a schedule, last minute bugs can delay a component for several days.
Apple is doing the right thing by releasing updates as they become available instead of what you propose (batching updates).
As others have said, a restart is not required in many cases, and maybe apple could eventually eliminate the need to restart. But restarting is fairly harmless in most cases.
For them to release updates at the same time, they'd need to either 1) rush the later ones, involving less testing, or 2) delay the earlier ones, which you could easily do yourself.
Which one of these strikes you as a good idea?
Um, how old are you?
One one hand you're saying you'd like Apple to hold off on releasing security patches so that they come out at the same time as other stuff to save you having to reboot your machine.
On the other hand you're saying that you have Software Update checking for updates every day. And you don't want to set it to every week (or every month) because you want to stay current.
I say bite the bullet, Einstein! Set your software update to once a week. Let Apple release updates on their own schedule. Trust me -- it is better for the world when Apple releases updates as they are developed. Stop wasting your bandwidth, as well as Apple's (and Slashdot's).
Get the heck off Norton, it's a waste of money. None of their programs are of any use on a Mac running OS X, and if you run Panther, the updates don't even exist for some of the apps.
Filesaver is one sure way to damage a drive badly, as well as make a mess of your system (throwing many files everywhere) and slow everything down by half, making a point to rescan and log every single file you open or move, as well as many other things you might do in regular use. In all I've seen, heard, and read, it has *never* been used reliably to recover a drive to a fully usable state.
Antivirus is full of crap, it's lying to you that it's doing anything useful. If you're really *that* paranoid to want a commercial virus-checker on a Mac, get Virex.
The vitals: Duel 1 GHz PowerMac G4, 768 MB, Radeon 9000, 10.3.2 and all the latest and greatest.
Anyone else seen this problem?
Lawrence Person (lawrencepersonh@gmailh.com (remove all "h"s to mail)
http://www.lawrenceperson.com/
Just a note: making Bash suid root won't work: if the effective user ID (the one affected by the setuid bit) is 0 (read: root), Bash simply resets the effective user ID to the real user ID (the one inherithed from the parent process). Other interpreters probably do that as well.
OTOH, making Bash setuid any other user works as expected.
Of course this doesn't prevent a suid root wrapper to change its real user id before forking a shell (otherwise su, sudo and friends couldn't work...)