... And the Hits Just Keep On Coming

Vokbain writes "Security Update 2003-12-19 is now available. This update includes the following components: AFP Server, ASN.1 Decoding for PKI, cd9660.util, Directory Services, fetchmail, fs_usage, rsync, and System Initialization. Get it now in Software Update." This security update appears to be for 10.3.2, and, as stekylsha writes, "contains among other things -- wait for it -- the fix for the cd9660.util buffer overflow. What was the turn around on that? Three days?" EverLurking writes "Yet another update from Apple, this time they've updated Java to 1.41.1_01. You can find it in Software Update, a restart is required." I see no Java update of this sort, but I do see an update to the MPEG-2 component, as well as the 10.3.2 update for Mac OS X Server. (As usual, the technotes on Apple's site don't appear to be updated yet.)

Security Update not just for 10.3

[TheRedHorse]

I'm running 10.2.8 and still got the security update via Software Update.

Three days turn around on the Buffer Overflow..

[byolinux]

.. this puts Apple much closer to the Free Software Movement in terms of patching, than Microsoft.

It's pretty impressive..

Tip for any fellow 10.3 users out there...

In System Preferences > Software Update > Turn on 'Download Important Updates in the Background' - particularly handy if you leave your machine turned on at night.

Installed and all is good

[jlower]

In case anyone is waiting for user reports of installations that didn't crater their machine, here's one. G4/400 AGP installed & up and running again without any hiccups.

10.2.8

[Johnny+Mnemonic]

The security update is also available for 10.2.8. I downloaded it and installed it last night. It is apparently different than the one for 10.3.x, though, as the size is about a meg less.

The description says that it updates: "AFP Server, cd9660.util, Directory Services, fetchmail, fs_usage, rsync, System Initialization". I wonder what this does to directory services? Presumably it addresses the security issue raised earlier, but since the issue exploits a configuration that is necessary for NetInstall, I don't think that Apple could just "turn it off." I explicitly checked, but didn't see anything different about Directory Access after the update.

Anyways, it's great that Apple is updating 10.2.x machines still--apparently, they are listening and responding to criticism that they can't end support immediately after a new OS is released--part of their enterprise aims?

Re:Apple is killing me!

[MoneyT]

It's a matter of not being able to please everyone at once. When they did the bulk updates, people were ticked because they couldn't pick and choose what to install, so now you get them piece by piece, of course, now people want them all at once

The TechNote...

AppleFileServer: Fixes CAN-2003-1007 to improve the handling of malformed requests.

cd9660.util: Fixes CAN-2003-1006, a buffer overflow vulnerability in the filesystem utility cd9660.util. Credit to KF of Secure Network Operations for reporting this issue.

Directory Services: Fixes CAN-2003-1009. The default settings are changed to prevent an inadvertent connection in the event of a malicious DHCP server on the computer's local subnet. Further information is provided in Apple's Knowledge Base article: Credit to William A. Carrel for reporting this issue.

fetchmail: Fixes CAN-2003-0792. Updates are provided to fetchmail that improve its stability when receiving malformed messages.

fs_usage: Fixes CAN-2003-1010. The fs_usage tool has been improved to prevent a local privilege escalation vulnerability. This tool is used to collect system performance information and requires admin privileges to run. Credit to Dave G. of @stake for reporting this issue.

rsync: Fixes CAN-2003-0962 by improving the security of the rsync server.

System initialization: Fixes CAN-2003-1011. The system initialization process has been improved to restrict root access on a system that uses a USB keyboard.

Note: The following fixes which appear in "Security Update 2003-12-19 for Panther" are not included in "Security Update 2003-12-19 for Jaguar" since the Jaguar versions of Mac OS X and Mac OS X Server are not vulnerable to these issues:

CAN-2003-1005: ASN.1 Decoding for PKI
CAN-2003-1008: Screen Saver text clippings

Re:10.2.8 kernel panic?

[awfwal]

I started getting kernel panics about this time, but I traced the problem to the also-recently-updated Norton Anti-Virus auto-protect. After I disabled that ( using safe boot ) I had no more problems.

Advice

[phorking]

You want to stay current but don't want to reboot your machine every day. You want 2 completley mutualy exclusive operations here. In your choice where Apple only releases updates once a week you are not staying any more current than you would if you only patched yourself once a week. Instead, you are only being ignorant to your current patched status. The patches are still waiting at Apple and you still have not applied them. You have not actualy gained anything by waiting for Apple to release those updates on a schedule. So, just update once a week. It makes no difference in the end. If you want to stay current, stay current and don't complain about rebooting. TTFN =)

Re:Advice

[Senjaz]

Not true. Patching doesn't always require a reboot. Any system service could be updated and it's process restarted individually instead of taking down the entire system. Unfortunately Apple's updates tend to want to reboot the entire machine. I suspect further effort could be made to improve the software updater so that machine reboots were not required as often. All but very core stuff could be suspended while a updated process is swapped out for a newer one.

Re:Advice

If I update my linux boxes I reboot them.

Why? I've been caught before, having a machine up & running for months, updating a dozen small things that restart just fine, and I get used to how they work.

Then on a reboot, things AREN'T identical. It's just not worth trying to trace down why the system isn't working as I'm used to when I could have completely avoided problems with a reboot. Granted it's rare, but if I'm going to do 10 reboots over a few months that's better than spending a few hours poring over a system to find why it's not working how it used to, when it's not working how it SHOULD and not how it did without the reboot.

A reboot costs 45 seconds. That's worth it. Screw uptime

Re:Snagged this last night

[tgibbs]

Also nice to see all the other Security fixes happening. gg Apple!

Also nice to see Apple giving public credit to the people who reported these security holes.

The IE hole

[goombah99]

This post is offtopic to apple abut relevant to security and quick trurn arrounds. The scammers have done a quick turnaround on the announced but not officially patched IE security flaw. The balleyhooed IE URL spoof using %01 has now officially debuted in the wild. I got my first fake Billing statement today witht he following URL
https://www.earthlink.net%01@211.154.171.106/li_pi n/verification/step1_e.htm
(mind the break inserted by the lameness filter!)
I'll leave it to compare with Microsoft versus Apple response times, but I will mention the following. In many industries when a safety standard becomes established or ubiquitously improved it becomes the new legal definition of "reasonable and prudent action". I know many ski areas for example dont mark all the hazards because they dont want hazard marking to become an expectation and a get their asses sued if they dont do it well. In this case I think apple is setting standards for bug fixes that leave microsoft ripe for a suit by someone who get screwed by one of their slow responses to security issues

Re:Cd9660.util permissions?

[pudge]

I am unfamiliar with an "s" permission for root (-rws vs. -rwx). Is this correct?

Yes. It stands for "Set UID/GID". See man chown:

The letters `rwxXstugo' select the new permissions for the affected
users: read (r), write (w), execute (or access for directories) (x),
execute only if the file is a directory or already has execute permis-
sion for some user (X), set user or group ID on execution (s), save
program text on swap device (t), the permissions that the user who owns
the file currently has for it (u), the permissions that other users in
the file's group have for it (g), and the permissions that other users
not in the file's group have for it (o).

It means when you run it as Joe User, it will be run as root, which is why a buffer overflow is such a big problem. If the buffer is overflowed with some executable code -- thereby replacing the existing code with some other code -- then the program can be tricked into running that other code.

This is normally not a huge problem, but when the program is set to execute with setuid, then it is a huge problem. The program cd9660.util is eseentially trusted code: anyone can run it, and nothing bad can happen with it. But with a buffer overflow, now anyone can run it and (conceivably) gain root access to the system by getting it to run a root shell. You might as well, at that point, make bash setuid, or just leave your root password as an empty string.