Slashdot Mirror


Mac OS X 10.3.4 Released

sizemoresr writes "The 10.3.4 Update delivers enhanced functionality and improved reliability for Mac OS X v10.3 'Panther' and is recommended for all users. Key enhancements include: improved file sharing and directory services for Mac (AFP), UNIX (NFS), PPTP, and wireless networks; improved OpenGL technology and updated ATI and NVIDIA graphics drivers; improved disc burning and recording functionality; iPods connected via USB 2.0 are now recognized by iTunes and iSync; additional FireWire audio and USB device compatibility; updated Address Book, Mail, Safari, Stickies, and QuickTime applications; improved compatibility for third party applications; previous standalone security updates."

40 of 166 comments

  1. The question is.. by Carlos+Silva · · Score: 3, Funny

    Can I grab it off Limewire?

    1. Re:The question is.. by commodoresloat · · Score: 4, Funny

      Not yet but there's a bitchin' version of Office 2004 to be had there....

    2. Re:The question is.. by Zestius · · Score: 5, Funny

      No, but if you'll just follow this url, you can get it here: help://panther-10.3.4.dmg ;-)

  2. I installed it by teamhasnoi · · Score: 5, Funny
    now my hair is falling out, food doesn't taste good anymore, and all my bath towels are missing!

    On the plus side, it now only takes 19 minutes to copy that damn file.

    I guess it's not all bad...

    1. Re:I installed it by Entropy2016 · · Score: 5, Funny

      Geek: New update ... geek urge ... rising ... must resist ... temptation to be update early ...

      Crocodile Hunter Steve Irwin: (whispering) From our hiding spot behind this potted plant, we can get a good view of a geek trying to resist his instinct to update his computer. One has to be extremely careful when handling a common Windows geek, since they quite often carry diseases like worms, but this geek appears to come from either a Linux or Mac colony. It looks like this one is fairly calm, possibly domesticated, since he's been showing some self-control ...

      But watch what happens when I yell "new features" ...

  3. No fix on recent exploits by jeffasselin · · Score: 5, Informative

    From what I could see by carefully reading the technical info on it, it doesn't appear to fix the recently discovered protocol handler exploits, apart from the earlier fix for the help: exploit (which doesn't appear to cure ALL help: exploits).

    These exploits are serious, and will require a significant overhaul of the protocol handler code as well as a possible revision on the handling of downloadable disc images in Safari (which is a factor in many of the exploits). Yes, they could have waited, but if 10.3.4 was already ready, I'd prefer for Apple to release it on time and give us the fixes they can right now, and then work on the recent problems to provide us a good security patch (or maybe a 10.3.5) when they've fixed it.

    --
    If he explores all forms and substances Straight homeward to their symbol-essences; He shall not die.
    1. Re:No fix on recent exploits by ghutchis · · Score: 4, Informative

      No, I've upgraded and can confirm it does not fix any exploits that were not fixed by the recent security update patch (i.e., only the help/runscript exploit).

      I'd agree that a careful overhaul is needed to properly fix these exploits. But the clock is ticking on the exploit problem!

      -Geoff

    2. Re:No fix on recent exploits by pudge · · Score: 4, Insightful

      These exploits are serious, and will require a significant overhaul of the protocol handler code

      They are serious, but most of the fixes belong in the apps, not the underlying OS services. It's a matter of filtering unsafe data so it cannot be used for unsafe operations, in the individual applications. That, or disabling the handlers.

      Yes, they could have waited, but if 10.3.4 was already ready, I'd prefer for Apple to release it on time and give us the fixes they can right now, and then work on the recent problems to provide us a good security patch (or maybe a 10.3.5) when they've fixed it.

      Totally agreed. I prefer Apple's "release when ready" rather than "lump all our releases together" approach to security fixes.

    3. Re:No fix on recent exploits by spitzak · · Score: 4, Informative

      Nonsense. I tried the exploit and it worked. Visiting a web page popped up the finder where it displayed an ftp site, and it then ran a command off this site. It did this all without any intervention of mine except for the initial click to go to that web page. If I clicked and then walked away I would not even see the finder pop up, and I'm not sure if I could have killed it even if I did see the finder. This is a nasty and serious exploit and your denying it is not going to make it go away.

      It sounds like the problem is that programs can register as "protocol handlers" and this is done automatically when the finder sees the file. On Windows (and I guess on Linux) this is done only if you actually run a program (and if a web page could cause a program to be run you have a much more direct exploit).

      It does seem this could be fixed by not installing any handlers until the program is first run. Not sure how hard this is to do or why Apple has not done it yet. It should also be the responsibility of anybody doing a protocol handler to not do anything dangerous no matter what command line arguments are passed (perhaps url's should add "--" before any arguments so that switches are never passed, any switches should be done by making different protocol handler names).
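The "--" suggestion in the comment above, as an added example that is not part of the original post or of any Apple code: a handler that turns a URL into a command line, first naively and then with validation and a `--` separator. The helper name `example-client`, its `--scheme` and `--port` options, and the scheme allowlist are hypothetical.

```python
import re
from urllib.parse import urlsplit

CLIENT = "example-client"            # hypothetical helper program
ALLOWED_SCHEMES = {"telnet", "ssh"}  # constructed allowlist for this sketch

# RFC 1123 style host name: labels of letters, digits and inner hyphens only,
# so a value starting with "-" can never pass as a host.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
_HOST = re.compile(rf"{_LABEL}(?:\.{_LABEL})*")


class RejectedURL(ValueError):
    """The URL must not be turned into a command line."""


def naive_argv(url):
    """'Before' form: whatever sits in the host position becomes an argument."""
    return [CLIENT, urlsplit(url).hostname or ""]


def hardened_argv(url):
    """Validate every URL part, then place the host after "--"."""
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        raise RejectedURL(f"scheme not handled: {parts.scheme!r}")
    host = parts.hostname or ""
    if not _HOST.fullmatch(host):
        raise RejectedURL(f"not a host name: {host!r}")
    try:
        port = parts.port          # raises ValueError on a non-numeric port
    except ValueError as exc:
        raise RejectedURL(f"bad port: {exc}") from None
    # Switches are chosen by the handler itself, never copied from the URL.
    argv = [CLIENT, "--scheme", parts.scheme]
    if port is not None:
        argv += ["--port", str(port)]
    # Everything after "--" is treated as an operand, not a switch.
    return argv + ["--", host]


if __name__ == "__main__":
    for url in ("ssh://host.example:2222/", "telnet://-x/"):  # constructed inputs
        print(url, "naive:", naive_argv(url))
        try:
            print(url, "hardened:", hardened_argv(url))
        except RejectedURL as err:
            print(url, "rejected:", err)
```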

    4. Re:No fix on recent exploits by MonkeyBoy · · Score: 5, Informative
      From the front page of Macintouch (http://www.macintouch.com) today:
      The solution I came up with seems to work perfectly so far, only takes a few seconds to implement, and doesn't require installing any third-party software as other solutions I've seen do:

      Go to /Applications/Firefox.app/Contents/MacOS/chrome
      Open all.js in any text editor, though preferably vim. :)
      Search for the term "protocol-handler".
      Under the two lines addressing "mailto" and "news", add the following lines of code:
      pref("network.protocol-handler.external.help", false); // disable help protocol
      pref("network.protocol-handler.external.disk", false); // disable disk protocol

      Restart Firefox.
      --

      Moof!
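A way to check that the edit described above actually took effect, as an added example that is not part of the original post or of Firefox: it parses the text of a prefs file and reports the state of each external protocol handler. The sample file is constructed; it shows that a pref name with a stray space, or a commented-out line, leaves the handler unset.

```python
import re

PREFIX = "network.protocol-handler.external."

# A string literal, a // comment, or a /* */ comment. Matching strings first
# keeps "//" inside a quoted URL from being mistaken for a comment.
_TOKEN = re.compile(r'"(?:\\.|[^"\\])*"|//[^\n]*|/\*.*?\*/', re.S)
# pref("name", true|false);  (only boolean prefs matter for this check)
_PREF = re.compile(r'\bpref\(\s*"((?:\\.|[^"\\])*)"\s*,\s*(true|false)\s*\)\s*;')
_SCHEME = re.compile(r"[a-z][a-z0-9+.-]*")

# Constructed sample, not a real all.js.
SAMPLE = r'''
// constructed sample
pref("network.protocol-handler.external.mailto", true);
pref("network.protocol-handler.external.news", true);
pref("network.protocol-handler.external.help", false); // disable help protocol
pref("network.protocol-handler.external. disk" , false); /* stray space in name */
// pref("network.protocol-handler.external.disks", false);
pref("browser.startup.homepage", "http://example.invalid/");
'''


def strip_comments(text):
    """Remove comments but keep string literals untouched."""
    return _TOKEN.sub(
        lambda m: m.group(0) if m.group(0).startswith('"') else "", text
    )


def external_handlers(text):
    """Map scheme -> bool for every external-handler pref; the last one wins."""
    found = {}
    for name, value in _PREF.findall(strip_comments(text)):
        if name.startswith(PREFIX):
            found[name[len(PREFIX):]] = (value == "true")
    return found


def audit(text, schemes):
    """Report 'disabled', 'enabled' or 'unset' for each scheme of interest."""
    handlers = external_handlers(text)
    report = {}
    for scheme in schemes:
        if scheme not in handlers:
            report[scheme] = "unset"
        else:
            report[scheme] = "enabled" if handlers[scheme] else "disabled"
    return report


def malformed_schemes(text):
    """Pref suffixes that are not valid URL scheme names (typos, stray spaces)."""
    return [s for s in external_handlers(text) if not _SCHEME.fullmatch(s)]


if __name__ == "__main__":
    print(audit(SAMPLE, ["help", "disk", "disks", "mailto"]))
    print("malformed:", malformed_schemes(SAMPLE))
```

To run it against a real installation, pass the contents of the edited all.js to `audit` in place of `SAMPLE`.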

  4. Thanks! by Apiakun · · Score: 5, Informative

    Ahh, thank you ssh and apple for allowing me to do this:

    ($:~)-> softwareupdate -i MacOSXUpdate10.3.4-10.3.4

    Now my box will be nice and updated before I even leave work.

    1. Re:Thanks! by volsung · · Score: 3, Interesting
      I'm pretty sure wake-on-lan is possible, but running your iBook with the lid closed is not very good for it. Using pbbuttonsd on Gentoo PPC, I once set the laptop not to sleep with the lid closed. Left for a couple hours while it did some stuff, and when I came back it was really hot! The iBook seems to be designed for heat exchange through the keyboard.

      That said, it would probably be okay if you kept the load low. You can check out Screen Spanning Doctor, which, in addition to enabling dual-head support on some iBooks, will allow you to run the iBook with the lid shut in OS X. Be warned! The dual-head hack only works for some iBooks, and can damage others, so check the compatibility list.

    2. Re:Thanks! by Guy+Harris · · Score: 4, Informative
      I'm pretty sure wake-on-lan is possible

      It is - see, for example, a knowledgebase article on it - but that's "wake on magic packet" (or Magic Packet(TM)) wake-on-LAN, not the more general packet matching wakeup that some network interfaces support.

      I.e., the machine won't automatically wake up when you try to ssh into it; you need to send it a Magic Packet(TM) to wake it up. A packet-matching wakeup might be able to match incoming unicast packets to the machine, broadcast ARP requests asking for the MAC address corresponding to the machine's IP address, and other packets that it would need to respond to, so that attempting to ssh into it would wake it up, without making it respond to various random broadcasts and multicasts for which it wouldn't have to wake up (e.g., a broadcast ARP request for somebody else's MAC address, assuming it doesn't have to reply to that for e.g. proxy ARP purposes).

      However, wake-on-Magic-Packet(TM) might be sufficient for the purposes of the person to whom you responded; I think one purpose for which it was intended was to allow administrators to wake up sleeping machines in order to do various remote administrative operations - including the remote software updates that they wanted to do.
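A sketch of the Magic Packet matching described above, as an added example and not code from the thread or from the wakeonlan script. The payload layout (six 0xFF bytes followed by the target MAC address sixteen times) is the standard Magic Packet format; the MAC addresses and sample payloads are constructed.

```python
import re

SYNC = b"\xff" * 6   # synchronisation stream that starts the pattern
REPEATS = 16         # the target MAC address follows this many times

_MAC = re.compile(r"(?:[0-9A-Fa-f]{2}[:-]){5}[0-9A-Fa-f]{2}")


def parse_mac(mac):
    """Turn 'aa:bb:cc:dd:ee:ff' (or with dashes) into 6 raw bytes."""
    if not _MAC.fullmatch(mac):
        raise ValueError(f"not a MAC address: {mac!r}")
    return bytes.fromhex(re.sub(r"[:-]", "", mac))


def build_magic_packet(mac):
    """Payload to carry in a UDP datagram (the thread uses port 9, 'discard')."""
    return SYNC + parse_mac(mac) * REPEATS


def would_wake(payload, mac):
    """What a sleeping interface checks: the full pattern for its own MAC,
    anywhere in the frame. Nothing else about the packet is examined."""
    return SYNC + parse_mac(mac) * REPEATS in payload


if __name__ == "__main__":
    target = "02:00:00:00:00:01"   # constructed, locally administered address
    packet = build_magic_packet(target)
    print(len(packet), would_wake(packet, target))
    # An ordinary connection attempt carries no such pattern, so the machine
    # stays asleep, which is the limitation the comment above points out.
    print(would_wake(b"SSH-2.0-example\r\n", target))
```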

    3. Re:Thanks! by mdray · · Score: 3, Informative

      Yes, wake on magic packet works. I have my ADSL router set up to forward traffic destined for 9/UDP ('discard' port) on the ADSL interface to be sent to the broadcast address (where my Mac will see it) on my LAN.

      I then use wakeonlan (perl script) to send a magic packet to the router from the internet, which wakes the Mac up. After this I can ssh in to my Mac (port forward for SSH configured on the ADSL router).

      The only problem is that I only get 30 seconds of connectivity before my Mac goes back to sleep. I think this is the amount of time the machine waits for me to type my password on the console, as if I'd woken it up by clicking the mouse. Does anyone have a workaround for this? It's *REALLY* annoying :I

    4. Re:Thanks! by xil · · Score: 3, Informative

      man pmset. You probably want to 'sudo pmset -a sleep 0' when you log in.

  5. This should help. by Padrino121 · · Score: 5, Informative

    Apple's KB article on the 10.3.4 update. http://docs.info.apple.com/article.html?artnum=25764

  6. For what it's worth.... by Paladeen · · Score: 3, Interesting

    For what it's worth, Safari now reports itself as version 1.2.2 (v125.7).

  7. Re:Hopefully it fixes the recent exploits by MisterSquid · · Score: 5, Informative

    However, I wish Apple would provide more information on their updates.

    Apple always provides complete information about their updates in the Apple Knowledgebase. The information for the 10.3.4 update is here.

    --
    blog
  8. URL Handler Exploits appear to be fixed... by EverLurking · · Score: 4, Informative
    Well, rebooted just fine. No issues yet. Browsing and E-mail working well, grabbed my home Wireless 802.11b/g with WPA just fine, if anything, reception is LESS flaky now (fewer dropouts seen on AP Grapher and fewer random loss of connectivity).

    Doesn't seem any slower or faster.

    Most importantly, it looks like some of the URI handler problems/security holes are now patched as well. I had uninstalled the "Paranoid Android" Haxie before the update (to make sure there weren't any install issues) so it was no longer running.

    It looks like none of these exploits seem to work any more after the 10.3.4 update.

    Nice work,

    DaveC

    --
    There are no stupid questions...just stupid people.
    1. Re:URL Handler Exploits appear to be fixed... by EverLurking · · Score: 4, Informative
      The remote disk image mounts and I can see the AppleScript MalWare program, but it doesn't execute on its own. This is without any protective measures taken (no redefinition of URL Handlers and no 3rd party protective programs).

      I was able to run the applescript manually by clicking on it and it brought the "you have been owned" dialogue box, then when you click on the OK button it exits and dismounts the image automatically. So I know I waited long enough for everything to download. Heck I waited like 5 minutes in case of delayed execution. Nope, the hole is closed for me.

      Note, stopping the execution of the remotely mounted program WON'T protect the user from his stupid self if he/she blindly executes unknown programs/scripts downloaded indiscriminately from the internet, but then again, nothing can protect a dumb ass from themselves.

      Caveat Emptor,

      DaveC

      --
      There are no stupid questions...just stupid people.
    2. Re:URL Handler Exploits appear to be fixed... by pudge · · Score: 4, Informative

      I just ran the Paranoid Android example exploit on a basically unmodified Mac OS X 10.3.4 user account, with no extras or RCDefaultApp or changed settings etc., and it ran just fine. The hole is still there. The "you have been owned" dialogue came up without any interaction from me.

    3. Re:URL Handler Exploits appear to be fixed... by EverLurking · · Score: 3, Informative
      Yes they did work pre 10.3.4, that's what prompted me to use Paranoid Android. I had uninstalled Paranoid Android before updating to 10.3.4

      Again, I've tried all four links and none autoexecute, they just bring up the remote .dmg or ftp folder with the example code in them. NONE of these programs executed for me.

      Is this some residual side effect of having had Paranoid Android on my computer? (ie. are there lasting changes despite having it uninstalled that keeps these programs from running? Paranoid Android used to bring up a confirmation dialog when I clicked on the "Open Energy Saver..." menu option of my Menu Bar Battery Icon asking if it was ok for a URL type file to be executed with System Preferences. Now that it's uninstalled, it no longer does that so I KNOW Paranoid Android is now completely gone, even went into /Library and deleted the Haxie PreferencePane.) A few others have reported that the URL Handler exploit doesn't work anymore after the update.

      I did NOT previously modify any URI Handlers by hand nor did I delete any applications prior to this update. If being protected is an isolated effect, I'm glad I got lucky I guess.

      DaveC

      --
      There are no stupid questions...just stupid people.
    4. Re:URL Handler Exploits appear to be fixed... by cft_128 · · Score: 3, Informative

      On my 'virgin' 10.3.3 machine unchecking "Open Safe files after downloading" in Safari preferences stops at least this exploit. No matter what it mounts the image, but with "Open Safe files after downloading" unchecked it will not run the script that is in the image.

      --

      Underloved Movies and Pub Quiz: donotquestionme.org

  9. Exploits are Fixed by EverLurking · · Score: 3, Informative
    If you try the various example exploit links, you will find that while the remote disk images/ftp servers do mount, none of the ssh, applescript or other commands on them are executed. Thus the URL Handler exploit hole appears for now to be a non-issue while retaining the convenience of being able to mount remote files/disk images.

    See this post for the links to the exploit examples I tested against. (I had not modified any of my URL handlers at all, and had already uninstalled "Paranoid Android" prior to updating so my system was unprotected from the old URL exploits).

    While the immediate danger seems to be gone, the halcyon days of being an OS X User seem to be gone now that we have the attention of the various asshole hacker/script-kiddies out there. Just a matter of time before some other hole is found (but it is inevitable with any software as complex and interoperable as an Operating System).

    Still, I'll take my chances with OS X over Windows ANY day.

    --
    There are no stupid questions...just stupid people.
  10. FireWire Audio devices... by Sneeka2 · · Score: 4, Interesting

    Well, it really seems to improve compatibility with my M-Audio Firewire 410 audio card. It now connects immediately, where before I had to try at least twice most of the time. Also the preferences are saved more reliably it seems, where before you needed to be lucky and do some odd standby/reboot combinations for preferences to be saved...

    Thanks Apple!

    --
    Bitten Apples are still better than dirty Windows...
  11. anacron-like update? by mrgeometry · · Score: 5, Interesting
    From http://docs.info.apple.com/article.html?artnum=25764:

    Addresses an issue in which scheduled items, such as automated backups or Software Update checks, may not work if the computer is asleep at the scheduled time. With this update, the schedule will run once the computer wakes from sleep.

    What about the periodic scripts (daily, weekly, monthly)? Is anacron now unnecessary?

    zach

  12. ALL exploits still work under 10.3.4 by daveschroeder · · Score: 4, Informative

    I've put up a test page at http://test.doit.wisc.edu/, and the exploit still works via afp, ftp, disk, and downloadable file in the default configuration of Mac OS X 10.3.4.

    To protect yourself, you still MUST:

    - disable "open safe files after download" in Safari

    - disable the following protocols (or reassign to a helper other than Finder):

    afp
    ftp
    disk
    disks

    and additionally:

    telnet
    ssh

    and/or install Paranoid Android

    Hopefully Apple will find a reasonable resolution for this soon.

    1. Re:ALL exploits still work under 10.3.4 by 93+Escort+Wagon · · Score: 4, Informative

      RCDefaultApp is a simpler way to take care of this. It installs as a Preference Pane, and lets you assign default handlers to (or unassociate completely) the various protocols like afp:, disk:, etc.

      As a bonus you can use it to change your default browser without first having to launch Safari. :-)

      --
      #DeleteChrome
  13. Safari is way faster by jeffehobbs · · Score: 4, Interesting

    and I bet it's a result of this.

    This algorithm completely transforms the feel of Safari over DSL and modem connections. Page content usually comes screaming in at the 250ms mark, and if the page isn't quite ready at the 250ms, it's usually ready shortly after (at the 300-500ms mark). In the rare cases where you have nothing to display, you wait until the 1 second mark still. This algorithm makes "white flashing" quite rare (you'll typically only see it on a very slow site that is taking a long time to give you data), and it makes Safari feel orders of magnitude faster on slower network connections.

    Because Safari waits for a minimum threshold (and waits to schedule until the threshold is exceeded), benchmarks won't be adversely affected as long as you typically beat the minimum threshold. Otherwise the overall page load speed will degrade slightly in real-world usage, but I believe that to be well-worth the decrease in the time required to show displayable content.

    1. Re:Safari is way faster by pualo · · Score: 4, Informative
      This change is not present in the 10.3.4 version of Safari. Dave Hyatt writes in the comments to his blog:
      It's a placebo. The Safari in 10.3.4 contains only a handful of fixes and is no faster than previous versions.
      He also later writes:
      I suppose something could have made it faster. In our internal tests it's no faster. As far as WebCore code, there are a slew of bug fixes, but those are mostly for the regressions from 1.1.
  14. 10.3.4 update on DualG5... by BobWeiner · · Score: 3, Interesting

    ...installed without any issue on both Dual G5 and single processor G5 systems. Initial impressions -- my Dual G5 system does appear to run snappier -- GUI response even better than it was in 10.3.3 -- no doubt the result of the improved video drivers in the update. No problems with the update whatsoever -- the update downloaded in a few minutes with a broadband condition.

    --
    The PC Weenies: 11 Years of Online Tech 'Too
    1. Re:10.3.4 update on DualG5... by Maelikai · · Score: 4, Funny

      >> my Dual G5 system does appear to run snappier

      prick. :)

    2. Re:10.3.4 update on DualG5... by weave · · Score: 4, Insightful

      Only a Mac user would assume an update or upgrade will make their computer run faster. Us Windows users are just resigned to the fact that each improvement comes at the cost of performance, but we can always run out and buy a faster box to compensate. Whatssamatterwithyall?!

  15. Accidentally installed it. by SkiingOnMars · · Score: 5, Funny

    I was re-installing panther on a new hard disk for my cube, and did the software update thing after I got it running. When I saw 10.3.4 update, I was blankly confused, but clicked ahead anyway for some reason. Now, two hours later, I'm reading Slashdot and realizing that there actually was a new update today, and feeling like a software-installing Forrest Gump, happening to be at the 'right' place at the 'right' time.

    Everything is cool so far, but I feel like a total idiot for not noticing. And yet I feel compelled to tell this to other people...

  16. Safari by zpok · · Score: 4, Interesting

    Damn, Safari is fast!!!!

    Updated on Cube - against better judgement, for better firewire drive compatibility - and all seems well...

    --
    I think, therefore I am...I think.
  17. Anyone here maliciously hit? by scienceninja · · Score: 3, Interesting

    A lot of the comments so far have been "I hope the exploit was fixed." But was anyone actually hit by the exploit in a malicious manner? Granted, it's something that should be patched, but what has the demand for it been like? Other than the example links floating around, I haven't really seen it anywhere else.

    1. Re:Anyone here maliciously hit? by bw5353 · · Score: 4, Insightful
      "But was anyone actually hit by the exploit in a malicious manner? Granted, it's something that should be patched, but what has the demand for it been like? Other than the example links floating around, I haven't really seen it anywhere else."

      The demand was the same one as for you to have a working lock on your front door when you buy a new house, even if there may be no burglars around right then right there.

      I'm sure no one has been hit for real. We would have heard about it at /.

  18. Version Numbering Schemes by Halfbaked+Plan · · Score: 3, Interesting

    It sounds like Apple isn't going to retire the 'Version 10' on their current MacOS version anytime soon. Will they indefinitely release .dot versions? It's not a negative question, nor is it necessarily a bad thing for them to do so.

    NetBSD is still at version 1 (1.6.2 is the latest I am running) and Solaris has been at version 2 through all the versions (2.5, 2.6, 2.7, 2.8, etc.) for years, even though they call 2.8 Solaris 8.

    Just an interesting thing to ponder. There's enough difference between the initial MacOS X release and the current release that they should definitely have different version numbers.

    --
    resigned
  19. I was being protected by Privoxy!!! by EverLurking · · Score: 4, Informative
    I finally figured out why I wasn't getting hit by the sample exploit code when others were. It was Privoxy preventing auto-refreshes that executed the code after mounting the image. Not a bad side effect really. I must have had Privoxy Disabled when I was testing the exploits out on 10.3.3

    OK, so my setup is apparently somewhat resistant for now, not bullet proof but nice to know: 10.3.4, disabled the "Open Safe files" option, running Privoxy (which is set to default actions)

    The help viewer URL problem is apparently patched and so is the SSL hole (according to another post on this page) so that is a comfort. Not the cleanest fix but in my case it works well.

    Sorry for the wild goosechase or if I misled anyone into thinking the problem had completely disappeared. On first inspection, it REALLY did seem to me that I wasn't vulnerable...well I wasn't, but no thanks to Apple.

    DaveC

    --
    There are no stupid questions...just stupid people.
  20. Re:the _real_ question is...... by chrismear · · Score: 3, Informative

    I know the comment was a joke, but in case anyone's interested, the update apparently fixes an issue where the Stickies app would access the hard drive every five minutes, even when idle.