Slashdot Mirror


Security Update 2004-09-07

sizemoresr writes "Security Update 2004-09-07 delivers a number of security enhancements and is recommended for all users of Mac OS X 10.2.8 and later. This update includes the following components: CoreFoundation, IPSec, Kerberos, libpcap, lukemftpd, NetworkConfig, OpenLDAP, OpenSSH, PPPDialer, rsync, Safari and tcpdump."

39 of 77 comments

  1. Post Install Experiences Here... by commodoresloat · · Score: 3, Funny
    ... guinea pigs!

    ;^)

    1. Re:Post Install Experiences Here... by inio · · Score: 4, Informative

      Downloaded.
      Installed.
      Optimized................ .
      Restarted.
      Checked email.
      Posted comment.

      (dual 1.8 G5)

    2. Re:Post Install Experiences Here... by Ford+Prefect · · Score: 5, Funny

      It seemed to install correctly on my iBook, but on rebooting the Apple logo morphed into a deep red pentagram. Flames then started belching from the optical drive, the screen became a window into the lower reaches of hell, sulphurous fumes vented from the keyboard and all the cables caught fire.

      So, seems to be working okay - haven't noticed any other differences, and it's just as stable as it was before. Kind of disappointing, really...

      --
      Tedious Bloggy Stuff - hooray?
    3. Re:Post Install Experiences Here... by jaoswald · · Score: 5, Funny

      So you're saying the interface seems snappier?

    4. Re:Post Install Experiences Here... by transient · · Score: 3, Funny

      Only after he zapped his PRAM and rebuilt his desktop.

      --

      irb(main):001:0>
    5. Re:Post Install Experiences Here... by hawaiian717 · · Score: 5, Funny

      I think you're posting under the wrong topic. This is Security Update 2004-09-07 for Mac OS X, not Windows XP Service Pack 2.

      --
      End of Line.
    6. Re:Post Install Experiences Here... by macthulhu · · Score: 3, Funny
      Sooo.... somehow you managed to install Windows on an iBook? And it works, you say? Sweet. Now I can go to Wal Mart and buy all the great software titles that are 'Windows Only'!

      Attention Windows-Lovin' Flamers and Trolls:

      This is a joke. Maybe not a super funny joke, but a joke. So, don't get your shorts in a twist over it. Take a deep breath...Hold it...Keep holding it....Aaaaaand release.

      --

      Someday a real rain is gonna come...

  2. Apple's forced upgrade plans by ZackSchil · · Score: 5, Funny

    I can't believe Apple would do something like this to 10.2 users! I paid $120 for Mac OS X v10.2 and now Apple refuses to fix critical security flaws in my OS, which is not yet 2 years old. I refuse to pay this annual Apple tax! And what's with the one mouse button, overpriced, non-upgradable hardware, combustible batteries, and abnormally long file copy times. I mean come on my 486 box with... wait, what?

    The update IS for 10.2 and 10.3 users? Oh. Good then. I don't really feel like deleting the other stuff I wrote. Good to get it out of the way anyway, I guess.

    Thanks Apple!

    1. Re:Apple's forced upgrade plans by ZackSchil · · Score: 4, Funny

      Dearest Mods,

      Please read comments before moderating them.

      Thanks,

      Someone with a sense of humor

    2. Re:Apple's forced upgrade plans by MarsDefenseMinister · · Score: 5, Funny

      I can't believe Apple would do something like this to 10.2 users!

      I can't believe that Apple has 10.2 users. Nice to see that they are expanding the user base.

      --
      No weapon in the arsenals of the world is so formidable as the will and moral courage of free men.-Ronald Reagan
  3. It's 3 o Clock and all's well by mojoviper · · Score: 5, Funny

    At least so far. Nothing's tripping up, no "Shock and Awe"-worthy problems. And most importantly, my Ti-book (10.3.5) still doesn't work like a windows machine.

    --
    Si hoc legere scis, nimium eruditionis habes, sed illud Latine dici non potest. (If you can read this, you have too much education; but that can't be said in Latin.)
  4. Worth noting this time... by danamania · · Score: 4, Informative

    ...is that the update is provided for two Panther releases, 10.3.5 AND 10.3.4.
    From apple's Security Announce list:

    Given the relatively recent release of the Mac OS X v10.3.5 Software
    Update, this security update is available for both Mac OS X v10.3.4
    and Mac OS X v10.3.5. Customers who are still evaluating Mac OS X
    v10.3.5 for large-scale deployment can apply the security update for
    Mac OS X v10.3.4 to increase the security of their systems during the
    evaluation period. After updating to Mac OS X v10.3.5, Security
    Update 2004-09-07 should be installed onto Mac OS X v10.3.5 even if it
    was previously installed on a Mac OS X v10.3.4 system.

    From memory some of the other security updates could be put on before the release they came with, but I wouldn't trust just my memory as far as I could throw it. Anyway, it's specifically noted this time.

    1. Re:Worth noting this time... by kgp · · Score: 4, Interesting
      This is the first time I recall Apple doing a security update that didn't just apply to the current minor version of Mac OS X and the last version of the "legacy OS" 10.2.

      So Apple have released a security update for both 10.3.4 and 10.3.5 which might imply (either/or):
      1. there is a major customer who has not moved to 10.3.5 and they need these security fixes
      2. perhaps they recognize that many xServe admins have not moved up to 10.3.5 yet.
      3. Apple recognizes there is a reason people are not moving from 10.3.4 to 10.3.5 (what might that be?)
      Anyone know the real answer? Inquiring minds and all that.
  5. Safari bug still there by setesh · · Score: 5, Informative
    Still does not fix the bug where if you load a page that changes a cookie and then immediately quit Safari, the cookie change is not saved.

    Thought you logged out of your super secret intranet page? No, you didn't...

    1. Re:Safari bug still there by MadMoses · · Score: 2, Interesting

      I didn't hear of this bug before. Any more info? (E.g. define "immediately".) Thanks!

      --

      Do not be alarmed. This is only a test.
    2. Re:Safari bug still there by BlueLightning · · Score: 2, Insightful

      That doesn't sound like a security bug to me...

    3. Re:Safari bug still there by oscarmv · · Score: 4, Informative

      That's a Safari bug that hopefully will be corrected in a Safari revision (there's one coming for both Panther and Tiger).

      Should be out in a few weeks I think.

  6. Webpages not rendering correctly by Anonymous Coward · · Score: 2, Informative

    Just go ahead and update and try FedEx.com or DirectTV.com

    You may just want to wait a bit

    Keep on Folding! Team MaC OS X rocks! Join Us!

    1. Re:Webpages not rendering correctly by inblosam · · Score: 2, Informative

      Was this problem here before? Looks like both sites have the exact same issue, but from my quick HTML glance I couldn't tell what was causing it.

      Mason-powered site showcase: Utah Homes Now.com

      That was my sig.

    2. Re:Webpages not rendering correctly by Anonymous Coward · · Score: 3, Informative

      Yes macslash has some coverage of this. My own experiments indicate that the problem is localized to Safari; the mozilla suite (Camino, Mozilla, Firefox) seem all to work fine.

      --MW

    3. Re:Webpages not rendering correctly by Gogo+Dodo · · Score: 4, Informative

      This was a "Security Update", not a general bug fix release, so I don't expect any bugs in Safari got fixed except the security issue.

    4. Re:Webpages not rendering correctly by mark-ss · · Score: 2, Interesting

      What's supposed to not happen with these pages? Fedex.com opens just fine for me (10.3.5, Safari 1.2.3).

  7. Re:AH. Refreshing. by jellomizer · · Score: 5, Insightful

    Well, there is a big difference in security fixes. OS X and OSS OSes tend to have a lot of little low-level security risks that take a quick little patch to fix. Windows' security model, on the other hand, is so flawed that they are trying like crazy to fix things, and their solutions are rather complex because their software and other 3rd-party software used these security holes to get around other problems in the system that never worked right. Most of the security holes in OSS are little things like buffer overflows where the programmer needs to put a limit on some pointers and arrays. Microsoft has that too, but they know that every time that is affected, they have administrator rights.

    --
    If something is so important that you feel the need to post it on the internet... It probably isn't that important.
  8. rsync? by numbski · · Score: 5, Interesting

    You mean rsync runs correctly in both user and daemon mode????

    On 10.2?

    Yay! I've been trying to get BackupPC to backup our XServe with no luck at all to this point. Finally! I had tried compiling from sources and from Fink and both failed miserably. Something about an OS-specific bug. w00t!

    --

    Karma: Chameleon (mostly due to the fact that you come and go).

    1. Re:rsync? by eLoco · · Score: 5, Informative

      I use the rsync available here because it includes support for HFS+ volumes, meaning it will preserve resource forks. It installs to /usr/local/bin so it doesn't overwrite the existing rsync at /usr/bin. You need to have it installed on all OS X machines that you are syncing between.

      To rsync data that includes files with resource forks from a remote server to a local server via ssh, use something like this:

      /usr/local/bin/rsync -ave ssh --delete --eahfs --rsync-path=/usr/local/bin/rsync \
      <user>@<remoteserver>:<path> <localpath>

      The --eahfs switch is what tells it to preserve resource forks.

      --
      sig != null
  9. killed incoming ftp by ACmtd · · Score: 5, Informative

    This update apparently "secures" the FTP daemon in quite an original way, by rendering it completely inoperable.

    There are a few reports about it on Apple's discussions site.

    The workaround suggested in the above link is to revert to the original ftpd supplied with Panther/Jaguar using the OS X install discs and a tool like Pacifist - though I'm trying to look at the glass as half-full and use this as the kick in the pants I need to start using sftp instead.

    1. Re:killed incoming ftp by mgs1000 · · Score: 4, Informative

      Yep, same thing happened to me. So, I just installed PureFTPd, partially because there is a pretty good (and free) management frontend out there for it.

    2. Re:killed incoming ftp by Dahan · · Score: 4, Informative
      Hmm, well that sucks.

      Looks like ftpd was compiled with /usr/etc as its configuration directory, rather than /etc. If you create /usr/etc and copy /etc/ftpusers to /usr/etc/ftpusers, it seems to work.

    3. Re:killed incoming ftp by Dahan · · Score: 4, Informative
      You can also patch the binary to use /etc by running this as root:

      cd /usr/libexec && cp -p ftpd ftpd.orig && printf '/etc\0' | dd of=ftpd bs=1 seek=100252 conv=notrunc

    4. Re:killed incoming ftp by Em+Adespoton · · Score: 3, Informative
      Even better, ln -s /etc /usr/etc

      Then, you just get a symbolic link (alias) to the path at the other location, and it will pick up any future updates that come your way.

    5. Re:killed incoming ftp by Dahan · · Score: 3, Informative
      Well, I'm expecting that Apple will release a fixed ftpd shortly, so that I won't permanently need a /usr/etc/ftpusers file. Symlinking the entire /etc directory seems like overkill for a workaround for one program, but sure, that's fine too :)

      (Actually, I'm using my patched ftpd, so I don't need /usr/etc in any case).
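The dd command above hard-codes seek=100252, which only holds for the build of /usr/libexec/ftpd it was worked out on; a different build (or a later Apple-supplied ftpd) would put the string elsewhere, and writing five bytes at a stale offset silently corrupts whatever is there. The script below is an added example, not code posted in this thread or shipped by Apple: it locates the NUL-terminated "/usr/etc" string in the binary first and only then overwrites it, refusing to write anything longer than the original so it cannot run into the next string. It assumes, as the dd trick does, that the configuration directory is stored as a standalone C string (lukemftpd builds "<confdir>/ftpusers" at runtime from it). The sample "binary" it is exercised on is constructed for the example. If you would rather not touch the binary at all, the `ln -s /etc /usr/etc` symlink mentioned elsewhere in the thread gets the same result without editing anything.

```shell
#!/bin/sh
# Added example (not from the thread): patch a compiled-in config directory by
# finding its offset instead of hard-coding it. Assumes the directory is stored
# as a standalone NUL-terminated C string, e.g. "/usr/etc", as the dd command
# in the thread implies. The sample file built by make_sample is constructed.

# Print the byte offset of the first occurrence of $2 in $1 that is followed by
# a NUL byte, i.e. a whole C string, not a prefix of a longer path such as
# "/usr/etc/ftpusers". Prints nothing if no such string exists.
find_cstring_offset() {
    file=$1
    needle=$2
    len=${#needle}
    grep -aboF -- "$needle" "$file" | cut -d: -f1 | while read -r off; do
        # inspect the single byte right after the match
        next=$(dd if="$file" bs=1 skip=$((off + len)) count=1 2>/dev/null \
               | od -An -tu1 | tr -d ' ')
        [ "$next" = "0" ] && printf '%s\n' "$off"
    done | head -n 1
}

# Read the C string starting at byte offset $2 of $1 (first 64 bytes at most).
read_cstring() {
    dd if="$1" bs=1 skip="$2" count=64 2>/dev/null | tr '\0' '\n' | head -n 1
}

# Overwrite C string $2 in $1 with $3 plus a NUL terminator. Refuses to grow
# the string, since the extra bytes would clobber whatever follows it. Keeps a
# .orig copy, like the cp -p step in the thread's one-liner.
patch_cstring() {
    file=$1
    old=$2
    new=$3
    if [ ${#new} -gt ${#old} ]; then
        echo "patch_cstring: replacement '$new' is longer than '$old'" >&2
        return 1
    fi
    off=$(find_cstring_offset "$file" "$old")
    if [ -z "$off" ]; then
        echo "patch_cstring: '$old' not found as a C string in $file" >&2
        return 1
    fi
    cp -p "$file" "$file.orig"
    printf '%s\0' "$new" | dd of="$file" bs=1 seek="$off" conv=notrunc 2>/dev/null
}

# Constructed stand-in for the ftpd binary: two strings share the "/usr/etc"
# prefix, so a naive first-match patch would hit the wrong one. The standalone
# "/usr/etc" starts at byte 25; "/usr/etc/ftpusers" starts at byte 4.
make_sample() {
    printf 'ABC\0/usr/etc/ftpusers\0XYZ/usr/etc\0tail' > "$1"
}

# Usage against the real binary (as root, after taking a backup):
#   patch_cstring /usr/libexec/ftpd /usr/etc /etc
#   read_cstring /usr/libexec/ftpd "$(find_cstring_offset /usr/libexec/ftpd /etc)"
```

After patching, `strings /usr/libexec/ftpd | grep '^/etc$'` should show the new directory and the old "/usr/etc" should be gone; if a later security update replaces ftpd, the .orig copy and this workaround both become irrelevant, which is one reason the symlink or a proper vendor fix is preferable for anything that has to stay patched.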

  10. Not recommended for G4 users, G5 seems ok... by curtlewis · · Score: 4, Informative

    Most of the problems I've encountered are with Safari. The following sites all have similar problems and are entirely unusable with Safari after applying the patch:

    http://www.fedex.com/
    http://www.compusa.com/
    http://www.bestbuy.com/

    I'm sure there are many others. G5 systems do not appear to be affected. G4s are.

    As noted on http://docs.info.apple.com/article.html?artnum=61798 :

    Component: Safari
    CVE-ID: CAN-2004-0361
    Available for: Mac OS X 10.2.8, Mac OS X Server 10.2.8
    Impact: A JavaScript array of negative size can cause Safari to access out of bounds memory resulting in an application crash.
    Description: Storing objects into a JavaScript array allocated with negative size can overwrite memory. Safari now stops processing JavaScript programs if an array allocation fails.
    This security enhancement was previously made available in Safari 1.0.3, and is being applied inside the Mac OS X 10.2.8 operating system as an extra layer of protection for customers who have not installed that version of Safari. This is a specific fix for Mac OS X 10.2.8 and the issue does not exist in Mac OS X 10.3 or later systems.
    ----

    This particular fix is specific to 10.2.8 and NOT 10.3 or later, yet appears it may install with the 10.3.x update. This could well be the cause of the problems. This is further supported by the fact that all of the known sites that fail to render properly use JavaScript 1.2 extensively.

    Word is the Safari team is aware of the problem and working on it.

    1. Re:Not recommended for G4 users, G5 seems ok... by Guy+Harris · · Score: 4, Informative
      Most of the problems I've encountered are with Safari. The following sites all have similar problems and are entirely unusable with Safari after applying the patch:

      ...and if those sites update the version of OpenCube's QuickMenu Pro that they're using, to fix the browser type/version check, they'll probably be usable again. See the 9/8/04 item on this site and a 9/8/04 item on this site.

    2. Re:Not recommended for G4 users, G5 seems ok... by curtlewis · · Score: 3, Interesting

      UPDATE:

      The problem exists in QuickMenuPro, a javascript suite that many big sites use. The company that makes it has already posted a patch which, I'm sure, the affected sites will take months to deploy.

      With this latest information in mind, it is probably safe to go ahead and install the security patch on a G4... at least as long as you can wait for any of the affected sites to post the patch. If you can't, hold off until they do.

  11. Swap file bug not fixed? by jeffasselin · · Score: 2, Informative

    I couldn't find anything so far about the swap file password reveal being fixed or not.

    That's a serious issue that I expected to be fixed soon.

    --
    If he explores all forms and substances Straight homeward to their symbol-essences; He shall not die.
  12. rsyncX by Cbs228 · · Score: 5, Informative

    The latest Security Update has (predictably) broken my rsyncX install. I was able to fix this by overwriting /usr/bin/rsync (Apple's rsync) with /usr/local/bin/rsync (which is where rsyncX installs by default). However, be sure to RTF security information first: the version of rsync that rsyncX uses (2.6.0) is not secure in daemon mode (use SSH mode instead).

    --
    At our school, we don't earn a degree when we graduate—we earn pi/180 radians
  13. Web site display is not Apple's fault, see here!! by Anonymous Coward · · Score: 5, Informative
    I did some sleuthing today on a Safari bug that came up just after this latest security update, and the problem is not Apple's fault. It's the fault of OpenCube's QuickMenu Pro product, used by FedEx, CompUSA, Best Buy and others. It causes all kinds of garbage menu text to appear before rendering the rest of the page. I reported the error to OpenCube along with the offending line of code in their tdqm_loader.js file.

    update: They wrote me back that they have a fix for it available on their updates page. Of course, it's not me, but the above websites which need to apply the update. (OpenCube lists several places that use this product on their front page on the left, so if anyone wants to email them to update their software, please do. I've got to get to other things tonight.)

    To verify that this isn't a Safari problem, put this identity string into any browser of your choice: "Mozilla/5.0 (Macintosh; U; PPC Mac OS X; en-us) AppleWebKit/125.4.2 (KHTML, like Gecko) Safari/125.9" and go to one of the above sites. The "4" in the WebKit number trips up QuickMenu Pro.


    http://osx.hyperjeff.net

    Good catch Jeff!!
  14. mod parent up by cipher+chort · · Score: 2, Informative

    Ahh, at least the culprit is named and shamed!

    --
    Someone is WRONG on the Internet!
  15. FTP fux by steeviant · · Score: 4, Informative

    go to a terminal prompt and type

    sudo ln -s /etc /usr/etc

    As someone pointed out above, Apple mucked up the ftpd compile and made the ftp daemon look in /usr/etc instead of /etc for its config.