Apple Releases Mac OS X Patches

phoric writes "According to eWeek, Apple has released security patches to fix 16 'highly critical' holes, one-third of which deal with the open-source Apache web server. Several of the fixes address exploits such as the bypassing of security restrictions, spoofing, and potential DoS attacks."

Now, before anyone says it...

[the+pickle]

...how many of these holes had exploits in the wild?

0 / 16.

Every last one of them was -- and still is -- theoretical.

Do what you have to do in the name of "balanced reporting," though, eWeek.

p

Re:Now, before anyone says it...

[justMichael]

And that's OS X's fault how, exactly?

Looks more like a vulnerability in Slashcode to me...

Yeah, that was my first thought, then I tried it on my PowerBook which I use for development. It works on any file found under docroot, including .htaccess and it doesn't have to be the OS X install of Apache, I build my own and it works.

I'll provide the link that the very helpful AC posted below in case it doesn't get modded up as I think people should see it.

More info here.

Knowledge Base Article

[kuwan]

For more info on the update, here's the description from Software Update (click on the link at the bottom for the full Knowledge Base Article)

Security Update 2004-12-02 delivers a number of security enhancements and is recommended for all Macintosh users. This update includes the following components:

Apache
AppKit
HIToolbox
Kerberos
Postfix
PS Normalizer
Safari
Terminal

For detailed information on this Update, please visit this website: http://www.info.apple.com/kbnum/n61798

Clickable link

[kuwan]

http://www.info.apple.com/kbnum/n61798

(Doh! I hit while correcting spelling in the subject.)

Re:Any exploits "in the wild"?

[99BottlesOfBeerInMyF]

Is anyone aware of any malware that takes advantage of the exploits?

There was a demo exploit of the Safari pop-up redirection. Anyone could have grabbed that and set up an exploit site. That one was pretty weak though. It might have been good for phishing clueless people.

For successful updates...

[madsenj37]

Always remember to repair permissions first via Disk Utility. And the hard drive, if you have time.

MAJORS PROBLEM with update! Read this!

[nordicfrost]

OK. This update b0rked my PowerBook up really well. Afteer an update and Repair Permissions (Always a good idea), I restarted the PB. After a seemingly normal reboot, it halted at Logon Window staring... And did not go any further.

On Apple Discussions, arguably the best official tech solution pages from any major computer company, a possible solution has been posted.

If the problems appear, reboot into single-user mode. Go to the /etc directory (type cd /etc and hit enter for those who seldom wander into Terminal)

There you will find a screwed up file, 'ttys' and a backup of the same file called 'ttys.applesaved'. Overwrite the borken file by typing 'sudp cp /etc/ttys.applesaved /etc/ttys' and hit enter. Type in your admin password, hit enter. Reboot the machine, rejoice as you now get in.

I was less fortunate, as the machine was the only ne at home so I never ot to read the advice. I did archive and reinstall, it worked surprisingly well. I have done this under Windows, and lost all settings ang programs. When the 10.3 system was in, even my desktop icons were right where I left them. I did another updated and it worked swell!

For MacOS X users who customise their httpd.conf

[HSpirit]

Two of the vulnerabilities reported attempt to modify the

/etc/httpd/httpd.conf

configuration file used by Apache 1.3.

Those MacOS X users (like me) who manually reconfigure their Apache configuration should note that the update (sensibly) will not modify a customised httpd.conf. If you fit into this category you should read the advice posted by Apple on how to manually update your httpd.conf to ensure your Apache is not serving up content which should not be available.