Apple Releases Mac OS X Patches
phoric writes "According to eWeek, Apple has released security patches to fix 16 'highly critical' holes, one-third of which deal with the open-source Apache web server. Several of the fixes address exploits such as the bypassing of security restrictions, spoofing, and potential DoS attacks."
...for releasing 10.2.8 client and server patches, too...from someone waiting for Tiger.
Every last one of them was -- and still is -- theoretical
Yep... as far as you know.
Every last one of them was -- and still is -- theoretical.
Well, not quite. The second Safari fix had a demo exploit published. I never got it to work on my system, but several people reported it working for them. (This was a pretty minor issue, possibly tricking someone into thinking a pop-up was opened by another window.) As for the other exploits, I don't know of any being leveraged either by a hacker or a worm, but that does not mean they were not found by anyone. The TIFF and PostScript overflows, for example, are not too different from exploits on Windows and someone may have been using them.
This patch encompasses about 5 possible remote code executions most of which were discovered by the open source community or by security firms. I find it encouraging that Apple is able to leverage the OS community to help secure their system, but it seems like Apple would benefit from some more thorough security reviews internally.
Please note, I am not trying to pick on OSX here. OSX has an excellent security record, and I would trust it more than Windows or the average Linux distribution at this point. eWeek's coverage was not too bad; they mentioned them as potential vulnerabilities. I could have done without Secunia's 2 cents, and it might have been nice if they had emphasized that even with these vulnerabilities unpatched, there is little practical danger to the average user. All in all though, I did not think the article was too bad.
Apple has not described these as "highly critical" to my knowledge.
That label has been applied by Secunia, the Danish security company that has, in the past, gotten press for indicating that Windows is secure and OS X isn't, no matter what tests might show.
The browser fixes are potentially significant, but the bulk of the others involve services that aren't even on by default, or things that most users wouldn't deal with.
Sky falling, next 10 miles.
Village idiot in some extremely smart villages.
I think that you're giving a little too much credit to the average user. Actually far too much credit. To the average user, there is no difference between what's displayed on a page, in a popup or as part of a window. That's why those "YOUR COMPUTER IS BROADCASTING ITS IP" popups work so well: the average user has no idea how to tell whether it's a valid OS message or just some stupid popup.
It was originally intended to be a feature, just some people chose to use it to cause problems. Then again, some people choose to use Linux to attack other systems, should we also get rid of Linux?
"I use a Mac because I'm just better than you are."
Need I remind you that it is best to plug that hole before someone has time to exploit it? And no, it is not a sign that Mac OS X is any less secure than other operating systems!
You're right. I did misunderstand the specific topic that the weblog entry was talking about. Having just read about the Safari fix I had assumed they were the same thing.
I still find it distasteful that a security expert would accept a potentially dangerous situation by trying to educate users (and expect users to know) that the status bar isn't to be trusted. Something you seem to agree with.
Thanks for the correction.
No, it has nothing to do with Slashcode. That exploit works regardless of what scripts you're running, and it also works to access files that are otherwise restricted. There are two reasons it's OS X's fault:
First, Apple provides the faulty default Apache configuration that doesn't secure against this attack. No web admin should have to know intricate details of the operating system's file system to think up every single possible exploit that could come about due to idiosyncrasies in that particular system.
Two, they put in that nonstandard behavior in the first place. This is the kind of thing that gets Slashdot up in arms about Microsoft all the time. We feel all smug that OUR systems don't have all these extra features with no thoughts to security. Well, Apple added an extra feature for HFS+ to access a file's data and resource forks through ..namedfork/data and ..namedfork/rsrc. No other system does this, and Apache certainly shouldn't have to have special code to check for it. The burden falls on Apple to make sure that their supplied tools and configurations take care of any possible security risks due to features such as this.
It's not surprising that it took someone this long to discover the hole, and it's been there all along. How many other applications might be out there that restrict access to files based on name, but would be fooled by using the ..namedfork/data extension? I wouldn't be surprised if there are more out there. Since this isn't a standard Unix/POSIX behavior, the burden falls squarely on Apple.
I really hope that everyone running an OS X web server runs this update quickly. Otherwise attackers will be able to read their scripts and other sensitive data - which they thought was blocked - and scrutinize it for bigger holes to truly exploit the systems. Yikes.
More info here.
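The name-based restriction problem raised in the comment above, as an added example that is not part of the original thread or any project's code: a deny rule that inspects only the last path segment is compared with a check that treats the `..namedfork` accessor as an alias for the file it is attached to. The deny list, function names and sample paths are constructed for illustration, and matching the accessor case-insensitively is a conservative assumption.

```python
import posixpath

FORK_DIR = "..namedfork"                 # accessor segment named in the comment
DENIED_PREFIXES = (".ht",)               # constructed deny rule: name prefixes
DENIED_EXTENSIONS = (".inc", ".conf")    # constructed deny rule: extensions


def is_denied_name(name):
    """True when one path segment matches the deny rule."""
    name = name.lower()
    return name.startswith(DENIED_PREFIXES) or name.endswith(DENIED_EXTENSIONS)


def naive_allows(url_path):
    """Name-based check that only looks at the final path segment."""
    return not is_denied_name(posixpath.basename(url_path))


def underlying_file(url_path):
    """Return the path of the file a fork accessor points at.

    Paths without a '..namedfork' segment are returned unchanged.
    """
    segments = url_path.split("/")
    for i, seg in enumerate(segments):
        if seg.lower() == FORK_DIR:      # conservative: ignore case
            return "/".join(segments[:i])
    return url_path


def hardened_allows(url_path):
    """Refuse fork accessors outright, then test every segment by name."""
    if underlying_file(url_path) != url_path:
        return False
    return not any(is_denied_name(s) for s in url_path.split("/"))


def compare(paths):
    """Map each path to (naive verdict, hardened verdict, underlying file)."""
    return {p: (naive_allows(p), hardened_allows(p), underlying_file(p))
            for p in paths}


if __name__ == "__main__":
    # Constructed sample request paths.
    samples = ["/site/index.html", "/site/.htpasswd",
               "/site/.htpasswd/..namedfork/data",
               "/site/db.inc/..namedfork/rsrc"]
    for path, verdicts in compare(samples).items():
        print(path, verdicts)
```

Logging the `underlying_file` value for refused requests shows which protected file a request was aimed at, which is useful when reviewing web server logs from before the update was applied.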
It can be a security flaw and a feature at the same time. Custom status titles are a good idea, definitely. However, when they spoof URLs, it becomes a security flaw. I haven't yet examined the fix, but hopefully Apple has eliminated the flaw in a clever way instead of eliminating the feature entirely.
"I'm amazed that is the mindset of a security tester and even more amazed that he feels comfortable posting that viewpoint publicly on the IE blog. No wonder they have so many security problems!"
It's a widespread problem, this mindset, shared by lots and lots of admins, power users and people who happen to just spend too much time with their computer and thus know a teensy bit more than their neighbor...
I think, therefore I am...I think.
There would have to be code optimizations at work here.
Jesus was a compassionate social conservative who called individuals to sin no more.