Slashdot Mirror

← Back to Stories (view on slashdot.org)

Apple Releases Mac OS X Patches

Posted by michael on from the little-dutch-boy dept.

phoric writes "According to eWeek, Apple has released security patches to fix 16 'highly critical' holes, one-third of which deal with the open-source Apache web server. Several of the fixes address exploits such as the bypassing of security restrictions, spoofing, and potential DoS attacks."

14 of 84 comments (clear)

  1. Any exploits "in the wild"? by TFGeditor · · Score: 4, Interesting

    Seems odd. Is anyone aware of any malware that takes advantage of the exploits?

    --
    Ignorance is curable, stupid is forever.
    1. Re:Any exploits "in the wild"? by boola-boola · · Score: 1, Interesting
      That one was pretty weak though. It might have been good for phishing clueless people.

      ...oh, so you mean 99% of users on the Internet (the masses are dumb). Anything that can take advantage of clueless people is a threat in my book.

  2. MSFT says URL spoofing security a feature by cuijian · · Score: 4, Interesting

    Apple fixed a URL spoofing vulnerability in Safari with this release. (The URL shown in the status bar when you click on a link was not necessarily where you were going to be taken)

    Just today, a MSFT IE secutity tester posted an entry on the IE Blog that dismisses the vulnerabilty. He feels that allowing web sites to display arbitrary text on the status bar is a feature and that users need to learn that they can only trust the address bar URL field, and the lock icon in the status bar. IE users need to know that "the status bar text is not helpful in making trust decisions."

    I'm amazed that is the mindset of an security tester and even more amazed that he feels comfortable posting that viewpoint publicly on the IE blog. No wonder they have so many security problems!

    Here is the link to the blog:
    http://blogs.msdn.com/ie/archive/2004/12/03 /274330 .aspx

    1. Re:MSFT says URL spoofing security a feature by MarkGriz · · Score: 4, Interesting

      I'm amazed that is the mindset of an security tester and even more amazed that he feels comfortable posting that viewpoint publicly on the IE blog. No wonder they have so many security problems!

      This amazes you?
      On the one hand, you have Apple fixing potentially exploitable holes.
      One the other hand, Microsoft regularly downplays holes with "Mitigating Factors"

      Nope, seems like business as usual to me.

      --
      Beauty is in the eye of the beerholder.
    2. Re:MSFT says URL spoofing security a feature by cuijian · · Score: 3, Interesting

      I can't seem to access the vulnerability report, but it doesn't sound like the same thing to me at all. Virtually every browser allows you to set the status bar text with Javascript. If you don't like that, you can switch client-side scripting off, or that particular feature in some browsers. The Safari hole sounds like websites can do this without any client-side scripting at all.

      Not true. Check out the Secunia test case below with IE, FireFox, and Safari. Only IE is vulnerable. FireFox and Safari do not allow the website to spoof the URL in the status field.

      http://secunia.com/internet_explorer_address_bar_s poofing_test/

    3. Re:MSFT says URL spoofing security a feature by Anonymous Coward · · Score: 1, Interesting

      "I'm amazed that you find this an issue AT ALL. It IS NOT a security flaw."

      That would be true it it was called the arbitray text bar, but it isn't, it is the status bar, it should show me the URL of the link or tell me status info. Rename to the, "Whatever the fuck people want to sho up here" bar and I would not mind as much.

  3. Re:Now, before anyone says it... by Sancho · · Score: 4, Interesting

    It's a nice contrast to Microsoft, who has allegedly known about security bugs and waited until there were out-of-control exploits before issuing fixes.

  4. Re:Now, before anyone says it... by Anonymous Coward · · Score: 4, Interesting

    Oh yeah? Here's an exploit in the wild, created just now: http://macslash.org/comments.pl/..namedfork/data

    That's one serious hole. Hope they upgrade soon.

  5. Error? by azav · · Score: 3, Interesting

    From the article:

    "Apple said the problem exists because its HFS+ file system handles file access in a case-sensitive way, while the Apache configuration blocks access in a case-sensitive way."

    Shouldn't that be case insensitive?

    --
    - Zav - Imagine a Beowulf cluster of insensitive clods...
  6. Re:Now, before anyone says it... by the+pickle · · Score: 1, Interesting

    And that's OS X's fault how, exactly?

    Looks more like a vulnerability in Slashcode to me...

    p

    --
    In Korea, long hair is for old people!
  7. Interesting note: by ZackSchil · · Score: 4, Interesting

    According to the details on the update, Apple patched an internal system bug that stopped other locally running programs from intercepting data entered into a secure text field. You know, the kind that shows up as dots when you write in it. Nice to see Apple protecting users from phishing spyware before it even exists in OS X.

  8. Re:Now, before anyone says it... by anothergene · · Score: 2, Interesting

    Every last one of them was -- and still is -- theoretical.

    So would you sooner have them wait until there are threats in the wild? I would call this rather proactive.
    Of course if you use your own compiled version of apache and are on top of it then you've probably patched these hole a long time ago.

    --
    Who's leg do I have to hump to get a dry martini around here?
  9. Re:Now, before anyone says it... by Fry+a+Lad+Up · · Score: 2, Interesting

    There are two reasons it's OS X's fault:

    First, Apple provides the faulty default Apache configuration that doesn't secure against this attack. No web admin should have to know intricate details of the operating system's file system to think up every single possible exploit that could come about due to idiosyncrasies in that particular system.

    Two, they put in that nonstandard behavior in the first place.

    All true.

    Still, there's more blame to spread. "allow all, but these that we explicitly deny" is a standard Apache config. Shouldn't it allow only ".html", ".", and, perhaps, ".txt" by default?

    BTW, how does the case-insensitive FS fall out with, for example, "file.PHP"?

  10. Dear Steve Jobs: retire HFS+ for Chrissakes! by jbordall · · Score: 2, Interesting

    It looks like most of the Apache problems stem from Apple's own HFS+ filesystem and its lack of case-sensitive filenaming. HFS+ needs to be retired. I mean, what kind of *nix uses a default filesystem that is *not* case-sensitive? There's a myriad of worthy file systems out there (UFS being my personal favorite.) Before you Mac people flame me, I must point out that I am writing this on my iBook, which I treasure dearly.