Slashdot Mirror


Apple Releases Mac OS X Patches

phoric writes "According to eWeek, Apple has released security patches to fix 16 'highly critical' holes, one-third of which deal with the open-source Apache web server. Several of the fixes address exploits such as the bypassing of security restrictions, spoofing, and potential DoS attacks."

8 of 84 comments (clear)

  1. Any exploits "in the wild"? by TFGeditor · · Score: 4, Interesting

    Seems odd. Is anyone aware of any malware that takes advantage of the exploits?

    --
    Ignorance is curable, stupid is forever.
  2. MSFT says URL spoofing security a feature by cuijian · · Score: 4, Interesting

    Apple fixed a URL spoofing vulnerability in Safari with this release. (The URL shown in the status bar when you click on a link was not necessarily where you were going to be taken)

    Just today, a MSFT IE secutity tester posted an entry on the IE Blog that dismisses the vulnerabilty. He feels that allowing web sites to display arbitrary text on the status bar is a feature and that users need to learn that they can only trust the address bar URL field, and the lock icon in the status bar. IE users need to know that "the status bar text is not helpful in making trust decisions."

    I'm amazed that is the mindset of an security tester and even more amazed that he feels comfortable posting that viewpoint publicly on the IE blog. No wonder they have so many security problems!

    Here is the link to the blog:
    http://blogs.msdn.com/ie/archive/2004/12/03 /274330 .aspx

    1. Re:MSFT says URL spoofing security a feature by MarkGriz · · Score: 4, Interesting

      I'm amazed that is the mindset of an security tester and even more amazed that he feels comfortable posting that viewpoint publicly on the IE blog. No wonder they have so many security problems!

      This amazes you?
      On the one hand, you have Apple fixing potentially exploitable holes.
      One the other hand, Microsoft regularly downplays holes with "Mitigating Factors"

      Nope, seems like business as usual to me.

      --
      Beauty is in the eye of the beerholder.
    2. Re:MSFT says URL spoofing security a feature by cuijian · · Score: 3, Interesting

      I can't seem to access the vulnerability report, but it doesn't sound like the same thing to me at all. Virtually every browser allows you to set the status bar text with Javascript. If you don't like that, you can switch client-side scripting off, or that particular feature in some browsers. The Safari hole sounds like websites can do this without any client-side scripting at all.

      Not true. Check out the Secunia test case below with IE, FireFox, and Safari. Only IE is vulnerable. FireFox and Safari do not allow the website to spoof the URL in the status field.

      http://secunia.com/internet_explorer_address_bar_s poofing_test/

  3. Re:Now, before anyone says it... by Sancho · · Score: 4, Interesting

    It's a nice contrast to Microsoft, who has allegedly known about security bugs and waited until there were out-of-control exploits before issuing fixes.

  4. Re:Now, before anyone says it... by Anonymous Coward · · Score: 4, Interesting

    Oh yeah? Here's an exploit in the wild, created just now: http://macslash.org/comments.pl/..namedfork/data

    That's one serious hole. Hope they upgrade soon.

  5. Error? by azav · · Score: 3, Interesting

    From the article:

    "Apple said the problem exists because its HFS+ file system handles file access in a case-sensitive way, while the Apache configuration blocks access in a case-sensitive way."

    Shouldn't that be case insensitive?

    --
    - Zav - Imagine a Beowulf cluster of insensitive clods...
  6. Interesting note: by ZackSchil · · Score: 4, Interesting

    According to the details on the update, Apple patched an internal system bug that stopped other locally running programs from intercepting data entered into a secure text field. You know, the kind that shows up as dots when you write in it. Nice to see Apple protecting users from phishing spyware before it even exists in OS X.