Apple Releases Mac OS X Patches

← Back to Stories (view on slashdot.org)

Apple Releases Mac OS X Patches

Posted by michael on Friday December 3, 2004 @08:07AM from the little-dutch-boy dept.

phoric writes "According to eWeek, Apple has released security patches to fix 16 'highly critical' holes, one-third of which deal with the open-source Apache web server. Several of the fixes address exploits such as the bypassing of security restrictions, spoofing, and potential DoS attacks."

19 of 84 comments (clear)

Min score:

Reason:

Sort:

Any exploits "in the wild"? by TFGeditor · 2004-12-03 08:09 · Score: 4, Interesting

Seems odd. Is anyone aware of any malware that takes advantage of the exploits?

--
Ignorance is curable, stupid is forever.
1. Re:Any exploits "in the wild"? by inertia187 · 2004-12-03 08:19 · Score: 5, Funny
  
  Yep: Virtual PC.
  
  --
  A programmer is a machine for converting coffee into code.
2. Re:Any exploits "in the wild"? by 99BottlesOfBeerInMyF · 2004-12-03 09:09 · Score: 4, Informative
  
  Is anyone aware of any malware that takes advantage of the exploits?
  
  There was a demo exploit of the Safari pop-up redirection. Anyone could have grabbed that and set up an exploit site. That one was pretty weak though. It might have been good for phishing clueless people.
Cool! by wizbit · 2004-12-03 08:17 · Score: 4, Funny

Apple has released security patches to fix 16 'highly critical' holes, one-third of which deal with the open-source Apache web server

I've never used Software Update to apply 5.333 fixes before. This should be fun.
Now, before anyone says it... by the+pickle · 2004-12-03 08:22 · Score: 4, Informative

...how many of these holes had exploits in the wild?

0 / 16.

Every last one of them was -- and still is -- theoretical.

Do what you have to do in the name of "balanced reporting," though, eWeek.

p

--
In Korea, long hair is for old people!
1. Re:Now, before anyone says it... by Sancho · 2004-12-03 08:56 · Score: 4, Interesting
  
  It's a nice contrast to Microsoft, who has allegedly known about security bugs and waited until there were out-of-control exploits before issuing fixes.
2. Re:Now, before anyone says it... by 99BottlesOfBeerInMyF · 2004-12-03 09:05 · Score: 4, Insightful
  
  Every last one of them was -- and still is -- theoretical.
  
  Well, not quite. The second Safari fix had a demo exploit published. I never got it to work on my system, but several people reported it working for them. (This was a pretty minor issue possibly tricking someone into thinking a pop-up was opened by another window). As for the other exploits, I don't know of any being leveraged either by a hacker or a worm, but that does not mean they were not found by anyone. The tiff and postscript overflows, for example, are not too different from exploits on windows and someone may have been using them.
  
  This patch encompasses about 5 possible remote code executions most of which were discovered by the open source community or by security firms. I find it encouraging that Apple is able to leverage the OS community to help secure their system, but it seems like Apple would benefit from some more thorough security reviews internally.
  
  Please note, I am not trying to pick on OSX here. OSX has an excellent security record, and I would trust it more than Windows or the average Linux distribution at this point. Eweek's coverage was not too bad, they mentioned them as potential vulnerabilities. I could have done without Secunia's 2 cents, and it might have been nice if they had emphasized that even with these vulnerabilities unpatched, there is little practical danger to the average user. All in all though, I did not think the article was too bad.
3. Re:Now, before anyone says it... by Anonymous Coward · 2004-12-03 09:36 · Score: 4, Interesting
  
  Oh yeah? Here's an exploit in the wild, created just now: http://macslash.org/comments.pl/..namedfork/data
  
  That's one serious hole. Hope they upgrade soon.
4. Re:Now, before anyone says it... by Anonymous Coward · 2004-12-03 12:18 · Score: 5, Insightful
  
  No, it has nothing to do with Slashcode. That exploit works regardless of what scripts you're running, and it also works to access files that are otherwise restricted. There are two reasons it's OS X's fault:
  
  First, Apple provides the faulty default Apache configuration that doesn't secure against this attack. No web admin should have to know intricate details of the operating system's file system to think up every single possible exploit that could come about due to idiosyncrasies in that particular system.
  
  Two, they put in that nonstandard behavior in the first place. This is the kind of thing that gets Slashdot up in arms about Microsoft all the time. We feel all smug that OUR systems don't have all these extra features with no thoughts to security. Well, Apple added an extra feature for HFS+ to access a file's data and resource forks through ..namedfork/data and ..namedfork/rsrc. No other system does this, and Apache certainly shouldn't have to have special code to check for it. The burden falls on Apple to make sure that their supplied tools and configurations take care of any possible security risks due to features such as this.
  
  It's not surprising that it took someone this long to discover the hole, and it's been there all along. How many other applications might be out there that restrict access to files based on name, but would be fooled by using the ..namedfork/data extension? I wouldn't be surprised if there are more out there. Since this isn't a standard Unix/POSIX behavior, the burden falls squarely on Apple.
  
  I really hope that everyone running an OS X web server runs this update quickly. Otherwise attackers will be able to read their scripts and other sensitive date - which they thought was blocked - and scrutinize it for bigger holes to truly exploit the systems. Yikes.
  
  More info here.
5. Re:Now, before anyone says it... by justMichael · 2004-12-03 15:52 · Score: 4, Informative
  
  And that's OS X's fault how, exactly?
  
  Looks more like a vulnerability in Slashcode to me...
  Yeah, that was my first thought, then I tried it on my PowerBook which I use for development. It works on any file found under docroot, including .htaccess and it doesn't have to be the OS X install of Apache, I build my own and it works.
  
  I'll provide the link that the very helpful AC posted below in case it doesn't get modded up as I think people should see it.
  
  More info here.
MSFT says URL spoofing security a feature by cuijian · 2004-12-03 08:30 · Score: 4, Interesting

Apple fixed a URL spoofing vulnerability in Safari with this release. (The URL shown in the status bar when you click on a link was not necessarily where you were going to be taken)

Just today, a MSFT IE secutity tester posted an entry on the IE Blog that dismisses the vulnerabilty. He feels that allowing web sites to display arbitrary text on the status bar is a feature and that users need to learn that they can only trust the address bar URL field, and the lock icon in the status bar. IE users need to know that "the status bar text is not helpful in making trust decisions."

I'm amazed that is the mindset of an security tester and even more amazed that he feels comfortable posting that viewpoint publicly on the IE blog. No wonder they have so many security problems!

Here is the link to the blog:
http://blogs.msdn.com/ie/archive/2004/12/03 /274330 .aspx
1. Re:MSFT says URL spoofing security a feature by MarkGriz · 2004-12-03 08:57 · Score: 4, Interesting
  
  I'm amazed that is the mindset of an security tester and even more amazed that he feels comfortable posting that viewpoint publicly on the IE blog. No wonder they have so many security problems!
  
  This amazes you?
  On the one hand, you have Apple fixing potentially exploitable holes.
  One the other hand, Microsoft regularly downplays holes with "Mitigating Factors"
  
  Nope, seems like business as usual to me.
  
  --
  Beauty is in the eye of the beerholder.
Knowledge Base Article by kuwan · 2004-12-03 08:50 · Score: 4, Informative

For more info on the update, here's the description from Software Update (click on the link at the bottom for the full Knowledge Base Article)

Security Update 2004-12-02 delivers a number of security enhancements and is recommended for all Macintosh users. This update includes the following components:

Apache
AppKit
HIToolbox
Kerberos
Postfix
PS Normalizer
Safari
Terminal

For detailed information on this Update, please visit this website: http://www.info.apple.com/kbnum/n61798

--
infested with jello like fishes no melotron wishes
Clickable link by kuwan · 2004-12-03 08:57 · Score: 4, Informative

http://www.info.apple.com/kbnum/n61798

(Doh! I hit while correcting spelling in the subject.)

--
infested with jello like fishes no melotron wishes
"Highly Critical" according to whom? by Shag · 2004-12-03 09:59 · Score: 5, Insightful

The on-duty editor didn't get my mail, I guess...
Apple has not described these as "highly critical" to my knowledge.
That label has been applied by Secunia, the Danish security company that has, in the past, gotten press for indicating that Windows is secure and OS X isn't, no matter what tests might show.
The browser fixes are potentially significant, but the bulk of the others involve services that aren't even on by default, or things that most users wouldn't deal with.
Sky falling, next 10 miles.

--
Village idiot in some extremely smart villages.
For successful updates... by madsenj37 · 2004-12-03 11:43 · Score: 4, Informative

Always remember to repair permissions first via Disk Utility. And the hard drive, if you have time.

--
Choosing the lesser of two evils is a choice for evil.
Interesting note: by ZackSchil · 2004-12-03 21:37 · Score: 4, Interesting

According to the details on the update, Apple patched an internal system bug that stopped other locally running programs from intercepting data entered into a secure text field. You know, the kind that shows up as dots when you write in it. Nice to see Apple protecting users from phishing spyware before it even exists in OS X.
MAJORS PROBLEM with update! Read this! by nordicfrost · 2004-12-04 02:10 · Score: 4, Informative

OK. This update b0rked my PowerBook up really well. Afteer an update and Repair Permissions (Always a good idea), I restarted the PB. After a seemingly normal reboot, it halted at Logon Window staring... And did not go any further.

On Apple Discussions, arguably the best official tech solution pages from any major computer company, a possible solution has been posted.

If the problems appear, reboot into single-user mode. Go to the /etc directory (type cd /etc and hit enter for those who seldom wander into Terminal)

There you will find a screwed up file, 'ttys' and a backup of the same file called 'ttys.applesaved'. Overwrite the borken file by typing 'sudp cp /etc/ttys.applesaved /etc/ttys' and hit enter. Type in your admin password, hit enter. Reboot the machine, rejoice as you now get in.

I was less fortunate, as the machine was the only ne at home so I never ot to read the advice. I did archive and reinstall, it worked surprisingly well. I have done this under Windows, and lost all settings ang programs. When the 10.3 system was in, even my desktop icons were right where I left them. I did another updated and it worked swell!
For MacOS X users who customise their httpd.conf by HSpirit · 2004-12-04 12:08 · Score: 5, Informative

Two of the vulnerabilities reported attempt to modify the
/etc/httpd/httpd.conf
configuration file used by Apache 1.3.
Those MacOS X users (like me) who manually reconfigure their Apache configuration should note that the update (sensibly) will not modify a customised httpd.conf. If you fit into this category you should read the advice posted by Apple on how to manually update your httpd.conf to ensure your Apache is not serving up content which should not be available.