Apple Releases Mac OS X Patches
phoric writes "According to eWeek, Apple has released security patches to fix 16 'highly critical' holes, one-third of which deal with the open-source Apache web server. Several of the fixes address exploits such as the bypassing of security restrictions, spoofing, and potential DoS attacks."
Yep: Virtual PC.
A programmer is a machine for converting coffee into code.
Apple has not described these as "highly critical" to my knowledge.
That label has been applied by Secunia, the Danish security company that has, in the past, gotten press for indicating that Windows is secure and OS X isn't, no matter what tests might show.
The browser fixes are potentially significant, but the bulk of the others involve services that aren't even on by default, or things that most users wouldn't deal with.
Sky falling, next 10 miles.
Village idiot in some extremely smart villages.
No, it has nothing to do with Slashcode. That exploit works regardless of what scripts you're running, and it also works to access files that are otherwise restricted. There are two reasons it's OS X's fault:
First, Apple provides the faulty default Apache configuration that doesn't secure against this attack. No web admin should have to know intricate details of the operating system's file system to think up every single possible exploit that could come about due to idiosyncrasies in that particular system.
Two, they put in that nonstandard behavior in the first place. This is the kind of thing that gets Slashdot up in arms about Microsoft all the time. We feel all smug that OUR systems don't have all these extra features with no thoughts to security. Well, Apple added an extra feature for HFS+ to access a file's data and resource forks through ..namedfork/data and ..namedfork/rsrc. No other system does this, and Apache certainly shouldn't have to have special code to check for it. The burden falls on Apple to make sure that their supplied tools and configurations take care of any possible security risks due to features such as this.
It's not surprising that it took someone this long to discover the hole, and it's been there all along. How many other applications might be out there that restrict access to files based on name, but would be fooled by using the ..namedfork/data extension? I wouldn't be surprised if there are more out there. Since this isn't a standard Unix/POSIX behavior, the burden falls squarely on Apple.
I really hope that everyone running an OS X web server runs this update quickly. Otherwise attackers will be able to read their scripts and other sensitive data - which they thought was blocked - and scrutinize it for bigger holes to truly exploit the systems. Yikes.
More info here.
Two of the vulnerabilities reported attempt to modify the configuration file used by Apache 1.3. Those MacOS X users (like me) who manually reconfigure their Apache configuration should note that the update (sensibly) will not modify a customised httpd.conf. If you fit into this category you should read the advice posted by Apple on how to manually update your httpd.conf to ensure your Apache is not serving up content which should not be available.
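As an added illustration of the two points raised above (a name-based Apache restriction that the ..namedfork/data spelling slips past, and the deny rule an administrator with a customised httpd.conf has to add by hand), the following Python models both checks. It is example code written for this page, not Apple's httpd.conf, Apache's source, or anything from the posters. The deny policy, the sample request paths and the hfs_resolve() model of how 10.3's HFS+ maps "<file>/..namedfork/data" and "<file>/..namedfork/rsrc" to a file's two forks are constructed for the example, and the regex in namedfork_rule_denies() is the assumed shape of a pattern-based deny, not a quote from Apple's advice.

```python
import posixpath
import re

# Constructed name-based policy in the spirit of Apache <Files>/<FilesMatch>
# directives (hypothetical, not the httpd.conf Apple ships).
DENIED_BASENAMES = {".htaccess", ".htpasswd"}
DENIED_SUFFIXES = (".php", ".pl", ".cgi")

# A request path that reaches into an HFS+ named fork anywhere along the way.
# This is the shape of a pattern-based deny an administrator adds to httpd.conf
# (assumed form, not quoted from Apple's advisory).
NAMEDFORK_RE = re.compile(r"(^|/)\.\.namedfork(/|$)")


def name_rule_allows(path):
    """The access policy itself: decided purely on the final path component."""
    base = posixpath.basename(path)
    if base in DENIED_BASENAMES:
        return False
    return not base.lower().endswith(DENIED_SUFFIXES)


def naive_is_allowed(url_path):
    """Weak check: applies the name rule to the path exactly as requested."""
    return name_rule_allows(url_path)


def hfs_resolve(url_path):
    """Model of what HFS+ on Mac OS X 10.3 opens for a path (constructed from the
    thread's description): '<file>/..namedfork/data' is <file>'s data fork and
    '<file>/..namedfork/rsrc' its resource fork; anything else is the path itself."""
    parts = url_path.split("/")
    if len(parts) >= 3 and parts[-2] == "..namedfork" and parts[-1] in ("data", "rsrc"):
        return "/".join(parts[:-2]), parts[-1]
    return url_path, "data"


def namedfork_rule_denies(url_path):
    """The blanket httpd.conf-style mitigation: refuse any named-fork spelling."""
    return NAMEDFORK_RE.search(url_path) is not None


def hardened_is_allowed(url_path):
    """Apply the name rule to the object the filesystem will actually open, not to
    the spelling the client chose, and never serve a resource fork at all."""
    real, fork = hfs_resolve(posixpath.normpath(url_path))
    if not real or fork != "data":
        return False
    return name_rule_allows(real)


# Constructed requests: what a client could try against a server whose policy
# hides scripts and .htpasswd by name.
SAMPLE_REQUESTS = [
    "/index.html",
    "/cgi-bin/admin.php",
    "/cgi-bin/admin.php/..namedfork/data",
    "/.htpasswd/..namedfork/data",
    "/index.html/..namedfork/rsrc",
]


def compare(requests=SAMPLE_REQUESTS):
    """Return {request: (naive verdict, hardened verdict)} for each sample."""
    return {r: (naive_is_allowed(r), hardened_is_allowed(r)) for r in requests}


if __name__ == "__main__":
    for req, (naive, hard) in compare().items():
        n = "allow" if naive else "deny"
        h = "allow" if hard else "deny"
        print(f"{req:40} naive={n:5} hardened={h}")
```

Running it shows the naive check letting "/cgi-bin/admin.php/..namedfork/data" and "/.htpasswd/..namedfork/data" through, because the basename it inspects is "data", while the hardened check denies both and also refuses the resource fork of an otherwise public file. The general lesson is the one the thread draws: a policy keyed on a name must be evaluated against the canonical object the filesystem will open, and any platform-specific alias syntax the server does not understand should be refused outright.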