Slashdot Mirror


Apple's First 2005 Mac OS X Security Update Is Out

ollie_ob writes "Security Update 2005-001 has just hit Software Update for Mac OS X users, for those running 10.3.7 and 10.2.8 in both normal and server flavours of the OS. The update includes patches for: at commands, ColorSync, libxml2, Mail, PHP, Safari and SquirrelMail. Details are here. One of these fixes -- a modification to Apple Mail so it stops broadcasting your MAC address in plain text every time you send an email -- will come as a welcome relief to those trying to keep their WEP-based wireless networks secure. Other highlights are PHP 4.3.10, and a Safari fix so that pop-up windows can't mislead users as to their apparent origin. The Mac OS X Server version of the patch also includes an update to SquirrelMail that stops browsers from executing scripted content in emails viewed(!). Interesting to note Apple's new naming scheme for the updates (last year, some updates came out dated days into the future - or past.) Also, there's a unified page for all future security updates."

3 of 91 comments

  1. Re:Did anyone else know about this? by the+pickle · · Score: 2, Insightful

    People who want to break into weakly-secured wireless networks, duh.

    Glad I haven't been using Mail. This is the first I've heard of this problem.

    Side question: how would that accidentally happen in the first place? It's not as though someone would deliberately insert code to broadcast a MAC address into a mail client...yet it seems specific enough that simply calling it a "bug", with the arbitrary nature that implies, seems a bit odd.

    p

  2. Someone else check...not the airport? by interactive_civilian · · Score: 4, Insightful
    Ummm...I just checked this out on some messages that I sent (using AirPort).

    The ethernet address WAS broadcast in the Message-ID header. However, that was the hardware ethernet MAC address, and NOT the Airport card MAC address.

    Can anyone else confirm that this is the case? If it is, then does this have anything to do with keeping WEP-based wireless networks secure?

    --
    "Empathise with stupidity, and you're halfway to thinking like an idiot." - Iain M. Banks
    1. Re:Someone else check...not the airport? by ruud · · Score: 2, Insightful

      I suppose that if you were sniffing such a network (unencrypted of course) you could easily get the hardware MAC address from an e-mail,

      It's a lot simpler than that. If you can already sniff the network in the first place, why go to all the trouble of getting the MAC address out of an email message-id when you can simply look at the ethernet header itself which contains the MAC address!?

      --
      bgphints - internet routing news, hints and ti