Apple's First 2005 Mac OS X Security Update Is Out

ollie_ob writes "Security Update 2005-001 has just hit Software Update for Mac OS X users, for those running 10.3.7 and 10.2.8 in both normal and server flavours of the OS. The update includes patches for: at commands, ColorSync, libxml2, Mail, PHP, Safari and SquirrelMail. Details are here. One of these fixes -- a modification to Apple Mail so it stops broadcasting your MAC address in plain text every time you send an email - will come as a welcome relief to those trying to keep their WEP-based wireless networks secure. Other highlights are PHP 4.3.10, and a Safari fix so that pop-up windows can't mislead users as to their apparent origin. The Mac OS X Server version of the patch also includes an update to SquirrelMail that stops browsers from executing scripted content in emails viewed(!). Interesting to note Apple's new naming scheme for the updates (last year, some updates came out dated days into the future - or past.) Also, there's a unified page for all future security updates."

Installed, rebooted...

[bennomatic]

...and running fine!

And if you've got any questions about iLife '05, let me know. GarageBand's vocal effects are pretty cool, though I don't sound all that hot as a woman...

eBay slow in Safari ... fixed.

[timmytee]

It appears that the slowness many saw with eBay in Safari has been fixed. Previously, the fix was to turn off javascript - a pain. No more spinning beachballs here (just revving G5 fans ...)

Awesome! A New Troll!!!!

[thedbp]

I was getting SOOOOOO sick of that 17MB copy taking 20min. troll. Its good to see the trolls have banded together to stay relevant and on top of the new hardware Apple is releasing. I would hereby like to congratulate all trolls for propogating and expanding upon their repetoire of meaningless and ill-educated flamebait. Truly, being a Mac user wouldn't be nearly as much fun without the raging OS envy evident in these hilarious and thoroughly entertaining posts.

Bravo!

Re:Awesome! A New Troll!!!!

[Ohreally_factor]

I always kinda liked Kottke's opening words:

I don't want to start a holy war here, but what is the deal with you Mac fanatics?

Anyway, the original can be found at Kottke.org, from Nov 25, 1998 (Scroll to the bottom).

What I like about the Kottke troll is that it is so versatile. You can substitute brands and products for comedic effect. For instance:

I don't want to start a holy war here, but what is the deal with you <b>iPod</b> fanatics? I've been sitting here at my freelance gig in front of an <b>iPod Shuffle (1 GB)</b> for about 20 minutes now while it attempts to play an <b>Ogg Vorbis</b> file. 20 minutes. At home, on my <i>iRiveriGP-100</i>, which by all standards should be a lot slower than this iPod, the same operation would take about 2 minutes. If that.

Hilarity ensues.

Re:Did anyone else know about this?

[the+pickle]

People who want to break into weakly-secured wireless networks, duh.

Glad I haven't been using Mail. This is the first I've heard of this problem.

Side question: how would that accidentally happen in the first place? It's not as though someone would deliberately insert code to broadcast a MAC address into a mail client...yet it seems specific enough that simply calling it a "bug", with the arbitrary nature that implies, seems a bit odd.

p

Someone else check...not the airport?

[interactive_civilian]

Ummm...I just checked this out on some messages that I sent (using AirPort).

The ethernet address WAS broadcast in the Message-ID header. However, that was the hardware ethernet MAC address, and NOT the Airport card MAC address.

Can anyone else confirm that this is the case? If it is, then does this have anything with keeping WEP-based wireless networks secure?

Re:Someone else check...not the airport?

[geoffspear]

No, it has nothing to do with keeping anything secure. They use the machine's MAC address because it was a good way to generate unique message IDs, but it has nothing at all to do with the network the message was sent over.

They will continue to use the builtin ethernet MAC address to generate IDs, but now they're sticking some random junk on the end and putting them through a hash function first, so the receiver of your message can't get your MAC address from it.

Re:Someone else check...not the airport?

[ruud]

I suppose that if you were sniffing such a network (unencryted of course) you could easily get the hardware MAC address from an e-mail,

It's a lot simpler than that. If you can already sniff the network in the first place, why go to all the trouble of getting the MAC address out of an email message-id when you can simply look at the ethernet header itself which contains the MAC address!?

oh, and don't forget the local root exploit

[OmniVector]

see for yourself: http://otierney.net/files/root-osx.c. Basically exploits an suid bug in an iSync app. you can fix this local exploit by running:

chmod a-x /System/Library/SyncServices/SymbianConduit.bundle /Contents/Resources/mRouter

from the console

Re:oh, and don't forget the local root exploit

[nemo_felinemenace]

Hi, Just wondering if there's a reason you're posting my code on slashdot with the comments stripped? (code seen here: http://www.k-otik.com/exploits/20050123.fm-iSink.c .php) Regards nemo@felinemenace.org

Re:Did anyone else know about this?

[Piquan]

It's not as though someone would deliberately insert code to broadcast a MAC address into a mail client.

No, not specifically. Here's the scoop.

Each email is supposed to have a unique Message-Id header. Other than logging and tracing, this is so that, when it's referenced by other emails via the In-Reply-To: and References: headers, the mail reader can properly thread the emails.

Second, there's a common unique ID format called the UUID. This is a 128-bit value that is unique across space and time until AD 3400. If you've looked at CLSIDs in Windows RegEdit, then you've seen UUIDs. (Windows calls them GUIDs.) They're also used in a lot of RPC-type protocols, in Mozilla plugins, and other places. One common way to generate a UUID incorporates the computer's MAC address as the last 48 bits, so that no two computers will generate the same UUID (assuming the MACs were properly registered), along with the clock time.

Since UUIDs are an easily-generated random number (lots of library routines to generate them, as well as the OS X uuidgen tool), that's what Mail used for its Message-Ids.

Later versions of the UUID spec

Re:Did anyone else know about this?

[Guy+Harris]

Not a bug a feature... to generate message Ids that are traceable back to originating machine...

Not a feature an idea that perhaps seemed OK at the time... to generate unique message IDs based on an existing type of unique identifier that happened, in the original format defined for it, to use an IEEE 802 MAC address, presumably because those are intended to be unique to a piece of hardware, so the rest of the UUID merely has to be a value that will never be used again on a system where that MAC address is used to generate UUIDs.

The current Internet-Draft for a URN namespace for UUIDs mentions another scheme to generate UUIDs in that format that don't use a hardware MAC address but that won't collide with UUIDs generated from MAC addresses for hardware (by turning on the bit that would be the multicast bit in an 802 MAC address).

Repair permissions after install

[Ilgaz]

I am not totally sure but I launched dist utility after installing this update, log window flooded with wrong users, permissions. Especially files updated by this install.

Go to Applications/Utilities (Apple+U in finder window) and launch disk utility, click repair permissions.

In fact, its a good idea to do it once in a while.

Re:Repair permissions after install

[AddressException]

Isn't that Command-Shift-U for Utilities?

MAC becoming the computer equivalent of SSN

[wowbagger]

The Media Access Controller address is becoming the computing equivalent of the US Social Security Number - (ab)used for things for which it was never intended and is inappropriate.

First of all, a MAC address does not uniquely identify a computer - it uniquely identifies a network interface. I have several computers which have more than one Ethernet controller in them, and so they have several MAC addresses associated with them.

Secondly, since almost ALL modern cards allow the MAC address to be changed by software, there is no guarantee that the MAC address is unique.

These two items alone should be sufficient to convince people that using the MAC address as anything other than the physical layer address of a specific Ethernet card is a BAD IDEA.

If you want to generate a unique identifier for a message, use something else - use /dev/random (or your OS's equivalent service) or some other method.

Re:MAC becoming the computer equivalent of SSN

[wowbagger]

Actually, having written several Ethernet drivers for standard chipsets for use within embedded systems, I can say you are incorrect - the MAC address is a set of registers on the card which are programmed by the card driver. Usually, the driver just reads the MAC from a EEPROM attached to the chip, but there is nothing preventing the driver from assigning whatever values to the card it wishes, ignoring the EEPROM.

So MAC is not guaranteed to be unique among computers - in fact many consumer broadband routers will allow you to set the MAC of the router's WAN port to be identical to the MAC of your PC, if your ISP does MAC filtering (and this simply points out the futility of MAC filtering).

Re:Did anyone else know about this?

[larkost]

a) WDS is the common name used for wireless-to-wireless bridging, but it is not actually a ratified standard, it has not even been proposed. It came out of the discussions leading up to WiFi but was deliberately excluded from the standard. Therefore "WDS" can include anything the vendor wants to put under that marketing term, and there is no guarantee (or even reasonable expectation) of interoperability.

b) Apple's implementation for example does work with WPA. Other vendors devices will have different results because WDS ? WDS if you mix vendors.

how to secure your WEP network.

[anothy]

One of these fixes... ...will come as a welcome relief to those trying to keep their WEP-based wireless networks secure.

unless said fix has to do with fixing something broken in WPA, this is silly. WEP is insecure. record break-in times to WiFi networks "secured" using WEP is well under half an hour; stock tools can do it in several hours to a day. WPA is hardly iron-clad, but it's orders of magnitude better than the fatally flawed WEP. one should not rely on WEP for security of any kind.

Re:how to secure your WEP network.

[Yaztromo]

WEP is insecure. record break-in times to WiFi networks "secured" using WEP is well under half an hour; stock tools can do it in several hours to a day. WPA is hardly iron-clad, but it's orders of magnitude better than the fatally flawed WEP. one should not rely on WEP for security of any kind.

That's good advice -- but not always practical.

First off, WEP is still better than absolutely nothing. It does prevent the uneducated and unexperienced from snooping in on you -- they have to have a bit of knowledge and put in some effort to see what you're doing.

The big problem with WPA is that not all wireless devices support it. I'm in a nasty catch-22 at the moment on my WiFi network in that I've been contracted to do some development with and against a Palm Tungsten C, which is WiFi enabled, but which has absolutely no WPA support. My base station and other portables support WPA just fine, but I'm stuck with WEP because one device manufacturer for a device I absolutely need has decided not to bother with WPA support.

If I had extra money just laying around with nothing much to do, I'd consider buying another base station to be hooked into my network (heavily firewalled off from the rest of my network) to provide only WEP access, and switch everything else back to WPA. But unfortunately I'm stuck with what I have at the moment, and have to rely on SSH and other encrypted protocols as much as possible to ensure my networks security, as WEP alone, while better than absolutely nothing, isn't enough.

Before I go, an open rant: Palm, take your head out of the sand and realize that we T|C users need WPA protection, just like everyone else.

Yaz.

Re:new mac user needs help

[TheRaven64]

Others have pointed out that there is a GUI for this, which is easy to use. There is also a command-line way of doing the same thing:

$ sudo softwareupdate -i -a

This will install any available software updates (see man softwareupdate for more options). This has the advantage that it can be done remotely, and doesn't bug you to restart as much (it just tells you that you need to).