Apple's First 2005 Mac OS X Security Update Is Out

ollie_ob writes "Security Update 2005-001 has just hit Software Update for Mac OS X users, for those running 10.3.7 and 10.2.8 in both normal and server flavours of the OS. The update includes patches for: at commands, ColorSync, libxml2, Mail, PHP, Safari and SquirrelMail. Details are here. One of these fixes -- a modification to Apple Mail so it stops broadcasting your MAC address in plain text every time you send an email - will come as a welcome relief to those trying to keep their WEP-based wireless networks secure. Other highlights are PHP 4.3.10, and a Safari fix so that pop-up windows can't mislead users as to their apparent origin. The Mac OS X Server version of the patch also includes an update to SquirrelMail that stops browsers from executing scripted content in emails viewed(!). Interesting to note Apple's new naming scheme for the updates (last year, some updates came out dated days into the future - or past.) Also, there's a unified page for all future security updates."

eBay slow in Safari ... fixed.

[timmytee]

It appears that the slowness many saw with eBay in Safari has been fixed. Previously, the fix was to turn off javascript - a pain. No more spinning beachballs here (just revving G5 fans ...)

Awesome! A New Troll!!!!

[thedbp]

I was getting SOOOOOO sick of that 17MB copy taking 20min. troll. Its good to see the trolls have banded together to stay relevant and on top of the new hardware Apple is releasing. I would hereby like to congratulate all trolls for propogating and expanding upon their repetoire of meaningless and ill-educated flamebait. Truly, being a Mac user wouldn't be nearly as much fun without the raging OS envy evident in these hilarious and thoroughly entertaining posts.

Bravo!

Someone else check...not the airport?

[interactive_civilian]

Ummm...I just checked this out on some messages that I sent (using AirPort).

The ethernet address WAS broadcast in the Message-ID header. However, that was the hardware ethernet MAC address, and NOT the Airport card MAC address.

Can anyone else confirm that this is the case? If it is, then does this have anything with keeping WEP-based wireless networks secure?

Re:Someone else check...not the airport?

[geoffspear]

No, it has nothing to do with keeping anything secure. They use the machine's MAC address because it was a good way to generate unique message IDs, but it has nothing at all to do with the network the message was sent over.

They will continue to use the builtin ethernet MAC address to generate IDs, but now they're sticking some random junk on the end and putting them through a hash function first, so the receiver of your message can't get your MAC address from it.

oh, and don't forget the local root exploit

[OmniVector]

see for yourself: http://otierney.net/files/root-osx.c. Basically exploits an suid bug in an iSync app. you can fix this local exploit by running:

chmod a-x /System/Library/SyncServices/SymbianConduit.bundle /Contents/Resources/mRouter

from the console

Re:oh, and don't forget the local root exploit

[nemo_felinemenace]

Hi, Just wondering if there's a reason you're posting my code on slashdot with the comments stripped? (code seen here: http://www.k-otik.com/exploits/20050123.fm-iSink.c .php) Regards nemo@felinemenace.org

Re:Did anyone else know about this?

[Piquan]

It's not as though someone would deliberately insert code to broadcast a MAC address into a mail client.

No, not specifically. Here's the scoop.

Each email is supposed to have a unique Message-Id header. Other than logging and tracing, this is so that, when it's referenced by other emails via the In-Reply-To: and References: headers, the mail reader can properly thread the emails.

Second, there's a common unique ID format called the UUID. This is a 128-bit value that is unique across space and time until AD 3400. If you've looked at CLSIDs in Windows RegEdit, then you've seen UUIDs. (Windows calls them GUIDs.) They're also used in a lot of RPC-type protocols, in Mozilla plugins, and other places. One common way to generate a UUID incorporates the computer's MAC address as the last 48 bits, so that no two computers will generate the same UUID (assuming the MACs were properly registered), along with the clock time.

Since UUIDs are an easily-generated random number (lots of library routines to generate them, as well as the OS X uuidgen tool), that's what Mail used for its Message-Ids.

Later versions of the UUID spec

Re:Did anyone else know about this?

[Guy+Harris]

Not a bug a feature... to generate message Ids that are traceable back to originating machine...

Not a feature an idea that perhaps seemed OK at the time... to generate unique message IDs based on an existing type of unique identifier that happened, in the original format defined for it, to use an IEEE 802 MAC address, presumably because those are intended to be unique to a piece of hardware, so the rest of the UUID merely has to be a value that will never be used again on a system where that MAC address is used to generate UUIDs.

The current Internet-Draft for a URN namespace for UUIDs mentions another scheme to generate UUIDs in that format that don't use a hardware MAC address but that won't collide with UUIDs generated from MAC addresses for hardware (by turning on the bit that would be the multicast bit in an 802 MAC address).

Re:how to secure your WEP network.

[Yaztromo]

WEP is insecure. record break-in times to WiFi networks "secured" using WEP is well under half an hour; stock tools can do it in several hours to a day. WPA is hardly iron-clad, but it's orders of magnitude better than the fatally flawed WEP. one should not rely on WEP for security of any kind.

That's good advice -- but not always practical.

First off, WEP is still better than absolutely nothing. It does prevent the uneducated and unexperienced from snooping in on you -- they have to have a bit of knowledge and put in some effort to see what you're doing.

The big problem with WPA is that not all wireless devices support it. I'm in a nasty catch-22 at the moment on my WiFi network in that I've been contracted to do some development with and against a Palm Tungsten C, which is WiFi enabled, but which has absolutely no WPA support. My base station and other portables support WPA just fine, but I'm stuck with WEP because one device manufacturer for a device I absolutely need has decided not to bother with WPA support.

If I had extra money just laying around with nothing much to do, I'd consider buying another base station to be hooked into my network (heavily firewalled off from the rest of my network) to provide only WEP access, and switch everything else back to WPA. But unfortunately I'm stuck with what I have at the moment, and have to rely on SSH and other encrypted protocols as much as possible to ensure my networks security, as WEP alone, while better than absolutely nothing, isn't enough.

Before I go, an open rant: Palm, take your head out of the sand and realize that we T|C users need WPA protection, just like everyone else.

Yaz.

Re:Repair permissions after install

[AddressException]

Isn't that Command-Shift-U for Utilities?

Re:new mac user needs help

[TheRaven64]

Others have pointed out that there is a GUI for this, which is easy to use. There is also a command-line way of doing the same thing:

$ sudo softwareupdate -i -a

This will install any available software updates (see man softwareupdate for more options). This has the advantage that it can be done remotely, and doesn't bug you to restart as much (it just tells you that you need to).