Slashdot Mirror
Apple Posts Security Update 2005-002
thelemmings writes "Today, Apple released Security Update 2005-002 for Mac OS X. It fixes a bug in the Java 1.4.2 implementation where an untrusted applet could gain elevated privileges and potentially execute arbitrary code. Sounds scary."
Also, it appears to contain a tweak to the Safari popup blocker, as it now seems to be blocking the new popunders that everyone has been clamoring about.
This seems like a really good thing to me...
What does Roland Piquepaille think about this?
Are you running the latest Java updates for 10.3? IIRC, it'll only show up if you've installed the Java 1.4.2 update from last year, and it won't come up on 10.2 or lower at all.
I use Macs for work, Linux for education, and Windows for cardplaying.
Valenti has said a bunch of crappy things to be sure, but not that.
It was Turner Broadcasting CEO Jamie Kellner who assured us that "there's a certain amount of tolerance for going to the bathroom".
"Understand you're having a little Jimmy Page trouble."
This is an serious bug and an important security update, and I'm not blowing that off... but I gotta live up to my username and point out the other side of the coin.
So what happened is one version of the JVM, on OSX, has an exploitable flaw that still leaves it less dangerous than... well, Active-X, unflawed.
It's not as serious a problem as it looks, also. They can't install a rootkit or anything like that, just because of the way OSX is designed. Say you have a Mac, and browsed to a site hosting a malicious applet (it's not a virus, so you'd have to *go* there to be in danger, and the website creator is obviously easier to trace than a virus writer). That applet could overwrite your documents, and wreak a lot of havoc, but you're not going to get owned. The Mac will prompt you for a password before it lets any software touch the core software (even its own security update!).
So -- yes, get the fix if you've got a mac, but it's not "scary".
I installed it, and it works just f$#!@^*NO CARRIER
(sorry for posting off topic. there didn't seem to be any other way to reach the poster) I just wanted to let you know that your homepage link is broken.
- Apple Computer......proudly going out of business for over twenty years.
I don't want to start a holy war here, but what is the deal with you Java 1.4.2 fanatics? I've been sitting here at my freelance gig in front of a Java 1.4.2 rig (a 8600/300 w/64 Megs of RAM) for about 20 minutes now while it attempts to byte-compile a 17 meg file. 20 minutes! At home, on my Pentium Pro 200 running Java 1.4.1, which by all standards should be a lot slower than this Java 1.4.2 machine, the same operation would take about 2 minutes. If that.
In addition, during this file transfer, HotJava will not work. And everything else has ground to a halt. Even my IDE is straining to keep up as I type this.
I won't bore you with the laundry list of other problems that I've encountered while working on various Java 1.4.2 machines, but suffice it to say there have been many, not the least of which is I've never seen a Java 1.4.2 system that has run faster than its Java 1.4.1 counterpart, despite Java 1.4.2's faster bytecode architecture. My 486/66 with 8 megs of ram runs faster with Java 1.4.1 than this 300 mhz machine at times. From a productivity standpoint, I don't get how people can claim that Java 1.4.2 is a superior virtual machine.
Java 1.4.2 addicts, flame me if you'd like, but I'd rather hear some intelligent reasons why anyone would choose to use a Java 1.4.2 over other faster, cheaper, more stable Java environments.
This is far more scary then ActiveX as Safari will not prompt you to run an applet, it will just run it and then your os x account is compromised. ActiveX on the other hand prompts you before it is run.
This means that someone who knows what they are doing is at more risk on OS X then on Windows.
I'm not claiming that OS X is less secure (I'm running it right now), but this is scary (relatively).
Just miss-type a URL and your compromised.
it's not a virus, so you'd have to *go* there to be in danger,
I don't think that word means what you think it means. A worm is self-replicating without needing any other assistance.
When you look at the state of the world, how can you not become a radical, liberal anarchist?
Before update:After update:I haven't rebooted yet, so I don't know what that'll change, but already, it's changed from version 1.4.2_05-141.3 to 141.4
Presumably, every 1.4.2_05-141.3 install can be updated with this, so just run to see if it should apply and Software Update just isn't seeing it.
Java(TM) 2 Runtime Environment, Standard Edition (build 1.4.2_05-141.3)
Java HotSpot(TM) Client VM (build 1.4.2-38, mixed mode)
thx
Most malicous websites don't care about deleting your documents or "owning" your machine -- they just want to turn you into a spam relay. Which OS X's user accounts do nothing to prevent.
Can someone please explain to me something? I'm not trying to be a troll, but why is overwriting my documents/home/user directory seen as something minor?
I always see people claiming that on Linux, OS X, xyz you are safe because your system can't get hurt, only your personal data. I personally care alot more about what is in my user directory than my system. If my system gets hosed I loose maybe an Sunday afternoon installing everything again, but if my user director goes im going to cry. I have several backups of what I have deemed as important data, but thats not everything, maybe half of my data. My mp3 files aren't backed up for example. Much quicker to instal an os, and the maybe 15 apps I use, than to re-rip 400+ cds.
Am I missing something?
backups. Most nerds on /. (myself included) take the time to back up their personal documents. OTOH we also spend a great deal of time tweaking our system. It would take me mayb 10 mins to restore my home directory were it to get hosed right now (due to access controls itd probably be hard for something to hose the rest of my nonbase sys data on other drives), it would probably take me a couple hours to get my system back up to my normal level of usefulness were the base system hosed right now.
Also, its a comparison thing, in (a standard install of) windows both your docs and the base system are vulnerable. in *nix only the user docs are vulnerable, your software and base system are protected.
"goodbye and hello, as always" ~Prince Corwin, from Zelazny's Amber series
Impact: Updates Java to address an issue where an untrusted applet could gain elevated privileges and potentially execute arbitrary code.
Description: A vulnerability in the Java Plug-in may allow an untrusted applet to escalate privileges, through JavaScript calling into Java code, including reading and writing files with the privileges of the user running the applet. Releases prior to Java 1.4.2 on Mac OS X are not affected by this vulnerability. Further information is available in Document ID 57591 from Sun.
"Money is a sign of poverty." - Iain Banks
Is it just me, or does it seem like Apple has a team of people working on *finding* bugs and security holes in OS X? Maybe it's just me, but the first I hear of a greater majority of problems with OS X is when Apple releases an update, which suggests that maybe Apple has something beyond a simple stress-testing beta team.
Or maybe I just need more sleep.
~UP
Eat the Path.
Actually it is impressive they could get it out so soon. Why? Testing the patch/fix of course.
This was fixed more than a month ago in Sun Java. Lame response time, Apple.
A superior implimentation of a Java-like platform was delivered long before Oak, in NeXT's Objective-C. Lame implimentation, Sun.
Does Mozilla even use Java 1.4? According to this page, you need a special plugin to even use Java 1.4.1 or later on OSX under Mozilla. It's not clear to me whether that still applies to Camino .8.2.
I don't think that's entirely fair. OpenStep / Objective-C were cross platform at a source level, but still required a recompile. Depressingly, a dynamic language such as Objective-C would actually benefit more from the kind of optimisations something like the HotPoint VM can make at runtime, so it's a real shame that Sun went the Java route instead of simply creating a bytecode interpreter for Objective-C / OpenStep (which is still a far nicer platform to develop for).
I am TheRaven on Soylent News
geez Apple, it was barely a month since your last update. Not looking so good I gotta say.
I might have to "unswitch" to Windows, they hardly have as many security fixes. It's as rock solid as a Kryptonite lock. -gko
> It's not as serious a problem as it looks, also. They can't install
> a rootkit or anything like that, just because of the way OSX is
> designed.
The problem is it leaves a hole open to execute code on your own account.
That's fine, if you're OK with that - and if that's all it allows, then that would be all there is to it.
Problem is there is currently an exploit for OSX (been out a few months now) allowing local privilege escalation to root, from code run on a local account. google for the mrouter exploit for OS X.
So combined with that open hole which STILL isn't patched - it's as scary as complete 0wnz0rship, because that's what it allowed.
Do I read Linux - huh? Do I like to look down on Apple because [...] - no, I look up to Apple from the land of the poor. Does Linux still suck cock - yes, and it feels damn good. Yes, I am a slashdot poster. And Robert's your father's brother.
You misspelled "allow." You also used a sentence fragment. It's a real mess. Here, let me help make your point a little more clear and accurate.
That's much better.
WRT your mp3s, make them so that you don't have access to write them - chmod 444 and chown root. Then chmod sticky but group-writeable your mp3 directory and chown that root as well. Same for anything you're not editing. Then a virus can't touch anything at all.
I am trolling
In a related press release, Microsoft announced security release 1998-0173, fixing problems associated with running Open Office or Word Perfect. The specific security threat would allow users to use other word processing software than MS Word. This security update will prevent these malware products from running.
Also released is Linux security (kernel) release 2.6.8. Not wanting to feel left out. This security release, when installed in place of MS Windows, will effectively block all Windows-based malware and viruses. Unless, you're one of those who are trying to get viruses to run on WINE. If you're one of those, aren't you really an MS mole trying to keep a brother down?
What those who want activist courts fear is rule by the people.
How is this "informative"?
Don't blame me; I'm never given mod points.
Objective C was invented long before NeXT existed. Hell, it was before the first Macintosh came out, when Steve Jobs would have thought you were crazy if you suggested someone could force him out of Apple so he'd found another computer company.
Don't blame me; I'm never given mod points.
I remember finding an amusing post on usenet from 1983 or 1984 discussing the possibilities of Apple adding Objective C libraries to the Macintosh. Took a while, but they did it! :D
Hopefully it works, otherwise the message IDs are: 1174@ames.UUCP, 19400003@datacube.UUCP, and 386@aurora.UUCP in reverse chronological order. The funniest being 1174@ames.UUCP
google groups.
It's a bug which was present in Sun JVMS:
e y=1-26-57591-1&searchclause=57591
http://sunsolve.sun.com/search/document.do?assetk
Fixed in J2SE 5, J2SE 1.4.2_06, and J2SE 1.3.1_14.
I agree in part. My "works" that I make are not replaceable usually. The things I store on my machine are not easy to get back, if possible at all. I also back them up but some people don't. I would very much dislike a program that removes all of that from me.
But... if my system is compromised I very well might not know it at all. Then every time I type in a password, credit card number, anything... it's logged and sent out. This worries me equally if not more.
Either way I don't want it to happen I guess... but having your identity or such taken can arguably be worse than having your grandma's recipie for chicken soup deleted.
Yes, worm (somehow I had virus/worm/trojan mixed in my head last night).
The worst risk isn't erasure or other obvious damage to *data*, but directed modification of code and configuration that *isn't* readily detected.
Windows systems are so widely vulnerable to worms because most people running Windows work all the time as a user with full administrative rights. Anything program that can get itself launched by the user can do anything it likes to the entire system without the user noticing.
Unix-based systems like MacOS X are a mixed bag, but in general people do not routinely work as 'root' but rather as less powerful users. In MacOS the administrative rights flag for an account is not the same as it is in Windows. It is not an always-on permission to do anything, it is a group membership that says the user is allowed to interactively approve administrative changes by typing his password into an approval dialog. For example, if you want to apply a system update, modify OS config, install an application in the standard world-accessible location (/Applications) , or do anything else that requires 'root' privileges, the process seeking to switch temporarily to 'root' has to go through a mediating system service that presents the request to the user (if the user is in the admin group) and requires the user to type in his password to approve the change. There remain some risks, and MANY applications install themselves in ways that open gaping holes in their own security (which can in turn compromise the system itself) but the path from 'unknown Java Applet' to 'owned box being used by Russian gangsters' even with a hole like the one Apple has taken so long to repair is not a clear one.
Even if you backed up all of your personal files daily, losing a full day's worth of work is still a Very Bad Thing that should be avoided at all costs.
Of course, it's much worse if your OS *and* your personal data are hosed, which was the point.
But my main point is that avoiding this attack vector doesn't take "all costs" -- there aren't any reports of this attack in the wild, and you'd have to actively visit a malicious site, before applying the patch, to be affected.
That's why it's nothing to shout about -- it's actively affecting (as far as we know) nobody, as opposed to buggy spyware installations that are going on constantly which are affecting quite a lot of people.
the parent post probably thinks that you can't be a spam relay without listening on port 25 - which a mac os x user account can't do.
We've secretly replaced Slashdot with new Folgers Crystals - let's see if it notices.
Techworld has hilariously biased coverage of this:
"Apple shames itself again over security: Critical hole in Mac OS X patched three months late."
And it's interesting to look at Secunia's site (Secunia being the source of a lot of recent Microsoft apologism and Apple-bashing):
Macintosh OS X issues
Windows XP Professional Issues
(Microsoft is "Vendor 1" in their database, you'll be pleased and amused to learn.)
I'm guessing Secunia likes to drum up publicity for itself by making press releases that run counter to the general wisdom, but their conclusions and announcements don't actually match their data.
E.g. on the Windows XP page, they show a pie graph that states XP Pro as having 0% (out of 67) severe issues, but then list several severe issues immediately below, one of which ("Windows Explorer / Internet Explorer Long Share Name Buffer Overflow") has not been patched (by their reckoning) in nine months. Maybe their Excel graphing skills are lacking...
The only mention of ActiveX states that Microsoft has fixed a problem whereby web pages can install arbitrary ActiveX plugins. As far as I know, it simply requires the user to click the "OK" button, which they're quite likely to do, given that they may well have to click it for legitimate reasons in the course of their daily job.
it leaves a hole open to execute code on your own account. That's fine, if you're OK with that - and if that's all it allows, then that would be all there is to it. Problem is there is currently an exploit...
You're missing the more important point -- that avoiding the problem is pretty darned easy. In fact, since this hasn't been reported in the wild, it's probably impossible to get exploited even if you wanted to. Some of this is due to the smaller user base of OSX, plus with this particular version of the JVM. But a lot of it is because the Mac user would have to actively browse to a malicious site to be affected.
So combined with that open hole which STILL isn't patched - it's as scary as complete 0wnz0rship, because that's what it allowed.
I'd say it's not as scary, because you have to account for the actual chances of it happening. Someone technically *could* break into my house and "0wnz0r" my computers with a 20 lb sledge, but I worry much more about worms or possible vulns in my router/firewall.
I googled for stats on open relays running on windows vs. linux vs. mac, etc. but couldn't find anything.
Obviously I've never tried to set up a hidden open relay on a Mac, so I don't know what would be involved. It would need to accept incoming connections (perhaps the built-in firewall stops that?), though you could use a custom configuration where it just checks an IRC channel or webpage for messages to send and delivery addresses, etc..
I don't know enough about Macs to say exactly what's possible and what's not... but I don't think it's happening now, anyway.
"Can someone please explain to me something? I'm not trying to be a troll, but why is overwriting my documents/home/user directory seen as something minor?"
Because it allows people on here to say that OSen with usernames (i.e. theirs) are inherantly more secure than OSen without usernames (i.e. Microsoft, ignoring obvious factual errors in that comparaison)
It's a nice simplification. Linux good, Windows bad. Conveniently Apple has usernames too now, which means we get support from the latte-sipping black-cloaked artists and webdesigners (very fashionable, you see) by including them in the list of "secure" operating systems. It's based on BSD, which has never had a remote bug in its 38 years of existance.
It also means that if anything bad happens to your files, people can chastise you about your lack of an hourly-backup, and spend the rest of the comment lecturing you on their own intricate backup scheme, firewall policy, or whatever.
You're such a lamer you see, storing files on your computer when you could SSH into a networked BSD box at home and store them on a battery-backed journaling deniable steganographic filesystem with a 48-character password and IDS. Of course, the person who told you that is a complete idiot who has never been in the corporate world of enterprise-class Business applications where my IIS server has to be running 24/7 and I always know there's a support telephone number and someone to sue if it goes wrong...
Were you expecting something different? Like people who start with facts and proceed logically to a conclusion?
One of the other responses (sorry, I'm too lazy to look it up right now) suggested changing file permissions to prevent the user account from overwriting your files. I would suggest something possibly more convenient in that if you know you're going to be 'wandering' the web, use a separate login id. I do this a bit on my home machine and for 80% of my web use, it works well and doesn't expose anything but a 'throw-away' account to the world. I'm sure somebody will come up with a reason that I'm a lamer (I never professed to be a hardcore geek) for doing this, but it seems that you could minimize the exposure of your personal files by not using your personal account for random browsing. For known websites that you use often, use any account. For looking up unknown info, use the web account and save what you need into a shared directory to be accessed by other accounts, if need be.
I think so, Brain; but where are we going to get a duck and a hose at this hour?
Apple usually releases stand alone updaters. Download it and install the package.
I use Macs to up my productivity, so up yours Microsoft!
You fucking mac users amaze me. Any old webpage could have r00ted your mac, and you shrug it off as not scary, yet will jump on microsoft for the tiniest bug.
None so blind...
I don't think that's entirely fair. OpenStep / Objective-C were cross platform at a source level, but still required a recompile.
.:-)
.oO( Perhaps I should have said 'cross platform compatilbilty solution' rather than 'Java-like platform'. )
True of course, and I didn't really intend for it to be anything other than humerous
Objective C was invented long before NeXT existed. Hell, it was before the first Macintosh came out, when Steve Jobs would have thought you were crazy if you suggested someone could force him out of Apple so he'd found another computer company.
;-).
To be fair, an actual working compiler wasn't released till 86, after the debut of the Macintosh, and when it was it was licensed by NeXT shortly afterward. That, and I don't think many people would have gotten the joke if I'd said StepStone
I'm not a mac user. I have too many tools and so on that are Windows-only, and my main userbase is Windows users.
I bought one for my wife, though, because she's a "normal" computer user, and I was constantly cleaning out spyware, viruses, etc. when she was sharing my PC.
She's been using the Mac for 2-3 years now and I haven't had to do a single thing except help her with application-file associations, once.
I'm not pretending this wouldn't change (to some degree at least) if Mac OS X became the #1 targetted system... but the fact remains that it *isn't*, and the greater safety is real. Open your eyes. I don't panic at every single Windows hole either -- but when the exploits are showing up in my email on a daily basic, I notice.
You had a virus! Ahh!
When you look at the state of the world, how can you not become a radical, liberal anarchist?
You had a virus! Ahh!
And worms! And... ew... trojans! Mixed in my head!
I'm all better now though. And there's, ah, no need to mention this to the wife, right?