Slashdot Mirror


Apple Posts Security Update 2005-002

thelemmings writes "Today, Apple released Security Update 2005-002 for Mac OS X. It fixes a bug in the Java 1.4.2 implementation where an untrusted applet could gain elevated privileges and potentially execute arbitrary code. Sounds scary."

5 of 84 comments

  1. Re:Safari Popup Fix by the+pickle · · Score: 3, Interesting

    Has it fixed the IDN vulnerability yet? 10.3.8 didn't...

    p

  2. Scary? Well... by JavaRob · · Score: 4, Interesting

    This is a serious bug and an important security update, and I'm not blowing that off... but I gotta live up to my username and point out the other side of the coin.

    So what happened is one version of the JVM, on OSX, has an exploitable flaw that still leaves it less dangerous than... well, Active-X, unflawed.

    It's not as serious a problem as it looks, also. They can't install a rootkit or anything like that, just because of the way OSX is designed. Say you have a Mac, and browsed to a site hosting a malicious applet (it's not a virus, so you'd have to *go* there to be in danger, and the website creator is obviously easier to trace than a virus writer). That applet could overwrite your documents, and wreak a lot of havoc, but you're not going to get owned. The Mac will prompt you for a password before it lets any software touch the core software (even its own security update!).

    So -- yes, get the fix if you've got a mac, but it's not "scary".

  3. Re:Apple Proactive? by commodoresloat · · Score: 3, Interesting

    the first I hear of a greater majority of problems with OS X is when Apple releases an update, which suggests that maybe Apple has something beyond a simple stress-testing beta team.

    You seem surprised. That's only because so many other companies have trained us not to expect this. We would not expect less than this from other products; operating systems should be the same. Imagine if cars were sold without crash tests. Security in a commercial OS should undergo constant (and pro-active) testing by the company (you can certainly bet its enemies are doing that). The fact that we don't expect that kind of work, and are surprised when we see it, speaks volumes about the practices of the current leaders of the commercial OS industry.

  4. Re:Apple Proactive? by TheRaven64 · · Score: 3, Interesting

    Microsoft also do this. Part of the problem they have is that once a fix is released, it is relatively easy to diff the original and the fix and find the original flaw. This is why they tend to roll security updates up with other things whenever possible - so it takes more time for a black hat to find the actual security hole. The same thing happens with a lot of open source projects - particularly things like OpenBSD where all code is security audited within the project.

    --
    I am TheRaven on Soylent News

  5. Re:Scary? Well... by Anonymous Coward · · Score: 3, Interesting

    Which OS X's user accounts do nothing to prevent.

    You misspelled "allow." You also used a sentence fragment. It's a real mess. Here, let me help make your point a little more clear and accurate.

    Most malicious websites are not trying to delete your documents or "own" your machine. Their purpose is to turn your computer into a spam relay, which OS X's user accounts do not allow.


    That's much better.