Apple Releases Mac OS X 10.3.9 Update

OmniVector writes "Right after the Mac OS X 10.4 Tiger announcement just a few days ago, Apple has released an update to version 10.3.9 for Mac OS X and Mac OS X Server (both available via Software Update). The changes mostly include bugfixes with Stickies, Safari, and the Finder." The Server update also addresses issues with Open Directory, cyrus, AFP, and SMB, among others. Apple also updated iMovie, iPhoto, iDVD, and iSight this week.

Undocumented bug fix

[objekt]

Now my Mac doesn't lock up when I choose the "Restart..."/"Shut Down..." and then sleep the screen during the optional 2-minute wait period.

Re:Undocumented bug fix

[FaasNat]

Okay, I'm not sure why you'd be wanting to put the computer to sleep after you've selected restart or shut down. So are you now expecting the behavior to be when you wake the computer up, it'll continue with the two minute countdown to restart/shut down? Jus' wonderin'.......

Re:Undocumented bug fix

[objekt]

I expect it to shut down or restart, which ever I chose, not to lock up. Sleeping the screen is something I do a lot. With a mouse in hand I might want to sleep it and walk away knowing that no one will be able to stop the shutdown sequence without knowing my password (to unlock the screen saver). Sure, hitting the return/enter key or clicking the little "shut down" button might seem the better choice. Sleeping the screen is more of a reflex action for me and it should work without incident--it now does. I'm happy.

Re:Undocumented bug fix

Unfortunately the macs are still vulnerable to a local root exploit published over six months ago.

I wonder when they're going to bother fixing little things like root privilege escalations. After they finish polishing those Aqua buttons a little more?

Re:Undocumented bug fix

Macs are for single user desktops. Nobody cares about local root exploits.

Safari 1.3

[OmniVector]

wow i'm a dumbass, and completely left out something really important! Safari 1.3 came out with this update. and consequently seems to have caused problems with some of my Adium themes and Colloquy no longer even renders. Also, one of my Safari plugins caused safari to crash on launch. (AcidSearch it appears).

lastly, folks, beware of the warning on apple's front page with this update if you're running mac os x server! You must have an administrator account password that does not contain spaces or Option-keyed characters to install this update.

Re:Safari 1.3

Wonder why that is? Doesn't OS X have full support for Unicode? Or are they using some chincy shell script again? (memories of the iTunes update that deleted your hard drive.)

Re:Safari 1.3

[Hes+Nikke]

my guess is that it has something to do with the upgrade to directory services.... as far as what... you'll have to ask apple (in the process of installing the server update remotely)

Re:Safari 1.3

Hi, that's pretty cool. 1.3. Do you know how I can block flash in Safari, by the way? A slashdot flash ad just made a bunch of noise and startled me right now.

Re:Safari 1.3

[Matthias+Wiesmann]

Information about the changes in Safari 1.3 can be found on on David Hyatt's blog.

Re:Safari 1.3

[qengho]

block flash in Safari

A nifty ad-blocker called PithHelmet will do this, either globally or by site (set preferences to disable plugins). Unfortunately it broke in 1.3, but the developer is working on a fix.

Man, I hate the Internet without ad-blocking...

Re:Safari 1.3

[theWrkncacnter]

Yeah, you can turn off java in the preferences.

Re:Safari 1.3

Safari 1.3 came out with this update. and consequently seems to have caused problems with some of my Adium themes and Colloquy no longer even renders.

They changed the keyboard shortcut to change tabs too. The previous command-shift-arrows has been replaced with command-{/}. Not a joy for example people using the Finnish layout, as it has become now command-shift-alt-8/9. Cannot switch tabs anymore with one hand via keyboard, and you fellow slashdotters should know how bad that is!

Re:Safari 1.3

[zhiwenchong]

Also I found a problem with Sogudi. Whenever I tried to type a URL without a www, ie. "apple.com", the spinning beachball of death pops up.

I removed Sogudi, and everything works again. And yes, I finally noticed the speed improvement.

Re:Safari 1.3

[macmurph]

One handed tab changing using command-shift-arrow is very awkward and impractical on my titanium powerbook... the new shortcut will be better for English layout powerbook users.

Re:Safari 1.3

[zhiwenchong]

And jipes... google maps's sidebar got messed up by this update.

Re:Safari 1.3

[M.+Baranczak]

seems to have caused problems with some of my Adium themes

Care to elaborate? Some of Adium's themes had problems before this update. Are you sure these are new problems?

Re:Safari 1.3

Not Java, plug-ins.

Re:Safari 1.3

[tcoady]

Same here. But AcidSearch 0.4 fixes include "Support for Safari 1.3 added".

More info here http://www.pozytron.com/acidsearch/

Re:Safari 1.3

[madhok]

After updating, I had the problem with AcidSearch, removed it, problem with Java, reinstalled Safari (1.2), problem persisted, search in support groups, installed Security Update 2, old version of Safari, resintalled 10.3.9 (Combo), problem with "localized string not found", search in support groups, open Combo updater 10.3.9 package, installed English.lproj, problem persisted... Is this the quality control we expect from Apple? I am a recent switcher and I have to say that the image I got is not the best. I was thinking to update to Tiger, but now...

Re:Safari 1.3

Before you turn off Flash, you should try this little puzzle. Very neat, and awesome use of subtle sounds. But yeah, other than that, Flash pretty much sucks. :/

Re:Safari 1.3

[uRigoe]

yeah, I've noticed that occurrence too... it's great, now on my slow 12" I can scroll smoothly with other apps chugging away! Vv0o7!

Vindicated, yes!

[hrbrmstr]

I've been bug reporting and complaining about the SSL performance in Safari for almost two years. Folks here and on other Mac forums have dismissed me as some type of loon (they are more right than I'd like to admit most of the time). Apple finally does something about it (though, we'll see if it really helps...I'm installing it now).

It's nice to be right...

Re:Vindicated, yes!

[Maserati]

I work in one of the most pro-Apple commercial shops in North America. We're stuck recommending Firefox for an HR section of the Intranet because the SSL support in Safari is so damn slow. Fixing that before we have to roll Tiger out will be nice.

I still need to double check that we've got a current Firefox on the standard build.

Re:Vindicated, yes!

Whereas, slashdot trolls get all the ladies.

Trackpad

[BigZaphod]

It seems as if this update fixed the sensitivity problems with my PowerBook trackpad. I have a 1.67Ghz PB with the new trackpad that supports the vertical/horizontal scrolling stuff and it has always been far less sensitive than my old PB -- until I rebooted after this update. Cool!

Although the Safari upgrade re-added Apple, Amazon, eBay, etc. links to my bookmark bar. That was sort of annoying, but easy enough to fix.

Re:Trackpad

[poopdeville]

Although the Safari upgrade re-added Apple, Amazon, eBay, etc. links to my bookmark bar. That was sort of annoying, but easy enough to fix.

That's because Software Update downloaded a fresh copy of Safari for you. Your "personal" bookmarks are stored in your ~/Library/ directory somewhere, whereas the stock ones are in the application bundle.

Hopefully not like the last 10.2 update...

[andrewski]

The last update to 10.2 made it far slower and buggier, and in my somewhat paranoid mind they 'broke' 10.2 so one would be more motivated to buy 10.3.

Does this update break 10.3 so I will be encouraged to get 10.4?

Re:Hopefully not like the last 10.2 update...

You are about to get attacked by rabid Mac zealots who insist that Apple does not charge for bugfixes. But I had the same experience -- kernel panics and finder lockups all the time with 10.2 SMB. Fortunately I do not pay for MacOS upgrades.

Re:Hopefully not like the last 10.2 update...

[sedna]

You are right that the last 10.2.* update was kind of a fiasco. Even if consipiarion theories allways are fun, I would believe the reason for this being that basically all beta-testers were using the new version. Hopefully this is not the case now...

Re:Hopefully not like the last 10.2 update...

[dmarcoot]

conspiracy theories such as this are just plain stupid. In Apple's history, having buggy systems never has contributed to people buying "fixed" system updates. Quite the contrary, system 7.5 and 7.5 probably lost apple more market share than any thing else in their history.

Apple is in a fragile enough place without purposely sending out bad software under the impression they will encourage software sales. they are just as likely to lose people who go to windows under that strategy and would suggest marketing people are telling engineers to make thing go bad. sounds implausible at best given that lead on OS X has was guy who developed Next and Steve Jobs in infamous for demanding things work the first time.

Apple as small market, is under more pressure to makes things work well because they dont have the crutch of a monopoly to hold them up until they fix their shit. one of reasons most apple users are repeat customers.

the more likely answer, they fucked up, makes a lot more sense.

but because apple sells updates, rabid Linux zealots see conspiracy in anything they do.

Re:Hopefully not like the last 10.2 update...

FWIW, I don't think it's a conspiracy theory, but I do think that Apple QA was working on the latest and greatest and not the backlevel patches. Plus Apple's small and loyal market actually makes forced upgrades easier, not harder.

How many times have I read "Apple does not charge for patches ... That's fixed in $latest_version, so you can't flame Apple." in the same damn Mac forum. Mac user => upgrade treadmill, it's a fact.

Re:Hopefully not like the last 10.2 update...

[demondawn]

Troll much? Geez...

Re:Hopefully not like the last 10.2 update...

[andrewski]

1. I am not a rabid Linux zealot.

2. Apple's final update to 10.2 made it kind of suck.

Are you saying it works great? I found that the previous update was much more reliable. I am not implying a conspiracy, but it isn't completely, totally impossible.

Wow!

[numbski]

Everything feels peppier and more responsive! Doesn't take 15 minutes to copy a 20MB file anymore either.

Haven't even run the update yet either. ;)

Re:Wow!

[BeerCat]

Come on, if you're going to quote a joke, at least get the punchline right! It's "20 minutes to copy a 17Mb file"

Mainly bugfixes? You should do PR for microsoft:)

[dfelznic]

There are definitely some bugfixes for stickies and the like. But there are also some important security fixes in the bag. That is a lot of CAN entries for a update that is "mostly bugfixes."

For whatever reason apple felt icky about calling it an "update," so they threw in this language:

"Note: It is Apple's standard practice to provide security fixes via a Security Update. On occasion, when a security fix is required to a core system component such as the Kernel, it will be released in a Software Update."

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

APPLE-SA-2005-04-15 Mac OS X v10.3.9

Mac OS X v10.3.9 and Mac OS X Server v10.3.9 are now available and deliver the following security enhancements:

Kernel
CVE ID: CAN-2005-0969
Impact: A kernel input validation issue can lead to a local denial of service
Description: The Kernel contains syscall emulation functionality that was never used in Mac OS X. Insufficient validation of an input parameter list could result in a heap overflow and a local denial of service through a kernel panic. The issue is addressed by removing the syscall emulation functionality. Credit to Dino Dai Zovi for reporting this issue.

Kernel
CVE ID: CAN-2005-0970
Impact: Permitting SUID/SGID scripts to be installed could lead to privilege escalation. Description: Mac OS X inherited the ability to run SUID/SGID scripts from FreeBSD. Apple does not distribute any SUID/SGID scripts, but the system would allow them to be installed or created. This update removes the ability of Mac OS X to run SUID/SGID scripts. Credit to Bruce Murphy of rattus.net and Justin Walker for reporting this issue.

Kernel
CVE ID: CAN-2005-0971
CERT: VU#212190
Impact: A Kernel stack overflow in the semop() system call could lead to a local privilege escalation.
Description: The incorrect handling of system call arguments could be used to obtain elevated privileges. This update includes a fix to check access to the kernel object.

Kernel
CVE ID: CAN-2005-0972
CERT: VU#185702
Impact: An integer overflow in the searchfs() system call could allow an unprivileged local user to execute arbitrary code with elevated privileges
Description: The searchfs() system call contains an integer overflow vulnerability that could allow an unprivileged local user to execute arbitrary code with elevated privileges. This update adds input validation on the parameters passed to searchfs() to correct the issue.

Kernel
CVE ID: CAN-2005-0973
Impact: Local system users can cause a system resource starvation
Description: A vulnerability in the handling of values passed to the setsockopt() call could allow unprivileged local users to exhaust available memory. Credit to Robert Stump for reporting this issue.

Kernel
CVE ID: CAN-2005-0974
CERT: VU#713614
Impact: Local system users can cause a local denial of service
Description: A vulnerability in the nfs_mount() call due to insufficient checks on input values could allow unprivileged local users to create a denial of service via a kernel panic.

Kernel
CVE ID: CAN-2005-0975
Impact: Local system users can cause a temporary interruption of system operation
Description: A vulnerability in the parsing of certain executable files could allow unprivileged local users to temporarily suspend system operations. Credit to Neil Archibald for reporting this issue.

Safari
CVE ID: CAN-2005-0976
Impact: Remote sites could cause html and javascript to run in the local domain.
Description: This update closes a vulnerability that allowed remote websites to load javascript to execute in the local domain. Credit to David Remahl for reporting this issue.

Note: It is Apple's standard practice to provide security fixes via a Security Update. On occasion, when a security fix is required to a core system component such as the Kernel, it will be released in a Software Update.

Mac OS X v10.3.9 and Mac OS X Server v10.3.9 may be obtained from the Software Update pane in System Preferences, or Apple's Software Downloads web site:

No problems with the install...

[BobWeiner]

...installed fine on both the single proc. G5 at work and the dual G5 I have at home. Subjectively, it feels faster in the Finder, as well as Safari.

Bring on Tiger!

No issues on my PowerBook

[jht]

Installed it tonight on my 15" PowerBook (1.5 GHz), and all is fine. PithHelmet is disabled by the long-awaited Safari 1.3 update, for those of you who count on it, but the developer's site says he's already finishing up a fix for it. It's nice to finally see 1.3, even if it's only a couple more weeks until Tiger and 2.0.

I haven't really noticed any other changes so far - my mileage hasn't magically improved, it's not Snappier (tm), and I haven't gotten a whiter, brighter smile from it. But it's good to see that they've gotten Panther into a fairly solid state, since this will probably be the final release other than security patches from here on in with this codebase.

Re:No issues on my PowerBook

[modapi]

Safari 1.3 tabbed browsing doesn't work anymore -- even after I trashed the safari .plist file and then took the safari folder out. It worked ok with a new user, though, so I must have some kind of special condition. It also broke SafariSorter. I've got an 867 mhz 12" pbook.

Re:No issues on my PowerBook

[Moofie]

For what it's worth, it still works great for me. Bummer for you, mate. : /

Re:No issues on my PowerBook

[scribblez]

I'm thinking that there may be another reason. I just tested my tabbed browsing and it's doing okay.

repair permissions seems to be the generic answer

Re:No issues on my PowerBook

[mr100percent]

Try Repairing Permissions on your volume and rebooting. Did you install any 3rd party apps like ICeCoffEE or PithHelmet or AcidSearch? They all released updates to fix bugs.

OT: Trackpad in Firefox

Does anyone have a problem with the trackpad in Firefox? On my girlfriend's 12" Powerbook, Firefox goes "Back" when trying to use the trackpad to scroll (no keys pressed).

Re:OT: Trackpad in Firefox

[steeviant]

It's actually an issue with firefox interpreting inadvertent horizontal scrolling (easy to do with iscroll2 or the new [USB] trackpads) as back/forward requests. Here's how to fix this intentionally broken behaviour...

From macosxhints.com:
In Firefox, type about:config into the address bar and hit return. This gives you a list of all possible configuration options. The ones we want are those that start with mousewheel.horizscroll.withnokey. Make the following changes by double-clicking the appropriate option in the list:

* mousewheel.horizscroll.withnokey.action => 0
* mousewheel.horizscroll.withnokey.sysnumlines => true

Re:OT: Trackpad in Firefox

Firefox & Mozilla has problems for their OS X versions... when you set the scroll to "system default" it usually scrolls about three times the speed of system default, and also behaviours of scroll wheel with modifiers don't apply nomatter what you set it to in preferences for the suite.

Java broken now?

[MasterofSpork]

Hey has anyone else found that java apps stop working. I can't get Eclipse or FurtherNET to start.

Are any of you getting a segfault when running java from the Terminal?

Anyone have this problem and found a fix? I'm out of ideas.

Re:Java broken now?

[Mr.+Cancelled]

Same here... Jedit no longer runs, resulting in a segmentation fault.

Anyone have any solutions for this problem?

Re:Java broken now?

[evilskull]

Azureus is broken now, segfaults into a long error message.

Re:Java broken now?

[rworne]

Same here:

Last login: Fri Apr 15 20:45:01 on ttyp1
Welcome to Darwin!
DualG4:~ robert$ java -version
Segmentation fault
DualG4:~ robert$

Re:Java broken now?

[BigZaphod]

Works for me. Sorry, nothing more helpful... 15" PowerBook G4 1.67Ghz.

Re:Java broken now?

[BioCS.Nerd]

Eclipse 3.1 works fine, and I don't get the "java -version" crash another user reported.

Re:Java broken now?

After the 10.3.9 update, Java is broken on my machine as well (pb 1.33gHz). I get the same segmentation fault that other /.ers are reporting.

Re:Java broken now?

[rworne]

It's fixed.

Downloaded Security Update 2005-002 from Apple
Apply update
Reboot
Verify Java works: "java -version" in Terminal.app
Apply 10.3.9 Combo Updater
Reboot
Verify Java works: "java -version" in Terminal.app

All I know is that it works again for me.

Re:Java broken now?

[jweatherley]

Azureus seems to work fine for me - have you tried trashing its preferences? Or any java preference files that are lurking around...

Re:Java broken now?

[jweatherley]

Here's a tip from Surfin' Safari for those with Java issues: reinstall the security update 2005-002 to fix the java issue.

No idea if it works but something to try...

Re:Java broken now?

[vague+disclaimer]

This has now been reported many times over on Apple Discussions as resolving the java problems.

Re:Java broken now?

I don't have Eclipse or FurtherNet. However, my custom Java apps all work, both double-clicking and from the command line. This is on a dual G5 and an Albook G4.

Re:Java broken now?

[easter1916]

I'm getting segfaults on a 17" PB G4 1GHz. Crap.

Re:Java broken now?

[Jacob+Moogberg]

Try "java -version" through the terminal. When I did this, I got a segfault, then I reinstalled Security Update 2005-002 http://www.apple.com/support/downloads/securityupd ate2005002macosx1034orlater.html. Everything seems to be working now.

Re:Java broken now?

[waffleman]

Java seems to be fine. A couple of folks are saying to run java -version:

***:~/***/$ java -version
java version "1.4.2_05"
Java(TM) 2 Runtime Environment, Standard Edition (build 1.4.2_05-141.4)
Java HotSpot(TM) Client VM (build 1.4.2-38, mixed mode)

There was an update to java 1.4.2 Update 2 that perhaps you missed?

Re:Java broken now?

[M.+Baranczak]

Same thing here. Thanks to all the people who pointed out the fix.

Anybody have any ideas on what exactly happened? Why did java get broken on some systems, but not others?

Re:Java broken now?

[camel_lover]

I had the same problem with Jedit, and I applied the solution further in the thread, which worked! Re:Java broken now? (Score:5, Informative) by rworne (538610) Alter Relationship on Saturday April 16, @02:51AM (#12253120) (http://slashdot.org/)

Re:Java broken now?

[a1291762]

I have had this before... (can't remember the update though). Just re-install the latest Java updater and you should be good again.

Re:Java broken now?

[easter1916]

Downloading and installing the 10.3.9 combo update fixed this for me.

Safari crashes after update?

[fsck!]

If you use AcidSearch, you'll find that Safari segfaults on startup. You can get Safari back by removing /Library/Application Support/SIMBL/Plugins/AcidSearch.bundle. AcidSearch is cool; I hope they update soon.

Re:Safari crashes after update?

[inertia187]

Good call. That was exactly what was wrong for me. Thanks!

Re:Safari crashes after update?

[tcoady]

See http://apple.slashdot.org/comments.pl?sid=146286&c id=12260346/

Ambient light sensor works again

[MasterofSpork]

The light sensor in my Powerbook isn't going nuts changing my screen brightness anymore. Maybe this issue has been fixed too. I'm not in fluorescent lighting to give it a good test though.

Re:Ambient light sensor works again

[BigZaphod]

Maybe I'm missing something, but why does it turn off the keyboard light if you happen to bump the keyboard light adjustment keys while the ambient light is bright? It appears this new update didn't address that.

I wonder if there's some checkbox that I need to check or something. Grr. It is the most annoying thing.

I suppose this isn't really a question directed at you, but your comment about the light sensor reminded me to test for it on my PowerBook. :-)

Re:Ambient light sensor works again

[nuxx]

This is good to hear. I've been using my 15" under a under-cabinet fluorescent light at work quite often for the past few days, and it almost looks like the backlight will flicker along with the light.

Also, did you notice that your logs tend to fill with requests to change the brightness almost constantly? Have you noticed (yet) if this fixes that?

As a rule of thumb I'll probably wait until tomorrow night to apply this update...

Network Browsing from Finder messed up

[Zaurus]

Um, wierd. I just installed 10.3.9 on my 1.67GHz PB, and now in the finder under the network browser it shows:

Applications
Library
Users

...all of which appear to be empty, instead of the regular:

Local
Servers
WORKGROUP

Anyone know how to get the network browsing back to normal?

Re:Network Browsing from Finder messed up

[Puggs]

have u got samba enabled? try stopping and starting the (Windows File Sharing) service again (from sharing in System Preferences)

Re:Network Browsing from Finder messed up

Yeah, that occasionally happens to me and other Mac users I know too. I would try a reboot first. If that doesn't work, report back and I'll try to think of other ideas. I can tell you that force-deleting Network from Computer (you have to type your admin password) to try and get it to re-generate doesn't work, at least if you don't reboot; however, if just rebooting doesn't work, I might try force-deleting it and then rebooting again. *shrug*

Thanks

[paulius_g]

Yeah, thanks. I just updated to 10.3.8 this morning and there's already a new update.

Guess I'll have to cheer for the bugfixes :-)

Re:Thanks

[Shag]

Well, think about it this way: If you install 10.3.9 the same day as 10.3.8, your uptime results start incrementing sooner than they would if you'd waited. And by not installing 10.3.8 until 10.3.9 came out, maybe you had some extra uptime before, as well.

Re:Thanks

And by not installing 10.3.8 until 10.3.9 came out, maybe you had some extra uptime before, as well.

And when you die and go to heaven, St. Peter will reward you for every extra tick on the uptime clock.

Re:Thanks

And you care about your uptime why? When you think of it uptime is the geek way to measure your man-hood girth... but now stop and think about it... do you REALLY care or even want to know the size of your roommate... do you care...

The think that got me was he waited how long to update to 10.3.8 do ya really think he will update to 10.3.9 today? Do ya think he will update to 10.4 before for the twenty-O-six?

Fix for PithHelmet

[rohanl]

If you can't wait for the developer's fix, you can patch the Info.plist file so it will load in the new Safari.

In the file "/Library/Application Support/SIMBL/Plugins/PithHelmet.bundle/Contents/I nfo.plist" change the MaxBundleVersion from "146" to "312"

It seems to load and work without any problems for me

Java works for me

[poemofatic]

Hugo2:~ robert$ java -version
java version "1.4.2_05"
Java(TM) 2 Runtime Environment, Standard Edition (build 1.4.2_05-141.4)
Java HotSpot(TM) Client VM (build 1.4.2-38, mixed mode)

Re:Network Browsing from Finder messed up - FIXED

[Zaurus]

Good call. Rebooting a second time after the update fixed it. Apparently there's still some bugs left in Panther :)

Re:Safari 1.3!?!

Safari is FAST, it's like Christmas in um, April.

It put things in my Safari Bookmarks bar

[mogabog]

1.3 17 PB.

Just the standard bookmarks, don't know why

The Fix

Download and reinstall Security Update-002

Re:Mainly bugfixes? You should do PR for microsoft

[remahl]

I was credited with discovery of the Safari flaw.

Due to lacking communications, Apple did not notify me in advance that the issue was addressed in 10.3.9, and failed to link to my independent advisory on the issue. Hopefully they will rectify that on Monday.

My advisory for CAN-2005-0976 is called DR001 and is available on my web site at remahl.se/david/vuln/001/. It has also been posted to bugtraq.

what exploit is that?

nt

Re:what exploit is that?

google for k-otik mrouter

I'm worried about one of the security updates.

[argent]

Not about the update itself, but what it implies about webcore.

Safari
Available for: Mac OS X v10.3.9, Mac OS X Server v10.3.9
CVE ID: CAN-2005-0976
Impact: Remote sites could cause html and javascript to run in the local domain.
Description: This update closes a vulnerability that allowed remote websites to load javascript to execute in the local domain. Credit to David Remahl for reporting this issue.

"local domain" sounds a lot like Microsoft's "local security zone". I had assumed that Apple would be smarter than Microsoft here, and rather than copying their dangerous idea of treating webpages differently depending on where they were loaded from it would use some irrevocable and inheritable rights control established by the application... and this there would be no code path available to a webpage loaded from Safari to do anything dangerous... no matter where the page was loaded from.

If that's not the case... Apple, before going any further down this path, please reconsider.

Re:I'm worried about one of the security updates.

[remahl]

I discovered this vulnerability, and i can confirm that Apple is indeed starting to think in zone separation paths...

I have written a detailed advisory about the problem (Apple conveniently "forgot" to link to it). Apple allows XMLHttpRequest more privileges when running from a file: URL than from http:. This created a problem combined with the fact that disk images are automatically mounted with predictable paths and that Safari did not enforce separation between the http: and file: zones.

Apple took the approach of separating the zones instead of limiting XMLHttpRequest access from file: URLs.

Note that Konqueror is already separating zones, and also allows file: URLs to use XMLHttpRequest to access local resources.

I don't know if there are any other instances where the local zone is given higher privileges than the Internet zone. That's something for future research. If you haven't already updated, feel free to test the demo exploit on the advisory page.

Re:I'm worried about one of the security updates.

[argent]

Apple took the approach of separating the zones instead of limiting XMLHttpRequest access from file: URLs.

Note that Konqueror is already separating zones, and also allows file: URLs to use XMLHttpRequest to access local resources.

Stercus stercus stercus moriturus sum.

Microsoft has spent seven years proving conclusively that these kinds of zones are an unworkable approach to security. A web browser has to operate in a mandatory access control environment, and that means that rights once given up must never be granted again except by explicit request from a more trusted object. For example, calling it by "open" from the command line (since you can execute anything from the command line, the command line can be granted full local rights).

Zones don't work. You have to have inherited rights irrevocably discarded, there's no other way to guarantee there's no path from an untrusted object to a trusted one.

Re:I'm worried about one of the security updates.

You know all this squaking makes you sound a lot like a credit whore... sorry but call down a bit... stop patting yourself on the back while slapping apple for not linking to you.. they DID give you credit... do they really need to link to your "write up"? Taking credit is fine but the more you bitch about apple not linking to you the more I say good for apple. Your point would have been stronger if you took a different tack.

Safari 1.3

[Kabal`]

Safari 1.3 seems considerably faster to me in terms of page scrolling on my 1.42ghz mac mini.

Not Broken Here

[ibentmywookie]

Just installed 10.3.9. Opened up eclipse no problems.

Weird.

Apple removes basic UNIX features from 10.3.9

Kernel
CVE ID: CAN-2005-0970
Impact: Permitting SUID/SGID scripts to be installed could lead to privilege escalation. Description: Mac OS X inherited the ability to run SUID/SGID scripts from FreeBSD. Apple does not distribute any SUID/SGID scripts, but the system would allow them to be installed or created. This update removes the ability of Mac OS X to run SUID/SGID scripts. Credit to Bruce Murphy of rattus.net and Justin Walker for reporting this issue.


Isn't the ability to run SUID/SGID scripts or apps a fundemental part of Unix. Yes it can be used for naughty things. But that is the responsibility of the end user not Apple.

Why are Apple taking a Nanny State stance about what can be permitted or not ? It's none of their business what scripts I run on my machine.

All this leaves me with a bad taste in the mouth when it comes to OS X and security updates where they seem to be taking a too trigger happy approach to appear as though they are 'on top of the problem' to the computing media etc. Yet notoriously Apple's security updates often break basic functionality for many users.

While many would argue that MS are often perceived to be behind on security issues, I think I understand their mentality now which seems to more about giving the end user choice.

Apple, since OS X have become something more like a high street bank in their attitude towards end users. Cold, silent and we simply don't give a shit about you and will dictate the terms on which you use our operating system. (which ironically is in large part something they didn't even write)

That's my feeling about the security updates rolled into 10.3.9

On 10.3.9 itself, perhaps unsuprisingly Apple have yet again annouced features they have fixed in the update which were already working. Several times they have done this now. Again much like a big high street bank, one department doesn't know what the other department is doing and the customer is left confused.

Re:Apple removes basic UNIX features from 10.3.9

[pete_yandell]

Apple haven't disabled SUID binaries, just SUID scripts. SUID scripts are fundamentally insecure (do a google on "setuid script" for some references) and are already disabled in every other major unix distribution.

Re:Apple removes basic UNIX features from 10.3.9

[dfelznic]

I do not understand why setuid scripts are any different than setuid binaries?

Re:Apple removes basic UNIX features from 10.3.9

[biftek]

Take a look at the -i option in the bash manpage, iirc.

Re:Apple removes basic UNIX features from 10.3.9

[dfelznic]

That is the interactive command line option. did you mean -r for restricted?

Re:Apple removes basic UNIX features from 10.3.9

[biftek]

A setuid script exists named "/tmp/foo/one.sh" ln -s -- /tmp/foo/one.sh -i python >>> import os >>> os.execl("-i", "-i") sh-2.05b# I think it's an old unix trick.

Re:Apple removes basic UNIX features from 10.3.9

[biftek]

bleh preview.

ln -s -- /tmp/foo/one.sh -i
python
>>> import os
>>> os.execl("-i", "-i")
sh-2.05b#

Re:Apple removes basic UNIX features from 10.3.9

[argent]

I do not understand why setuid scripts are any different than setuid binaries?

You can't change the behaviour of binaries by tweaking environment variables that change the syntax of shell scripts, at least not in the general case.

Stickies?

[jellomizer]

I guess I don't use Stickies enough. But it seems like a very simple application.

Re:Stickies?

But it seems like a very simple application.

Which just goes to show how hard programming can be, and how immature (in the young and developing meaning of the word) the computer "science" and software "engineering" fields are.

Re:Stickies?

[Maserati]

Since the anonymous comment hasn't been modded up yet...

Stickies is a beautiful application, sheer coding elegance. It does one thing very well. All it does is display a bunch of text windows in a variety of pastel colors. Each window can be 'windowshaded', which minimizes a window in place by displaying just the title bar (toggled with a double click). I keep all of my stickies windowshaded - the first line of text shows in the title bar so you can tell them apart. And you can drag and drop in and out of a sticky.

That's all Stickies does. It displays windows you can type into. Nothing fancy, sheer minimalism in action. Adding more features would destroy the program's simplicity.

Give 'em a try, they're a great place to stash snippets of text without going to multiple clipboards.

But they aren't plain vanilla text windows. When Apple wrote the default text editing widget for Cocoa they made it very powerful. Because of that text in a sticky note can be be in any mix of fonts and faces, images can be pasted in, and the text can be kerned, and styles can be copied and re-applied. You even inherit the system-wide spellchecker by using the standard text widget.

Apple has provided a very rich application framework, which raises the quality of software produced by small shops. We've all seen the infinity variety (and range of quality) of widgets that turn up in shareware for Windows. Having a rich frameowrk provided with the OS (and the developer tools) is much better, trust me on this.

The drag and drop feature is really nice. Windows has it, but it's much more widely support in Mac apps, again because of the rich frameworks.

Mac OS 9 had that windowshading for all windows, some miss it so there are extensions for OS X that do that.

Firewire Audio devices

This update was going to fix firewire audio issues. With an M-Audio Firewire 410, Audacity no longer causes a kernel panic, it just doesn't work. :-/ At least you don't have to power off the computer now when you try it.

Shoe on other foot?

[Math,+The+Ancient]

"The changes mostly include bugfixes with Stickies, Safari, and the Finder." The Server update also addresses issues with Open Directory, cyrus, AFP, and SMB, among others. Apple also updated iMovie, iPhoto, iDVD, and iSight this week."

Gee, where are the flames about "having to update all the time because of bugs"? (and quite a few are security related, hah-ha-a) It obviously happens often enough to put a "Software Updates" link somewhere in the OS.

Re:Shoe on other foot?

[argent]

I just finished reinstalling Windows because it had eaten its little brain.

Install Windows. Reboot.
Install VIA 4-in-1 drivers. Reboot.
Install Audio drivers. Reboot.
Install Ethernet and USB drivers. Reboot.
Install video card drivers. Reboot.
1 service pack. Reboot.
42 "security and critical updates". Reboot.
4 post service-pack updates. Reboot.
DirectX. Reboot. .NET. Reboot.
Windows Media Player. Reboot.
7 reboots to bring Norton Antivirus up to date.
2 driver updates for the motherboard. 2 more reboots.

If I'd updated IE instead of using Firefox that would be 2 more reboots because you can't update IE at the same time as other applications.

Gee, where are the flames about "having to update all the time because of bugs"?

Well, I could update to Windows XP with its boobytrapped OS, but I'd rather not have a system decide I'm a pirate because I have to replace the motherboard. And I'd still have to do most of the same updates, so I don't think it's fair to flame about Windows 2000 that much. That's what you were talking about, right?

Re:Mainly bugfixes? You should do PR for microsoft

[wealthychef]

Where did you get this information? Perhaps you are running and older version than 10.3.8? Or maybe the readme that comes with the update is incomplete? The update from 10.3.8 to 10.3.9 does not mention any security updates.

Many Beige G3s had problems with 10.2.8

[Vandil+X]

The new display drivers and energy saver settings made for some trouble on Beige G3s, especially Beige G3 DTs.

Turning off display sleep and swapping the display drivers with a previous version via Pacifist did the trick to "fix" it, but for those who didn't want to bother with all that just stuck with 10.2.6.

Does this fix the 10 year old bug?

[olcrazypete]

I'm sure this is too quick for that, and we know what happened the last time apple added something at the last minute for 10.2.8, but has apple said anything at all about the 10 year old bug ? P

Re:Does this fix the 10 year old bug?

[chochos]

Of course it does. This is what it's all about. The 10 year old bug is hiding inside the Stickies app. There is a security vulnerability in Stickies.app which can cause a remote privilege escalation but notifies xinetd, ultimately causing the kernel panic mentioned in the news item you refer to, as a measure of protection hidden in xinetd against remote privilege escalation attacks.

The bug can be reproduced by creating a purple sticky, setting the font to Arial 12 Bold, and typing:

ALL YOUR BASE ARE BELONG TO US

Re:Mainly bugfixes? You should do PR for microsoft

[Val314]

thats the email that Apple sent out today. Subject was "APPLE-SA-2005-04-15 Mac OS X v10.3.9"

you can subscribe to this mailinglist here: http://lists.apple.com/mailman/options/security-an nounce/

Re:Mainly bugfixes? You should do PR for microsoft

[remahl]

The information can also be found on the web: KB 301327.

It is quite unfortunate that Apple "forgot" to mention the new security vulnerabilities that the update addresses in the short blurb. It does mention "previous stand-alone security updates", but not the new ones.

Beats the update processes on other major OSes

Beats having to open up a terminal, typing apt-get, then praying that the updated items will not break the dependencies of your current applications and system tweaks.

Also beats opening up an insecure Web browser, visiting Windows Update, being shown a list of updates with vague descriptons, and getting your machine updated without being asked for an Administrator's password.

Re:Mainly bugfixes? You should do PR for microsoft

[dfelznic]

I got it from Apple's Security mailing list, it is also available on the security website. Where else?

http://docs.info.apple.com/article.html?artnum=3 01 327

I wish I was wrong about this but it seems apple tried to pull a fast one on this. It really would have been nice if apple released these security updates separately from the OS upgrade like they said they did. But I can not find these updates anywhere else...

Cool addition to Safari

[mh101]

I always wished Safari's download manager would list the transfer rate in addition to the file size and estimated time remaining.

And lo and behold, after installing 10.3.9 it does! Way to go, Apple!

Re:Cool addition to Safari

[Angostura]

Option-clicking on the estimated time figure has toggled to transfer rate for quite a long time (since Safari came out?)

Re:Cool addition to Safari

[mh101]

Cool, too bad I didn't know about that earlier. =( At least that appears to be the default now (unless I accidentally enabled it myself...).

Re:Cool addition to Safari

[dohcvtec]

Speaking of Safari nuances, anyone know if there's a way to pull down a list of recently typed URLs in the Safari address bar? Most other browsers allow this, but in my limited use of Safari, if this is possible I haven't found it. That's one of my 2 gripes with Safari; the other one is lack of back/forward/etc. by right-clicking in a page. Again, most if not all other browsers have this convenient capability.

wonder what the server update breaks?

[intmainvoid]

After the last update, it might pay to let this one sit a few days!

Nice New Feature In Safari 1.3

[ian+rogers]

Now if I'm typing something online, and hit Command+Shift+Left/Right, it will actually select everything from where I am to the beginning of the line, just like it does in TextEdit and most other apps.

I like it a lot more than when I would hit it and it would switch tabs, even though I was typing something in a text box.

Securemote doesn't work anymore

[mobley02]

Does anyone here use securemote VPN ? it used to work with 10.3.8, rebooting in 10.3.9, securemote says it can't start :(

Re:Securemote doesn't work anymore

[akiro]

I (== the company i work in) use it, and it broke here too, wont start anymore. Hopefully Checkpoint will release a fix soon, now I actually have to go the office to get some work done :-P

Re:Securemote doesn't work anymore

A-A-A-A

I'm also installed the update yesterday and o-ops I cannot connect to my work.

I think that Apple should announce this problem.

Re:Securemote doesn't work anymore

[hankster164]

yup..me too! Had it working just fine. But after applying 10.3.9 it doesnt start. I understand there was change to racoon with 10.3.9. Wonder if that has anything to do with it. From what I can tell 'net.inet.ipsec.esp_port' changed from 0 to 4500 with the upgrade and its the only ipsec related kernel variable that's changed

Re:Securemote doesn't work anymore

[excyberlabber]

My securemote vpn also broke, with the same error. It tries hard to start on boot, then after a couple of minutes thrashing, gives the message the it couldn't start, reboot to start it. Of course rebooting doesn't start it. My java broke as well, and I reapplied the security patch, and that fixed java. But not securemote. I then ran:

sudo update_prebinding -root / -force

but this had no effect on the vpn...

Google maps and Safari

I just installed the update and the first thing I noticed was that the tooltips in Google maps no longer render correctly. Anyone know how I can fix this or revert to the older safari version?

WebCT Fix

[edibleplastic]

Not that this will affect many people but for some reason in the past when I would surf to my school's WebCT page Safari would beachball right after I logged in. This seems to be fixed with the new update. Good job!

Re:WebCT Fix

[GrahamCox]

Ah, WebCT. What a crock of poop that is. I always have to force a WebCT page (any editor view, content is OK) to refresh manually by tweaking the browser window size to get it to display in Safari. I hope that's fixed too.

Bloody extra bookmars in my bar!!!

[johnny_sas]

WTF APPLE? Did I ask you to put extra shit in my bookmark bar???? NO!!! Apple, the next Netscape?

Re:Bloody extra bookmars in my bar!!!

[acidblue]

Why are some people getting this? It didn't happen to me.

Re:Safari 1.3 - improvements

[Rouxfus]

+ Undo in text fields! + improved pop-up window blocking + faster, especially on https connection + command-shift-arrow works properly now + improved javascript compatibility All around, a great release for this browser. I was on the cusp of switching to Firefox, but undo and spelling checking in the web form text areas are the dog's bollocks!

Re:Safari 1.3 - improvements

[pudge]

Yeah, I just noticed undo in text fields. That alone is worth the entire update, as anyone on Slashdot who uses Safari and has lost an entire comment or journal entry because they selected all and then hit 'c' instead of cmd-'c' can attest.

lacie usb hard drive

well after my update to 10.3.9, the image of my external hard drive no longer appears in my finder, can't get files off it, can't play my music which is on it, can't do anything about it.*bugger*

-1, Troll?

[Professor+S.+Brown]

Wow. I guess my little play on words there flew over some heads.

one weird fix

[alex_guy_CA]

I just updated, and opened Safari and noticed that I had a new bookmark in my bookmark bar; .Mac

I don't use .Mac, and did not know that not having it bookmarked was a bug.

This reminds me of my other Safari pet peeve. When I type a URL into the address bar, Safari "helpfully" tries to fill in my URL with sites that I don't even have bookmarked and have never visited as I type. How much do you think those companies paid for that placement?

Re:one weird fix

Mine doesn't. I removed them from the default bookmarks and they went away. Go figure.

Re:Adobe Version Cue users be advised

[HSpirit]

% file /Applications/Adobe\ Version\ Cue/*.sh
/Applications/Adobe Version Cue/productname.sh: empty
/Applications/Adobe Version Cue/startserver.sh: setuid a /bin/sh script text excutable
/Applications/Adobe Version Cue/stopserver.sh: setuid a /bin/sh script text excutable

Safari Feature degredation.

[macmurph]

When I right-click an image in Safari, I am no longer able to specify which folder I want to save it to. The only option is "Save to Safari Downloads".

This does streamline things... but I think I miss the customization options that a save dialog provides.

Re:Safari Feature degredation.

I'm glad that you noted this (I would have if you hadn't). I download a lot of pictures from the net and found this change to be a real problem. Safari now only allows you to save the image to the desktop.

Hope this change this back in TIGER!!! :)

Re:Safari Feature degredation.

[pmdboi]

Yeah, that is kind of irritating. However, dragging images from Safari to the Finder still works, so another thing you can do is navigate to the folder you want to download to in the Finder, go to Safari, start dragging the image, hit Expose if necessary, and drop the image in that folder. A little convoluted, but it works. (If Safari is in the background, you can drag stuff from it without bringing it to the foreground by holding the Command key while doing so.)

Unfortunately, it looks like you can't drag images from Safari to folders in the Dock.

Re:Safari Feature degredation.

[macmurph]

You can still specify an alternative to the Desktop... just go to Safari preferences and set the download folder to whatever you like. This still wont present the old dialog box though.

FIX for securemote under 10.3.9

[akiro]

Long live the apple forums, there's a fix for this problem.

http://discussions.info.apple.com/webx?14@472.eTM5 awFHYat.2@.68ac466a/15