Slashdot Mirror


Apple Releases Mac OS X 10.3.9 Update

OmniVector writes "Right after the Mac OS X 10.4 Tiger announcement just a few days ago, Apple has released an update to version 10.3.9 for Mac OS X and Mac OS X Server (both available via Software Update). The changes mostly include bugfixes with Stickies, Safari, and the Finder." The Server update also addresses issues with Open Directory, cyrus, AFP, and SMB, among others. Apple also updated iMovie, iPhoto, iDVD, and iSight this week.

26 of 149 comments

  1. Undocumented bug fix by objekt · · Score: 4, Informative

    Now my Mac doesn't lock up when I choose the "Restart..."/"Shut Down..." and then sleep the screen during the optional 2-minute wait period.

    --
    -- Boycott Shell
    1. Re:Undocumented bug fix by Anonymous Coward · · Score: 1, Informative

      Unfortunately the macs are still vulnerable to a local root exploit published over six months ago.

      I wonder when they're going to bother fixing little things like root privilege escalations. After they finish polishing those Aqua buttons a little more?

  2. Safari 1.3 by OmniVector · · Score: 4, Informative

    Wow, I'm a dumbass, and completely left out something really important! Safari 1.3 came out with this update, and consequently seems to have caused problems with some of my Adium themes, and Colloquy no longer even renders. Also, one of my Safari plugins caused Safari to crash on launch (AcidSearch, it appears).

    Lastly, folks, beware of the warning on Apple's front page with this update if you're running Mac OS X Server! You must have an administrator account password that does not contain spaces or Option-keyed characters to install this update.

    --
    - tristan
    1. Re:Safari 1.3 by Matthias+Wiesmann · · Score: 5, Informative

      Information about the changes in Safari 1.3 can be found on David Hyatt's blog.

    2. Re:Safari 1.3 by zhiwenchong · · Score: 2, Informative

      Also I found a problem with Sogudi. Whenever I tried to type a URL without a www, i.e. "apple.com", the spinning beachball of death pops up.

      I removed Sogudi, and everything works again. And yes, I finally noticed the speed improvement.

    3. Re:Safari 1.3 by tcoady · · Score: 2, Informative

      Same here. But AcidSearch 0.4 fixes include "Support for Safari 1.3 added".

      More info here http://www.pozytron.com/acidsearch/

  3. Vindicated, yes! by hrbrmstr · · Score: 3, Informative

    I've been bug reporting and complaining about the SSL performance in Safari for almost two years. Folks here and on other Mac forums have dismissed me as some type of loon (they are more right than I'd like to admit most of the time). Apple finally does something about it (though, we'll see if it really helps...I'm installing it now).

    It's nice to be right...

    --
    Mind the gap...
  4. Mainly bugfixes? You should do PR for microsoft:) by dfelznic · · Score: 4, Informative

    There are definitely some bugfixes for Stickies and the like. But there are also some important security fixes in the bag. That is a lot of CAN entries for an update that is "mostly bugfixes."

    For whatever reason Apple felt icky about calling it an "update," so they threw in this language:

    "Note: It is Apple's standard practice to provide security fixes via a Security Update. On occasion, when a security fix is required to a core system component such as the Kernel, it will be released in a Software Update."

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    APPLE-SA-2005-04-15 Mac OS X v10.3.9

    Mac OS X v10.3.9 and Mac OS X Server v10.3.9 are now available and deliver the following security enhancements:

    Kernel
    CVE ID: CAN-2005-0969
    Impact: A kernel input validation issue can lead to a local denial of service
    Description: The Kernel contains syscall emulation functionality that was never used in Mac OS X. Insufficient validation of an input parameter list could result in a heap overflow and a local denial of service through a kernel panic. The issue is addressed by removing the syscall emulation functionality. Credit to Dino Dai Zovi for reporting this issue.

    Kernel
    CVE ID: CAN-2005-0970
    Impact: Permitting SUID/SGID scripts to be installed could lead to privilege escalation.
    Description: Mac OS X inherited the ability to run SUID/SGID scripts from FreeBSD. Apple does not distribute any SUID/SGID scripts, but the system would allow them to be installed or created. This update removes the ability of Mac OS X to run SUID/SGID scripts. Credit to Bruce Murphy of rattus.net and Justin Walker for reporting this issue.

    Kernel
    CVE ID: CAN-2005-0971
    CERT: VU#212190
    Impact: A Kernel stack overflow in the semop() system call could lead to a local privilege escalation.
    Description: The incorrect handling of system call arguments could be used to obtain elevated privileges. This update includes a fix to check access to the kernel object.

    Kernel
    CVE ID: CAN-2005-0972
    CERT: VU#185702
    Impact: An integer overflow in the searchfs() system call could allow an unprivileged local user to execute arbitrary code with elevated privileges
    Description: The searchfs() system call contains an integer overflow vulnerability that could allow an unprivileged local user to execute arbitrary code with elevated privileges. This update adds input validation on the parameters passed to searchfs() to correct the issue.

    Kernel
    CVE ID: CAN-2005-0973
    Impact: Local system users can cause a system resource starvation
    Description: A vulnerability in the handling of values passed to the setsockopt() call could allow unprivileged local users to exhaust available memory. Credit to Robert Stump for reporting this issue.

    Kernel
    CVE ID: CAN-2005-0974
    CERT: VU#713614
    Impact: Local system users can cause a local denial of service
    Description: A vulnerability in the nfs_mount() call due to insufficient checks on input values could allow unprivileged local users to create a denial of service via a kernel panic.

    Kernel
    CVE ID: CAN-2005-0975
    Impact: Local system users can cause a temporary interruption of system operation
    Description: A vulnerability in the parsing of certain executable files could allow unprivileged local users to temporarily suspend system operations. Credit to Neil Archibald for reporting this issue.

    Safari
    CVE ID: CAN-2005-0976
    Impact: Remote sites could cause html and javascript to run in the local domain.
    Description: This update closes a vulnerability that allowed remote websites to load javascript to execute in the local domain. Credit to David Remahl for reporting this issue.

    Note: It is Apple's standard practice to provide security fixes via a Security Update. On occasion, when a security fix is required to a core system component such as the Kernel, it will be released in a Software Update.

    Mac OS X v10.3.9 and Mac OS X Server v10.3.9 may be obtained from the Software Update pane in System Preferences, or Apple's Software Downloads web site:

  5. No problems with the install... by BobWeiner · · Score: 2, Informative

    ...installed fine on both the single proc. G5 at work and the dual G5 I have at home. Subjectively, it feels faster in the Finder, as well as Safari.

    Bring on Tiger!

    --
    The PC Weenies: 11 Years of Online Tech 'Too
  6. Safari crashes after update? by fsck! · · Score: 3, Informative

    If you use AcidSearch, you'll find that Safari segfaults on startup. You can get Safari back by removing /Library/Application Support/SIMBL/Plugins/AcidSearch.bundle. AcidSearch is cool; I hope they update soon.

  7. Re:OT: Trackpad in Firefox by steeviant · · Score: 5, Informative

    It's actually an issue with Firefox interpreting inadvertent horizontal scrolling (easy to do with iscroll2 or the new [USB] trackpads) as back/forward requests. Here's how to fix this intentionally broken behaviour...

    From macosxhints.com:
    In Firefox, type about:config into the address bar and hit return. This gives you a list of all possible configuration options. The ones we want are those that start with mousewheel.horizscroll.withnokey. Make the following changes by double-clicking the appropriate option in the list:

    * mousewheel.horizscroll.withnokey.action => 0
    * mousewheel.horizscroll.withnokey.sysnumlines => true

  8. Re:Trackpad by poopdeville · · Score: 4, Informative

    Although the Safari upgrade re-added Apple, Amazon, eBay, etc. links to my bookmark bar. That was sort of annoying, but easy enough to fix.

    That's because Software Update downloaded a fresh copy of Safari for you. Your "personal" bookmarks are stored in your ~/Library/ directory somewhere, whereas the stock ones are in the application bundle.

    --
    After all, I am strangely colored.
  9. Fix for PithHelmet by rohanl · · Score: 2, Informative

    If you can't wait for the developer's fix, you can patch the Info.plist file so it will load in the new Safari.

    In the file "/Library/Application Support/SIMBL/Plugins/PithHelmet.bundle/Contents/Info.plist" change the MaxBundleVersion from "146" to "312"

    It seems to load and work without any problems for me

  10. Re:Java broken now? by rworne · · Score: 2, Informative

    Same here:

    Last login: Fri Apr 15 20:45:01 on ttyp1
    Welcome to Darwin!
    DualG4:~ robert$ java -version
    Segmentation fault
    DualG4:~ robert$

    --
    I tried every decent and legal way I could think of to resolve the issue w/the business before I rented the chicken suit
  11. The Fix by Anonymous Coward · · Score: 1, Informative

    Download and reinstall Security Update-002

  12. Re:Java broken now? by rworne · · Score: 4, Informative

    It's fixed.

    Downloaded Security Update 2005-002 from Apple
    Apply update
    Reboot
    Verify Java works: "java -version" in Terminal.app
    Apply 10.3.9 Combo Updater
    Reboot
    Verify Java works: "java -version" in Terminal.app

    All I know is that it works again for me.

    --
    I tried every decent and legal way I could think of to resolve the issue w/the business before I rented the chicken suit
  13. Re:Mainly bugfixes? You should do PR for microsoft by remahl · · Score: 2, Informative

    I was credited with discovery of the Safari flaw.

    Due to lacking communications, Apple did not notify me in advance that the issue was addressed in 10.3.9, and failed to link to my independent advisory on the issue. Hopefully they will rectify that on Monday.

    My advisory for CAN-2005-0976 is called DR001 and is available on my web site at remahl.se/david/vuln/001/. It has also been posted to bugtraq.

  14. Re:Java broken now? by jweatherley · · Score: 3, Informative

    Here's a tip from Surfin' Safari for those with Java issues: reinstall the security update 2005-002 to fix the java issue.

    No idea if it works but something to try...

    --
    Reverse outsourcing: it's the future
  15. Re:what exploit is that? by Anonymous Coward · · Score: 1, Informative

    google for k-otik mrouter

  16. Re:Apple removes basic UNIX features from 10.3.9 by pete_yandell · · Score: 4, Informative

    Apple haven't disabled SUID binaries, just SUID scripts. SUID scripts are fundamentally insecure (do a google on "setuid script" for some references) and are already disabled in every other major unix distribution.

  17. Cool addition to Safari by mh101 · · Score: 2, Informative

    I always wished Safari's download manager would list the transfer rate in addition to the file size and estimated time remaining.

    And lo and behold, after installing 10.3.9 it does! Way to go, Apple!

    --
    Duct tape is like the Force. It has a light side, a dark side, and it holds the universe together.
    1. Re:Cool addition to Safari by Angostura · · Score: 2, Informative

      Option-clicking on the estimated time figure has toggled to transfer rate for quite a long time (since Safari came out?)

  18. Re:Stickies? by Maserati · · Score: 3, Informative

    Since the anonymous comment hasn't been modded up yet...

    Stickies is a beautiful application, sheer coding elegance. It does one thing very well. All it does is display a bunch of text windows in a variety of pastel colors. Each window can be 'windowshaded', which minimizes a window in place by displaying just the title bar (toggled with a double click). I keep all of my stickies windowshaded - the first line of text shows in the title bar so you can tell them apart. And you can drag and drop in and out of a sticky.

    That's all Stickies does. It displays windows you can type into. Nothing fancy, sheer minimalism in action. Adding more features would destroy the program's simplicity.

    Give 'em a try, they're a great place to stash snippets of text without going to multiple clipboards.

    But they aren't plain vanilla text windows. When Apple wrote the default text editing widget for Cocoa they made it very powerful. Because of that, text in a sticky note can be in any mix of fonts and faces, images can be pasted in, and the text can be kerned, and styles can be copied and re-applied. You even inherit the system-wide spellchecker by using the standard text widget.

    Apple has provided a very rich application framework, which raises the quality of software produced by small shops. We've all seen the infinite variety (and range of quality) of widgets that turn up in shareware for Windows. Having a rich framework provided with the OS (and the developer tools) is much better, trust me on this.

    The drag and drop feature is really nice. Windows has it, but it's much more widely supported in Mac apps, again because of the rich frameworks.

    Mac OS 9 had that windowshading for all windows, some miss it so there are extensions for OS X that do that.

    --
    Veteran, Bermuda Triangle Expeditionary Force, 1992-1951
  19. Re:Java broken now? by Jacob+Moogberg · · Score: 2, Informative

    Try "java -version" through the terminal. When I did this, I got a segfault, then I reinstalled Security Update 2005-002 http://www.apple.com/support/downloads/securityupdate2005002macosx1034orlater.html. Everything seems to be working now.

  20. Re:Safari 1.3 - improvements by Rouxfus · · Score: 2, Informative

    + Undo in text fields!
    + improved pop-up window blocking
    + faster, especially on https connection
    + command-shift-arrow works properly now
    + improved javascript compatibility

    All around, a great release for this browser. I was on the cusp of switching to Firefox, but undo and spelling checking in the web form text areas are the dog's bollocks!

  21. Re:Apple removes basic UNIX features from 10.3.9 by argent · · Score: 2, Informative

    I do not understand why setuid scripts are any different than setuid binaries?

    You can't change the behaviour of binaries by tweaking environment variables that change the syntax of shell scripts, at least not in the general case.
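
The CAN-2005-0970 entry and comments 16 and 21 distinguish SUID/SGID scripts from SUID/SGID binaries. The following shell audit is an added example, not part of the original thread or of Apple's advisory: it lists files that carry the setuid or setgid bit and start with a "#!" interpreter line. The function names are hypothetical.

```shell
#!/bin/sh
# Added example: audit a directory tree for SUID/SGID *scripts*, i.e. files
# with the setuid or setgid bit whose first two bytes are "#!".
# Paths containing newlines are not handled.

# is_script FILE: succeed if FILE begins with "#!".
is_script() {
    [ "$(head -c 2 "$1" 2>/dev/null | tr -d '\0')" = '#!' ]
}

# filter_scripts: read paths on stdin, print only those that are scripts.
filter_scripts() {
    while IFS= read -r f; do
        if is_script "$f"; then
            printf '%s\n' "$f"
        fi
    done
}

# find_suid_scripts DIR: print each SUID/SGID script under DIR, one per line.
# -xdev keeps the search on DIR's own filesystem.
find_suid_scripts() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null |
        filter_scripts
}

# interpreter_of FILE: print the interpreter path from the "#!" line,
# without any interpreter argument that follows it.
interpreter_of() {
    head -n 1 "$1" | sed -e 's/^#![[:space:]]*//' -e 's/[[:space:]].*$//'
}

# report DIR: mode and owner, interpreter, and path for every hit.
report() {
    find_suid_scripts "$1" | while IFS= read -r f; do
        printf '%s\t%s\t%s\n' \
            "$(ls -ld "$f" | awk '{print $1, $3}')" \
            "$(interpreter_of "$f")" "$f"
    done
}

# When run directly with an argument, audit that directory.
if [ "$#" -gt 0 ]; then report "$1"; fi
```

Hits owned by root are the ones to review first; SUID/SGID binaries are deliberately excluded because the update left them working.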