Slashdot Mirror
Apple Releases Mac OS X 10.3.9 Update
OmniVector writes "Right after the Mac OS X 10.4 Tiger announcement just a few days ago, Apple has released an update to version 10.3.9 for Mac OS X and Mac OS X Server (both available via Software Update). The changes mostly include bugfixes with Stickies, Safari, and the Finder." The Server update also addresses issues with Open Directory, cyrus, AFP, and SMB, among others. Apple also updated iMovie, iPhoto, iDVD, and iSight this week.
Now my Mac doesn't lock up when I choose the "Restart..."/"Shut Down..." and then sleep the screen during the optional 2-minute wait period.
-- Boycott Shell
wow i'm a dumbass, and completely left out something really important! Safari 1.3 came out with this update. and consequently seems to have caused problems with some of my Adium themes and Colloquy no longer even renders. Also, one of my Safari plugins caused safari to crash on launch. (AcidSearch it appears).
lastly, folks, beware of the warning on apple's front page with this update if you're running mac os x server! You must have an administrator account password that does not contain spaces or Option-keyed characters to install this update.
- tristan
I've been bug reporting and complaining about the SSL performance in Safari for almost two years. Folks here and on other Mac forums have dismissed me as some type of loon (they are more right than I'd like to admit most of the time). Apple finally does something about it (though, we'll see if it really helps...I'm installing it now).
It's nice to be right...
Mind the gap...
It seems as if this update fixed the sensitivity problems with my PowerBook trackpad. I have a 1.67Ghz PB with the new trackpad that supports the vertical/horizontal scrolling stuff and it has always been far less sensitive than my old PB -- until I rebooted after this update. Cool!
Although the Safari upgrade re-added Apple, Amazon, eBay, etc. links to my bookmark bar. That was sort of annoying, but easy enough to fix.
Hexy - a strategy game for iPhone/iPod Touch
Everything feels peppier and more responsive! Doesn't take 15 minutes to copy a 20MB file anymore either.
;)
Haven't even run the update yet either.
Karma: Chameleon (mostly due to the fact that you come and go).
There are definitely some bugfixes for stickies and the like. But there are also some important security fixes in the bag. That is a lot of CAN entries for a update that is "mostly bugfixes."
For whatever reason apple felt icky about calling it an "update," so they threw in this language:
"Note: It is Apple's standard practice to provide security fixes via a Security Update. On occasion, when a security fix is required to a core system component such as the Kernel, it will be released in a Software Update."
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
APPLE-SA-2005-04-15 Mac OS X v10.3.9
Mac OS X v10.3.9 and Mac OS X Server v10.3.9 are now available and deliver the following security enhancements:
Kernel
CVE ID: CAN-2005-0969
Impact: A kernel input validation issue can lead to a local denial of service
Description: The Kernel contains syscall emulation functionality that was never used in Mac OS X. Insufficient validation of an input parameter list could result in a heap overflow and a local denial of service through a kernel panic. The issue is addressed by removing the syscall emulation functionality. Credit to Dino Dai Zovi for reporting this issue.
Kernel
CVE ID: CAN-2005-0970
Impact: Permitting SUID/SGID scripts to be installed could lead to privilege escalation. Description: Mac OS X inherited the ability to run SUID/SGID scripts from FreeBSD. Apple does not distribute any SUID/SGID scripts, but the system would allow them to be installed or created. This update removes the ability of Mac OS X to run SUID/SGID scripts. Credit to Bruce Murphy of rattus.net and Justin Walker for reporting this issue.
Kernel
CVE ID: CAN-2005-0971
CERT: VU#212190
Impact: A Kernel stack overflow in the semop() system call could lead to a local privilege escalation.
Description: The incorrect handling of system call arguments could be used to obtain elevated privileges. This update includes a fix to check access to the kernel object.
Kernel
CVE ID: CAN-2005-0972
CERT: VU#185702
Impact: An integer overflow in the searchfs() system call could allow an unprivileged local user to execute arbitrary code with elevated privileges
Description: The searchfs() system call contains an integer overflow vulnerability that could allow an unprivileged local user to execute arbitrary code with elevated privileges. This update adds input validation on the parameters passed to searchfs() to correct the issue.
Kernel
CVE ID: CAN-2005-0973
Impact: Local system users can cause a system resource starvation
Description: A vulnerability in the handling of values passed to the setsockopt() call could allow unprivileged local users to exhaust available memory. Credit to Robert Stump for reporting this issue.
Kernel
CVE ID: CAN-2005-0974
CERT: VU#713614
Impact: Local system users can cause a local denial of service
Description: A vulnerability in the nfs_mount() call due to insufficient checks on input values could allow unprivileged local users to create a denial of service via a kernel panic.
Kernel
CVE ID: CAN-2005-0975
Impact: Local system users can cause a temporary interruption of system operation
Description: A vulnerability in the parsing of certain executable files could allow unprivileged local users to temporarily suspend system operations. Credit to Neil Archibald for reporting this issue.
Safari
CVE ID: CAN-2005-0976
Impact: Remote sites could cause html and javascript to run in the local domain.
Description: This update closes a vulnerability that allowed remote websites to load javascript to execute in the local domain. Credit to David Remahl for reporting this issue.
Note: It is Apple's standard practice to provide security fixes via a Security Update. On occasion, when a security fix is required to a core system component such as the Kernel, it will be released in a Software Update.
Mac OS X v10.3.9 and Mac OS X Server v10.3.9 may be obtained from the Software Update pane in System Preferences, or Apple's Software Downloads web site:
Douglas Calvert
...installed fine on both the single proc. G5 at work and the dual G5 I have at home. Subjectively, it feels faster in the Finder, as well as Safari.
Bring on Tiger!
The PC Weenies: 11 Years of Online Tech 'Too
Hey has anyone else found that java apps stop working. I can't get Eclipse or FurtherNET to start.
Are any of you getting a segfault when running java from the Terminal?
Anyone have this problem and found a fix? I'm out of ideas.
If you use AcidSearch, you'll find that Safari segfaults on startup. You can get Safari back by removing /Library/Application Support/SIMBL/Plugins/AcidSearch.bundle. AcidSearch is cool; I hope they update soon.
The light sensor in my Powerbook isn't going nuts changing my screen brightness anymore. Maybe this issue has been fixed too. I'm not in fluorescent lighting to give it a good test though.
It's actually an issue with firefox interpreting inadvertent horizontal scrolling (easy to do with iscroll2 or the new [USB] trackpads) as back/forward requests. Here's how to fix this intentionally broken behaviour...
From macosxhints.com:
In Firefox, type about:config into the address bar and hit return. This gives you a list of all possible configuration options. The ones we want are those that start with mousewheel.horizscroll.withnokey. Make the following changes by double-clicking the appropriate option in the list:
* mousewheel.horizscroll.withnokey.action => 0
* mousewheel.horizscroll.withnokey.sysnumlines => true
Um, wierd. I just installed 10.3.9 on my 1.67GHz PB, and now in the finder under the network browser it shows:
...all of which appear to be empty, instead of the regular:
Applications
Library
Users
Local
Servers
WORKGROUP
Anyone know how to get the network browsing back to normal?
If you can't wait for the developer's fix, you can patch the Info.plist file so it will load in the new Safari.
I nfo.plist" change the MaxBundleVersion from "146" to "312"
In the file "/Library/Application Support/SIMBL/Plugins/PithHelmet.bundle/Contents/
It seems to load and work without any problems for me
I was credited with discovery of the Safari flaw.
Due to lacking communications, Apple did not notify me in advance that the issue was addressed in 10.3.9, and failed to link to my independent advisory on the issue. Hopefully they will rectify that on Monday.
My advisory for CAN-2005-0976 is called DR001 and is available on my web site at remahl.se/david/vuln/001/. It has also been posted to bugtraq.
I discovered this vulnerability, and i can confirm that Apple is indeed starting to think in zone separation paths...
I have written a detailed advisory about the problem (Apple conveniently "forgot" to link to it). Apple allows XMLHttpRequest more privileges when running from a file: URL than from http:. This created a problem combined with the fact that disk images are automatically mounted with predictable paths and that Safari did not enforce separation between the http: and file: zones.
Apple took the approach of separating the zones instead of limiting XMLHttpRequest access from file: URLs.
Note that Konqueror is already separating zones, and also allows file: URLs to use XMLHttpRequest to access local resources.
I don't know if there are any other instances where the local zone is given higher privileges than the Internet zone. That's something for future research. If you haven't already updated, feel free to test the demo exploit on the advisory page.
Apple haven't disabled SUID binaries, just SUID scripts. SUID scripts are fundamentally insecure (do a google on "setuid script" for some references) and are already disabled in every other major unix distribution.
I'm sure this is too quick for that, and we know what happened the last time apple added something at the last minute for 10.2.8, but has apple said anything at all about the 10 year old bug ? P
-- My dog can beat up your dog.
I always wished Safari's download manager would list the transfer rate in addition to the file size and estimated time remaining.
And lo and behold, after installing 10.3.9 it does! Way to go, Apple!
Duct tape is like the Force. It has a light side, a dark side, and it holds the universe together.
conspiracy theories such as this are just plain stupid. In Apple's history, having buggy systems never has contributed to people buying "fixed" system updates. Quite the contrary, system 7.5 and 7.5 probably lost apple more market share than any thing else in their history.
Apple is in a fragile enough place without purposely sending out bad software under the impression they will encourage software sales. they are just as likely to lose people who go to windows under that strategy and would suggest marketing people are telling engineers to make thing go bad. sounds implausible at best given that lead on OS X has was guy who developed Next and Steve Jobs in infamous for demanding things work the first time.
Apple as small market, is under more pressure to makes things work well because they dont have the crutch of a monopoly to hold them up until they fix their shit. one of reasons most apple users are repeat customers.
the more likely answer, they fucked up, makes a lot more sense.
but because apple sells updates, rabid Linux zealots see conspiracy in anything they do.
Since the anonymous comment hasn't been modded up yet...
Stickies is a beautiful application, sheer coding elegance. It does one thing very well. All it does is display a bunch of text windows in a variety of pastel colors. Each window can be 'windowshaded', which minimizes a window in place by displaying just the title bar (toggled with a double click). I keep all of my stickies windowshaded - the first line of text shows in the title bar so you can tell them apart. And you can drag and drop in and out of a sticky.
That's all Stickies does. It displays windows you can type into. Nothing fancy, sheer minimalism in action. Adding more features would destroy the program's simplicity.
Give 'em a try, they're a great place to stash snippets of text without going to multiple clipboards.
But they aren't plain vanilla text windows. When Apple wrote the default text editing widget for Cocoa they made it very powerful. Because of that text in a sticky note can be be in any mix of fonts and faces, images can be pasted in, and the text can be kerned, and styles can be copied and re-applied. You even inherit the system-wide spellchecker by using the standard text widget.
Apple has provided a very rich application framework, which raises the quality of software produced by small shops. We've all seen the infinity variety (and range of quality) of widgets that turn up in shareware for Windows. Having a rich frameowrk provided with the OS (and the developer tools) is much better, trust me on this.
The drag and drop feature is really nice. Windows has it, but it's much more widely support in Mac apps, again because of the rich frameworks.
Mac OS 9 had that windowshading for all windows, some miss it so there are extensions for OS X that do that.
Veteran, Bermuda Triangle Expeditionary Force, 1992-1951
Not that this will affect many people but for some reason in the past when I would surf to my school's WebCT page Safari would beachball right after I logged in. This seems to be fixed with the new update. Good job!
+ Undo in text fields! + improved pop-up window blocking + faster, especially on https connection + command-shift-arrow works properly now + improved javascript compatibility All around, a great release for this browser. I was on the cusp of switching to Firefox, but undo and spelling checking in the web form text areas are the dog's bollocks!
I just finished reinstalling Windows because it had eaten its little brain.
.NET. Reboot.
Install Windows. Reboot.
Install VIA 4-in-1 drivers. Reboot.
Install Audio drivers. Reboot.
Install Ethernet and USB drivers. Reboot.
Install video card drivers. Reboot.
1 service pack. Reboot.
42 "security and critical updates". Reboot.
4 post service-pack updates. Reboot.
DirectX. Reboot.
Windows Media Player. Reboot.
7 reboots to bring Norton Antivirus up to date.
2 driver updates for the motherboard. 2 more reboots.
If I'd updated IE instead of using Firefox that would be 2 more reboots because you can't update IE at the same time as other applications.
Gee, where are the flames about "having to update all the time because of bugs"?
Well, I could update to Windows XP with its boobytrapped OS, but I'd rather not have a system decide I'm a pirate because I have to replace the motherboard. And I'd still have to do most of the same updates, so I don't think it's fair to flame about Windows 2000 that much. That's what you were talking about, right?
I do not understand why setuid scripts are any different than setuid binaries?
You can't change the behaviour of binaries by tweaking environment variables that change the syntax of shell scripts, at least not in the general case.
When I right-click an image in Safari, I am no longer able to specify which folder I want to save it to. The only option is "Save to Safari Downloads".
This does streamline things... but I think I miss the customization options that a save dialog provides.