Slashdot Mirror
Apple Releases Mac OS X 10.3.9 Update
OmniVector writes "Right after the Mac OS X 10.4 Tiger announcement just a few days ago, Apple has released an update to version 10.3.9 for Mac OS X and Mac OS X Server (both available via Software Update). The changes mostly include bugfixes with Stickies, Safari, and the Finder." The Server update also addresses issues with Open Directory, cyrus, AFP, and SMB, among others. Apple also updated iMovie, iPhoto, iDVD, and iSight this week.
Now my Mac doesn't lock up when I choose the "Restart..."/"Shut Down..." and then sleep the screen during the optional 2-minute wait period.
-- Boycott Shell
wow i'm a dumbass, and completely left out something really important! Safari 1.3 came out with this update. and consequently seems to have caused problems with some of my Adium themes and Colloquy no longer even renders. Also, one of my Safari plugins caused safari to crash on launch. (AcidSearch it appears).
lastly, folks, beware of the warning on apple's front page with this update if you're running mac os x server! You must have an administrator account password that does not contain spaces or Option-keyed characters to install this update.
- tristan
I've been bug reporting and complaining about the SSL performance in Safari for almost two years. Folks here and on other Mac forums have dismissed me as some type of loon (they are more right than I'd like to admit most of the time). Apple finally does something about it (though, we'll see if it really helps...I'm installing it now).
It's nice to be right...
Mind the gap...
It seems as if this update fixed the sensitivity problems with my PowerBook trackpad. I have a 1.67Ghz PB with the new trackpad that supports the vertical/horizontal scrolling stuff and it has always been far less sensitive than my old PB -- until I rebooted after this update. Cool!
Although the Safari upgrade re-added Apple, Amazon, eBay, etc. links to my bookmark bar. That was sort of annoying, but easy enough to fix.
Hexy - a strategy game for iPhone/iPod Touch
Everything feels peppier and more responsive! Doesn't take 15 minutes to copy a 20MB file anymore either.
;)
Haven't even run the update yet either.
Karma: Chameleon (mostly due to the fact that you come and go).
There are definitely some bugfixes for stickies and the like. But there are also some important security fixes in the bag. That is a lot of CAN entries for a update that is "mostly bugfixes."
For whatever reason apple felt icky about calling it an "update," so they threw in this language:
"Note: It is Apple's standard practice to provide security fixes via a Security Update. On occasion, when a security fix is required to a core system component such as the Kernel, it will be released in a Software Update."
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
APPLE-SA-2005-04-15 Mac OS X v10.3.9
Mac OS X v10.3.9 and Mac OS X Server v10.3.9 are now available and deliver the following security enhancements:
Kernel
CVE ID: CAN-2005-0969
Impact: A kernel input validation issue can lead to a local denial of service
Description: The Kernel contains syscall emulation functionality that was never used in Mac OS X. Insufficient validation of an input parameter list could result in a heap overflow and a local denial of service through a kernel panic. The issue is addressed by removing the syscall emulation functionality. Credit to Dino Dai Zovi for reporting this issue.
Kernel
CVE ID: CAN-2005-0970
Impact: Permitting SUID/SGID scripts to be installed could lead to privilege escalation. Description: Mac OS X inherited the ability to run SUID/SGID scripts from FreeBSD. Apple does not distribute any SUID/SGID scripts, but the system would allow them to be installed or created. This update removes the ability of Mac OS X to run SUID/SGID scripts. Credit to Bruce Murphy of rattus.net and Justin Walker for reporting this issue.
Kernel
CVE ID: CAN-2005-0971
CERT: VU#212190
Impact: A Kernel stack overflow in the semop() system call could lead to a local privilege escalation.
Description: The incorrect handling of system call arguments could be used to obtain elevated privileges. This update includes a fix to check access to the kernel object.
Kernel
CVE ID: CAN-2005-0972
CERT: VU#185702
Impact: An integer overflow in the searchfs() system call could allow an unprivileged local user to execute arbitrary code with elevated privileges
Description: The searchfs() system call contains an integer overflow vulnerability that could allow an unprivileged local user to execute arbitrary code with elevated privileges. This update adds input validation on the parameters passed to searchfs() to correct the issue.
Kernel
CVE ID: CAN-2005-0973
Impact: Local system users can cause a system resource starvation
Description: A vulnerability in the handling of values passed to the setsockopt() call could allow unprivileged local users to exhaust available memory. Credit to Robert Stump for reporting this issue.
Kernel
CVE ID: CAN-2005-0974
CERT: VU#713614
Impact: Local system users can cause a local denial of service
Description: A vulnerability in the nfs_mount() call due to insufficient checks on input values could allow unprivileged local users to create a denial of service via a kernel panic.
Kernel
CVE ID: CAN-2005-0975
Impact: Local system users can cause a temporary interruption of system operation
Description: A vulnerability in the parsing of certain executable files could allow unprivileged local users to temporarily suspend system operations. Credit to Neil Archibald for reporting this issue.
Safari
CVE ID: CAN-2005-0976
Impact: Remote sites could cause html and javascript to run in the local domain.
Description: This update closes a vulnerability that allowed remote websites to load javascript to execute in the local domain. Credit to David Remahl for reporting this issue.
Note: It is Apple's standard practice to provide security fixes via a Security Update. On occasion, when a security fix is required to a core system component such as the Kernel, it will be released in a Software Update.
Mac OS X v10.3.9 and Mac OS X Server v10.3.9 may be obtained from the Software Update pane in System Preferences, or Apple's Software Downloads web site:
Douglas Calvert
Hey has anyone else found that java apps stop working. I can't get Eclipse or FurtherNET to start.
Are any of you getting a segfault when running java from the Terminal?
Anyone have this problem and found a fix? I'm out of ideas.
If you use AcidSearch, you'll find that Safari segfaults on startup. You can get Safari back by removing /Library/Application Support/SIMBL/Plugins/AcidSearch.bundle. AcidSearch is cool; I hope they update soon.
The light sensor in my Powerbook isn't going nuts changing my screen brightness anymore. Maybe this issue has been fixed too. I'm not in fluorescent lighting to give it a good test though.
It's actually an issue with firefox interpreting inadvertent horizontal scrolling (easy to do with iscroll2 or the new [USB] trackpads) as back/forward requests. Here's how to fix this intentionally broken behaviour...
From macosxhints.com:
In Firefox, type about:config into the address bar and hit return. This gives you a list of all possible configuration options. The ones we want are those that start with mousewheel.horizscroll.withnokey. Make the following changes by double-clicking the appropriate option in the list:
* mousewheel.horizscroll.withnokey.action => 0
* mousewheel.horizscroll.withnokey.sysnumlines => true
I discovered this vulnerability, and i can confirm that Apple is indeed starting to think in zone separation paths...
I have written a detailed advisory about the problem (Apple conveniently "forgot" to link to it). Apple allows XMLHttpRequest more privileges when running from a file: URL than from http:. This created a problem combined with the fact that disk images are automatically mounted with predictable paths and that Safari did not enforce separation between the http: and file: zones.
Apple took the approach of separating the zones instead of limiting XMLHttpRequest access from file: URLs.
Note that Konqueror is already separating zones, and also allows file: URLs to use XMLHttpRequest to access local resources.
I don't know if there are any other instances where the local zone is given higher privileges than the Internet zone. That's something for future research. If you haven't already updated, feel free to test the demo exploit on the advisory page.
Apple haven't disabled SUID binaries, just SUID scripts. SUID scripts are fundamentally insecure (do a google on "setuid script" for some references) and are already disabled in every other major unix distribution.
conspiracy theories such as this are just plain stupid. In Apple's history, having buggy systems never has contributed to people buying "fixed" system updates. Quite the contrary, system 7.5 and 7.5 probably lost apple more market share than any thing else in their history.
Apple is in a fragile enough place without purposely sending out bad software under the impression they will encourage software sales. they are just as likely to lose people who go to windows under that strategy and would suggest marketing people are telling engineers to make thing go bad. sounds implausible at best given that lead on OS X has was guy who developed Next and Steve Jobs in infamous for demanding things work the first time.
Apple as small market, is under more pressure to makes things work well because they dont have the crutch of a monopoly to hold them up until they fix their shit. one of reasons most apple users are repeat customers.
the more likely answer, they fucked up, makes a lot more sense.
but because apple sells updates, rabid Linux zealots see conspiracy in anything they do.
Since the anonymous comment hasn't been modded up yet...
Stickies is a beautiful application, sheer coding elegance. It does one thing very well. All it does is display a bunch of text windows in a variety of pastel colors. Each window can be 'windowshaded', which minimizes a window in place by displaying just the title bar (toggled with a double click). I keep all of my stickies windowshaded - the first line of text shows in the title bar so you can tell them apart. And you can drag and drop in and out of a sticky.
That's all Stickies does. It displays windows you can type into. Nothing fancy, sheer minimalism in action. Adding more features would destroy the program's simplicity.
Give 'em a try, they're a great place to stash snippets of text without going to multiple clipboards.
But they aren't plain vanilla text windows. When Apple wrote the default text editing widget for Cocoa they made it very powerful. Because of that text in a sticky note can be be in any mix of fonts and faces, images can be pasted in, and the text can be kerned, and styles can be copied and re-applied. You even inherit the system-wide spellchecker by using the standard text widget.
Apple has provided a very rich application framework, which raises the quality of software produced by small shops. We've all seen the infinity variety (and range of quality) of widgets that turn up in shareware for Windows. Having a rich frameowrk provided with the OS (and the developer tools) is much better, trust me on this.
The drag and drop feature is really nice. Windows has it, but it's much more widely support in Mac apps, again because of the rich frameworks.
Mac OS 9 had that windowshading for all windows, some miss it so there are extensions for OS X that do that.
Veteran, Bermuda Triangle Expeditionary Force, 1992-1951