Slashdot Mirror
Apple Releases Mac OS X 10.3.9 Update
OmniVector writes "Right after the Mac OS X 10.4 Tiger announcement just a few days ago, Apple has released an update to version 10.3.9 for Mac OS X and Mac OS X Server (both available via Software Update). The changes mostly include bugfixes with Stickies, Safari, and the Finder." The Server update also addresses issues with Open Directory, cyrus, AFP, and SMB, among others. Apple also updated iMovie, iPhoto, iDVD, and iSight this week.
Now my Mac doesn't lock up when I choose the "Restart..."/"Shut Down..." and then sleep the screen during the optional 2-minute wait period.
-- Boycott Shell
wow i'm a dumbass, and completely left out something really important! Safari 1.3 came out with this update. and consequently seems to have caused problems with some of my Adium themes and Colloquy no longer even renders. Also, one of my Safari plugins caused safari to crash on launch. (AcidSearch it appears).
lastly, folks, beware of the warning on apple's front page with this update if you're running mac os x server! You must have an administrator account password that does not contain spaces or Option-keyed characters to install this update.
- tristan
It seems as if this update fixed the sensitivity problems with my PowerBook trackpad. I have a 1.67Ghz PB with the new trackpad that supports the vertical/horizontal scrolling stuff and it has always been far less sensitive than my old PB -- until I rebooted after this update. Cool!
Although the Safari upgrade re-added Apple, Amazon, eBay, etc. links to my bookmark bar. That was sort of annoying, but easy enough to fix.
Hexy - a strategy game for iPhone/iPod Touch
Everything feels peppier and more responsive! Doesn't take 15 minutes to copy a 20MB file anymore either.
;)
Haven't even run the update yet either.
Karma: Chameleon (mostly due to the fact that you come and go).
There are definitely some bugfixes for stickies and the like. But there are also some important security fixes in the bag. That is a lot of CAN entries for a update that is "mostly bugfixes."
For whatever reason apple felt icky about calling it an "update," so they threw in this language:
"Note: It is Apple's standard practice to provide security fixes via a Security Update. On occasion, when a security fix is required to a core system component such as the Kernel, it will be released in a Software Update."
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
APPLE-SA-2005-04-15 Mac OS X v10.3.9
Mac OS X v10.3.9 and Mac OS X Server v10.3.9 are now available and deliver the following security enhancements:
Kernel
CVE ID: CAN-2005-0969
Impact: A kernel input validation issue can lead to a local denial of service
Description: The Kernel contains syscall emulation functionality that was never used in Mac OS X. Insufficient validation of an input parameter list could result in a heap overflow and a local denial of service through a kernel panic. The issue is addressed by removing the syscall emulation functionality. Credit to Dino Dai Zovi for reporting this issue.
Kernel
CVE ID: CAN-2005-0970
Impact: Permitting SUID/SGID scripts to be installed could lead to privilege escalation. Description: Mac OS X inherited the ability to run SUID/SGID scripts from FreeBSD. Apple does not distribute any SUID/SGID scripts, but the system would allow them to be installed or created. This update removes the ability of Mac OS X to run SUID/SGID scripts. Credit to Bruce Murphy of rattus.net and Justin Walker for reporting this issue.
Kernel
CVE ID: CAN-2005-0971
CERT: VU#212190
Impact: A Kernel stack overflow in the semop() system call could lead to a local privilege escalation.
Description: The incorrect handling of system call arguments could be used to obtain elevated privileges. This update includes a fix to check access to the kernel object.
Kernel
CVE ID: CAN-2005-0972
CERT: VU#185702
Impact: An integer overflow in the searchfs() system call could allow an unprivileged local user to execute arbitrary code with elevated privileges
Description: The searchfs() system call contains an integer overflow vulnerability that could allow an unprivileged local user to execute arbitrary code with elevated privileges. This update adds input validation on the parameters passed to searchfs() to correct the issue.
Kernel
CVE ID: CAN-2005-0973
Impact: Local system users can cause a system resource starvation
Description: A vulnerability in the handling of values passed to the setsockopt() call could allow unprivileged local users to exhaust available memory. Credit to Robert Stump for reporting this issue.
Kernel
CVE ID: CAN-2005-0974
CERT: VU#713614
Impact: Local system users can cause a local denial of service
Description: A vulnerability in the nfs_mount() call due to insufficient checks on input values could allow unprivileged local users to create a denial of service via a kernel panic.
Kernel
CVE ID: CAN-2005-0975
Impact: Local system users can cause a temporary interruption of system operation
Description: A vulnerability in the parsing of certain executable files could allow unprivileged local users to temporarily suspend system operations. Credit to Neil Archibald for reporting this issue.
Safari
CVE ID: CAN-2005-0976
Impact: Remote sites could cause html and javascript to run in the local domain.
Description: This update closes a vulnerability that allowed remote websites to load javascript to execute in the local domain. Credit to David Remahl for reporting this issue.
Note: It is Apple's standard practice to provide security fixes via a Security Update. On occasion, when a security fix is required to a core system component such as the Kernel, it will be released in a Software Update.
Mac OS X v10.3.9 and Mac OS X Server v10.3.9 may be obtained from the Software Update pane in System Preferences, or Apple's Software Downloads web site:
Douglas Calvert
Hey has anyone else found that java apps stop working. I can't get Eclipse or FurtherNET to start.
Are any of you getting a segfault when running java from the Terminal?
Anyone have this problem and found a fix? I'm out of ideas.
The light sensor in my Powerbook isn't going nuts changing my screen brightness anymore. Maybe this issue has been fixed too. I'm not in fluorescent lighting to give it a good test though.
It's actually an issue with firefox interpreting inadvertent horizontal scrolling (easy to do with iscroll2 or the new [USB] trackpads) as back/forward requests. Here's how to fix this intentionally broken behaviour...
From macosxhints.com:
In Firefox, type about:config into the address bar and hit return. This gives you a list of all possible configuration options. The ones we want are those that start with mousewheel.horizscroll.withnokey. Make the following changes by double-clicking the appropriate option in the list:
* mousewheel.horizscroll.withnokey.action => 0
* mousewheel.horizscroll.withnokey.sysnumlines => true
I discovered this vulnerability, and i can confirm that Apple is indeed starting to think in zone separation paths...
I have written a detailed advisory about the problem (Apple conveniently "forgot" to link to it). Apple allows XMLHttpRequest more privileges when running from a file: URL than from http:. This created a problem combined with the fact that disk images are automatically mounted with predictable paths and that Safari did not enforce separation between the http: and file: zones.
Apple took the approach of separating the zones instead of limiting XMLHttpRequest access from file: URLs.
Note that Konqueror is already separating zones, and also allows file: URLs to use XMLHttpRequest to access local resources.
I don't know if there are any other instances where the local zone is given higher privileges than the Internet zone. That's something for future research. If you haven't already updated, feel free to test the demo exploit on the advisory page.
Apple haven't disabled SUID binaries, just SUID scripts. SUID scripts are fundamentally insecure (do a google on "setuid script" for some references) and are already disabled in every other major unix distribution.