Slashdot Mirror


User: HSpirit

HSpirit's activity in the archive.

Stories: 0
Comments: 79

Comments · 79

  1. Re:AFS server issue is a remote root vulnerability on Security Updates, Notices for Mac OS X · · Score: 4, Informative

    Wow, that's a pretty severe vulnerability to make it through Apple's QA processes...

    As the previous poster intimates, without an intervening firewall, if you've got AFP turned on (and probably any workgroup of 2 or more Macs would) you're hosed.

    A further issue with this is that the inbuilt GUI firewall front-end provided by Apple is brain-dead in that it doesn't allow you to configure per interface rules. This means that if you want a dual-homed Mac acting as a gateway to share files on its internal interface, the external interface is left vulnerable.

    The actual firewall backend - ipfw, inbuilt and inherited from FreeBSD - is sufficiently sophisticated to enable per interface rules, but to access this functionality you need to completely disable the GUI firewall front-end and configure ipfw yourself using the command line.

    It's been this way since Jaguar (10.2) and I sincerely hope that Apple fix this in 10.4 otherwise - with vulnerabilities like this - its reputation for security over its Windows rivals will be sorely tested.
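Added example, not part of the comment above: a sketch of the per-interface ipfw rules the comment describes, for a dual-homed gateway that should serve AFP (TCP 548) on its internal interface only. The interface names (`en1` internal, `en0` external), the rule numbers and the function names are assumptions, and the GUI firewall is assumed to be switched off, as the comment says it must be.

```shell
#!/bin/sh
# Added example: per-interface ipfw rules for AFP on a dual-homed gateway.
# Interface names and rule numbers are assumptions; adjust them to the host.

AFP_PORT=548   # AFP over TCP

# Print the ipfw commands, one per line, without running them, so the
# ruleset can be reviewed before it is applied (e.g. piped to "sudo sh").
afp_rules() {
    internal_if=$1
    external_if=$2
    if [ -z "$internal_if" ] || [ -z "$external_if" ] ||
       [ "$internal_if" = "$external_if" ]; then
        echo "afp_rules: need two distinct interface names" >&2
        return 1
    fi
    # Accept AFP only when the packet arrives on the internal interface.
    echo "ipfw add 2000 allow tcp from any to any $AFP_PORT in via $internal_if"
    # Refuse AFP arriving on the external interface.
    echo "ipfw add 2010 deny tcp from any to any $AFP_PORT in via $external_if"
    # Refuse it on every interface not named above, including ones added later.
    echo "ipfw add 2020 deny tcp from any to any $AFP_PORT in"
}

# Audit a ruleset passed as one string: succeed only if every rule that
# allows the AFP port is tied to an interface with "via". A rule without
# an interface qualifier applies to all interfaces, external one included.
rules_are_interface_scoped() {
    ! printf '%s\n' "$1" | grep "allow .* $AFP_PORT" | grep -qv " via "
}

# Stand-alone use: ./afp-rules.sh --print en1 en0
if [ "${1:-}" = "--print" ]; then
    afp_rules "${2:-}" "${3:-}"
fi
```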

  2. Spams are using this on New Windows Vulnerability in Help System · · Score: 3, Insightful

    The other day my boss called me over to check out a suspicious looking email that had made its way past SpamAssassin. It rendered blank, but looking at the raw message code revealed it was using just this kind of exploit (with a <FORM> to obfuscate what was really happening).

    My boss' account has Restricted User privileges, with Eudora as the MUA and Mozilla as the browser, so no panic, but the fact that spammers are already using this is scary.

  3. Re:I knew this was going to happen... on Mac OS X Trojan Horse Infects MP3s · · Score: 1

    Extensions are the worst solution. The file name should be just that - a name, a device for identifying the file and distinguishing it from other files.

    Using the name to describe the type of file is like calling yourself "Joe Bloggs Male Student". We don't do this because we know that mixing a person's name and their other vital statistics is a bad idea.

    Why should changing the name of a file from

    porn.jpg
    to
    porn.pdf
    change which application opens the file? Worse still, why should changing it to
    porn.exe
    cause the operating system to attempt to execute it?

    If you need some further (and far more eloquent!) convincing I suggest you read this arstechnica article and I think you will change your opinion.

  4. Only iLife's iPhoto is updated on iChat AV 2.1, iPhoto 4.0.1 Released · · Score: 1

    Don't know if anyone else got caught by this, but note that only iPhoto 4.0 - which can only be obtained in Apple's iLife bundle - is subject to the update.

    The latest version of iPhoto that comes free with MacOS X (even 10.3 a.k.a. Panther) is version 2.0. The update installer refuses to install the update if you have this version, and forcing the update using something like Pacifist makes iPhoto unworkable.

  5. Re:nice features list on PhatBot Trojan Spreading Rapidly On Windows PCs · · Score: 4, Informative

    I've been in regular contact with an antivirus vendor's support people over 2 weeks trying to explain to them that it is NOT acceptable for users to have Power User privileges in order for their AV definitions to auto-update... It's like talking to a brick wall, here's an example of their 'support' verbatim:

    You may need to change the permissions on your c drive or the vet folder to everyone

    Double click on My Computer
    Right click on C drive

    Left click on properties
    Left click on Sharing
    left click on permissions
    Choose everyone a click ok
    Then click o.k

    Then perform an autodownload

    Double click on My Computer
    Double left click on the Vet
    Right click on C drive

    Left click on properties
    Left click on Sharing
    Then click on share this folder left click on permissions
    Choose everyone a click ok
    Then click o.k

    This should allow you to perform an autodownload.

    You may have to do the same on the c:\temp or c:\windows\temp
    folder or c:\document and settingsyour username\temp

    Sorry? Do you mean give everyone full control to my system drive, as well as your AV definitions, configuration files and executable code? You've got to be kidding!

    And surely you'd think that AV vendors would understand better than most the need for their software to operate under the principle of least privilege.

    Give me a Mac (or other *nix) box anyday is what I say...

  6. Re:overgeneralisation on Implementing CIFS · · Score: 1

    ...And even though it's installed by default, that doesn't mean everybody who failed to deinstall it actually used it.
    Every time I do a
    nmblookup -A
    lookup on a machine which has not uninstalled NetBIOS over TCP (providing port 137 isn't firewalled) that box is using SMB whether its owner likes it or not :)
  7. Re:Dictating States of America on Australia-U.S. Trade Agreement Contains DMCA-like Provisions · · Score: 1

    Every day it's harder and harder for me to condemn anti-american terrorists.
    Except that they target civilians, approximately half of whom (statistically) agree with your point of view.
  8. Re:lobby group good, industry censorship bad on Cybersecurity Firms Form Industry Association · · Score: 1

    ...Is there not such a thing as "society"?
    You have obviously never heard of Margaret Thatcher or Ronald Reagan... or the 80s, for that matter.
  9. Re:Microsoft Publisher? on Microsoft's Mac Business Unit · · Score: 1

    My first (and only) serious attempt to do some professional printing with Publisher was for a short-lived newsletter for my local football club. Fresh out of college (where we used PageMaker 5 or 6 from memory) I couldn't afford a Mac or decent software, so I used Publisher 98 on a PC.

    When we took it to the printer, they were horrified that I had even considered using Publisher. The best they could do was print it to a laser printer from a PC with Publisher loaded on it, and then photocopy the output from the laser printer!

    Looked god-awful, and I learned my lesson: never use anything Micro$oft for anything prepress.

    I have heard that Publisher 2002 has made some great inroads in producing reliable postscript output, but the problem now is that too many prepress bureaux and offset printers have been burnt by Micro$oft's incompetence in the past. So to anybody even remotely considering producing content for professional printing, now is the time to invest in InDesign or XPress (or even PageMaker if you must).

  10. Re:MSoffice on Mac is STILL second rate on Microsoft's Mac Business Unit · · Score: 2, Insightful

    The argument against this which I have heard in the past is that Access relies heavily on backend DLLs shipped as part of the Windows OS, and hence would require more work to port to Mac than the other Office apps.

    Having said that, I've never been convinced of this argument, as the same is true of IE, but of course that didn't stop a Mac version of IE being developed.

    My suspicion has always been that not porting Access is a strategic decision by Micro$oft to keep the SME market away from Macs - I have absolutely no evidence for that, I just haven't heard a better competing theory.

  11. Re:Microsoft Publisher? on Microsoft's Mac Business Unit · · Score: 1

    Man, you've got to either:

    1. find yourself some half-decent DTP software (Quark XPress and Adobe InDesign come to mind, but there are cheaper offerings available too if you don't need to send your work to a commercial printer)

    OR

    2. learn how to use the full page layout capabilities of Word.

    Publisher sucks. Really. Badly.
  12. Re:If I've said it once . . . on More MyDoom Gloom · · Score: 1

    Here's a custom set of SA rules I've used to filter out most of the Mydoom crap [hopefully without too many false positives]:

    ###
    # Custom antimalware tests and measures
    ###
    # treat all messages containing Microsoft executables suspiciously
    score MICROSOFT_EXECUTABLE 5.0
    #
    # test for W32.MyDoom malware
    body MYDOOM_FAKE_SMTP_ERROR /Mail transaction failed. Partial message is available./
    body MYDOOM_UNICODE_BINARY /The message contains Unicode characters and has been sent as a binary attachment./
    body MYDOOM_7BIT_BINARY /The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment./
    body MYDOOM_TEST /^test$/
    describe MYDOOM_FAKE_SMTP_ERROR Fake SMTP error message typically sent by W32.Mydoom malware
    describe MYDOOM_UNICODE_BINARY Techno mumbo-jumbo typically sent by W32.Mydoom malware (1)
    describe MYDOOM_7BIT_BINARY Techno mumbo-jumbo typically sent by W32.Mydoom malware (2)
    describe MYDOOM_TEST Message with 'test' on single line typically sent by W32.Mydoom malware
    score MYDOOM_FAKE_SMTP_ERROR 5.0
    score MYDOOM_UNICODE_BINARY 5.0
    score MYDOOM_7BIT_BINARY 5.0
    score MYDOOM_TEST 5.0
    #
  13. Re:10.2.8? on Apple Releases Security Update 2004-01-26 · · Score: 1

    I am not a Micro$oft/Windows apologist by any means, but Microsoft are still supporting Windows 2000 (which predates MacOS X 10.1 aka 'Puma'), and have even given a half-arsed commitment to provide security updates for a fully service-packed Windows NT4 (which probably predates MacOS 9.2, although I could be wrong on that count).

  14. On other news... on Linus Says 2004 is the Year for Desktop Linux · · Score: 1
    • Gates says this is the Year for Windows Security
    • Bush says this is the Year for Finding Weapons of Mass Destruction
    • Jobs says this is the Year for No Speculation of the Demise of Apple
  15. Adelaide Alive on Linus Sighted At LCA2004 · · Score: 3, Funny

    (Private Adelaide joke) Wow, as an Adelaidian I can confidently say this Slashdot article is the most exposure our little town has had since Melbourne stole our Grand Prix.

  16. Re:OpenBSD on SmoothWall 2.0 Linux-Based Firewall Released · · Score: 1

    Using OpenBSD 3.3 on a Pentium 75 (yes, that's a seven and a five with no digit in front) as a firewall for a 4 client small office network. Have been for quite some time now.

    I don't see what any special linux firewall distro can offer me that OpenBSD can't - that's apart from a little ease of use for those who are command-line averse, I guess... We don't have any special requirements such as VPNs, proxies or anything like that, but from what I remember from the documentation OpenBSD can handle that, too.

    Or am I missing something, here?

  17. Re:it wouldn't change anything on New IE Holes Discovered · · Score: 1

    I've been on a campaign lately trying to get people to switch from IE. I've been pushing Netscape 7.x instead of Mozilla though, as I find explaining the difference is tedious to say the least. I'd prefer if they used the AOL-brand free version, but Netscape is better than nothing.
    I used to agree with you here about using Netscape's brand recognition, but unfortunately the most recent (and from all accounts last) release - Netscape 7.1 - is based on Mozilla 1.4 which has a comparable list of vulnerabilities (not to mention other bugs) as IE.

    There is an online petition for AOL to release the Netscape brand, perhaps some readers of Slashdot should consider signing it.

    In the mean time, I suggest any advocacy should be towards Mozilla 1.4.1, which is functionally superior to any current version of IE while being far more stable and having far fewer known vulnerabilities.

  18. Re:It's an old argument on Apple Responds to Exploit · · Score: 2, Informative

    so I guess I'll also have to script some gadget talking to messenger to keep them happy.
    Very easy to do, all you need to do is install smbclient and the samba codepages on your *nix server, and then use smbclient's -m switch.

    I have an OpenBSD gateway on a dial-up connection serving my small office network, and I use this solution to inform the users when the dialup connection goes down/up.

    Saves me many calls of the type: "Hey, is the internet down?!"

  19. Re:As a real life OS X User on Ars Technica Posts Panther Review · · Score: 1

    I'm still using 10.1 on the PowerMac G4-800 at work due to my boss' tight purse-strings, and while I would dearly love (and have suggested to him) upgrading to Panther, I'm with you:

    • QuarkXPress 5 works just fine in Classic.
    • Photoshop 7 is a little slow at times, but it gets the job done.
    • We use the Mac to deliver mail with in-built sendmail, receive mail with fetchmail (compiles using in-built gmake), and host a basic intranet with in-built Apache.
    For a small advertising design and booking agency, our two-year old Mac with twice-superseded OS is doing the job just fine!

    (My only major source of grief is the poor Windows file/print networking support in 10.1 - I am looking forward to the day we upgrade for this reason...)

  20. Re:well on 'Black Box' Readings Help Convict Montreal Driver · · Score: 1

    Firstly, I don't judge the (in)correctness of my views by their popularity. Some of the most important thinkers we have seen [not that I am one of them] were shunned at the time their views were published.

    Secondly, of course the right to drive a car is not enumerated in any Constitution, Bill of Rights, etc. Neither 'pistol' nor 'rifle' are mentioned in the US Bill of Rights, I believe, yet it is pretty much accepted that the "right to bear arms" includes these, albeit subject to conditions such as your criminal history, mental state, etc.

    Thirdly, I don't live in the "boondocks" [an Americanism, not sure what that means - perhaps "the Sticks", "the country", "outback"?] but the suburbs. Many people do. Many people live on farms, too. Public transit can improve, but even then, it will never be universally available.

    So I think you miss my point entirely. I am simply saying as a citizenry we must defend ourselves from intrusions from the state, and something like movement in a car is indeed a right that we should value and exercise as such, not some sort of privilege that we should be thankful to our local/state/national government for bestowing upon us. I actually agree that this Montreal motorist had everything coming to him, and don't disagree with the admission of the Black Box as evidence [subject to transparent technical assessment]. Just don't go saying something as fundamental in our modern society as driving is a privilege.

  21. Re:well on 'Black Box' Readings Help Convict Montreal Driver · · Score: 1
    Driving is not a right, but a privilege...

    Driving is a right. Check your statutes. Sure, you need to satisfy certain conditions, but the last time I checked, in a democratic, liberal society it is the citizenry that have rights and the state is our creation to ensure nobody else infringes upon those rights.

    You set a dangerous precedent by declaring that as a citizenry we do not have a right to freedom of movement. Let's face it, we're not living in communal villages anymore, most people need a car to earn a living, socialise and recreate. If you have the privilege of an acceptable public transit system, I envy you, but most citizens living in Australia (and I imagine this applies to the US too) do not.

    I am not advocating a free-for-all on our roads. I accept dangerous driving is, well, dangerous, and no one has the right to drive that way. To do so they deprive others of their rights, and so the state has a mandate to intervene in such circumstances.

    However, do not make the mistake of extending this into a presumption that driving is a privilege. It is a right, as important as my right to walk out of my front door and take my dog to do its business without the state intervening.

  22. [OT] Windows Server 2003 on Microsoft Virtual PC 2004 Removes Linux Support · · Score: 1

    Does anyone know how/if Windows Server 2003 performs on the current release of Virtual PC?

  23. 10.1.5? on Mac OS X 10.2.8 Update, Take Two · · Score: 3, Informative

    The message from Apple Product Security includes advice on fixing the sendmail vulnerability on 10.1.5 - which is a very good thing - but nothing similar for OpenSSH or OpenSSL.

    Now, OK, from what I gather the sendmail bug is more serious in that the vulnerabilities in OpenSSH and OpenSSL seem to be limited to DoS, but wouldn't similar instructions to updating OpenSSH/SSL on 10.1.5 be useful?

    APPLE-SA-2003-10-03 Mac OS X 10.2.8 Revised

    ...

    How to install Sendmail for Mac OS X 10.1.5 systems:

    - From the UNIX command-line, perform the following steps:

    1. Download sendmail version 8.12.10 which contains the fix to the
    Zalewski advisory, released on 2003/09/17, by executing the following
    command:
    curl -O ftp://ftp.sendmail.org/pub/sendmail/sendmail.8.12.10.tar.gz

    2. Verify the integrity of this file by typing:
    cksum sendmail.8.12.10.tar.gz
    which should indicate "834313764 1892497 sendmail.8.12.10.tar.gz"

    3. Unpack the distribution as follows:
    tar xvzf sendmail.8.12.10.tar.gz

    4. Add the following line to your /etc/master.passwd file:
    smmsp:*:25:25::0:0:Sendmail User:/private/etc/mail:/usr/bin/false

    5. Add the following line to your /etc/group file:
    smmsp:*:25:

    6. Now invoke /Applications/Utilities/Netinfo Manager.app and add the
    same smmsp user and group entries to your netinfo database. The
    easiest way is to duplicate existing entries and edit them to match
    the entries in steps 4 and 5. For example, in the users pane you
    could select and the duplicate (%D) the entry for "www" and then edit
    the uid/gid/name/home directory fields in the new "www copy" to match
    those in step 4. Similarly, for groups you could select the entry for
    "mail" and duplicate it, editing just the name and gid fields to match
    those in step 5. When you're done, you should see a users/smmsp entry
    and a groups/smmsp entry.

    7. Now you're ready to start building the distribution. cd to the
    sendmail-8.12.10 directory and type "make"

    8. The next two steps will install the new sendmail:

    sudo mkdir /usr/share/man/cat1 /usr/share/man/cat5 /usr/share/man/cat8
    sudo make install

    Make sure the permissions on your root directory are 755 (or set
    DontBlameSendmail in /etc/mail/sendmail.cf) and reboot. You should
    now be running the patched sendmail.
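Added example, not part of the comment or of Apple's advisory: steps 2 and 3 of the quoted procedure joined so that the archive is unpacked only when `cksum` reports the published CRC and size. The function names are assumptions. `cksum` is a CRC, so it catches a corrupted transfer but not a deliberately altered file.

```shell
#!/bin/sh
# Added example: refuse to unpack a download unless cksum matches the
# published "CRC SIZE" pair. Function names are assumptions.

# verify_cksum FILE EXPECTED_CRC EXPECTED_SIZE
# Returns 0 only if both values match, 1 on mismatch, 2 if unreadable.
verify_cksum() {
    file=$1
    want_crc=$2
    want_size=$3
    [ -f "$file" ] || { echo "verify_cksum: no such file: $file" >&2; return 2; }
    # Reading from stdin makes cksum print "<crc> <size>" with no file name,
    # so a file name containing spaces cannot confuse the parsing below.
    out=$(cksum < "$file") || return 2
    got_crc=${out%% *}
    rest=${out#* }
    got_size=${rest%% *}
    if [ "$got_crc" != "$want_crc" ] || [ "$got_size" != "$want_size" ]; then
        echo "verify_cksum: $file: got $got_crc $got_size," \
             "expected $want_crc $want_size" >&2
        return 1
    fi
    return 0
}

# unpack_if_verified FILE EXPECTED_CRC EXPECTED_SIZE [DEST_DIR]
# Fails closed: tar never runs on an archive that did not verify.
unpack_if_verified() {
    verify_cksum "$1" "$2" "$3" || return 1
    tar -xzf "$1" -C "${4:-.}"
}

# Stand-alone use with the values quoted in the advisory:
#   ./verify.sh sendmail.8.12.10.tar.gz 834313764 1892497
if [ "$#" -ge 3 ]; then
    unpack_if_verified "$@"
fi
```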
  24. Considered legal opinion from this Bush Lawyer on Spam And Alston - From Luddite To Pin-Up? · · Score: 1

    Yes.

  25. Re:Where is 10.1.6?? on Mac OS X 10.2.8 Available · · Score: 5, Insightful

    That misses the point entirely.

    1. When was OSX 10.1 released? After Windows 2000, right? What kind of outcry would there be if Micro$oft announced:
      "There's a critical security update available for Windows XP. The issue affects Windows 2000 too, but we don't support that any more."
      There'd be people wanting to charge Micro$oft with Treason...!
    2. If I update the vendor included version with SSH with a version compiled from source, or even a binary not obtained from the vendor, in terms of support I am screwed, no?

    I recommended purchase of a Mac in our office recently, due to the fact it could handle both the graphic design and web/mail serving requirements. My boss knows about Jaguar, but his opinion is that he shouldn't have to upgrade only a year after purchasing the Mac - he has a point, surely?