Apple Posts Security Update 2005-002

Posted by pudge
from the i-am-scared dept.
thelemmings writes "Today, Apple released Security Update 2005-002 for Mac OS X. It fixes a bug in the Java 1.4.2 implementation where an untrusted applet could gain elevated privileges and potentially execute arbitrary code. Sounds scary."
  • Safari Popup Fix (Score:5, Informative)

    by nuxx (10153) on Wednesday February 23, 2005 @01:06AM (#11752943)
    Also, it appears to contain a tweak to the Safari popup blocker, as it now seems to be blocking the new popunders that everyone has been clamoring about.

    This seems like a really good thing to me...
    • shhh, you'll wake up the ad guys =\
    • Re:Safari Popup Fix (Score:4, Interesting)

      by the pickle (261584) on Wednesday February 23, 2005 @01:46AM (#11753136)
      Has it fixed the IDN vulnerability yet? 10.3.8 didn't...

      p
    • Also, it appears to contain a tweak to the Safari popup blocker, as it now seems to be blocking the new popunders that everyone has been clamoring about.

      I'm running 10.3.8 with this latest security update, and I'm still getting popunders in Safari at several websites, like http://www.snopes.com/ [snopes.com] and http://www.drudgereport.com/ [drudgereport.com], so I guess it's not fixed after all.
  • Scary? Well... (Score:5, Interesting)

    by JavaRob (28971) on Wednesday February 23, 2005 @01:53AM (#11753164)
    This is a serious bug and an important security update, and I'm not blowing that off... but I gotta live up to my username and point out the other side of the coin.

    So what happened is one version of the JVM, on OSX, has an exploitable flaw that still leaves it less dangerous than... well, Active-X, unflawed.

    It's not as serious a problem as it looks, also. They can't install a rootkit or anything like that, just because of the way OSX is designed. Say you have a Mac, and browsed to a site hosting a malicious applet (it's not a virus, so you'd have to *go* there to be in danger, and the website creator is obviously easier to trace than a virus writer). That applet could overwrite your documents, and wreak a lot of havoc, but you're not going to get owned. The Mac will prompt you for a password before it lets any software touch the core software (even its own security update!).

    So -- yes, get the fix if you've got a mac, but it's not "scary".
    • This is far more scary than ActiveX as Safari will not prompt you to run an applet, it will just run it and then your os x account is compromised. ActiveX on the other hand prompts you before it is run.

      This means that someone who knows what they are doing is at more risk on OS X than on Windows.

      I'm not claiming that OS X is less secure (I'm running it right now), but this is scary (relatively).

      Just mistype a URL and you're compromised.
      • ... not quite.

        Mis-type a URL when the new URL goes to a cleverly written piece of Java designed specifically to hack your OS X and you'll be compromised.

        Mis-type the other 99.999999% (+/- 0.0000001% error) of URLs and you'll be fine.

        Still, you're correct on the bit about Safari not prompting you to run a Java applet. I think you can turn Java off though (not in front of the iBook right now, can't recall). The update fixes a potentially big hole.
      • >>ActiveX on the other hand prompts you before it is run.

        Not as default; you have to set it to do that.

        So they aren't all that different except the Core of OS X will still be safe while Windows just became a spam zombie.

        Both will destroy whatever personal data they can get ahold of.
      • ActiveX exploits in the wild?

        Java Applet exploits in the wild?

        Tell me those two numbers and then we can talk about which is scarier.

    • it's not a virus, so you'd have to *go* there to be in danger,

      I don't think that word means what you think it means. A worm is self-replicating without needing any other assistance.
    • Re:Scary? Well... (Score:1, Informative)

      by Anonymous Coward
      Most malicious websites don't care about deleting your documents or "owning" your machine -- they just want to turn you into a spam relay. Which OS X's user accounts do nothing to prevent.
      • Re:Scary? Well... (Score:3, Interesting)

        by Anonymous Coward
        Which OS X's user accounts do nothing to prevent.

        You misspelled "allow." You also used a sentence fragment. It's a real mess. Here, let me help make your point a little more clear and accurate.

        Most malicious websites are not trying to delete your documents or "own" your machine. Their purpose is to turn your computer into a spam relay, which OS X's user accounts do not allow.


        That's much better.
        • All of the user accounts on my OS X machines are allowed to send as much email as they want. The OS does nothing at all to prevent my account or any other user's account from sending billions of pieces of spam. My ISP would probably cut off my DSL before I managed to send that much, but my Mac's happy to send it all.

          How is this "informative"?

          • the parent post probably thinks that you can't be a spam relay without listening on port 25 - which a mac os x user account can't do.
          • I googled for stats on open relays running on windows vs. linux vs. mac, etc. but couldn't find anything.

            Obviously I've never tried to set up a hidden open relay on a Mac, so I don't know what would be involved. It would need to accept incoming connections (perhaps the built-in firewall stops that?), though you could use a custom configuration where it just checks an IRC channel or webpage for messages to send and delivery addresses, etc.

            I don't know enough about Macs to say exactly what's possible and
            • It's not happening now because it's a lot harder to turn the Mac into a zombie in the first place. You're hardly going to build an efficient collection of spamming zombies by putting malicious Java applications on random websites that no one's likely to visit. But once you do manage to get control of a machine, it's just as easy to do bad stuff with it if it's a Mac as it is with a Windows machine. You might not be able to do bad stuff to the machine to the same extent, but anything a user can do, a comp
    • Re:Scary? Well... (Score:3, Insightful)

      by piltdownman84 (853358)
      Can someone please explain to me something? I'm not trying to be a troll, but why is overwriting my documents/home/user directory seen as something minor?

      I always see people claiming that on Linux, OS X, xyz you are safe because your system can't get hurt, only your personal data. I personally care a lot more about what is in my user directory than my system. If my system gets hosed I lose maybe a Sunday afternoon installing everything again, but if my user directory goes I'm going to cry. I have s
      • backups. Most nerds on /. (myself included) take the time to back up their personal documents. OTOH we also spend a great deal of time tweaking our system. It would take me maybe 10 mins to restore my home directory were it to get hosed right now (due to access controls it'd probably be hard for something to hose the rest of my nonbase sys data on other drives), it would probably take me a couple hours to get my system back up to my normal level of usefulness were the base system hosed right now.

        Also, it's a
      • "Real hackers" have spent years tweaking with their OS, getting it exactly how they like. What they've been working on is probably mostly new programs, which if they are complete, and even if they're not, are likely to be installed, so a virus can't touch them.

        WRT your mp3s, make them so that you don't have access to write them - chmod 444 and chown root. Then chmod sticky but group-writeable your mp3 directory and chown that root as well. Same for anything you're not editing. Then a virus can't touch anyth
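
The layout suggested in the comment above (files `chmod 444` and owned by root, inside a root-owned, group-writable directory with the sticky bit), modelled here as an added example that is not part of the original thread. It evaluates classic POSIX mode bits only and ignores ACLs and file flags; the uid and gid values are constructed.

```python
import stat
from dataclasses import dataclass

@dataclass(frozen=True)
class Node:
    """Owner, group and mode bits of a file or directory (as from os.stat)."""
    uid: int
    gid: int
    mode: int

def class_bits(node, uid, gids):
    """rwx triplet POSIX applies to this caller: owner, else group, else other."""
    if uid == node.uid:
        return (node.mode >> 6) & 7
    if node.gid in gids:
        return (node.mode >> 3) & 7
    return node.mode & 7

def can_modify(f, uid, gids):
    """Can code running as uid change the contents of file f?"""
    if uid == 0 or uid == f.uid:
        return True  # root bypasses modes; an owner can chmod the write bit back
    return bool(class_bits(f, uid, gids) & 2)

def can_delete(f, d, uid, gids):
    """Can code running as uid unlink or rename f inside directory d?"""
    if uid == 0:
        return True
    if (class_bits(d, uid, gids) & 3) != 3:  # needs write + search on d
        return False
    if d.mode & stat.S_ISVTX:  # sticky: only the file owner or directory owner
        return uid in (f.uid, d.uid)
    return True

def exposure(f, d, uid, gids):
    return {"modify": can_modify(f, uid, gids), "delete": can_delete(f, d, uid, gids)}

# Constructed sample values: the user is uid 501 in group 20; root is uid 0.
USER, GROUPS = 501, {20}
LAYOUTS = {  # name: (file, containing directory)
    "default":         (Node(501, 20, 0o644), Node(501, 20, 0o755)),
    "chmod 444 only":  (Node(501, 20, 0o444), Node(501, 20, 0o755)),
    "root, no sticky": (Node(0, 20, 0o444), Node(0, 20, 0o775)),
    "root + sticky":   (Node(0, 20, 0o444), Node(0, 20, 0o1775)),
}

def report():
    return {name: exposure(f, d, USER, GROUPS) for name, (f, d) in LAYOUTS.items()}

if __name__ == "__main__":
    for name, result in report().items():
        print(f"{name:16} {result}")
```

Only the last layout protects the files from code running as the user: `chmod 444` alone is reversible by the owner, and without the sticky bit a group-writable directory still lets the user delete or replace root-owned files.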

      • I agree in part. My "works" that I make are not replaceable usually. The things I store on my machine are not easy to get back, if possible at all. I also back them up but some people don't. I would very much dislike a program that removes all of that from me.

        But... if my system is compromised I very well might not know it at all. Then every time I type in a password, credit card number, anything... it's logged and sent out. This worries me equally if not more.

        Either way I don't want it to happen I
      • The worst risk isn't erasure or other obvious damage to *data*, but directed modification of code and configuration that *isn't* readily detected.

        Windows systems are so widely vulnerable to worms because most people running Windows work all the time as a user with full administrative rights. Any program that can get itself launched by the user can do anything it likes to the entire system without the user noticing.

        Unix-based systems like MacOS X are a mixed bag, but in general people do not routinely
      • Even if you backed up all of your personal files daily, losing a full day's worth of work is still a Very Bad Thing that should be avoided at all costs.

        Of course, it's much worse if your OS *and* your personal data are hosed, which was the point.

        But my main point is that avoiding this attack vector doesn't take "all costs" -- there aren't any reports of this attack in the wild, and you'd have to actively visit a malicious site, before applying the patch, to be affected.

        That's why it's nothing to shout ab
      • "Can someone please explain to me something? I'm not trying to be a troll, but why is overwriting my documents/home/user directory seen as something minor?"

        Because it allows people on here to say that OSen with usernames (i.e. theirs) are inherently more secure than OSen without usernames (i.e. Microsoft, ignoring obvious factual errors in that comparison)

        It's a nice simplification. Linux good, Windows bad. Conveniently Apple has usernames too now, which means we get support from the latte-sipping black
      • One of the other responses (sorry, I'm too lazy to look it up right now) suggested changing file permissions to prevent the user account from overwriting your files. I would suggest something possibly more convenient in that if you know you're going to be 'wandering' the web, use a separate login id. I do this a bit on my home machine and for 80% of my web use, it works well and doesn't expose anything but a 'throw-away' account to the world. I'm sure somebody will come up with a reason that I'm a lamer
    • Does Mozilla even use Java 1.4? According to this page [mozdev.org], you need a special plugin to even use Java 1.4.1 or later on OSX under Mozilla. It's not clear to me whether that still applies to Camino .8.2.
  • by Anonymous Coward
    I installed it, and it works just f$#!@^*NO CARRIER
  • by Anonymous Coward on Wednesday February 23, 2005 @02:03AM (#11753201)
    I don't want to start a holy war here, but what is the deal with you Java 1.4.2 fanatics? I've been sitting here at my freelance gig in front of a Java 1.4.2 rig (a 8600/300 w/64 Megs of RAM) for about 20 minutes now while it attempts to byte-compile a 17 meg file. 20 minutes! At home, on my Pentium Pro 200 running Java 1.4.1, which by all standards should be a lot slower than this Java 1.4.2 machine, the same operation would take about 2 minutes. If that.

    In addition, during this file transfer, HotJava will not work. And everything else has ground to a halt. Even my IDE is straining to keep up as I type this.

    I won't bore you with the laundry list of other problems that I've encountered while working on various Java 1.4.2 machines, but suffice it to say there have been many, not the least of which is I've never seen a Java 1.4.2 system that has run faster than its Java 1.4.1 counterpart, despite Java 1.4.2's faster bytecode architecture. My 486/66 with 8 megs of ram runs faster with Java 1.4.1 than this 300 mhz machine at times. From a productivity standpoint, I don't get how people can claim that Java 1.4.2 is a superior virtual machine.

    Java 1.4.2 addicts, flame me if you'd like, but I'd rather hear some intelligent reasons why anyone would choose to use a Java 1.4.2 over other faster, cheaper, more stable Java environments.
  • Impact: Updates Java to address an issue where an untrusted applet could gain elevated privileges and potentially execute arbitrary code.
    Description: A vulnerability in the Java Plug-in may allow an untrusted applet to escalate privileges, through JavaScript calling into Java code, including reading and writing files with the privileges of the user running the applet. Releases prior to Java 1.4.2 on Mac OS X are not affected by this vulnerability. Further information is available in Document ID 57591 from S
  • Apple Proactive? (Score:4, Insightful)

    by Undefined Parameter (726857) <<moc.oohay> <ta> <modeerf4leuf>> on Wednesday February 23, 2005 @04:40AM (#11753684)
    Is it just me, or does it seem like Apple has a team of people working on *finding* bugs and security holes in OS X? Maybe it's just me, but the first I hear of a greater majority of problems with OS X is when Apple releases an update, which suggests that maybe Apple has something beyond a simple stress-testing beta team.

    Or maybe I just need more sleep.

    ~UP
    • Re:Apple Proactive? (Score:4, Interesting)

      by commodoresloat (172735) on Wednesday February 23, 2005 @06:11AM (#11753975)
      the first I hear of a greater majority of problems with OS X is when Apple releases an update, which suggests that maybe Apple has something beyond a simple stress-testing beta team.

      You seem surprised. That's only because so many other companies have trained us not to expect this. We would not expect less than this from other products; operating systems should be the same. Imagine if cars were sold without crash tests. Security in a commercial OS should undergo constant (and pro-active) testing by the company (you can certainly bet its enemies are doing that). The fact that we don't expect that kind of work, and are surprised when we see it, speaks volumes about the practices of the current leaders of the commercial OS industry.

    • Re:Apple Proactive? (Score:4, Interesting)

      by TheRaven64 (641858) on Wednesday February 23, 2005 @06:41AM (#11754068)
      Microsoft also do this. Part of the problem they have is that once a fix is released, it is relatively easy to diff the original and the fix and find the original flaw. This is why they tend to roll security updates up with other things whenever possible - so it takes more time for a black hat to find the actual security hole. The same thing happens with a lot of open source projects - particularly things like OpenBSD where all code is security audited within the project.
      • What about including dummy patches? Ones that have absolutely no effect but appear to patch things?

        (seriously, no "I thought MS already did that" or similar comments)
  • by Anonymous Coward on Wednesday February 23, 2005 @07:11AM (#11754145)

    geez Apple, it was barely a month since your last update. [apple.com] Not looking so good I gotta say.

    I might have to "unswitch" to Windows, they hardly have as many security fixes. It's as rock solid as a Kryptonite lock. -gko

  • by Dausha (546002)
    In a related press release, Microsoft announced security release 1998-0173, fixing problems associated with running Open Office or Word Perfect. The specific security threat would allow users to use other word processing software than MS Word. This security update will prevent these malware products from running.

    Also released is Linux security (kernel) release 2.6.8. Not wanting to feel left out. This security release, when installed in place of MS Windows, will effectively block all Windows-based malware
  • Not Just Apple ... (Score:5, Informative)

    by jlrobins_uncc (136569) on Wednesday February 23, 2005 @09:28AM (#11754950)
    It's a bug which was present in Sun JVMs:

    http://sunsolve.sun.com/search/document.do?assetkey=1-26-57591-1&searchclause=57591 [sun.com]

    Fixed in J2SE 5, J2SE 1.4.2_06, and J2SE 1.3.1_14.
  • Techworld has hilariously biased coverage of this:

    "Apple shames itself again over security: Critical hole in Mac OS X patched three months late." [techworld.com]

    And it's interesting to look at Secunia's site (Secunia being the source of a lot of recent Microsoft apologism and Apple-bashing):

    Macintosh OS X issues [secunia.com]

    Windows XP Professional Issues [secunia.com]

    (Microsoft is "Vendor 1" in their database, you'll be pleased and amused to learn.)

    I'm guessing Secunia likes to drum up publicity for itself by making press releases that r
