
Apple Posts Security Update 2005-002

thelemmings writes "Today, Apple released Security Update 2005-002 for Mac OS X. It fixes a bug in the Java 1.4.2 implementation where an untrusted applet could gain elevated privileges and potentially execute arbitrary code. Sounds scary."
  • Re:Safari Popup Fix (Score:4, Interesting)

    by the pickle ( 261584 ) on Wednesday February 23, 2005 @02:46AM (#11753136) Homepage
    Has it fixed the IDN vulnerability yet? 10.3.8 didn't...

    p
  • Scary? Well... (Score:5, Interesting)

    by JavaRob ( 28971 ) on Wednesday February 23, 2005 @02:53AM (#11753164) Homepage Journal
    This is a serious bug and an important security update, and I'm not blowing that off... but I gotta live up to my username and point out the other side of the coin.

    So what happened is one version of the JVM, on OSX, has an exploitable flaw that still leaves it less dangerous than... well, Active-X, unflawed.

    It's not as serious a problem as it looks, also. They can't install a rootkit or anything like that, just because of the way OSX is designed. Say you have a Mac, and browsed to a site hosting a malicious applet (it's not a virus, so you'd have to *go* there to be in danger, and the website creator is obviously easier to trace than a virus writer). That applet could overwrite your documents, and wreak a lot of havoc, but you're not going to get owned. The Mac will prompt you for a password before it lets any software touch the core software (even its own security update!).

    So -- yes, get the fix if you've got a mac, but it's not "scary".
  • by AnEmbodiedMind ( 612071 ) on Wednesday February 23, 2005 @03:09AM (#11753223)
    This is far more scary than ActiveX as Safari will not prompt you to run an applet, it will just run it and then your OS X account is compromised. ActiveX on the other hand prompts you before it is run.

    This means that someone who knows what they are doing is at more risk on OS X than on Windows.

    I'm not claiming that OS X is less secure (I'm running it right now), but this is scary (relatively).

    Just mistype a URL and you're compromised.
  • by commodoresloat ( 172735 ) on Wednesday February 23, 2005 @07:03AM (#11753949)
    Does Mozilla even use Java 1.4? According to this page [mozdev.org], you need a special plugin to even use Java 1.4.1 or later on OSX under Mozilla. It's not clear to me whether that still applies to Camino .8.2.
  • Re:Apple Proactive? (Score:4, Interesting)

    by commodoresloat ( 172735 ) on Wednesday February 23, 2005 @07:11AM (#11753975)
    the first I hear of a greater majority of problems with OS X is when Apple releases an update, which suggests that maybe Apple has something beyond a simple stress-testing beta team.

    You seem surprised. That's only because so many other companies have trained us not to expect this. We would not expect less than this from other products; operating systems should be the same. Imagine if cars were sold without crash tests. Security in a commercial OS should undergo constant (and pro-active) testing by the company (you can certainly bet its enemies are doing that). The fact that we don't expect that kind of work, and are surprised when we see it, speaks volumes about the practices of the current leaders of the commercial OS industry.

  • Re:Go Go Apple (Score:3, Interesting)

    by TheRaven64 ( 641858 ) on Wednesday February 23, 2005 @07:35AM (#11754054) Journal
    I don't think that's entirely fair. OpenStep / Objective-C were cross platform at a source level, but still required a recompile. Depressingly, a dynamic language such as Objective-C would actually benefit more from the kind of optimisations something like the HotPoint VM can make at runtime, so it's a real shame that Sun went the Java route instead of simply creating a bytecode interpreter for Objective-C / OpenStep (which is still a far nicer platform to develop for).
  • Re:Apple Proactive? (Score:4, Interesting)

    by TheRaven64 ( 641858 ) on Wednesday February 23, 2005 @07:41AM (#11754068) Journal
    Microsoft also do this. Part of the problem they have is that once a fix is released, it is relatively easy to diff the original and the fix and find the original flaw. This is why they tend to roll security updates up with other things whenever possible - so it takes more time for a black hat to find the actual security hole. The same thing happens with a lot of open source projects - particularly things like OpenBSD where all code is security audited within the project.
  • Re:Scary? Well... (Score:3, Interesting)

    by Anonymous Coward on Wednesday February 23, 2005 @08:53AM (#11754315)
    Which OS X's user accounts do nothing to prevent.

    You misspelled "allow." You also used a sentence fragment. It's a real mess. Here, let me help make your point a little more clear and accurate.

    Most malicious websites are not trying to delete your documents or "own" your machine. Their purpose is to turn your computer into a spam relay, which OS X's user accounts do not allow.


    That's much better.
