Apple's First 2005 Mac OS X Security Update Is Out
ollie_ob writes "Security Update 2005-001 has just hit Software Update for Mac OS X users, for those running 10.3.7 and 10.2.8 in both normal and server flavours of the OS. The update includes patches for: at commands, ColorSync, libxml2, Mail, PHP, Safari and SquirrelMail.
Details are here. One of these fixes -- a modification to Apple Mail so it stops broadcasting your MAC address in plain text every time you send an email - will come as a welcome relief to those trying to keep their WEP-based wireless networks secure. Other highlights are PHP 4.3.10, and a Safari fix so that pop-up windows can't mislead users as to their apparent origin. The Mac OS X Server version of the patch also includes an update to SquirrelMail that stops browsers from executing scripted content in emails viewed(!).
Interesting to note Apple's new naming scheme for the updates (last year, some updates came out dated days into the future - or past.) Also, there's a unified page for all future security updates."
Re:In that case.... (Score:2)
The post is supposed to make a joke about how seemingly unnewsworthy the "first security update of the New Year" is. I guess there's not enough there to make the distinction.
Re:Airoport (Score:2)
Re:Airoport (Score:1)
Here is my system log:
Jan 26 00:26:25 localhost kernel: AirPort: Link DOWN
Jan 26 00:26:25 localhost kernel: System Sleep
Jan 26 00:26:25 localhost kernel: System Wake
Jan 26 00:26:25 localhost kernel: Wake event 0008
Jan 26 00:26:25 localhost kernel: AppleNMI unmask NMI
Jan 26 00:26:25 localhost kernel: Sound assertion "0 != err" failed in "AppleLegacyAudio/AppleTexas2Audio/AppleTexas2Audio.cpp" at line 960 goto Exit
Jan 26 00:26:25 localhost kernel: FWOHCI han
Re:Airoport (Score:1)
No, but (Score:2)
Re:No, but (Score:1, Informative)
Re:No, but (Score:2)
Re:PC competition for the I-Mini MAC? (Score:2)
are you trolling or just ignorant? (Score:1, Offtopic)
2. it's "Mac mini", not "I-Mini McIntosh"
3. it is a real computer
Re:are you trolling or just ignorant? (Score:2)
Re:are you trolling or just ignorant? (Score:1)
you didn't read grandparent, it's about that - not the summary
Awesome! A New Troll!!!! (Score:5, Funny)
Bravo!
Re:Awesome! A New Troll!!!! (Score:2)
Re:Awesome! A New Troll!!!! (Score:4, Informative)
What I like about the Kottke troll is that it is so versatile. You can substitute brands and products for comedic effect. For instance: Hilarity ensues.
Re:Awesome! A New Troll!!!! (Score:2)
Re:PC competition for the I-Mini MAC? (Score:1)
Did anyone else know about this? (Score:2)
That doesn't sound like a very good idea. Has Mail always done that?
Re:Did anyone else know about this? (Score:3, Insightful)
Glad I haven't been using Mail. This is the first I've heard of this problem.
Side question: how would that accidentally happen in the first place? It's not as though someone would deliberately insert code to broadcast a MAC address into a mail client...yet it seems specific enough that simply calling it a "bug", with the arbitrary nature that implies, seems a bit odd.
Re:Did anyone else know about this? (Score:5, Informative)
Not a feature, an idea that perhaps seemed OK at the time... to generate unique message IDs based on an existing type of unique identifier [wikipedia.org] that happened, in the original format defined for it [opengroup.org], to use an IEEE 802 MAC address, presumably because those are intended to be unique to a piece of hardware, so the rest of the UUID merely has to be a value that will never be used again on a system where that MAC address is used to generate UUIDs.
The current Internet-Draft for a URN namespace for UUIDs [ietf.org] mentions another scheme to generate UUIDs in that format that don't use a hardware MAC address but that won't collide with UUIDs generated from MAC addresses for hardware (by turning on the bit that would be the multicast bit in an 802 MAC address).
Re:Did anyone else know about this? (Score:5, Informative)
It's not as though someone would deliberately insert code to broadcast a MAC address into a mail client.
No, not specifically. Here's the scoop.
Each email is supposed to have a unique Message-Id header. Other than logging and tracing, this is so that, when it's referenced by other emails via the In-Reply-To: and References: headers, the mail reader can properly thread the emails.
Second, there's a common unique ID format called the UUID [wikipedia.org]. This is a 128-bit value that is unique across space and time until AD 3400. If you've looked at CLSIDs in Windows RegEdit, then you've seen UUIDs. (Windows calls them GUIDs.) They're also used in a lot of RPC-type protocols, in Mozilla plugins, and other places. One common way to generate a UUID incorporates the computer's MAC address as the last 48 bits, so that no two computers will generate the same UUID (assuming the MACs were properly registered), along with the clock time.
Since UUIDs are an easily-generated random number (lots of library routines to generate them, as well as the OS X uuidgen tool), that's what Mail used for its Message-Ids.
Later versions of the UUID spec
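The two comments above describe the same mechanism from two sides: the original DCE/RFC 4122 time-based UUID puts a MAC address in its last 48 bits (with the multicast bit as the marker for a random node instead), and the fix described further down salts and hashes the MAC rather than emitting it raw. The following added example (not from the thread or from Apple) inspects a Message-ID for that leak and builds a hashed one; the SHA-256 choice, the `example.com` domain and the sample node values are assumptions.

```python
import hashlib
import os
import uuid

def uuid_node_info(u: uuid.UUID) -> dict:
    """Classify the 48-bit node field of a UUID as laid out in the original
    DCE/RFC 4122 time-based format: a version-1 UUID whose node multicast bit
    (low-order bit of the first node octet) is clear carries an IEEE 802 MAC;
    a set multicast bit marks a randomly generated node id instead."""
    node = u.node                      # last 48 bits of the UUID
    multicast_bit = (node >> 40) & 1   # bit 0 of the first node octet
    octets = [(node >> (8 * i)) & 0xFF for i in reversed(range(6))]
    return {
        "version": u.version,
        "node": ":".join(f"{b:02x}" for b in octets),
        "hardware_mac_likely": u.version == 1 and multicast_bit == 0,
    }

def message_id_leaks_mac(message_id: str) -> bool:
    """True if a Message-ID's local part is a version-1 UUID whose node field
    looks like a real MAC address, as the pre-patch Apple Mail IDs did."""
    local_part = message_id.strip().strip("<>").split("@", 1)[0]
    try:
        return uuid_node_info(uuid.UUID(local_part))["hardware_mac_likely"]
    except ValueError:                 # not a UUID-shaped Message-ID at all
        return False

def hashed_message_id(mac_node: int, domain: str) -> str:
    """Build a Message-ID the way the thread describes the fix: the MAC is
    still an input, but it is salted with random bytes and hashed, so the
    receiver cannot recover it from the header (assumption: SHA-256 stands in
    for whatever hash Apple actually used)."""
    salted = mac_node.to_bytes(6, "big") + os.urandom(16)
    return f"<{hashlib.sha256(salted).hexdigest()}@{domain}>"

# Constructed samples (not real captured headers): a hardware-style node,
# the same node with the multicast bit set, and a random (version 4) UUID.
HW_NODE = 0x001122334455
SAMPLE_HW_MSGID = f"<{uuid.uuid1(node=HW_NODE, clock_seq=0x1234)}@example.com>"
SAMPLE_RANDOM_NODE_MSGID = f"<{uuid.uuid1(node=HW_NODE | (1 << 40), clock_seq=0x1234)}@example.com>"
SAMPLE_V4_MSGID = f"<{uuid.uuid4()}@example.com>"
SAMPLE_HASHED_MSGID = hashed_message_id(HW_NODE, "example.com")

if __name__ == "__main__":
    for label, mid in [("v1 hardware node", SAMPLE_HW_MSGID),
                       ("v1 random node", SAMPLE_RANDOM_NODE_MSGID),
                       ("v4 random", SAMPLE_V4_MSGID),
                       ("salted hash", SAMPLE_HASHED_MSGID)]:
        print(f"{label:18} leaks MAC: {message_id_leaks_mac(mid)}")
```

Only the first sample is flagged; the multicast-bit variant, the version-4 UUID and the salted hash all come back clean, and two hashed IDs for the same node differ because of the random salt.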
Re:Did anyone else know about this? (Score:1)
Re: (Score:2)
Re:Did anyone else know about this? (Score:3, Informative)
b) Apple's implementation for example does work with WPA. Other vendors devices will have different resu
Re:Did anyone else know about this? (Score:1)
Someone else check...not the airport? (Score:5, Insightful)
The ethernet address WAS broadcast in the Message-ID header. However, that was the hardware ethernet MAC address, and NOT the Airport card MAC address.
Can anyone else confirm that this is the case? If it is, then does this have anything with keeping WEP-based wireless networks secure?
Re:Someone else check...not the airport? (Score:2)
Re:Someone else check...not the airport? (Score:5, Informative)
They will continue to use the builtin ethernet MAC address to generate IDs, but now they're sticking some random junk on the end and putting them through a hash function first, so the receiver of your message can't get your MAC address from it.
Re:Someone else check...not the airport? (Score:3, Insightful)
It's a lot simpler than that. If you can already sniff the network in the first place, why go to all the trouble of getting the MAC address out of an email message-id when you can simply look at the ethernet header itself which contains the MAC address!?
Installed, rebooted... (Score:3, Informative)
And if you've got any questions about iLife '05, let me know. GarageBand's vocal effects are pretty cool, though I don't sound all that hot as a woman...
Re:Installed, rebooted... (Score:2)
Re:Installed, rebooted... (Score:1)
Did you sound better as a man?
Re:Installed, rebooted... (Score:1)
eBay slow in Safari ... fixed. (Score:4, Informative)
Re:eBay slow in Safari ... fixed. (Score:1)
Nice of them to make the switchers feel at home (Score:2)
oh, and don't forget the local root exploit (Score:5, Informative)
from the console
Re:oh, and don't forget the local root exploit (Score:1)
Re:oh, and don't forget the local root exploit (Score:5, Informative)
Re:oh, and don't forget the local root exploit (Score:2)
Re:oh, and don't forget the local root exploit (Score:1)
Damn k-otik and their
Regards
nemo
Repair permissions after install (Score:3, Informative)
Go to Applications/Utilities (Apple+U in finder window) and launch disk utility, click repair permissions.
In fact, it's a good idea to do it once in a while.
Re:Repair permissions after install (Score:5, Informative)
Re:Is there such a beast? (Score:2)
Try the Mac Mini.
Re:Is there such a beast? (Score:1, Funny)
Tell him to go ask mommy at the kitchen bar. : P
new mac user needs help (Score:1)
I'm expecting to get my first Mac (a Mac Mini) delivered this Friday or thereabouts.
Bearing in mind these updates, how would I go about updating them once I've turned on my Mac Mini? If it's obvious - and there's a software update tool, similar to up2date on linux, or apt-get update/upgrade - please don't trouble yourselves and just say "it is obvious, you'll see it, no problems".
Many thanks.
Re:new mac user needs help (Score:1)
Re:new mac user needs help (Score:2)
It should come up pretty quickly and inform you what's what.
Re:new mac user needs help (Score:1, Informative)
The Mac OS X Software Update prog will run (unless you specifically request it not to) once your system is up and running. You can find the controls for Software Update in your System Preferences (Apple Menu or a shortcut in the Dock).
Enjoy...
Re:new mac user needs help (Score:1)
Go to System Prefs and launch Software Update.
Hope you'll enjoy your new little friend.
Re:new mac user needs help (Score:1)
Re:new mac user needs help (Score:2)
Welcome to the world of Macintosh... I think you'll be happy with it.
Re:new mac user needs help (Score:5, Informative)
MAC becoming the computer equivalent of SSN (Score:3, Informative)
First of all, a MAC address does not uniquely identify a computer - it uniquely identifies a network interface. I have several computers which have more than one Ethernet controller in them, and so they have several MAC addresses associated with them.
Secondly, since almost ALL modern cards allow the MAC address to be changed by software, there is no guarantee that the MAC address is unique.
These two items alone should be sufficient to convince people that using the MAC address as anything other than the physical layer address of a specific Ethernet card is a BAD IDEA.
If you want to generate a unique identifier for a message, use something else - use
Re:MAC becoming the computer equivalent of SSN (Score:1)
Re:MAC becoming the computer equivalent of SSN (Score:3, Informative)
So MAC is not guaranteed to be unique among computers - in fact many consumer broadband route
Re:MAC becoming the computer equivalent of SSN (Score:2)
In this sort of instance doesn't matter one jot that they have multiple MAC addresses though (especially when it's using an internal interface, where it's not as if you can remove it and put it in another machine, nor was it used as the complete unique identi
Re:oh dear (Score:2)
Note that neither Apple Mail nor the Microsoft apps were explicitly choosing to stick the MAC address of one of the network cards into {mail messages,documents} - they were sticking UUIDs into {mail messages,documents}, and the OS's routine for generating UUIDs was using the original DCE mechanism for ge
how to secure your WEP network. (Score:3, Interesting)
Re:how to secure your WEP network. (Score:5, Informative)
That's good advice -- but not always practical.
First off, WEP is still better than absolutely nothing. It does prevent the uneducated and inexperienced from snooping in on you -- they have to have a bit of knowledge and put in some effort to see what you're doing.
The big problem with WPA is that not all wireless devices support it. I'm in a nasty catch-22 at the moment on my WiFi network in that I've been contracted to do some development with and against a Palm Tungsten C, which is WiFi enabled, but which has absolutely no WPA support. My base station and other portables support WPA just fine, but I'm stuck with WEP because one device manufacturer for a device I absolutely need has decided not to bother with WPA support.
If I had extra money just lying around with nothing much to do, I'd consider buying another base station to be hooked into my network (heavily firewalled off from the rest of my network) to provide only WEP access, and switch everything else back to WPA. But unfortunately I'm stuck with what I have at the moment, and have to rely on SSH and other encrypted protocols as much as possible to ensure my network's security, as WEP alone, while better than absolutely nothing, isn't enough.
Before I go, an open rant: Palm, take your head out of the sand and realize that we T|C users need WPA protection, just like everyone else.
Yaz.
Re:how to secure your WEP network. (Score:2)
only on paper. you note - correctly - that it will slow people down from getting in. but your comment about it preventing the "uneducated and inexperienced from snooping" exposes the problem: how many uneducated people are going to have tcpdump skills? honestly, i've seen off-the-shelf free products that do WEP cracking *more easily* than i've seen them do TCP sniffing.
in practice, of course, your next point is the most useful: not everything supports
What's this about SquirrelMail? (Score:2)
Re:What's this about SquirrelMail? (Score:2)