Follow Slashdot blog updates by subscribing to our blog RSS feed

 



Forgot your password?
typodupeerror
×
Security Businesses OS X Operating Systems Apple

Apple's First 2005 Mac OS X Security Update Is Out 91

ollie_ob writes "Security Update 2005-001 has just hit Software Update for Mac OS X users, for those running 10.3.7 and 10.2.8 in both normal and server flavours of the OS. The update includes patches for: at commands, ColorSync, libxml2, Mail, PHP, Safari and SquirrelMail. Details are here. One of these fixes -- a modification to Apple Mail so it stops broadcasting your MAC address in plain text every time you send an email - will come as a welcome relief to those trying to keep their WEP-based wireless networks secure. Other highlights are PHP 4.3.10, and a Safari fix so that pop-up windows can't mislead users as to their apparent origin. The Mac OS X Server version of the patch also includes an update to SquirrelMail that stops browsers from executing scripted content in emails viewed(!). Interesting to note Apple's new naming scheme for the updates (last year, some updates came out dated days into the future - or past.) Also, there's a unified page for all future security updates."
This discussion has been archived. No new comments can be posted.

Apple's First 2005 Mac OS X Security Update Is Out

Comments Filter:
  • broadcasting your MAC address in plain text

    That doesn't sound like a very good idea. Has Mail always done that?
    • by interactive_civilian ( 205158 ) <mamoru&gmail,com> on Wednesday January 26, 2005 @01:43AM (#11477728) Homepage Journal
      Ummm...I just checked this out on some messages that I sent (using AirPort).

      The ethernet address WAS broadcast in the Message-ID header. However, that was the hardware ethernet MAC address, and NOT the Airport card MAC address.

      Can anyone else confirm that this is the case? If it is, then does this have anything with keeping WEP-based wireless networks secure?

      • Yep, you're right. I even had the built-in ethernet interface disabled because I never use it, but that was still the address that was broadcast.
      • by geoffspear ( 692508 ) * on Wednesday January 26, 2005 @08:57AM (#11479281) Homepage
        No, it has nothing to do with keeping anything secure. They use the machine's MAC address because it was a good way to generate unique message IDs, but it has nothing at all to do with the network the message was sent over.

        They will continue to use the builtin ethernet MAC address to generate IDs, but now they're sticking some random junk on the end and putting them through a hash function first, so the receiver of your message can't get your MAC address from it.

  • by bennomatic ( 691188 ) on Wednesday January 26, 2005 @12:26AM (#11477390) Homepage
    ...and running fine!

    And if you've got any questions about iLife '05, let me know. GarageBand's vocal effects are pretty cool, though I don't sound all that hot as a woman...

  • by timmytee ( 636163 ) <timmytee@NOSPam.gmail.com> on Wednesday January 26, 2005 @12:40AM (#11477464)
    It appears that the slowness many saw with eBay in Safari has been fixed. Previously, the fix was to turn off javascript - a pain. No more spinning beachballs here (just revving G5 fans ...)
  • Especially now that they have a new unified page for security updates. Just don't call them "service packs" or nobody will ever use them :)
  • by OmniVector ( 569062 ) <se e m y h o mepage> on Wednesday January 26, 2005 @02:10AM (#11477827) Homepage
    see for yourself: http://otierney.net/files/root-osx.c [otierney.net]. Basically exploits an suid bug in an iSync app. you can fix this local exploit by running:
    chmod a-x /System/Library/SyncServices/SymbianConduit.bundle /Contents/Resources/mRouter

    from the console
  • by Ilgaz ( 86384 ) on Wednesday January 26, 2005 @04:47AM (#11478367) Homepage
    I am not totally sure but I launched dist utility after installing this update, log window flooded with wrong users, permissions. Especially files updated by this install.

    Go to Applications/Utilities (Apple+U in finder window) and launch disk utility, click repair permissions.

    In fact, its a good idea to do it once in a while.
  • Hi,

    I'm expecting to get my first Mac (a Mac Mini) delivered this Friday or thereabouts.

    Bearing in mind these updates, how would I go about updating them once i've turned on my Mac Mini? If it's obvious - and there's a software update tool, similar to up2date on linux, or apt-get update/upgrade - please don't trouble yourselves and just say "it is obvious, you'll see it, no problems".

    Many thanks.
    • Under the menu Bar Apple ( Blue ) select software update. Checks and displays current updates. Once you run it once and add updates, check again, as updates are sequenced.
    • "it is obvious, you'll see it, no problems" :-)

      It should come up pretty quickly and inform you what's what.
    • *eyes other slashdotters warily*

      The Mac OS X Software Update prog will run (unless you specifically request it not to) once your system is up and running. You can find the controls for Software Update in your System Preferences (Apple Menu or a shortcut in the Dock).

      Enjoy...
    • it is obvious, you'll see it, no problems ;)

      Go to System Prefs and launch Software Update.

      Hope you'll enjoy your new little friend.
    • In addition to the others who told you it should run pretty quickly after your first start up, its default preferences are to run once every week, in the background, and check for new updates. You can change this time from that to manual (only when you want), or more often or less than the default once per week.

      Welcome to the world of Macintosh... I think you'll be happy with it.

    • by TheRaven64 ( 641858 ) on Wednesday January 26, 2005 @11:59AM (#11481477) Journal
      Others have pointed out that there is a GUI for this, which is easy to use. There is also a command-line way of doing the same thing:
      $ sudo softwareupdate -i -a
      This will install any available software updates (see man softwareupdate for more options). This has the advantage that it can be done remotely, and doesn't bug you to restart as much (it just tells you that you need to).
  • by wowbagger ( 69688 ) on Wednesday January 26, 2005 @08:12AM (#11479019) Homepage Journal
    The Media Access Controller address is becoming the computing equivalent of the US Social Security Number - (ab)used for things for which it was never intended and is inappropriate.

    First of all, a MAC address does not uniquely identify a computer - it uniquely identifies a network interface. I have several computers which have more than one Ethernet controller in them, and so they have several MAC addresses associated with them.

    Secondly, since almost ALL modern cards allow the MAC address to be changed by software, there is no guarantee that the MAC address is unique.

    These two items alone should be sufficient to convince people that using the MAC address as anything other than the physical layer address of a specific Ethernet card is a BAD IDEA.

    If you want to generate a unique identifier for a message, use something else - use /dev/random (or your OS's equivalent service) or some other method.

    • If it is unique to a network interface, then it is unique to a computer (since you aren't likely to have the same network interface in multiple computers). Also, most cards don't allow you to change the MAC address in software. They allow you to put the card into promiscuous more (where it will pass all received packets to the driver, instead of just those that match the MAC address). The driver can then send acknowledgements for those that match a different MAC, making it appear to the network that they
      • Actually, having written several Ethernet drivers for standard chipsets for use within embedded systems, I can say you are incorrect - the MAC address is a set of registers on the card which are programmed by the card driver. Usually, the driver just reads the MAC from a EEPROM attached to the chip, but there is nothing preventing the driver from assigning whatever values to the card it wishes, ignoring the EEPROM.

        So MAC is not guaranteed to be unique among computers - in fact many consumer broadband route
    • First of all, a MAC address does not uniquely identify a computer - it uniquely identifies a network interface. I have several computers which have more than one Ethernet controller in them, and so they have several MAC addresses associated with them.

      In this sort of instance doesn't matter one jot that they have multiple MAC addresses though (especially when it's using an internal interface, where it's not as if you can remove it and put it in another machine, nor was it used as the complete unique identi
  • by anothy ( 83176 ) on Wednesday January 26, 2005 @09:43AM (#11479764) Homepage
    One of these fixes... ...will come as a welcome relief to those trying to keep their WEP-based wireless networks secure.
    unless said fix has to do with fixing something broken in WPA, this is silly. WEP is insecure. record break-in times to WiFi networks "secured" using WEP is well under half an hour; stock tools can do it in several hours to a day. WPA is hardly iron-clad, but it's orders of magnitude better than the fatally flawed WEP. one should not rely on WEP for security of any kind.
    • by Yaztromo ( 655250 ) on Wednesday January 26, 2005 @10:37AM (#11480389) Homepage Journal
      WEP is insecure. record break-in times to WiFi networks "secured" using WEP is well under half an hour; stock tools can do it in several hours to a day. WPA is hardly iron-clad, but it's orders of magnitude better than the fatally flawed WEP. one should not rely on WEP for security of any kind.

      That's good advice -- but not always practical.

      First off, WEP is still better than absolutely nothing. It does prevent the uneducated and unexperienced from snooping in on you -- they have to have a bit of knowledge and put in some effort to see what you're doing.

      The big problem with WPA is that not all wireless devices support it. I'm in a nasty catch-22 at the moment on my WiFi network in that I've been contracted to do some development with and against a Palm Tungsten C, which is WiFi enabled, but which has absolutely no WPA support. My base station and other portables support WPA just fine, but I'm stuck with WEP because one device manufacturer for a device I absolutely need has decided not to bother with WPA support.

      If I had extra money just laying around with nothing much to do, I'd consider buying another base station to be hooked into my network (heavily firewalled off from the rest of my network) to provide only WEP access, and switch everything else back to WPA. But unfortunately I'm stuck with what I have at the moment, and have to rely on SSH and other encrypted protocols as much as possible to ensure my networks security, as WEP alone, while better than absolutely nothing, isn't enough.

      Before I go, an open rant: Palm, take your head out of the sand and realize that we T|C users need WPA protection, just like everyone else.

      Yaz.

      • First off, WEP is still better than absolutely nothing.

        only on paper. you note - correctly - that it will slow people down from getting in. but your comment about it preventing the "uneducated and unexperienced from snooping" exposes the problem: how many uneducated people are going to have tcpdump skills? honestly, i've seen off-the-shelf free products that do WEP cracking *more easialy* than i've seen them do TCP sniffing.

        in practice, of course, your next point is the most useful: not everything supports

  • Does SquirrelMail come with OS X?

Some people manage by the book, even though they don't know who wrote the book or even what book.

Working...