Apple Posts Security Update 2005-002
thelemmings writes "Today, Apple released Security Update 2005-002 for Mac OS X. It fixes a bug in the Java 1.4.2 implementation where an untrusted applet could gain elevated privileges and potentially execute arbitrary code. Sounds scary."
Safari Popup Fix (Score:5, Informative)
This seems like a really good thing to me...
Re:Safari Popup Fix (Score:1, Funny)
Re:Safari Popup Fix (Score:4, Insightful)
Advertisers pay a certain fee to a website. That fee is either flat, or based on a count of click-throughs. If the fee is flat, then my blocking of the popup has no bearing on the website as a whole. If the fee is non-flat, and a large percentage of the website's visiting population objects to popups and uses software (browser or add-on) that blocks such, then the website will suffer and perhaps look for other advertising sources. Either way, I really have no bearing or guilt on the situation. I use the technology at hand to view the content I want. I signed no contract saying I must view pop-up ads; therefore, I don't at all feel bound to do so.
Websites will adapt to the changing pop-up blocking technology, or fail as a result. Either way, it is not my responsibility, as I don't manage the website.
Re:Safari Popup Fix (Score:2)
Re:Safari Popup Fix (Score:4, Insightful)
This might be one of the reasons Google is so worshipped on here: They introduced a form of web advertising (Adsense) that is clean, simple, low-bandwidth, relevant, and most of all NOT ANNOYING.
The solution for advertisers is simple: If you want your ads to be seen, don't make the user WANT to block your ads.
Sure, pop-ups and spam might make a good deal of money, but I think it would be better for everyone if advertisers instead tried implementing solutions that don't put them at odds with the customers.
More people will click and buy the products, and the web will be an overall better place.
Re:Safari Popup Fix (Score:5, Insightful)
Online advertisers are focusing too much on the short-term: get people to see the ad. Banners worked for a while, then everyone started ignoring them, so they went for more annoyingly sized and placed ads, popups, popunders, etc., which caught people's attention for a while. Then ad blockers came along, and suddenly online advertising came to a screeching halt as they tried to figure out how to get around them. Now they have, and look how quickly people are asking how to block the new popups.
Most banner ads are completely useless, and I'm not missing anything by blocking. I don't need faster downloads and more local access numbers, and I don't care that I could win a free iPod by guessing which disembodied head is Britney Spears. Maybe if I had been looking at the homepage of some well-known overpriced dialup ISP, I would have greater than zero chance of caring that some other ISP is cheaper and faster; if I were reading a website about Britney Spears, I might want to get that iPod. Okay, the last one still wouldn't apply, since I already have an iPod, and don't like Britney Spears anyway, but that's beside the point.
Other online advertisers should take a nice long look at AdSense, marvel in its simplicity and usefulness. I've seen online advertising grow up from the moderately tasteful small static banner image to the obnoxious beast that it's become and have never yet had any reason to click on a single one of them until AdSense came along and started providing relevant and interesting ads. In fact, oh-so-long ago, I didn't even know ad banners were clickable. I presume a lot of non-net-savvy people still don't realize it. This is another advantage of using text ads: people look at colored underlined text and equate it with "click this", whereas they see some out-of-place picture and mentally filter it out as irrelevant.
Re:Safari Popup Fix (Score:2)
Re:Safari Popup Fix (Score:2)
Re:Safari Popup Fix (Score:2)
Re:Safari Popup Fix (Score:2)
In one of my past jobs, I worked for a very high-volume web site. We had a policy that we would not accept any flashing or Java ads. Unfortunately, doubleclick would often rotate in "pool" ads that violated our terms. This req
Re:Safari Popup Fix (Score:2)
Not quite... (Score:2)
Valenti has said a bunch of crappy things to be sure, but not that.
It was Turner Broadcasting CEO Jamie Kellner who assured us that "there's a certain amount of tolerance for going to the bathroom" [2600.com].
Re:Safari Popup Fix (Score:1)
Re:Safari Popup Fix (Score:5, Funny)
In other words, it allows you to more effectively steal information and services from those who are kind enough to provide them for free, in exchange asking only for the opportunity to show you an easily ignored advertisement. Spoiled scum like you, with your obnoxiously oversized sense of entitlement, ought to be exiled to the desert, if you ask me. There you can establish your commune or whatever it is you hippies like to do, while we in civilized society will do our best to forget you.
I cannot imagine a more selfish attitude towards the world than that which the teabagging cocksmokers of Slashdot bring to light.
LOL! My good man, can you have reached the ripe age of harrumphing without having seen "The Big Lebowski"? You really owe it to yourself to see David Huddleston's performance as the titular character; it will cure you forever of the urge to use mothballed expressions such as "whatever it is you hippies like to do" and "we in civilized society." Conscious self-parody is one thing, after all, but your sleepwalking has moved me to unexpected sympathy in a way I've not felt since the prez fell off a Segway.
Now, in any case, no one is under any obligation to view ads in any context. Nor should imposition, the sine qua non of advertising, be euphemized as "opportunity." It's your confusion of obedience with duty that has led to your arch and sniveling denigration of your ad-free fellow man. You, sir, are no advertisement for advertisements.
Re:Safari Popup Fix (Score:1)
Re:Safari Popup Fix (Score:2)
Re:Safari Popup Fix (Score:1)
Re:Safari Popup Fix (Score:2)
Sorry, no. It is not theft, because I never agreed to look at any advertisements, nor did I sign any kind of contract obligating me to do so. I choose to look at some advertisements out of the goodness of my heart and in the spirit of supporting sites that I like. If advertisers vio
Re:Safari Popup Fix (Score:4, Interesting)
p
Re:Safari Popup Fix (Score:1)
I'm running 10.3.8 with this latest security update, and I'm still getting popunders in Safari at several websites, like http://www.snopes.com/ [snopes.com] and http://www.drudgereport.com/ [drudgereport.com], so I guess it's not fixed after all.
Re:didnt show up in my software update (Score:4, Informative)
Are you running the latest Java updates for 10.3? IIRC, it'll only show up if you've installed the Java 1.4.2 update from last year, and it won't come up on 10.2 or lower at all.
O/T- Your home page (Score:1)
Re:didnt show up in my software update (Score:2)
Before update:
After update:
I haven't rebooted yet, so I don't know what that'll change
Re:didnt show up in my software update (Score:1)
Java(TM) 2 Runtime Environment, Standard Edition (build 1.4.2_05-141.3)
Java HotSpot(TM) Client VM (build 1.4.2-38, mixed mode)
thx
Re:didnt show up in my software update (Score:2)
Re:Go Go Apple (Score:1)
Re:Go Go Apple (Score:4, Insightful)
A superior implementation of a Java-like platform was delivered long before Oak, in NeXT's Objective-C. Lame implementation, Sun.
Re:Go Go Apple (Score:3, Interesting)
Re:Go Go Apple (Score:1)
True of course, and I didn't really intend for it to be anything other than humorous
Re:Go Go Apple (Score:2)
Re:Go Go Apple (Score:4, Funny)
Link to thread (Score:1)
google groups [google.com].
Re:Link to thread (Score:3, Insightful)
Re:Go Go Apple (Score:1)
To be fair, an actual working compiler wasn't released till 86, after the debut of the Macintosh, and when it was it was licensed by NeXT shortly afterward. That, and I don't think many people would have gotten the joke if I'd said StepStone
Scary? Well... (Score:5, Interesting)
So what happened is one version of the JVM, on OSX, has an exploitable flaw that still leaves it less dangerous than... well, Active-X, unflawed.
It's not as serious a problem as it looks, also. They can't install a rootkit or anything like that, just because of the way OSX is designed. Say you have a Mac, and browsed to a site hosting a malicious applet (it's not a virus, so you'd have to *go* there to be in danger, and the website creator is obviously easier to trace than a virus writer). That applet could overwrite your documents, and wreak a lot of havoc, but you're not going to get owned. The Mac will prompt you for a password before it lets any software touch the core software (even its own security update!).
So -- yes, get the fix if you've got a mac, but it's not "scary".
It's more scary than ActiveX (Score:3, Interesting)
This means that someone who knows what they are doing is at more risk on OS X than on Windows.
I'm not claiming that OS X is less secure (I'm running it right now), but this is scary (relatively).
Just mistype a URL and you're compromised.
Re:It's more scary than ActiveX (Score:2, Informative)
Mis-type a URL when the new URL goes to a cleverly written piece of Java designed specifically to hack your OS X and you'll be compromised.
Mis-type the other 99.999999% (+/- 0.0000001% error) of URLs and you'll be fine.
Still, you're correct on the bit about Safari not prompting you to run a Java applet. I think you can turn Java off though (not in front of the iBook right now, can't recall). The update fixes a potentially big hole.
Re:It's more scary than ActiveX (Score:3, Informative)
Not as default; you have to set it to do that.
So they aren't all that different except the Core of OS X will still be safe while Windows just became a spam zombie.
Both will destroy whatever personal data they can get ahold of.
Re:It's more scary than ActiveX (Score:2)
Java Applet exploits in the wild?
Tell me those two numbers and then we can talk about which is scarier.
Re:Scary? Well... (Score:2)
I don't think that word means what you think it means. A worm is self-replicating without needing any other assistance.
Re:Scary? Well... (Score:2)
Re:Scary? Well... (Score:2)
Re:Scary? Well... (Score:2)
And worms! And... ew... trojans! Mixed in my head!
I'm all better now though. And there's, ah, no need to mention this to the wife, right?
Re:Scary? Well... (Score:1, Informative)
Re:Scary? Well... (Score:3, Interesting)
You misspelled "allow." You also used a sentence fragment. It's a real mess. Here, let me help make your point a little more clear and accurate.
That's much better.
Re:Scary? Well... (Score:2)
How is this "informative"?
Re:Scary? Well... (Score:1)
Details (Score:2)
Obviously I've never tried to set up a hidden open relay on a Mac, so I don't know what would be involved. It would need to accept incoming connections (perhaps the built-in firewall stops that?), though you could use a custom configuration where it just checks an IRC channel or webpage for messages to send and delivery addresses, etc.
I don't know enough about Macs to say exactly what's possible and
Re:Details (Score:2)
Re:Scary? Well... (Score:3, Insightful)
I always see people claiming that on Linux, OS X, xyz you are safe because your system can't get hurt, only your personal data. I personally care a lot more about what is in my user directory than my system. If my system gets hosed I lose maybe a Sunday afternoon installing everything again, but if my user directory goes I'm going to cry. I have s
Re:Scary? Well... (Score:2)
Also, it's a
Re:Scary? Well... (Score:2)
WRT your mp3s, make them so that you don't have access to write them - chmod 444 and chown root. Then chmod sticky but group-writeable your mp3 directory and chown that root as well. Same for anything you're not editing. Then a virus can't touch anyth
Re:Scary? Well... (Score:2)
But... if my system is compromised I very well might not know it at all. Then every time I type in a password, credit card number, anything... it's logged and sent out. This worries me equally if not more.
Either way I don't want it to happen I
Re:Scary? Well... (Score:1)
Windows systems are so widely vulnerable to worms because most people running Windows work all the time as a user with full administrative rights. Any program that can get itself launched by the user can do anything it likes to the entire system without the user noticing.
Unix-based systems like MacOS X are a mixed bag, but in general people do not routinely
Of course that's bad (Score:2)
Of course, it's much worse if your OS *and* your personal data are hosed, which was the point.
But my main point is that avoiding this attack vector doesn't take "all costs" -- there aren't any reports of this attack in the wild, and you'd have to actively visit a malicious site, before applying the patch, to be affected.
That's why it's nothing to shout ab
Re:Scary? Well... (Score:1)
Because it allows people on here to say that OSen with usernames (i.e. theirs) are inherently more secure than OSen without usernames (i.e. Microsoft, ignoring obvious factual errors in that comparison)
It's a nice simplification. Linux good, Windows bad. Conveniently Apple has usernames too now, which means we get support from the latte-sipping black
Re:Scary? Well... (Score:1)
Mozilla/Camino vulnerable? (Score:3, Interesting)
Re:Scary? Well... (Score:2)
You're missing the more important point -- that avoiding the problem is pretty darned easy. In fact, since this hasn't been reported in the wild, it's probably impossible to get exploited even if you wanted to. Some of this is due to the smaller user base of OSX, plus with this particular version
No (Score:2)
I bought one for my wife, though, because she's a "normal" computer user, and I was constantly cleaning out spyware, viruses, etc. when she was sharing my PC.
She's been using the Mac for 2-3 years now and I haven't had to do a single thing except help her with application-file associations, once.
I'm not pretending this wouldn't change (to some degree at least) if Mac OS X became the #1 target
I tried it; it works! (Score:2, Funny)
Java 1.4.2 Sucks (Score:3, Funny)
In addition, during this file transfer, HotJava will not work. And everything else has ground to a halt. Even my IDE is straining to keep up as I type this.
I won't bore you with the laundry list of other problems that I've encountered while working on various Java 1.4.2 machines, but suffice it to say there have been many, not the least of which is I've never seen a Java 1.4.2 system that has run faster than its Java 1.4.1 counterpart, despite Java 1.4.2's faster bytecode architecture. My 486/66 with 8 megs of ram runs faster with Java 1.4.1 than this 300 mhz machine at times. From a productivity standpoint, I don't get how people can claim that Java 1.4.2 is a superior virtual machine.
Java 1.4.2 addicts, flame me if you'd like, but I'd rather hear some intelligent reasons why anyone would choose to use a Java 1.4.2 over other faster, cheaper, more stable Java environments.
Description from the Apple web site (Score:1)
Description: A vulnerability in the Java Plug-in may allow an untrusted applet to escalate privileges, through JavaScript calling into Java code, including reading and writing files with the privileges of the user running the applet. Releases prior to Java 1.4.2 on Mac OS X are not affected by this vulnerability. Further information is available in Document ID 57591 from S
Apple Proactive? (Score:4, Insightful)
Or maybe I just need more sleep.
~UP
Re:Apple Proactive? (Score:4, Interesting)
You seem surprised. That's only because so many other companies have trained us not to expect this. We would not expect less than this from other products; operating systems should be the same. Imagine if cars were sold without crash tests. Security in a commercial OS should undergo constant (and pro-active) testing by the company (you can certainly bet its enemies are doing that). The fact that we don't expect that kind of work, and are surprised when we see it, speaks volumes about the practices of the current leaders of the commercial OS industry.
Re:Apple Proactive? (Score:4, Interesting)
Re:Apple Proactive? (Score:2)
(seriously, no "I thought MS already did that" or similar comments)
ANOTHER Security Update? (Score:5, Funny)
geez Apple, it was barely a month since your last update. [apple.com] Not looking so good I gotta say.
I might have to "unswitch" to Windows, they hardly have as many security fixes. It's as rock solid as a Kryptonite lock. -gko
Related News . . . (Score:1, Offtopic)
Also released is Linux security (kernel) release 2.6.8. Not wanting to feel left out. This security release, when installed in place of MS Windows, will effectively block all Windows-based malware
Not Just Apple ... (Score:5, Informative)
http://sunsolve.sun.com/search/document.do?assetk
Fixed in J2SE 5, J2SE 1.4.2_06, and J2SE 1.3.1_14.
Secunia and Techworld Noise (Score:2)
"Apple shames itself again over security: Critical hole in Mac OS X patched three months late." [techworld.com]
And it's interesting to look at Secunia's site (Secunia being the source of a lot of recent Microsoft apologism and Apple-bashing):
Macintosh OS X issues [secunia.com]
Windows XP Professional Issues [secunia.com]
(Microsoft is "Vendor 1" in their database, you'll be pleased and amused to learn.)
I'm guessing Secunia likes to drum up publicity for itself by making press releases that r