
06/07/2004, 4:45pm, EDT

Monday, June 7th

Apple fixes URI exploits with security update

Apple today released Security Update 2004-06-07, which fixes the 'critical' URI security exploits noted over the past several weeks: "[It] delivers a number of security enhancements and is recommended for all Macintosh users. This update includes the following components: DiskImages, LaunchServices, Safari, and Terminal. Mac OS X will now present an approval alert when an application is to be run for the first time either by opening a document or clicking on a URL related to the application."

  • LaunchServices (CVE-ID: CAN-2004-0538)
    Impact: LaunchServices automatically registers applications, which could be used to cause the system to run unexpected applications.
    Discussion: LaunchServices is a system component that discovers and opens applications. This system component has been modified to only open applications that have previously been explicitly run on the system. Attempts to run an application that has not previously been explicitly run will result in a user alert.

  • DiskImageMounter (CVE-ID: none; "this is only an additional preventative measure")
    Impact: The disk:// URI type mounts an anonymous remote file system using the http protocol.
    Discussion: The registration of the disk:// URI type is removed from the system as a preventative measure against attempts to automatically mount remote disk image file systems.

  • Safari (CVE-ID: CAN-2004-0539)
    Impact: The "Show in Finder" button would open certain downloaded files, in some cases executing downloaded applications.
    Discussion: The "Show in Finder" button will now reveal files in a Finder window and will no longer attempt to open them. This modification is only available for Mac OS X v10.3.4 "Panther" and Mac OS X Server v10.3.4 "Panther" systems, as the issue does not apply to Mac OS X v10.2.8 "Jaguar" or Mac OS X Server v10.2.8 "Jaguar".

  • Terminal (CVE-ID: Not applicable)
    Impact: Attempts to use a telnet:// URI with an alternate port number fail.
    Discussion: A modification has been made to allow the specification of an alternate port number in a telnet:// URI. This restores functionality that was removed with the recent fix for CAN-2004-0485.
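As an added illustration (not Apple's code, and not text from the advisory), the following Python model shows how the three policy changes above fit together in a URL-handler dispatcher: an application reached through a URL is launched only if the user has already run it explicitly, otherwise an approval dialog is asked and a refusal leaves the application unapproved so the question is asked again next time; the disk:// scheme simply has no handler registered; and a telnet:// URI is accepted with an optional numeric port under a strict host[:port] grammar. The handler table, class and function names, the approval callback and the sample URLs are all assumptions made for the example. Rejecting a telnet "host" that begins with "-" is a general precaution for any handler that hands the host to a command-line program; it is not a description of CAN-2004-0485, whose details this page does not give.

```python
"""Model of the URI-handler hardening described in Security Update 2004-06-07.

Added illustration only; nothing here is Apple's implementation.  Behaviours
modelled (names, registry and sample URLs are invented for the example):
  * LaunchServices: an app reached via a URL runs only if it was previously
    run explicitly; otherwise the user is asked first.
  * DiskImageMounter: the disk:// scheme is not registered at all.
  * Terminal: telnet://host[:port] is accepted under a strict grammar.
"""
import re
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional, Set, Tuple
from urllib.parse import urlsplit

# Strict telnet authority: DNS-style labels (or dotted IPv4) plus an optional
# numeric port.  A label cannot start with '-', so a URL cannot smuggle what
# looks like a command-line option into the telnet binary the handler runs
# (assumed threat model for the example, not a claim about CAN-2004-0485).
_LABEL = r"[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?"
_TELNET_AUTHORITY = re.compile(
    r"^(?P<host>" + _LABEL + r"(\." + _LABEL + r")*)"
    r"(?::(?P<port>[0-9]{1,5}))?$"
)


def telnet_target(url: str) -> Optional[Tuple[str, int]]:
    """Parse telnet://host[:port]; return (host, port) or None if it does not fit."""
    parts = urlsplit(url)
    if parts.scheme.lower() != "telnet":
        return None
    # No path, query or fragment is meaningful for telnet; refuse rather than guess.
    if parts.path not in ("", "/") or parts.query or parts.fragment:
        return None
    m = _TELNET_AUTHORITY.match(parts.netloc)
    if not m:
        return None
    port = int(m.group("port")) if m.group("port") else 23   # 23 = default telnet port
    if not 1 <= port <= 65535:
        return None
    return m.group("host"), port


@dataclass
class LaunchGate:
    """First-run approval gate for applications reached via URL schemes (example model)."""
    approved: Set[str] = field(default_factory=set)   # apps the user has explicitly run
    # scheme -> handling application; disk:// is deliberately absent
    handlers: Dict[str, str] = field(default_factory=lambda: {
        "http": "Safari", "https": "Safari", "ftp": "Finder", "telnet": "Terminal"})

    def explicit_run(self, app: str) -> None:
        """The user launched the app themselves (e.g. double-clicked it in /Applications)."""
        self.approved.add(app)

    def open_url(self, url: str, ask_user: Callable[[str], bool]) -> Optional[str]:
        """Return the app that handles url, or None if nothing is launched.

        ask_user models the approval dialog: it receives the app name and
        returns True for 'open', False for 'cancel'.
        """
        scheme = urlsplit(url).scheme.lower()
        app = self.handlers.get(scheme)
        if app is None:
            return None                 # unregistered scheme (e.g. disk://): nothing launches
        if scheme == "telnet" and telnet_target(url) is None:
            return None                 # malformed telnet URI: refuse instead of passing it on
        if app not in self.approved:
            if not ask_user(app):
                return None             # denied: stays unapproved, so the next attempt asks again
            self.approved.add(app)      # approved once, not asked again for this app
        return app
```

A refusal in the dialog leaves the application out of `approved`, which is why the alert keeps reappearing until the user either approves or runs the application directly; after that, documents and URLs for that application open without a prompt, matching the "first time" wording in Apple's description.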


Filed under: troubleshooting

18 comments
No more free publicity...
06/07, 4:56pm, EDT
...for the security firms issuing press releases, blowing things out of proportion, to make a name for themselves.
Professional Poster, joined Sep 1999

Hmmmm...
06/07, 5:02pm, EDT
This security update only alerts you the FIRST time an application tries to automatically open. What about the 2nd time or the 3rd time or whatever? Doesn't seem to be too big of a fix to me if it only alerts you once.
Fresh-Faced Recruit, joined Nov 1999

Nice fix..
06/07, 5:09pm, EDT
So Apple basically just did the exact same thing Paranoid Android did AND they disabled a perfectly good protocol for no good reason..
Forum Regular, joined Aug 2001

Re: Hmmmm...
06/07, 5:09pm, EDT
Obviously if you tell it "NO" the first time an unsafe app tries to run then it hasn't actually run, has it? So when/if whatever causes it to happen occurs again, you'll get the same warning...unless you're stupid enough to say yes the first time.
Fresh-Faced Recruit, joined Apr 2004

Re: Hmmmm...
06/07, 5:56pm, EDT
I, for one, would be really annoyed if I got a warning dialog every time I tried to open a PDF by double-clicking on it. That's an example of why the dialog will only come up the first time.
Mac Enthusiast, joined Sep 2001

Dialog shows
06/07, 6:20pm, EDT
legal disclaimer protecting Apple if your hard disk is erased.

Just kidding...
Fresh-Faced Recruit, joined Jan 2000

What?
06/07, 6:32pm, EDT
"past several weeks" my a$$
Fresh-Faced Recruit, joined Nov 2000

no install problems
06/07, 6:47pm, EDT
installed and rebooted w/o issues

G4/400 AGP
OS 10.3.4
Mac Enthusiast, joined Aug 2000

outrage
06/07, 6:50pm, EDT
I'm waiting for the outrage of all the people who claimed the URI exploit wasn't a problem and that OS X was flawless. Apparently Apple thinks it was enough of a concern to fix it. Even our beloved Apple can make mistakes now and then; the important thing is that they acknowledge them and fix them. Those of you who denied its existence were of no help, and I'm glad Apple wasn't as big-headed as you were.
Fresh-Faced Recruit, joined May 2004

re: Nice fix..
06/07, 6:59pm, EDT
<i>So apple basically just did the exact same thing Paranoid Android did AND they disabled a perfectly good protocol for no good reason..</i>

I'm not seeing an APE requirement with Security Update 2004-06-07.   ; )
Senior User, joined Jan 1999
