03/01/2006, 5:30pm, EST

Wednesday, March 1st

Apple fixes Safari, other exploits

Apple today released Security Update 2006-001 for both Mac OS X Panther and Mac OS X Tiger, which is recommended for all users and improves Safari by fixing four different security issues, including the 'extremely critical' Mac OS X zero-day exploit and three other exploits that could enable arbitrary code execution by a malicious user. It also fixes 13 other bugs in the following components: apache_mod_php, automount, Bom, Directory Services, iChat, IPSec, LaunchServices, LibSystem, loginwindow, Mail, rsync, and Syndication. Apple also said that its AES-128 encrypted FileVault disk images are now created with more restrictive operating system permissions and that it improved iChat security by using Download Validation to warn of unknown or unsafe file types during file transfers--in part to protect against the recently reported Leap.A worm.

The update fixes multiple security issues in PHP, the popular web programming language included with the Apache webserver installation. The latest version is installed, but turned off in default installations of Mac OS X. The update also fixes an automount issue that could cause systems to become unresponsive, or possibly allow arbitrary code delivered from file servers to run on the target system.

Apple also notes that the update more securely stores passwords: "The passwd program is vulnerable to temporary file attacks. This could lead to privilege elevation. This update addresses the issue by anticipating a hostile environment and by creating temporary files securely."



9 comments
It's nice to see . . .
0
03/01, 6:05pm, EST
Apple jump on these security issues so quickly. As Mac users, security is something which we have not had to worry all that much about, and then all of a sudden, last week saw 3 new potential exploits.

Granted none of them could cause harm in their current forms, but the concepts they were trying to display were solid enough to warrant a quick response.

And a quick response we got.
Fresh-Faced Recruit
Joined Mar 2006
Not so fast...
0
03/01, 6:20pm, EST
These issues have been around a long time and Apple has been openly criticized for taking so long to fix them. This criticism increased last week, probably spurring some action from Apple. Finally. So sorry, but your post is the total opposite of what's been happening. It seems Apple only fixes things when people jump up and down about them.
Fresh-Faced Recruit
Joined Feb 2005
Consider The Alternative
0
03/01, 7:27pm, EST
Whatever. At least Apple responds with an update BEFORE its users are negatively impacted by threats. Too bad we can't say the same for that other company that makes a major OS used by millions of people.
Fresh-Faced Recruit
Joined Apr 2004
Get Your facts Straight
0
03/01, 7:39pm, EST
Two Three weeks ago, some "security" company exposed two supposed major possible security exploits in Apple's OS. Two Three weeks later Apple responded by fixing the exploits. That is pretty good response time.

It is also fair to point out, these were possible exploits, not actual exploits.
Fresh-Faced Recruit
Joined Jan 2006
umm...
0
03/01, 9:11pm, EST
All of these "exploits" needed Admin access. In a professional networking environment, the end users are NOT admins and cannot be affected by most of these exploits. End users do not run PHP, as an example. Apple didn't see them as critical needs till some idiot decided to blast them for it. So, KUDOS APPLE for making them shut up. Now get back to making the OS LEAN and not BLOATED!
Fresh-Faced Recruit
Joined Jun 2003
well now my G5 is secure.
0
03/02, 12:20am, EST
The security of the dead... did the automatic update, and it killed my primary HD. Haven't narrowed down exactly what's wrong but after the restart the partition OSX10.4.5 was on became unmountable as did a backup OS partition I had on that drive. My other HD is ok but the system can't get past trying to mount the drives. Option lets me select a CD boot but I am really hosed. - Will update if I learn more.
Fresh-Faced Recruit
Joined Mar 2006
Re: consider the alternat
0
03/02, 12:41pm, EST
Whatever. At least Apple responds with an update BEFORE its users are negatively impacted by threats. Too bad we can't say the same for that other company that makes a major OS used by millions of people.

Most Windows holes are patched prior to their announcement and info, let alone before exploits are released. The problem with Windows is that, with so many users, there's a whole segment that never runs the update feature.

I'm sure OS X has the same percentage of non-updaters. Esp if they are NOT admins, where they'll never know there's an update until the admin logs in.

Oh, and most Macs are NOT used in professional networking environments, and most users are, in fact, admins (Apple's default setup - hey, just like Windows!). Users would have to know what they're doing, read non-included manuals and on-line help to just know that they might want to consider setting up a limited account.
Fresh-Faced Recruit
Joined Aug 2001
Update on Update Problems
0
03/02, 1:25pm, EST
I just spoke with 2 individuals who have had similar hard drive problems directly after the patch. In one case, same as mine, a total loss of directory structure; in the other, directory failures and constant pinwheel and crashing of applications.
Fresh-Faced Recruit
Joined Mar 2006
At least they...
0
03/02, 5:52pm, EST
...don't take forever to patch their OS unlike SOME companies, coughMICROSOFTcough....

I had no issues doing the update on this Mac mini.

Tom
Forum Regular
Joined Aug 2000