Apple patch tackles two dozen Mac OS vulnerabilities

***AppleInsider*** · 04-19-2007, 04:53 PM

Apple Inc. on Thursday plugged over two dozen security exploits within the client and server versions of its Mac OS X 10.3 "Panther" and Mac OS X 10.4 "Tiger" operating systems that could potentially expose Mac users to a variety of malicious attacks.

For Mac OS X 10.4.9

A version of the software update for systems running Mac OS X 10.4.9 -- labeled Security Update 2007-004 -- does away with vulnerabilities affecting AFP Client, AirPort, CarbonCore, diskdev_cmds, fetchmail, ftpd, gnutar, Help Viewer, HID Family, Installer, Kerberos, Libinfo, Login Window, network_cmds, SMB, System Configuration, URLMount, Video Conference and WebDAV.

The patch is available as a 16.1MB download for Macs running the Intel version of Mac OS X 10.4.9 client version and as a 9.3MB download for those machines running the PowerPC version of the OS.

For Mac OS X 10.3.9

Apple has also made a version of the security update available for systems running the most recent point release of its previous-generation Mac OS X 10.3 "Panther" software. That release dismantles exploits in AFP Client, AirPort, diskdev_cmds, fetchmail, ftpd, Help Viewer, Kerberos, Libinfo, Login Window, network_cmds, SMB, System Configuration, URLMount, Video Conference, WebDAV and WebFoundation.

Users of 10.3.9 can download a 37.6MB updater for the client version of the software or a 54.1MB updater for its server counterpart.

The culprits

For the most part, the vulnerabilities addressed by the Mac maker's latest security update could translate into denial of service attack, unexpected application termination, or arbitrary code execution. However, Apple made note of several more critical issues that could allow malicious users to gain elevated system privileges through AFP Client, Airport, CarbonCore, Kerberos, WebDav and the Mac OS X Login Window.

The Cupertino-based company also addressed two other significant shortcomings of the Login Window. The first, resulting from insufficient checks of environmental variables, could allow local user to obtain system privileges and execute arbitrary code. The other, meanwhile, would at times allow the screen saver authentication dialog to be bypassed without entering a password even when a user had set his or her preference to "require a password to wake the computer from sleep."

[ View this article at AppleInsider.com ]

[ Digg this story ]

digitalclips · 04-19-2007, 05:09 PM

Excellent work Apple. Down loaded in seconds. Not like the daily XP updates!

pazimzadeh · 04-19-2007, 05:42 PM

Quote:

Originally Posted by digitalclips

Excellent work Apple. Down loaded in seconds. Not like the daily XP updates!

Not daily actually, more like monthly (which is worse because malware comes out daily).

MacTel · 04-19-2007, 06:02 PM

Quote:

Originally Posted by pazimzadeh

Not daily actually, more like monthly (which is worse because malware comes out daily).

It is just amazing that no malware has been released in the wild for Apple systems. Well, at least that we know of.

pazimzadeh · 04-19-2007, 06:06 PM

Quote:

Originally Posted by MacTel

It is just amazing that no malware has been released in the wild for Apple systems. Well, at least that we know of.

Umm... I'm kind of confused. You're not being sarcastic are you?

MacTel · 04-19-2007, 06:11 PM

Quote:

Originally Posted by pazimzadeh

Umm... I'm kind of confused. You're not being sarcastic are you?

Not at all sarcastic. I haven't heard of any malware released on OSX. Yet, even with 3-levels of defense we still have malware trickling in on our work's Windows XP computers. It is usually keyloggers that get in.

Does anyone know of any for OSX? Trojans, keyloggers, rootkits, adware, or etc?

**JeffDM** · 04-19-2007, 06:19 PM

Quote:

Originally Posted by MacTel

Not at all sarcastic. I haven't heard of any malware released on OSX. Yet, even with 3-levels of defense we still have malware trickling in on our work's Windows XP computers. It is usually keyloggers that get in.

Does anyone know of any for OSX? Trojans, keyloggers, rootkits, adware, or etc?

The occasional proof of concept comes out, but I don't remember one "in the wild" for quite some time, if ever. If the hackers are as ego-driven as I think they are, I'd be surprised if there aren't any that aren't trying their darndest to make them.

I think one problem is that there's more money per unit effort in attacking Windows. Let's say it takes half the work, but there are 20x as many attackable machines, that's a 40:1 difference. If you are trying to make money doing nefarious deeds, then you are better off attacking Windows computers. Recognition from the hacker community might only give you 15 minutes of fame.

Booga · 04-19-2007, 06:44 PM

A lot of the malware for Windows is no longer ego-driven. It's a business. Spam distribution, adware click-generation, corporate spying, and other things actually generate revenue. Right now, even the strictest financial penalties one can practically expect to receive pale in comparison to the money some of these asshats make. You just can't make the same money writing malware for MacOS X.

It's also true that MacOS X, because of its default of fewer servers and non-administrator rights, tends to be more secure despite the vulnerabilities. But as soon as you start getting the big businesses using Macintoshes and there's money to be made, there will be malware.

I work for a ~10,000 person company, and we've gone from 0 to 10-20 Macs over the last couple years. It's a start, and a lot of people are determined to get them the next hardware upgrade cycle (which around here is every 2.5 years or so). I fear the day the Mac becomes a target for malware because of its popularity in companies like mine.

EruIthildur · 04-19-2007, 06:49 PM

Yes, Apple will probably get more attention from Hackers... But there are plenty out there that would LOVE to hack Apple for the fame... Come on, that would get some serious recognistion. Not many people can say they owned NASA.

I would attribute the security of the Mac firstly to it's good security principles, and secondly to it's lack of money to be made from.

Sopranino · 04-19-2007, 09:51 PM

It is good to see Apple getting out security updates within a decent timeframe (considering all of the other issues that they are dealing with.......you know, Leopard<-->iPhone.....)

Having gone through University on a Unix system I can state that getting a virus onto a *nix based system is a LOT harder than it is for a Windows based system. In its original iterations Unix was designed to be a multiuser collabaritive environment and as such had a very sophisticated user control system, however there were some gigantic security holes present in the form of open ports (one of the larger ones was exploitable through SendMail). The later releases of *nix based systems started to close those ports that were normally open by default which improved the level of security. Most of the 'security vulnerabilities' involve direct access to the hardware (in other words you must be physically at the computer) in order to be able to 'break'/'hack' the computer. Closing the open ports has all but eliminated the risk of an outside remote attack from occurring. The risk of importing and activating (without your knowledge and express permission) a virus, is virtually nil as a virus must have been given permission by yourself to run and then on top of that a virus would also have to have gained the root password in order to do any system damage.

While going through University I met a number of extremely talented individuals who had written Trojans and various other annoyances. In every case in order to 'infect' somebody elses account they needed direct access to a terminal in order to install a Trojan. Some of the brainier types wrote fairly sophisticated fake front ends that would mimic the login process and thus they would be able to gain a persons user name and password and then they could access that individuals account and cause damage. Without direct access these hackers were completely harmless.

Sopranino

gdog · 04-19-2007, 11:30 PM

any issues with update?

Kickaha · 04-20-2007, 12:16 AM

None here - had a funky double-boot, but after that, all was good.

nagromme · 04-20-2007, 12:21 AM

Quote:

Originally Posted by Kickaha

None here - had a funky double-boot, but after that, all was good.

The double-boot seems to be universal. Occasionally an update will require that--and/or an unusually slow reboot the first time.

Kickaha · 04-20-2007, 12:49 AM

While true, this is the first time I've seen it get caught in a loop waiting for the diskarb to come up... took a couple of *minutes*. Ah well, looks okay now.

(Yeah, I verbose boot after updates just to see what all it is doing...)

HiddenWolf · 04-20-2007, 03:14 AM

Quote:

Originally Posted by Sopranino

It is good to see Apple getting out security updates within a decent timeframe (considering all of the other issues that they are dealing with.......you know, Leopard<-->iPhone.....)

*snip*

Sopranino

Any company worth it's salt has a different product development and security department. This is not good news, this is expected performance. It would be shocking if it came out that Apple had drawn engineers away from the security group to work on products. We would all love to see leopard, but for Apple to gain any inroads in the market it is absolutely essential to be _and stay_ the safest commercial OS out there.
That said, the recent delays point out a shortage of qualified key engineers, so Apple had better start hiring actively and buff up its labour pool. It's been said that Apple is quite slow with security updates already compared to Microsoft and competing Linux vendors.

grebo · 04-20-2007, 03:37 AM

Since installing the update, and rebooting (twice - to see if it made any difference) -- my Dock has disappeared.

Any attempt to show the dock or change the preferences has no effect.

Also, the 'About this Mac' option from the Apple menu no longer displays.

Anyone have any ideas?

matracer · 04-20-2007, 04:55 AM

No problems with update here. Installed and everything running smooth.

Sopranino · 04-20-2007, 06:32 AM

Quote:

Originally Posted by HiddenWolf

Any company worth it's salt has a different product development and security department. This is not good news, this is expected performance. It would be shocking if it came out that Apple had drawn engineers away from the security group to work on products. We would all love to see leopard, but for Apple to gain any inroads in the market it is absolutely essential to be _and stay_ the safest commercial OS out there.
That said, the recent delays point out a shortage of qualified key engineers, so Apple had better start hiring actively and buff up its labour pool. It's been said that Apple is quite slow with security updates already compared to Microsoft and competing Linux vendors.

Very valid statement regarding the shortage of qualified key engineers. There is a recent article (on Mac Rumors I think) that indicates that 50 of Apples software engineers have been flown out to the Asian plant that is putting the iPhone together.

Sopranino

Wings · 04-20-2007, 06:37 AM

Quote:

Originally Posted by JeffDM

The occasional proof of concept comes out, but I don't remember one "in the wild" for quite some time, if ever. If the hackers are as ego-driven as I think they are, I'd be surprised if there aren't any that aren't trying their darndest to make them.

I think one problem is that there's more money per unit effort in attacking Windows. Let's say it takes half the work, but there are 20x as many attackable machines, that's a 40:1 difference. If you are trying to make money doing nefarious deeds, then you are better off attacking Windows computers. Recognition from the hacker community might only give you 15 minutes of fame.

Ya think a brand new MacBook Pro and TEN THOUSAND DOLLARS would interest a hacker? There is a contest going on at ConSecWest conference for any hacker who can break into either of 2 Macs to win that prize. That sure is motivation if you ask me. And, when the conference is over, the sponsors will be taking their Macs back home and keeping their 10 grand. Count on it.

Here's the link:
http://news.com.com/8301-10784_3-9710845-7.html

gazonk · 04-20-2007, 07:03 AM

Mine double-booted too, but the screen stayed white (no apple logo appearing) after the second reboot - so I used the power button after several minutes of white screen. HOWEVER, I had forgotten to disconnect my iPod nano, I'm pretty sure that explains it. Everything seems fine now.

lkrupp · 04-20-2007, 08:19 AM

Quote:

Originally Posted by MacTel

It is just amazing that no malware has been released in the wild for Apple systems. Well, at least that we know of.

I agree. For all the blustering of the security researchers, the TV commercials that tout OS X security, the "outrage" of the various Apple bashing websites you'd think SOMEBODY would develop a real nasty varmint just to take the platform down a notch. At this point in time the "not enough market share to matter" argument doesn't hold water anymore. There's something about OS X that makes it real hard to attack successfully.

franksargent · 04-20-2007, 09:12 AM

Quote:

Originally Posted by lkrupp

I agree. For all the blustering of the security researchers, the TV commercials that tout OS X security, the "outrage" of the various Apple bashing websites you'd think SOMEBODY would develop a real nasty varmint just to take the platform down a notch. At this point in time the "not enough market share to matter" argument doesn't hold water anymore. There's something about OS X that makes it real hard to attack successfully.

There a reason for that.

Basically, Mac OS X is *NIX under the hood, with most (if not all) security features turned on in the typical user's (OS X default) installation.

Go ahead and turn off most (or all) of these defaults, surf the net a few days, buy some stuff online, and see what happens!

mariofreak85 · 04-20-2007, 12:50 PM

hmmm, now my function keys on my powerbook don't work

EDIT: Ah ha, com.apple.systempreferences.plist was the culprit

digitalclips · 04-20-2007, 01:27 PM

Quote:

Originally Posted by mariofreak85

hmmm, now my function keys on my powerbook don't work

EDIT: Ah ha, com.apple.systempreferences.plist was the culprit

Glad I didn't have that problem! ... One of my Macs was done using Apple Desktop Remote and it is at a colocation site on a T1 and a long drive away. That would have been very nasty for me.

I am happy to report all 7 Macs ranging from G4s, iBooks, MacBooks, Duel G5s and Intel Macs including Server went flawlessly.

Heck of a long shut down during restart procedure I must admit, danger here that some folk panic, fail to wait and force a restart resulting in corrupt files. I very nearly did the first machine I updated.

Abster2core · 04-20-2007, 02:24 PM

Quote:

Originally Posted by HiddenWolf

Any company worth it's salt has a different product development and security department. This is not good news, this is expected performance. It would be shocking if it came out that Apple had drawn engineers away from the security group to work on products. We would all love to see leopard, but for Apple to gain any inroads in the market it is absolutely essential to be _and stay_ the safest commercial OS out there.
That said, the recent delays point out a shortage of qualified key engineers, so Apple had better start hiring actively and buff up its labour pool. It's been said that Apple is quite slow with security updates already compared to Microsoft and competing Linux vendors.

Let's see. Nobody has been able to hack the system. Little if any evidence of security breeches. But boy should Apple get faster updating security problems that don't seem to be happening. Wonder why Microsoft has to do security updates so often. Is it because they are getting issues faster on their Windows that we never get on Macs. Perhaps Apple should restructure OS X like Windows so that they can show how much faster they are at finding security problems.

And "Apple had better start hiring actively and buff up its labour pool." For what? To increase overhead so that they can up their prices to offset the additional cost?

Love the had better attitude.

HiddenWolf · 04-20-2007, 03:03 PM

Quote:

Originally Posted by Abster2core

Let's see. Nobody has been able to hack the system. Little if any evidence of security breeches. But boy should Apple get faster updating security problems that don't seem to be happening. Wonder why Microsoft has to do security updates so often. Is it because they are getting issues faster on their Windows that we never get on Macs. Perhaps Apple should restructure OS X like Windows so that they can show how much faster they are at finding security problems.

And "Apple had better start hiring actively and buff up its labour pool." For what? To increase overhead so that they can up their prices to offset the additional cost?

Love the had better attitude.

The mac is not getting hacked at the moment due to a combination of *nix roots and financial motives. It is far, far more profitable to hack a windows ecosystem.
However, mac sales are growing 30% year on year, and we've seen a plethora of stories lately about businesses considering the switch to mac.
If this trend materialises, it is absolutely essential that Apple keep on top of security, since the commercial viability of hacking a mac system will increase along with business uptake of the mac.

I am well aware that there are no current known and/or widespread hacks out there, but the system is not invulnerable, and the appearance of (ahum) invulnerability and hassle-free-maintenance is one of the driving forces between Apple's appeal to the market.
This means strong QA and security departments are a must.

just my opinion.

Abster2core · 04-20-2007, 03:35 PM

Quote:

Originally Posted by Kickaha

None here - had a funky double-boot, but after that, all was good.

Not sure if this helps.

1. Ran the Update on first Mac (A). Had to double boot. Ran Disk Utility. Ran Verify Disk Permissions. One showed up. Repaired it.

2. Ran Disk Utility on a second Mac (B). Ran Disk Utility. Ran Verify Disk Permissions. One showed up. (Same one as found on Mac (A). Repaired it. Ran the Update. Relaunch quick. No double boot. Reran Disk Verify Disk Permissions. Volume ok.

3. Ran Disk Utility on a third Mac (C). Ran Disk Utility. Ran Verify Disk Permissions. None showed up. Ran the Update. Relaunched quickly. No double boot. Reran Disk Verify Disk Permissions. Volume ok.

Unfortunately, I didn't write down the incorrect permission message.

Abster2core · 04-20-2007, 03:42 PM

Quote:

Originally Posted by HiddenWolf

The mac is not getting hacked at the moment due to a combination of *nix roots and financial motives. It is far, far more profitable to hack a windows ecosystem.
However, mac sales are growing 30% year on year, and we've seen a plethora of stories lately about businesses considering the switch to mac.
If this trend materialises, it is absolutely essential that Apple keep on top of security, since the commercial viability of hacking a mac system will increase along with business uptake of the mac.

I am well aware that there are no current known and/or widespread hacks out there, but the system is not invulnerable, and the appearance of (ahum) invulnerability and hassle-free-maintenance is one of the driving forces between Apple's appeal to the market.
This means strong QA and security departments are a must.

just my opinion.

It has been tried. There is even a reward if somebody can do it. I would imagine that a thousand or so have or are attempting to produce the first one right now.

And if you don't think that Apple is working on security issues 24/7 you are in the wrong forum.

99bottles · 04-20-2007, 05:02 PM

Quote:

Originally Posted by MacTel

Does anyone know of any for OSX? Trojans, keyloggers, rootkits, adware, or etc?

There are about 30 known bits of malware for OS X that actually appear in the wild, most of which are keyloggers, rootkits, or backdoor/remote control setups. Some of the items have valid uses as well as uses as malware.
Take a look at:
http://macscan.securemac.com/list.php
...for a list of about 20. They are not, however, widely distributed or well known. In general, they occur only as the result of a manual attack, and if you're specifically being targeted by someone with some expertise, OS X is really not the best solution. It is better than Windows and on par with the average Linux distribution. To stop a determined expert, you really should be running a hardened SELinux setup or OpenBSD or the like.

sc_markt · 04-20-2007, 05:24 PM

Quote:

Originally Posted by nagromme

The double-boot seems to be universal. Occasionally an update will require that--and/or an unusually slow reboot the first time.

I didn't have a double-boot. In fact, I haven't had one for probably the last 7 or 8 updates. (I've had them before though).

I wonder if I should be worried?

- Mark

HiddenWolf · 04-20-2007, 05:46 PM

Quote:

Originally Posted by Abster2core

And if you don't think that Apple is working on security issues 24/7 you are in the wrong forum.

I expressly stated that _I believe_ the mac is safe at the moment, I commented on the fact that it is to be expected that security updates keep coming even in the iphone-era where key engineers are pulled off osX.

What I am saying is that I hope that Apple will learn from the leopard/iphone setback and start recruiting new engineers, because with a 30% annual growth rate the time will come that the mac will be a target. I'd rather see they're ready for that, since their current security bulletins are rather sketchy, and their patches take quite a while to come out.

I say this because I believe that security and ease of maintenance are two of the key succes factors and advantages that Apple has over Microsoft, and these need to be maintained actively.

Chucker · 04-20-2007, 06:25 PM

Quote:

Originally Posted by HiddenWolf

What I am saying is that I hope that Apple will learn from the leopard/iphone setback and start recruiting new engineers

http://en.wikipedia.org/wiki/The_Mythical_Man-Month

Abster2core · 04-20-2007, 07:26 PM

Quote:

Originally Posted by Chucker

http://en.wikipedia.org/wiki/The_Mythical_Man-Month

Thanks for the link. I have or had that book and somehow it has disappeared from my library. No truer words were spoken.

Incidently, it just doesn't apply to software development. All we have to do is look at government.

Timmmy · 04-20-2007, 09:20 PM

Does 2007-4 address this Safari exploit?

franksargent · 04-20-2007, 10:07 PM

Quote:

Originally Posted by Timmmy

Does 2007-4 address this Safari exploit?

Don't know, but if you read the rather short article you link to, you'll see that they relaxed the security on the 2nd day after failing the first day!

We'll probably know soon what the relaxed conditions were, I'd expect Apple to respond in either case.

When? Who knows!

Edit - They may have done it wirelessly, using something called KARMA.

Quote:

Dino A. Dai Zovi is a computer security consultant and developer for Matasano Security. Author of numerous papers and presentations on exploitation techniques, 802.11 wireless attacks, and OS kernel security, Dino comes to Matasano from the Attack and Exploitation Team at Bloomberg. Dino's career spans over 7 years and includes key roles at @stake, and the IDART Red Team at Sandia Labs. He has spoken at security conferences including IEEE, DEFCON, CanSecWest, and PACSEC.

franksargent · 04-21-2007, 11:13 AM

Hacker breaks into Mac at security conference

Quote:

Initially, contestants were invited to try to access one of two Macs through a wireless access point while the Macs had no programs running. No attackers managed to do so, and so conference organizers allowed participants to try to get in through the browser by sending URLs via e-mail.

Quote:

According to the security blog Matasano Chargen, Shane Macaulay and Dino Dai Zovi won the contest by gaining shell access to a Mac by pointing the Mac’s Safari browser at a specially-constructed Web page.

Quote:

The prize for the contest was originally one of the Macs. But on Thursday evening, TippingPoint put up the cash award, which may have spurred a wider interest in the contest. According to Matasano Chargen, Macaulay will keep the MacBook while Dai Zovi will pocket the cash prize.

Quote:

The vulnerability won’t be published. 3Com Corp.’s TippingPoint division, which put up the cash prize, will handle disclosing it to Apple.

Personally, I've NEVER opened a email from anyone that, either 1) I don't know directly, or 2) from anyone where I didn't initiate the received email to begin with.

Kickaha · 04-21-2007, 01:24 PM

While not quite a non-event, (nasty hole in Safari there), the fact that it required a user to visit a malicious website puts this in an entirely different class of exploit than, say, plugging a pre-SP2 XP box into the LAN and having it compromised in less than 15 minutes just sitting there. (cf, my landlord's PC)

Can't wait for the ill-informed smugness on the intarwebs to start though. Where's Thurrot?

Still, this is bad enough hole that it need plugging ASAP.

Hiro · 04-21-2007, 01:57 PM

Quote:

Originally Posted by Kickaha

While not quite a non-event, (nasty hole in Safari there), the fact that it required a user to visit a malicious website puts this in an entirely different class of exploit than, say, plugging a pre-SP2 XP box into the LAN and having it compromised in less than 15 minutes just sitting there. (cf, my landlord's PC)

Can't wait for the ill-informed smugness on the intarwebs to start though. Where's Thurrot?

Still, this is bad enough hole that it need plugging ASAP.

Yes. The really good news though is no root exploits.

Mr. Me · 04-21-2007, 02:16 PM

Quote:

Originally Posted by franksargent

Don't know, but if you read the rather short article you link to, you'll see that they relaxed the security on the 2nd day after failing the first day!

Let us not forget that the attackers were able to concentrate on a specific target which the owners knew was under attack. In spite of the fact that the administrators knew their machine was under attack, they lowered its defenses to make it easier for the attack to succeed. This is the opposite of real life. Hackers generally don't have the luxury of knowing that their efforts can be concentrated on a single target. Instead, they scan the 'Net for all machines hoping to compromise any that they can. Also in real life, administrators don't lower their defenses following a known attack. They raise their defenses. In the worse case, they do nothing. If they had done nothing in this case, then the machine would not have been compromised.

Quote:

Originally Posted by franksargent

We'll probably know soon what the relaxed conditions were, I'd expect Apple to respond in either case.

...

You make an extremely important point. For all we know, they enabled root and gave it an easily obtainable password.

1337_5L4Xx0R · 04-21-2007, 07:35 PM

the fact that an exploited mac at a security conference (resulting in free macbooks and $$$) is gaining notoriety tells you something. That something is that it is not easy to do.

04-19-2007, 04:53 PM	#1
*AppleInsider* Kasper's Automated Slave Join Date: Nov 1997 Posts: 6,167	Apple patch tackles two dozen Mac OS vulnerabilities Apple Inc. on Thursday plugged over two dozen security exploits within the client and server versions of its Mac OS X 10.3 "Panther" and Mac OS X 10.4 "Tiger" operating systems that could potentially expose Mac users to a variety of malicious attacks. For Mac OS X 10.4.9 A version of the software update for systems running Mac OS X 10.4.9 -- labeled Security Update 2007-004 -- does away with vulnerabilities affecting AFP Client, AirPort, CarbonCore, diskdev_cmds, fetchmail, ftpd, gnutar, Help Viewer, HID Family, Installer, Kerberos, Libinfo, Login Window, network_cmds, SMB, System Configuration, URLMount, Video Conference and WebDAV. The patch is available as a 16.1MB download for Macs running the Intel version of Mac OS X 10.4.9 client version and as a 9.3MB download for those machines running the PowerPC version of the OS. For Mac OS X 10.3.9 Apple has also made a version of the security update available for systems running the most recent point release of its previous-generation Mac OS X 10.3 "Panther" software. That release dismantles exploits in AFP Client, AirPort, diskdev_cmds, fetchmail, ftpd, Help Viewer, Kerberos, Libinfo, Login Window, network_cmds, SMB, System Configuration, URLMount, Video Conference, WebDAV and WebFoundation. Users of 10.3.9 can download a 37.6MB updater for the client version of the software or a 54.1MB updater for its server counterpart. The culprits For the most part, the vulnerabilities addressed by the Mac maker's latest security update could translate into denial of service attack, unexpected application termination, or arbitrary code execution. However, Apple made note of several more critical issues that could allow malicious users to gain elevated system privileges through AFP Client, Airport, CarbonCore, Kerberos, WebDav and the Mac OS X Login Window. The Cupertino-based company also addressed two other significant shortcomings of the Login Window. The first, resulting from insufficient checks of environmental variables, could allow local user to obtain system privileges and execute arbitrary code. The other, meanwhile, would at times allow the screen saver authentication dialog to be bypassed without entering a password even when a user had set his or her preference to "require a password to wake the computer from sleep." [ View this article at AppleInsider.com ] [ Digg this story ]

04-20-2007, 12:16 AM	#12
Kickaha Really Fast Typing Member Join Date: Nov 2001 Location: Ossining, NY Posts: 8,575	None here - had a funky double-boot, but after that, all was good. My brain is hung like a HORSE!

04-20-2007, 12:49 AM	#14
Kickaha Really Fast Typing Member Join Date: Nov 2001 Location: Ossining, NY Posts: 8,575	While true, this is the first time I've seen it get caught in a loop waiting for the diskarb to come up... took a couple of minutes. Ah well, looks okay now. (Yeah, I verbose boot after updates just to see what all it is doing...) My brain is hung like a HORSE!

04-20-2007, 03:37 AM	#16
grebo Registered User Join Date: Jul 2004 Posts: 10	My DOCK has disappeared Since installing the update, and rebooting (twice - to see if it made any difference) -- my Dock has disappeared. Any attempt to show the dock or change the preferences has no effect. Also, the 'About this Mac' option from the Apple menu no longer displays. Anyone have any ideas?

04-20-2007, 12:50 PM	#23
mariofreak85 Registered User Join Date: Jan 2006 Posts: 180	hmmm, now my function keys on my powerbook don't work EDIT: Ah ha, com.apple.systempreferences.plist was the culprit Last edited by mariofreak85; 04-20-2007 at 01:13 PM..

04-19-2007, 05:09 PM	#2
digitalclips Registered User Join Date: Jun 2006 Location: South West Florida Posts: 1,588	Excellent work Apple. Down loaded in seconds. Not like the daily XP updates!

04-19-2007, 06:44 PM	#8
Booga Registered User Join Date: Jun 2003 Location: Tinton Falls, NJ Posts: 702	A lot of the malware for Windows is no longer ego-driven. It's a business. Spam distribution, adware click-generation, corporate spying, and other things actually generate revenue. Right now, even the strictest financial penalties one can practically expect to receive pale in comparison to the money some of these asshats make. You just can't make the same money writing malware for MacOS X. It's also true that MacOS X, because of its default of fewer servers and non-administrator rights, tends to be more secure despite the vulnerabilities. But as soon as you start getting the big businesses using Macintoshes and there's money to be made, there will be malware. I work for a ~10,000 person company, and we've gone from 0 to 10-20 Macs over the last couple years. It's a start, and a lot of people are determined to get them the next hardware upgrade cycle (which around here is every 2.5 years or so). I fear the day the Mac becomes a target for malware because of its popularity in companies like mine.

04-19-2007, 06:49 PM	#9
EruIthildur Registered User Join Date: Nov 2006 Posts: 165	Yes, Apple will probably get more attention from Hackers... But there are plenty out there that would LOVE to hack Apple for the fame... Come on, that would get some serious recognistion. Not many people can say they owned NASA. I would attribute the security of the Mac firstly to it's good security principles, and secondly to it's lack of money to be made from.

04-19-2007, 09:51 PM	#10
Sopranino Registered User Join Date: Aug 2006 Posts: 28	It is good to see Apple getting out security updates within a decent timeframe (considering all of the other issues that they are dealing with.......you know, Leopard<-->iPhone.....) Having gone through University on a Unix system I can state that getting a virus onto a nix based system is a LOT harder than it is for a Windows based system. In its original iterations Unix was designed to be a multiuser collabaritive environment and as such had a very sophisticated user control system, however there were some gigantic security holes present in the form of open ports (one of the larger ones was exploitable through SendMail). The later releases of nix based systems started to close those ports that were normally open by default which improved the level of security. Most of the 'security vulnerabilities' involve direct access to the hardware (in other words you must be physically at the computer) in order to be able to 'break'/'hack' the computer. Closing the open ports has all but eliminated the risk of an outside remote attack from occurring. The risk of importing and activating (without your knowledge and express permission) a virus, is virtually nil as a virus must have been given permission by yourself to run and then on top of that a virus would also have to have gained the root password in order to do any system damage. While going through University I met a number of extremely talented individuals who had written Trojans and various other annoyances. In every case in order to 'infect' somebody elses account they needed direct access to a terminal in order to install a Trojan. Some of the brainier types wrote fairly sophisticated fake front ends that would mimic the login process and thus they would be able to gain a persons user name and password and then they could access that individuals account and cause damage. Without direct access these hackers were completely harmless. Sopranino

04-19-2007, 11:30 PM	#11
gdog Registered User Join Date: Sep 2006 Posts: 139	any issues with update?

04-20-2007, 04:55 AM	#17
matracer Registered User Join Date: Feb 2005 Posts: 91	No problems with update here. Installed and everything running smooth.

04-20-2007, 07:03 AM	#20
gazonk Registered User Join Date: Dec 2006 Posts: 7	Mine double-booted too, but the screen stayed white (no apple logo appearing) after the second reboot - so I used the power button after several minutes of white screen. HOWEVER, I had forgotten to disconnect my iPod nano, I'm pretty sure that explains it. Everything seems fine now.

04-20-2007, 09:20 PM	#34
Timmmy Registered User Join Date: Dec 2004 Posts: 50	Does 2007-4 address this Safari exploit?

04-21-2007, 01:24 PM	#37
Kickaha Really Fast Typing Member Join Date: Nov 2001 Location: Ossining, NY Posts: 8,575	While not quite a non-event, (nasty hole in Safari there), the fact that it required a user to visit a malicious website puts this in an entirely different class of exploit than, say, plugging a pre-SP2 XP box into the LAN and having it compromised in less than 15 minutes just sitting there. (cf, my landlord's PC) Can't wait for the ill-informed smugness on the intarwebs to start though. Where's Thurrot? Still, this is bad enough hole that it need plugging ASAP. My brain is hung like a HORSE!

04-21-2007, 07:35 PM	#40
1337_5L4Xx0R Registered User Join Date: Dec 2002 Location: the misty climes of the west coast Posts: 1,328	the fact that an exploited mac at a security conference (resulting in free macbooks and $$$) is gaining notoriety tells you something. That something is that it is not easy to do. stimuli.ca \| freshtunes.ca

Currently Active Users Viewing This Thread: 1 (0 members and 1 guests)

Thread Tools
Show Printable Version Email this Page
Display Modes
Linear Mode Switch to Hybrid Mode Switch to Threaded Mode