Apple patch tackles two dozen Mac OS vulnerabilities
Apple Inc. on Thursday plugged over two dozen security exploits within the client and server versions of its Mac OS X 10.3 "Panther" and Mac OS X 10.4 "Tiger" operating systems that could potentially expose Mac users to a variety of malicious attacks.
For Mac OS X 10.4.9
A version of the software update for systems running Mac OS X 10.4.9 -- labeled Security Update 2007-004 -- does away with vulnerabilities affecting AFP Client, AirPort, CarbonCore, diskdev_cmds, fetchmail, ftpd, gnutar, Help Viewer, HID Family, Installer, Kerberos, Libinfo, Login Window, network_cmds, SMB, System Configuration, URLMount, Video Conference and WebDAV.
The patch is available as a 16.1MB download for Macs running the Intel version of Mac OS X 10.4.9 client version and as a 9.3MB download for those machines running the PowerPC version of the OS.
For Mac OS X 10.3.9
Apple has also made a version of the security update available for systems running the most recent point release of its previous-generation Mac OS X 10.3 "Panther" software. That release dismantles exploits in AFP Client, AirPort, diskdev_cmds, fetchmail, ftpd, Help Viewer, Kerberos, Libinfo, Login Window, network_cmds, SMB, System Configuration, URLMount, Video Conference, WebDAV and WebFoundation.
Users of 10.3.9 can download a 37.6MB updater for the client version of the software or a 54.1MB updater for its server counterpart.
The culprits
For the most part, the vulnerabilities addressed by the Mac maker's latest security update could translate into denial of service attack, unexpected application termination, or arbitrary code execution. However, Apple made note of several more critical issues that could allow malicious users to gain elevated system privileges through AFP Client, Airport, CarbonCore, Kerberos, WebDav and the Mac OS X Login Window.
The Cupertino-based company also addressed two other significant shortcomings of the Login Window. The first, resulting from insufficient checks of environmental variables, could allow local user to obtain system privileges and execute arbitrary code. The other, meanwhile, would at times allow the screen saver authentication dialog to be bypassed without entering a password even when a user had set his or her preference to "require a password to wake the computer from sleep."
For Mac OS X 10.4.9
A version of the software update for systems running Mac OS X 10.4.9 -- labeled Security Update 2007-004 -- does away with vulnerabilities affecting AFP Client, AirPort, CarbonCore, diskdev_cmds, fetchmail, ftpd, gnutar, Help Viewer, HID Family, Installer, Kerberos, Libinfo, Login Window, network_cmds, SMB, System Configuration, URLMount, Video Conference and WebDAV.
The patch is available as a 16.1MB download for Macs running the Intel version of Mac OS X 10.4.9 client version and as a 9.3MB download for those machines running the PowerPC version of the OS.
For Mac OS X 10.3.9
Apple has also made a version of the security update available for systems running the most recent point release of its previous-generation Mac OS X 10.3 "Panther" software. That release dismantles exploits in AFP Client, AirPort, diskdev_cmds, fetchmail, ftpd, Help Viewer, Kerberos, Libinfo, Login Window, network_cmds, SMB, System Configuration, URLMount, Video Conference, WebDAV and WebFoundation.
Users of 10.3.9 can download a 37.6MB updater for the client version of the software or a 54.1MB updater for its server counterpart.
The culprits
For the most part, the vulnerabilities addressed by the Mac maker's latest security update could translate into denial of service attack, unexpected application termination, or arbitrary code execution. However, Apple made note of several more critical issues that could allow malicious users to gain elevated system privileges through AFP Client, Airport, CarbonCore, Kerberos, WebDav and the Mac OS X Login Window.
The Cupertino-based company also addressed two other significant shortcomings of the Login Window. The first, resulting from insufficient checks of environmental variables, could allow local user to obtain system privileges and execute arbitrary code. The other, meanwhile, would at times allow the screen saver authentication dialog to be bypassed without entering a password even when a user had set his or her preference to "require a password to wake the computer from sleep."
Comments
Excellent work Apple. Down loaded in seconds. Not like the daily XP updates!
Not daily actually, more like monthly (which is worse because malware comes out daily).
Not daily actually, more like monthly (which is worse because malware comes out daily).
Umm... I'm kind of confused. You're not being sarcastic are you?
Umm... I'm kind of confused. You're not being sarcastic are you?
Not at all sarcastic. I haven't heard of any malware released on OSX. Yet, even with 3-levels of defense we still have malware trickling in on our work's Windows XP computers. It is usually keyloggers that get in.
Does anyone know of any for OSX? Trojans, keyloggers, rootkits, adware, or etc?
Not at all sarcastic. I haven't heard of any malware released on OSX. Yet, even with 3-levels of defense we still have malware trickling in on our work's Windows XP computers. It is usually keyloggers that get in.
Does anyone know of any for OSX? Trojans, keyloggers, rootkits, adware, or etc?
The occasional proof of concept comes out, but I don't remember one "in the wild" for quite some time, if ever. If the hackers are as ego-driven as I think they are, I'd be surprised if there aren't any that aren't trying their darndest to make them.
I think one problem is that there's more money per unit effort in attacking Windows. Let's say it takes half the work, but there are 20x as many attackable machines, that's a 40:1 difference. If you are trying to make money doing nefarious deeds, then you are better off attacking Windows computers. Recognition from the hacker community might only give you 15 minutes of fame.
It's also true that MacOS X, because of its default of fewer servers and non-administrator rights, tends to be more secure despite the vulnerabilities. But as soon as you start getting the big businesses using Macintoshes and there's money to be made, there will be malware.
I work for a ~10,000 person company, and we've gone from 0 to 10-20 Macs over the last couple years. It's a start, and a lot of people are determined to get them the next hardware upgrade cycle (which around here is every 2.5 years or so). I fear the day the Mac becomes a target for malware because of its popularity in companies like mine.
I would attribute the security of the Mac firstly to it's good security principles, and secondly to it's lack of money to be made from.
Having gone through University on a Unix system I can state that getting a virus onto a *nix based system is a LOT harder than it is for a Windows based system. In its original iterations Unix was designed to be a multiuser collabaritive environment and as such had a very sophisticated user control system, however there were some gigantic security holes present in the form of open ports (one of the larger ones was exploitable through SendMail). The later releases of *nix based systems started to close those ports that were normally open by default which improved the level of security. Most of the 'security vulnerabilities' involve direct access to the hardware (in other words you must be physically at the computer) in order to be able to 'break'/'hack' the computer. Closing the open ports has all but eliminated the risk of an outside remote attack from occurring. The risk of importing and activating (without your knowledge and express permission) a virus, is virtually nil as a virus must have been given permission by yourself to run and then on top of that a virus would also have to have gained the root password in order to do any system damage.
While going through University I met a number of extremely talented individuals who had written Trojans and various other annoyances. In every case in order to 'infect' somebody elses account they needed direct access to a terminal in order to install a Trojan. Some of the brainier types wrote fairly sophisticated fake front ends that would mimic the login process and thus they would be able to gain a persons user name and password and then they could access that individuals account and cause damage. Without direct access these hackers were completely harmless.
Sopranino
None here - had a funky double-boot, but after that, all was good.
The double-boot seems to be universal. Occasionally an update will require that--and/or an unusually slow reboot the first time.
(Yeah, I verbose boot after updates just to see what all it is doing...)
It is good to see Apple getting out security updates within a decent timeframe (considering all of the other issues that they are dealing with.......you know, Leopard<-->iPhone.....)
*snip*
Sopranino
Any company worth it's salt has a different product development and security department. This is not good news, this is expected performance. It would be shocking if it came out that Apple had drawn engineers away from the security group to work on products. We would all love to see leopard, but for Apple to gain any inroads in the market it is absolutely essential to be _and stay_ the safest commercial OS out there.
That said, the recent delays point out a shortage of qualified key engineers, so Apple had better start hiring actively and buff up its labour pool. It's been said that Apple is quite slow with security updates already compared to Microsoft and competing Linux vendors.
Any attempt to show the dock or change the preferences has no effect.
Also, the 'About this Mac' option from the Apple menu no longer displays.
Anyone have any ideas?
Any company worth it's salt has a different product development and security department. This is not good news, this is expected performance. It would be shocking if it came out that Apple had drawn engineers away from the security group to work on products. We would all love to see leopard, but for Apple to gain any inroads in the market it is absolutely essential to be _and stay_ the safest commercial OS out there.
That said, the recent delays point out a shortage of qualified key engineers, so Apple had better start hiring actively and buff up its labour pool. It's been said that Apple is quite slow with security updates already compared to Microsoft and competing Linux vendors.
Very valid statement regarding the shortage of qualified key engineers. There is a recent article (on Mac Rumors I think) that indicates that 50 of Apples software engineers have been flown out to the Asian plant that is putting the iPhone together.
Sopranino
The occasional proof of concept comes out, but I don't remember one "in the wild" for quite some time, if ever. If the hackers are as ego-driven as I think they are, I'd be surprised if there aren't any that aren't trying their darndest to make them.
I think one problem is that there's more money per unit effort in attacking Windows. Let's say it takes half the work, but there are 20x as many attackable machines, that's a 40:1 difference. If you are trying to make money doing nefarious deeds, then you are better off attacking Windows computers. Recognition from the hacker community might only give you 15 minutes of fame.
Ya think a brand new MacBook Pro and TEN THOUSAND DOLLARS would interest a hacker? There is a contest going on at ConSecWest conference for any hacker who can break into either of 2 Macs to win that prize. That sure is motivation if you ask me. And, when the conference is over, the sponsors will be taking their Macs back home and keeping their 10 grand. Count on it.
Here's the link:
http://news.com.com/8301-10784_3-9710845-7.html
I agree. For all the blustering of the security researchers, the TV commercials that tout OS X security, the "outrage" of the various Apple bashing websites you'd think SOMEBODY would develop a real nasty varmint just to take the platform down a notch. At this point in time the "not enough market share to matter" argument doesn't hold water anymore. There's something about OS X that makes it real hard to attack successfully.