Apple patch tackles two dozen Mac OS vulnerabilities

Posted:
in macOS edited January 2014
Apple Inc. on Thursday patched more than two dozen security vulnerabilities in the client and server versions of its Mac OS X 10.3 "Panther" and Mac OS X 10.4 "Tiger" operating systems that could expose Mac users to a variety of malicious attacks.



For Mac OS X 10.4.9



A version of the software update for systems running Mac OS X 10.4.9 -- labeled Security Update 2007-004 -- does away with vulnerabilities affecting AFP Client, AirPort, CarbonCore, diskdev_cmds, fetchmail, ftpd, gnutar, Help Viewer, HID Family, Installer, Kerberos, Libinfo, Login Window, network_cmds, SMB, System Configuration, URLMount, Video Conference and WebDAV.



The patch is available as a 16.1MB download for Macs running the Intel client version of Mac OS X 10.4.9 and as a 9.3MB download for machines running the PowerPC version of the OS.



For Mac OS X 10.3.9



Apple has also made a version of the security update available for systems running the most recent point release of its previous-generation Mac OS X 10.3 "Panther" software. That release fixes vulnerabilities in AFP Client, AirPort, diskdev_cmds, fetchmail, ftpd, Help Viewer, Kerberos, Libinfo, Login Window, network_cmds, SMB, System Configuration, URLMount, Video Conference, WebDAV and WebFoundation.



Users of 10.3.9 can download a 37.6MB updater for the client version of the software or a 54.1MB updater for its server counterpart.



The culprits



For the most part, the vulnerabilities addressed by the Mac maker's latest security update could lead to denial-of-service attacks, unexpected application termination, or arbitrary code execution. However, Apple made note of several more critical issues that could allow malicious users to gain elevated system privileges through AFP Client, AirPort, CarbonCore, Kerberos, WebDAV and the Mac OS X Login Window.



The Cupertino-based company also addressed two other significant shortcomings of the Login Window. The first, resulting from insufficient checks of environment variables, could allow a local user to obtain system privileges and execute arbitrary code. The other would at times allow the screen saver authentication dialog to be bypassed without entering a password, even when a user had set his or her preference to "require a password to wake the computer from sleep."

Comments

  • Reply 1 of 42
    MacPro Posts: 19,697 member
    Excellent work Apple. Downloaded in seconds. Not like the daily XP updates!
  • Reply 2 of 42
    Quote:
    Originally Posted by digitalclips View Post


    Excellent work Apple. Downloaded in seconds. Not like the daily XP updates!



    Not daily actually, more like monthly (which is worse because malware comes out daily).
  • Reply 3 of 42
    mactel Posts: 1,275 member
    Quote:
    Originally Posted by pazimzadeh View Post


    Not daily actually, more like monthly (which is worse because malware comes out daily).



    It is just amazing that no malware has been released in the wild for Apple systems. Well, at least that we know of.
  • Reply 4 of 42
    Quote:
    Originally Posted by MacTel View Post


    It is just amazing that no malware has been released in the wild for Apple systems. Well, at least that we know of.



    Umm... I'm kind of confused. You're not being sarcastic are you?
  • Reply 5 of 42
    mactel Posts: 1,275 member
    Quote:
    Originally Posted by pazimzadeh View Post


    Umm... I'm kind of confused. You're not being sarcastic are you?



    Not at all sarcastic. I haven't heard of any malware released on OSX. Yet, even with 3-levels of defense we still have malware trickling in on our work's Windows XP computers. It is usually keyloggers that get in.



    Does anyone know of any for OSX? Trojans, keyloggers, rootkits, adware, or etc?
  • Reply 6 of 42
    jeffdm Posts: 12,951 member
    Quote:
    Originally Posted by MacTel View Post


    Not at all sarcastic. I haven't heard of any malware released on OSX. Yet, even with 3-levels of defense we still have malware trickling in on our work's Windows XP computers. It is usually keyloggers that get in.



    Does anyone know of any for OSX? Trojans, keyloggers, rootkits, adware, or etc?



    The occasional proof of concept comes out, but I don't remember one "in the wild" for quite some time, if ever. If the hackers are as ego-driven as I think they are, I'd be surprised if there aren't any that aren't trying their darndest to make them.



    I think one problem is that there's more money per unit effort in attacking Windows. Let's say it takes half the work, but there are 20x as many attackable machines, that's a 40:1 difference. If you are trying to make money doing nefarious deeds, then you are better off attacking Windows computers. Recognition from the hacker community might only give you 15 minutes of fame.
  • Reply 7 of 42
    booga Posts: 1,082 member
    A lot of the malware for Windows is no longer ego-driven. It's a business. Spam distribution, adware click-generation, corporate spying, and other things actually generate revenue. Right now, even the strictest financial penalties one can practically expect to receive pale in comparison to the money some of these asshats make. You just can't make the same money writing malware for MacOS X.



    It's also true that MacOS X, because of its default of fewer servers and non-administrator rights, tends to be more secure despite the vulnerabilities. But as soon as you start getting the big businesses using Macintoshes and there's money to be made, there will be malware.



    I work for a ~10,000 person company, and we've gone from 0 to 10-20 Macs over the last couple years. It's a start, and a lot of people are determined to get them the next hardware upgrade cycle (which around here is every 2.5 years or so). I fear the day the Mac becomes a target for malware because of its popularity in companies like mine.
  • Reply 8 of 42
    Yes, Apple will probably get more attention from Hackers... But there are plenty out there that would LOVE to hack Apple for the fame... Come on, that would get some serious recognition. Not many people can say they owned NASA.



    I would attribute the security of the Mac firstly to its good security principles, and secondly to its lack of money to be made from.
  • Reply 9 of 42
    It is good to see Apple getting out security updates within a decent timeframe (considering all of the other issues that they are dealing with.......you know, Leopard<-->iPhone.....)



    Having gone through University on a Unix system I can state that getting a virus onto a *nix based system is a LOT harder than it is for a Windows based system. In its original iterations Unix was designed to be a multiuser collaborative environment and as such had a very sophisticated user control system, however there were some gigantic security holes present in the form of open ports (one of the larger ones was exploitable through SendMail). The later releases of *nix based systems started to close those ports that were normally open by default which improved the level of security. Most of the 'security vulnerabilities' involve direct access to the hardware (in other words you must be physically at the computer) in order to be able to 'break'/'hack' the computer. Closing the open ports has all but eliminated the risk of an outside remote attack from occurring. The risk of importing and activating (without your knowledge and express permission) a virus, is virtually nil as a virus must have been given permission by yourself to run and then on top of that a virus would also have to have gained the root password in order to do any system damage.



    While going through University I met a number of extremely talented individuals who had written Trojans and various other annoyances. In every case in order to 'infect' somebody else's account they needed direct access to a terminal in order to install a Trojan. Some of the brainier types wrote fairly sophisticated fake front ends that would mimic the login process and thus they would be able to gain a person's user name and password and then they could access that individual's account and cause damage. Without direct access these hackers were completely harmless.



    Sopranino
  • Reply 10 of 42
    gdog Posts: 224 member
    any issues with update?
  • Reply 11 of 42
    kickaha Posts: 8,760 member
    None here - had a funky double-boot, but after that, all was good.
  • Reply 12 of 42
    nagromme Posts: 2,834 member
    Quote:
    Originally Posted by Kickaha View Post


    None here - had a funky double-boot, but after that, all was good.



    The double-boot seems to be universal. Occasionally an update will require that--and/or an unusually slow reboot the first time.
  • Reply 13 of 42
    kickaha Posts: 8,760 member
    While true, this is the first time I've seen it get caught in a loop waiting for the diskarb to come up... took a couple of *minutes*. Ah well, looks okay now.



    (Yeah, I verbose boot after updates just to see what all it is doing...)
  • Reply 14 of 42
    Quote:
    Originally Posted by Sopranino View Post


    It is good to see Apple getting out security updates within a decent timeframe (considering all of the other issues that they are dealing with.......you know, Leopard<-->iPhone.....)



    *snip*



    Sopranino



    Any company worth its salt has a different product development and security department. This is not good news, this is expected performance. It would be shocking if it came out that Apple had drawn engineers away from the security group to work on products. We would all love to see leopard, but for Apple to gain any inroads in the market it is absolutely essential to be _and stay_ the safest commercial OS out there.

    That said, the recent delays point out a shortage of qualified key engineers, so Apple had better start hiring actively and buff up its labour pool. It's been said that Apple is quite slow with security updates already compared to Microsoft and competing Linux vendors.
  • Reply 15 of 42
    grebo Posts: 20 member
    Since installing the update, and rebooting (twice - to see if it made any difference) -- my Dock has disappeared.



    Any attempt to show the dock or change the preferences has no effect.



    Also, the 'About this Mac' option from the Apple menu no longer displays.



    Anyone have any ideas?



  • Reply 16 of 42
    No problems with update here. Installed and everything running smooth.
  • Reply 17 of 42
    Quote:
    Originally Posted by HiddenWolf View Post


    Any company worth its salt has a different product development and security department. This is not good news, this is expected performance. It would be shocking if it came out that Apple had drawn engineers away from the security group to work on products. We would all love to see leopard, but for Apple to gain any inroads in the market it is absolutely essential to be _and stay_ the safest commercial OS out there.

    That said, the recent delays point out a shortage of qualified key engineers, so Apple had better start hiring actively and buff up its labour pool. It's been said that Apple is quite slow with security updates already compared to Microsoft and competing Linux vendors.



    Very valid statement regarding the shortage of qualified key engineers. There is a recent article (on Mac Rumors I think) that indicates that 50 of Apple's software engineers have been flown out to the Asian plant that is putting the iPhone together.



    Sopranino
  • Reply 18 of 42
    wings Posts: 261 member
    Quote:
    Originally Posted by JeffDM View Post


    The occasional proof of concept comes out, but I don't remember one "in the wild" for quite some time, if ever. If the hackers are as ego-driven as I think they are, I'd be surprised if there aren't any that aren't trying their darndest to make them.



    I think one problem is that there's more money per unit effort in attacking Windows. Let's say it takes half the work, but there are 20x as many attackable machines, that's a 40:1 difference. If you are trying to make money doing nefarious deeds, then you are better off attacking Windows computers. Recognition from the hacker community might only give you 15 minutes of fame.



    Ya think a brand new MacBook Pro and TEN THOUSAND DOLLARS would interest a hacker? There is a contest going on at CanSecWest conference for any hacker who can break into either of 2 Macs to win that prize. That sure is motivation if you ask me. And, when the conference is over, the sponsors will be taking their Macs back home and keeping their 10 grand. Count on it.



    Here's the link:

    http://news.com.com/8301-10784_3-9710845-7.html
  • Reply 19 of 42
    gazonk Posts: 7 member
    Mine double-booted too, but the screen stayed white (no apple logo appearing) after the second reboot - so I used the power button after several minutes of white screen. HOWEVER, I had forgotten to disconnect my iPod nano, I'm pretty sure that explains it. Everything seems fine now.
  • Reply 20 of 42
    lkrupp Posts: 10,557 member
    Quote:
    Originally Posted by MacTel View Post


    It is just amazing that no malware has been released in the wild for Apple systems. Well, at least that we know of.



    I agree. For all the blustering of the security researchers, the TV commercials that tout OS X security, the "outrage" of the various Apple bashing websites you'd think SOMEBODY would develop a real nasty varmint just to take the platform down a notch. At this point in time the "not enough market share to matter" argument doesn't hold water anymore. There's something about OS X that makes it real hard to attack successfully.