Security Update 2004-09-30 delivers a number of security enhancements and is recommended for all Macintosh users. This update includes the following components: AFP Server, CUPS, NetInfoManager, postfix and QuickTime.
Reading the comments within the link, it certainly sounds like some of the early installers of this “enhancement” are having problems with system stability. Sounds very similar to another recent “update”.
Odd how they use the term “enhancements” when it comes to security patching in OS X.
The media is just in over their head on this stuff.
It certainly sounds like some of the early installers of this “enhancement” are having problems with system stability.
Thanks for pointing that out; I’d have missed it. I always wait a couple of days before updating for just this reason; I remember one or two years ago Apple actually withdrew one of their upgrades for a few days to fix something.
I really like how Apple releases security updates on a frequent basis on discovery rather than waiting for masses of people to be affected by problems before doing anything. Poor security practices? I’ve been very happy with running a Mac so far and have yet to experience any compromises in security. Much less can be said for my Windows 2003 Server box which I had to re-install yesterday as a virus managed to slip past my antivirus program. I have yet to deal with any viral problems in OS X and I really like Filevault and the added benefits of encryption at work on my home folder.
If you read the release notes you’ll find that this patch corrects a QuickTime buffer overflow vulnerability that allows malformed .bmp files to execute arbitrary code on your machine. I don’t know if Safari uses QT to render images, but feeding an evil image to any program that does could spell disaster.
Odd how they use the term “enhancements” when it comes to security patching in OS X.
I’d consider fixing several buffer overflows to be a patch. But adding a Stackguard to proactively thwart overflows would be an enhancement. Thus something like XP SP2 is legitimately a security enhancement (for several reasons). I agree the term is being overused for marketing reasons.
Odd how they use the term “enhancements” when it comes to security patching in OS X. The media is just in over their head on this stuff.
Arguing semantics is the least productive exercise in the history of mankind.
Well, some of the patches like libpng apply to most unices and winbloz too; the only reason why osX gets media bashing is ‘cos they’re not M$ (everyone knows M$ products are broken so there’s no more fun in bashing them) and everyone knows Linux is secure *cough* so we’re left with osX to bash. I mean it’s so user-friendly, how can it be secure! :-p
All in all I think Apple is doing well; it keeps the updates coming (along with some enhancements, but hey I don’t mind being Apple’s lab rat, I’m a lab rat for many OSS projects including Linux and FreeBSD). The updates are decent quality and they have some nice looking stuff in the works which other desktops and OSes are being inspired by. So good work Apple, and keep the good work up. Just keep the lawsuits a bit down, would you?
It certainly sounds like some of the early installers of this “enhancement” are having problems with system stability.
Thanks for pointing that out; I’d have missed it. I always wait a couple of days before updating for just this reason; I remember one or two years ago Apple actually withdrew one of their upgrades for a few days to fix something.
I’ve had no issues thus far…
I’ve installed it on my 12″ Powerbook and no problems yet. I’ll find out what it does on my G5 tower tomorrow.
Haven’t had any problems so far.
I confirmed this with 3 other folks but it was actually the previous security patch that broke Sherlock.
Good to see that UNIX heritage shining through in Mac OS X.
Every time an “Apple Security Fix” shows up on MacNews, I think “Apple is really keeping on top of security! Good for them!” and I gleefully run and install it. But that’s because I don’t feel MacOS X is an unsafe and inherently insecure OS to begin with.
I can browse the Internet, happily knowing my browsing experience is unlikely to result in virii, worms, trojan horses, or other mal-ware crashing down upon me. Pop-ups? What’re those? Spyware? Never heard of it.
I will gladly sit in the throne of the marketshare minority, so long as I know that doing so keeps me safer, and therefore, more content as a computer user, in the long run.
I may never have Half-Life 2 (though I *think* DOOM3 is coming!) or every slew of games, utilities, benchmarks, and other assorted apps available for Windows 9x/XP, but…
I also know I don’t have to run an anti-virus program and Spybot killer program every night because I casually browsed the Internet with impunity, unlike my wife, who is quite familiar with that “sacred ritual” on her Dell laptop.
And she *admitted* my 466MHz Digital Audio with 512Mb of RAM, running MacOS X 10.3.5 felt as fast as her 1.7GHz P4 with 768Mb of RAM, running Windows XP, at the GUI level! Now, THAT’S gotta hurt!
“You can love MacOS X because it’s better than Windows
You can hate MacOS X because it’s better than Windows
But MacOS X is still better than Windows.”
Latre!
Luposian
Of course the MS drones will always say something negative. After all, misery loves company!
The update works fine for me. And this is just another reason to love Apple. They don’t generally wait around for their customers to find the flaws in their OS, they actively seek them out, and repair them ASAP.
//Much less can be said for my Windows 2003 Server box which I had to re-install yesterday as a virus managed to slip past my antivirus program.//
Well, that proves …. that you’ve got a suck-a$$ antivirus program, or that you don’t know to have it automatically update itself.
We have 180+ Windows 2000/2003/XP systems. Virii *do* come in every day. They also get caught. All of them. Every day.
Plus, what does that have to do with the article?
“Well, that proves …. that you’ve got a suck-a$$ antivirus program, or that you don’t know to have it automatically update itself.
We have 180+ Windows 2000/2003/XP systems. Virii *do* come in every day. They also get caught. All of them. Every day.”
But isn’t it ironic that you can install a 75 mb SP2, and still need anti virus software? Oh, but at least SP2 is nice enough to remind you need anti virus software, since it apparently doesn’t do much else.
Arguing semantics is the least productive exercise in the history of mankind.
Visiting OSNews is far less productive IMO! ;^)
“We have 180+ Windows 2000/2003/XP systems. Virii *do* come in every day. They also get caught. All of them. Every day.”
IF in actuality “all of them. Every day” have been stopped, you’re running on borrowed time. And if you really do have a good understanding of how viruses are created and how they propagate, you might realize that is an inaccurate comment.
Also, I’m sure you’re aware of this basic flaw (feature) in Windows OS. But just as a refresher, this is an excerpt from a security listing about the latest tactic for using a long existing Windows OS vulnerability. This has been around since NT4 and the behemoth of a software monopoly still hasn’t fixed it, even after issuing SP2. (Because it’s a feature!!)
A nasty variation of an ad-ware product called CoolWebSearch, can take advantage of a specific registry key in machines that run either NT4, W2K, XP:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_Dlls
Any dll file that is listed in this registry key is loaded by each Windows-based application running within the current logon session. In other words, any ad-ware found here runs concurrently with ANY program that is launched. It is truly astonishing that such a registry location exists.
This particular variation of ad-ware involves two components: a shield-DLL and a BHO (Browser Helper Object).
The shield-DLL installs itself to the already mentioned registry value and performs the following tasks:
1. It prevents almost all registry editors from displaying it as an AppInit_Dlls value. This list includes, but is not limited to: Regedit.exe, Regedt32.exe, Reg.exe, Autoruns, HijackThis. The only program known to display it, for unknown reasons, is the freeware Registrar Lite 2.0, available at http://www.resplendence.com/reglite/
2. It prevents all GUI and command line tools from listing it or deleting it. This list includes, but is not limited to: Windows Explorer, DIR, ATTRIB, CACLS, and DEL.
3. The .DLL file has eccentric security permissions (SYNCHRONIZE and FILE_EXECUTE) and is READ-ONLY. Once the shield-DLL is removed from memory, an Admin must reset security to delete the file.
4. It has a unique name on every system it infects.
5. It ensures that a BHO starts up with IE at every boot.
6. If the BHO is deleted, it restores the BHO under a new name at the next boot.
The BHO DLL component installs itself as a subkey of the following key:
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
The BHO is responsible for ad-ware symptoms including change of home page, profusion of popups, etc, etc. The BHO registry key and the file are not protected and can be deleted. But the BHO will simply be reloaded under a new name at the next boot.
AppInit_Dlls is a gaping security hole. Unfettered access to this value should be removed by Microsoft from NT4/W2K/WXP. But again, from their perspective, this is a FEATURE!! What does that tell you about their programming prowess and the relative stability of their OS?
Besides, who’s got time to keep cleaning up after this type of junk! I guess for a Windows IT guy it can be considered job security.
Thank goodness I run Mac and Linux on my home network.
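An added example, not part of the comment above or of any vendor tool: because the post says this variant hides its AppInit_Dlls value from live registry editors, the sketch assumes a .reg text export taken from an offline copy of the SOFTWARE hive and reports what the two keys named above contain. The sample export, the DLL name and the CLSID are constructed for illustration.

```python
import re

# Constructed sample: text of a .reg export taken from an offline copy of the
# SOFTWARE hive. The DLL name and the CLSID are invented for illustration.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="C:\\WINDOWS\\system32\\qxzexample.dll"
"DeviceNotSelectedTimeout"="15"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{00000000-1111-2222-3333-444444444444}]
'''

APPINIT_KEY = r"hkey_local_machine\software\microsoft\windows nt\currentversion\windows"
BHO_KEY = (r"hkey_local_machine\software\microsoft\windows\currentversion"
           r"\explorer\browser helper objects")

def parse_reg(text):
    """Return {lowercased key path: {value name: string data}} for REG_SZ values."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].lower(), {})
        elif current is not None:
            m = re.match(r'"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$', line)
            if m:
                # .reg files escape backslashes and quotes inside strings.
                name, data = (re.sub(r"\\(.)", r"\1", g) for g in m.groups())
                current[name] = data
    return keys

def audit(text):
    """List every DLL named in AppInit_DLLs and every registered BHO CLSID."""
    keys = parse_reg(text)
    values = {n.lower(): d for n, d in keys.get(APPINIT_KEY, {}).items()}
    # AppInit_DLLs holds a space- or comma-delimited list of DLL names.
    dlls = [d for d in re.split(r"[ ,]+", values.get("appinit_dlls", "")) if d]
    prefix = BHO_KEY + "\\"
    bhos = sorted(k[len(prefix):] for k in keys if k.startswith(prefix))
    return {"appinit_dlls": dlls, "bho_clsids": bhos}

if __name__ == "__main__":
    print(audit(SAMPLE_REG))
```

Any non-empty `appinit_dlls` result deserves review, since every listed DLL is loaded into the applications described above; each BHO CLSID can then be compared against the software known to be installed.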
But isn’t it ironic that you can install a 75 mb SP2, and still need anti virus software? Oh, but at least SP2 is nice enough to remind you need anti virus software, since it apparently doesn’t do much else.
You appear to have a deep misunderstanding of what viruses are and how they work if you think SP2 – or any other software for that matter – could somehow stop them categorically.
Any dll file that is listed in this registry key is loaded by each Windows-based application running within the current logon session. In other words, any ad-ware found here runs concurrently with ANY program that is launched. It is truly astonishing that such a registry location exists.
This article explains one reason why “such a registry location exists”:
http://msdn.microsoft.com/msdnmag/issues/1000/VTrace/default.aspx
AppInit_Dlls is a gaping security hole. Unfettered access to this value should be removed by Microsoft from NT4/W2K/WXP.
Kind of hard to remove something that doesn’t exist – there isn’t “unfettered access” to this registry key:
http://support.microsoft.com/default.aspx?scid=kb;en-us;197571
“Normally, only the Administrators group and the LocalSystem account have write access to the key containing the AppInit_DLLs value.”
This is no more a “fundamental flaw” or “vulnerability” than a privileged user being able to replace any system library under any operating system.
—“This article explains one reason why “such a registry location exists”:—
The article merely confirms that this registry value does in fact exist. Does the reason that Microsoft provides make it right to have such a vulnerability in place?
—” Kind of hard to remove something that doesn’t exist – there isn’t “unfettered access” to this registry key:—
How can you say it doesn’t exist if the previous link just confirmed it? More to the point, if a spam or spyware application can gain access to this key from the simple act of a user merely accessing web sites, I’d say that validates the fact that it does exist and IS in fact accessible.
If you’re going to respond by saying the machine needs to be locked down with restricted user rights, try doing so in a Microsoft environment when there is a plethora of applications that fail to run properly when the system is locked down to the levels required to make a poorly designed OS safe from these types of vulnerabilities.
The article merely confirms that this registry value does in fact exist. Does the reason that Microsoft provides make it right to have such a vulnerability in place?
The article outlines how that registry key is used to load a DLL to intercept and monitor system calls. In other words, it provides a practical example of useful functionality to justify the purpose of that registry key.
Here’s another one that explains legitimate usage:
http://www.internals.com/articles/apispy/apispy.htm
Does the reason that Microsoft provides make it right to have such a vulnerability in place?
It’s no more a “vulnerability” than root being able to replace system libraries on a unix box is.
How can you say it doesn’t exist if the previous link just confirmed it?
Your claim is “unfettered access” to that registry key existed. Your claim is wrong – such access does not exist.
More to the point, if a spam or spyware application can gain access to this key from the simple act of a user merely accessing web sites, I’d say that validates the fact that it does exist and IS in fact accessible.
It’s only accessible like that if the user a) is running as a highly privileged user and b) has their web browser exploited. I challenge you to find *any* mainstream OS that isn’t “vulnerable” to the same sort of exploit in the same circumstances.
If you’re going to respond by saying the machine needs to be locked down with restricted user rights, try doing so in a Microsoft environment when there is a plethora of applications that fail to run properly when the system is locked down to the levels required to make a poorly designed OS safe from these types of vulnerabilities.
Firstly, it is not Microsoft’s fault if developers write their applications in such a way as to needlessly require Administrative rights. There is nothing they can do to prevent it, there is nothing they can do to fix it.
Secondly, an OS that “requires” users to be “locked down” so they don’t cause damage is not “poorly designed”, it’s “completely normal”. Let fifty people logon to a unix box as root all the time and see how long it lasts.
Thirdly, for people who are constrained by requiring poorly written applications that don’t work with the default restricted users, this does *not* necessarily require giving full Administrative access to machines. It may be as simple as granting write permissions to a single file or registry key.
Fourthly, if it transpires that an application will only run in a full Administrator-user context, that does not mean you allow the user to run as an Administrator all the time. It means you use the “Run As” facility to run only the necessary applications as a user in the Administrators group (and *not* the Administrator user itself).
Fundamentally, it’s the *software developer’s* fault. However, even if you are unlucky enough to require some software that only runs as an Administrator, it’s a long way from there to the foolish conclusion of running users as Administrators *all the time*.
As usual, I am frustrated – albeit unsurprised – by the hypocrisy of people who refuse to practice basic secure computing methodologies and then blame their problems on Microsoft. If you want to walk around with a loaded gun in your pocket and the safety off, that’s your choice – but blaming the gun manufacturer because someone jostles you in a crowd and you blow your dick off is a bit rich.
Also, FYI I *do* work in an environment where we have quite a few applications that require Administrative access – even one on (*shudder*) a Terminal Server. One of the first things I did when I was hired was crack down on users running as Administrator. So, believe me, I *know* it can be a pain getting shitty apps to work properly – particularly homegrown apps – but it *is* possible in nearly all cases without giving users full time, full blown Administrative access.