
Apple Posts Security Update 2005-002

pudge posted more than 9 years ago | from the i-am-scared dept.

Security 84

thelemmings writes "Today, Apple released Security Update 2005-002 for Mac OS X. It fixes a bug in the Java 1.4.2 implementation where an untrusted applet could gain elevated privileges and potentially execute arbitrary code. Sounds scary."


Safari Popup Fix (4, Informative)

nuxx (10153) | more than 9 years ago | (#11752943)

Also, it appears to contain a tweak to the Safari popup blocker, as it now seems to be blocking the new popunders that everyone has been clamoring about.

This seems like a really good thing to me...

Re:Safari Popup Fix (1, Funny)

Fo0eY (546716) | more than 9 years ago | (#11752954)

shhh, you'll wake up the ad guys =\

Yes, but... (0, Funny)

Anonymous Coward | more than 9 years ago | (#11752958)

What does Roland Piquepaille think about this?

Re:Safari Popup Fix (-1, Troll)

Defender of Property (861908) | more than 9 years ago | (#11753008)

In other words, it allows you to more effectively steal information and services from those who are kind enough to provide them for free, in exchange asking only for the opportunity to show you an easily ignored advertisement. Spoiled scum like you, with your obnoxiously oversized sense of entitlement, ought to be exiled to the desert, if you ask me. There you can establish your commune or whatever it is you hippies like to do, while we in civilized society will do our best to forget you.

I cannot imagine a more selfish attitude towards the world than that which the teabagging cocksmokers of Slashdot bring to light.

Re:Safari Popup Fix (4, Insightful)

caerwyn (38056) | more than 9 years ago | (#11753040)

Oooh, a troll! Well, maybe I'll feed it anyway.

Advertisers pay a certain fee to a website. That fee is either flat, or based on a count of click-throughs. If the fee is flat, then my blocking of the popup has no bearing on the website as a whole. If the fee is non-flat, and a large percentage of the website's visiting population objects to popups and uses software (browser or add-on) that blocks such, then the website will suffer and perhaps look for other adversting sources. Either way, I really have no bearing or guilt on the situation. I use the technology at hand to view the content I want. I signed no contract saying I must view pop-up ads- therefore, I don't at all feel bound to do so.

Websites will adapt to the changing pop-up blocking technology, or fail as a result. Either way, it is not my responsibility, as I don't manage the website.

Re:Safari Popup Fix (1)

gumbi west (610122) | more than 9 years ago | (#11753068)

I think the knock-down argument against your troll is that, just like on TV or the radio, if people flip away during the ads then it isn't the people's fault. The ads and the service providers just have to try to live on what does get through.

Re:Safari Popup Fix (4, Insightful)

jcenters (570494) | more than 9 years ago | (#11753391)

I think the key issue here is that pop-ups (unders, overs, etc.) are just plain annoying.

This might be one of the reasons Google is so worshipped on here: They introduced a form of web advertising (Adsense) that is clean, simple, low-bandwidth, relevant, and most of all NOT ANNOYING.

The solution for advertisers is simple: If you want your ads to be seen, don't make the user WANT to block your ads.

Sure, pop-ups and spam might make a good deal of money, but I think it would be better for everyone if advertisers instead tried implementing solutions that don't put them at odds with the customers.

More people will click and buy the products, and the web will be an overall better place.

Re:Safari Popup Fix (5, Insightful)

Storlek (860226) | more than 9 years ago | (#11753551)

Excellent point; you hit the nail on the head.

Online advertisers are focusing too much on the short-term: get people to see the ad. Banners worked for a while, then everyone started ignoring them, so they went for more annoyingly sized and placed ads, popups, popunders, etc., which caught people's attention for a while. Then ad blockers came along, and suddenly online advertising came to a screeching halt as they tried to figure out how to get around them. Now they have, and look how quickly people are asking how to block the new popups.

Most banner ads are completely useless, and I'm not missing anything by blocking. I don't need faster downloads and more local access numbers, and I don't care that I could win a free iPod by guessing which disembodied head is Britney Spears. Maybe if I had been looking at the homepage of some well-known overpriced dialup ISP, I would have greater than zero chance of caring that some other ISP is cheaper and faster; if I were reading a website about Britney Spears, I might want to get that iPod. Okay, the last one still wouldn't apply, since I already have an iPod, and don't like Britney Spears anyway, but that's beside the point.

Other online advertisers should take a nice long look at AdSense, marvel in its simplicity and usefulness. I've seen online advertising grow up from the moderately tasteful small static banner image to the obnoxious beast that it's become and have never yet had any reason to click on a single one of them until AdSense came along and started providing relevant and interesting ads. In fact, oh-so-long ago, I didn't even know ad banners were clickable. I presume a lot of non-net-savvy people still don't realize it. This is another advantage of using text ads: people look at colored underlined text and equate it with "click this", whereas they see some out-of-place picture and mentally filter it out as irrelevant.

Re:Safari Popup Fix (1)

jbolden (176878) | more than 9 years ago | (#11754509)

I think banners still work. Do you have any evidence that new banners for products that people are otherwise interested in don't attract clicks? For example /. uses banners to support the site (evidently quite successfully).

Re:Safari Popup Fix (1)

jellomizer (103300) | more than 9 years ago | (#11755306)

Slashdot has fairly well targeted ads. Compared to other websites, that is the real key to successful online marketing. If you go to a site that discusses mostly higher end computer stuff and cool gadgets then it is a good place to advertise High End Computer Stuff and Cool Gadgets. If you are on a site that discusses Music then the ads should be music related (focused on the type of music the site is about). But most sites have these completely random Ads where what they are advertising has little to do with the site you are on. Why should I want stacking plastic plates when I am on a Music Website? I don't. It is not the popups or how flashy the ad is. It is just how relevant the information is.

Re:Safari Popup Fix (1)

jbolden (176878) | more than 9 years ago | (#11760532)

Well sure. But that's the same problem all advertising (magazine, television, radio, movie previews, etc...) has. You have to target your ads well enough so you are hitting the right demographic.

Re:Safari Popup Fix (1)

walt-sjc (145127) | more than 9 years ago | (#11756641)

Yep. What made me resort to ad blocking is all the flashing, moving, and even noise generating ads. Popup blocking started first (X10 ads), and I think the last straw was an evil Macromedia flash ad that "zoomed" over the entire page. That was it. War. Total adblocking is now enabled.

In one of my past jobs, I worked for a very high-volume web site. We had a policy that we would not accept any flashing or Java ads. Unfortunately, doubleclick would often rotate in "pool" ads that violated our terms. This required manually blocking a particular ad from our site. Total PITA.

Advertisers have only themselves to blame. Just because technology allows you to do something does not mean that it's a good idea.

Adsense on google IS much better, although I find it annoying to see stupid stuff like "find the lowest price on apache httpd.conf on nextag!" (or ebay...)

Re:Safari Popup Fix (1)

MrLint (519792) | more than 9 years ago | (#11753082)

Wow, this guy sounds like the bastard child of Jack Valenti, when he claimed that you are stealing if you don't watch the ads because of the fictitious 'contract' that you get TV for 'free' that is paid for by the ads.

Re:Safari Popup Fix (1)

MacJedi (173) | more than 9 years ago | (#11753178)

To paraphrase Teen Girl Squad: Enemied!

Re:Safari Popup Fix (5, Funny)

Zhe Mappel (607548) | more than 9 years ago | (#11753260)

The Defender of Property blurted:

In other words, it allows you to more effectively steal information and services from those who are kind enough to provide them for free, in exchange asking only for the opportunity to show you an easily ignored advertisement. Spoiled scum like you, with your obnoxiously oversized sense of entitlement, ought to be exiled to the desert, if you ask me. There you can establish your commune or whatever it is you hippies like to do, while we in civilized society will do our best to forget you.

I cannot imagine a more selfish attitude towards the world than that which the teabagging cocksmokers of Slashdot bring to light.

LOL! My good man, can you have reached the ripe age of harrumphing without having seen "The Big Lebowski"? You really owe it to yourself to see David Huddleston's performance as the titular character; it will cure you forever of the urge to use mothballed expressions such as "whatever it is you hippies like to do" and "we in civilized society." Conscious self-parody is one thing, after all, but your sleepwalking has moved me to unexpected sympathy in a way I've not felt since the prez fell off a Segway.

Now, in any case, no one is under any obligation to view ads in any context. Nor should imposition, the sine qua non of advertising, be euphemized as "opportunity." It's your confusion of obedience with duty that has led to your arch and sniveling denigration of your ad-free fellow man. You, sir, are no advertisement for advertisements.

Re:Safari Popup Fix (1)

ecotax (303198) | more than 9 years ago | (#11753645)

Thanks for showing us the light. Unfortunately, there's no desert anywhere near where I live. Would it be acceptable if, in the interest of civilized society, I drowned myself in a nearby lake instead?

Re:Safari Popup Fix (1)

bw5353 (775333) | more than 9 years ago | (#11753742)

This guy is a poet! Read his other postings. They are all highly recommended for anyone looking for a good laugh.

Re:Safari Popup Fix (0)

CrackedButter (646746) | more than 9 years ago | (#11753889)

This guy is being modded unfairly for all his posts, he is a comic genius! Mod Grandfather Funny +5.

Re:Safari Popup Fix (-1, Flamebait)

Anonymous Coward | more than 9 years ago | (#11753876)

You sir are a fine piece of work, I applaud your efforts. I feel the same way as you do and am glad there is a similar voice to be found in this barren wasteland of thieves. Hats off once again. I have changed my relationship towards you. See you around.

Re:Safari Popup Fix (0)

Anonymous Coward | more than 9 years ago | (#11754432)

Uh, like that's just your opinion, man!

Re:Safari Popup Fix (1)

tgibbs (83782) | more than 9 years ago | (#11763486)

In other words, it allows you to more effectively steal information and services from those who are kind enough to provide them for free, in exchange asking only for the opportunity to show you an easily ignored advertisement.

Sorry, no. It is not theft, because I never agreed to look at any advertisements, nor did I sign any kind of contract obligating me to do so. I choose to look at some advertisements out of the goodness of my heart and in the spirit of supporting sites that I like. If advertisers violate this implicit and nonbinding agreement by creating ads that are excessively obtrusive or that attempt to usurp my prerogative of deciding for myself which windows to open when, then I will respond by blocking all advertising. Unfortunately, this may result in some sites going out of business. The blame for this falls entirely upon those selfish advertisers who chose to poison the well in the pursuit of their personal profit.

Re:Safari Popup Fix (3, Interesting)

the pickle (261584) | more than 9 years ago | (#11753136)

Has it fixed the IDN vulnerability yet? 10.3.8 didn't...

p

Re:Safari Popup Fix (1)

RustNeverSleeps (846857) | more than 9 years ago | (#11755731)

Also, it appears to contain a tweak to the Safari popup blocker, as it now seems to be blocking the new popunders that everyone has been clamoring about.

I'm running 10.3.8 with this latest security update, and I'm still getting popunders in Safari at several websites, like http://www.snopes.com/ [snopes.com] and http://www.drudgereport.com/ [drudgereport.com] , so I guess it's not fixed after all.

didnt show up in my software update (1)

muzik4machines (834892) | more than 9 years ago | (#11752973)

I wasn't able to get it by the automatic software update on my Mac.

Re:didnt show up in my software update (3, Informative)

imac.usr (58845) | more than 9 years ago | (#11753152)

I wasn't able to get it by the automatic software update on my Mac.

Are you running the latest Java updates for 10.3? IIRC, it'll only show up if you've installed the Java 1.4.2 update from last year, and it won't come up on 10.2 or lower at all.

O/T- Your home page (1)

FyreFiend (81607) | more than 9 years ago | (#11753198)

(sorry for posting off topic. there didn't seem to be any other way to reach the poster) I just wanted to let you know that your homepage link is broken.

Re:didnt show up in my software update (1)

Dylan Zimmerman (607218) | more than 9 years ago | (#11753304)

Taken from my PowerBook running 10.3.8:

Before update:
AlBook:~ zimmie$ java -showversion
java version "1.4.2_05"
Java(TM) 2 Runtime Environment, Standard Edition (build 1.4.2_05-141.3)
Java HotSpot(TM) Client VM (build 1.4.2-38, mixed mode)

[snip]
After update:
AlBook:~ zimmie$ java -showversion
java version "1.4.2_05"
Java(TM) 2 Runtime Environment, Standard Edition (build 1.4.2_05-141.4)
Java HotSpot(TM) Client VM (build 1.4.2-38, mixed mode)

[snip]
I haven't rebooted yet, so I don't know what that'll change, but already, it's changed from version 1.4.2_05-141.3 to 141.4

Presumably, every 1.4.2_05-141.3 install can be updated with this, so just run
java -showversion
to see if it should apply and Software Update just isn't seeing it.
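The check the poster describes above, written out as an added example (not part of the thread, and not Apple's or anyone else's tooling): a POSIX sh script that pulls the runtime build tag out of `java -showversion` output and reports whether it is the pre-update 1.4.2_05-141.3 build or the post-update 141.4 build mentioned in the comment. The sample banner is constructed to match the comment, the mapping of build tags to "needs-update"/"updated" is an assumption taken from the poster's own before/after output, and any other tag is reported as "unknown" rather than guessed at.

```shell
#!/bin/sh
# Added example (not from the thread): classify the Java runtime build
# reported by `java -showversion` against the before/after builds the poster
# saw. Assumption: 1.4.2_05-141.3 is the unpatched build and 1.4.2_05-141.4
# the build installed by Security Update 2005-002, as the comment describes.

# Constructed sample banner, modelled on the poster's "Before update" output
# (not captured from a real machine).
SAMPLE_BEFORE='java version "1.4.2_05"
Java(TM) 2 Runtime Environment, Standard Edition (build 1.4.2_05-141.3)
Java HotSpot(TM) Client VM (build 1.4.2-38, mixed mode)'

# Extract the build tag from the "Runtime Environment" line: the text after
# "build " inside the parentheses. The HotSpot line is deliberately ignored,
# since it carries the VM build rather than the runtime build.
runtime_build() {
    printf '%s\n' "$1" | sed -n 's/.*Runtime Environment.*(build \([^)]*\)).*/\1/p'
}

# Map a build tag to a verdict. Anything not seen in the thread is "unknown".
classify_build() {
    case "$1" in
        1.4.2_05-141.3) echo "needs-update" ;;
        1.4.2_05-141.4) echo "updated" ;;
        *)              echo "unknown" ;;
    esac
}

# Full pipeline: banner text in, verdict out.
check_java_output() {
    classify_build "$(runtime_build "$1")"
}

# With --live, inspect the JVM actually installed. `java -showversion` prints
# the banner to stderr (and usage text when no class is given), so merge stderr.
if [ "${1:-}" = "--live" ]; then
    check_java_output "$(java -showversion 2>&1 </dev/null)"
else
    check_java_output "$SAMPLE_BEFORE"
fi
```

Run it with `--live` on the machine in question; without arguments it classifies the constructed sample and prints "needs-update". If it prints "unknown", the build tag does not match either of the two builds from the comment and Software Update's decision should be trusted over this script.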

Re:didnt show up in my software update (1)

waffleman (697097) | more than 9 years ago | (#11753315)

That can't be right? I've got 10.3.8 with the Java 1.4.2 update, and this auto-update isn't detected for me either. Strange. If you can find out, what version of Java are/were you running? I currently have:

Java(TM) 2 Runtime Environment, Standard Edition (build 1.4.2_05-141.3)
Java HotSpot(TM) Client VM (build 1.4.2-38, mixed mode)

thx

Re:didnt show up in my software update (1)

myov (177946) | more than 9 years ago | (#11763873)

Apple usually releases stand alone updaters. Download it and install the package.

Go Go Apple (-1, Troll)

Anonymous Coward | more than 9 years ago | (#11753154)

This was fixed more than a month ago in Sun Java. Lame response time, Apple.

Re:Go Go Apple (1)

Brian Brian (849676) | more than 9 years ago | (#11753709)

Actually it is impressive they could get it out so soon. Why? Testing the patch/fix of course.

Re:Go Go Apple (3, Insightful)

@madeus (24818) | more than 9 years ago | (#11753942)

This was fixed more than a month ago in Sun Java. Lame response time, Apple.

A superior implementation of a Java-like platform was delivered long before Oak, in NeXT's Objective-C. Lame implementation, Sun.

Re:Go Go Apple (2, Interesting)

TheRaven64 (641858) | more than 9 years ago | (#11754054)

I don't think that's entirely fair. OpenStep / Objective-C were cross platform at a source level, but still required a recompile. Depressingly, a dynamic language such as Objective-C would actually benefit more from the kind of optimisations something like the HotPoint VM can make at runtime, so it's a real shame that Sun went the Java route instead of simply creating a bytecode interpreter for Objective-C / OpenStep (which is still a far nicer platform to develop for).

Re:Go Go Apple (1)

@madeus (24818) | more than 9 years ago | (#11764861)

I don't think that's entirely fair. OpenStep / Objective-C were cross platform at a source level, but still required a recompile.

True of course, and I didn't really intend for it to be anything other than humorous. :-)

.oO( Perhaps I should have said 'cross platform compatibility solution' rather than 'Java-like platform'. )

Re:Go Go Apple (1)

geoffspear (692508) | more than 9 years ago | (#11754752)

Objective C was invented long before NeXT existed. Hell, it was before the first Macintosh came out, when Steve Jobs would have thought you were crazy if you suggested someone could force him out of Apple so he'd found another computer company.

Re:Go Go Apple (3, Funny)

Carthag (643047) | more than 9 years ago | (#11754821)

I remember finding an amusing post on usenet from 1983 or 1984 discussing the possibilities of Apple adding Objective C libraries to the Macintosh. Took a while, but they did it! :D

Link to thread (1)

Carthag (643047) | more than 9 years ago | (#11754896)

Hopefully it works, otherwise the message IDs are: 1174@ames.UUCP, 19400003@datacube.UUCP, and 386@aurora.UUCP in reverse chronological order. The funniest being 1174@ames.UUCP

google groups [google.com] .

Re:Link to thread (2, Insightful)

geoffspear (692508) | more than 9 years ago | (#11754982)

Interesting. I imagine that if C++ had been the one with a $10,000 compiler, everyone today would be using Objective C.

Re:Go Go Apple (1)

@madeus (24818) | more than 9 years ago | (#11764900)

Objective C was invented long before NeXT existed. Hell, it was before the first Macintosh came out, when Steve Jobs would have thought you were crazy if you suggested someone could force him out of Apple so he'd found another computer company.

To be fair, an actual working compiler wasn't released till 86, after the debut of the Macintosh, and when it was it was licensed by NeXT shortly afterward. That, and I don't think many people would have gotten the joke if I'd said StepStone ;-).

Scary? Well... (4, Interesting)

JavaRob (28971) | more than 9 years ago | (#11753164)

This is a serious bug and an important security update, and I'm not blowing that off... but I gotta live up to my username and point out the other side of the coin.

So what happened is one version of the JVM, on OSX, has an exploitable flaw that still leaves it less dangerous than... well, Active-X, unflawed.

It's not as serious a problem as it looks, also. They can't install a rootkit or anything like that, just because of the way OSX is designed. Say you have a Mac, and browsed to a site hosting a malicious applet (it's not a virus, so you'd have to *go* there to be in danger, and the website creator is obviously easier to trace than a virus writer). That applet could overwrite your documents, and wreak a lot of havoc, but you're not going to get owned. The Mac will prompt you for a password before it lets any software touch the core software (even its own security update!).

So -- yes, get the fix if you've got a mac, but it's not "scary".

It's more scary than ActiveX (2, Interesting)

AnEmbodiedMind (612071) | more than 9 years ago | (#11753223)

This is far more scary than ActiveX as Safari will not prompt you to run an applet; it will just run it and then your OS X account is compromised. ActiveX on the other hand prompts you before it is run.

This means that someone who knows what they are doing is at more risk on OS X than on Windows.

I'm not claiming that OS X is less secure (I'm running it right now), but this is scary (relatively).

Just mis-type a URL and you're compromised.

Re:It's more scary than ActiveX (2, Informative)

GaryPatterson (852699) | more than 9 years ago | (#11753243)

... not quite.

Mis-type a URL when the new URL goes to a cleverly written piece of Java designed specifically to hack your OS X and you'll be compromised.

Mis-type the other 99.999999% (+/- 0.0000001% error) of URLs and you'll be fine.

Still, you're correct on the bit about Safari not prompting you to run a Java applet. I think you can turn Java off though (not in front of the iBook right now, can't recall). The update fixes a potentially big hole.

Re:It's more scary than ActiveX (2, Informative)

peragrin (659227) | more than 9 years ago | (#11755162)

>>ActiveX on the other hand prompts you before it is run.

Not as default you have to set it to do that.

So they aren't all that different except the Core of OS X will still be safe while Windows just became a spam zombie.

Both will destroy whatever personal data they can get ahold of.

Re:It's more scary than ActiveX (1)

White Roses (211207) | more than 9 years ago | (#11755281)

ActiveX exploits in the wild?

Java Applet exploits in the wild?

Tell me those two numbers and then we can talk about which is scarier.

Re:Scary? Well... (1)

xgamer04 (248962) | more than 9 years ago | (#11753264)

it's not a virus, so you'd have to *go* there to be in danger,

I don't think that word means what you think it means. A worm is self-replicating without needing any other assistance.

Re:Scary? Well... (1)

JavaRob (28971) | more than 9 years ago | (#11756516)

Yes, worm (somehow I had virus/worm/trojan mixed in my head last night).

Re:Scary? Well... (1)

xgamer04 (248962) | more than 9 years ago | (#11769108)

You had a virus! Ahh!

Re:Scary? Well... (1)

JavaRob (28971) | more than 9 years ago | (#11770730)

You had a virus! Ahh!

And worms! And... ew... trojans! Mixed in my head!
I'm all better now though. And there's, ah, no need to mention this to the wife, right?

Re:Scary? Well... (1, Informative)

Anonymous Coward | more than 9 years ago | (#11753316)

Most malicious websites don't care about deleting your documents or "owning" your machine -- they just want to turn you into a spam relay. Which OS X's user accounts do nothing to prevent.

Re:Scary? Well... (3, Interesting)

Anonymous Coward | more than 9 years ago | (#11754315)

Which OS X's user accounts do nothing to prevent.

You misspelled "allow." You also used a sentence fragment. It's a real mess. Here, let me help make your point a little more clear and accurate.

Most malicious websites are not trying to delete your documents or "own" your machine. Their purpose is to turn your computer into a spam relay, which OS X's user accounts do not allow.


That's much better.

Re:Scary? Well... (1)

geoffspear (692508) | more than 9 years ago | (#11754714)

All of the user accounts on my OS X machines are allowed to send as much email as they want. The OS does nothing at all to prevent my account or any other user's account from sending billions of pieces of spam. My ISP would probably cut off my DSL before I managed to send that much, but my Mac's happy to send it all.

How is this "informative"?

Re:Scary? Well... (1)

Random832 (694525) | more than 9 years ago | (#11757214)

the parent post probably thinks that you can't be a spam relay without listening on port 25 - which a mac os x user account can't do.

Details (1)

JavaRob (28971) | more than 9 years ago | (#11757743)

I googled for stats on open relays running on windows vs. linux vs. mac, etc. but couldn't find anything.

Obviously I've never tried to set up a hidden open relay on a Mac, so I don't know what would be involved. It would need to accept incoming connections (perhaps the built-in firewall stops that?), though you could use a custom configuration where it just checks an IRC channel or webpage for messages to send and delivery addresses, etc.

I don't know enough about Macs to say exactly what's possible and what's not... but I don't think it's happening now, anyway.

Re:Details (1)

geoffspear (692508) | more than 9 years ago | (#11757838)

It's not happening now because it's a lot harder to turn the Mac into a zombie in the first place. You're hardly going to build an efficient collection of spamming zombies by putting malicious Java applications on random websites that no one's likely to visit. But once you do manage to get control of a machine, it's just as easy to do bad stuff with it if it's a Mac as it is with a Windows machine. You might not be able to do bad stuff to the machine to the same extent, but anything a user can do, a compromised Mac can do, too.

Re:Scary? Well... (3, Insightful)

piltdownman84 (853358) | more than 9 years ago | (#11753350)

Can someone please explain to me something? I'm not trying to be a troll, but why is overwriting my documents/home/user directory seen as something minor?

I always see people claiming that on Linux, OS X, xyz you are safe because your system can't get hurt, only your personal data. I personally care a lot more about what is in my user directory than my system. If my system gets hosed I lose maybe a Sunday afternoon installing everything again, but if my user directory goes I'm going to cry. I have several backups of what I have deemed as important data, but that's not everything, maybe half of my data. My mp3 files aren't backed up for example. Much quicker to install an OS, and the maybe 15 apps I use, than to re-rip 400+ CDs.

Am I missing something?

Re:Scary? Well... (1)

Anubis350 (772791) | more than 9 years ago | (#11753377)

Backups. Most nerds on /. (myself included) take the time to back up their personal documents. OTOH we also spend a great deal of time tweaking our system. It would take me maybe 10 mins to restore my home directory were it to get hosed right now (due to access controls it'd probably be hard for something to hose the rest of my non-base system data on other drives); it would probably take me a couple hours to get my system back up to my normal level of usefulness were the base system hosed right now.

Also, it's a comparison thing: in (a standard install of) Windows both your docs and the base system are vulnerable. In *nix only the user docs are vulnerable; your software and base system are protected.

Re:Scary? Well... (1)

m50d (797211) | more than 9 years ago | (#11754446)

"Real hackers" have spent years tweaking with their OS, getting it exactly how they like. What they've been working on is probably mostly new programs, which if they are complete, and even if they're not, are likely to be installed, so a virus can't touch them.

WRT your mp3s, make them so that you don't have access to write them - chmod 444 and chown root. Then chmod sticky but group-writeable your mp3 directory and chown that root as well. Same for anything you're not editing. Then a virus can't touch anything at all.

Re:Scary? Well... (1)

BMonger (68213) | more than 9 years ago | (#11755583)

I agree in part. My "works" that I make are not replaceable usually. The things I store on my machine are not easy to get back, if possible at all. I also back them up but some people don't. I would very much dislike a program that removes all of that from me.

But... if my system is compromised I very well might not know it at all. Then every time I type in a password, credit card number, anything... it's logged and sent out. This worries me equally if not more.

Either way I don't want it to happen I guess... but having your identity or such taken can arguably be worse than having your grandma's recipe for chicken soup deleted.

Re:Scary? Well... (1)

wkcole (644783) | more than 9 years ago | (#11756574)

The worst risk isn't erasure or other obvious damage to *data*, but directed modification of code and configuration that *isn't* readily detected.

Windows systems are so widely vulnerable to worms because most people running Windows work all the time as a user with full administrative rights. Any program that can get itself launched by the user can do anything it likes to the entire system without the user noticing.

Unix-based systems like MacOS X are a mixed bag, but in general people do not routinely work as 'root' but rather as less powerful users. In MacOS the administrative rights flag for an account is not the same as it is in Windows. It is not an always-on permission to do anything, it is a group membership that says the user is allowed to interactively approve administrative changes by typing his password into an approval dialog. For example, if you want to apply a system update, modify OS config, install an application in the standard world-accessible location (/Applications) , or do anything else that requires 'root' privileges, the process seeking to switch temporarily to 'root' has to go through a mediating system service that presents the request to the user (if the user is in the admin group) and requires the user to type in his password to approve the change. There remain some risks, and MANY applications install themselves in ways that open gaping holes in their own security (which can in turn compromise the system itself) but the path from 'unknown Java Applet' to 'owned box being used by Russian gangsters' even with a hole like the one Apple has taken so long to repair is not a clear one.

Of course that's bad (1)

JavaRob (28971) | more than 9 years ago | (#11756670)

Even if you backed up all of your personal files daily, losing a full day's worth of work is still a Very Bad Thing that should be avoided at all costs.

Of course, it's much worse if your OS *and* your personal data are hosed, which was the point.

But my main point is that avoiding this attack vector doesn't take "all costs" -- there aren't any reports of this attack in the wild, and you'd have to actively visit a malicious site, before applying the patch, to be affected.

That's why it's nothing to shout about -- it's actively affecting (as far as we know) nobody, as opposed to buggy spyware installations that are going on constantly which are affecting quite a lot of people.

Re:Scary? Well... (1)

legirons (809082) | more than 9 years ago | (#11760521)

"Can someone please explain to me something? I'm not trying to be a troll, but why is overwriting my documents/home/user directory seen as something minor?"

Because it allows people on here to say that OSen with usernames (i.e. theirs) are inherently more secure than OSen without usernames (i.e. Microsoft, ignoring obvious factual errors in that comparison).

It's a nice simplification. Linux good, Windows bad. Conveniently Apple has usernames too now, which means we get support from the latte-sipping black-cloaked artists and webdesigners (very fashionable, you see) by including them in the list of "secure" operating systems. It's based on BSD, which has never had a remote bug in its 38 years of existence.

It also means that if anything bad happens to your files, people can chastise you about your lack of an hourly-backup, and spend the rest of the comment lecturing you on their own intricate backup scheme, firewall policy, or whatever.

You're such a lamer you see, storing files on your computer when you could SSH into a networked BSD box at home and store them on a battery-backed journaling deniable steganographic filesystem with a 48-character password and IDS. Of course, the person who told you that is a complete idiot who has never been in the corporate world of enterprise-class Business applications where my IIS server has to be running 24/7 and I always know there's a support telephone number and someone to sue if it goes wrong...

Were you expecting something different? Like people who start with facts and proceed logically to a conclusion?

Re:Scary? Well... (1)

BeepBeepBiloobop (850735) | more than 9 years ago | (#11761405)

One of the other responses (sorry, I'm too lazy to look it up right now) suggested changing file permissions to prevent the user account from overwriting your files. I would suggest something possibly more convenient in that if you know you're going to be 'wandering' the web, use a separate login id. I do this a bit on my home machine and for 80% of my web use, it works well and doesn't expose anything but a 'throw-away' account to the world. I'm sure somebody will come up with a reason that I'm a lamer (I never professed to be a hardcore geek) for doing this, but it seems that you could minimize the exposure of your personal files by not using your personal account for random browsing. For known websites that you use often, use any account. For looking up unknown info, use the web account and save what you need into a shared directory to be accessed by other accounts, if need be.
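As an added illustration of the two mitigations discussed in this thread (it is not code from any commenter): the script below builds a throw-away home tree in a temporary directory, applies the "change file permissions" approach by stripping the write bits, and then shows why that alone does not protect you from code running under your own account: the owner of a file can always restore the write bit and overwrite it. Only a different uid (the separate browsing login suggested above) is actually stopped by the mode bits. The file names and contents are constructed for the example; the `Documents/thesis.txt` path is hypothetical.

```python
import os
import stat
import tempfile
from pathlib import Path


def writable_files(root):
    """Return the paths under root that the calling uid can write right now.

    Caveat: if you run this as root, os.access() reports everything writable
    regardless of mode bits, so the 'after' count will not drop to zero.
    """
    found = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = os.path.join(dirpath, name)
            if os.access(p, os.W_OK):
                found.append(p)
    return sorted(found)


def make_read_only(root):
    """The 'chmod' mitigation: strip user/group/other write bits under root."""
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = os.path.join(dirpath, name)
            mode = stat.S_IMODE(os.stat(p).st_mode)
            os.chmod(p, mode & ~(stat.S_IWUSR | stat.S_IWGRP | stat.S_IWOTH))


def same_uid_can_clobber(path, payload=b"clobbered\n"):
    """Simulate hostile code running as the file's owner.

    If the file is read-only, the owner simply chmods it back (no privilege
    needed) and overwrites it. Returns True when the overwrite succeeded.
    """
    if not os.access(path, os.W_OK):
        mode = stat.S_IMODE(os.stat(path).st_mode)
        os.chmod(path, mode | stat.S_IWUSR)  # owner may always chmod own file
    try:
        with open(path, "wb") as fh:
            fh.write(payload)
    except OSError:
        return False
    return Path(path).read_bytes() == payload


def demo():
    """Build a constructed home tree and return
    (writable_before, writable_after, clobbered_by_same_uid)."""
    with tempfile.TemporaryDirectory() as tmp:
        doc = Path(tmp) / "Documents" / "thesis.txt"   # hypothetical file
        doc.parent.mkdir()
        doc.write_bytes(b"important\n")
        before = len(writable_files(tmp))
        make_read_only(tmp)
        after = len(writable_files(tmp))
        clobbered = same_uid_can_clobber(str(doc))
        return before, after, clobbered


if __name__ == "__main__":
    print(demo())
```

The second return value shows the permission change "working" against a casual check, while the third shows it failing against the actual threat model of this bug (arbitrary code running as the logged-in user). That is the argument for a separate, unprivileged browsing account rather than mode bits on your own files.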

Mozilla/Camino vulnerable? (2, Interesting)

commodoresloat (172735) | more than 9 years ago | (#11753949)

Does Mozilla even use Java 1.4? According to this page [mozdev.org] , you need a special plugin to even use Java 1.4.1 or later on OSX under Mozilla. It's not clear to me whether that still applies to Camino .8.2.

Re:Mozilla/Camino vulnerable? (0)

Anonymous Coward | more than 9 years ago | (#11758074)

Yes, you need to use the Java Embedding Plugin [sourceforge.net] to use 1.4.x under any Mozilla based browser on OSX. Including Camino.

1.4.x is so much better than 1.3.x it is(was) worth the minimal risk.

Re:Scary? Well... (0)

Anonymous Coward | more than 9 years ago | (#11754241)

> It's not as serious a problem as it looks, also. They can't install
> a rootkit or anything like that, just because of the way OSX is
> designed.

The problem is it leaves a hole open to execute code on your own account.

That's fine, if you're OK with that - and if that's all it allows, then that would be all there is to it.

Problem is there is currently an exploit for OSX (been out a few months now) allowing local privilege escalation to root, from code run on a local account. google for the mrouter exploit for OS X.

So combined with that open hole which STILL isn't patched - it's as scary as complete 0wnz0rship, because that's what it allowed.

Re:Scary? Well... (1)

JavaRob (28971) | more than 9 years ago | (#11757585)

it leaves a hole open to execute code on your own account. That's fine, if you're OK with that - and if that's all it allows, then that would be all there is to it. Problem is there is currently an exploit...

You're missing the more important point -- that avoiding the problem is pretty darned easy. In fact, since this hasn't been reported in the wild, it's probably impossible to get exploited even if you wanted to. Some of this is due to the smaller user base of OSX, plus this particular version of the JVM. But a lot of it is because the Mac user would have to actively browse to a malicious site to be affected.

So combined with that open hole which STILL isn't patched - it's as scary as complete 0wnz0rship, because that's what it allowed.

I'd say it's not as scary, because you have to account for the actual chances of it happening. Someone technically *could* break into my house and "0wnz0r" my computers with a 20 lb sledge, but I worry much more about worms or possible vulns in my router/firewall.

Re:Scary? Well... (0)

Anonymous Coward | more than 9 years ago | (#11764201)

You fucking mac users amaze me. Any old webpage could have r00ted your mac, and you shrug it off as not scary, yet will jump on microsoft for the tiniest bug.

None so blind...

No (1)

JavaRob (28971) | more than 9 years ago | (#11768403)

I'm not a mac user. I have too many tools and so on that are Windows-only, and my main userbase is Windows users.

I bought one for my wife, though, because she's a "normal" computer user, and I was constantly cleaning out spyware, viruses, etc. when she was sharing my PC.

She's been using the Mac for 2-3 years now and I haven't had to do a single thing except help her with application-file associations, once.

I'm not pretending this wouldn't change (to some degree at least) if Mac OS X became the #1 targeted system... but the fact remains that it *isn't*, and the greater safety is real. Open your eyes. I don't panic at every single Windows hole either -- but when the exploits are showing up in my email on a daily basis, I notice.

I tried it; it works! (2, Funny)

Anonymous Coward | more than 9 years ago | (#11753168)

I installed it, and it works just f$#!@^*NO CARRIER

Java 1.4.2 Sucks (3, Funny)

Anonymous Coward | more than 9 years ago | (#11753201)

I don't want to start a holy war here, but what is the deal with you Java 1.4.2 fanatics? I've been sitting here at my freelance gig in front of a Java 1.4.2 rig (an 8600/300 w/64 Megs of RAM) for about 20 minutes now while it attempts to byte-compile a 17 meg file. 20 minutes! At home, on my Pentium Pro 200 running Java 1.4.1, which by all standards should be a lot slower than this Java 1.4.2 machine, the same operation would take about 2 minutes. If that.

In addition, during this file transfer, HotJava will not work. And everything else has ground to a halt. Even my IDE is straining to keep up as I type this.

I won't bore you with the laundry list of other problems that I've encountered while working on various Java 1.4.2 machines, but suffice it to say there have been many, not the least of which is I've never seen a Java 1.4.2 system that has run faster than its Java 1.4.1 counterpart, despite Java 1.4.2's faster bytecode architecture. My 486/66 with 8 megs of ram runs faster with Java 1.4.1 than this 300 mhz machine at times. From a productivity standpoint, I don't get how people can claim that Java 1.4.2 is a superior virtual machine.

Java 1.4.2 addicts, flame me if you'd like, but I'd rather hear some intelligent reasons why anyone would choose to use a Java 1.4.2 over other faster, cheaper, more stable Java environments.

Description from the Apple web site (1)

ecotax (303198) | more than 9 years ago | (#11753474)

Impact: Updates Java to address an issue where an untrusted applet could gain elevated privileges and potentially execute arbitrary code.
Description: A vulnerability in the Java Plug-in may allow an untrusted applet to escalate privileges, through JavaScript calling into Java code, including reading and writing files with the privileges of the user running the applet. Releases prior to Java 1.4.2 on Mac OS X are not affected by this vulnerability. Further information is available in Document ID 57591 from Sun.

Apple Proactive? (4, Insightful)

Undefined Parameter (726857) | more than 9 years ago | (#11753684)

Is it just me, or does it seem like Apple has a team of people working on *finding* bugs and security holes in OS X? Maybe it's just me, but the first I hear of a greater majority of problems with OS X is when Apple releases an update, which suggests that maybe Apple has something beyond a simple stress-testing beta team.

Or maybe I just need more sleep.

~UP

Re:Apple Proactive? (3, Interesting)

commodoresloat (172735) | more than 9 years ago | (#11753975)

the first I hear of a greater majority of problems with OS X is when Apple releases an update, which suggests that maybe Apple has something beyond a simple stress-testing beta team.

You seem surprised. That's only because so many other companies have trained us not to expect this. We would not expect less than this from other products; operating systems should be the same. Imagine if cars were sold without crash tests. Security in a commercial OS should undergo constant (and pro-active) testing by the company (you can certainly bet its enemies are doing that). The fact that we don't expect that kind of work, and are surprised when we see it, speaks volumes about the practices of the current leaders of the commercial OS industry.

Re:Apple Proactive? (3, Interesting)

TheRaven64 (641858) | more than 9 years ago | (#11754068)

Microsoft also do this. Part of the problem they have is that once a fix is released, it is relatively easy to diff the original and the fix and find the original flaw. This is why they tend to roll security updates up with other things whenever possible - so it takes more time for a black hat to find the actual security hole. The same thing happens with a lot of open source projects - particularly things like OpenBSD where all code is security audited within the project.

Re:Apple Proactive? (1)

myov (177946) | more than 9 years ago | (#11763861)

What about including dummy patches? Ones that have absolutely no effect but appear to patch things?

(seriously, no "I thought MS already did that" or similar comments)

Re:Apple Proactive? (-1, Troll)

Anonymous Coward | more than 9 years ago | (#11755235)

Is it just me, or does it seem like Apple has a team of people working on *finding* bugs and security holes in OS X

Apple takes security very seriously. MS can afford the melt-down of the month. Apple can't.

nah... (-1, Troll)

Anonymous Coward | more than 9 years ago | (#11753737)

...where an untrusted applet could gain elevated privileges and potentially execute arbitrary code. Sounds scary.

Nah... this sort of vulnerability is only scary on Windows.

;)

ANOTHER Security Update? (5, Funny)

Anonymous Coward | more than 9 years ago | (#11754145)

geez Apple, it was barely a month since your last update. [apple.com] Not looking so good I gotta say.

I might have to "unswitch" to Windows, they hardly have as many security fixes. It's as rock solid as a Kryptonite lock. -gko

sounds scary? (-1, Flamebait)

Sick Talents (861820) | more than 9 years ago | (#11754157)

If you think Apple security updates are scary, you'll sure shit yourself if you see Debian's!

[23 Feb 2005] DSA-688 squid - missing input sanitising
[18 Feb 2005] DSA-687 bidwatcher - format string
[17 Feb 2005] DSA-686 gftp - missing input sanitising
[17 Feb 2005] DSA-685 emacs21 - format string
[16 Feb 2005] DSA-684 typespeed - format string
[15 Feb 2005] DSA-683 postgresql - buffer overflows
[15 Feb 2005] DSA-682 awstats - missing input sanitising
[14 Feb 2005] DSA-681 synaesthesia - privilege escalation
[14 Feb 2005] DSA-680 htdig - unsanitised input
[14 Feb 2005] DSA-679 toolchain-source - insecure temporary files
[11 Feb 2005] DSA-678 netkit-rwho - missing input validation
[11 Feb 2005] DSA-677 sympa - buffer overflow
[11 Feb 2005] DSA-676 xpcd - buffer overflow
[11 Feb 2005] DSA-674 mailman - cross-site scripting, directory traversal
[10 Feb 2005] DSA-675 hztty - privilege escalation
[10 Feb 2005] DSA-673 evolution - integer overflow
[09 Feb 2005] DSA-672 xview - buffer overflows

Do you read Linux? Do you like to look down on Apple because they brought UNIX to the desktop and Linux still sucks cock? If you answered "Yes" to all of these questions, you must be a slashdot poster!

Re:sounds scary? (0)

Anonymous Coward | more than 9 years ago | (#11754297)

Do I read Linux - huh? Do I like to look down on Apple because [...] - no, I look up to Apple from the land of the poor. Does Linux still suck cock - yes, and it feels damn good. Yes, I am a slashdot poster. And Robert's your father's brother.

Related News . . . (0, Offtopic)

Dausha (546002) | more than 9 years ago | (#11754677)

In a related press release, Microsoft announced security release 1998-0173, fixing problems associated with running Open Office or Word Perfect. The specific security threat would allow users to use other word processing software than MS Word. This security update will prevent these malware products from running.

Also released is Linux security (kernel) release 2.6.8. Not wanting to feel left out. This security release, when installed in place of MS Windows, will effectively block all Windows-based malware and viruses. Unless you're one of those who are trying to get viruses to run on WINE. If you're one of those, aren't you really an MS mole trying to keep a brother down?

Secunia and Techworld Noise (1)

podperson (592944) | more than 9 years ago | (#11757405)

Techworld has hilariously biased coverage of this:

"Apple shames itself again over security: Critical hole in Mac OS X patched three months late." [techworld.com]

And it's interesting to look at Secunia's site (Secunia being the source of a lot of recent Microsoft apologism and Apple-bashing):

Macintosh OS X issues [secunia.com]

Windows XP Professional Issues [secunia.com]

(Microsoft is "Vendor 1" in their database, you'll be pleased and amused to learn.)

I'm guessing Secunia likes to drum up publicity for itself by making press releases that run counter to the general wisdom, but their conclusions and announcements don't actually match their data.

E.g. on the Windows XP page, they show a pie graph that states XP Pro as having 0% (out of 67) severe issues, but then list several severe issues immediately below, one of which ("Windows Explorer / Internet Explorer Long Share Name Buffer Overflow") has not been patched (by their reckoning) in nine months. Maybe their Excel graphing skills are lacking...

The only mention of ActiveX states that Microsoft has fixed a problem whereby web pages can install arbitrary ActiveX plugins. As far as I know, it simply requires the user to click the "OK" button, which they're quite likely to do, given that they may well have to click it for legitimate reasons in the course of their daily job.