
Apple Releases Mega Patch to Fix 19 Flaws

CmdrTaco posted more than 9 years ago | from the i-got-yer-patch-right-here dept.

Security 554

maotx writes "Apple has released a mega-patch that fixes 19 flaws in Mac OS X v10.3.9. The updates include several fixes for remote and local root exploits. The change log can be found here. You can download the updates using the Software Update Program or directly from Apple Downloads."


554 comments


fpppp (-1, Offtopic)

Anonymous Coward | more than 9 years ago | (#12444826)

FIRST POST!

10.3.10? (5, Funny)

avalys (221114) | more than 9 years ago | (#12444834)

Why not just call it 10.3.10?

Re:10.3.10? (4, Informative)

LEgregius (550408) | more than 9 years ago | (#12444870)

Apple has always separated security updates from OS updates. I guess it's just a matter of habit.

Re:10.3.10? (5, Informative)

remahl (698283) | more than 9 years ago | (#12444910)

No, there is very solid reasoning behind doing so.

A security update should have a very low threshold for installation. An admin should be able to apply it feeling somewhat confident it is not going to break anything important. Of course, on critical systems "somewhat" is not enough so it may still require some testing.

Point being, a security update should be lightweight to encourage quick adoption.

As an aside, Apple "violated" this express policy and included a few security updates with 10.3.9. That update turned out to break things for a lot of people, therefore people held off installing it. During that time, they were subjected to published vulnerabilities.

Re:10.3.10? (1)

macaulay805 (823467) | more than 9 years ago | (#12444874)

Why not just call it 10.3.10?

Would someone please explain to me why this comment would be marked as "Flamebait"? Still trying to get a handle on this mod thing.

Re:10.3.10? (0)

Anonymous Coward | more than 9 years ago | (#12444897)

Judging from that UID I think the OP is serious.

Re:10.3.10? (1, Informative)

Experiment 626 (698257) | more than 9 years ago | (#12444968)

Would someone please explain to me why this comment would be marked as "Flamebait"? Still trying to get a handle on this mod thing.

I'm guessing it was some mod who doesn't get the concept that the segments in 10.3.9 are separate fields (like an IP address) rather than one big floating point decimal, thinks "10.310 < 10.39, OMG, this poster wants to make OS X go backwards!" and clicked the flamebait button.

Re:10.3.10? (1, Funny)

Anonymous Coward | more than 9 years ago | (#12445106)

I wish there were a 'stupid' mod.

silly taco (5, Informative)

Anonymous Coward | more than 9 years ago | (#12444835)

it was a 6 mb security release from 2 days ago.

Re:silly taco (0)

Anonymous Coward | more than 9 years ago | (#12444873)

And there are people 2 days late installing this because they weren't aware of it. Late news is better than no news...

Re:silly taco (0)

Anonymous Coward | more than 9 years ago | (#12444964)

It's not the size that matters! It's how you use it!

hehe (-1, Offtopic)

Anonymous Coward | more than 9 years ago | (#12444837)

hehe

One assumes all of these are fixed in Tiger... (2, Insightful)

Cr0w T. Trollbot (848674) | more than 9 years ago | (#12444838)

But the linked article doesn't make that clear.

Crow T. Trollbot

mante o sorushiva? (-1, Offtopic)

ghingy (877502) | more than 9 years ago | (#12444839)

Kita apple sivanbo kes shuipe?

Palir kulup? (-1, Offtopic)

Anonymous Coward | more than 9 years ago | (#12444906)

Pergi bersunat.

Re:mante o sorushiva? (-1, Offtopic)

xeon4life (668430) | more than 9 years ago | (#12444930)

...What?

zubbak sghiir? (-1, Offtopic)

Anonymous Coward | more than 9 years ago | (#12444948)

:-)

Re:mante o sorushiva? (-1, Offtopic)

Anonymous Coward | more than 9 years ago | (#12445023)

Interesting. Right. Why is it that this gets modded up, when my German or French posts are consistently modded down? Look guys, Nazi Germany happened a half-century ago, and you don't need to keep up the French-bashing because your fearless leaders tell you to. Use your BRAINS! Your delicious brains...

Several exploits (4, Insightful)

m50d (797211) | more than 9 years ago | (#12444849)

Firstly, remote root should never happen. Secondly, what were they doing leaving all these exploits open? I appreciate that a mega-patch may be easier to install, but vulnerabilities need to be patched immediately.

Re:Several exploits (1)

bryan986 (833912) | more than 9 years ago | (#12444885)

Apple only has so many veterinarians

Re:Several exploits (-1, Troll)

Anonymous Coward | more than 9 years ago | (#12444926)

Conclusive proof that if Mac OS X were as popular as Windows, it would be rooted just as much - you only need one remote-root vulnerability to have your computer completely owned, and this one affected pretty much every Mac in existence. And a pre-emptive request for mods - instead of just modding me down into oblivion, why not respond to my points instead?

Re:Several exploits (3, Insightful)

coolgeek (140561) | more than 9 years ago | (#12445009)

Well, I'm not a mod, but here's your response. You cannot "prove" speculation.

Re:Several exploits (0)

Anonymous Coward | more than 9 years ago | (#12445052)

Why not?

Re:Several exploits (2, Interesting)

Anonymous Coward | more than 9 years ago | (#12445097)

How is it speculation? There was a remote root vulnerability present for more than long enough for someone to (if they could be bothered) exploit it on a wide range of machines. I'll try to dumb it down so that even a slashdot-eer can understand it:

1) Remote root vulnerability exists for a long time.

2) If there are a large number of machines with this vulnerability, then it is worth exploiting.

3) Most Macs have this vulnerability.

4) If Macs had a large marketshare, this "most" would correspond to (in absolute terms) a large amount of machines, and so something worth exploiting.

5) Huge bunch of Macs are rooted. Mac OS users have a false sense of security, so do not realise it.

6) ...

7) People who want botnets profit!

Re:Several exploits (2, Funny)

computerme (655703) | more than 9 years ago | (#12444995)

so would you rather have 19 single downloaded patches?

The time from discovery to fix was relatively short.

They decided to put them all in a single patch.

Re:Several exploits (0)

m50d (797211) | more than 9 years ago | (#12445067)

Yes, I would. When my system is vulnerable, I want the patch *right now*.

FP (-1, Offtopic)

Anonymous Coward | more than 9 years ago | (#12444850)

I've ruined my life by reading slashdot, entertaining Linux, and leaving God.

10.3.9 is so 2005 (1, Funny)

yardbird (165009) | more than 9 years ago | (#12444851)

All right, I've waited long enough -- time to get off my ass and install Tiger.

While I think... (4, Interesting)

Landak (798221) | more than 9 years ago | (#12444852)

While it's certainly worthy of comment that there have been so many things requiring patches, I think it's also worthy of note that Apple does actually patch them quite well. I hadn't come across any of these obscure vulnerabilities, but I'm sure they're there - I'm just glad to see Apple fixing them - and, it has to be said, giving credit where it's due (Thanks to $NAME for bringing this to our attention, etc)

Re:While I think... (5, Insightful)

IamTheRealMike (537420) | more than 9 years ago | (#12444899)

It's worth noting that Microsoft does exactly the same thing. Presumably you find that worthy of note also?

Re:While I think... (1, Funny)

R.Mo_Robert (737913) | more than 9 years ago | (#12445061)

You must have missed the "patched it well" and "[not coming] across any of these ... vulnerabilities" parts.

Re:While I think... (4, Interesting)

MobyDisk (75490) | more than 9 years ago | (#12445096)

You are right. And as far as I know, MS was one of the first.

I just wish Microsoft better documented what is in their patches. Sometimes they say that it fixes an exploit, but doesn't say which part of that 50MB download is for that exploit. Or exactly what the exploit was. If I recall, they've even sued people for publishing the exploit!

And if I may put on my tin foil hat here, I've noticed that some MS patches do surreptitious things. For example, several Win2k patches connected to a 3rd party server, by IP address since it had no DNS entry, and made an HTTP request. When my firewall denied the connection, the patch refused to install. No problem! I connected to that server myself to see what it is. As soon as I enter an HTTP GET, it immediately disconnects me. Hmmmmmmm!? Why does an MS patch connect to a mysterious server with no DNS record that goes to extra lengths to hide other connections?

Sometimes this hat feels kinda comfy.

Re:While I think... (4, Informative)

remahl (698283) | more than 9 years ago | (#12444958)

They could do a better job, I think. The product security team must be overworked. I was credited with discovery of four of the issues (more about those [remahl.se] ), and I reported them in mid-February. Almost three months later, the patch is out...

Re:While I think... (1)

swb (14022) | more than 9 years ago | (#12445062)

How do you run across a vulnerability? Unless you're an elbow-deep-in-the-OS hacker, I can't think of how I'd run across a vulnerability unless it manifested itself as an ordinary bug that caused a visible fault.

Tiger? (1, Funny)

DeathFlame (839265) | more than 9 years ago | (#12444853)


So since tiger* is 10.4, does it get these patches as well?

*TERMS OF USE

The reader of these terms of use agrees not to sue me for trademark infringement for the use of 'tiger'

Re:Tiger? (1)

Klar (522420) | more than 9 years ago | (#12444901)

ROTFL, that is the best disclaimer ever!

Re:Tiger? (1)

k96822 (838564) | more than 9 years ago | (#12444919)

I'll just wait the day before you release any product that uses the word "Tiger" in the title and sue you then.

Huh? (0)

Anonymous Coward | more than 9 years ago | (#12444855)

Apples have roots? I thought they only had cores...

har. I'll be here all week.

Marching orders? (3, Funny)

JPelorat (5320) | more than 9 years ago | (#12444856)

So are we supposed to like or dislike this so-called "mega-patch"?

Re:Marching orders? (3, Funny)

Anonymous Coward | more than 9 years ago | (#12444898)

Both.
Like because it is only 6MB to fix 19 holes.
Dislike because they released them all at once instead of releasing a fix as they were fixed.

You're welcome

Re:Marching orders? (0)

Anonymous Coward | more than 9 years ago | (#12444923)

Not sure. Apple shills are bitching about this even being posted on other sites and saying how it's all a Microsoft paid attempt to make Apple look bad.

Imagine (1, Funny)

bryan986 (833912) | more than 9 years ago | (#12444858)

if a real panther had 19 flaws, it would eat your babies

First. Post. (0)

Anonymous Coward | more than 9 years ago | (#12444864)

Because everyone else is downloading the patch...

10.4.1 (2, Interesting)

DavidLeblond (267211) | more than 9 years ago | (#12444866)

Where's the patch that fixes all the stuff that is broken in Tiger? Quicktime beachballs anyone?

Re:10.4.1 (1)

k96822 (838564) | more than 9 years ago | (#12444969)

Aha, I thought there were going to be problems with Tiger. I'm one of those people who is thinking, "Well, okay; we're up to 10.3.9, which is Panther with everything super-solid and shaken out. I like my computer working. I'll wait on Tiger until at least 10.4.3."

'Cuz I really hate them beachballs too.

Re:10.4.1 (0)

Anonymous Coward | more than 9 years ago | (#12445084)

Not to mention...
  • Safari 2 rendering problems (e.g. Edmunds.com)
  • Not connecting to trusted wireless networks when waking from sleep
  • Starting up to Open Firmware when connected to random USB devices
  • Various Dashboard problems (incorrect widget icons, displaying incorrect widget after dragging, unnecessarily complicated installation process for new widgets)
  • Cutting system performance in half for some old functions
  • Expose's framerate drops significantly, even on G5s
  • Incompatibility with Virex and Norton Antivirus (not that they're needed anyway...)
  • Disappointing results while using 4-person iChat conferences
  • Spotlight search windows don't seem to be a part of the Finder or any other application, making it difficult to switch to a Spotlight window that's covered by other windows
Anyone have something else to add?

Re:10.4.1 (1)

Tanka Tennen (580318) | more than 9 years ago | (#12445090)

Expect Tiger 10.4.1 mid- to late-May [appleinsider.com]

A non-apple user has some questions: (2, Interesting)

Enigma_Man (756516) | more than 9 years ago | (#12444867)

How often does Apple release patches and the like? I'm just curious to see how it compares to say Windows.

Do they have some sort of web-interface like Windows-update, or is it a self-contained program, or is it an open thing that you can use whatever browser/program you'd like to download?

Are there lots of little patches all the time, or just big lumps of patches like this one?

Thanks!
-Jesse

Re:A non-apple user has some questions: (2, Informative)

Enrique1218 (603187) | more than 9 years ago | (#12444904)

Once a month. This one was a lot bigger than average.

Re:A non-apple user has some questions: (1, Informative)

Anonymous Coward | more than 9 years ago | (#12444916)

They release patches when they need to. Easy peasy. :D

The interface is simple. I have it set to automatically let me know when there are updates available, but you can optionally pick "Software Update" from the Apple menu to see if there's anything new. Or, if you prefer (why, though?) you can download updates from the and install them yourself.

Little patches are rare, but not unheard of. Usually to fix emergency security bits.

Re:A non-apple user has some questions: (1, Informative)

Anonymous Coward | more than 9 years ago | (#12444921)

Do they have some sort of web-interface like Windows-update, or is it a self-contained program, or is it an open thing that you can use whatever browser/program you'd like to download?

From the summary, "You can download the updates using the Software Update Program or directly from Apple Downloads."

Re:A non-apple user has some questions: (4, Informative)

the_rev_matt (239420) | more than 9 years ago | (#12444924)

Software Update is a system tool. It can be set to check for updates daily, weekly, or monthly (IIRC).

They do a mix of patches depending on what's needed. If there's just a small hotfix, that's what's there. If there's several unrelated fixes, they're all there. Other times it's big fixes like this. Also note that every few months they'll roll up a bunch of fixes into one big one to make it easier on people.

Re:A non-apple user has some questions: (1)

the_rev_matt (239420) | more than 9 years ago | (#12445022)

A better description is here [apple.com] .

Re:A non-apple user has some questions: (0)

Anonymous Coward | more than 9 years ago | (#12444932)

1) They release when it's ready. Most of the time.
2) Self contained programme.
3) There are 4 categories:
a) Point releases - mostly big system bugfixes eg 10.3.9
b) Security Updates, like this patch, which can fix one or more security issues
c) Updates to major apple apps, such as iPhoto/iTunes
d) Firmware upgrades e.g. for the iPod/iSight

Re:A non-apple user has some questions: (0)

Anonymous Coward | more than 9 years ago | (#12444939)

I would imagine most people use Software Update, which is built in and can be set to automatically check for updates. If you do not want to use that, just head over to Apple's download site.

Re:A non-apple user has some questions: (1)

sparkster812 (670872) | more than 9 years ago | (#12444941)

OS X has a "Software Update" application that runs on its own. It even offers an option to save downloaded packages for future installations.

Much nicer [and easier!] than being tied to using IE to update my 2K/XP boxes.

Re:A non-apple user has some questions: (1)

acvh (120205) | more than 9 years ago | (#12444946)

I run Software Update once a week and there's usually something getting updated.

Software Update can be set to check for updates on your schedule: it's a preference pane (think Control Panel).

You can also manually kick it off, or just go to apple.com and check for downloads there.

Most patches are small. This one is larger than most.

Re:A non-apple user has some questions: (1)

3nuff (824173) | more than 9 years ago | (#12444956)

There is a client tool that you can run from the desktop or schedule to run at any period you like. It updates most Apple software too, not just the OS, but things like iTunes, iPhoto, bluetooth firmware, etc... I've noticed that there is usually something every week, not necessarily security related...

Re:A non-apple user has some questions: (1)

CapnRob (137862) | more than 9 years ago | (#12444963)

The auto-update program lives in the control panel/system preferences. You can download patch installers from the Apple web site, if you prefer, but the auto-updater works fine for me.

So far, Apple's been pretty good about patches, as long as you keep in mind the fact that you're not going to need as many critical patches to keep a Unix box with user privileges locked down as you will with a Windows-style every-program-for-itself paradigm. That said, it's a mix. There're a few little patches every so often, interspersed with bigger patches.

Re:A non-apple user has some questions: (1)

rezac (733345) | more than 9 years ago | (#12444977)

They seem to come in random cycles, but usually 1 or 2 a month. Most are small patches.

To answer your 2nd series of questions: yes, yes and yes. Software Update can be set to check daily, weekly, or manually at your leisure. It can be set to download automatically in the background. You can pick and choose the updates you want to install. Also you can forego the SU application and instead use your browser of choice to download the update, patch, whatever, directly.

Typically the patches are smaller. This one was unusually big. Biggest one I recall and I've been running X since the public beta.

Apple's security SUCKS (0)

Anonymous Coward | more than 9 years ago | (#12444978)

For security, Apple hasn't been so good. Use places like osvdb:
Apple [osvdb.org]
Debian [osvdb.org]
Openbsd [osvdb.org]

Re:A non-apple user has some questions: (1)

kannibal_klown (531544) | more than 9 years ago | (#12444979)

There's a built-in application. It's very light and is run from the top menu.

When it starts it checks for new updates and you can cherry-pick which ones you want. Some updates include drivers, security, or just basic software updates. It also doesn't just cover the core OS but applications that come with it too (iChat, Mail, etc).

Usually a bunch of things are bootstrapped into the same update though I don't recall this many being a common occurrence. Usually the only big ones are the point updates (ie 10.3.8 to 10.3.9) and even those aren't that big.

I like its method a lot more than Microsoft's method.

Re:A non-apple user has some questions: (1)

Marillion (33728) | more than 9 years ago | (#12444991)

It's very similar to Windows Update.

They have a little utility that contacts the apple update site about once a week. If it finds any, it gives you a list box that you can pick and choose which items to upgrade. I usually do them all.

Feature upgrades occur about monthly, not that I've really timed it. Security fixes are on a faster track.

Re:A non-apple user has some questions: (1)

big tex (15917) | more than 9 years ago | (#12444999)

There's an app called Software Update. [apple.com]

If you are online, it tells you that an update is available. The update runs in a self-contained application.

Re:A non-apple user has some questions: (4, Informative)

tomcio.s (455520) | more than 9 years ago | (#12445004)

How often does Apple release patches and the like? I'm just curious to see how it compares to say Windows.
-About once every 2 months we see security patch. They now name them 200x.00y (x - year, y - patch this year).
-Software updates for apple software (non-OS related) come in about the same frequency. I usually get bugged to install something once every 2 weeks or so.
-Software updates for apple OS (10.3.x, where x is the current update) come in about once a quarter, or so.

All of those are voluntary upgrades.

Do they have some sort of web-interface like Windows-update, or is it a self-contained program, or is it an open thing that you can use whatever browser/program you'd like to download?

-There is an automated, stand alone tool to deliver them.
-They get posted as downloads to their site (apple.com) with documentation, description, etc.
-Sometimes, multiple patches get rolled into an 'uber' patch, if you are installing (upgrading) from previous release of the os to current (not on the release day). Apple also re-issues their OS media w/ most patches as they get posted.

So you can use any number of ways to patch your system.

Are there lots of little patches all the time, or just big lumps of patches like this one?

See above. Small patches are released if they are important, as time progresses they get rolled into bigger, all inclusive patches (and still available as the small ones).

Note, Apple also uses this mechanism to install firmware for iPods, iSights and Airport Stations - which makes upgrading your kit really convenient.

You can set the stand alone utility to check daily/weekly, whatever, or disable it as well.

Re:A non-apple user has some questions: (1)

madmancarman (100642) | more than 9 years ago | (#12445026)

There's an application called Software Update that checks in the background at a schedule you set through the System Preferences application. Then, if there's an update, Software Update opens and shows you a dialog and a description of each patch or updated application, and you can select or deselect updates via checkboxes. You can also disable updates so they never show up again (for example, I've disabled the iSight update because I don't have Apple's webcam).

Just click Install and it grabs and installs all the selected updates, but only after you enter the username of a user with root privileges (usually the first username added to the system) and the appropriate password.

The really nice thing about Software Update is that once you enter your username and password, it does everything else automatically, including restarting your system if necessary. That's a lot different from Microsoft's updaters, which often require separate EULAs and confirmations. Apple's EULAs are either shown before the downloading begins, or the first time you run the updated version of an application. Pretty slick!

As for patch frequency, it really depends - sometimes you have lots of little security updates, and once every month or two you get a big update that kicks the revision number up by one. Those revision updates usually require small patches, unfortunately.

Re:A non-apple user has some questions: (1)

ip_fired (730445) | more than 9 years ago | (#12445040)

How often does Apple release patches and the like?
Pretty often. But as with some other large companies, sometimes they drag their feet if they don't feel that it is a priority.

Do they have some sort of web-interface like Windows-update, or is it a self-contained program

It's a self-contained program run from the System Preferences page. It downloads, installs, optimizes and then, if necessary, reboots. It runs automatically by default so you really don't need to worry about it. It checks once a week for updates.

Are there lots of little patches all the time, or just big lumps of patches like this one?

Usually they are just smaller patches. The big list of changes usually come in the form of a point release upgrade (for instance, going from 10.3.8 to 10.3.9). Apple had 9 upgrades during the past 15 months or so. The best thing about those is that not only do they fix potential problems, they also usually have optimizations and new software from Apple.

Re:A non-apple user has some questions: (1)

99BottlesOfBeerInMyF (813746) | more than 9 years ago | (#12445092)

How often does Apple release patches and the like?

Security patches are about one a month. They also issue other bugfixes every couple of months.

Do they have some sort of web-interface like Windows-update...

They have a Web page that lists all the updates as they are released and provides downloads. It works in every browser I have tried.

or is it a self-contained program

OS X also has an application that automatically checks for updates on whatever schedule you set and will download them automatically or just download critical fixes automatically. It also handles the install process.

Are there lots of little patches all the time, or just big lumps of patches like this one?

They come in lumps as Apple aggregates fixes from various locations and open source software projects that ship as part of OS X. They do testing in batches and release them as needed. So far they have been very timely. When someone made a demo exploit the turnaround on the update was about 48 hours. Most (like this last one) are just potential exploits that have not been seen in the wild, but could theoretically be exploited. They usually don't rush those and lump them into a monthly security update.

Patch (0)

Anonymous Coward | more than 9 years ago | (#12444869)

You mean they won't have to pay for that one?!

You call that a patch? (5, Funny)

aapold (753705) | more than 9 years ago | (#12444878)

Windows patches more stuff in a couple weeks than other OS's patch in an entire year!

Re:You call that a patch? (1)

PhreakinPenguin (454482) | more than 9 years ago | (#12444902)

Please correct me if I'm wrong as I'm an Apple idiot, but isn't this for the one that was just released?

Re:You call that a patch? (0)

Anonymous Coward | more than 9 years ago | (#12444925)

No, Tiger has just been released which is 10.4. These are patches for 10.3.9.

Re:You call that a patch? (1)

tomcio.s (455520) | more than 9 years ago | (#12445036)

That is correct. They have all those fixes in 10.4 already, and now they issued them for the previous release 10.3.

On behalf of MS & Linux I say, (5, Funny)

winkydink (650484) | more than 9 years ago | (#12444884)

Welcome to our world.

Re:On behalf of MS & Linux I say, (1)

thermal_noise (57351) | more than 9 years ago | (#12444994)

Who is number one?

Mac OS X has flaws and exploits! gasp! (0, Flamebait)

Anonymous Coward | more than 9 years ago | (#12444888)

Oy my god, the sky is falling, it's possible to exploit a system running a version of Mac OS X. That isn't supposed to be possible. Only Microsoft programs have exploits.

Poor mistakes (-1, Troll)

Anonymous Coward | more than 9 years ago | (#12444903)

Apple better get their act together and fast. They're building some extremely ridiculous security vulnerabilities into their software.

I mean come on, the Apple Mac OS X Finder .DS_Store File Writing Local Vulnerability is something I'd expect from my little sister. It's embarrassing really.

GET IT TOGETHER BEFORE IT'S TOO LATE!

Re:Poor mistakes (0)

Anonymous Coward | more than 9 years ago | (#12445008)

What about the "at" vulnerability that let anyone read any file?
Boy _THAT_ was smart, Apple.

Re:Poor mistakes (4, Funny)

psbrogna (611644) | more than 9 years ago | (#12445093)

Your little sister develops operating systems? That's so cool. Mine works at a donut shop.

A patch by any name is fine with me (1)

amichalo (132545) | more than 9 years ago | (#12444911)

Though I support all software vendors issuing quality products the first go round, I recognize QA cannot catch every issue and I find it cause for minor celebration when Microsoft, Apple, the FOSS community, or any developer for that matter issues free patches for their work.

This is a wonderful benefit of the Internet. No waiting for CDs in the mail. No waiting until a new version hit store shelves. I remember running a BBS with WWIV and being mailed 5.25" floppies with the latest improved and patch source.

Three cheers for software vendors and the Internet for giving us multi-megabyte patches free and instantly!

Re:A patch by any name is fine with me (0)

Anonymous Coward | more than 9 years ago | (#12445063)

'course without the internet, many of these vulnerabilities wouldn't exist... : )

Apache Exploit (1)

110010001000 (697113) | more than 9 years ago | (#12444912)

Does the Apache exploit mentioned affect any other platforms that Apache runs on, or is it specific to OSX? It's a pretty severe one. I don't run closed source OSes (like OSX or Windows) but I would like to make sure that my Gentoo apache install is OK.

Re:Apache Exploit (5, Informative)

CausticPuppy (82139) | more than 9 years ago | (#12445024)

Does the Apache exploit mentioned affect any other platforms that Apache runs on, or is it specific to OSX? It's a pretty severe one. I don't run closed source OSes (like OSX or Windows) but I would like to make sure that my Gentoo apache install is OK.

I believe it's referring to this bug [debian.org] in htdigest that was reported a year ago. If so, it affects linux systems as well.

I wouldn't worry too much about it, it's not a remotely exploitable overflow... it could be exploited by somebody who was allowed to upload a malicious CGI script to your server, but it would have to be somebody who was allowed to deploy CGI scripts to your apache server to begin with.

Re:Apache Exploit (1)

110010001000 (697113) | more than 9 years ago | (#12445080)

But if any of the cgi scripts in my system use htdigest it is possible to exploit it remotely. I don't know if any of them do. I think I need to upgrade immediately.

Wow (0)

Anonymous Coward | more than 9 years ago | (#12444950)

Already like 20 comments, and no one has mentioned Apple's "partnership" (or lack thereof) with the OSS community.

Beware (5, Funny)

Aenox (874907) | more than 9 years ago | (#12444961)

Downloading this patch is acceptance of remote exploits existing in our beloved Mac. I for one will not be updating. Stick to your principals everyone.

Re:Beware (5, Funny)

JLyle (267134) | more than 9 years ago | (#12445025)

Stick to your principals everyone.
Spend all day following them around the school if that's what it takes.

Re:Beware (1)

Aenox (874907) | more than 9 years ago | (#12445046)

Being a Mac user I refuse to accept that "principles" is correct.

Re:Beware (0)

Anonymous Coward | more than 9 years ago | (#12445051)

Stick to your principals everyone.
Why should I stick to a principal [reference.com] when I can stick to a principle [reference.com] instead?

Wouldn't a 'Mega-Patch' (5, Funny)

rsilvergun (571051) | more than 9 years ago | (#12444986)

...fix 1 million flaws?

Re:Wouldn't a 'Mega-Patch' (1)

JPelorat (5320) | more than 9 years ago | (#12445073)

Only if they were also a hard drive manufacturer.

Re:Wouldn't a 'Mega-Patch' (1)

Distinguished Hero (618385) | more than 9 years ago | (#12445108)

Or perhaps 1 048 576 flaws.

article missing (3, Funny)

deft (253558) | more than 9 years ago | (#12445006)

critical sideways remark about security of OS and said manufacturer.

Oh, my bad, not MS.

Imagine (0)

Anonymous Coward | more than 9 years ago | (#12445015)

A Beowulf cluster of these.
In soviet russia, a 10MB file patches 6 flaws.
GNAA @ HOT GRITS!

That's funny.. (0)

Anonymous Coward | more than 9 years ago | (#12445054)

I installed the patch on XP and now I get a whole bunch of popup IE windows telling me my computer might be infected with spyware. They also tell me I should buy all kinds of pills to lower my blood pressure, calm me down and give me a boner for a spyware cleaning utility. After that I should be all smiley faces for screensavers and wallpapers and for making a backup of all my DVD movies before I go on vacation to a tropical island somewhere. It also tells me that I'll be happier on vacation if I get weight loss pills and anti-aging cream to make me look prettier and sexier in lingerie from Victoria's Secret or some such place. When I get back, I'm supposed to buy an imitation Rolex watch and look at porn all day.

Well, except for the porn bit, that's the last time I'll install an Apple mega patch. Now I'll have to reinstall the OS to get useless advice from Clippy again.

Move along; nothing here to see. (0)

Anonymous Coward | more than 9 years ago | (#12445058)

This is a normal security update -- not some new "megapatch" -- the Register should be ashamed for this complete failure of journalism. It's not a "service pack in all but name", it's yet another security update fixing potential vulnerabilities that there are no known exploits for.

Sheesh, duck to avoid the FUD.

good good (1)

FidelCatsro (861135) | more than 9 years ago | (#12445060)

Personally I have Tiger on my Mac that runs OS X, but it's nice to know Apple are on top of the security updates. Well, it's good to know they get them out before I had even heard of most of the security problems, which gives me a lot of faith in their development teams and debugging systems.

Re:good good (1)

b3s (807077) | more than 9 years ago | (#12445072)

no, it could merely indicate a million fixes for the same problem.

What about *MY* Problem? (1)

ebooher (187230) | more than 9 years ago | (#12445091)

I skimmed through the change log but didn't see anything that addresses my problem. My B&W G3 will not boot by itself after the update two before this one.

Let me allow that to sink in for a moment ..... before I repeat myself. My Mac will not boot by itself after one of the last Panther updates.

If I have to reboot I have to hover over the keyboard and wait for the Startup "Pong" to do a PRAM flash, second "Pong" and the system starts just fine. If I don't do that the screen goes black and the system sits there, disk access etc even stops.

God Forbid I have to shutdown completely. Last time I did that I had to open the case and depress the CUDA button to get the system to even power on.

I happen to know it's something in one of the updates, because I simply assumed the B&W (being that it is several years old) was finally dying, and gearing up for a newer G4 replacement bought a new hard drive. My copy of Panther is original, so after installation, shutdowns, reboots, everything works fine. I finally let it start its updates after setting up my mail, etc. (no app installs, though) and wham. Same issue, have to PRAM zap to boot ... then it adds 10.3.9 and it eats the disk. Will not boot at all. Had to put the smaller disk back in ..... though once I did that, the other Panther was able to *mount* the disk that apparently no longer has a boot sector.

Meh?

Have any other B&W users here on /. been victim to this? I've trolled a few Mac forums but haven't found anything like this, and I'm not sure how I should submit it to Apple for a fix if I'm the only one having the issue. Though again, I have to admit I haven't been looking too long, thought it was the Mac and not the software, silly me.

CAN-2005-1337 (5, Funny)

remahl (698283) | more than 9 years ago | (#12445111)

I'm just happy one of the issues I reported was assigned CVE "CAN-2005-1337" ;-). Must have been my lucky day.