Apple releases new security update


Defiant
2004-05-21, 19:02
It's the fix for the Help Viewer issue. Now in Software Update!

Paul
2004-05-21, 19:50
weighing in at 712k, not too shabby... here is the description:
Security Update 2004-05-24 delivers a number of security enhancements and is recommended for all Macintosh users. This update includes the following components:

HelpViewer

and it does NOT require a restart

http://homepage.mac.com/psantora/.Public/SU524.png

curiousuburb
2004-05-21, 20:01
patches are good.

don't know if it also addresses the Safari (webcore) side of the exploit,
but an official response is welcome

Chinney
2004-05-21, 23:14
Is this not two updates in the past few weeks? Just what operating system am I running here? :eek:

LudwigVan
2004-05-21, 23:29
Is this not two updates in the past few weeks? Just what operating system am I running here? :eek:

I doubt the sky is falling quite yet.

By the way, I read at the MacRumors forum that there is some kind of Terminal fix in this update for 10.2 users.

Ryan
2004-05-21, 23:46
Is this not two updates in the past few weeks? Just what operating system am I running here? :eek:


At least they addressed it quickly, and didn't take weeks or months.

torifile
2004-05-21, 23:52
At least they addressed it quickly, and didn't take weeks or months.

AFAIK, the vulnerability was reported to them a while ago. It only became public recently but they did know about it for a while.

Defiant
2004-05-22, 06:12
It was reported to them on the 23rd of February. Now we have 24th of May. That's not quick. But they had to do something after it became public, didn't they?

If anyone wants to test it again, here's the original proof of concept: http://www.insecure.ws/article.php?story=2004051612423136

Here's what I get in OmniWeb:

http://img19.imageshack.us/img19/8388/muahaha.png

It says: "Attention: The following DiskImages couldn't be activated, Reason: No such file or folder."

:)

Moogs
2004-05-22, 10:08
WARNING: Apple's fix DOES NOT address the serious security flaw in Safari that is described by Unsanity. (http://www.unsanity.com/haxies/pa/whitepaper) I just installed the patch last night and it does nothing to stop the behavior noted above. There have been some people online who think it does more than fix the Help Viewer thing; it doesn't AFAICT.

Even if the "Open Safe Files" is turned off in Safari (which mine always is), disk images can be mounted on your machine and launch code without you ever doing anything to specifically enable that behavior (such as downloading a suspicious file). This is some scary poop.