Thursday, February 12, 2009

Mac Security Update 2009-001, Java Updates and a Safari for Windows Update

If you'd like to read Apple's notes about Security Update 2009-001, you can click HERE.

Ahead is a quick analysis of what is covered in the update, along with comments.

This security update is specifically for computers updated to Mac OS X 10.4.11 and 10.5.6, both client and server. Presumably it will be integrated into 10.5.7 when it's available.

There are 28 specific security updates including fixes for 48 documented vulnerabilities, making this another whopper relative to the updates we used to get from Apple a couple years back. I like that. The updates cover some interesting aspects of the Mac OS X Apple have not previously addressed. This indicates to me that over time they are carefully combing through aspects of the OS rather than randomly poking around or only responding as they receive vulnerability reports from third parties.

As ever, there are several buffer overflow patches. Memory management remains one of the banes of contemporary coding. I'm getting the idea that this problem won't go away until we invent an AI that can self-analyze its own computer code. It could happen!

A surprising trend in this update is the patching of security problems introduced specifically in Mac OS X 10.5.6. Ahem Apple. Ahem beta testers.

Cookies: There are a couple repairs for cookie problems introduced into the CFNetwork process in Mac OS X 10.5.6.

Printing: Included is a CUPS update as well as a repair of an error in the csregprinter process that allowed system privileges escalation.

Scripting: There are several patches provided for python and one for perl.

Remote Apple Events: There are a couple buffer overflow / out-of-bounds memory access patches.

SMB: Apple themselves patched a couple buffer problems, which is interesting. It's good to see Apple serious about compatibility with Windows networks.

X11: There are a collection of patches regarding font handling, user privilege plundering and several other vulnerabilites in the X11 server.

JavaScript: Here's another bane of contemporary coding. This time the patch is to Safari's RSS handling of feed URLs.

Mail services: A pair of patches are made to fetchmail and another pair to SquirrelMail.

Video: Yet another problem with maliciously crafted media files. This time a patch is provided for the Pixlet codec.

Other patched services include:

AFP Server
CarbonCore's Resource Manager
Certificate Assistant
DS Tools: dscl
Folder Manager
FSEvents framework: fseventsd
Network Time
Server Manager: servermgrd

And included is a security updated version of ClamAV for both 10.4 and 10.5 Server.

There were also a few other security related updates released today. Here is a list with links provided to their individual security update description documents:

Safari 3.2.2 for Windows

Java for Mac OS X 10.4 Release 8

Java for Mac OS X 10.5 Update 3

The Java security vulnerabilities that were patched include maliciously written web page Java applets allowing user privilege plundering. These problems weren't in Apple's implementation but in Java itself. SOS: Java was supposed to be as safe as a sandbox. Yeah, a sandbox full of land sharks.

My recommendation for security fanatics, as per recommendations from security expert Steve Gibson: If you don't want to take chances with hacker perpetrated JavaScript and Java, use a browser that lets you turn on support for both protocols on a site by site basis. As with using Little Snitch, it can be a PITA dithering around with little stuff on the net. But the geek in me adjusted such that I use site by site service control all the time. The browser I use for this purpose is OmniWeb. It's the bells and whistles web browser for Mac OS X and is well worth paying for if you like its abundant added features. You can also rig FireFox to handle site by site services as well. Camino and Safari are sadly site specific clueless. I haven't tested other browsers.

BTW: Coming up is my long delayed discussion of Tracking Cookies.

Share and Enjoy!



  1. Curious why you state iCab is site-specific clueless.

    iCab's Filter Manager has 13 site-specific Java (in Multimedia tab) and Javascript options.

  2. You are correct! Sorry I missed that! I have removed it from my 'clueless' list. Those using iCab may find info below useful:

    The iCab method is remarkably clunky compared to schmantzy OmniWeb (which is my main browser). But I have been an iCab fan for a long time. It's a nice alternative to the big browsers. It's best feature, IMHO, has been it's determination to remain compatible with ALL the various additions inflicted into 'JavaScript'. If your browser can't run some Microsoft specific JScript rubbish, try iCab.

    To help overcome the clunkiness factor of iCab's method of site specific JavaScript and Java settings, here is a mini-primer to hopefully help:

    1) Turn both JavaScript and Java OFF in your iCab preferences. This should be your default setting. You will then set specific URLS in the Filter Manager to allow JavaScript and Java at your discretion.

    2) If you have a program to assign keystrokes to menu items, set one up for Tools/Filter Manager. I suggest Option-F.

    3) Check ON 'Enable Filters'.

    4) Create a Filter Collection if you haven't already. Just hit the '+' and give it a name and OK it.

    5) Highlight your filter's name.

    6) Add a 'Filter URL' by hitting its '+' button. It automatically fills in the current page. You can add in others as you wish.

    7) Highlight the Filter URL. (Getting that clunky feeling yet?)

    8) Hit the Multimedia tab and uncheck OFF "Use default preferences".

    9) Check ON 'Java Applets: Execute Java applets".

    10) Hit the JavaScript tab and uncheck OFF "Use default preferences"

    11) Check ON "General Setting: Enable JavaScript".

    12) Close the Filter Manager.

    That many steps is brutal by almost anyone's definition. That is per page, with a couple steps left out after your initial setup.

    However, there are further settings buried in Filter Manager that have remarkable refinement I haven't seen anywhere else. Bravo!

    Example: "Don't load JavaScript from foreign servers" Excellent. All the options for foreign servers are excellent!

    The cookie control is terrific, essentially no worse than the method in OmniWeb, which I consider clunky, but it works. I'll be writing up an article on the cookie issue in the near future.

    My conclusion: Omniweb's 'Get Info' method of controlling the settings for each specific website are streamlined. I very much prefer them over iCab. But iCab runs rings around OmniWeb regarding refined options. Well done! Both programs are shareware. I consider both well worth paying for. Try each one and see what you personally like. Hopefully iCab's page controls will improve with time.