 |
 |
Security Update Avail. via SW Update
|
|
|
|
|
Mac Enthusiast
Join Date: Feb 2001
Location: White Plains, NY
Status:
Offline
|
|
|
|
|
|
| |
|
|
|
|
|
|
|
Senior User
Join Date: May 2001
Location: Boston, MA
Status:
Offline
|
|
and it requires a restart 
|
|
|
| |
|
|
|
|
|
|
|
Addicted to MacNN
Join Date: Oct 1999
Location: The Tollbooth Capital of the US
Status:
Offline
|
|
Originally posted by OpenStep:
and it requires a restart
What are you mad about? The Security updates always have required a restart.
|
|
"Evil is Powerless If the Good are Unafraid." -Ronald Reagan
Apple and Intel, the dawning of a NEW era.
|
| |
|
|
|
|
|
|
|
Senior User
Join Date: May 2001
Location: Boston, MA
Status:
Offline
|
|
We're to the point where if this patches a window manager or something the system should be able to kill the process and reload it without restarting the entire system. I just updated my Debain box to unstable and a restart is only needed to use a new kernel. These software updates shouldn't technically need a restart.
|
|
|
| |
|
|
|
|
|
|
|
Senior User
Join Date: Jan 2001
Location: Mahwah, NJ USA
Status:
Offline
|
|
Originally posted by typoon:
What are you mad about? The Security updates always have required a restart.
True but...
I have installed the update on one machine and tested it. It appears to fix the problem of the screensaver crash. However...
I have about 250 more machines to update... AFTER I do a clean re-install/re-image of all OS and software. Also have to do a careful cleaning of ALL user home folders for any nastiness that may have arrived during the approximately 10 day window that this exploit has been well known. Also have to have ALL users change their passwords... approx 6000 of them at the college where I work.
For many people this may have appeared to have been a minor problem but for us where we have "public" Mac labs it is a major headache. The exploit only takes about 10-15 seconds to do and it affected all models of Macs running Mac OS X 10.2.x.
This is gonna take some amount of time to do. Good thing it is summer and not middle or end of semester during the regular school year.
|
|
-DU-...etc...
|
| |
|
|
|
|
|
|
|
Professional Poster
Join Date: Apr 1999
Location: Copenhagen, Denmark
Status:
Offline
|
|
Originally posted by utidjian:
The exploit only takes about 10-15 seconds to do and it affected all models of Macs running Mac OS X 10.2.x.
It takes 5 minutes AFAIK.
And I think you're overreacting with regards to what you're going to do.
How many of your users are Admins? Damage outside a user's homedir can only happen if someone was breaking into an Admin account.
Why should the users change passwords? The exploit doesn't show the password to anyone.
|
|
JLL
- My opinions may have changed, but not the fact that I am right.
|
| |
|
|
|
|
|
|
|
Mac Enthusiast
Join Date: Dec 2000
Location: Germany
Status:
Offline
|
|
Originally posted by JLL:
It takes 5 minutes AFAIK.
No, it can be done in a few seconds. It's not about the time but about the number of characters you enter into the password field.
In the log in panel some (unix?) shortcuts for copy and past work. So just enter about 10 random characters then copy them end past them at the end of the line. Now copy all (now 20 characters) and past them ...
You will end up with really many characters in just a very short time and then hit return.
I tested it - took me about 5 seconds.
|
|
|
| |
|
|
|
|
|
|
|
Mac Enthusiast
Join Date: Nov 2002
Location: Atlanta, GA
Status:
Offline
|
|
does this fix JUST screen effects, or the bug system wide? apparently this is a cocoa bug, not just screen effects.
|
|
|
| |
|
|
|
|
|
|
|
Senior User
Join Date: Jan 2001
Location: Mahwah, NJ USA
Status:
Offline
|
|
Originally posted by JLL:
It takes 5 minutes AFAIK.
And I think you're overreacting with regards to what you're going to do.
How many of your users are Admins? Damage outside a user's homedir can only happen if someone was breaking into an Admin account.
Why should the users change passwords? The exploit doesn't show the password to anyone.
You can verify this yourself...
1. Start the screensaver
2. type anything in the password area
3. highlight it
4. Ctrl-K
5. Ctrl-Y until the password stops pasting (the screensaver has "crashed")
6. Click on [OK]
7. Yer in.
takes anywhere from 10 to 30 seconds on all machines I tested it on... most seem to take about 15 seconds.
I have 6 users that have Admin access to the lab machines and about 50 users that have Admin access on their desktop office machines (not my idea).
Do you know what a keystroke logger is? If not... it is a little prog that can be run quietly in the background and started as soon as a user logs in. Here is an example: http://keystroke-loggers.staticusers.net/mac.shtml
Now... the user say a regular user to Admin... the admins password is now known. As is typical of computer labs in schools we use the same password for a number of machines. That logfile can now be IRCed, ftped, scped, IMed to any number of places. Triggered by the user logging out. Now the cracker can own al my lab machines... all it takes is one. The cracker can now install their logger on ALL machines and log ALL user activity (webmail passwords, bank account passwords, etc...) basically it can and will log any other accounts and passwords the user accesses from the compromised Mac. Do you begin to see the problem?
That is why I have to re-install all OS and apps. I also have to try and clean all user accounts of anything that looks suspicious. Do you understand why?
All users will have to change ANY passwords they used while on these Macs. Do you understand why?
It may well be that I am over-reacting. Chances are that since we don't have as many users here (summer) that none of the machines or passwords were compromised. But as a responsible admin I can't take the chance that even one machine was compromised. Can you understand why?
|
|
-DU-...etc...
|
| |
|
|
|
|
|
|
|
Mac Enthusiast
Join Date: Nov 2002
Location: Atlanta, GA
Status:
Offline
|
|
i'd hate to have you as my admin on a network. re-installing every time there is a potential security threat?
doubt you sleep much, eh?
|
|
|
| |
|
|
|
|
|
|
|
Professional Poster
Join Date: Nov 2000
Location: Tasmania, Australia
Status:
Offline
|
|
Hey, can we re-start the argument regarding whether this security flaw is a "major" or a "minor" issue. That was fun! Can we please?
I vote major!
heheh.
|
|
|
| |
|
|
|
|
|
|
|
Moderator Emeritus  Join Date: Mar 2001
Location: Austin, MN, USA
Status:
Offline
|
|
As a system admin, how can you justify allowing people to leave the computer unmonitored while logged in? Does that even happen? People at my school are instructed to log in when they sit down and log out when they leave. If someone is just getting up to walk to the other side of the room, do you really think a hacker would have time to sit down, gain access, run the software (at the user level) and still go unnoticed?
Reinstalling and wiping everything is a complete waste of time for this bug...
|
|
|
| |
|
|
|
|
|
|
|
Mac Elite
Join Date: Oct 2000
Status:
Offline
|
|
Originally posted by utidjian:
True but...
I have installed the update on one machine and tested it. It appears to fix the problem of the screensaver crash. However...
I have about 250 more machines to update... AFTER I do a clean re-install/re-image of all OS and software. Also have to do a careful cleaning of ALL user home folders for any nastiness that may have arrived during the approximately 10 day window that this exploit has been well known. Also have to have ALL users change their passwords... approx 6000 of them at the college where I work.
For many people this may have appeared to have been a minor problem but for us where we have "public" Mac labs it is a major headache. The exploit only takes about 10-15 seconds to do and it affected all models of Macs running Mac OS X 10.2.x.
This is gonna take some amount of time to do. Good thing it is summer and not middle or end of semester during the regular school year.
Err...can't you do all this at once with Apple Remote Desktop? Do it from home even.
|
|
"It's about time trees did something good insted of just standing there LIKE JERKS!" :)
|
| |
|
|
|
|
|
|
|
Senior User
Join Date: Jan 2001
Location: Mahwah, NJ USA
Status:
Offline
|
|
Originally posted by wtmcgee:
i'd hate to have you as my admin on a network. re-installing every time there is a potential security threat?
doubt you sleep much, eh?
If I got my way you would hate me even more. I wanted to disconnect ALL Macs from the network entirely until the fix was out.
This wasn't a "potential security threat" it was a very simple and easy to reproduce bug that is widely known.
Who would you hate if your account got cracked? (and all that that implies).
I sleep quite well thank you because I have good backups.
|
|
-DU-...etc...
|
| |
|
|
|
|
|
|
|
Addicted to MacNN
Join Date: Oct 2001
Location: BFE
Status:
Offline
|
|
Now way! I'm not installing it! Last security update trashed internet access for my machine (everything would "just quit").
I don't need screen effects security at home. The bird can't type!
|
I'm a bird. I am the 1% (of pets).
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
 
|
|
|
Forum Rules
|
|
|
|
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts
|
HTML code is Off
|
|
|
|
|
|
|
|
|
|
|
|
|
Top
