Security Update 2004-09-07 Potentially Problematic
Apple last week released Security Update 2004-09-07 to address a slew of security-related issues. Updated components include Apache 2, CoreFoundation, FTP, IPSec, Kerberos, OpenLDAP, OpenSSH, PPPDialer, QuickTime Streaming Server, rsync, Safari, SquirrelMail, and tcpdump – see Apple’s site for details. Unfortunately, two of the changes may have negative consequences.
The changes to Safari resulted in rendering problems on a number of Web sites, though the trouble apparently originates with the Web sites themselves. Many sites detect browser versions and present slightly different versions of their pages to different browsers. It seems that some sites were accidentally identifying this new version of Safari as Netscape 4 and thus feeding it dynamic HTML that failed in a modern browser. In at least some of the places suffering from this problem (including FedEx, CompUSA, and Best Buy), the problem stemmed from a product called QuickMenu Pro, from OpenCube. OpenCube has since fixed the problem, though it’s up to the sites to update their copies of QuickMenu Pro. Kudos to Jeff of the HyperJeff Network for tracking down the bug in QuickMenu Pro.
Also, to work around a security problem in the lukemftpd FTP server in the client version of Mac OS X, Apple replaced it with the tnftpd FTP server (Mac OS X Server uses xftp instead); unfortunately the change has caused login difficulties for some users when connecting to upgraded Macs via FTP. The Apple support forum discussion linked below offers some solutions, but perhaps the best one is to use this problem as an excuse to switch to SFTP, which eliminates long-standing security problems with FTP. Apple will likely release a fix for normal FTP in the near future.
<http://discussions.info.apple.com/webx? [email protected]@.689a720d>
The security update applies to the client and server versions of Mac OS X 10.2.8, Mac OS X 10.3.4, and Mac OS X 10.3.5. The easiest way to get Security Update 2004-09-07 is via Software Update; otherwise you’ll have to pick the correct version from the Apple Downloads page. The client downloads are 7.6 MB; the server downloads are 12.6 MB. [ACE]