
crsud process with security update 2013-001

36967 Views 168 Replies Latest reply: Sep 8, 2013 9:10 AM by MadMacs0
  • Cowicide Moo Level 1 (25 points)
    Apr 27, 2013 4:15 PM (in response to WZZZ)

    Just like you I feel like I'm put into a bad position by Apple.  If I enable "Automatically install important security updates" in Security preferences, I fear I could destabilize my production machine at any random moment and not know why/how it happened.

     

    But if I leave the same option unchecked, I fear that "important" security updates won't come to my machine anymore and I will now have a more vulnerable system.

     

    The fact that this extensive thread exists should show anyone that Apple screwed up here by not properly documenting what this option does.  Really, Apple??

     

    Maybe if we all raise a stink with Apple they'll finally answer what the héll this thing really does?!

  • WZZZ Level 6 (11,900 points)
    Apr 27, 2013 4:46 PM (in response to Cowicide Moo)

    Indeed, I've already left a request.

     

    https://ssl.apple.com/support/feedback/

  • MadMacs0 Level 4 (3,360 points)
    Apr 27, 2013 4:54 PM (in response to Cowicide Moo)

    Cowicide Moo wrote:

     

    Just like you I feel like I'm put into a bad position by Apple.  If I enable "Automatically install important security updates" in Security preferences, I fear I could destabilize my production machine at any random moment and not know why/how it happened.

     

    But if I leave the same option unchecked, I fear that "important" security updates won't come to my machine anymore and I will now have a more vulnerable system.

    I really doubt that last scenario. We won't really know until a critical update actually appears, but in my mind Apple is just offering an enhancement to the current update process, so that the average user doesn't need to be concerned that they will skip such an update when they don't feel like checking Software Update... or dismiss an alert because they feel they don't have time at the moment. I know my daughter often doesn't update her MBP because it isn't plugged in at the time she gets an alert. Then she forgets all about it when she eventually plugs the charger in.

  • WZZZ Level 6 (11,900 points)
    Apr 27, 2013 5:19 PM (in response to MadMacs0)

    But then, according to that reasoning, if it installs a full security update--which I'm not at all certain is its function and doubt it is--but if it does, then we have no say in the matter and it might really be a turkey, as a few of them turned out to be.

     

    Or do you mean crsud would provide only the "critical" elements of such a full update?

     

    Message was edited by: WZZZ

  • MadMacs0 Level 4 (3,360 points)
    Apr 27, 2013 6:02 PM (in response to WZZZ)

    WZZZ wrote:

     

    But then, according to that reasoning, if it installs a full security update--which I'm not at all certain is its function and doubt it is--but if it does, then we have no say in the matter and it might really be a turkey, as a few of them turned out to be.

    Not in my experience, but then I've been running way behind with OS X versions until now.

    Or do you mean crsud would provide only the "critical" elements of such a full update?

    Just another question we don't know the answer to. All I can say is that the last Java update wasn't considered to be critical, but it was only to correct "vulnerabilities", not threats at the time.

  • WZZZ Level 6 (11,900 points)
    Apr 28, 2013 5:01 AM (in response to MadMacs0)

    There were a few in Snow. This one was particularly memorable. Apple issued a fix some days after, but you can imagine the havoc it caused. I generally don't update until I see what happens here first. For that reason, that one didn't catch me. That's why I'm not crazy about this silent updating, whatever it may be for.

     

    http://reviews.cnet.com/8301-13727_7-57370890-263/rosetta-broken-in-os-x-10.6.8-after-security-update/

     

    And there was a really strange one for the 10.5.8 Combo. If after running that you repaired Permissions, that produced a real Permissions error which didn't exist before. The only fix was to run the Combo twice back to back.

  • MadMacs0 Level 4 (3,360 points)
    Jun 4, 2013 1:53 PM (in response to SaltySailor)

    Apple just announced OS X Mountain Lion v10.8.4 and Security Update 2013-002 which I'm guessing will qualify as a critical update, but we'll just have to wait and see.

  • WZZZ Level 6 (11,900 points)
    Jun 4, 2013 2:06 PM (in response to MadMacs0)

    crsud ran this morning. Just checked the install log and there was nothing except the usual starting/exiting. Will keep looking after it runs. But SU is showing Security Update 2013-002.

     

    Thanks for the heads up.

  • MadMacs0 Level 4 (3,360 points)
    Jun 4, 2013 5:09 PM (in response to WZZZ)

    WZZZ wrote:

     

    crsud ran this morning. Just checked the install log and there was nothing except the usual starting/exiting.

    Yes, I'm sure that was too early. The e-mail announcement is one of the first things that shows up and it takes them about 24 hours to get all the pieces and parts posted, so I would not have expected to see anything earlier today.

  • WZZZ Level 6 (11,900 points)
    Jun 4, 2013 5:14 PM (in response to MadMacs0)

    If they've just put out a Sec Update, don't think they'll need to put anything else out through crsud.

  • MadMacs0 Level 4 (3,360 points)
    Jun 4, 2013 5:33 PM (in response to WZZZ)

    WZZZ wrote:

     

    If they've just put out a Sec Update, don't think they'll need to put anything else out through crsud.

    My impression is it's the same update, except that if you have elected automatic updates you won't have to check Software Updates and approve anything in order for it to be installed.

  • WZZZ Level 6 (11,900 points)
    Jun 4, 2013 5:45 PM (in response to MadMacs0)

    Well, in that case, since I want to install this manually and only when I know there are no widespread problems with it, I won't let crsud run.

  • MadMacs0 Level 4 (3,360 points)
    Jun 4, 2013 6:12 PM (in response to WZZZ)

    Where's your sense of adventure? Somebody has to go first....

     

    In case you all did not get the announcement, here are the updates that impact OS X 10.6.8 Snow Leopard:

     

    Security Update 2013-002 is now available and addresses the following:

    Directory Service
    Available for:  Mac OS X 10.6.8, Mac OS X Server 10.6.8
    Impact:  A remote attacker may execute arbitrary code with system
    privileges on systems with Directory Service enabled
    Description:  An issue existed in the directory server's handling of
    messages from the network. By sending a maliciously crafted message,
    a remote attacker could cause the directory server to terminate or
    execute arbitrary code with system privileges. This issue was
    addressed through improved bounds checking. This issue does not
    affect OS X Lion or OS X Mountain Lion systems.
    CVE-ID
    CVE-2013-0984 : Nicolas Economou of Core Security

    OpenSSL
    Available for:  Mac OS X 10.6.8, Mac OS X Server 10.6.8,
    OS X Lion v10.7 to v10.7.5, OS X Lion Server v10.7 to v10.7.5,
    OS X Mountain Lion v10.8 to v10.8.3
    Impact:  An attacker may be able to decrypt data protected by SSL
    Description:  There were known attacks on the confidentiality of TLS
    1.0 when compression was enabled. This issue was addressed by
    disabling compression in OpenSSL.
    CVE-ID
    CVE-2012-4929 : Juliano Rizzo and Thai Duong

    OpenSSL
    Available for:  Mac OS X 10.6.8, Mac OS X Server 10.6.8,
    OS X Lion v10.7 to v10.7.5, OS X Lion Server v10.7 to v10.7.5,
    OS X Mountain Lion v10.8 to v10.8.3
    Impact:  Multiple vulnerabilities in OpenSSL
    Description:  OpenSSL was updated to version 0.9.8x to address
    multiple vulnerabilities, which may lead to denial of service or
    disclosure of a private key. Further information is available via the
    OpenSSL website at http://www.openssl.org/news/
    CVE-ID
    CVE-2011-1945
    CVE-2011-3207
    CVE-2011-3210
    CVE-2011-4108
    CVE-2011-4109
    CVE-2011-4576
    CVE-2011-4577
    CVE-2011-4619
    CVE-2012-0050
    CVE-2012-2110
    CVE-2012-2131
    CVE-2012-2333

    QuickTime
    Available for:  Mac OS X 10.6.8, Mac OS X Server 10.6.8,
    OS X Lion v10.7 to v10.7.5, OS X Lion Server v10.7 to v10.7.5,
    OS X Mountain Lion v10.8 to v10.8.3
    Impact:  Viewing a maliciously crafted movie file may lead to an
    unexpected application termination or arbitrary code execution
    Description:  A buffer overflow existed in the handling of 'enof'
    atoms. This issue was addressed through improved bounds checking.
    CVE-ID
    CVE-2013-0986 : Tom Gallagher (Microsoft) & Paul Bates (Microsoft)
    working with HP's Zero Day Initiative

    QuickTime
    Available for:  Mac OS X 10.6.8, Mac OS X Server 10.6.8,
    OS X Lion v10.7 to v10.7.5, OS X Lion Server v10.7 to v10.7.5,
    OS X Mountain Lion v10.8 to v10.8.3
    Impact:  Viewing a maliciously crafted QTIF file may lead to an
    unexpected application termination or arbitrary code execution
    Description:  A memory corruption issue existed in the handling of
    QTIF files. This issue was addressed through improved bounds
    checking.
    CVE-ID
    CVE-2013-0987 : roob working with iDefense VCP

    Ruby
    Available for:  Mac OS X 10.6.8, Mac OS X Server 10.6.8
    Impact:  Multiple vulnerabilities in Ruby on Rails
    Description:  Multiple vulnerabilities existed in Ruby on Rails, the
    most serious of which may lead to arbitrary code execution on systems
    running Ruby on Rails applications. These issues were addressed by
    updating Ruby on Rails to version 2.3.18. This issue may affect OS X
    Lion or OS X Mountain Lion systems that were upgraded from Mac OS X
    10.6.8 or earlier. Users can update affected gems on such systems by
    using the /usr/bin/gem utility.
    CVE-ID
    CVE-2013-0155
    CVE-2013-0276
    CVE-2013-0277
    CVE-2013-0333
    CVE-2013-1854
    CVE-2013-1855
    CVE-2013-1856
    CVE-2013-1857
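
The advisory quoted in the post above says Rails gems carried over from Mac OS X 10.6.8 may remain after an OS upgrade and can be updated with /usr/bin/gem. As an added example (not part of the original post and not Apple's tooling), this Ruby script reads saved `gem list --local` output and reports Rails component gems older than 2.3.18; the gem-name list and the constructed sample input are assumptions.

```ruby
require "rubygems"

# Fixed version named in the advisory text quoted in the thread.
FIXED = Gem::Version.new("2.3.18")
# Assumption: the standard Rails 2.3 component gems are the ones to check.
RAILS_GEMS = %w[rails actionmailer actionpack activerecord
                activeresource activesupport].freeze

# Parse `gem list --local` output ("name (v1, v2, ...)") into
# { name => [Gem::Version, ...] }. Header and blank lines are skipped.
def parse_gem_list(text)
  text.each_line.with_object({}) do |line, out|
    m = line.strip.match(/\A([A-Za-z0-9_.-]+) \((.+)\)\z/) or next
    # Drop a "default: " prefix and any platform suffix such as "x86-mingw32".
    raw = m[2].split(/,\s*/).map { |v| v.sub(/\Adefault: /, "").split.first.to_s }
    raw = raw.reject(&:empty?).select { |v| Gem::Version.correct?(v) }
    out[m[1]] = raw.map { |v| Gem::Version.new(v) }
  end
end

# Return sorted [name, version] pairs for installed Rails component gems
# older than FIXED. Versions at or above 2.3.18 (including 3.x) are not
# judged here, because the page gives no fixed version for other release lines.
def outdated_rails_gems(gem_list_text)
  parse_gem_list(gem_list_text).flat_map do |name, versions|
    next [] unless RAILS_GEMS.include?(name)
    versions.select { |v| v < FIXED }.map { |v| [name, v.to_s] }
  end.sort
end

# Constructed sample input, shaped like `gem list --local` output.
SAMPLE = <<~EOS
  *** LOCAL GEMS ***

  actionmailer (2.3.18, 2.3.5, 1.3.6)
  actionpack (2.3.18, 2.3.5)
  activesupport (3.2.13, 2.3.5)
  rails (2.3.18, 2.3.5)
  rake (0.8.7)
EOS

if __FILE__ == $PROGRAM_NAME
  # Pass a file holding saved `gem list --local` output, or run on SAMPLE.
  text = ARGV.empty? ? SAMPLE : File.read(ARGV[0])
  outdated_rails_gems(text).each do |name, version|
    puts "#{name} #{version} is older than #{FIXED}"
  end
end
```

Old versions stay installed alongside a newer one until they are removed, which is why the sample reports 2.3.5 even where 2.3.18 is also present.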

  • powerbook1701 Level 3 (545 points)
    Jun 4, 2013 6:18 PM (in response to MadMacs0)

    Maybe this new SL automatic install is simpler than we think. In SU, you have the option to automatically download and be NOTIFIED when updates are ready to install. Maybe this new feature being turned ON just goes ahead and installs it instead of notifying you.

  • MadMacs0 Level 4 (3,360 points)
    Jun 4, 2013 6:54 PM (in response to powerbook1701)

    I think the key question we all have is what constitutes "Critical?" Each user will need to make their own decision about this once it's clear, as we all have our own pain threshold.

     

    If I were totally paranoid or had a production machine, no automatic update would be acceptable and if I were a new or maybe even an average user, I'd rather all updates happened without my having to do anything rather than try to figure all this out.

     

    For me I would probably have wanted the XProtect capability and Java fix for Flashback to have happened immediately, but not a standard security update where no "threat" was known to exist and certainly not a routine update to an app.
