246 Replies Latest reply: Jan 6, 2010 10:05 AM by oldmacwoman
  • schnaufifant Level 1 (10 points)
    Same problem here, but only on my PowerPC systems (iBook G4 and eMac).
    This issue is very annoying.

    Maybe that's the reason:

    System Configuration

    CVE-ID: CVE-2008-2312

    Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11

    Impact: A local user may obtain the PPP password

    Description: Network Preferences stores PPP passwords unencrypted in a world readable file, accessible to any local user. This update addresses the issue by storing PPP passwords in the system keychain when the password is changed. This issue does not affect systems running Mac OS X v10.5 or later. Credit to Hernan Ochoa of Core Security Technologies, Tore Halset of pvv.org, and Matt Johnston of the University Computer Club for reporting this issue.


    Thank You, Apple

    Message was edited by: schnaufifant
  • Berardo Chiarini Level 1 (20 points)
    Same here again. Actually I'm wondering why I resolved to apply this Security Update... If we get more and more maybe Apple takes a closer look at this problem (??)
  • boris39 Level 1 (5 points)
    hi BDAqua

    I'm new to this forum, so pls excuse if I've misunderstood; I'm not sure if you're connected with Apple, or are just an incredibly helpful individual giving advice - but as you can see from posts this security update 2008-006 problem appears to be affecting a lot of people.

    Also I'm not very clued up about what the significance of this problem with the network settings means, but I'm a bit worried that it might mean security of my machine is now compromised;- if I'm not able to access my own network settings, but 'another application' apparently is?

    Have you had any more thoughts on this issue?

    thanks

    Boris 39
  • tonza Level 2 (480 points)
    The System Update has changed the NetworkConfig system program in /System/Library/PrivateFrameworks/NetworkConfig.framework, which I presume is now broken. However, I have discovered two things you can do to reduce the effects of the broken network configurator:

    1. configure your account as a Standard Account (rather than as an Administrator Account). This prevents you from making changes without authenticating for it first by clicking on the gold padlock in the System Preferences window. You can then go about editing your network settings, which will be accepted and force NetworkConfig to stop asking for the network settings again (until you close System Preferences).

    or,

    2. go to the Security preferences, and enable the option "Require password to unlock each secure system preference". This will do what will happen in the previous quasi-solution, requiring that you authenticate to System Preferences before changes can be made.

    These are the only two quasi-solutions I can come up with until you are either able to back-out the Security Update 2008-006, or Apple come up with a new update that resolves this issue.

    Kind regards,

    --tonza
  • tonza Level 2 (480 points)
    This had better be worth it...

    ... wonder if Hernan also managed to find whether PPP Bluetooth, which doesn't get NetCfgTool to talk to the keychain, might also be storing its password in some world-readable file on a local system. I hate to think... !

    If he and Apple haven't done this, then this security issue has not been researched very well by either this whistleblower or Apple engineering, since I would also expect that PPP Bluetooth passwords also ought to belong in the keychain! In the meantime, I'll be looking for what this so-called world-readable file is, and plugging the hole myself without this system update.


    Annoyed...

    --tonza
  • heinlein7 Level 1 (0 points)
    I am glad I read the forums before applying any updates. There does seem to be a problem with this latest Security Update.

    How long does it take Apple to fix an update like this?
  • Ernie Stamper Level 8 (37,555 points)
    Hi to you and others,

    Tiger on both my QS G4, and iBook G4 updated without issue. Repair Permissions on iBook did have several entries cited for internet utilities, which appeared related to iTunes, and the update to iTunes 8 was done in same pass. Access to System Preferences/Network has no issues, for me.

    Ernie
  • Berardo Chiarini Level 1 (20 points)
    Huge thanks tonza! I simply chose your second option and it works fine. Apple should thank you too.

    BTW, I'm not pretty sure I understood the PPP Bluetooth thing, but it kept working fine for me, even though my administrator password was rejected every time I tried to modify Access Control for PPP Password in Keychain Access. In the same window, NetCfgTool and configd's versions were not recognized anymore.
  • Sergey Chalov Level 1 (0 points)
    Dear Tonza,
    THANKS A LOT!!!! The second option is the way out. Everything works perfectly after all. Finally, I have access to AirPort. It was disabled after installation and rebooting the system.
    Sincerely, Sergey
  • tonza Level 2 (480 points)
    Hi again,

    found that the private framework NetworkConfig.framework updated by SecUpdate 2008-006 is indeed the culprit to this issue, and I have successfully taken the older version of the framework from a backup and replaced the newly installed version with it.

    This resolves the problem.

    However, now that there are keychain entries associated with my PPP connections, I don't know what is to become of my older PPP configurations! I suppose all I'll lose is the login password, but I can replace that information anyway.

    Motto of this story... back up your boot volume before you install updates! The best tool for the job is Disk Utility (for 10.4.11 Tiger), since it can restore boot volumes from disk images, but if you have other tools you'd like to use, then it'd be a good idea to use them!

    If you do have a backup of your /System directory prior to the update, then here's instructions on how to get the older version of the framework.

    Important: you have to be root (superuser) to do this, and I take no responsibility if you damage your system using these instructions. If you are not confident using Terminal and the UNIX command-line prompt, then please resort to the earlier suggestions I have posted instead. Thanks!

    • Mount a disk image of a backup of the boot volume made prior to the installation of Security Update 2008-006.

    • Open Terminal, and enter all the text in bold:

    % *sudo tcsh*
    Password: +enter an admin password here+
    #

    • Enter the cd(1) command to change directory to:

    # *cd /Volumes/<TigerBootDiskBackup>*/System/Library/PrivateFrameworks/

    where <TigerBootDiskBackup> is the name of the disk image volume you have just mounted on your desktop.

    • Enter the tar(1) command to make an archive of the old NetworkConfig.framework directory:

    # *tar cvf /System/Library/PrivateFrameworks/NetworkConfig.framework.tar NetworkConfig.framework*

    This will get created at the right place in your current boot disk, but it won't be available for use by the system yet. You should see a list of files that have been created in the archive file. Make sure that the lines start with "NetworkConfig.framework/".

    • Change directory to:

    # *cd /System/Library/PrivateFrameworks*

    and move the old framework out of the system using the mv(1) command:

    # *mv NetworkConfig.framework /NetworkConfig-SecUpdate2008-006.framework*

    This will move it to the top-level directory of your boot volume.

    • Expand the archive containing the old framework:

    # *tar xvf NetworkConfig.framework.tar*

    Again, the list of files contained in the archive will appear in the terminal window.

    • Log out of your terminal session:

    # exit
    % exit

    and log out of your desktop session, then log back in again. You should find that Network Preferences should return to its former behaviour.

    Important: before applying another system update, you should do the following before allowing Software Update to make further alterations to the system:

    % *sudo tcsh*
    # *mv /System/Library/PrivateFrameworks/NetworkConfig.framework /NetworkConfig-Former.framework*
    # *mv /NetworkConfig-SecUpdate2008-006.framework /System/Library/PrivateFrameworks/NetworkConfig.framework*

    so that Software Update does not have trouble updating what it thinks are the files present on your system.

    --tonza

    Message was edited by: tonza
  • Berardo Chiarini Level 1 (20 points)
    You're the one, tonza. I must confess I do have a copy of my boot volume and I'll copy there the few changes I made in Documents, Pictures etc. and then clone it back to my internal drive. I prefer to have my System exactly as it was before this thoughtless updating.

    Nonetheless, I'm struck by the flood of problematic updates Apple released over, say, last 18 months. It's a very disappointing (and consolidated, imho) trend.

    Thanks again.
  • R_H_B Level 1 (5 points)
    THANK YOU tonza. You just saved me from having to do a total system re-install. My wireless network is back to normal after following your detailed terminal session but I have a question about the old NetworkConfig file you moved. Do I really have to save it?

    I'm not a power terminal user and I'm not clear on what the last terminal commands you detail are actually doing. Are they moving the old "bad" files back to the System and overwriting the replaced "good" files?

    Anyway, Thanks again. I wasted an entire day trying to find a fix for this before I found your post.
  • erewash Level 1 (0 points)
    Thank you Tonza! Your no.2 does the job nicely for me, at any rate...
  • William Kucharski Level 6 (14,890 points)
    Just as an aside, be sure to keep the new copy of the framework around as future updates may check for its precise properties before finding or installing.

    Further, do be aware that this action likely negates the security fixes provided by 2008-006.

    Yes, I'm aware that usability is paramount, I'm just making sure the caveats are understood.
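
Added example (not part of any post in this thread): the CVE-2008-2312 description quoted earlier concerns a password stored in a world-readable file, and the framework rollback discussed above likely removes that fix. The shell functions below check a configuration directory for files that any local user can read and that contain a password-like key; the function names, key pattern and sample files are assumptions constructed for illustration, since the advisory does not name the file.

```shell
#!/bin/sh
# Added example: find files readable by every local user that appear to hold
# a stored password, then tighten their permissions.
# Usage: audit_world_readable_secrets /path/to/config/dir

# List regular files under $1 whose mode grants read access to "other" and
# whose contents match a password-like key (pattern in $2 is an assumption).
audit_world_readable_secrets() {
    dir=$1
    pattern=${2:-'password|passwd|secret'}
    # -perm -004 selects files with the "other" read bit set.
    # grep -l prints only the names of files that contain a match.
    find "$dir" -type f -perm -004 \
        -exec grep -l -i -E "$pattern" {} + 2>/dev/null | sort
}

# Remove all group and other permissions so only the owner can read the file.
restrict_to_owner() {
    chmod go-rwx "$1"
}

# Build a constructed sample tree and print its path. The key names and
# values are made up for the demo; they are not taken from a real system.
make_demo_tree() {
    d=$(mktemp -d)
    printf '<key>Password</key><string>constructed-value</string>\n' \
        > "$d/ppp-open.plist"
    printf '<key>Password</key><string>constructed-value</string>\n' \
        > "$d/ppp-locked.plist"
    printf '<key>DeviceName</key><string>modem</string>\n' \
        > "$d/device.plist"
    chmod 644 "$d/ppp-open.plist" "$d/device.plist"   # world-readable
    chmod 600 "$d/ppp-locked.plist"                   # owner only
    echo "$d"
}
```

Only the file that is both world-readable and contains a password key is reported; the owner-only copy and the world-readable file without a secret are not.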
  • OSX Fan Level 1 (10 points)
    I don't know how the rest of you guys have your system configured, but maybe that's part of the problem. The tonza solution worked for me, but being an old Unix guy I also have a root user enabled as well as several other users with Admin priv's.

    My system isn't set up to log in as a "dumb user" (no offense intended). I have several users configured because I develop software and each one has a different environment and Admin access as well as network access, and each MUST login before accessing the machine. FWIW I did the update and when I encountered the problem I killed the process called "NetCfgTool" and it stopped the cycling but of course it also killed any network updating.

    My network is set up to use a local net to communicate with a host of other machines with mixed platforms via fixed IP addresses and then use PPPoE to talk to the internet with DHCP assigned addresses. It sounds like a lot of you guys may be set up in a similar manner, meaning we don't have a single IP address assigned to a user logged in.

    Hope they get this fixed soon. It's a PIA. Glad I configured a root user!!!!