crsud process with security update 2013-001

I just installed the new security update, 2013-001, and Little Snitch detected a new process at startup, crsud, which wants to connect to Apple.


I would like to know what this does. My guess is that it checks for updates, perhaps to some security software. Anyone know?


It seems to me that when such a process is added, it is appropriate for Apple to explain itself in the update description, but I am old-fashioned about such things.


Greg

MBP 17" 2.33GHz, Mac OS X (10.5.1)

Posted on Mar 15, 2013 2:08 PM

168 replies

Apr 27, 2013 4:54 PM in response to Cowicide Moo

Cowicide Moo wrote:


Just like you I feel like I'm put into a bad position by Apple. If I enable "Automatically install important security updates" in Security preferences, I fear I could destabilize my production machine at any random moment and not know why/how it happened.


But if I leave the same option unchecked, I fear that "important" security updates won't come to my machine anymore and I will now have a more vulnerable system.

I really doubt that last scenario. We won't really know until a critical update actually appears, but in my mind Apple is just offering an enhancement to the current update process, so that the average user doesn't need to be concerned that they will skip such an update when they don't feel like checking Software Update... or dismiss an alert because they feel they don't have time at the moment. I know my daughter often doesn't update her MBP because it isn't plugged in at the time she gets an alert. Then she forgets all about it when she eventually plugs the charger in.

Apr 27, 2013 5:19 PM in response to MadMacs0

But then, according to that reasoning, if it installs a full security update--which I'm not at all certain is its function and doubt it is--but if it does, then we have no say in the matter and it might really be a turkey, as a few of them turned out to be.


Or do you mean crsud would provide only the "critical" elements of such a full update?


Message was edited by: WZZZ

Apr 27, 2013 6:02 PM in response to WZZZ

WZZZ wrote:


But then, according to that reasoning, if it installs a full security update--which I'm not at all certain is its function and doubt it is--but if it does, then we have no say in the matter and it might really be a turkey, as a few of them turned out to be.

Not in my experience, but then I've been running way behind with OS X versions until now.

Or do you mean crsud would provide only the "critical" elements of such a full update?

Just another question we don't know the answer to. All I can say is that the last Java update wasn't considered to be critical, but it was only to correct "vulnerabilities", not threats at the time.

Apr 28, 2013 5:01 AM in response to MadMacs0

There were a few in Snow. This one was particularly memorable. Apple issued a fix some days after, but you can imagine the havoc it caused. I generally don't update until I see what happens here first. For that reason, that one didn't catch me. That's why I'm not crazy about this silent updating, whatever it may be for.


http://reviews.cnet.com/8301-13727_7-57370890-263/rosetta-broken-in-os-x-10.6.8-after-security-update/


And there was a really strange one for the 10.5.8 Combo. If after running that you repaired Permissions, that produced a real Permissions error which didn't exist before. The only fix was to run the Combo twice back to back.

Jun 4, 2013 5:09 PM in response to WZZZ

WZZZ wrote:


crsud ran this morning. Just checked the install log and there was nothing except the usual starting/exiting.

Yes, I'm sure that was too early. The e-mail announcement is one of the first things that shows up and it takes them about 24 hours to get all the pieces and parts posted, so I would not have expected to see anything earlier today.

Jun 4, 2013 6:12 PM in response to WZZZ

Where's your sense of adventure? Somebody has to go first....


In case you all did not get the announcement, here are the updates that impact OS X 10.6.8 Snow Leopard:


Security Update 2013-002 is now available and addresses the following:


Directory Service

Available for: Mac OS X 10.6.8, Mac OS X Server 10.6.8

Impact: A remote attacker may execute arbitrary code with system privileges on systems with Directory Service enabled

Description: An issue existed in the directory server's handling of messages from the network. By sending a maliciously crafted message, a remote attacker could cause the directory server to terminate or execute arbitrary code with system privileges. This issue was addressed through improved bounds checking. This issue does not affect OS X Lion or OS X Mountain Lion systems.

CVE-ID

CVE-2013-0984 : Nicolas Economou of Core Security


OpenSSL

Available for: Mac OS X 10.6.8, Mac OS X Server 10.6.8, OS X Lion v10.7 to v10.7.5, OS X Lion Server v10.7 to v10.7.5, OS X Mountain Lion v10.8 to v10.8.3

Impact: An attacker may be able to decrypt data protected by SSL

Description: There were known attacks on the confidentiality of TLS 1.0 when compression was enabled. This issue was addressed by disabling compression in OpenSSL.

CVE-ID

CVE-2012-4929 : Juliano Rizzo and Thai Duong


OpenSSL

Available for: Mac OS X 10.6.8, Mac OS X Server 10.6.8, OS X Lion v10.7 to v10.7.5, OS X Lion Server v10.7 to v10.7.5, OS X Mountain Lion v10.8 to v10.8.3

Impact: Multiple vulnerabilities in OpenSSL

Description: OpenSSL was updated to version 0.9.8x to address multiple vulnerabilities, which may lead to denial of service or disclosure of a private key. Further information is available via the OpenSSL website at http://www.openssl.org/news/

CVE-ID

CVE-2011-1945
CVE-2011-3207
CVE-2011-3210
CVE-2011-4108
CVE-2011-4109
CVE-2011-4576
CVE-2011-4577
CVE-2011-4619
CVE-2012-0050
CVE-2012-2110
CVE-2012-2131
CVE-2012-2333


QuickTime

Available for: Mac OS X 10.6.8, Mac OS X Server 10.6.8, OS X Lion v10.7 to v10.7.5, OS X Lion Server v10.7 to v10.7.5, OS X Mountain Lion v10.8 to v10.8.3

Impact: Viewing a maliciously crafted movie file may lead to an unexpected application termination or arbitrary code execution

Description: A buffer overflow existed in the handling of 'enof' atoms. This issue was addressed through improved bounds checking.

CVE-ID

CVE-2013-0986 : Tom Gallagher (Microsoft) & Paul Bates (Microsoft) working with HP's Zero Day Initiative


QuickTime

Available for: Mac OS X 10.6.8, Mac OS X Server 10.6.8, OS X Lion v10.7 to v10.7.5, OS X Lion Server v10.7 to v10.7.5, OS X Mountain Lion v10.8 to v10.8.3

Impact: Viewing a maliciously crafted QTIF file may lead to an unexpected application termination or arbitrary code execution

Description: A memory corruption issue existed in the handling of QTIF files. This issue was addressed through improved bounds checking.

CVE-ID

CVE-2013-0987 : roob working with iDefense VCP


Ruby

Available for: Mac OS X 10.6.8, Mac OS X Server 10.6.8

Impact: Multiple vulnerabilities in Ruby on Rails

Description: Multiple vulnerabilities existed in Ruby on Rails, the most serious of which may lead to arbitrary code execution on systems running Ruby on Rails applications. These issues were addressed by updating Ruby on Rails to version 2.3.18. This issue may affect OS X Lion or OS X Mountain Lion systems that were upgraded from Mac OS X 10.6.8 or earlier. Users can update affected gems on such systems by using the /usr/bin/gem utility.

CVE-ID

CVE-2013-0155
CVE-2013-0276
CVE-2013-0277
CVE-2013-0333
CVE-2013-1854
CVE-2013-1855
CVE-2013-1856
CVE-2013-1857

Jun 4, 2013 6:54 PM in response to powerbook1701

I think the key question we all have is what constitutes "Critical?" Each user will need to make their own decision about this once it's clear, as we all have our own pain threshold.


If I were totally paranoid or had a production machine, no automatic update would be acceptable and if I were a new or maybe even an average user, I'd rather all updates happened without my having to do anything rather than try to figure all this out.


For me I would probably have wanted the XProtect capability and Java fix for Flashback to have happened immediately, but not a standard security update where no "threat" was known to exist and certainly not a routine update to an app.

Jun 6, 2013 12:56 PM in response to MadMacs0

Well, I left "automatically install critical security updates" checked in my Security preferences and it didn't install the Mac OS 10.6.8 security update 2013-002 that came out yesterday. It shows up in Software Update, but it's optional for me to install it manually.


I really wish Apple would explain what the **** the option is and put it to rest.


Why can't someone from Apple just finally come here and answer this simple question?
