From: Aron Roberts (aron@socrates.berkeley.edu)
Date: Fri Oct 05 2001 - 15:15:19 PDT
A reminder: Apple Computer's "security-announce" mailing list,
listed in Kin Jung's posting yesterday to the MAGNet mailing list, is
one of a number of resources listed on Apple's primary Mac OS
security page.
"Apple Product Security"
http://www.apple.com/support/security/security.html
As noted on Apple's "Security Updates" page, which is referenced in
the announcement below and also linked from the Apple Product
Security page, above, the just-released Mac OS X 10.1 incorporates
many security-related fixes:
http://www.apple.com/support/security/security_updates.html
Security issue with Microsoft Internet Explorer in Mac OS X 10.1
---------------------------------------------------------------
However, Mac OS X 10.1 also installs a new version of the Microsoft
Internet Explorer Web browser which introduces a potentially
significant security vulnerability: its "default setting ... is to
automatically execute downloaded software" under some circumstances.
To rectify this, << users will need to modify Internet Explorer's
Preferences settings >>, as described at:
"Mac OS X 10.1: Internet Explorer Executes Downloaded
Software Automatically"
http://docs.info.apple.com/article.html?artnum=106503
By disabling IE's own decoding of BinHex- and MacBinary-encoded
files, this will also effectively prevent Internet Explorer from
automatically opening such files after they are decoded.
Security issue with iDisk in Mac OS X 10.1
------------------------------------------
In addition, OpenDoor Networks also claims that passwords may be
vulnerable to discovery under Mac OS X 10.1 when using the WebDAV
protocol to access iDisk, Apple's network disk service:
http://www.opendoor.com/macosxalert.html
They recommend using Apple's AFP protocol to access iDisk until
this issue is resolved.
Aron Roberts
Workstation Software Support Group
P.S. Internet Explorer for the Mac OS also offers many additional
features for finely customizing whether -- and if so, how --
downloaded files will be opened or otherwise handled. These settings
can be customized in the program's Preferences under (at least) the
following settings panels:
- "Security Zone" (by selecting one of the four zones
offered and clicking the "Custom" button, then scrolling
down to the settings which pertain to browser behaviors
such as "Launch applications and files" under "Miscellaneous");
- "Download Options"; and
- "File Helpers" (which permits extensive customization of how files
and data streams encountered on the Web are handled based on their MIME
types or filename extensions).
--
Date: Thu, 04 Oct 2001 10:55:49 -0700
Subject: [MAGNet] FW: security-announce digest, Vol 1 #1 - 1 msg
From: Kin Jung <kin@tsw.berkeley.edu>
To: <lorca@uclink.berkeley.edu>, <magnet-list@uclink.berkeley.edu>
OS X users:
As this security list is pretty new-- you might want to check it out. Subscription information is included.
Kin
----------
From: security-announce-request@lists.apple.com
Reply-To: security-announce@lists.apple.com
Date: Wed, 3 Oct 2001 22:18:34 -0700 (PDT)
To: security-announce@lists.apple.com
Subject: security-announce digest, Vol 1 #1 - 1 msg
Send security-announce mailing list submissions to security-announce@lists.apple.com
To subscribe or unsubscribe via the World Wide Web, visit http://www.lists.apple.com/mailman/listinfo/security-announce or, via email, send a message with subject or body 'help' to security-announce-request@lists.apple.com
[...]
Today's Topics:
1. Security updates in Mac OS X v10.1 (Product Security)
--__--__--
Message: 1
Date: Wed, 3 Oct 2001 16:13:47 -0700
Subject: Security updates in Mac OS X v10.1
From: Product Security <product-security@apple.com>
To: security-announce@lists.apple.com
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Valued Apple customers,
The Apple Product Security web site has been modified to include security updates included in Mac OS X v10.1 and Mac OS X Server v10.1. Details about the security updates can be found on the Apple Product Security Updates page at:
http://www.apple.com/support/security/security_updates.html
Thank you,
Apple Product Security Team
product-security@apple.com
[...]
------------------------------------------------------------------------
The following was automatically added to this message by the list server:
For information about MAGNet, its meetings and events, and its mailing list, including information on subscribing and unsubscribing, see the MAGNet Web site at <http://mac.berkeley.edu/help/magnet/>.
This archive was generated by hypermail 2b29 : Fri Oct 05 2001 - 15:16:34 PDT