Question

Security Update 2014-005 Mavericks/Mountain Lion

  • October 17, 2014
  • 21 replies
  • 101 views


Mavericks - https://support.apple.com/kb/DL1772

Mountain Lion - https://support.apple.com/kb/DL1771?

21 replies

mm2270
  • Legendary Contributor
  • October 17, 2014

Yeah, was just going to post about this as well. Appears to address the recently announced "POODLE" vulnerability. That was fast!


  • Contributor
  • October 17, 2014

Thanks for the link! Couldn't find the download by searching Apple's site and I like to push these out through Casper.


  • October 17, 2014

Also these include the bash Update 1.0, as per https://support.apple.com/kb/HT6531 .


  • Contributor
  • October 17, 2014

Still shows as vulnerable using www.poodlestest.com. ??


  • Contributor
  • October 17, 2014

I am having the same results


mm2270
  • Legendary Contributor
  • October 17, 2014

Hmm, same here. And I cleared the cache from the browser and restarted and everything. Still shows me a silly poodle image. Not sure what's up with that. Going to ping my Apple rep on this, because I even verified with him yesterday that these updates were supposed to address this issue.


mm2270
  • Legendary Contributor
  • October 17, 2014

OK, looks like it's only Safari for me at least. I just opened Firefox and went to http://poodletest.com and I see a terrier, not a poodle. This could just be Safari's ridiculously aggressive caching. I've run afoul of it not letting go of browser data and giving me bad results in the past.
More testing to be done obviously.

Looking again at the test site, I see this, which seems to indicate possible issues with Safari even with the patch applied:

Safari: Apple stated that the Safari update released on Oct 17th no longer allows block ciphers via SSLv3. The test site (on purpose) only supports block ciphers as they are vulnerable to POODLE. However, my testing so far shows that Safari will still connect to the test site using ciphers like AES256. Safari should show up as not-vulnerable if it only supports stream ciphers over SSLv3.

  • Valued Contributor
  • October 19, 2014

So long 10.7 Support!


Forum|alt.badge.img+7

I can't find a reliable test that gives me a different response before and after the Apple security update.


Forum|alt.badge.img+7

So it seems the poodletest etc. sites just check for continued SSL3 connections, but Apple's security fix does not do that; instead it blocks SSL connections' use of "CBC ciphers", which are the root of the vulnerability. (I am reading this off the internets.)

So, still need a reliable check that the vulnerability is patched. Has anyone managed to craft an extension attribute?
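
The distinction drawn in the post above (SSLv3 still negotiable, CBC suites refused), as an added example that is not part of the thread: it classifies a handshake summary by protocol and cipher rather than by protocol alone. It assumes the `Protocol  :` / `Cipher    :` lines that `openssl s_client` prints in its SSL-Session block; the sample is constructed, and how the summary is captured for the client under test is left open.

```shell
#!/bin/sh
# Added example: classify a TLS session summary for POODLE exposure.
# Assumed input: the "Protocol  :" and "Cipher    :" lines of the
# SSL-Session block printed by `openssl s_client` (file args or stdin).
#
# Prints one of:
#   exposed       SSLv3 negotiated with a CBC block cipher (the POODLE case)
#   sslv3-no-cbc  SSLv3 negotiated, but with an RC4 or NULL suite
#   not-sslv3     a TLS protocol version was negotiated
#   no-session    handshake failed (s_client reports cipher 0000)
#   unknown       no Protocol/Cipher lines found
poodle_status() {
    awk -F: '
        /^[ \t]*Protocol[ \t]*:/ { v = $2; gsub(/[ \t\r]/, "", v); proto = v }
        /^[ \t]*Cipher[ \t]*:/   { v = $2; gsub(/[ \t\r]/, "", v); cipher = v }
        END {
            if (proto == "" || cipher == "")  print "unknown"
            else if (cipher == "0000")        print "no-session"
            else if (proto != "SSLv3")        print "not-sslv3"
            # SSLv3 has no AEAD suites, so anything that is not RC4
            # or NULL is a CBC-mode block cipher.
            else if (cipher ~ /RC4|NULL/)     print "sslv3-no-cbc"
            else                              print "exposed"
        }' "$@"
}

# Constructed sample (not captured from a real host): SSLv3 with AES-CBC.
sample='SSL-Session:
    Protocol  : SSLv3
    Cipher    : AES256-SHA'
printf '%s\n' "$sample" | poodle_status
```

A check that only asks "did SSLv3 connect?" cannot tell `exposed` from `sslv3-no-cbc`, which is why a protocol-only test gives the same answer before and after a fix that removes CBC suites.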


Forum|alt.badge.img+7

What are the right restart options for delivering this? The default is Current startup disk - that didn't work. I just tried the "(No Bless)" option; that didn't work either. Both ways I get a regular reboot back to the login window :-/

(i.e. instead of a reboot, brief installer screen, reboot)


Forum|alt.badge.img+7

I just can't automate this. I even tried resorting to installing the PKG to /tmp and running

installer -pkg /tmp/SecUpd2014-005Mavericks.pkg -target /
reboot

but no. It only works if I run it interactively!

I totally should have said I'm trialling most of this on VMware boxes. I did try it on one real machine with the two main restart options (mentioned above), but that behaved the same.


  • Valued Contributor
  • October 20, 2014

You need a -target / as well.


  • Valued Contributor
  • October 20, 2014

Oh, it's here in the web version, not the email version, sorry.


  • Valued Contributor
  • October 20, 2014

Why not just use Casper to tell the computers to install all available software updates?


Forum|alt.badge.img+7

Thanks dude - cross edited there, as I did have a -target. Also added that I've been hitting this mostly on trialling VMs


Forum|alt.badge.img+7

Hmm. I finally gave up on automating the real machine and ran it interactively on that and it didn't do the right thing either, so perhaps something was awry there (or it had taken earlier and I'd not noticed perhaps?!)

And I don't trust VMware to boot appropriately as the VM prefs take precedence.

So perhaps I'll just try a few combos out on another physical machine now.

Cheers for advice though. I'll update this thread if I hit on anything


Forum|alt.badge.img+7

Oh man, this is no fun AT all.

This time I tried an install on a real machine (MacBook Air), policy set to run at logout: install, restart immediately, selected restart disk (no bless). This time before the restart happened I got a dialog titled "Unapproved caller" saying "SecurityAgent may only be invoked by Apple software". And again, it just rebooted to the loginwindow as normal (after the FileVault was unlocked).


Forum|alt.badge.img+7

Still elusive…

1. a reliable method to check that the security hole has been fixed (and an EA to record that)
2. a way to Casper automate delivery of the Apple pkg
3. why nobody else seems all that bothered by 1 and 2!

What's going on jamfnation?


  • Contributor
  • December 10, 2014

Has anyone seen problems applying the 2014-005 update from an internal SUS?


RobertHammen
  • Esteemed Contributor
  • December 10, 2014

Nope.

Does the update show as available if you run a "softwareupdate -l" command?

With the machine pointed to the internal SUS, have you tried running a "softwareupdate -i <nameofpackage>"?

Have you tried adding the package to Casper Admin and creating a policy to install it, with the checkbox to "Install Only If Available In Software Update" selected?