Mavericks uses ambient light sensor for movement

Started by Gary, Nov 03, 2013, 00:29:40

Gary

10.9 uses changes in the ambient light sensor in later iMacs and MacBooks to monitor light changes and keep the Mac awake when it should sleep. It then resets the idle time. I wondered why my Mac took ages to sleep. If I cover the light sensor it goes to sleep as planned. Not sure if this can be turned off.
Damned, if you do damned if you don't

Bill

The more manifestations I see of Apple's "we know best" in Mavericks the more I'm persuaded that my next OS after Mountain Lion will be Linux...
Bill
BQMs-  IPv4  IPv6

Gary

Quote from: Bill on Nov 03, 2013, 08:07:50
The more manifestations I see of Apple's "we know best" in Mavericks the more I'm persuaded that my next OS after Mountain Lion will be Linux...
tbh it works quite well: if you are moving around your computer it will stay awake as needed; if you leave it alone it will go off. So instead of switching off after an hour, mine will reset if I am in the same room, which saves keep starting it up, but also means it goes off when left alone. Best of both worlds. Mavericks has now crashed 4 times, well, various system settings seem to have, as well as stalling on shut down. ML had a clean console, but it's faster than ML except when scrolling freezes and the cursor pinwheels  ::) It's free for a reason folks.

ML needs a security patch; this is the list of security fixes patched in Mavericks 10.9 over Mountain Lion 10.8.5. No idea why ML was not patched at the same time.


    CVE-2013-5165 : socketfilterfw --blockApp may not block applications from receiving network connections. The socketfilterfw command line tool's --blockApp option did not properly block applications from receiving network connections. This issue was addressed through improved handling of the --blockApp options.
    CVE-2013-5179 : The App Sandbox may be bypassed. The LaunchServices interface for launching an application allowed sandboxed apps to specify the list of arguments passed to the new process. A compromised sandboxed application could abuse this to bypass the sandbox. This issue was addressed by disallowing sandboxed applications from specifying arguments.
    CVE-2013-5166 : A malicious local application could cause an unexpected system termination. The Bluetooth USB host controller deleted interfaces needed for later operations. This issue was addressed by retaining the interface until it is no longer needed.
    CVE-2013-5167 : Session cookies may persist even after resetting Safari. Resetting Safari did not always delete session cookies until Safari was closed. This issue was addressed through improved handling of session cookies.
    CVE-2011-3389 : The SSL protocol, as used in certain configurations in Microsoft Windows and Microsoft Internet Explorer, Mozilla Firefox, Google Chrome, Opera, and other products, encrypts data by using CBC mode with chained initialization vectors, which allows man-in-the-middle attackers to obtain plaintext HTTP headers via a blockwise chosen-boundary attack (BCBA) on an HTTPS session, in conjunction with JavaScript code that uses (1) the HTML5 WebSocket API, (2) the Java URLConnection API, or (3) the Silverlight WebClient API, aka a "BEAST" attack.
    CVE-2013-5168 : Clicking on a malicious log entry may lead to unexpected application execution. This update modified the behavior of Console when clicking on a log entry with an attached URL. Rather than opening the URL, Console will now preview the URL with Quick Look.
    CVE-2013-5169 : Windows may be visible over the lock screen after display sleep. A logic issue existed in CoreGraphics's handling of display sleep mode, resulting in data corruption that could result in windows being visible over the lock screen. The issue is addressed through improved handling of display sleep.
    CVE-2013-5170 : Viewing a maliciously crafted PDF file may lead to an unexpected application termination or arbitrary code execution. A buffer underflow existed in the handling of PDF files. This issue was addressed through improved bounds checking.
    CVE-2013-5171 : An unprivileged application may be able to log keystrokes entered into other applications even when secure input mode is enabled. By registering for a hotkey event, an unprivileged application could log keystrokes entered into other applications even when secure input mode was enabled. This issue was addressed by additional validation of hotkey events.
    CVE-2013-0249 : Stack-based buffer overflow in the Curl_sasl_create_digest_md5_message function in lib/curl_sasl.c in curl and libcurl 7.26.0 through 7.28.1, when negotiating SASL DIGEST-MD5 authentication, allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a long string in the realm parameter in a (1) POP3, (2) SMTP or (3) IMAP message. These issues were addressed by updating curl to version 7.30.0.
    CVE-2013-1944 : The tailMatch function in cookie.c in cURL and libcurl before 7.30.0 does not properly match the path domain when sending cookies, which allows remote attackers to steal cookies via a matching suffix in the domain of a URL. These issues were addressed by updating curl to version 7.30.0.
    CVE-2013-3950 : Stack-based buffer overflow in the openSharedCacheFile function in dyld.cpp in dyld in Apple iOS 5.1.x and 6.x through 6.1.3 makes it easier for attackers to conduct untethering attacks via a long string in the DYLD_SHARED_CACHE_DIR environment variable. These issues were addressed through improved bounds checking.
    CVE-2013-5138 : A malicious local application could cause an unexpected system termination. A null pointer dereference existed in IOCatalogue. This issue was addressed through additional type checking.
    CVE-2013-5139 : Executing a malicious application may result in arbitrary code execution within the kernel. An out of bounds array access existed in the IOSerialFamily driver. This issue was addressed through improved bounds checking.
    CVE-2013-5172 : Use of SHA-2 digest functions in the kernel may result in an unexpected system termination. An incorrect output length was used for the SHA-2 family of digest functions, resulting in a kernel panic when these functions were used, primarily during IPSec connections. The issue was addressed through use of the expected output length.
    CVE-2013-5142 : Kernel stack memory may be disclosed to local users. An information disclosure issue existed in the msgctl and segctl APIs. This issue was addressed by initializing data structures returned from the kernel.
    CVE-2013-5173 : A local user may cause a denial of service. The kernel random number generator would hold a lock while satisfying a request from userspace, allowing a local user to make a large request and hold the lock for long periods of time, denying service to other users of the random number generator. This issue was addressed by releasing and reacquiring the lock for large requests more frequently.
    CVE-2013-5174 : A local, unprivileged user may be able to cause an unexpected system termination. An integer sign issue existed in the handling of tty reads. This issue was addressed through improved handling of tty reads.
    CVE-2013-5175 : A local user may be able to cause kernel memory information disclosure or an unexpected system termination. An out of bounds read issue existed in the handling of Mach-O files. This issue was addressed through improved bounds checking.
    CVE-2013-5176 : A local user may be able to cause a system hang. An integer truncation issue existed in the handling of tty devices. This issue was addressed through improved bounds checking.
    CVE-2013-5177 : A local user may be able to cause an unexpected system termination. The kernel would panic when an invalid user-supplied iovec structure was detected. This issue was addressed through improved validation of iovec structures.
    CVE-2013-3954 : Unprivileged processes may be able to cause an unexpected system termination or arbitrary code execution in the kernel. A memory corruption issue existed in the handling of arguments to the posix_spawn API. This issue was addressed through improved bounds checking.
    CVE-2013-5184 : Source specific multicast program may cause an unexpected system termination when using Wi-Fi network. An error checking issue existed in the handling of multicast packets. This issue was addressed through improved handling of multicast packets.
    CVE-2011-2391 : An attacker on a local network can cause a denial of service. An attacker on a local network can send specially crafted IPv6 ICMP packets and cause high CPU load. The issue was addressed by rate limiting ICMP packets before verifying their checksum.
    CVE-2013-5141 : A malicious local application could cause a system hang. An integer truncation issue existed in the kernel socket interface, which could be leveraged to force the CPU into an infinite loop. The issue was addressed by using a larger sized variable.
    CVE-2013-5145 : An unauthorized process can disable some loaded kernel extensions. An issue existed in kext management's handling of IPC messages from unauthenticated senders. This issue was addressed by adding additional authorization checks.
    CVE-2013-5178 : A file could show the wrong extension. An issue existed in the handling of certain unicode characters that could allow filenames to show incorrect extensions. The issue was addressed by filtering unsafe unicode characters from display in filenames.
    CVE-2013-5180 : Under unusual circumstances some random numbers may be predictable. If the kernel random number generator was not accessible to srandomdev(), the function fell back to an alternative method which had been removed by optimization, leading to a lack of randomness. This issue was addressed by modifying the code to be correct under optimization.
    CVE-2013-5181 : Mail may not choose the most secure authentication method available. When auto-configuring a mail account on certain mailservers, the Mail app would choose plaintext authentication over CRAM-MD5 authentication. This issue was addressed through improved logic handling.
    CVE-2013-5182 : An unsigned message may appear to be validly signed. A logic issue existed in Mail's handling of unsigned messages that nevertheless contained a multipart/signed part. The issue was addressed through improved handling of unsigned messages.
    CVE-2013-5183 : Information may be briefly transferred in plain text when non-TLS encryption is configured. When Kerberos authentication was enabled and Transport Layer Security was disabled, Mail would send some unencrypted data to the mail server, leading to an unexpected termination of the connection. The issue was addressed through improved handling of this configuration.
    CVE-2013-5185 : The ldapsearch command line tool did not honor the minssf configuration. The ldapsearch command line tool did not honor the minssf configuration, which could lead to weak encryption being allowed unexpectedly. This issue was addressed through improved handling of the minssf configuration.
    CVE-2013-1667 : Perl scripts may be vulnerable to denial of service. The rehash mechanism in outdated versions of Perl may be vulnerable to denial of service in scripts that use untrusted input as hash keys. The issue is addressed by updating to Perl 5.16.2.
    CVE-2013-5186 : The screen lock may not engage after the specified time period. A locking issue existed in power assertion management. The issue was addressed through improved lock handling.
    CVE-2011-3389, CVE-2011-4944, CVE-2012-0845, CVE-2012-0876, CVE-2012-1150 : Multiple vulnerabilities in python 2.7. Multiple vulnerabilities existed in python 2.7.2, the most serious of which may lead to decryption of the content of a SSL connection. This update addresses the issues by updating python to version 2.7.5. Further information is available via the python site at http://www.python.org/download/releases/
    CVE-2011-3389, CVE-2011-4944, CVE-2012-0845, CVE-2012-0876, CVE-2012-1150 : Multiple vulnerabilities in python 2.6. Multiple vulnerabilities existed in python 2.6.7, the most serious of which may lead to decryption of the content of a SSL connection. This update addresses the issues by updating python to version 2.6.8 and applying the patch for CVE-2011-4944 from the Python project. Further information is available via the python site at http://www.python.org/download/releases/
    CVE-2013-4073 : An attacker with a privileged network position may intercept user credentials or other sensitive information. A hostname validation issue existed in Ruby's handling of SSL certificates. The OpenSSL::SSL.verify_certificate_identity function in lib/openssl/ssl.rb in Ruby 1.8 before 1.8.7-p374, 1.9 before 1.9.3-p448, and 2.0 before 2.0.0-p247 does not properly handle a '\0' character in a domain name in the Subject Alternative Name field of an X.509 certificate, which allows man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority, a related issue to CVE-2009-2408. This issue was addressed by updating Ruby to version 2.0.0p247.
    CVE-2011-3427 : Support for X.509 certificates with MD5 hashes may expose users to spoofing and information disclosure as attacks improve. Certificates signed using the MD5 hash algorithm were accepted by OS X. This algorithm has known cryptographic weaknesses. Further research or a misconfigured certificate authority could have allowed the creation of X.509 certificates with attacker controlled values that would have been trusted by the system. This would have exposed X.509 based protocols to spoofing, man in the middle attacks, and information disclosure. This update disables support for an X.509 certificate with an MD5 hash for any use other than as a trusted root certificate.
    CVE-2013-5189 : An administrator's security preferences may not be respected. The "Require an administrator password to access system preferences with lock icons" setting allows administrators to add an additional layer of protection to sensitive system settings. In some cases where an administrator had enabled this setting, applying a software update or upgrade could have subsequently disabled the setting. This issue was addressed through improved handling of authorization rights.
    CVE-2013-5190 : Smart Card Services may be unavailable when certificate revocation checks are enabled. A logic issue existed in OS X's handling of Smart Card certificate revocation checks. The issue was addressed through improved certificate revocation support.
    CVE-2013-5187 : The "Lock Screen" command may not take effect immediately. The "Lock Screen" command in the Keychain Status menu bar item did not take effect until after the "Require password [amount of time] after sleep or screen saver begins" setting had elapsed.
    CVE-2013-5188 : A hibernated Mac with Autologin may not require a password to wake. A Mac with hibernation and autologin enabled may allow waking from hibernation without prompting for a password. This issue was addressed through improved lock handling.
    CVE-2013-5135 : A remote attacker may be able to cause arbitrary code execution. A format string vulnerability existed in Screen Sharing Server's handling of the VNC username.
    CVE-2013-5191 : A Guest user may be able to see log messages from previous Guests. The console log was visible to the Guest user and contained messages from previous Guest user sessions. This issue was addressed by making the console log for Guest users visible only to administrators.
    CVE-2013-5192 : A malicious local application could cause an unexpected system termination. The USB hub controller didn't check the port and port number of requests. The issue was addressed by adding checks of the port and port number.
Damned, if you do damned if you don't
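One of the entries in the list above, CVE-2013-1944, is a cookie-scoping bug in libcurl's tailMatch: a cookie set for one domain was sent to any host whose name merely ended in that domain. The Python below is an added illustration written for this post, not curl's code and not part of the original thread. It places the suffix-only check beside the RFC 6265 label-boundary check that the fixed version enforces, run over a constructed cookie jar. IP-address hosts, which RFC 6265 excludes from domain matching, are deliberately not covered (an assumption of this example).

```python
"""Cookie domain matching: suffix-only check versus label-boundary check.

Constructed illustration, not curl's source. CVE-2013-1944 described libcurl's
tailMatch as matching a cookie's Domain attribute against the request host by
suffix only, so a cookie scoped to "example.com" was also attached to requests
for "notexample.com". RFC 6265 section 5.1.3 requires the host to equal the
domain, or to end with "." followed by the domain. IP-address hosts are not
modelled here (assumption: hostnames only).
"""


def suffix_only_match(cookie_domain: str, host: str) -> bool:
    """The defective rule: any host that merely ends with the cookie domain matches."""
    cookie_domain = cookie_domain.lower().lstrip(".")
    host = host.lower()
    return host.endswith(cookie_domain)


def domain_match(cookie_domain: str, host: str) -> bool:
    """RFC 6265 domain matching: exact match, or host ends with "." + domain."""
    cookie_domain = cookie_domain.lower().lstrip(".")
    host = host.lower()
    if host == cookie_domain:
        return True
    return host.endswith("." + cookie_domain)


def cookies_for_host(jar, host: str, matcher) -> list:
    """Names of cookies in jar that `matcher` would attach to a request for host."""
    return sorted(name for name, domain in jar if matcher(domain, host))


# Constructed cookie jar: (cookie name, Domain attribute as set by the server)
JAR = [
    ("session", "example.com"),
    ("prefs", ".example.com"),
    ("other", "example.org"),
]

if __name__ == "__main__":
    for host in ("example.com", "www.example.com", "notexample.com"):
        print(
            host,
            "suffix-only:", cookies_for_host(JAR, host, suffix_only_match),
            "rfc6265:", cookies_for_host(JAR, host, domain_match),
        )
```

Run as a script it prints, for each of the three hosts, which cookies each rule would attach; notexample.com receives both example.com cookies under the suffix-only rule and none under the boundary rule, which is exactly the leak the CVE text describes.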
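CVE-2013-5178 in the same list concerns Unicode characters that make a filename display with an extension other than its real one; Apple's fix was to filter those characters out of the displayed name. The Python below is an added example written for this thread, not Apple's code. It flags Unicode format and control characters in a filename, produces a filtered display name in the spirit of that fix, and compares the real extension with the one a naive right-to-left-override rendering would show. The sample filename is constructed for the demonstration, and the display approximation models only the U+202E override, not the full bidi algorithm (an assumption of this example).

```python
"""Detecting filenames whose displayed extension differs from the real one.

Added illustration, not Apple's code. The sample name below is constructed.
"""
import os
import unicodedata

# Bidi embedding, override, isolate and mark characters that change display order.
BIDI_CONTROLS = frozenset(
    "\u202a\u202b\u202c\u202d\u202e"   # LRE, RLE, PDF, LRO, RLO
    "\u2066\u2067\u2068\u2069"         # LRI, RLI, FSI, PDI
    "\u200e\u200f\u061c"               # LRM, RLM, ALM
)


def is_unsafe(ch: str) -> bool:
    """Bidi controls plus any other Unicode format (Cf) or control (Cc) character."""
    return ch in BIDI_CONTROLS or unicodedata.category(ch) in ("Cf", "Cc")


def find_unsafe_chars(name: str) -> list:
    """List (index, code point, Unicode name) for every unsafe character in name."""
    return [
        (i, f"U+{ord(ch):04X}", unicodedata.name(ch, "UNKNOWN"))
        for i, ch in enumerate(name)
        if is_unsafe(ch)
    ]


def sanitize_for_display(name: str) -> str:
    """Drop unsafe characters so the shown name cannot be reordered (the approach of the fix)."""
    return "".join(ch for ch in name if not is_unsafe(ch))


def approximate_display(name: str) -> str:
    """Approximate how a bidi-aware renderer shows the name: the run after a
    RIGHT-TO-LEFT OVERRIDE (U+202E) is reversed up to the next POP DIRECTIONAL
    FORMATTING (U+202C) or the end of the string; other controls are invisible.
    Simplification: only U+202E is modelled, not the full bidi algorithm."""
    out, i = [], 0
    while i < len(name):
        ch = name[i]
        if ch == "\u202e":
            end = name.find("\u202c", i + 1)
            if end == -1:
                end = len(name)
            out.append(name[i + 1:end][::-1])
            i = end + 1
        elif is_unsafe(ch):
            i += 1
        else:
            out.append(ch)
            i += 1
    return "".join(out)


def extension_mismatch(name: str):
    """(real_ext, shown_ext) when the displayed extension differs from the real one, else None."""
    real = os.path.splitext(name)[1].lower()
    shown = os.path.splitext(approximate_display(name))[1].lower()
    return (real, shown) if real != shown else None


# Constructed sample: the stored name ends in ".exe"; the reordered display reads ".pdf".
SAMPLE = "report\u202efdp.exe"

if __name__ == "__main__":
    for fname in (SAMPLE, "report.pdf"):
        print(repr(fname), find_unsafe_chars(fname), repr(approximate_display(fname)),
              repr(sanitize_for_display(fname)), extension_mismatch(fname))
```

The mismatch check is the detection; the sanitized name is the mitigation the advisory describes. A file manager, mail gateway or upload handler that applies both can log the U+202E finding and show the user the real extension.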

Bill

First observation is that all operating systems need security patches all of the time, and always will :P

You have to weigh the seriousness of the hole against the likelihood that anybody will make the effort to exploit it on your particular machine (and whether there's anything on there worth getting access to), rather than take the easier course of trying to get you to make an ill-judged click on a link in an email for example. The weakest security link is the one between the user's brain and their hand, and that one can't be patched.

Quote from: Gary on Nov 03, 2013, 09:45:05
No idea why ML was not patched at the same time.

I have... Apple want me to move to Mavericks and further into their increasingly closed and inflexible systems. They may be able to persuade me away from Mountain Lion (although I'll admit that I like OS X a lot), but where I go after that is my decision not theirs :mad:
Bill
BQMs-  IPv4  IPv6

Steve

I thought Apple had always been closed and inflexible! ;)
Steve
------------
This post reflects my own views, opinions and experience, not those of IDNet.

Bill

Quote from: Steve on Nov 03, 2013, 10:14:48
I thought Apple had always been closed and inflexible! ;)

It's a matter of degree :P

Snow Leopard was tolerable in that regard, ML is borderline, Mavericks (and most of the latest hardware) is a step too far for me!
Bill
BQMs-  IPv4  IPv6

Steve

Certainly their philosophy is based around their product family and encouraging you, or forcing you, to stick to their product line. However, as I said somewhere else, whilst my existing hardware keeps working they'll get no more money from me for my use for a while.
Steve
------------
This post reflects my own views, opinions and experience, not those of IDNet.

Gary

Apple, unlike Microsoft, may soon stop patching legacy operating systems, so that's SL and Lion. I'm going to try Mint in the week to see what that's like. I won't go back to Windows and I won't buy another Mac... have to try new things out, which tbh was the last thing I wanted to do since I want to step away from computers for a while, but that's getting harder and harder: so many forms now are online only from our lovely government, including HMRC's useless ESI tool for working out if my self-employed carer is self-employed, even though you don't put your details in at all and the site crashes every 2 minutes, but just in case HMRC visit I have to have a random meaningless number that anyone could have done on any computer, and five lines of info on a piece of A4 :mad:
Damned, if you do damned if you don't

Gary

Quote from: Bill on Nov 03, 2013, 10:11:29
The weakest security link is the one between the user's brain and their hand, and that one can't be patched.
I don't think that's always the case anymore; all you need to do is load a favourite website that's had code injected with exploits for a hole that no one tells anyone about (Apple being so open about security) and you have been snared without any interaction.
Damned, if you do damned if you don't

Simon

Quote from: Gary on Nov 03, 2013, 11:28:01
I don't think that's always the case anymore; all you need to do is load a favourite website that's had code injected with exploits for a hole that no one tells anyone about (Apple being so open about security) and you have been snared without any interaction.

Isn't that where a decent anti-virus comes in handy though? Most should block malicious website content, although, it has to be said, nothing is 100% foolproof.
Simon.
--
This post reflects my own views, opinions and experience, not those of IDNet.

Bill

Quote from: Gary on Nov 03, 2013, 11:28:01
I don't think that's always the case anymore; all you need to do is load a favourite website that's had code injected with exploits for a hole that no one tells anyone about (Apple being so open about security) and you have been snared without any interaction.

That's certainly true, but only up to a point - leaving aside disgruntled employees and the like, it comes back to security holes in a server OS somewhere allowing unauthorised modification of the web pages... which will always exist but can be patched.
Bill
BQMs-  IPv4  IPv6

Gary

Quote from: Bill on Nov 03, 2013, 12:12:48
That's certainly true but only up to a point- leaving aside disgruntled employees and the like, it comes back to security holes in a server OS somewhere allowing unauthorised modification of the web pages... which will always exist but can be patched.
Very true, Bill, hence my trepidation with cloud services. Ah well.
Damned, if you do damned if you don't