Apple fig-leaf security patch causes dismay
Mac OS X 'extremely critical' hole remains open despite company assertions.
By Matthew Broersma | Techworld | Published: 00:00, 24 May 2004
A critical patch for Mac OS X issued on Friday leaves Mac users as vulnerable to attacks as they were before the fix, according to a security company.
Last week researchers warned of two serious vulnerabilities in Apple's Unix-based operating system, both allowing a malicious Web page to send code to a Mac and execute it. One problem was in the way Mac browsers handle addresses using the "help" protocol, ordinarily used for locating content for the Mac's Help Viewer application. The other problem was with handling of the "disk" protocol, used for downloading the disk images, such as DMG files, that the Mac uses for transferring compressed executable files and installers. Both flaws use default settings in browsers such as Safari and Internet Explorer to make Macs automatically download and execute any code the attacker chooses.
Apple issued a patch for the "help" flaw on Friday, but the fix leaves the "disk" problem unpatched, experts said. "Mac users are as vulnerable now, as before the patch was released," Niels Henrik Rasmussen, chief executive of security firm Secunia told us. Secunia and other security bodies, including the US government, classified the bugs as serious because the problems are easy to exploit and working exploits are available.
Once a disk image containing malicious code is downloaded the code can be executed via other networking protocols, such as FTP and AFP, according to Secunia. A temporary fix is to modify the Mac's Internet preferences, turning off the option to open "safe" files after downloading and adding a helper application for the "disk" and "disks" protocols, the company said in its advisory. That still won't help however if a user already has downloaded code on their system. Fortunately, there have been no reported abuses of the hole - yet.
Apple went out of its way to downplay the seriousness of the problem on Friday, to the dismay - though not the surprise - of security professionals. The company referred to the "help" issue as a "theoretical vulnerability" and argued customers were not in danger. "Apple takes security very seriously and works quickly to address potential threats as we learn of them - in this case, before there was any actual risk to our customers," said Philip Schiller, Apples VP of worldwide product marketing, in a statement.
Critics pointed out that Apple was warned of the hole in February, but did not issue a patch until the problem began to be widely discussed on Internet forums last week.
The information accompanying the Help Viewer patch states only that it ensures "HelpViewer will only process scripts that it initiated", failing to clarify the problem's seriousness, Secunia said.
"Microsoft and most Linux distributions have learned the lesson and properly describe the nature and the impact of (most) vulnerabilities, allowing their customers to properly estimate the severity of a fixed issue," said Rasmussen*. "This is not possible when reading an Apple update."
Mac OS X has become more of a focus for malicious exploits recently, partly as a result of Apple's success at marketing the Mac, according to industry analysts. In the meantime, the company's way of handling security issues remains inadequate, and risks putting users in danger, security researchers say. For example, the company downplayed the seriousness of a recent security hole that was already exploited by a "proof-of-concept" Trojan horse available online.
"Apple is doing a disservice to its customers by incorrectly labelling this vulnerability as a 'crash bug' rather than stating correctly that attackers can compromise systems running the affected Apple software," said security firm eEye.
Earlier this month, a series of serious security bugs were identified in Mac OS X and were met with what critics called an insufficient effort to make users aware of the problems. Apple released a string of critical patches early in May.
* - Please note, this quote was wrongly attributed to Philip Schiller in the original version of this story.