Apple fig-leaf security patch causes dismay

Mac OS X 'extremely critical' hole remains open despite company assertions.

By Matthew Broersma, Techworld | Techworld
Published: 00:00 GMT, 24 May 04

A critical patch for Mac OS X issued on Friday leaves Mac users as vulnerable to attacks as they were before the fix, according to a security company.

Last week researchers warned of two serious vulnerabilities in Apple's Unix-based operating system, both allowing a malicious Web page to send code to a Mac and execute it. One problem was in the way Mac browsers handle addresses using the "help" protocol, ordinarily used for locating content for the Mac's Help Viewer application. The other problem was with handling of the "disk" protocol, used for downloading the disk images, such as DMG files, that the Mac uses for transferring compressed executable files and installers. Both flaws use default settings in browsers such as Safari and Internet Explorer to make Macs automatically download and execute any code the attacker chooses.

Apple issued a patch for the "help" flaw on Friday, but the fix leaves the "disk" problem unpatched, experts said. "Mac users are as vulnerable now, as before the patch was released," Niels Henrik Rasmussen, chief executive of security firm Secunia told us. Secunia and other security bodies, including the US government, classified the bugs as serious because the problems are easy to exploit and working exploits are available.

Once a disk image containing malicious code is downloaded the code can be executed via other networking protocols, such as FTP and AFP, according to Secunia. A temporary fix is to modify the Mac's Internet preferences, turning off the option to open "safe" files after downloading and adding a helper application for the "disk" and "disks" protocols, the company said in its advisory. That still won't help however if a user already has downloaded code on their system. Fortunately, there have been no reported abuses of the hole - yet.

Apple went out of its way to downplay the seriousness of the problem on Friday, to the dismay - though not the surprise - of security professionals. The company referred to the "help" issue as a "theoretical vulnerability" and argued customers were not in danger. "Apple takes security very seriously and works quickly to address potential threats as we learn of them - in this case, before there was any actual risk to our customers," said Philip Schiller, Apple’s VP of worldwide product marketing, in a statement.

Critics pointed out that Apple was warned of the hole in February, but did not issue a patch until the problem began to be widely discussed on Internet forums last week.

The information accompanying the Help Viewer patch states only that it ensures "HelpViewer will only process scripts that it initiated", failing to clarify the problem's seriousness, Secunia said.

"Microsoft and most Linux distributions have learned the lesson and properly describe the nature and the impact of (most) vulnerabilities, allowing their customers to properly estimate the severity of a fixed issue," said Rasmussen*. "This is not possible when reading an Apple update."

Mac OS X has become more of a focus for malicious exploits recently, partly as a result of Apple's success at marketing the Mac, according to industry analysts. In the meantime, the company's way of handling security issues remains inadequate, and risks putting users in danger, security researchers say. For example, the company downplayed the seriousness of a recent security hole that was already exploited by a "proof-of-concept" Trojan horse available online.

"Apple is doing a disservice to its customers by incorrectly labelling this vulnerability as a 'crash bug' rather than stating correctly that attackers can compromise systems running the affected Apple software," said security firm eEye.

Earlier this month, a series of serious security bugs were identified in Mac OS X and were met with what critics called an insufficient effort to make users aware of the problems. Apple released a string of critical patches early in May.

* - Please note, this quote was wrongly attributed to Philip Schiller in the original version of this story.

What are your views on this subject? Use the form below to post a comment on this article up to 500 characters.

Characters remaining: 500

Related Security news

Microsoft denies building security 'backdoor' in Windows 7

Privacy organisations shouldn't read too much into NSA involvement it says

20 November 2009

Pentagon expands exclusive deal with McAfee

Department of Defense uses McAfee products

Police arrest pair over global banking web scam

Man and woman arrested in Manchester for using notorious Zeus Trojan

Security star Fortinet sets price for IPO

Investors still have taste for tech.

Related Security reviews

Lumension application control review

Bit9 Parity Suite

BitDefender Total Security 2008

Email this article to a friend or colleague:

PLEASE NOTE: Your name is used only to let the recipient know who sent the story, and in case of transmission error. Both your name and the recipient's name and address will not be used for any other purpose.

Techworld White Papers

Database security: Preventing enterprise data leaks at the source

IDC discusses the growing internal threats to business information, the impact of government regulations on the protection of data, and how enterprises must adopt database security best practices...

Download Whitepaper

Service-oriented security

SOA has become an integral part of enterprise software by providing a framework to efficiently develop software as services that is easily sharable, reusable, and integrated. No where is the need more apparent than in the Identity Management space. Welcome to the age of Service-Oriented Security (SOS).

Download Whitepaper

Data protection prospective vendor checklist

Organisations need a way to map business needs against all these challenges in procuring a technical solution. To help, SANS has developed the following Prospective Vendor Checklist.

Download Whitepaper

Unlock the power of the mainframe

This whitepaper presents the notion of CICS as an integration hub based on a component-based, service-oriented architecture supporting Web services. Highlights will review the challenges and contrasted support for Web services natively in CICS.

Download Whitepaper

Techworld UK - Technology - Business

COLT White Paper

Are all VoIP services the same?

Questions to ask your service provider to ensure you get the VoIP service you need
With careful choice of partner, your business can have all the advantages of VoIP access - reduced costs, flexibility and simplicity - without the drawbacks.
This white paper is your guide to ensure you get right the VoIP service and details the pitfalls which businesses would do well to avoid.

Download white paper
BMC

Ride the express lane in the journey to speed ITIL adoption

Explore the challenges in making the journey to ITIL and the criteria for selecting consulting services
By following ITIL practices, your IT organisation will become more closely integrated with the business. We recommend making the journey to ITIL in a sequence of six incremental steps, the phases of which are driven through execution of a strategic transformational roadmap.

Download white paper

Webcast: IT Financial Management: Cost Optimisation for Efficiency and Agility.
On Demand Webcast
Join this webcast to learn about the techniques and technologies that can help you prove the value of IT to the business by understanding the true cost of today's IT services and those that will be necessary to deliver future success.

Register Today

Site Map

IDG Network

* *