Follow Us

We use cookies to provide you with a better experience. If you continue to use this site, we'll assume you're happy with this. Alternatively, click here to find out how to manage these cookies

hide cookie message

Apple fig-leaf security patch causes dismay

Mac OS X 'extremely critical' hole remains open despite company assertions.

Article comments

A critical patch for Mac OS X issued on Friday leaves Mac users as vulnerable to attacks as they were before the fix, according to a security company.

Last week researchers warned of two serious vulnerabilities in Apple's Unix-based operating system, both allowing a malicious Web page to send code to a Mac and execute it. One problem was in the way Mac browsers handle addresses using the "help" protocol, ordinarily used for locating content for the Mac's Help Viewer application. The other problem was with handling of the "disk" protocol, used for downloading the disk images, such as DMG files, that the Mac uses for transferring compressed executable files and installers. Both flaws use default settings in browsers such as Safari and Internet Explorer to make Macs automatically download and execute any code the attacker chooses.

Apple issued a patch for the "help" flaw on Friday, but the fix leaves the "disk" problem unpatched, experts said. "Mac users are as vulnerable now, as before the patch was released," Niels Henrik Rasmussen, chief executive of security firm Secunia told us. Secunia and other security bodies, including the US government, classified the bugs as serious because the problems are easy to exploit and working exploits are available.

Once a disk image containing malicious code is downloaded the code can be executed via other networking protocols, such as FTP and AFP, according to Secunia. A temporary fix is to modify the Mac's Internet preferences, turning off the option to open "safe" files after downloading and adding a helper application for the "disk" and "disks" protocols, the company said in its advisory. That still won't help however if a user already has downloaded code on their system. Fortunately, there have been no reported abuses of the hole - yet.

Apple went out of its way to downplay the seriousness of the problem on Friday, to the dismay - though not the surprise - of security professionals. The company referred to the "help" issue as a "theoretical vulnerability" and argued customers were not in danger. "Apple takes security very seriously and works quickly to address potential threats as we learn of them - in this case, before there was any actual risk to our customers," said Philip Schiller, Apple’s VP of worldwide product marketing, in a statement.

Critics pointed out that Apple was warned of the hole in February, but did not issue a patch until the problem began to be widely discussed on Internet forums last week.

The information accompanying the Help Viewer patch states only that it ensures "HelpViewer will only process scripts that it initiated", failing to clarify the problem's seriousness, Secunia said.

"Microsoft and most Linux distributions have learned the lesson and properly describe the nature and the impact of (most) vulnerabilities, allowing their customers to properly estimate the severity of a fixed issue," said Rasmussen*. "This is not possible when reading an Apple update."

Mac OS X has become more of a focus for malicious exploits recently, partly as a result of Apple's success at marketing the Mac, according to industry analysts. In the meantime, the company's way of handling security issues remains inadequate, and risks putting users in danger, security researchers say. For example, the company downplayed the seriousness of a recent security hole that was already exploited by a "proof-of-concept" Trojan horse available online.

"Apple is doing a disservice to its customers by incorrectly labelling this vulnerability as a 'crash bug' rather than stating correctly that attackers can compromise systems running the affected Apple software," said security firm eEye.

Earlier this month, a series of serious security bugs were identified in Mac OS X and were met with what critics called an insufficient effort to make users aware of the problems. Apple released a string of critical patches early in May.

* - Please note, this quote was wrongly attributed to Philip Schiller in the original version of this story.



Share:

More from Techworld

More relevant IT news

Comments



Send to a friend

Email this article to a friend or colleague:

PLEASE NOTE: Your name is used only to let the recipient know who sent the story, and in case of transmission error. Both your name and the recipient's name and address will not be used for any other purpose.

Techworld White Papers

Choose – and Choose Wisely – the Right MSP for Your SMB

End users need a technology partner that provides transparency, enables productivity, delivers...

Download Whitepaper

10 Effective Habits of Indispensable IT Departments

It’s no secret that responsibilities are growing while budgets continue to shrink. Download this...

Download Whitepaper

Gartner Magic Quadrant for Enterprise Information Archiving

Enterprise information archiving is contributing to organisational needs for e-discovery and...

Download Whitepaper

Advancing the state of virtualised backups

Dell Software’s vRanger is a veteran of the virtualisation specific backup market. It was the...

Download Whitepaper

Techworld UK - Technology - Business

Innovation, productivity, agility and profit

Watch this on demand webinar which explores IT innovation, managed print services and business agility.

Techworld Mobile Site

Access Techworld's content on the move

Get the latest news, product reviews and downloads on your mobile device with Techworld's mobile site.

Find out more...

From Wow to How : Making mobile and cloud work for you

On demand Biztech Briefing - Learn how to effectively deliver mobile work styles and cloud services together.

Watch now...

Site Map

* *