Minor security flaws found in Mac OS X

“Security-Protocols has discovered a few more minor security issues in Mac OS X that mainly pertain to how the OS and a few of its apps handle images and opening zip archives,” David Chartier writes for TUAW. “Apple has been notified of the issues and will apparently be fixing them in the next security update. As Tim Gaden at Hawk Wings (where I found this) says: the classic advice of being careful about what attachments and links you open and click on should keep your Mac humming along just fine.”

Full article with more info and links here.

Advertisements:
Get the new iMac with Intel Core Duo for as low as $31 A MONTH with Free shipping!
Get the MacBook Pro with Intel Core Duo for as low as $47 A MONTH with Free Shipping!
Apple’s new Mac mini. Intel Core, up to 4 times faster. Starting at just $599. Free shipping.
Apple’s brand new iPod Hi-Fi speaker system. Home stereo. Reinvented. Available now for $349 with free shipping.
iPod. 15,000 songs. 25,000 photos. 150 hours of video. The new iPod. 30GB and 60GB models start at just $299. Free shipping.
Connect iPod to your television set with the iPod AV Cable. Just $19.
iPod Radio Remote. Listen to FM radio on your iPod and control everything with a convenient wired remote. Just $49.

43 Comments

  1. Flaws? All that Tim Gaden “reported” was not to open any unsolicited or suspicious files. I suppose that if intelligence or common sense cannot be your web guide then at least activate a little paranoia or cynicism regarding files that were not requested or are suspect.

  2. Oh my, how the number of “exploits” in OSX continues to grow. Whatever shall I do? Will Vista save me from this unsecured morrass of code-slop Apple has foisted upon me, the gullible Macolyte cult member? Fool that I was to open my wallet whilst bedazzled by the pretty white plastics and Steve Jobs’ RDF! Mayhaps Norton or Macaffee can rescue my delicate heinie from the perils sent me by mal-code-tents? Tell me secundia, what must I do to be safe?

    Hope that was half as fun for you to read as it was for me to write. Weeks of reading idiotic posts finally got the better of me.

  3. “Five of the flaws identified by Ferris relate to how Mac OS handles various image file formats–including BMP, TIFF and GIF, according to his security advisories. Another flaw involves the way OS X decompresses Zip archives. Additionally, Ferris claims to have found several bugs in Apple’s Safari browser.”

    “The image flaws are the scariest ones, giving an attacker multiple methods of compromising a host,” Ferris said. “They can be exploited to execute arbitrary code very easily and were not hard to find.”

    A flaw that can execute arbitrary code very easily is considered a MINOR flaw?

    I love the 30,000 RPM spin of MDN. The story has been out now for days and posts that referenced it were deleted off MDN. Finally, some goofy little blog posted a suitably downplayed headline that MDN could use without getting knocked off the “invincible” throne.

    Pathetic.

  4. These assholes are doing everthing in their power to create a ‘threat parity’ with that of Windows XP. Reporting threats for OS X is now chic, its ‘the story’ for technology journalists, its the new challenge to see who can out dramatize who, to see who can wordsmith perfectly an article that creates unwarranted attention to sell whatever it is this assholes are trying to sell.

    These people MUST BE HELD ACCOUNTABLE for this chicken shit journalism. They are lying ass dogs, and getting away with it.

  5. I’ll tell you what’s pathetic. The friggin virus writers, even the ones that work for the anti-virus companies. Surely, they could have by now inflicted some “Blaster, I love You, Zotob, Botox” like virus on the Mac. It’s been what, 5 years since Mac OS X has been released. Still, nothing.

    Yeah, some vulnerabilities are found but you have to ask yourself, “why haven’t they been successful in exploiting the OS”. Hmmmm, could it be that the design of OS X actually takes someone with true skills to attack it. Not something your average script kiddie can do.

    Go ahead Wintrolls, tell me how the low market share is the reason that no one has successfully attacked the OS. Believe me now and listen to me later, the one virus writer that is successful would garner huge fame from the virus writing community. Don’t you think?

    It could be another 5 years before something happens on a large scale that would harm the OS. On the other hand it may never happen because Apple is very proactive with security.

    Good try “Wooooo”.

  6. This “report” is less about an inherent flaw of OS X than realization that security is a constantly moving target that requires due diligence. Until operating systems can identify all malware and destroy it before you are aware of its existence, we will have to exercise common sense and prudence concerning unsolicited or suspicious files, or visiting websites that you cannot guarantee are benign.

    Ideally, Apple would be able to prospectively consider all forms of malicious code and develop the means to identify it, isolate it, and neutralize it. However, this is a daunting and time-consuming task. Realistically, it is best for Apple to consider how malware is used to cause harm and strengthen security where the greatest danger exists. This is essentially triaging real and potential attacks and organizing time and resources appropriately. With each bit of malware, released Apple has the opportunity and responsibility to develop and enhance countermeasures.

    Still, one has to draw the line between poorly written code that can be repeatedly and successfully attacked, and the foolishness of the user on the keyboard. Apple’s most profound efforts to provide a secure environment are futile if the user is irresponsible.

    Wooo, love the spin:

    Is it known that arbitrary code sequestered in an ostensibly benign file can be installed externally on a machine without the user or administrator first giving permission? Wouldn’t deleting all unsolicited and suspicious files also delete arbitrary code?

  7. theMacDude:

    Maybe “Wooo’s” concerns and comments are based on his experience with the average Wind-blows user. This will Microsoft’s message when or if Vista is released, “Security? It’s not our problem, it’s your gullibility.”

  8. I agree that the weakest link in security is the user, BUT, buffer overflows that can cause arbitrary code execution is quite serious considering the amount of images we all deal with on a day to day basis.

    I don’t think this one can totally be considered “becareful where you get those images from”, because as stated – we ALL deal with tons of images day in and day out (i.e. Web Pages). I don’t dismiss the concept of “becareful where you get those images from”, because that is all part of safe computing practices, but this issue needs to (and hopefully will) be fixed ASAP. As far as getting unsolicited images in email – I ALWAYS keep the preference pane turned off (I hate it anyway). If the message isn’t from somone I know, it is instantly deleted – attachment or not.

    Now, as far as the Safari exploits with which he had the sense not to disclose to the public at large, I can’t comment on as I don’t know what they are. Still ANY browser exploit is a serious issue (think IE6 for Windows – STILL to this day being patched!). I’ve started using Camino (not out of fear of Safari exploits) but because it’s fast and it’s really, really good – renders twice as fast as Safari (un-scientific claim, but it is faster) and has some cool features that I like. It’s Open Source so it is an ongoing project, but it is based on the Gecko rendering engine that is also found in Firefox. No RSS – yet. It’s also made from the ground up to be first and foremost a Mac app (unlike a Firefox “port”), so it integrates well and is native Cocoa. Anyway………..

  9. Amazing how Apple will patch things ASAP and Microsoft takes FOREVER to fix them. Wonder if it is perhaps OS X’s source code is nice, and readable, and not some kludge like Window’s code most likely is……

  10. “Apple will fix it pronto, unlike some companies that take WEEKS or MONTHS to even acknowledge they have a bad issue.”

    Uh, read the links. These problems were reported to Apple around the beginning of the year–four months ago. Only one was fixed.

  11. What is the purpose of these so-called security companies broadcasting flaws in software? These people seem less concerned about the end user and more interested in making it more effortless for crackers to make life more difficult for the rest of us.

Reader Feedback

This site uses Akismet to reduce spam. Learn how your comment data is processed.