Minor security flaws found in Mac OS X

“Security-Protocols has discovered a few more minor security issues in Mac OS X that mainly pertain to how the OS and a few of its apps handle images and opening zip archives,” David Chartier writes for TUAW. “Apple has been notified of the issues and will apparently be fixing them in the next security update. As Tim Gaden at Hawk Wings (where I found this) says: the classic advice of being careful about what attachments and links you open and click on should keep your Mac humming along just fine.”

Full article with more info and links here.

43 Comments

  1. I have Intego’s NetBarrier and Virus Barrier installed on my computers.

    I don’t open any attachment that I’m not expecting.

    I’m wary, but not paranoid…if we start freaking out about our own computers being used as a botnet or some such, let’s just shut them all down and go back to the IBM Selectric days (wonder how my typing speed is on that old monster)…

    No operating system is perfect (unless, maybe, Jesus went into programming or something), but I’ve had less than one-eighth of the headaches my father-in-law has had with his Windows computers.

    I’m not a big Ronald Reagan fan, but he said one line that applies to many situations: “Trust, but verify.”

  2. Andrew (MacDude),

    Looks like you didn’t read the article carefully. The problem is not with OS X. It’s with PHP. Only if you’re running a server facing the internet with an outdated piece of PHP code would you be vulnerable. So, there was at least 1 Mac with outdated code and the author leads with it. Looks like he was looking for hits. What is 1 out of 12 million users? Very small, no?
    Remember, Web sharing is off by default, and many, if not all Mac users don’t have it enabled and facing the internet.

    Good try though.

  3. Andrew, thanks for giving us something to laugh at.

    Shit for brains!

    Whoaa, Apple is quaking in their boots, Andrew’s not buying. Time to get busy and see if we can get his business back…..ahhhahhhahaahah

    Pea head loser!

    Why do you bother?

    Do you think ANYBODY cares?

    Your psycho pseudo techo ramblings are so lame-oh (I would have said “turd like” but I didn’t want to offend Turd Ferguson)

  4. MDN… I owe you an apology.

    I’ve been one of the posters complaining about all of the boot camp articles…. but after today I’m gonna shut up about it.

    My buddy came by today. A die hard windows user. You know the kind, takes every opportunity to email me any joke, article, or piece of negative Steve Jobs info he runs across on the net or about all things apple. A great guy, just misinformed in the computer world.

    Wellllll…. he came by today to watch the game. While he was here he complained about his nice and fairly new Dell Tower being dead, (and the horrible customer service he got on the phone last night), and his nice new Gateway laptop giving him trouble, (ditto on the bad customer service). He needed to finish a movie last night for his church to use this morning (using Vegas and Windows Movie Maker) and couldn’t get it done in time because of all of the struggles he was having.

    Since we email windows/mac insults to each other back and forth, I send him references from MDN about all things Mac, recently about Boot Camp. He referenced this in our conversation about his troubles and what to do to fix it.

    We took his data, imported it into iMovie 06 on my 20″ iMac G4, finished his project in just over an hour and burned his DVD. He can use it next week. In the course of our conversation I informed him about the speed increases in the new intel macs being 2 generations above the G4 performance he was seeing. He also asked me if the whole “xp on a mac thing” was for real.

    We went to my business to check out the 20″ intel core duo, 2 gb ram, with windows xp loaded onto it.
    .
    .
    .
    .
    .
    .

    He freaked…. seriously….. he absolutely freaked out.

    Straight to the apple store, bought the 20″ iMac, his other computer stuff is going on ebay tomorrow. He’s buying 2 gig of ram from Memory to Go.com. This is the last person I would have EVER, EVER expected to switch. To put it mildly… Hell is seriously frozen over tonight. It was Boot Camp that did it.

    Here’s a direct quote… “it’s not Windows I’m afraid of letting go of, it’s all of the windows software I’ve got that I don’t want to have to re-buy or convert over. I can’t afford to spend those kind of bucks at the same time I’m buying a new computer. Now I don’t have to do that.”

    MDN… my apologies. Boot Camp me to death.

  5. Nice story, Jim.

    Artisticulated, yup. I had a good time reading it.

    Justme2, I also use Intego’s stuff. In spite of Intego’s PR problem a while back, I think these two products are very good.

    Guess that’s it.

  6. >So arbitrary code could be executed… and do WHAT exactly?? Keep in mind, such code would still be subject to normal privileges!

    Uh, as long as there is a process running (and there is code that doesn’t even show up as a top process too!) that’s malicious, it WILL get root access eventually. Naturally I can’t state how, but it just takes longer that’s all.

    >I have Intego’s NetBarrier and Virus Barrier installed on my computers.

    About the worst thing you can do is run/install an application to run as root, including anti-malware software. Why? the flaws the application and Apple makes changes to the OS all the time which exposes more flaws if the code is not what’s expected.

    I give you three examples, McAfee “Virex”, Symantec “Norton AV” and the famous Sony cd rootkit.

    ClamXav doesn’t require root access and flags malware just fine. Why? Because those “other” commercial software have a sinister side to them, or just plain incompetence.

    >I don’t open any attachment that I’m not expecting.

    Good for you.

    >I’m wary, but not paranoid…if we start freaking out about our own computers being used as a botnet or some such, let’s just shut them all down and go back to the IBM Selectric days (wonder how my typing speed is on that old monster)…

    Actually I hear the typing speed on some of those old electric typewriters is better than the squishy Apple keyboards.

    >I’m not a big Ronald Reagan fan, but he said one line that applies to many situations: “Trust, but verify.”

    I like Little Snitch myself, try it, you’ll be shocked how many programs contact the internet regularly without permission.

    >Looks like you didn’t read the article carefully. The problem is not with OS X. It’s with PHP….

    “Shadowserver founder Nicholas Albright said he and his crew have found at least 20 variants of the *same Perl script that can be used to open back doors on OS X systems* running vulnerable Web applications.”

    http://secunia.com/advisories/17922/

    Yea I RTFA, did you? It’s a combination of two flaws, 20 in Mac OS X “perl script” and any flaw in the web application used to get to it.

  7. >Amazing how Apple will patch things ASAP and Microsoft takes FOREVER to fix them.

    Well, these bugs were reported to Apple at the beginning of the year, and only one out of seven has so far been patched. Not exactly a lightning response. These vulnerabilities are as bad as they get, too – the ability to run arbitrary code is *not good*. The only thing protecting us at the moment is the famous “security by obscurity”…

  8. >So arbitrary code could be executed… and do WHAT exactly?? Keep in mind, such code would still be subject to normal privileges!

    Use your imagination Lord Robin. Code with normal privileges can do all sorts of interesting things. Delete all your user files. Log your key strokes and password entries. Email information back to base. Harvest your address book for spam. Randomly corrupt your plist files so applications keep crashing. I don’t know, there’s a gazillion things I can do that would render your machine unstable and insecure. Face reality – MacOS X is not invulnerable.

  9. Here’s the details on these “minor flaws”:

    When processing a malformed .tiff image file, the LZWDecodeVector() function does not properly parse the malformed data causing the application which it was opened with to crash. This issue is within the core .tiff parsing engine making Preview, Finder, QuickTime, and Safari potential attack vectors for this issue.
    – This issue was silently fixed by Apple in update 10.4.6.

    BOMArchiveHelper is the default archive file handler in Mac OS X. It runs as a service that does not have a GUI interface. It is invoked when double clicking on an archived file. A heap overflow vulnerability exists within BOMArchiveHelper which allows for an attacker to cause the application to crash, and or to execute arbitrary code on a targeted host.
    – This vulnerability was reported to Apple on 2/21/2006. No patch is available at this time.

    Multiple vulnerabilities exist within Safari 2.0.3 (417.9.2) and all prior versions which causes the application to crash, and or may allow for an attacker to execute arbitrary code.
    – Currently no patches have been released for these vulnerabilities.

    A heap overflow vulnerability exists when processing .bmp files which causes the application to crash, and or may allow for an attacker to execute arbitrary code on the targeted host.
    – Currently no patches have been released for this vulnerability.

    A heap overflow vulnerability exists when processing .gif files which causes the application to crash, and or may allow for an attacker to execute arbitrary code on the targeted host.
    – Currently no patches have been released for this vulnerability.

    When processing a malformed .tiff image file, the _cg_TIFFSetField () function does not properly parse the malformed data causing the application which it was opened with to crash. This issue is within the core .tiff parsing engine making Preview, Finder, QuickTime, and Safari potential attack vectors for this issue.
    – Currently no patches have been released for this vulnerability.

    When processing a malformed .tiff image file, the PredictorVSetField () function does not properly parse the malformed data causing the application which it was opened with to crash. This issue is within the core .tiff parsing engine making Preview, Finder, QuickTime, and Safari potential attack vectors for this issue.
    – Currently no patches have been released for this vulnerability.

    … and remember guys, every time you visit any web site, your computer is opening image files that could be installing arbitrary code on your computer. That includes the ad images on this page. Better pray that security by obscurity really does work, because it’s the only line of defence left until Apple get round to patching these.

  10. It’s the same psychology at work, I hear it from Windows users all the time.

    “No code is perfect”

    “You just have to make sure you don’t do *list two dozen things here* and do this *list a dozen things here* when you get a new computer.”

    Let’s see now what we have to do to make Mac OS X secure?

    1: Software update immediately upon hooking to the internet.

    2: Don’t open any emails or attachments from unknown sources.

    3: Don’t run any program from untraceable sources as it could install a malicious program seeking root entry or be a trojan and wipe your files.

    4: Don’t download any files like zips, Quicktime files or what not because of the meta data exploit will run code.

    5: Don’t visit any sites you can’t trust or click any links you don’t trust because a few dozen Safari exploits will run code.

    6: Install and use a non-root enabled anti-malware program to clean/check the incoming files you get from others, especially PC users because their machines may instantly be *owned* and the files maliciously sent from their address book.

    7: Enable Mac OS X firewall to maximum settings and watch the log files.

    8: Run a port scan occasionally to see if your ports are open when System Preferences says they’re not.

    9: Stay glued to the internet for the latest “bad news” and latest exploits so you can take corrective action.

    10: Stay on top of applications because they are full of exploits which in turn can take over your Mac.

    11: Read “Securing Mac OS X” to learn how to keep your machine secure from physical as well as internet attacks.

    Holy cow, it’s not that different from a Windows box, and they got more software!!!

    I’ll part with this.

    When people drive cars, do they need to be a mechanic to keep them running?

    So why does Mac users have to be computer mechanics to keep their machines running?

  11. You know what I would do if I was Steve Jobs right now?

    Every time an exploit occurs and it was traced to a particular programmer, I would cut the person’s toe off and feed it to them for lunch.

    Then when there were no more toes I would start on the fingers and eventually they won’t be able to code for anyone and the world would be a better place.

  12. Andrew (spelt “idiot”) and Head Check,

    Take deep breaths and stop squealing like 4 year old sheilas.

    I have been using OSX for 5 years and never had a security issue of any sort. I am on the internet every day, business and personal.

    Prior to this I used PC’s and they made my life a living hell, as someone who works on a lot of documentation. To this day, my friends who are PC users, their lives still are a living hell. One has lost 3 HDD’s in 3 years. Then, he bought a new Dell 4 weeks ago and within one day it wouldn’t boot due to a nasty virus. He finally realized he should have bought a mac, but for him it was too late.

    Apple will “get serious” on security when it becomes a problem. The stark, obvious, blazing, hell anybody can see it, REALITY is that security is NOT a problem – nil, zero, zilch, nothing, nada – for Macs.

    So stop, halt, cease and desist from writing your hysterical, farcical, Bill Gates fan boy blather.

    I’m sick of coming into a mac forum and having to read this sh*t.

    My apologies to everyone else.

  13. “So why does Mac users have to be computer mechanics to keep their machines running?”

    Andrew, you are an orifice of vile spewage.

    I have NEVER done anything to my PM G4 dual 867 except use it, no OS installs, nothing (yes, I’m still running Jaguar, don’t flame me please). Over four years, no problems yet.

    If your paranoia helps you justify your existence, more power to ya.

  14. @LordRobin “I am so sick of Chicken Littles on this forum.”

    I’m a little late getting back, so I doubt anyone will read this, but….

    I was not “Chicken Littling” – just discussing an article that MDN thought was important enough to report. I am not paranoid, Mac OS X IS INHERENTLY more secure than Windows. It’s a good thing to report and discuss these topics, they are important and should not be dismissed out of hand. That’s all I am trying to say.

    @Brad T “The stark, obvious, blazing, hell anybody can see it, REALITY is that security is NOT a problem – nil, zero, zilch, nothing, nada – for Macs……I’m sick of coming into a mac forum and having to read this sh*t.”

    Brad – First, I’m not flaming ya here. I just want to say that – you are sick of coming to Mac forums and having to hear these kinds of things? MDN felt it worthy of a report, so people responded. It’s good to be notified and updated about security issues. I’m not running around saying the sky is falling, but I don’t want to ignore possible threats either. Mac users don’t have to take a bottle of Xanax each time they turn on their computers as do some Windows users, but we do need to stay informed. Apple has a procedure for submitting possible vulnerabilities in OS X directly to them – so this is obviously IMPORTANT TO APPLE AS WELL.

    If the “The stark, obvious, blazing, hell anybody can see it, REALITY is that security is NOT a problem – nil, zero, zilch, nothing, nada – for Macs.”, Then Apple wouldn’t even bother to have a submission policy nor be concerned about it whatsoever. I’m glad they are………..

  15. Ya know what I would do If I were Bill Gates right now?

    Give all of my money away to charity as fast as possible with my darling wife Melinda trying to make a difference in the world…

    … ’cause as soon as Vista finally rears its ugly head on the planet, Microsoft will become a giant black hole, sucking in upon itself until nothing in Redmond exists, except maybe a Chuck-E-Cheese or two.

    At that point, everyone and her brother is going to be so pissed at Bill Gates that they won’t even take a dime of his ‘Monopoly Money’ charity, cause they’re so pissed at him. (did I already say that?)…

    … But it won’t matter by then ’cause young Ol’ Billy will have sown the seeds and things like the Gates Foundation Childrens Educational Awareness Intervention Centers, won’t have much association with the blood money spent to buy such pretty named things.

    Really, I’m not kidding… this is what he’s doing RIGHT NOW. He’s not running the helm over at Micro$haft, He’s pretty smart and knows when to leave the concert before the show ends and miss all of the bumper to bumper traffic heading out from FedEx Field in Washington.

    I’m no Bono fan, but it must-a really sucked sharing the cover of time magazine with a bunch of geeks posing as people who care about something other than beating the piss out of any competitor that dares to offer a useful product that might be a good idea that wasn’t thought of in Redmond. </rant>
