Independent security researcher says Apple’s latest Mac OS X fixes fall short

“Apple Computer released its third major patch this year for the OS X operating system on Thursday, fixing 31 software vulnerabilities in a range of products that could be used by remote attackers to compromise Mac OS systems,” Paul F. Roberts reports for InfoWorld. “But independent security researcher Tom Ferris told InfoWorld the latest patch doesn’t cover other critical holes he reported to Apple, and that he may soon publish the details of those flaws, too. Security Update 2006-003 was published on Apple’s Web site and includes software fixes for holes in OS X, the Safari Web browser, and Mac components for viewing image and video files. Included are fixes for a number of security flaws publicized by Ferris in April.”

“Ferris said there were still holes in Safari, QuickTime, and the iTunes application that he reported to Apple but were not patched in the latest release. He did not publish details of those holes on his Web site in April, but he described them as critical flaws that allow remote code execution,” Roberts reports. “Ferris said he is considering releasing the details of the unpatched holes on May 14 on his Web site. He also says he has found new holes in OS X affecting TIFF format files and BOMArchiver, an application used to compress files. He did not provide details about the flaws or proof of their existence… Officially, Apple downplays security holes in its products and new OS X attacks — which are still rare compared to those targeting Windows systems. But some security industry insiders have suggested that the company should appoint a chief security officer to coordinate the company’s response to security. An Apple spokesman did not immediately respond to a request for comment.”

Full article here.



55 Comments

  1. It would have been done by now. Would you want Apple to have withheld all patches until all were ready? OS X computers range from most G3 models on PPC through all G4-5 desktops and laptops through new Intel CPU systems in a wide variety of configurations. Making sure that a software patch closes the hole without opening others, or breaking functionality on multiple CPU, GPU & hardware combos, is not as easy as finding them. If the guy is so smart, why doesn’t he sell a patch that is fully indemnified?

  2. I’ve taken the precaution of barricading my doors, hiding behind the sofa with shotgun ready, and wearing a colander on my head for extra protection (the holes keep my head cool in these scary times).

  3. Rick, do you not recognize the difference between patching holes before they get exploited and fixing them after they’ve been the cause of widespread damage?

    I don’t recall EVER hearing anyone say OS X is bulletproof. So far, though, it’s been damn tough. OS X versus Windows: security wasn’t an afterthought.

  4. Asking for trouble:
    “It is sad that Apple fixes published holes and chooses to ignore/postpone the reported but unpublished ones.”

    So…
    Of the 31 vulnerabilities patched/fixed in the latest security update how many were published before the update was issued? I’m not going to bother to search the ‘net to find out (but be my guest). I doubt the number of published vulnerabilities is more than a few out of the 31 total.

    I believe you will find the same thing with regard to other security updates issued by Apple. Only a small fraction of the patches/fixes are published before the update is issued — and sometimes the updates contain only fixes to unpublished vulnerabilities.

    Thus, to me, your statement is patently false.

  5. The guy is looking for hits on his website. He threatens Apple, not considering the possibility that Apple hasn’t figured out how to patch those holes, or maybe Apple has plans for bigger patches later that will be more comprehensive, and patching it now serves no purpose but to make this guy look like he knows what he’s doing so someone offers him a real job?

    Apple knows what it is doing. This guy is just promoting himself.

    Bozo

  6. Reading the article it seems the only flaws that have been fixed are those indicated by Ferris. Apple gives credit to people reporting security flaws, and the update contains many fixes that have NOT been reported by Tom Ferris at all.

    I remember the last Secunia highly critical security flaw in OS X was reported to have affected at least two (2) Mac users. TWO!

    Usually a critical flaw is less of a problem than highly critical ones. I’ll shave my hair if, from now to the next update, the remaining critical flaws reported by Tom Ferris will have affected ONE user.

    OS X is based on FreeBSD and has additional security features. That alone (FreeBSD) is enough security.

    Once I read here a comparison between security problems in OS X and Windows. It pretty much describes the situation.

    It is like saying that two ER patients, one with a broken little finger, suffers from the same problems as an ER patient in because of a car crash: broken spine, exposed fractures on both legs, cracked skull and shattered collar bones. They both suffer from broken bones.

  7. It certainly screwed up my iTunes installation–either that or the QT update. Now iTunes can’t find any of the 60GB worth of music on my hard drives, and I’ll have to re-import the entire library. Not the end of the world, but certainly annoying.

  8. NO one has ever claimed Mac OS X is ‘bullet proof’. Can someone find me one documented case where they HAVE?! The truth is, it is TOUGHER to create viruses/worms/trojans for Mac OS X, than it is for Windows. The track record of Mac OS X is a HELL of a lot better than Windows. Mac OS X: 0 Viruses (and 2 barely successful trojans) vs Windows: 114,000 known viruses. Even if there are 50 viruses by 2008, that’s still 113,950 less than Windows in 2006! I’ll stick with Mac, even though it’s Not bullet proof, it is much safer.
