NEWS A security hole still threatens Mac OS X users after a patch issued last week by Apple failed to fix the underlying problem, according to security experts.
The security issue could allow an attacker to transfer and then run a malicious program on a Mac, if the Mac's user can be enticed to go to a fake web page on which the program has been placed.
Richard Forno, a security researcher and the former chief of security for domain registrar Network Solutions, said: "This, in my mind, is the first critical vulnerability on OS X. Downloading the patch and seeing that there were some things that were fixed and some things that weren't, tells me that there is more work to be done."
Two other software companies have confirmed the issue. Security information company Secunia raised its rating of the potential risk to "extremely critical" after determining that the vulnerability is more widespread than Apple apparently first thought. Independent software maker Unsanity released a tool this week to work around the problem and put out a white paper describing the issue.
Apple would not comment. The company released the original patch last Friday after news of the vulnerability appeared on the internet.
The vulnerability actually involves two flaws. One allows a website to place a file on the Mac's hard drive when a user clicks on a uniform resource locator, or URL, specifically designed to bypass Mac OS X's security. The other gives an attacker the ability to run a file on another user's computer, provided the location of the file is known. Used together, the flaws constitute a major security hole that could result in a potential instant-messaging or email virus.
Perhaps the biggest problem is that there seems to be no easy solution, Unsanity programmer Jason Harris wrote in the company's white paper.
He said: "There's lots of overlap between useful applications of this functionality and malicious ones, meaning that Apple can't easily fix this without removing useful features from its operating system and from existing apps."
The issue is the first major security problem for Mac OS X that has not been caused by the operating system's underlying Unix roots. Previously, Mac OS X has mainly had to patch problems that affected FreeBSD, the Unix-like operating system on which it is based. However, the current issue is in the code that the company built on top of that software.
Forno maintains that the Mac is more secure than Windows but stressed that this problem should have been caught in testing before the operating system had shipped. Moreover, in light of the goofed patch and previous issues with Apple downplaying security problems, he said the company needs to start being more proactive about security.
"Apple is coming to terms with dealing with these types of issues, " he said.
Robert Lemos writes for CNET News.com
Comments
There are 3 comments. Join the discussion
1. anonymous
Is this window of vulnerability available to a self perpetuating scheme?
2. Craig
The vulnerability which can place a file on your hard drive in no way by-passes OS X security. It can only operate within the permissions of the currently logged in user. Files can be overwritten, yes, but only if the user has write perimissions to those files. A user can loose files in their home folder, but files that they don't have write permisson on (the Mac OS X system files, for example) cannot be touched. With proper backups, this isn't half a bad as you make out.
More info on Unsanity's Paranoid Android is here: www.unsanity.com/haxies/pa. Free download, of course. Shouldn't this have been in your story Silicon?
There has yet to be a recorded example of a malicious implementation of this vulnerability and the 'trojan' programs that the press have made such a fuss about. Can this be because Mac users don't want to attack each other, despite how much other people want them to?
3. Rudi
I'm surprised to hear that MacOS is based in FreeBSD. I thought it was based on Darwin, which in turn is a BSD 4.4 layer running on top of a Mach Kernel.
Apple's Darwin web page (http://developer.apple.com/darwin/)
seems to agree with me ...