Apple struggles to fix critical glitch

Serious QuickTime flaws put Macs and PCs at risk...


Serious flaws in Mac OS X and QuickTime software could put Macintosh and Windows systems at risk of cyber attack, Apple has warned.

In a pair of security alerts released on Thursday, Apple outlined 31 flaws that affect various versions of the operating system and a dozen vulnerabilities in its QuickTime media player software. Security experts have deemed the issues "critical" but Apple does not provide a severity rating. Fixes are available.

The Mac OS X vulnerabilities lie in various components of the operating system and affect both the server and client versions, Apple said in an advisory. An attack could be launched using some of the bugs by creating a malformed file, or by building a malicious website and enticing someone to visit it, the company said.

The French Security Incident Response Team, a security-monitoring company, said in an advisory: "These flaws could be exploited by attackers to execute arbitrary commands, bypass security restrictions, disclose sensitive information or cause a denial of service."

The patches indicate Apple is having a hard time completely resolving a security flaw that surfaced earlier this year. They fix an issue in the "download validation" function, a feature designed to protect Mac users from installing harmful code from a malicious website or email - a risk more familiar to Windows users.

Apple added the function in a security update released in early March. Two weeks later, it issued another update to fix some problems with the feature. Thursday's fix tackles another issue: the download validation may be bypassed if a file has a long name, Apple said.

Critics have argued the download validation function is not enough to address the installation risk, and that Apple needs to correct the problem at a lower level in the operating system.

The QuickTime flaws put both Mac OS X and Windows computers at risk of compromise. All of the vulnerabilities exist because of errors in the way the media player software handles certain files. Specially crafted files in certain media formats - including AVI, Flash, JPEG, MPEG4 and QuickTime - could allow an intruder to hijack a vulnerable system, Apple said in an advisory.

Apple's security update 2006-003 for Mac OS X and the QuickTime patch can be downloaded and installed via Software Update preferences or from the Apple Downloads website.

Joris Evers writes for CNET News.com

Comments

There are 4 comments.

  1. Julian Nicholls

    Ahem, so Mac software and OSes are entirely immune to viruses and exploits.

    Sorry, I must have been watching the condescending adverts again.

    • 15 May 2006 11:25
  2. Matt Brown

    I have now been a Mac owner for 3 years since converting from PC. I have never looked back, no blue screens, rebuilding the OS when it gives up - nah these are headaches I can live without.

    The risks to Mac are minimal and I am happy to take a 'this risk' posed to Macs as I am not the sort of user who gets enticed to click on a phishing email or virus attachment, most of the web based threats usually hijack Internet Explorer and not Firefox or Safari anyhow :-)

    • 16 May 2006 10:09
  3. Dru Richman

    Walt Mossberg, one of the world's most respected technology writers wrote -

    There is no sudden security crisis on the Apple Macintosh platform. In fact, for average Mac users, there isn't a security threat of any significance, at least not yet. It is laughable to compare the real, massive and burdensome security problems on Windows with the largely theoretical security problem on the Mac.

    As I have said in the past, no operating system is invulnerable to attack, including Apple's Mac OS X operating system, which powers Macintosh computers. It is possible to write malicious software for the Mac, including viruses and spyware, and it is possible for this software to spread in the wild, infecting many Macs.

    However, despite what you may have heard, this hasn't happened to any degree that matters, yet. As of today, there have been exactly two documented, successful pieces of malicious software -- viruses, trojan horses, worms -- that affected users of the Mac OS X operating system, since it was released in 2001. And these two failed to spread much, affecting probably a few dozen people, and doing no harm. I expect there to be a small number of additional Mac viruses this year.

    By contrast, there are over 100,000 reported viruses for Windows, some of which have affected millions of people and have done significant economic damage. As for spyware, I know of no documented cases on Mac OS X, while there are certainly thousands on Windows. These Windows viruses and spyware can't run on the Mac operating system, even on Macs powered by the same Intel processors used by Windows PCs.

    The recent publicity concerns theoretical vulnerabilities that security firms have identified in Apple's operating system. These vulnerabilities, like similar vulnerabilities in Windows, aren't necessarily being exploited. Like Microsoft, Apple fixes vulnerabilities as they are identified. But some critics say Apple does this too slowly.

    Security firms are saying that the discovery of these vulnerabilities in the Mac has increased sharply lately. They say that based on past patterns, this should yield a sharp increase in the number of Mac viruses in coming years. But even a "sharp" increase could well mean under 50 viruses by 2008.

    So my advice to Mac users is that at the moment, I see no reason to buy and run security software, which is in itself costly and can degrade your computing experience. But you should make up your own mind, based on your tolerance for risk.

    Here's a test you can use. Imagine you live in a neighborhood that has suffered only a couple of ambiguous, harmless burglaries over five years, even though the neighborhood is surrounded by much higher-crime areas. If you would buy a burglar alarm in such a neighborhood, then buy Mac security software. Otherwise, don't. Just turn on Apple's built-in firewall and relax.

    There is one exception: If you are running Windows on one of the new Intel Macs, you are just like a Windows user, and you must run Windows security programs when using Windows.

    • 16 May 2006 13:03
  4. Norman J Cesar

    Good to see Matt Brown perpetuating silly myths about PCs... My current desktop is running Windows 2000, has been since July 2001. In that time I have had only one blue screen of death incident, when I added a new second hard-drive. This was quickly resolved, however, by setting the new hard-drive to be a slave.

    I wonder what Mr Brown had been doing to his PC to keep getting these problems, because with simple care, and quite often just reading the screen, a user can avoid these problems.

    • 16 May 2006 14:37