By Patrick Gray, 27 November 2003 08:05
Details of an as-yet-unpatched security vulnerability in Apple's OS X software have been published on the web.
The researcher who found the vulnerability, William Carrel, claims he was forced to release his advisory to the public before the development of a patch, in the interests of Apple users -- users he says have been "left exposed" by the company's sluggish response in developing a fix. He said Apple reneged on an agreed patch release date, before stringing him along for weeks while he waited for the company to engineer an update.
"Meanwhile, users are left exposed and independent rediscovery [of the vulnerability] seemed fairly likely... maybe by someone less scrupulous than myself," he wrote in the advisory. "I felt I was being strung along and that the issue may never get properly addressed so I set a hard deadline at that point. They didn't meet it, and I issued my advisory."
Apple drew fire from the wider security community last month when it failed to provide a patch for the older 'Jaguar' version of its OS X operating system, effectively forcing customers to buy an upgrade to the company's latest version, 'Panther', to protect themselves against a series of security flaws discovered by US-based security research firm @Stake.
While it has since been reported that Apple has issued a patch for the Jaguar defects found by @Stake, a close inspection of the recently released security update reveals that the Common Vulnerabilities and Exposures (CVE) candidate numbers listed for the patched vulnerabilities do not match those assigned to the @Stake findings. It would therefore appear that Jaguar variants of OS X remain vulnerable to the older bugs.
The latest vulnerability lies in the way the operating system handles malicious responses from rogue DHCP servers - the network servers that hand out IP addresses and other network settings to computers on a network. Standard DHCP gives a client no way to authenticate the server that answers it, so any machine on the same network segment can pose as one and the client will act on whatever configuration it is sent.
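The article does not reproduce the details of Carrel's advisory or its workarounds, so the specifics of how OS X mishandles the responses are not covered here. What a practitioner can do on any network is watch for DHCP replies that do not come from the servers they run. The following is an added example, not code from the article or from the advisory: it parses a DHCP server reply (RFC 2131 header plus RFC 2132 option TLVs), checks the server identifier against a site allowlist, and, when the reply comes from an unlisted host, reports which network settings the client would have trusted from it. The allowlist, the MAC and IP addresses and both sample packets are constructed for the example; the packets are not captures from the incident in the story.

```python
"""Flag DHCP server replies that come from a server not on the site's allowlist.

Added example; the packets built below are constructed test data, not real captures.
"""
import struct
from ipaddress import IPv4Address

DHCP_MAGIC = b"\x63\x82\x53\x63"  # RFC 2132 magic cookie that starts the options field
MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK", 6: "NAK"}
# Settings a client acts on; a rogue server uses these to steer the victim's traffic.
CONFIG_OPTIONS = {1: "subnet_mask", 3: "router", 6: "dns_server", 15: "domain_name"}


def parse_dhcp(payload: bytes) -> dict:
    """Parse the fixed BOOTP header and the option TLVs of one DHCP message."""
    if len(payload) < 240 or payload[236:240] != DHCP_MAGIC:
        raise ValueError("not a DHCP message")
    op, _htype, hlen, _hops, xid = struct.unpack("!BBBBI", payload[:8])
    yiaddr = IPv4Address(payload[16:20])  # address the server is handing out
    siaddr = IPv4Address(payload[20:24])  # 'next server' field, often the server itself
    chaddr = payload[28:28 + hlen].hex(":")
    options = {}
    i = 240
    while i < len(payload):
        code = payload[i]
        if code == 255:  # END
            break
        if code == 0:  # PAD
            i += 1
            continue
        if i + 1 >= len(payload):
            raise ValueError("truncated option header")
        length = payload[i + 1]
        data = payload[i + 2:i + 2 + length]
        if len(data) != length:
            raise ValueError("truncated option %d" % code)
        options[code] = data
        i += 2 + length
    mt = options.get(53)
    msg_type = MSG_TYPES.get(mt[0], "UNKNOWN") if mt else "UNKNOWN"
    sid = options.get(54)
    server_id = IPv4Address(sid) if sid is not None and len(sid) == 4 else None
    return {"op": op, "xid": xid, "chaddr": chaddr, "yiaddr": yiaddr, "siaddr": siaddr,
            "msg_type": msg_type, "server_id": server_id, "options": options}


def decode_option(code: int, data: bytes):
    """Render address-list options as dotted quads and string options as text."""
    if code in (1, 3, 6):
        return [str(IPv4Address(data[i:i + 4])) for i in range(0, len(data) - len(data) % 4, 4)]
    return data.decode("ascii", "replace")


def check_reply(msg: dict, allowed_servers) -> list:
    """Return findings for a server-to-client reply; an empty list means it looks legitimate."""
    findings = []
    if msg["op"] != 2 or msg["msg_type"] not in ("OFFER", "ACK"):
        return findings  # only server replies can be rogue offers
    allowed = {IPv4Address(a) for a in allowed_servers}
    if msg["server_id"] is None:
        findings.append("reply carries no server identifier (option 54)")
    elif msg["server_id"] not in allowed:
        findings.append("reply from unlisted DHCP server %s" % msg["server_id"])
    if msg["siaddr"] != IPv4Address("0.0.0.0") and msg["siaddr"] not in allowed:
        findings.append("next-server field points at unlisted host %s" % msg["siaddr"])
    if findings:  # show what the client would have trusted from this server
        for code, name in CONFIG_OPTIONS.items():
            if code in msg["options"]:
                findings.append("%s pushed %s=%r" % (msg["msg_type"], name,
                                                     decode_option(code, msg["options"][code])))
    return findings


def build_reply(server_ip: str, client_ip: str, mac: str, router=None, dns=None) -> bytes:
    """Construct a DHCPOFFER for testing (assumed values, not a capture)."""
    hdr = struct.pack("!BBBBIHH", 2, 1, 6, 0, 0x3903F326, 0, 0)
    hdr += bytes(4) + IPv4Address(client_ip).packed + IPv4Address(server_ip).packed + bytes(4)
    hdr += bytes.fromhex(mac.replace(":", "")) + bytes(10) + bytes(64) + bytes(128)
    opts = bytes([53, 1, 2, 54, 4]) + IPv4Address(server_ip).packed
    opts += bytes([1, 4]) + IPv4Address("255.255.255.0").packed
    if router:
        opts += bytes([3, 4]) + IPv4Address(router).packed
    if dns:
        opts += bytes([6, 4 * len(dns)]) + b"".join(IPv4Address(d).packed for d in dns)
    return hdr + DHCP_MAGIC + opts + b"\xff"


ALLOWED_SERVERS = {"192.168.1.1"}  # assumed site allowlist
LEGIT = build_reply("192.168.1.1", "192.168.1.100", "00:0a:95:9d:68:16",
                    router="192.168.1.1", dns=["192.168.1.1"])
ROGUE = build_reply("192.168.1.66", "192.168.1.100", "00:0a:95:9d:68:16",
                    router="192.168.1.66", dns=["192.168.1.66"])

if __name__ == "__main__":
    for label, pkt in (("legit", LEGIT), ("rogue", ROGUE)):
        print(label, check_reply(parse_dhcp(pkt), ALLOWED_SERVERS) or ["ok"])
```

In practice the payloads would come from a packet capture on UDP port 68 rather than from `build_reply`; the parser deliberately refuses truncated option fields instead of guessing, since a malformed reply is itself worth flagging.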
Carrel published his advisory 48 days after initially notifying Apple Computer of the bug, he claimed in the advisory. "It would not be fair of me to let Mac users hang out in the breeze for more than two months on an issue of this magnitude. You may disagree but I have no regrets about my actions and feel that I was more than fair to Apple Computer and its users," he wrote.
One security researcher, who declined to be named, told silicon.com sister site ZDNet Australia the "news behind the news is that people are starting to poke at Mac OS X now. Apple finally has an OS that is fun for hackers to play with."
Apple has indicated it will release a patch in December, Carrel said. Workarounds for the vulnerability are detailed in the advisory.
A representative of Apple Computer was unavailable for comment at the time of writing.
Patrick Gray writes for ZDNet Australia.

Comments
There are 5 comments.
1. anonymous
It is worth noting that @Stake is the same company that fired Dan Geer, noted security researcher, when he contributed to a report critical of Microsoft. The funding behind @Stake is clear. No surprise they would be critical of a company with a good security record. A brief report of Dan Geer's firing is here http://www.infoworld.com/article/03/09/26/HNdisowns_1.html
2. anonymous
oh good. a 'scrupulous' security advisor has determined that HIS timetable isn't being met by a vendor and has decided to go public with the insecurity.
so is this a form of extortion?
3. Michael Brian Bentley
There doesn't seem to be many actual facts in use by this article to substantiate its case against Apple: no direct quotes from anyone, no credits for research. It declares that something happened and that some other thing is the case and so these other things happened. Unless you have some substantive quotes from folks who are in a position to know what's going on, your article is based on supposition.
4. anonymous
Can you imagine the uproar if Microsoft hadn't issued a security patch 48 days after they were notified of the vulnerability, or if they forced users to pay for an OS upgrade to fix vulnerabilities in a recently released version of Windows?
5. anonymous
Yeh, the guy made a judgement. Not doing anything would also have been a judgement call and may have been more damaging. Do you know for sure which was right? 'cos I don't. It doesn't surprise me that Apple dragged their feet on this - they seem to hate being told of this sort of thing by outsiders & then they sulk :-{