Menu
Apple fig-leaf security patch causes dismay

Apple fig-leaf security patch causes dismay

A critical patch for Mac OS X issued on Friday leaves Mac users as vulnerable to attacks as they were before the fix, according to a security company.

Last week researchers warned of two serious vulnerabilities in Apple Computer Inc.'s Unix-based operating system, both allowing a malicious Web page to send code to a Mac and execute it. One problem was in the way Mac browsers handle addresses using the "help" protocol, ordinarily used for locating content for the Mac's Help Viewer application. The other problem was with handling of the "disk" protocol, used for downloading the disk images, such as DMG files, that the Mac uses for transferring compressed executable files and installers. Both flaws use default settings in browsers such as Safari and Internet Explorer to make Macs automatically download and execute any code the attacker chooses.

Apple issued a patch for the "help" flaw on Friday, but the fix leaves the "disk" problem unpatched, experts said. "Mac users are as vulnerable now, as before the patch was released," Niels Henrik Rasmussen, chief executive of security firm Secunia told us. Secunia and other security bodies, including the U.S. government, classified the bugs as serious because the problems are easy to exploit and working exploits are available.

Once a disk image containing malicious code is downloaded the code can be executed via other networking protocols, such as FTP and AFP, according to Secunia. A temporary fix is to modify the Mac's Internet preferences, turning off the option to open "safe" files after downloading and adding a helper application for the "disk" and "disks" protocols, the company said in its advisory.

Apple went out of its way to downplay the seriousness of the problem on Friday, to the dismay -- though not the surprise -- of security professionals. The company referred to the "help" issue as a "theoretical vulnerability" and argued customers were not in danger. "Apple takes security very seriously and works quickly to address potential threats as we learn of them - in this case, before there was any actual risk to our customers," said Philip Schiller, Apple's VP of worldwide product marketing, in a statement.

Critics pointed out that Apple was warned of the hole in February, but did not issue a patch until the problem began to be widely discussed on Internet forums last week.

The information accompanying the Help Viewer patch states only that it ensures "HelpViewer will only process scripts that it initiated", failing to clarify the problem's seriousness, Secunia said.

"Microsoft (Corp.) and most Linux distributions have learned the lesson and properly describe the nature and the impact of (most) vulnerabilities, allowing their customers to properly estimate the severity of a fixed issue," said Schiller. "This is not possible when reading an Apple update."

Mac OS X has become more of a focus for malicious exploits recently, partly as a result of Apple's success at marketing the Mac, according to industry analysts. In the meantime, the company's way of handling security issues remains inadequate, and risks putting users in danger, security researchers say. For example, the company downplayed the seriousness of a recent security hole that was already exploited by a "proof-of-concept" Trojan horse available online.

"Apple is doing a disservice to its customers by incorrectly labelling this vulnerability as a 'crash bug' rather than stating correctly that attackers can compromise systems running the affected Apple software," said security firm eEye Digital Security Inc.

Earlier this month, a series of serious security bugs were identified in Mac OS X with what critics called an insufficient effort to make users aware of the problems. Apple released a string of critical patches early in May.


Follow Us

Join the newsletter!

Or

Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.

Featured

Slideshows

Meet the leading female front runners of the Kiwi channel

Meet the leading female front runners of the Kiwi channel

Reseller News honoured the leading female front runners of the New Zealand channel at the 2018 Women in ICT Awards (WIICTA) in Auckland. The awards honoured standout individuals across seven categories, spanning Entrepreneur; Innovation; Rising Star; Shining Star; Community; Technical and Achievement.

Meet the leading female front runners of the Kiwi channel
Meet the top performing customer-centric Microsoft channel partners

Meet the top performing customer-centric Microsoft channel partners

Microsoft honoured leading partners across the channel following a year of customer innovation and market growth in New Zealand. The 2018 Microsoft Partner Awards recognised excellence within the context of the end-user, spanning a host of emerging and established providers.

Meet the top performing customer-centric Microsoft channel partners
Reseller News launches new-look Awards at 2018 Judges’ Lunch

Reseller News launches new-look Awards at 2018 Judges’ Lunch

Introducing the Reseller News Innovation Awards, launched to the channel at the 2018 Judges’ Lunch in Auckland. With more than 70 judges now part of the voting panel, the new-look awards will reflect the changing dynamics of the channel, recognising excellence across customer value and innovation - spanning start-ups, partners, distributors and vendors.

Reseller News launches new-look Awards at 2018 Judges’ Lunch
Show Comments