May 25, 2004 2:14 PM PDT

Mac OS fix fails to plug security hole

By Robert Lemos
Staff Writer, CNET News

Share
- Digg
- Del.icio.us
- Reddit
- Facebook
Email
Print

Related Stories: Apple issues Mac OS X security patch
May 21, 2004; Mac OS X vulnerable to one-two combo attack
May 18, 2004; Apple criticized for security advisories
May 4, 2004

A security hole still threatens Mac OS X users after a patch issued by Apple Computer last week failed to fix the underlying problem, security experts said on Tuesday.

The security issue could allow an attacker to transfer and then run a malicious program on a Mac, if the Mac's user can be enticed to go to a fake Web page on which the program has been placed.

"This, in my mind, is the first critical vulnerability on OS X," said Richard Forno, a security researcher and the former chief of security for domain registrar Network Solutions. "Downloading the patch and seeing that there were some things that were fixed and some things that weren't, tells me that there is more work to be done."



		Get Up to Speed on... Enterprise security Get the latest headlines and company-specific news in our expanded GUTS section.

Two other software companies have confirmed the issue. Security information company Secunia raised its rating of the potential risk to "extremely critical" after determining that the vulnerability is more widespread than Apple apparently first thought. Independent software maker Unsanity released a tool this week to work around the problem and put out a white paper describing the issue.

Apple would not comment. The company released the original patch Friday after news of the vulnerability appeared on the Internet.

The vulnerability actually involves two flaws. One allows a Web site to place a file on the Mac's hard drive when a user clicks on a uniform resource locator, or URL, specifically designed to bypass Mac OS X's security. The other gives an attacker the ability to run a file on another user's computer, provided the location of the file is known. Used together, the flaws constitute a major security hole that could result in a potential instant-messaging or e-mail virus.

Perhaps the biggest problem is that there seems to be no easy solution, Jason Harris, a programmer for Unsanity, wrote in the company's white paper.

"There's lots of overlap between useful applications of this functionality and malicious ones, meaning that Apple can't easily fix this without removing useful features from its operating system and from existing apps," he wrote.

The issue is the first major security problem for Mac OS X that has not been caused by the operating system's underlying Unix roots. Previously, Mac OS X has mainly had to patch problems that affected FreeBSD, the Unix-like operating system on which it is based. However, the current issue is in the code that the company built on top of that software.

Forno maintains that the Mac is more secure than Windows but stressed that this problem should have been caught in testing before the operating system had shipped. Moreover, in light of the goofed patch and previous issues with Apple downplaying security problems, he said the company needs to start being more proactive about security.

"Apple is coming to terms with dealing with these types of issues, "Forno said.

See more CNET content tagged:
security hole, Apple Mac OS, Apple Mac OS X, Apple Computer, Apple Macintosh

Add a Comment (Log in or register) 2 comments

Apple Security
by May 26, 2004 8:17 PM PDT: Apple released a total update. OS X 10.3.4 no doubt has all
issues handled.; Reply to this comment

In reply to Mac security.
by louisgreco June 3, 2004 5:49 AM PDT: Thank you for the perspective on Mac issues.
My ISP, Videotron is promising upgrades in security but for now
continues to be a target for harvesters and saboteurs. Your
article compels me to be even more careful on the web.
Louis Greco,Montreal,Canada.; Reply to this comment

Latest tech news headlines

What you can--and can't--find about Palin on the Internet
Posted in News - Politics and Law by Stephanie Condon

September 4, 2008 10:20 PM PDT
Michael Moore plans Net-only film premiere
Posted in News - Digital Media by Steven Musil

September 4, 2008 9:20 PM PDT
McCain talks up oil drilling, green energy
Posted in News - Politics and Law by Declan McCullagh

September 4, 2008 9:11 PM PDT

RSS Feeds

Add headlines from CNET News to your homepage or feedreader.

More feeds available in our RSS feed index.

Inside CNET News

Scroll Left Scroll Right

Nanotech: The Circuits Blog
Timing rumors surface for AMD plant spin-off
Rumors persist that Advanced Micro Devices is planning to spin off all or part of its manufacturing operations.
Gallery
Photos: Ron Paul's RNC alternative
As the Republican convention took place just miles away, a crowd rallied for the former presidential candidate and his message of limited government, ensured civil liberties, lower taxes, and peace.
Digital Noise: Music and Tech
Was 1980s music that bad?
NPR asks listeners which year featured the best music, and the 1980s emerge as a bleak era. Personally, the '80s figure prominently in my collection, but well behind the 1970s.
Beyond Binary
Microsoft begins big ad push
Microsoft's multi-year push, estimated at $300 million, begins with a spot featuring Bill Gates and Jerry Seinfeld aired during Thursday's NFL game.
Video
YouTube plays party politics
During the presidential campaigning four years ago, YouTube didn't even exist. Now it's a tool candidates must master to get their message across. CNET's Kara Tsuboi stops by the YouTube upload booths at the Democratic and Republican conventions to find out why Google's video site has such a big presence in Denver and St. Paul, Minn.
News - Digital Media
Michael Moore plans Net-only film premiere
Filmmaker plans to premiere his latest documentary exclusively on the Internet for free, forgoing the traditional theatrical release.
Video
Political party playlists
We know the Democrats and Republicans are split over policy issues, but does their musical taste fall down party lines too? And what kind of gadgets did they bring to the conventions to listen to their music? CNET reporter Kara Tsuboi finds out.
News - Politics and Law
What you can--and can't--find about Palin on the Internet
John McCain's choice of Sarah Palin as a running mate has inspired a wealth of creativity on the Internet.
News - Cutting Edge
Execs predict next Google-like tech
On eve of company's 10-year anniversary, researchers and business pundits speculate about what technologies might someday have as much impact as Google.
Gallery
Photos: The brains behind Google Chrome
Here's a look at some of the engineers and executives who took the stage at the company's headquarters as they unveiled the new browser.
Crossfade
Ying Yang Twins, 'Look Back At It': Free MP3 of the Day
This amped-up duo gets the party started with a mix of crisp, Southern hip-hop beats and shout-along rhymes. Download a free MP3 of "Look Back At It" courtesy of CNET Download Music.
Green Tech
Clean-tech group forms to support Obama
"Clean Tech and Green Business for Obama" aims to raise $1 million for the Democratic presidential nominee while elevating issues of climate change and alternative energy.