[ISN] Mac OS fix fails to plug security hole

From: InfoSec News (isn@private)
Date: Wed May 26 2004 - 00:29:49 PDT

  • Next message: InfoSec News: "[ISN] Auditors warn of foreign risks to weapons software"

    http://news.com.com/Mac+OS+fix+fails+to+plug+security+hole/2100-1002_3-5220285.html
    
    By Robert Lemos 
    Staff Writer 
    CNET News.com
    May 25, 2004
    
    A security hole still threatens Mac OS X users after a patch issued by 
    Apple Computer last week failed to fix the underlying problem, 
    security experts said on Tuesday. 
    
    The security issue could allow an attacker to transfer and then run a 
    malicious program on a Mac, if the Mac's user can be enticed to go to 
    a fake Web page on which the program has been placed. 
    
    "This, in my mind, is the first critical vulnerability on OS X," said 
    Richard Forno, a security researcher and the former chief of security 
    for domain registrar Network Solutions. "Downloading the patch and 
    seeing that there were some things that were fixed and some things 
    that weren't, tells me that there is more work to be done." 
    
    Two other software companies have confirmed the issue. Security 
    information company Secunia raised its rating of the potential risk to 
    "extremely critical" after determining that the vulnerability is more 
    widespread than Apple apparently first thought. Independent software 
    maker Unsanity released a tool this week to work around the problem 
    and put out a white paper describing the issue. 
    
    Apple would not comment. The company released the original patch 
    Friday after news of the vulnerability appeared on the Internet. 
    
    The vulnerability actually involves two flaws. One allows a Web site 
    to place a file on the Mac's hard drive when a user clicks on a 
    uniform resource locator, or URL, specifically designed to bypass Mac 
    OS X's security. The other gives an attacker the ability to run a file 
    on another user's computer, provided the location of the file is 
    known. Used together, the flaws constitute a major security hole that 
    could result in a potential instant-messaging or e-mail virus. 
    
    Perhaps the biggest problem is that there seems to be no easy 
    solution, Jason Harris, a programmer for Unsanity, wrote in the 
    company's white paper. 
    
    "There's lots of overlap between useful applications of this 
    functionality and malicious ones, meaning that Apple can't easily fix 
    this without removing useful features from its operating system and 
    from existing apps," he wrote. 
    
    The issue is the first major security problem for Mac OS X that has 
    not been caused by the operating system's underlying Unix roots. 
    Previously, Mac OS X has mainly had to patch problems that affected 
    FreeBSD, the Unix-like operating system on which it is based. However, 
    the current issue is in the code that the company built on top of that 
    software. 
    
    Forno maintains that the Mac is more secure than Windows but stressed 
    that this problem should have been caught in testing before the 
    operating system had shipped. Moreover, in light of the goofed patch 
    and previous issues with Apple downplaying security problems, he said 
    the company needs to start being more proactive about security. 
    
    "Apple is coming to terms with dealing with these types of issues, 
    "Forno said. 
    
    
    
    _________________________________________
    ISN mailing list
    Sponsored by: OSVDB.org
    



    This archive was generated by hypermail 2b30 : Wed May 26 2004 - 03:49:13 PDT