More minor security flaws in Mac OS X
Security-Protocols has discovered a few more minor security issues in Mac OS X that mainly pertain to how the OS and a few of its apps handle images and opening zip archives. From a quick glance through the listed errors, they pretty much amount to crashing an app, though a couple of the Safari issues cause "the application to crash, and or may allow for an attacker to execute arbitrary code." Apple has been notified of the issues and will apparently be fixing them in the next security update. As Tim Gaden at Hawk Wings (where I found this) says: the classic advice of being careful about what attachments and links you open and click on should keep your Mac humming along just fine.
In comment to Jeremy Wright's post regarding the serious nature of recently published exploits for OS-X, I want to say I fully agree and am happy someone else sees the big picture.
In Jeremy's words, "We're just really lucky they're figuring them out [i.e., the exploits] before they get public."
But much as I hate to reveal it, Jeremy, they're already about as "public" as it gets.
My G5 was hit by the BOMArchiveHelper exploit several days ago while attempting to download Windows freeware from MajorGeeks dot com.
My new, 'improved' Firefox browser v1.5.0.2, which had just been installed, was hacked so badly that Java rendering and draw had gone woebegone... stringing web pages out horizontally rather than vertically and the auto-update function was locked into always-on mode.
Safari crashed completely.
Later I discovered that during the episode a hacker had been able to penetrate NetBarrier's defenses and tamper with several of my stored documents, so that I was unable to open them by any means.
As well, it was impossible thereafter to decompress Stuffit hqx archives. After two successive formats/reinstalls of OS-X v10.3.9 I've come to suspect that a firmware-targeted rootkit may have been deployed against me. It's the 'gift that keeps giving,' you know.
Several anomalies surfaced during the first format... glitchy little things I'd never seen before; afterwards, with the new system laid in I was still unable to decompress archives.
During the second format/install, after DiskUtility had completed the zeroing-out process, I got the dreaded RED ARROW on the disk image, and an advisory to the effect that "I could not install OS-X to this disk because OS-X could not boot from this disk," etc. Scary stuff.
I figured my goose was fully cooked and my wabbit woasted; but after a forced shutdown and subsequent reboot with CD the OS-X installer ran okay. Phew!
So I suspect a firmware anomaly in the shape of a partial rootkit file, which may have (hopefully) consisted of faulty code. At any rate, the BOMArchiveHelper anomaly still exists, particularly when attempting to decompress Stuffit-wrapped installer packages from mizog dot com (SecretShredder).
All PowerPC Macs use a type of CMOS flash technology which tends to become evident after a reinstall job, when some of my old settings preferences re-emerge. That ain't just by chance, sportsfans.
Going through the full plethora of 10.3.9 updates, which I keep stored on media, there were no problems in decompressing Apple .dmg packages. So I don't know what's going on; only that Stuffit hqx archives are off limits for now... whereas other zipped and compressed packages open fine.
Hypocrites? We don't have time for that. We're too busy buying our subscriptions and updating and running Norton, McAfee, Panda, Spybot, Ad aware, Microsoft AntiSpam, Grissoft, etc. etc. etc....
How is "Don't open an attachment from someone you don't know or trust" a security flaw?
April 23 2006 at 6:35 PM
Especially when the two security companies who *have* rated this issue rated it "extremely critical" and "critical".
April 23 2006 at 3:53 PM
I love how every time Microsoft issues a patch the snark flows like lava from Krakatoa, but when it's on the Mac it's "minor".
What a bunch of hypocrites.
It's irresponsible to call these "minor" security flaws. Let's be clear: by opening an image, an attacker can execute any code he damned well wants on your machine, with root privileges.
Apple's response of taking this seriously is appropriate (as per the article linked). Calling this minor is downright foolhardy. Apple'll fix it soon enough, all the flaws are fairly fundamental (which make them, in some respects alarming), but none are complex.
You'll be "safe" again. But, as per Brent, "safe" is relative. Apple patches roughly 100 security issues per .x release, according to release notes. We're just really lucky they're figuring them out before they get public.
This notion that Macs ship "safe and sound" is a myth. It's a shame the Apple community can't acknowledge this. For something that doesn't have "regular security updates" I get them on at least a monthly basis. Actually, their frequency outpaces that of my Windows machine.
Since January, I have received 10 updates. That's more than 2 per month. Each update normally has 15 or so specific fixes. Again, this outpaces what I've experienced with my Windows machine. I also count 24 iTunes-related updates since this time last year. Such frustration is compounded by the requirement to buy a new license for QuickTime Pro each time they update that product to a new version.
I'd heard so much hype about Macs before I purchased mine. Sadly, little of it has proved to be true. As time goes by, I get the feeling this is a company that ships slow and shoddy hardware with software that's not quite ready for market, hence the steady barrage of updates. This doesn't make them the exception, however - it's a company that operates like any other.
I don't have a problem with receiving updates for either OS, but I wish people would be a bit more honest about what might be expected with a purchase from Apple. You can expect the same number of annoyances as with a Windows machine, only in different areas...
MacOS doesn't have as many bugs as Windows, so it doesn't require regular security updates.
April 23 2006 at 8:45 AM
From what I've noticed they only seem to do security updates on Mac OS X 10.3.9 and Tiger. I think they've stopped supporting Panther in that respect.
April 22 2006 at 10:19 PM
Kevin, that's a good question. I know there have been a couple of updates in the past two months. If you didn't get them, you might want to ask Apple directly. Of course, I think one was a problem with Widgets, which wouldn't affect you.
April 22 2006 at 10:16 PM