May 12, 2006 2:19 PM PDT
Apple flaws put both Macs and PCs at risk
- Related Stories
Unpatched Mac flaws may put users at riskApril 21, 2006
Apple issues Java security updateApril 19, 2006
One more update to Apple patchMarch 17, 2006
Tribble on Apple's security troublesMarch 15, 2006
Apple corrects patch troubleMarch 13, 2006
Another Mac OS X hack challenge launchedMarch 7, 2006
Mac OS X patch faces scrutinyMarch 7, 2006
Apple patches serious Mac OS flawsMarch 1, 2006
Mac OS flaw exposes Apple usersFebruary 21, 2006
In a pair of security alerts released Thursday, Apple outlined 31 flaws that affect various versions of the operating system and a dozen vulnerabilities in its QuickTime media player software. Security experts have deemed the issues "critical," but Apple does not provide a severity rating. Fixes are available.
The Mac OS X vulnerabilities lie in various components of the operating system and affect both the server and client versions, Apple said in an advisory. An attack could be launched using some of the bugs by creating a malformed file, or by building a malicious Web site and enticing someone to visit it, the company said.
"These flaws could be exploited by attackers to execute arbitrary commands, bypass security restrictions, disclose sensitive information or cause a denial of service," the French Security Incident Response Team, a security-monitoring company, said in an advisory.
The patches indicate that Apple is having a hard time completely resolving a security flaw that surfaced earlier this year. They fix an issue in the "download validation" function, a feature designed to protect Mac users from installing harmful code from a malicious Web site or e-mail--a risk more familiar to Windows users.
Apple added the function in a security update released in early March. Two weeks later, it issued another update to fix some problems with the feature. Thursday's fix tackles another issue: the download validation may be bypassed if a file has a long name, Apple said.
Critics have argued that the download validation function is not enough to address the installation risk, and that Apple needs to correct the problem at a lower level in the operating system.
The QuickTime flaws put both Mac OS X and Windows computers at risk of compromise. All of the vulnerabilities exist because of errors in the way the media player software handles certain files. Specially crafted files in certain media formats--including JPEG, QuickTime, Flash, MPEG4 and AVI--could allow an intruder to hijack a vulnerable system, Apple said in an advisory.
Apple's security update 2006-003 for Mac OS X and the QuickTime patch can be downloaded and installed via Software Update preferences or from the Apple Downloads Web site.
162 commentsJoin the conversation! Add your comment