March 1, 2006 6:15 PM PST

Apple patches serious Mac OS flaws

Related Stories

Is Mac OS as safe as ever?

February 27, 2006

Mac OS flaw exposes Apple users

February 21, 2006

Bluetooth worm targets Mac OS X

February 17, 2006

New worm targets Apple chat users

February 16, 2006
Apple Computer on Wednesday released a security update for Mac OS X that fixes 20 vulnerabilities, including a high-profile Web browser and Mail flaw disclosed last week.

The set of patches addresses a variety of security flaws, including several that could let an attacker gain control over a computer running the operating system software. The patch arrives after two weeks of intense scrutiny for Apple Mac OS X safety, prompted by the discovery of two worms and the disclosure of two security flaws in that period.

The Apple security update addresses those flaws, which affect the Safari Web browser and Apple Mail client. The vulnerabilities expose Mac users to risks that are more familiar to Windows owners: the installation of malicious code through a bad Web site or e-mail because of improper validation of downloads.

Related news
Is Mac OS as safe as ever?
Trio of threats suggest hackers are eyeing the previously ignored software. Should fans worry?

The update also changes iChat, Apple's instant messaging application, to thwart instant message threats such as the Leap.A pest, which was detected recently and attacked some Apple users.

"iChat now uses Download Validation to warn of unknown or unsafe file types during file transfers," Apple said.

Aside from the previously disclosed vulnerability in Safari, the Apple patch fixes four additional security bugs. These could result in code being executed on the user's machine after viewing a malicious Web site or allow JavaScript to execute in the local domain, Apple said in its update.

Other flaws fixed in the update include four issues related to the PHP scripted programming language, two problems related to Apple's Directory Services, a problem with mounting of file servers and a bug in FileVault secure storage, which was found to be insecure in the way a FileVault image is created.

Security Update 2006-001 can be downloaded and installed via the Software Update feature in Mac OS X or from Apple Downloads.

"Apple advises Mac OS X users to keep their system current by installing this and all Mac OS X software updates," the representative said.

See more CNET content tagged:
flaw, Apple Computer, Apple Mac OS, Apple Safari, Apple iChat

59 comments

Join the conversation!
Add your comment
Two weeks huh?
Well in two weeks I haven't heard of a single case of anyone being
affected by these "serious" flaws. That's not to underplay the fact
that there were flaws, it's just that no one seems to have been able
or willing to exploit it. Start your "security through obscurity" and
"AV company conspiracy" debates here.

(Note though that these flaws were given a pretty high profile -
surely a tempting target?)
Posted by privatec (75 comments )
Reply Link Flag
The only problem is...
Just like average Windows users, average Mac users tend not to
update their systems on a regular basis. I personally know
dozens of users of both platforms that have NEVER updated
their systems, EVER. They are still using the OS version that
shipped with the machine when they purchased it. A news report
last night estimated that one recently convicted cyber-criminal
had amassed an army of 750,000 zombie machines to do his
bidding. How did that happen? Unpatched machines, of course.

Visit either a Windows or Mac user discussion forum and just
look at all the reasons people come up with as to why they're
not going to install some patch or update because it might hurt
their system.

So the bottom line is, if some criminal decides to implement one
of the exploits, he/she will have thousands of victims to choose
from even if the flaw has been patched. A local radio personality
in my area has a really good signature line, "You can't fix
stupid."
Posted by lkrupp (1608 comments )
Link Flag
And along those lines...
I've never heard of nor had any of the supposedly serious Windows flaws, leaks, viruses, or nasties that eveyone seems to think comes standard on every Windows PC.
Posted by Christopher Hall (1205 comments )
Link Flag
Secure system and lazy hackers?
I agree with other commenters that most Mac users will run the
update immediately. Since most of us are automatically informed
of updates, that's easy. As I said on another thread, many, if not
most Mac users, will have turned off the automatically open
downloads preference in Safari as soon as the flaw became known.

If there are heavy breathing hackers eager to conquer the Mac OS, I
don't understand why they ignored a two-week window of
(seeming) opportunity either.
Posted by J.G. (837 comments )
Reply Link Flag
I know why
In your case, they didnt bother hacking into your system because:

1) You have no money, so nothing to steal
2) You have no ideas or thoughts, so nothing to borrow
3) Your hard drive is full of beastiality pics

Cheers!

Mister Winky
Posted by Mister Winky (301 comments )
Link Flag
CAN'T CRASH OR GET VIRUSES-RIGHT?
::LAUGHING::
Posted by NRecob (78 comments )
Reply Link Flag
Not Crying Either
Let's be honest here:

Mac's crash

Mac's get viruses (apparently)

Mac's crash less than Windows

I've never seen a Mac virus

I am unsure as to why you are laughing. Personally, I just got
very angry with Microsoft and left their platform after 15-years
support and bought a Mac. I have never regretted this decision
and I wonder why people will mock others who have actually
voted with their wallet. Seriously, are you really that happy with
Windows or Linux? If so then I'm really very happy for you but I
wasn't and I made a change. Is there really anything funny
about that?
Posted by kelmon (1445 comments )
Link Flag
Unsecure. Get Windows
So with a Mac you get.

1. an unsecure system.
2. Little and expensive software
3. Get to annoy people with your constant "get a Mac" fits

with windows you get

1. an unsecure system
2. Tons of software
3. Get to make Mac fanboys whimmer and cry with the truth
Posted by City_Of_LA (118 comments )
Reply Link Flag
hackz0r noob
Unsecure? wow it only took apple one week to address nearly
twenty security issues. Correcting you, apple updates its source
reguarly so a similar blue screen fiasco doesn't happen.
Unsecure system how so? reported, two malwares which
"I" have to agree and type in "my" system password so "it" can
install... what a joke this isnt a virus its a novelty... Which great
software do you mean? Final Cut Pro? Soundtrack Pro?
Aperture... even adobe is fully transitioning using apple core
base coming to the white side in 2007... this just leaves maya to
transition to the white side... Paying a lot when?? i can just use
bit torrent and have it for free/ Install/ Works no problem... Still
b!tching about the prices of quality industry leading software?
Well its a tax right off if you know what your doing... Pc are great
for iPhoto, Imovie Hd, Idvd, Garageband oh wait all your pc
comes with is windows media player im sorry... you dont need
3rd party software if your os manufacturer makes perfectly
functioning products ^^;
Posted by mzima (7 comments )
Link Flag
Dont forget
The unprecidented amount of hardware that is more than capable of raosting any mac on the price, performance, watt and usability factors.

There isnt even a f'ing preference pane to control the damn Video settings (ie: ATI Catalyst Control Panel)
Posted by SystemsJunky (409 comments )
Link Flag
Virtual PC anyone?
For those of you wanting to spawn demons in your basement, its
no suprise but you can port windows onto you mac for awhile
now.... i still yet to witness the trolls that may purchase this
program... Must be a very solid system :D but slow as fudge...
*mixes ammonia and bleach togethers.... (laughs hysterically)*
Posted by mzima (7 comments )
Reply Link Flag
Virtual PC? No thanks
For those very rare occasions when I need to run a program that is
not available on Mac or Linux I run an old P400 Windows 98
computer that I picked up at a yard sale for $25.

It sets on a shelf in the closet, sans keyboard and monitor, and is
controlled via VNC (remote control software).
Posted by rcrusoe (1305 comments )
Link Flag
Ebonies meets apple script
Yeah not a chance, i love hackers.... 1) Expose Flaws... 2)Do as
(much) little damage possible....3) Patches up the ass.... thanks for
making my system more secure!!!!
Posted by mzima (7 comments )
Reply Link Flag
4 or 5 Flaws!?
...in 5 years of running this system, I think I better switch to
Windows it has 150,000 to wich I`ll get used to in no time.

Man! I`m getting wiser, thanks for show me the light... I don`t
know how I have being so blind all this 20 years using Macs.
Posted by rleon (111 comments )
Reply Link Flag
That's GREAT!
What's great?

The update? No, that's just really good.

The fact that the Apple-haters in this forum now have one less
thing to whine about? That's GREAT!
Posted by open-mind (1027 comments )
Reply Link Flag
The Funniest Thing ...
... is that most Windows users won't even read this article to
discover what a tiny blip it is for Mac users. Instead, they'll just
read the over-inflated headline and go "See? See? We were right
all along!" Then they'll go back to their world where unknown
causes of data corruption and system crashes are the norm and
the next attack gets to happen and wreak havoc before it might
be patched weeks later. Mac users meanwhile will keep getting
their work done and sleeping quite soundly. - which is
something you can only truly know and appreciate once you've
actually switched away from the Windows nightmare at long last
as I did.
Posted by GatesOfHell (210 comments )
Reply Link Flag
Security Updates are News?
Mac users get security updates about every 3 or 4 months.
Nobody's surprised. Ongoing security updates are part of
creating a secure system.

I'm not saying Macs aren't hackable, but one has to at least
admit that Apple is more proactive with their updates and less
reactive.
Posted by djemerson (64 comments )
Reply Link Flag
Read the fine print
The "serious flaws" are not considered high risk by the security
industry. They require a user to acknowledge the download and in
some cases type in their admin password.

I recommend people read the details of flaws at a security web site.
I am not a MAC bigot highlighting security is good. Microsoft is
leading the way in this area. We should all show people the
published security threat levels however...
Posted by peterdevcollins (1 comment )
Reply Link Flag
To put this in perspective
No OS is totally secure, so things could change tomorrow.

But in the grand scheme of things, comparing the Mac problems in the news lately vs the ongoing problems Windows users have to live with every day, is like comparing a broken finger to cancer.
Posted by rcrusoe (1305 comments )
Reply Link Flag
Broken finger to cancer?
I thought it was Ferrari to Chevrolet? ::laughing::
Posted by NRecob (78 comments )
Link Flag
Editor: you forgot to put "serious" in quotation marks.
These "flaws" were only "serious" according to companies who have a vested interest in the seriousness of the "flaws."

But you already know and ignore that fact, right?
Posted by M C (598 comments )
Reply Link Flag
It kind of makes sense to hit Macs...
The amount of Mac users are rising thanks in part to their affordable Macs and iPods. It's basically a virgin target and it's safe to say that most Mac users are well to do. Not many lower and working class people purchase a Mac because they're dazzled by the lower prices of PCs. It's these facts that could be catching the attention of the likes of identity thieves and such to start looking at Macs as a viable target now. It was even suggested to me once that these malicious hackers are bored punching holes at Windows and needed a new "challenge" to over come.
Just my opinion.
Posted by Laserdisc (79 comments )
Reply Link Flag
Just note that these
"malicious hackers" you mention were security researchers who
pointed out vulnerabilities in a proof-of-concept form. No actual
malware based on these vulnerabilities has yet been seen.
Posted by Thrudheim (306 comments )
Link Flag
About hackers...
See here's the thing about hackers. There's two kinds of them:

1) Foriegn spies or mofia who have financial and criminal motivations to steal "data" from corporations and governments. These types of criminals are not concerned with a home user and his ONE credit card number sitting in a web browser cache. Instead, they're targeting corporate enterprise servers in an attempt to steal THOUSANDS of credit card numbers in one fell swoop.

Business and Government house information that has real financial value to these criminals. Where is Apple in the Business and Government world? Well unless you're an advertising firm or a magazine publisher, chances are high there's no Mac in sight. And what "valuable" information can be stolen from advertising firms and magazines? It doesn't pay to worry about expoiting OS X, when there is no valuable information being stored on OS X.

The only EXCEPTION to this class of hackers would be those who need an army of zombies to send spam emails or act as illegal porn servers. These guys just want your computer to do their dirty work so the cops can't trace it back to them. This would be the only kind of hacker I could see caring to exploit OS X. But then, the dreaded "market share" argument comes up. If 90%+ of home users are on Windows...where do you think that criminal will spend his energies?

2) Script Kiddies looking for notoriety and ego boots. This kind is harder to describe, but they tend to be youngish men who know a little something about computer technology and find simple ways to misuse a platform. The most recent OS X flaw (the one where a user had to type in root password from a website) wasn't so much a virus as just a misuse of an application to do harmful acts, assuming the user was dumb enough to type the admin password. These guys prey on home and business users who misconfigure (or fail to properly configure) applications. (Applications! Rarely is it kernel exploits.) Seeing how there are many more Windows apps around (some good, most bad,) there are more Windows targets to expoit.

It also needs to be said that there are a LOT more technical literature available for the PC platform. Both the criminal and the script kiddie can easily learn how to program and use a PC system, because PCs are by design more open and have more books available. (Not just Windows, but Linux as well.)

So when you say "It kind of makes sense to hit macs", I have to disagree. If I were either of the two hackers, I would have no reason whatsoever to care what Mac users were doing.
Posted by Richard G. (137 comments )
Link Flag
For Macatics....
Read EARL, are you listening?
post 30.
Posted by thedevilbegone (139 comments )
Reply Link Flag
Beloved Mac vs. Windows users....FIGHT!
What many Mac users always seem to conviently forget is the fact that many Windows users typically logon to their machine with an Administrator account. Why is it any surprise that malware infects their machine? If the Windows users were to login using just a regular non-administrative user account(eg. no ability to install software, remove software, blah blah), hardly any of these problems would exist at all. This is nothing new. The user can logon and use the machine with the crippled user account, and when they want to install any software, Shift-right-click and left click "Run As".

Windows is inherently "too trusting" of the user, which is responsible for 90% of it's problems, yet the fix is so easy to implement. Just train your users to login with a crippled user account for everyday tasks, and issue the "Run As' command for anything that requires Admin privileges. Done, and done.
Posted by (4 comments )
Reply Link Flag
That's correct.
In fact there was a patch for this issue released last year on windows. It is very likely that the hackers realised that it would be possible on a Mac also with the same lines.. They got it right the first time.
Posted by thedevilbegone (139 comments )
Link Flag
Likewise...
What you seem to conviently (sic) forget is the fact that many
Mac users typically logon to their machine with an Administrator
account. In fact, a brand spankin' new Mac takes the user
through a quick setup process that creates their admin account.

The difference is that OS X continually makes you prove your
administrator credentials by requesting a password to install
new software, whether your already logged in as the admin or
not.
Posted by djemerson (64 comments )
Link Flag
New iMac
I think that anyone who thinks that anything new from apple is
irrelevant should crawl back under their simple narrow-minded
microsoft rock. Yes i love the new imac, but i also like many
aspects of microsoft windows, thats why i have xp on my
macbook pro and think that people should try to be less bias
and close-minded about the whole mac v pc thing, that goes for
both sides of the os! Who cares if you think that macs are better
than pcs and vice versa, a mac is a pc now with intel x86. I
don't dislike any of the platforms, both have their strengths and
weaknesses.
Posted by Blackleopard66 (1 comment )
Link Flag
It's Amazing...
As a user of Windows XP and OSX...

It's amazing how I can type this response using either system..

Amazing how I was able to follow and watch the winter olympics on both systems.

Amazing how I checked my bank account at home with my Mac then at work on my PC.

Amazing how I downloaded songs to my iPod on my Windows XP machine and went for a jog.

Amazing how I can watch a DVD on my Mac while on my ATI dual monitor PC, I surf the internet, burn a CD and check my email.

Amazing how I can hook up my guitar to my Mac and record and edit a quick tune.

Amazing how both systems have security flaws and need patches to fix.

Amazing how both OS's have flaws that are located between the chair and the keyboard!
Posted by Whisperingrathe (3 comments )
Reply Link Flag
Then why did you buy a Mac?
True to an extent. But, one has more flaws than the other. If the
Mac were not better in some ways, you would not have bought it.
Claims of false equality are poor reasoning.
Posted by J.G. (837 comments )
Link Flag
not amazing at all.....
... you listed mostly quite simple functions requiring nothing more
than a browser, plus DVD and CD software, plus Itunes from Apple.
There was no sense spending any serious money for that
performance - the cheapest PC would have been quite adequate.

The guitar recording may have needed a quality application, but
they work on the cheap PC's.

Nothing amazing about that.
Posted by Earl Benser (4310 comments )
Link Flag
 

Join the conversation

Add your comment

The posting of advertisements, profanity, or personal attacks is prohibited. Click here to review our Terms of Use.

What's Hot

Discussions

Shared

RSS Feeds

Add headlines from CNET News to your homepage or feedreader.