February 15, 2007 3:54 PM PST

Apple plugs four security holes

Apple issued four security updates Thursday to fix flaws in Mac OS X and iChat identified by the Month of Apple Bugs project.

Two of the flaws could allow an attacker to execute code on an unpatched system, Apple said. Patches are now available on Apple's Web site or through the Software Update selection under the Apple menu on a Mac.

Apple noted that proof-of-concepts for the flaws were posted on the Month of Apple Bugs Web site. But it doesn't appear that attack code has surfaced using the concepts outlined by the project. Apple has fixed several flaws identified during the course of January by the project, but some remain open.

The two flaws that could lead to arbitrary code execution are found in Finder and iChat. There's a buffer overflow flaw in Finder that could allow an attacker to take control of a system by "enticing a user into mounting a malicious disk image," or tricking someone into enabling local access of a file supposedly stored on a remote server. Apple credited Kevin Finisterre, one of the participants in the Month of Apple Bugs project, for reporting the issue, something it did not do on the three other flaws patched on Thursday.

The other patch, for iChat, fixes an issue in which a user could click on a malicious URL in a chat session and trigger an overflow, possibly opening the system to an attacker.

Two patches concern flaws that require a malicious local user. This includes another iChat flaw that could cause the application to crash as well as a fix for a UserNotification flaw that could allow system files to be overwritten.

See more CNET content tagged:
Apple iChat, flaw, Apple Computer, attacker, project

24 comments

Join the conversation!
Add your comment
Never assume you are 100 percent safe
Two of the flaws could allow an attacker to execute code on an unpatched system, Apple said.

This is reason enough you should take security seriously. Keep your computer patched and up to date and never assume your computer is invincible.
Posted by Seaspray0 (9714 comments )
Reply Link Flag
Thanks dad! NT
NT
Posted by BlackMicro (118 comments )
Link Flag
Good Advise
I think most Apple users agree.. while we might tout the fact that
there are no viruses in the wild for the Mac OS.. must of us are
painfully familiar with what happens when a computer is
compromised (when using another OS).
Most computer users have a healthy appreciation for needing to
keep our computers secure.
Posted by Jesus#2 (127 comments )
Link Flag
not Apple
i think they were talking about happle
not apple
apple world is perfect.
if this was a microsoft, apple users would be bashing the hell out of microsoft
Posted by hoss805 (15 comments )
Reply Link Flag
Nobody said they were perfect.
There's a huge range of quality between zero potential
vulnerabilities and 118,000+ actual exploits for Apple to occupy. A
few potential vulnerabilities is about as close to perfection as
anyone can hope for, but you're probably too busy setting up
multple firewalls and antivirus screens to see that.
Posted by Macsaresafer (802 comments )
Link Flag
not Apple
i think they were talking about happle
not apple
apple world is perfect.
if this was a microsoft, apple users would be bashing the hell out of microsoft
Posted by hoss805 (15 comments )
Reply Link Flag
Nobody said they were perfect.
There's a huge range of quality between zero potential
vulnerabilities and 118,000+ actual exploits for Apple to occupy. A
few potential vulnerabilities is about as close to perfection as
anyone can hope for, but you're probably too busy setting up
multple firewalls and antivirus screens to see that.
Posted by Macsaresafer (802 comments )
Link Flag
Bootcamp and Parallels
If you are using the file sharing option in Parallels to allow the
Windows virtual machine to access files on your hard drive, a virus
could infect the files on the mac partition. If those files are later e-
mailed or transferred to another machine they could be spread.

Apple and Parallels both recommend using anti-virus software
when running Windows either via Bootcamp or Parallels and makes
good sense. Just because it's a virtual machine or a dual-boot
doesn't mean that it can't be compromised.
Posted by burgher (15 comments )
Reply Link Flag
True.
Anytime you run Windows you must use extra caution. Virtual or
not, it's still very vulnerable.
Posted by Macsaresafer (802 comments )
Link Flag
Bootcamp and Parallels
If you are using the file sharing option in Parallels to allow the
Windows virtual machine to access files on your hard drive, a virus
could infect the files on the mac partition. If those files are later e-
mailed or transferred to another machine they could be spread.

Apple and Parallels both recommend using anti-virus software
when running Windows either via Bootcamp or Parallels and makes
good sense. Just because it's a virtual machine or a dual-boot
doesn't mean that it can't be compromised.
Posted by burgher (15 comments )
Reply Link Flag
True.
Anytime you run Windows you must use extra caution. Virtual or
not, it's still very vulnerable.
Posted by Macsaresafer (802 comments )
Link Flag
I can't believe this article! (* WINK *)
This can't be right!!! (* GRIN *)

Apple's MAC OS is invincible to such security holes. (* ROFLOL *)

BOTTOM LINE: Any/All OS's have the possibility for a few vulnerabilities... there is no such thing as a vulnerable-proof Operating System... regardless of what anybody thinks.

The quickest way to find a flaw in anything is to boast it as impennetrable and offer anybody who penetrates it $1000!

Then you'll see just how vulnerable you are! (* GRIN *)

Walt
Posted by wbenton (522 comments )
Reply Link Flag
I can't believe this article! (* WINK *)
This can't be right!!! (* GRIN *)

Apple's MAC OS is invincible to such security holes. (* ROFLOL *)

BOTTOM LINE: Any/All OS's have the possibility for a few vulnerabilities... there is no such thing as a vulnerable-proof Operating System... regardless of what anybody thinks.

The quickest way to find a flaw in anything is to boast it as impennetrable and offer anybody who penetrates it $1000!

Then you'll see just how vulnerable you are! (* GRIN *)

Walt
Posted by wbenton (522 comments )
Reply Link Flag
Never assume you are 100 percent safe
Two of the flaws could allow an attacker to execute code on an unpatched system, Apple said.

This is reason enough you should take security seriously. Keep your computer patched and up to date and never assume your computer is invincible.
Posted by Seaspray0 (9714 comments )
Reply Link Flag
Thanks dad! NT
NT
Posted by BlackMicro (118 comments )
Link Flag
Good Advise
I think most Apple users agree.. while we might tout the fact that
there are no viruses in the wild for the Mac OS.. must of us are
painfully familiar with what happens when a computer is
compromised (when using another OS).
Most computer users have a healthy appreciation for needing to
keep our computers secure.
Posted by Jesus#2 (127 comments )
Link Flag
 

Join the conversation

Add your comment

The posting of advertisements, profanity, or personal attacks is prohibited. Click here to review our Terms of Use.

What's Hot

Discussions

Shared

RSS Feeds

Add headlines from CNET News to your homepage or feedreader.