
March 7, 2006 4:00 AM PST

Mac OS X patch faces scrutiny

An Apple Computer patch released last week doesn't completely fix a high-profile Mac OS X flaw, leaving a toehold for cyberattacks, experts said.

The Mac maker released a security update for its operating system on Wednesday to plug 20 holes. The patch arrived after two weeks of intense scrutiny of the safety of OS X, prompted by the discovery of two worms, and the disclosure of a vulnerability that was deemed "extremely critical" by security monitoring company Secunia.

The update added a function called "download validation" to the Safari Web browser, Apple Mail client and iChat instant messaging tool. The function warns people that a download could be malicious when they click on the link. Before that change, clicking on a link could have resulted in the automatic execution of code on a Mac.

But Apple failed to address a key part of the problem: the fix should be at a lower, operating system level, experts said. It is still possible for hackers to construct a file that appears to be a safe file type, such as an image or movie, but is actually an application, they said.

"While Apple added a checkpoint to the downloading and execution process, they did not eliminate this vulnerability," said Kevin Long, an analyst at security specialist Cybertrust and a Mac user for 11 years. "If a user can be tricked into opening a file that looks like a picture, the user may actually be opening a malicious script."

After installing the Apple patch, Safari, Mail and iChat in most cases will display a warning when downloading a potentially malicious file. However, the same is not true for other applications that let users receive files, such as the Firefox Web browser, Thunderbird e-mail client, Yahoo Messenger and LimeWire file-sharing tool. Apple does not offer safeguards for those applications.

Also, Safari won't display an alert for users who have disabled the "Open safe files after downloading" option in the Web browser. Security experts urged users to disable this setting after initial details of the flaw were disclosed, since it made users more vulnerable.

CNET News.com was alerted to the limitations of the patch by readers, who described themselves as "concerned Apple fans." Security experts confirmed the existence of an issue.

Apple acknowledged that, despite its patch, it is still possible to make a malicious file look innocent.

"It is definitely possible on the Mac and on any platform to create an application and try to pretend that it is something that it's not. That's the definition of Trojans," Philip Schiller, Apple's senior vice president of worldwide product marketing, said in an interview. "There are Trojans in the world, I have yet to see a successful one on the Mac, but there are such things in the world as Trojans."

However, with its security update for Safari, Mail and iChat, Apple believes it cut off access for such Trojans. "The tools most people use (now) have built-in validation for things before they even get to the desktop," Schiller said. "The point of where people get the file is often through the browser and mail and instant messaging."

Apple's security fix is an important first step, said Michael Lehn, doctoral candidate and research assistant at the University of Ulm in Germany.

"I think Apple did the right thing," said Lehn, who first disclosed the Mac OS X vulnerability. "The fact that a script gets executed automatically had to be fixed immediately. They just have to go further."


Microsoft Windows users have grown accustomed to a seemingly incessant stream of computer worms, viruses and security vulnerabilities. The same is not true for Mac owners. Going by fan forum postings, many Apple customers believe their systems are impervious to cyberattacks.

Lehn said it was good that Apple made the fix it did, even though it wasn't complete. "In my opinion, it is better to release several security updates," he said. "Apple fixed the serious part very quick and that's good."

The unresolved vulnerability is due to a problem with the Mac OS Finder, the component of the operating system used to view and organize files, Lehn said. The operating system assigns an identifying image, or icon, for a file based on the file extension. However, it decides which application will handle the file based on information that is stored separately from the file, called metadata.
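One way a defender could flag the masquerading files described above, as an added example that is not from the article or from Apple: it compares a file's "safe" extension with its leading bytes and execute bit. It does not read the Finder metadata the article mentions; the extension list, signatures and sample files are constructed for illustration.

```python
import os
import stat
import tempfile

# Leading bytes of content the operating system can run directly.
EXECUTABLE_MAGIC = {
    b"#!": "script (shebang)",
    b"\xfe\xed\xfa\xce": "Mach-O 32-bit, big-endian",
    b"\xce\xfa\xed\xfe": "Mach-O 32-bit, little-endian",
    b"\xfe\xed\xfa\xcf": "Mach-O 64-bit, big-endian",
    b"\xcf\xfa\xed\xfe": "Mach-O 64-bit, little-endian",
    b"\xca\xfe\xba\xbe": "Mach-O universal binary (also Java class)",
}

# (offset, signature) pairs expected for extensions a user treats as safe.
# Assumption: a short illustrative list, not a complete format database.
MEDIA_SIGNATURES = {
    ".jpg": [(0, b"\xff\xd8\xff")],
    ".jpeg": [(0, b"\xff\xd8\xff")],
    ".png": [(0, b"\x89PNG\r\n\x1a\n")],
    ".gif": [(0, b"GIF87a"), (0, b"GIF89a")],
    ".mov": [(4, b"ftyp"), (4, b"moov"), (4, b"mdat"), (4, b"wide"), (4, b"free")],
    ".mp4": [(4, b"ftyp")],
    ".pdf": [(0, b"%PDF-")],
}


def inspect_file(path):
    """Return findings for one file; an empty list means no mismatch."""
    ext = os.path.splitext(path)[1].lower()
    if ext not in MEDIA_SIGNATURES:
        return []  # only files that claim a "safe" type are of interest
    try:
        with open(path, "rb") as fh:
            head = fh.read(16)
        mode = os.stat(path).st_mode
    except OSError as exc:
        return [f"unreadable: {exc.strerror}"]
    findings = [f"content is {label}"
                for magic, label in EXECUTABLE_MAGIC.items()
                if head.startswith(magic)]
    # If it is not obviously executable, it should at least look like media.
    if not findings and not any(head[off:off + len(sig)] == sig
                                for off, sig in MEDIA_SIGNATURES[ext]):
        findings.append("header does not match extension")
    if mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH):
        findings.append("execute bit set")
    return findings


def scan(directory):
    """Walk a download directory; map relative path -> list of findings."""
    results = {}
    for root, _dirs, files in os.walk(directory):
        for name in sorted(files):
            path = os.path.join(root, name)
            if os.path.islink(path) or not os.path.isfile(path):
                continue
            findings = inspect_file(path)
            if findings:
                results[os.path.relpath(path, directory)] = findings
    return results


def build_sample(directory):
    """Write constructed sample files (harmless placeholders) for the demo."""
    samples = {
        "holiday.jpg": (b"\xff\xd8\xff\xe0" + b"\x00" * 12, 0o644),  # real JPEG header
        "trailer.mov": (b"#!/bin/sh\necho constructed sample\n", 0o755),
        "logo.png": (b"\xce\xfa\xed\xfe" + b"\x00" * 12, 0o644),
        "notes.txt": (b"#!/bin/sh\n", 0o644),  # not a "safe" extension: ignored
    }
    for name, (data, mode) in samples.items():
        path = os.path.join(directory, name)
        with open(path, "wb") as fh:
            fh.write(data)
        os.chmod(path, mode)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        for name, findings in scan(tmp).items():
            print(f"{name}: {'; '.join(findings)}")
```

Because it works from file content rather than from the downloading application, the same check applies to files received through any browser, mail client or file-sharing tool.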

FUD
by Macsaresafer March 7, 2006 4:43 AM PST
So it's still possible to trick a user? I'm shocked and amazed. Be
serious c/net, human engineering will always be possible on any
platform, since the weakness isn't in the computer.
Well i am not a mac user
by March 7, 2006 4:48 AM PST
But from reading this small piece

Quoting : "By pulling this Trojan horse-style trick, a user might believe he is getting a movie or an image, but running it could wipe all user data on the hard drive, for example. "

only frustrates me. I know Unix based OSes enough to understand that this vulnerability would not be able to clean out your entire hard drive due to strict file permissions. Unless this vulnerability elevates the script's privileges to a system wide level.
However I know there are many readers out there that will equate this to the easily achievable situation on Windows system.
it happened to me...
by beamer86 March 7, 2006 6:13 AM PST
unfortunately, that exact thing happened to me...i was downloading what i thought was a patch for one of my games (a stupid thing to do, not downloading it directly from the game developer's web site), and when i installed it i browsed to the drive i had my games on to find it had been wiped completely clean. all i can say is...be careful.
look for news elsewhere
by bitjunky March 7, 2006 5:25 AM PST
This is my last post at CNet.com, as well as my last visit. While
I've never thought their 'journalism' to be based on fact, reason,
and the desire to fully inform their readership, I've often visited
the site to see the topical headlines for the day - mostly as a
jumping off point. Well, no more. It has become painfully clear
over the last few weeks that CNet will publish anything that can
increase their web traffic (ad hits), regardless of the quality of
the story. They have realized that by printing negative articles
about Apple/Mac, that they can draw the fanboys out of the
closet to battle on the 'Talkback'. Since everyone (mostly) who
visits the site either uses macs or pcs - they know that
everyone will have an opinion. It is obvious that they
intentionally publish articles just to flame the fire of the Mac vs.
PC crowd, getting them irate enough to post Talkback. I can
almost picture them now, huddled around a screen watching the
traffic on this article and cheering as the page view meter climbs
on ad impressions. If you agree with me that this is the case, I
suggest the following.

Do not post to the Talkback regardless of how 'incorrect' the
published article is. Just don't. The PC trolls are just waiting for
your response, and they will be sure to reply. You should even
reconsider reading any and all stories regarding Apple (don't
worry, you won't miss anything).

Without the 'bait' of Apple fans to ratchet up discussion (and
rekindle the OS war), CNet will lose the incentive to write such
garbage. Just realize that by voicing your opinion on Talkback,
you are justifying CNet's modus operandi to increase their
advertising revenue, and rewarding them for a job poorly done.

As I said, I'll never be seen here again - so good luck with my
advice. To the writers at CNet: Hope you never lose your job,
because you won't pass muster in any publishing company that
values integrity and reputation.
bye
by brian g--2008 March 7, 2006 5:32 AM PST
excuses vs. excuses
Keep reading and responding
by lesfilip March 7, 2006 5:50 AM PST
I agree with Mr. Rogers that cnet appears to be generating page
hits by using sensational headlines. However, it makes no sense
to NOT respond to these articles with facts and corrections. If BS
gets spread without someone setting the record straight, it just
grows. Best practice is to nip it in the bud right there in the
comments. Then everyone who cares to do so can read it and
make up their own minds what to believe.

It is also a great idea to let cnet know when they are being sloppy.
It can't be good for the site's reputation for a large percentage of
the comments to continually point out their sloppiness.

Have a nice day!
Windows FUD is OK; Mac FUD not OK?
by Richard G. March 7, 2006 6:22 AM PST
Just so I understand...C|Net was a nice "jumping off point" for stories and headlines as long as the sensational FUD was focused on Windows. Now that Apple is receiving that same sensational FUD, suddenly C|Net is a festering pit of fraud and libel. That about sum it up?

Your contempt for truth and integrity is your problem.

As for me, I'm loving the irony of it all. But you left these talkback forums so I guess my reply is lost.
You've been saying "bye" under different handles
by kamwmail-cnet1 March 7, 2006 6:35 AM PST
Typical *******, always yapping, never DOING.
Is there another site like this for Apple news?
by John B. Kendrick March 7, 2006 7:09 PM PST
I agree. It sure looks like cnet is just flaming the fire. But what
else is there out there where you can find the technology news of
the day like on cnet? I do like reading the responses and
occasionally responding.
Fascinating....
by New2Mac March 7, 2006 5:36 AM PST
I'm a windows user not by choice (workplace is a windows house) and it's fascinating to see how all of a sudden all of these "news stories" are coming out around the same time as Vista beta releases....I'm not a conspiracy theorist or anything but the timing is just too weird to ignore.

As for the security risks, there isn't an OS out there that can't be hacked. Coming from a windows world, you just learn to live with these security threats and keep them in mind. Same goes for Macs. The article isn't shocking news in terms of security threats so I don't know why they're making a big deal out of it...Users whether it be Apple, Windows, or Linux must be aware of what's out there and to do simple things to protect themselves end of story.

BTW, I am switching to a MacBook Pro for my work machine, although there are security threats, they are less frequent on a mac than they are on windows machines. As for CNET, stop making a big deal out of the obvious; security threats are a concern no matter WHAT OS you use. Whether the companies patch them or not. PERIOD.
Interesting..
by Sboston March 7, 2006 7:02 AM PST
I read through the entire article and did not notice any doom and gloom about Apple. What I read is while Apple was quick to patch the issue they didn't go far enough.
This is understandable as Apple has not had to deal with these types of issues with the level of scrutiny before.
As for CNET making a big deal about it... This is no different from the way they report MS issues.
All OS's should be treated equal in that regard be it MS, Apple or Linux.
Looking under the wrong rock
by aabcdefghij987654321 March 7, 2006 7:14 AM PST
You're trying to make a simple co-incidence into a seeming conspiracy by implying that someone working on Vista is trying to tear down the MacOS. It just doesn't fly though, there have been several "Vista Beta" releases and there will be more yet to come. Also MS has always been one of the most stalwart boosters of the Mac, taking down the Mac would only result in the loss of one of their markets for MS Office.

The rest of your arguments are a simple regurgitation of what we've been telling the OSX zealots for a very long time, arguments that fell on deaf ears because those zealots were perfectly sure there wasn't a chance in the world that OSX was vulnerable. Now that their house of cards is tumbling down their tune is changing and there are those who can't resist the urge to tweak those zealots for their previous intransigence.

Now the true learning from this particular article is that it's easy to patch symptoms and miss the actual underlying problem, this is something MS did many times especially in regard to the ActiveX controls running in IE.

Apple is going to find out just like Oracle recently did that it's not a good idea to wait for people to tell you what's broken, you need to actively search for these problems yourself. MS has a leg up on its competitors in that regard since it's been forced into that hunt already.
Denial, Denial, Denial
by kamwmail-cnet1 March 7, 2006 6:39 AM PST
Already, one *******'s posting threats of "boycott". Many more will start posting threads of Denial.

And much like any other junky on bad dope, they'll continue to suffer until they wake up to reality and recognize they have a problem.

Problem is not with the Mac OS itself. All OS's have holes. The problem is with Apple for not fixing these holes or just burying their heads in the sand until the holes get really big. And the flip side of the problem is the stupid ******* who lets Apple get away with this idiocy through their blind "loyalty".

Mac used to be good. Now, I trust Linux more.
nicely put
by City_Of_LA March 7, 2006 6:56 AM PST
couldn't have said it better myself.
I'm switching to Windows Vista!
by titanium667 March 7, 2006 7:05 AM PST
I'm annoyed by all these reports of the vulnerability of
Mac OS X and yet I still don't have any viruses or spyware
on my mac! This is unfair! I'm switching to Windows Vista!
At least then I'll have the viruses and spyware to back up
cnet's constant warnings and claims.
Great Plan
by Xpheyel March 7, 2006 7:14 AM PST
Since the only piece of malware I ever got was a deliberate, if mistaken, download on my part that was trapped by my firewall... I guess I can conclude there are no viruses and one piece of spyware for Windows!
Welcome to affordable computing
by sanenazok March 7, 2006 8:47 AM PST
I'm annoyed by all these reports of the vulnerability of Windows and yet I still don't have any viruses or spyware on my peecee! This is unfair! I'm switching to an overpriced platform with little third party support!
At least then I'll have no money for a home network connection and so no viruses and spyware.
What We Need Is a Patriot Act For Computers!
by djemerson March 7, 2006 8:28 AM PST
That way we won't have to make any decisions about keeping
ourselves safe on the machine. You can just have someone
hang out over your shoulder and say, "don't click that".
C|NOT MAC FUD = MS PAYOFF
by Llib Setag March 7, 2006 8:44 AM PST
Mac OSX & Apple are on the rise recently & with Intel Chips on board too.

OSX Security warnings by C|NOT along side of MS VISTA is a coming, hang on people our Lord & Savior is rushing in to rescue us from all of our problems with SIX versions of AstalaVista OS ( aka Longhorn-Longshot)...

Coincidence?

Windows has 90% of the worldwide market with 99% of the virus/trojan horse/worms/malware/crashes/hackers too.

Follow the money my friend, for the proof is in all the MS banner ads & "rumors, MS PR leaks about Origami"...

FUD PDQ CNOT!
Incoherent
by aabcdefghij987654321 March 7, 2006 10:54 AM PST
Your post is almost completely incoherent but it seems the gist is you think (and I use the word "think" lightly) that MS is behind these stories.

Your actual thoughts must be as incoherent as your message since you conveniently forget that MS is and always has been one of the biggest boosters of the Mac and is still its largest software vendor. MS has money invested in Apple and the Mac so your "follow the money" theory falls flat on its ignorant face.
CNet and Joris, your journalistic integrity is suspect
by kylegas March 7, 2006 8:56 AM PST
It's amazing to me that time and time again, CNet and the author (Joris) keep dredging up potential threats against a platform that, frankly, no virus writer really cares about. This is scare-news, not real news.

All computer platforms are insecure, and the Mac has flown under the radar due to its numbers. Now that you're screaming its doom from the rooftops, I'm sure it's only a matter of time.

You claim to be doing it for the benefit of the public, but from the consistent lack of real information in these articles, like, how does one secure themselves from these vulnerabilities? How great a threat is it, really? Who authored the exploit? Has it spread? It's obvious you're just trolling for news.

You are not impartial, and your journalistic integrity is suspect.
For a company that's going out of business soon...
by Norseman March 7, 2006 9:43 AM PST
...(and has been for 30 years) there sure seems to be a lot of interest in how secure/unsecure their OS is.
Are you serious..
by MidniteRaider March 7, 2006 10:06 AM PST
They are having some of their best quarters now more than ever.
The only way Apple is going anywhere, is if you get rid of Steve
Jobs, once he is gone, Apple will follow. Even then Apple would die
a slow death of a few years. So I don't know how soon you are
talking about, what the next 5-10 years, after Jobs is gone "some
day"?
Mac "hackers": want a REAL challenge?
by rslavelle March 7, 2006 10:13 AM PST
By Jim Dalrymple

Claims of Mac OS X being hacked in under 30 minutes are not
quite what they seem, according to Dave Schroeder, Senior
Systems Engineer at the University of Wisconsin - Madison.

A recent ZDNet article told the story of a Swedish man who
set up his Mac mini as a server and invited people to try to break
into the system and gain root control. Having root control of a
computer allows you to install applications, move or delete files.

Anyone that wanted to hack the machine was given access to the
machine through a local account (which could be accessed via
SSH), so the Mac mini wasn't hacked from outside - root access
was actually gained from a local user account.

"That is a huge distinction," said Schroeder.

Schroeder points out that, by default, Mac OS X machines will
not give any external entities local account access; not have any
ports open; and most consumer machines will also be behind
personal router/firewall devices, further reducing exposure.

"Mac OS X is not invulnerable," said Schroeder. "It, like any other
operating system, has security deficiencies in various aspects of
the software. Some are technical in nature, and others lend
themselves to social engineering trickery. However, the general
architecture and design philosophy of Mac OS X, in addition to
usage of open source components for most network-accessible
services that receive intense peer scrutiny from the community,
make Mac OS X a very secure operating system."

Schroeder is so sure of the Mac's security if set up properly that
he is having his own security challenge. According to his Web
site, the challenge is as follows: simply alter the web page on
this machine, test.doit.wisc.edu. The machine is a Mac mini
(PowerPC) running Mac OS X 10.4.5 with Security Update
2006-001, has two local accounts, and has ssh and http open -
a lot more than most Mac OS X machines will ever have open.
Email das@doit.wisc.edu if you feel you have met the
requirements, along with the mechanism used. The mechanism
will then be reported to Apple and/or the entities responsible for
the component(s). Going after other hosts/devices on the
network is out of bounds.

Schroeder told Macworld by email that the challenge will be
open until Friday, March 10, 2006.
And what does this have to do with the price of tea in China?
by aabcdefghij987654321 March 7, 2006 11:09 AM PST
You're off subject.
2nd paragraph totally erroneous
by kiltbear--2008 March 7, 2006 10:41 AM PST
This article totally mis-reports the facts of the original problem.

Ultimately, the only way to stop someone from doing something
stupid, like double clicking on a file of which they don't know its
provenance, is to unplug the !@#$ computer.
Five C/Net articles for $100?
by J.G. March 7, 2006 11:01 AM PST
A Wall Street Journal columnist recently wrote that online
'reporters' are being paid as little as $100 to write five 500-word
articles. Perhaps that explains the extremely poor quality of
articles like this one. The basics of journalism -- who, what,
when, where, how and why -- are mainly absent. My first
career was as a journalist for two highly respected newspapers.
I would not refer to drudges who grind out material like this by
that title.

Other commenters have addressed some of the numerous flaws
in this article. Still, let's clarify a few:

• The patch is not meant to prevent people from opening files
of their choice, but to warn them of the possibility the files
contain malicious code. After being warned, the user can either
proceed to open the file or check its information profile in Get
Info. If he is really concerned, he can confirm the nature of the
file in an application such as DataViz' MacLink. The article is
written as if Apple has a duty to prevent users from ever
downloading a file with malicious code. It does not. Such a
requirement would be an impossible burden.

• The patch is for Safari because it is an Apple program. Apple
cannot realistically be held responsible for foreseeing exploits of
every third-party program a user might install.

• Mac users generally do not say their computers are
impregnable, as the article implied. They say their computers
are much more secure than Windows-compatible computers,
which is true.

Five C/Net articles for $100? C/Net gets what it pays for.
Another one misses the point
by aabcdefghij987654321 April 25, 2008 2:03 AM PDT
The patch was a band-aid which only covers a subset of the problem. The basic problem itself is deeper in the architecture and only taking away one route for the problem to occur doesn't fix it. The warning is only provided if the file is downloaded using a specific application while the underlying ability for a file to masquerade as something it isn't remains intact and examples were given of other applications which could result in unsafe files being executed simply because they look "safe". How hard is that for you to understand?

Suppose I used the built in FTP program to retrieve the file instead of Safari? Should Apple also add that patch to the FTP program? How many other built-in programs can be used to get files from remote sites? Should they all be patched? Or perhaps Apple should examine the underlying problem and see if there's something they can do to prevent themselves from having to work on each and every individual program that could download a file.

And you've not been following these boards long if you think that Mac Users haven't been saying their computers are impregnable because there have been a lot of posts implying exactly that posted on these boards.

Also how much someone gets paid per article is between them and their publisher, your attitude is nothing more than snobbishness.
Time to Take Away Custom Icons?
by open-mind March 7, 2006 11:04 AM PST
It seems like that's the only fix to this Mac "vulnerability" that's been around for what, 15+ years?
Possibly but...
by aabcdefghij987654321 March 7, 2006 11:27 AM PST
Possibly but give Apple some time to think about it. Perhaps they can come up with something innovative that'll solve the problem without having to take that kind of step.
Will it ever end...
by rfordtech March 7, 2006 11:06 AM PST
You know, I don't wish Apple users any ill will, but all of this media attention is going to result in a nasty zero-hour exploit from someone just itching to prove that it can be done. Nothing is perfect, and I think Apple is in for some rough times security-wise in the very near future.
CNet should interview an expert on the Law of Diminishing Returns
by M C March 7, 2006 11:07 AM PST
You can only pump the "Mac security flaw" page-view machine so much, and interview so many random "experts," before people just ignore fluff like this.

By the time there IS a legitimate security flaw or REAL experts to interview, no one may care.
Exploits
by March 7, 2006 12:49 PM PST
I have to point that all OS may be cracked, last year an official patch (yes a patch) opened an exploit on Solaris 9. And this exploit needed an internal account to be used.

The default security of Mac OS is tuned for convenience not for security. It's a personal workstation.

And no amount anti-* software will prevent careless users to get infected. That's why secure PC's in business environments don't let users to install anything.

In my last work, a windows machine got infected with a trojan. That's not a result of a windows flaw, but a careless operator that used the server for personal tasks.

Even the best security is useless without correct procedures (humans included).

If you try to tighten security, then usability and convenience goes through the window. Just try to enable full selinux.
This is not an Apple Only Problem!
by Michael Lehn March 7, 2006 1:19 PM PST
Social engineering is a problem that has to be faced on every
system as well as in real life.

I also pointed that out in the email interview:

----------
This later issue is known as "Social engineering"
(http://en.wikipedia.org/wiki/Social_engineering_%28computer_security%29).
A hacker does not exploit a security flaw. Instead he/she
exploits the user. There is no way to completely prevent this.
So at least it should be made as hard as possible. In this case a
hint that a file is an executable and not a movie would help. But
still, if a user downloads some file from the internet and really,
really wants to execute it you can't stop the user. You only can
decrease the possibility the user is doing something he/she
doesn't actually want to do.

So it's right at the moment it seems suddenly more dangerous
to disable the "automatic open" option. If it's on and the
security update is installed you now get a warning. If the option
is disabled files are downloaded without warning. If you extract
the file there is no warning. After that it might look like a movie
with a tempting name. If you double-click it, it gets started
without warning.

Finally a computer is only safe if you turn it off. Making a
system secure is always finding the right mix. It has to be
usable, but transparent, but not too complicated,.... (no warning
-> obviously bad; too many warnings -> the user will ignore
them; a too restrictive firewall -> the user turns it off; ...). In
this respect it I just trust that Apple will find the right mix. If
not them who else?
------
Warning meets diligence standard
by J.G. March 7, 2006 3:16 PM PST
I found the article unrealistic partly because Joris is missing the
point, on which both you and I are focusing: The point of
Apple's patch IS NOT to prevent a user from ever installing
malware. The point IS to warn the user and make such an
installation less likely. The ignorant or indifferent user of any
product may find a way to do harm with it. In the law, we use
the 'reasonable man' standard to analyze issues of culpability. I
believe that a reasonably prudent person would be aware of the
possibility a file is malware, and, as a result, confirm that it is
what it says it is based on the warning when downloading a file
in Safari. The demand that Apple make downloading foolproof
that some of the sources have is unrealistic and unreasonable.
Proof of CNet biased reporting...
by lkrupp March 7, 2006 3:51 PM PST
"News.context

What's new:
Experts say Apple's most recent patch doesn't completely fix a
high-profile flaw, leaving a toehold for more cyberattacks.
Bottom line:
It's another ding in the reputation of the Mac maker, which has
previously stood on the sidelines of the security fray."

The "High Impact" box says it all. This is biased "gotcha"
journalism in its purest form. Dan Rather couldn't have done any
better.
Every OS is vulnerable
by Stan Johnson March 7, 2006 3:51 PM PST
even OSX