A serious security flaw in Mac OS X opens machines with Apple's Safari Web browser to hijack by outsiders, Secunia has warned.
The vulnerability and "proof of concept" code to exploit it were released on Wednesday as part of the Month of Apple Bugs project. It affects Mac OS X 10.4.8, the most recent version of Apple's operating system and, possibly, previous versions, security researcher LMH said in the posting on MOAB's Web site.
The flaw can be exploited if the Mac user has enabled an option in Safari to "open safe files after downloading," Secunia said in an advisory Thursday. The security company has rated the problem "highly critical."
"It is never good to have something open automatically when you download it, so users should disable this automatic feature in Safari," said Thomas Kristensen, Secunia's chief technology officer.
Over the past year, security experts have scrutinized the "open safe" feature in Apple's code, and have said that the company hasn't completely closed up the security holes. The feature automatically opens files that are deemed to be safe. In March, Apple added a "download validation" function to the tool to warn people when they may be downloading a malicious file or disk image.
However, security experts have noted that malicious attackers could create a file that appears to be safe, such as a movie or image file, but is actually an application that gets loaded onto a user's system.
Security researchers are advising users to disable the "open safe" feature in Safari.
In response to the news, an Apple representative said: "Apple takes security very seriously and has a great track record of addressing potential vulnerabilities before they can affect users. We always welcome feedback on how to improve security on the Mac."
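The article's advice is to switch off Safari's "open safe files after downloading" option. The following added example (not part of the original article or of any Apple tooling) audits per-user Safari preference files for that setting. The key name `AutoOpenSafeDownloads` and the two plist locations are assumptions. A missing key is reported as "default" and flagged for review, because Safari's built-in default then applies.

```python
import plistlib
import tempfile
from pathlib import Path
from xml.parsers.expat import ExpatError

# Assumed preference key behind Safari's "Open 'safe' files after downloading".
PREF_KEY = "AutoOpenSafeDownloads"
# Assumed plist locations under a home directory (classic and sandboxed Safari).
PREF_PATHS = (
    "Library/Preferences/com.apple.Safari.plist",
    "Library/Containers/com.apple.Safari/Data/Library/Preferences/com.apple.Safari.plist",
)

def auto_open_state(plist_path):
    """Return 'enabled', 'disabled', 'default' (key absent) or 'unreadable'."""
    try:
        with open(plist_path, "rb") as fh:
            prefs = plistlib.load(fh)  # accepts XML and binary plists
    except (OSError, ValueError, ExpatError):
        return "unreadable"
    if not isinstance(prefs, dict) or PREF_KEY not in prefs:
        return "default"
    return "enabled" if prefs[PREF_KEY] else "disabled"

def audit_homes(users_root):
    """Map each home directory that has a Safari plist to {relative path: state}."""
    report = {}
    for home in sorted(p for p in Path(users_root).iterdir() if p.is_dir()):
        states = {rel: auto_open_state(home / rel)
                  for rel in PREF_PATHS if (home / rel).is_file()}
        if states:
            report[home.name] = states
    return report

def needs_review(report):
    """Accounts where auto-open is not explicitly switched off in every plist."""
    return sorted(user for user, states in report.items()
                  if any(state != "disabled" for state in states.values()))

if __name__ == "__main__":
    # Constructed sample tree standing in for /Users so the example runs anywhere.
    with tempfile.TemporaryDirectory() as root:
        for user, prefs in {"alice": {PREF_KEY: False}, "bob": {PREF_KEY: True},
                            "carol": {"HomePage": "about:blank"}}.items():
            path = Path(root, user, PREF_PATHS[0])
            path.parent.mkdir(parents=True)
            path.write_bytes(plistlib.dumps(prefs))
        report = audit_homes(root)
        for user, states in report.items():
            print(user, states)
        print("needs review:", needs_review(report))
```

On a Mac, call `audit_homes("/Users")`; a flagged account can be fixed by that user with `defaults write com.apple.Safari AutoOpenSafeDownloads -bool false` or by unticking the option in Safari's preferences.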
...old news. Though I'm not happy that Apple has yet to solve it, I've had this function off for a while, pending an update. Please do not report on stuff that everyone knows already, just to get the public's attention.
...an unpatched high-risk Mac security vulnerability. Just because Mr. OmniGeno has this function off it doesn't mean the flaw is not there still and ready to be exploited. Please do not give lame excuses on Macs' bugs, just so you don't have to admit Macs are, after all, not that secure.
WADR, this doesn't have to do with an individual intentionally downloading "dodgy" software. The flaw allows for concealment of malicious code under a disguise as a (usually) benign file, such as video, PDF, etc. That's what makes it a security flaw--and rightly mentioned as an issue, since Apple's not fixed it yet. (Though they have come out with the over-hyped Apple TV and iPhone.)
CNET continues the pattern of "reporting" negatively on Apple. Go back over the last year and look at how many pot-shots they've taken at Apple vs say Microsoft. It's not that Apple does everything right, but CNET would serve its readers better by being more even handed. It's too bad that the editors have taken this approach as the site could be a great source for news and product reviews. Have you noticed how companies that advertise heavily with CNET get better ratings?
Some other folks have decided to devote January to the disclosure of a bug-a-day in Mac Land; it's news. Not the biggest, but worth spending a few bytes and electrons on.
You're the one driveling. The top 10 news articles are about Apple's wonderful, truly innovative, re-invented iPhone... And the lawsuits associated with it.. LOL
. . . freak, that is. I own--if you count those owned by my daughter and wife--four lovely Macs of various species. And I've not yet freaked over them or any announcements about them. Now, about the iPhone, OTOH, I think Apple freaked a fair number of folks by tying the product to Cingular and its freaking failure of a data service, EDGE.
Any company being Apple or other is going to tell you their product is the greatest thing since fire; that's no surprise by any means.
The surprise is how Cult of Mac (not regular Apple computer owners, but the fanatics) believers continue to lose it any time something like reality threatens to shatter the delusions they've developed based purely on Apple's ad campaigns.
"Hi, I'm a PC." 'And I'm a Mac; impervious to viruses, bugs, hardware failures and solar flares.'
My comments are not targeted to the regular computer owners who chose to buy an Apple; only the Blindly Brand Loyal who disregard facts about whatever their preferred system is unless the facts fit their pre-determined perceptions.
I'm shocked just about every day when I read an article or two and hear how biased this site is. If it's so entirely biased, why do you continue to read articles?!?!? It's time to step back, read an article for what it's worth, if you agree great, if you disagree, then equally great. But for crying out loud, please refrain from saying how biased these reports are. Is it wrong for a reviewer to use a Mac when writing a story about a Mac? How about using a PC to write about a Mac? How about using a Mac to write about a PC? Get over it....my favorite color is gray, yours is pink, his is red and hers green.
Who wants to spend their time bashing product reviews anyways???? Get a life!!!!!
... for a web site that expresses opinions. But CNet claims to be a NEWS site. To be an acceptable news site it should be unbiased. I'm afraid that it is only too easy to find both positively and negatively biased articles on CNet masquerading as news. Apple's OS X appears to me to be on the receiving end of many negative articles while MS's OSes enjoy the opposite.
Despite this I still read CNet but treat it more as a blog than as a reputable source of news.
Look, from time to time, CNET is a little balanced. But that is not the norm. For those of you not understanding this, you simply need to go to just ONE page.
OSX has continued to evolve, and has yet to receive this kind of treatment. To top it off, since CNET is supposed to be reporting, you would think they would do actual, fair comparisons. This rarely happens. Yes there are reporters in CNET that strive to do a better job. I won't mention their names because that would alienate them from the rest.
So go to that page, and read all about the innovations etc. We have been getting a stream of Longhorn/Vista (I've forgotten the other code names) for longer than I can remember accurately.
A lot of Windows developers are still running Windows for development (gotta make a living) but they are using OSX, as well.
The bottom-line, for years to come, Windows is entrenched, and as long as they can strong arm vendors into shipping it, entice and bribe people into using it. It's coming. But quit with all the complete nonsense about how great it is.
Look at the market share of Windows vs. OSX and that's all you need to know. CNET is a business, and they're going to write articles that will attract the most readers, and by extension, advertisers. There are plenty of other places to get Applecentric coverage if that's what you need.
All this talk reminds me of my college days working in a mall software store. We had a small shelf of Mac software in the back of the store, and at least once a day, some indignant Mac owner would complain that we didn't stock enough titles. As gently as possible, we tried to explain to them that no one bought the few titles that we did carry, so it would be bad business to stock any more. We'd usually get some comment about how Windows sucks, and they'd leave without buying anything. Which was the whole problem to begin with.
Thank you for alerting us to the security risk. In this, CNet News is doing a great service. But ... to avoid pushing people's sensitivity buttons, a little more accuracy in the title of articles, or a little more clarity or less journalism in the subtitles would be suitable. For example: Mac Flaw Puts Safari Surfers At Risk could be more accurately and fairly reported as: Simple Workaround Till Safari Security Hole Closed. Not only would this more accurately reflect the content of the article, but it is significantly less inflammatory and 'journalistic'. We computer aficionados do not need shock and awe. We'll read articles of obviously significant content without the fireworks in the titles.
1. If a Mac runs a program that it has never run before = IT ASKS YOU FIRST. It tells you that you are running a new program and asks for permission to proceed.
2. If a Mac runs a software installer = it not only asks you for permission + it asks for an administrator's password.
You might feel more secure behind a thousand firewalls - but being able to work online without worrying about the threat of viruses or spyware is priceless. I'm in 100% production while most users spend time downloading updates, scanning files, and clicking through confirmation pop-ups. While firewalling them out, you've walled yourselves in.
No one has ever said OSX is flawless, that is just made up drivel.
"Proof of concept" is miles away from an actual exploit. There have been a few proofs of concept released for issues with OSX. To date, there have been exactly zero successful attempts to exploit OSX in the wild. At worst, an attacker could affect 1 machine, but even that takes a lot of work. Compare that to the extreme ease of exploiting Windows on any given day.
If you had any knowledge of software, much less software security you would know this. No non-trivial software is flawless, and no one has ever claimed it. OSX is more secure and its users don't really have to worry about things like viruses. Not because of market share but because of solid software engineering.
So what, they found this security flaw. The only reason it's up here is because it's only one of the operating system's FEW. They don't put these at the top for Windows because there are so many more holes and viruses that can get into a PC without an anti-virus. Mac OS X is so much more secure than Windows. I'm confident that Apple will fix this in no time.
So what? So Macs are not that much more secure than Windows, after all. The reason it's "up here" it's because Apple fanboys like you like to publicize to the world how secure their Macs are and I wouldn't consider the operating system to have just a "few" security flaws when Month of Apple Bugs is making public a Mac bug every day for a month. Actually they *do* put these at the top for Windows too and the sole reason there are so many more viruses (not holes, nope) that can get into a PC without an anti-virus is because Windows is used by more than 90% of people who use computers, just in case you don't know. Mac OS X is in no way more secure than Windows (more secure *to use* yes, not more secure, no) - and Month of Apple Bugs is proving exactly that - Mac OS X is simply insignificant to hackers, with just around 5% OS share. I wouldn't be that confident that Apple will fix this in no time, given they took around 3 months to fix those Apple AirPort Wi-Fi holes they denied to exist to begin with.
operator's error. Nothing whatsoever to do with Apple.
http://news.com.com/The+dawn+of+Vista/2009-1016_3-6132982.html?tag=nefd.lede
make accurate comparisons versus ranting.