Mac flaw puts Safari surfers at risk

A serious security flaw in Mac OS X opens machines with Apple's Safari Web browser to hijack by outsiders, Secunia has warned.

The vulnerability and "proof of concept" code to exploit it were released on Wednesday as part of the Month of Apple Bugs project. It affects Mac OS X 10.4.8, the most recent version of Apple's operating system and, possibly, previous versions, security researcher LMH said in the posting on MOAB's Web site.

special coverage
Mac Views

Will bug campaign benefit Apple security?

The flaw can be exploited if the Mac user has enabled an option in Safari to "open safe files after downloading," Secunia said in an advisory Thursday. The security company has rated the problem "highly critical."

"It is never good to have something open automatically when you download it, so users should disable this automatic feature in Safari," said Thomas Kristensen, Secunia's chief technology officer.

Over the past year, security experts have scrutinized the "open safe" feature in Apple's code, and have said that the company hasn't completely closed up the security holes. The feature automatically opens files that are deemed to be safe. In March, Apple added a "download validation" function to the tool to warn people when they may be downloading a malicious file or disk image.

However, security experts have noted that malicious attackers could create a file that appears to be safe, such as a movie or image file, but is actually an application that gets loaded onto a user's system.

Security researchers are advising users to disable the "open safe" feature in Safari.

In response to the news, an Apple representative said: "Apple takes security very seriously and has a great track record of addressing potential vulnerabilities before they can affect users. We always welcome feedback on how to improve security on the Mac."

[OmniGeno]

This is...

...old news. Though I'm not happy that Apple has yet to solve it,
I've had this function off for a while, pending an update. Please do
not report on stuff that everyone knows already, just to get the
public's attention.

[gabegard]

You've been warned, CNET...

In the future, you must check with OmniGeno before posting anything potentially critical of Apple. He'll let you know if "everyone knows already".

[Cato42]

Okay, so I'm living under a rock . . .

. . . but I didn't know about it. I'm glad to now know. FWIW.

[SystemsJunky]

Uh

Didnt we turn off this feature like 3 years ago?

[Ryo Hazuki]

This is...

...an unpatched high-risk Mac security vulnerability. Just because Mr. OmniGeno has this function off it doesn't mean the flaw is not there still and ready to be exploited. Please do not give lame excuses on Macs' bugs, just so you don't have to admit Macs are, afterall, not that secure.

[Tui Pohutukawa]

This is not a security issue

If somebody downloads dodgy software, it is entirely a case of
operator's error. Nothing whatsoever to do with Apple.

[Cato42]

Nobody mentioned software

WADR, this doesn't have to do with an individual intentionally
downloading "dodgy" software. The flaw allows for concealment of
malicious code under a disguise as a (usually) benign file, such as
video, PDF, etc. That's what makes it a security flaw--and rightly
mentioned as an issue, since Apple's not fixed it yet. (Though they
have come out with the over-hyped Apple TV and iPhone.)

[SystemsJunky]

So I guess

That applies to Microsoft products too right? Im sure you'll answer with a big fat "NO".

[rgmenke]

Normal CNET drivel

CNET continues the pattern of "reporting" negatively on Apple. Go
back over the last year and look at how many pot-shots they've
taken at Apple vs say Microsoft. It's not that Apple does everything
right, but CNET would serve it's readers better by being more even
handed. It's too bad that the editors have taken this approach as
the site could be a great source for news and product reviews. Have
you noticed how companies that advertise heavy with CNET get
better ratings?

[Christopher Hall]

Advertise?

C|Net has ads?

;)

[Cato42]

I'd expect CNET to be reporting on it

Some other folks have decided to devote January to the disclosure
of a bug-a-day in Mac Land; it's news. Not the biggest, but worth
spending a few bytes and electrons on.

[SystemsJunky]

Whatever

Your the one driveling. The top 10 news articles are about apple's wonderful, truely innovative, re-invented iPhone...And the lawsuits associated with it..LOL

[zeeboid]

amazing

Amazing how Apple users freak whenever something negative comes out about their Macs.

[Cato42]

Well here's one who didn't . . .

. . . freak, that is. I own--if you count those owned by my daughter
and wife--four lovely Macs of various species. And i've not yet
freaked over them or any announcements about them. Now, about
the iPhone, OTOH, I think Apple freaked a fair number of folks by
tying the product to Cingular and it's freaking failure of a data
service, EDGE.

[jabbotts]

they believe the marketing rather than reality

Any company being Apple or other is going to tell you there product is the greatest thing since fire; that's not surprise by any means.

The surprise is how Cult of Mac (not regular Apple computer owners but, the fanatics) believers continue to loose it any time something like reality threatens to shatter the delusions they've developed based purely on Apples ad campains.

"Hi, I'm a PC."
'And I'm a Mac; impervious to viruses, bugs, hardware falures and solar flares.'

My comments are not targeted to the regular computer owners who chose to buy an Apple; only the Blindly Brand Loyal who disregard facts about whatever there prefered system is unless the facts fit there pre-determined perceptions.

[brilo]

Relentless

I'm shocked just about every day when I read an article or two and hear how biased this site is. If it's so entirely biased, why do you continue to read articles?!?!?
It's time to step back, read an article for what it's worth, if you agree great, if you disagree, than equally great.
But for crying out loud, please refrain from saying how biased these reports are.
Is it wrong for a reviewer to use a Mac when writing a story about a Mac? How about using a PC to write about a Mac? How about using a Mac to write about a PC? Get over it....my favorite color is gray, yours is pink, his is red and hers green.

Who wants to spend their time bashing product reviews anyways???? Get a life!!!!!

[MadKiwi]

Your comments are fine...

... for a web site that expresses opinions. But CNet claims to be a NEWS site. To be an acceptable news site it should be unbiased. I'm afraid that it is only too easy to find both positively and negatively biased articles on CNet masquerading as news. Apple's OS X appears to me to be on the receiving end of many negative articles while MS's OSes enjoy the opposite.

Despite this I still read CNet but treat it more as a blogg than as a reputable source of news.

[Thomas, David]

CNET bias justification

Look, from time to time, CNET is a little balanced. But that is
not the norm. For those of you not understanding this, you
simply need to go to just ONE page.

http://news.com.com/The+dawn+of+Vista/
2009-1016_3-6132982.html?tag=nefd.lede

OSX has continued to evolve, and has yet to receive this kind of
treatment. To top it off, since CNET is supposed to be
reporting, you would think they would do actual, fair
comparisons. This rarely happens. Yes there are reporters in
CNET that strive to do a better job. I won't mention their names
because that would alienate them from the rest.

So go to that page, and read all about the innovations etc. We
have been getting a stream of Longhorn/Vista (I've forgotten the
other code names) for longer than I can remember accurately.

A lot of windows developers are still running windows for
development (gotta make a living) but they are using OSX, as
well.

The bottom-line, for years to come, Windows is entrenched, and
as long as they can strong arm vendors into shipping it, entice
and bribe people into using it. Its coming. But quit with all the
complete nonsense about how great it is.

[gabegard]

Simple economics

Look at the market share of Windows vs. OSX and that's all you need to know. CNET is a business, and they're going to write articles that will attract the most readers, and by extension, advertisers. There are plenty of other places to get Applecentric coverage if that's what you need.

All this talk reminds me of my college days working in a mall software store. We had a small shelf of Mac software in the back of the store, and at least once a day, some indignant Mac owner would complain that we didn't stock enough titles. As gently as possible, we tried to explain to them that no one bought the few titles that we did carry, so it would be bad business to stock any more. We'd usually get some comment about how Windows sucks, and they'd leave without buying anything. Which was the whole problem to begin with.

[Riphly]

Thank you, but...

Thank you for alerting us to the security risk. In this, CNet News
is doing a great service.
But ... to avoid pushing people's sensitivity buttons, a little more
accuracy in the title of articles, or a little more clarity or less
journalism in the subtitles would be suitable.
For example : Mac Flaw Puts Safari Surfers At Risk could be more
accurately and fairly reported as : Simple Workaround Till Safari
Security Hole Closed.
Not only would this more accurately reflect the content of the
article, but it is significantly less enflamatory and 'journalistic'.
We computer affictionados do not need shock and awe. We'll
read atricles of obviously significant content without the
fireworks in the titles.

[SEOwebMarket.com]

Who's Flaw?

Macs are secure. Do you trust your computer?

1. If a Mac runs a program that it has never run before = IT
ASKS YOU FIRST. It tells you that you are running a new program
and asks for permission to proceed.

2. If a Mac runs a software installer = it not only asks you for
permission + it asks for an administrator's password.

You might feel more secure behind a thousand firewalls - but
being able to work online without worrying about the threat of
viruses or spyware is priceless. I'm in 100% production while
most users spend time downloading updates, scanning files, and
clicking through confirmation pop-ups. While firewalling them
out, you've walled yourselves in.

[NRecob]

SO MUCH FOR MAC "PERFECTION"

Yup, they CAN'T crash, they CAN'T get a virus, spyware is only a PC issue etc etc etc...

[qwerty75]

clueless

No one has ever said OSX is flawless, that is just made up drivel.

"Proof of concept" is miles away from an actual exploit. There have been a few proof of concept released for issues with OSX. To date, there has been exactly zero successful attempts to exploit OSX in the wild. At worst, an attacker could affect 1 machine, but even that takes a lot of work. Compare that to the extreme ease of exploiting windows on any given day.

If you had any knowledge of software, much less software security you would know this. No non-trivial software is flawless, and no one has ever claimed it. OSX is more secure and its users don't really have to worry about things like viruses. Not because of market share but because of solid software engineering.

[dansterpower]

Please educate yourself, don't spout sarcasam

Please, really, learn the facts about OSX, Unix, Linus, Windows and
make accurate comparisons versus ranting.

[dataset]

Windows has a ton more.

So what, they found this secuirty flaw. The only reason it's up here
is because it's only one of the operating systems FEW. They don't
put these at the top for windows because there are so many more
holes and viruses that can get into a PC without an anti-virus. Mac
OS X is so much more secure than Windows. I'm confident that
Apple will fix this is no time.

[Ryo Hazuki]

Market share too.

So what? So Macs are not that much more secure than Windows, afterall. The reason it's "up here" it's because Apple fanboys like you like to publicize to the world how secure their Macs are and I wouldn't consider the operating system to have just a "few" security flaws when Month of Apple Bugs is making public a Mac bug everyday for a month. Actually they *do* put these at the top for Windows too and the sole reason there are so many more viruses (not holes, nope) that can get into a PC without an anti-virus is because Windows is used by more than 90% of people who use computers, just in case you don't know. Mac OS X is in no way more secure than Windows (more secure *to use* yes, not more secure, no) - and Month of Apple Bugs is proving exactly that - Mac OS X is simply insignificant to hackers, with just around 5% OS share.
I wouldn't be that confident that Apple will fix this in no time, given they took around 3 months to fix those Apple AirPort Wi-Fi holes they denied to exist to begin with.

[Ryo Hazuki]

So much for Mac security

I wish I had a Mac so I didn't have to deal with these Windows-only problems.