March 10, 2006 1:41 PM PST
This week in Apple
The Mac maker released a security update for its operating system on Wednesday to plug 20 holes. The patch arrived after two weeks of intense scrutiny of the safety of OS X, prompted by the discovery of two worms and the disclosure of a vulnerability that was deemed "extremely critical" by security monitoring company Secunia.
The update added a function called "download validation" to the Safari Web browser, Apple Mail client and iChat instant messaging tool. The function warns people that a download could be malicious when they click on the link. Before that change, clicking on a link could have resulted in the automatic execution of code on a Mac.
However, experts say the patch doesn't completely fix a high-profile Mac OS X flaw, leaving a toehold for cyberattacks. Apple failed to address a key part of the problem: The fix should be at a lower, operating-system level, experts said. It is now still possible for hackers to construct a file that appears to be a safe file type, such as an image or movie, but is actually an application, said Kevin Long, an analyst at security specialist Cybertrust.
Meanwhile, a Mac hacking contest is raising the hackles of many Mac fans. An individual who won such a contest last month by gaining root control of a machine using an unpublished security vulnerability called it "easy pickings."
On Feb. 22, a Sweden-based Mac enthusiast set up his Mac Mini as a server and invited hackers to break through the computer's security and gain root control, which would allow the attacker to take charge of the computer and delete files and folders or install applications.
Within hours of going live, the "rm-my-mac" competition was over. The challenger posted this message on his Web site: "This sucks. Six hours later, this poor little Mac was owned, and this page got defaced."
However, many observers criticized the validity of the competition because participants were given local client access to the target computer.
The contest raised the ire of a university systems engineer in Wisconsin, who invited hackers to break into his Mac. Dave Schroeder asked hackers to alter the home page hosted on a Mac Mini that is running Mac OS X 10.4.5 with the latest security updates.
The system has two local accounts, and has SHH and HTTP open--"a lot more than most Mac OS X machines will ever have open," Schroeder said on his Web site.
But the event ended early after information emerged that the contest had drawn the scrutiny of the chief information officer at the University of Wisconsin-Madison, whose network Schroeder's Mac Mini was on.
"The Mac OS X 'challenge' was not an activity authorized by the UW-Madison," Brian Rust, a university spokesman, said in an e-mailed statement. "Once the test came to the attention of our CIO, she ended it...Our primary concern is for security and network access for UW services."
24 commentsJoin the conversation! Add your comment