April 21, 2006 4:35 PM PDT

Unpatched Mac flaws may put users at risk

Apple Computer is investigating several unpatched and potentially serious security flaws in Mac OS X that have been publicly disclosed, the company said Friday.

Tom Ferris, a security researcher in Mission Viejo, Calif., published late on Thursday information on seven flaws in Apple's operating system that potentially put Mac users at risk of a cyberattack. The most serious of the flaws could let attackers surreptitiously run malicious code on users' PCs, Ferris said in an interview via instant messaging.

"We're in the process of investigating and addressing them," Bud Tribble, Apple's vice president of software technology, told CNET News.com. "I think it is important to note that although these are potential vulnerabilities, there are no known exploits to them and they are not affecting customers today."

Five of the flaws identified by Ferris relate to how Mac OS handles various image file formats--including BMP, TIFF and GIF, according to his security advisories. Another flaw involves the way OS X decompresses Zip archives. Additionally, Ferris claims to have found several bugs in Apple's Safari browser.

"The image flaws are the scariest ones, giving an attacker multiple methods of compromising a host," Ferris said. "They can be exploited to execute arbitrary code very easily and were not hard to find."

Apple silently fixed one of the flaws related to the handling of TIFF image files in update 10.4.6, Ferris said. The other bugs remain unpatched, he said, adding that he reported the issues to Apple earlier this year.

Apple believes the public disclosure of security flaws doesn't help anyone, a position shared by most software makers. "We don't feel that our customers are better served by public disclosure of potential issues," Tribble said. "We think that in the general case, people who need to know about issues are the ones that can actually fix the bugs."

Ferris in the past has released information on flaws in several Apple products, including iTunes and QuickTime, as well as the Firefox Web browser, before an official patch was made available.

Security monitoring companies Secunia and the French Security Incident Response Team, or FrSIRT, deem the latest Mac OS X issues "highly critical" and "critical," respectively.

"Multiple vulnerabilities have been identified in Apple Mac OS X, which could be exploited by attackers to execute arbitrary commands or cause a denial of service," Secunia said in an advisory. To protect against attacks, the company recommends not surfing to untrusted Web sites and not opening suspect Zip archives or images.

Apple expects to address the issues in an upcoming security update but could not say when that fix might be released. "Our target is to do it promptly," Tribble said. "How quickly that can be done depends on a lot of variables, in terms of how much information we get and how complex the things are to address."

See more CNET content tagged:
flaw, Apple Computer, attacker, Apple Mac OS X, TIFF

36 comments

Join the conversation!
Add your comment
Courtesy
They report to Apple about the flaws. Under Windows, they'd
program malware and exploit it.

Still, the results are clear.

Using a Mac for my financial business since Pather's release, I've
had no strange transactions show up on my bank accounts or
credit cards.

When I was using Windows XP with all kinds of security
programs, I was still getting strange transactions.

Two years, and I feel safe.

Furthermore, the security holes that needs to be addresses are
for Tiger mainly, not Panther, Jaguar, or below. Those are, in my
opinion, more secure in the Windows 95 sense . . . just be old, is
all.
Posted by fakespam (239 comments )
Reply Link Flag
OS is a complex thing
OS is a complex thing. It is all about how rapidly a company can identify and rectify the problem

I hope Mac Maniacs/bigots understand this.
Posted by Tanjore (322 comments )
Link Flag
false sense of secuity is not good
Don't dilude yourself into thinking the MAC will always be safe. These expliots were "easy to find" according to the person who found them and haven't been fixed for months. The higher the market share apple aquires, the higher the chance that virus writers will be targeting it. The move to the intel chip has already made it easier for virus writers to exploit holes as they are already familiar with the assembly language for the processor. No operating system is 100% safe and you should take steps to improve your security through firewalls and virus protection. Just remember, it only takes one virus on your computer to destroy what's on the hard drive. I don't want this post to look like "the sky is falling", I simply want to remind everyone that simple measures are available and should be taken to improve security.
Posted by Seaspray0 (9714 comments )
Link Flag
No matter where you turn are flaws.
Its starting to feel like that both sides of political divide are equally bad, no one choice is much better than the other.
As a windows user i really wish that OSX is really that good and sets a standard that windows can meet w/o paying more for a Mac. Now maybe the cliche about no OS is flawless is true, hoping for one is really a hope.
Posted by pjianwei (206 comments )
Reply Link Flag
Yes, all OS have flaws
You just have to pick an OS that fits your comfort level. On the
one hand you have Windows, the target of over 150,000 active
viruses and worms, and the easiest operating system to exploit
in wide use today.

On the other hand you have OS X and the other Unix operating
systems. Despite all the retoric about vulnerabilities there has
not been a single successful OS X exploit to date. The Army's
website is attacked "hundreds of times" each day but has not
been breached since they switched from Windows to Mac five
years ago. And while the various Unix OS power the vast
majority of sites on the Internet today, the overwhelming
majority of successful attacks are against Windows servers.

If you want to be totally secure, unplug your computer from the
Internet, turn it off and put it back in the box. Otherwise look at
the statistics and make an informed choice.
Posted by rcrusoe (1305 comments )
Link Flag
Generalizations don't help.
To conclude both OSes are "equally bad" from articles like this is
akin to believing a Mercedes and a Kia Rio are equally bad
because both can crash.

Unless MS has its feet continually held to the fire, it will not
satisfy your daily need for security. To shrug and say security
exploits are simply a fact of computing life is to surrender your
influence as a consumer. If more people vote with their wallets
and migrate to Macs, Microsoft will be much more responsive.

It's why we embrace competition and avoid monopolies
whenever possible. Justifying poor security in Windows by
believing OSX will prove itself equally vulnerable "any day now"
should be cold comfort to those who daily are stomping out
attacks.
Posted by Knute Neely (3 comments )
Link Flag
I like how they try to keep these things secret..
I like how he says that making these things public doesn't help
anyone. What he really meant to say is that it now forces Apple to
fix exploits because the public is now aware of them.
Posted by kfsutops (6 comments )
Reply Link Flag
Secret Probably Helps
There is 2 ways to look at this:

1. The Conspiracy Theory: If the news is kept secret then Apple can avoid having to do some work and they can keep getting fat on their profits while their customers continue to be exposed to potential danger.

2. Don't Give Crackers A Menu: If the news is made public then you're effectively giving Joe Cracker a menu of vulnerabilities that he can now write code to exploit.

It's a hard one to call. Putting public pressure on Apple to fix these vulnerabilities in a timely manner is good and we should all be aware of the risks that we may be exposing ourselves to. However, I really don't think that publishing details of the vulnerabilities is good as it does provide a list of unfixed vulnerabilities that crackers can develop exploitation code for.

I'd suggest that making these announcements is good and should continue but that the detail should be stripped from them except to those who need it (i.e. Apple and anyone else in a trusted position to do something about it). Certainly we should not be making life easier for the crackers, although I suspect that they make their own vulnerability discoveries without security researchers and that undocumented vulnerabilities make for more successful malware.

Anyway, I'm not in the Conspiracy Theory camp and I don't believe that Apple is trying to cover up their mistakes.
Posted by kelmon (1445 comments )
Link Flag
Message has been deleted.
Posted by timeforhell666 (27 comments )
Reply Link Flag
Somebody explain this to me...
I followed the link to the page where Tom Ferris describes these
security flaws, and every single one of them involves a heap
overflow/crash, which allows an attacker to run arbitrary code.
Two things I need explained: Number one, is that the new Intel
chips include the "NX" memory flag that makes certain regions
of memory nonexecutable. This flag was implemented espressly
by Intel to address exactly this type of security exploit, and I am
99% sure that I've read that Apple OS X takes advantage of it.
So, does this flaw only affect PowerPC macs? The descriptions
don't say, but it would seem to me that it does. Number two:
the default way that things are set up on OS X, users don't run
with root privilege. If an attacker actually were able to take
control, would he be running at the same privilege level as the
user who was compromised? I segregate my accounts so that
files in one cannot be accessed from another. Would an attacker
only be able to diddle with one account, since I make sure I run
in limited privilege mode whenever possible? If the answers to
these questions are what I think they are, I don't think I have
anything to worry about.
Posted by cubicleslave1 (27 comments )
Reply Link Flag
Pretty much right
You're correct. Running artbitrary code on OS X means just that -
executing. There's less chance of it installing something that will
autoboot next time.

Of course, it's always feasible to chain exploits; there have been
known priveledge escalation exploits on OS X.
Posted by JulesLt (110 comments )
Link Flag
A few lessons to be learned here..
Lesson 1)Your right, public disclosures do not help anybody but
the criminals.

Lesson 2)If software providers would listen to the people that
create number 1 than there wouldn't be a number 1.

Lesson 3)It's a sure sign that your company is in control of it's
issues when it proceeds to proclaim that we will take care of this
issue promptly and "not next Tuesday of Next Month".

Fixing something after it has been found to be broke is one
thing. Fixing something that is found to be broke 2, 3, 4 weeks
later is just INSANE!


~Justin
www.TechViewsToday.US
www.Tech01.net
Posted by OneWithTech (196 comments )
Reply Link Flag
3 MONTHS
These flaws were sent to Apple 3 MONTHS ago.
Posted by Ilgaz (573 comments )
Link Flag
It looks like the holes ae filled......
... before anyone knew they were there. I can't see how any users
were at risk at all. More CNET FUD??????
Posted by Earl Benser (4310 comments )
Reply Link Flag
not all
THe story stated that Apple only fixed one in the last update. THe others still remain.
Posted by techguy83 (295 comments )
Link Flag
Real problem is community
Read the "comments" about any security alert, exploit or whatever
sounds "bad" for Mac.

You will understand the real problem and the huge security risk is
the mac community itself. Or: the "loud" portion of it.
Posted by Ilgaz (573 comments )
Reply Link Flag
Real Problem is Speculation
Either OSX is more secure by design than WXP or it isn't.

It's that simple.

Yes, "potential threat" stories raise the hackles of the Mac
community, because, when carelessly written, they feed the
"securty through obscurity" argument of Windows apologists.
And, considering that to date no actual attacks have occured, no
data has been lost, no legion of zombie Macs have been
unleashed by Russian hackers, etc., these stories make the Mac
appear equally sloppy go a Windows box, where only time will
bring about a reckoning for us lazy, deluded Mac users.

The delusion is in users accepting the lost time, data and added
fear and frustration with 90% of today's PCs. Hoping for some
moment of shadenfreude when OSX is "exposed" as equally
vulnerable is what I think some of these articles exploit.

Yet in the mean time, no Mac user has reported a problem. Go
figure.
Posted by Knute Neely (3 comments )
Link Flag
Joris the Town Crier
Thanks for telling us about more non-threatening Mac OS bugs Joris. Your plan to panic people and make news where there is none is working!
Posted by kylegas (81 comments )
Reply Link Flag
Another misleading headline puts writer at risk
I wish this were true.
One day one of these might actually affect a single Mac user. Until
then....SHUT UP!!!!!
Posted by (2 comments )
Reply Link Flag
What is misleading?
It is not misleading. It clearly says "may put apple users at risk" and that's strictly true and clear as water. It MAY put them at risk, if someone develops an exploit. Ant that's not a far fetched proposition. It is reasonably lilkely.
So you think it's better to hide this sort of info so Apple users are unaware that they SHOULD be using an antivirus product and patching their machines?
Posted by Hernys (744 comments )
Link Flag
I love you guys!
I just love clicking on every C|Net article that mentions a Mac flaw just to see how the Mac fanatics are going to rationalize it away. And you guys never disappoint. Another classic, Bobby, and first post, too! Bravo.
Posted by Neo Con (428 comments )
Link Flag
MAC more vulnerable than Windows
More proof that the MAC is more vulnerable than Windows. MAC
hacked in under 30 minutes. MAC viruses attack MACS everywhere.
More MAC vulnerabilities.
Windows is the more secure and more superiorer operating system
because it has more markert share. That prooves that Windows is a
much better os.

I love Bill Gates.
Posted by X=0 (52 comments )
Reply Link Flag
stop the bs.
I want to report this post as offensive to the moderator as being
offensive to the senses.
Posted by Chandwaq (6 comments )
Link Flag
LOL
F'ing Great Post ___ Love it


I love Bill G...HAHAHAHAHAHAHAH!!!!!

Classic.
Posted by SystemsJunky (409 comments )
Link Flag
Why is it that every story
that comes out about OS X or Windows whether related to security or not becomes a pissing match between users..I've never seen so many queers trying to verbally beat each other to a pulp over a damn OS..Who really gives a ****.?

Read the Article, gather your thoughts, post your input, leave your DAMN OPINIONS where they suit you best...in your MIND..

*** is this world coming to?
Posted by SystemsJunky (409 comments )
Reply Link Flag
 

Join the conversation

Add your comment

The posting of advertisements, profanity, or personal attacks is prohibited. Click here to review our Terms of Use.

What's Hot

Discussions

Shared

RSS Feeds

Add headlines from CNET News to your homepage or feedreader.