The Mac Observer


MacNewsWorld Interviews Discoverer of OS X Browser Flaw

8:00 AM EDT, May 20th, 2004

MacNewsWorld has posted an interview with the discoverer of the recently publicized OS X browser flaw. According to the discoverer of the flaw, "lixlpixel," Apple was informed of the flaw back in February 2004, but has done nothing about it as of yet. After waiting for two months, he says he decided to post information about the flaw to a Swiss Web site, which was then picked up by security firm Secunia. From MacNewsWorld:

In an exclusive interview Wednesday, lixlpixel told MacNewsWorld that, after waiting on Apple's reply, he finally posted the advisory to a Swiss Macintosh Web site.

"This is how Secunia picked up on the vulnerability," lixlpixel said, adding he had not contacted Secunia directly.

"Just by the nature of the Internet, this post took off," he continued.

"I was building a site where PHP and AppleScript work together to achieve what I wanted. That's when I discovered that you could start applications on the Mac via [a] URL," lixlpixel said.

"Of course that's no big deal, but then I realized that if you knew the location of the downloaded program on the user's machine, it gets more dangerous. That's why I notified Apple."

You can read the full article at MacNewsWorld's Web site, and we recommend it as a very interesting article.

The Mac Observer Spin:

A number of Observers had questions about how and why this flaw was made public, and this interview answers most of those questions.

More importantly, we are concerned about Apple's alleged lack of response to lixlpixel, though we obviously don't know Apple's side of things. If true, however, it brings up ugly comparisons to Microsoft, a company long known for ignoring similar security notifications until public pressure and the massive Windows virus/worm problem forced the company to pay attention.

Certainly Apple's record is far, far better than Microsoft's, but it may take a bit of public pressure from the Mac installed-base to keep it that way.

Observer Comments

Name: a_blasiman | Posts: 24 | Joined: 08 Mar 2004
Subject: Come on Apple

Usually I have nothing but good things to say about Apple, but as of late they seem to be dropping the ball when it comes to a few different things. This security hole is a huge deal. I don't need somebody commandeering my machine. Apple's hardware line has also seen some negativity in regard to quality. iBook recalls are no fun. Last but not least, everybody knows about Apple's crappy advertisement campaign for their beautiful OS. If Apple could pick up the pace on these things and not get negative press for them, I think they could increase hugely in market share and installed user base.

Name: RealityCheck - Troll | Posts: 392 | Joined: 06 May 2004
Subject: Yet Another Apple Bad News Story - See A Trend
Name: jfbiii | Posts: 109 | Joined: 06 May 2004
Subject: Thing is, they could have done this really quickly

Sure, they would have broken the integration of their help system, but the actual security concern could have been addressed very, very quickly simply by pushing out a security update that did what every responsible user has already done: assign a harmless default application to the help protocol. Even better, it would trigger an alert with the option to open help viewer and run the script, open help viewer but not run the script, or not open help viewer at all. They could have protected everyone in late February and looked really responsible in the process. It was a win-win.

Name: John F. Braun - TMO Staff | Posts: 227 | Joined: 11 Jun 2001
Subject: Fixing One Problem But Creating Another

Although it seems like introducing a quick fix would have been the right way to go, I've too often seen a Microsoft security patch break an otherwise working system.

Fortunately, thanks to the responsiveness of the Mac community, information on how to protect one's system against this exploit has been spread almost as quickly as the news itself.

Name: Brutno | Posts: 195 | Joined: 28 Aug 2002
Subject: Notifying Apple

There is considerable discussion on this over at Macintosh News Network, with lixlpixel joining the discussion. What is NOT clear, however, is just HOW lixlpixel notified Apple. There is a specific location on Apple's website for contacting Apple about security issues, but as of yesterday AM lixlpixel has not acknowledged using that method. As such, a normal email to Apple may go unnoticed by Apple for quite a while, thus explaining the delay.

I'm not an Apple apologist, but one would think that when finding a flaw this dangerous, one would at least navigate the Apple web site.

From the second page:

quote:
Originally posted by lixlpixel:
do you really believe i would make that public without telling Apple ?
I LOVE APPLE
i can't sleep since i did it - i only did it because of so many "new" (more or less serious) exploits for the Mac surfaced.
(and because Apple didn't respond on my bug report for over two months)


Excuse me, but you sent a BUG REPORT??? That bug report is probably buried deep in some developer's to-do list and hasn't been read by the right people yet.

Contact Apple directly at product-security@apple.com

NOW!!!!

Next time someone feels they have to make a security hole public because Apple didn't respond to your e-mail, bug report or something like that, please read this page first:

http://www.info.apple.com/usen/security/index.html

-End quote-

Now please excuse me while I read the rest of the discussion.

Name: jfbiii | Posts: 109 | Joined: 06 May 2004
Subject: Quick fix, no. Quick intervention, yes.

John, I'm not advocating that they offer up a quick fix, I'm saying they should have deliberately assigned a harmless default application to the help protocol. Which is the "fix" that everyone is employing. By deliberately breaking some of the system's interoperability without actually changing the functionality of the system, they would have short-circuited the negative publicity and protected their users.

Every once in a while, the best temporary fix is to just unplug what's broken, fix it, then plug it back in.

Good point, though, Brutno, about what constitutes notification.

Name: Guest
Subject: Question for Brutno
Name: Brutno | Posts: 195 | Joined: 28 Aug 2002
Subject: How to contact Apple

Good question, Dave.

Use this path:

Apple(home):Support(tab at top of page):MoreResources(bottom left of page):Contacting Apple About Product Security Issues.... yields this page:

http://www.info.apple.com/usen/security/index.html

You are correct - it is NOT easy to find, took me about three minutes, but certainly worth the effort.

Thanks for asking!

Name: Guest
Subject: Answer for Dave
Name: Guest
Subject: Further question for Brutno
Name: Guest
Subject: Idea for Bryan
Name: zpok | Posts: 80 | Joined: 06 May 2004
Subject: RC: your god has spoken

Quote
RealityCheck wrote:
now that Apple's market share is less than 2%, the death spiral is tightening


MS just commented they have a user base of 7 million for Mac Office. That's paying customers. Most people I know just copy the CDs from their friends.

About half of the 70 million iTMS sales are done by mac users.

Apple virtually controls the video/movie market on the software/hardware side. It brings in a $#!% heap of money and prestige. The same goes for the professional music market.

The majority of the DTP market still relies on Apple.

And the percentage of home users is way beyond 2% "market share". In fact, when you factor in the fact that most "non creative" offices don't have macs, the 2% becomes a very respectable figure for the home market.

I know, feeding the ugly, stupid troll...

Name: Bryan - TMO Staff | Posts: 7329 | Joined: 11 Jun 2001
Subject:

Remember: Do NOT feed the trolls.

Name: Guest
Subject: Re: Bryan
Name: Brutno | Posts: 195 | Joined: 28 Aug 2002
Subject: How to Contact Apple - Updated

Dave, (and anyone else...)

Oops! Missed a few links. Here is the revised path:

Apple(home):Support(tab at top of page):Support Site Map (very bottom of page in small print):AppleProduct Security(far right under Site Tools & Services):

Above path yields this page where you will find the link:
http://www.info.apple.com/usen/security/index.html

Sorry about the miscue!

Again, difficult to find - you would think there would be a "Security" link on the Home page, but then again I am sure many people would submit items that were not *really* security issues. This is four steps, better than some sites, however.

Hope this helps, and I hope the website voodoo priests don't mess it up again!

Name: Guest
Subject: Brutno - Thanks
Name: Brutno | Posts: 195 | Joined: 28 Aug 2002
Subject: to Dave

Happy to help!

Name: John F. Braun - TMO Staff | Posts: 227 | Joined: 11 Jun 2001
Subject: Another Fix

Here's another goodie called Paranoid Android that can help guard against URL-based attacks. Once Apple does repair the exploit, this may be something you'd still like to keep around, just to know what is going on with your system:

http://www.unsanity.com/haxies/pa
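The two mitigations discussed in this thread, jfbiii's suggestion of binding the help protocol to a harmless default application and the URL-handler watchdog John mentions above, both come down to one rule: a URL scheme the system does not explicitly trust should never reach an application launcher. The following Python script is an added example, not code from the article, from any commenter, or from the Paranoid Android project. It applies that deny-by-default rule on the web-content side: it pulls every href/src value out of a page and refuses any scheme outside an allowlist. The allowlist, the sample HTML and the "help:example" / "disk:example" values are constructed placeholders for illustration, not the syntax of the flaw itself.

```python
import re
from typing import List, Optional, Tuple

# Constructed allowlist for illustration: schemes a public web page may use.
# Everything else (help:, disk:, file:, custom application schemes) is refused,
# which is the deny-by-default idea behind binding an unfamiliar URL scheme to
# a harmless handler: an unrecognised scheme never reaches a launcher.
ALLOWED_SCHEMES = frozenset({"http", "https", "mailto"})

# RFC 3986 scheme syntax: ALPHA *( ALPHA / DIGIT / "+" / "-" / "." ) then ":"
_SCHEME_RE = re.compile(r"^([A-Za-z][A-Za-z0-9+.\-]*):")

# href="..." / src='...' / src=bare, case-insensitive, as found in raw HTML
_ATTR_RE = re.compile(
    r"""(?:href|src)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))""", re.IGNORECASE
)


def extract_scheme(url: str) -> Optional[str]:
    """Return the lower-cased scheme of a URL, or None for a relative reference.

    Control characters and whitespace are dropped before matching because
    browsers ignore them, so a naive filter that looks for the literal text
    "help:" would miss a scheme split by a tab or newline.
    """
    cleaned = "".join(ch for ch in url if ord(ch) > 0x20 and ord(ch) != 0x7F)
    match = _SCHEME_RE.match(cleaned)
    return match.group(1).lower() if match else None


def is_allowed_url(url: str) -> bool:
    """True when the URL is relative or its scheme is on the allowlist."""
    scheme = extract_scheme(url)
    if scheme is None:
        return True  # relative reference: resolves against the page's own scheme
    return scheme in ALLOWED_SCHEMES


def audit_html(html: str) -> List[Tuple[str, Optional[str]]]:
    """Return (url, scheme) for every href/src value that the allowlist refuses."""
    findings = []
    for match in _ATTR_RE.finditer(html):
        # exactly one of the three alternatives captured the attribute value
        url = next(group for group in match.groups() if group is not None)
        if not is_allowed_url(url):
            findings.append((url, extract_scheme(url)))
    return findings


# Constructed sample page; the values after "help:" and "disk:" are
# placeholders, not the syntax of any real exploit.
SAMPLE_HTML = (
    '<a href="https://www.apple.com/support/">Support</a>\n'
    '<a href="/local/page.html">relative link</a>\n'
    '<a href="mailto:product-security@apple.com">report a flaw</a>\n'
    '<a href="HELP:example">upper-case scheme</a>\n'
    '<iframe src=" he\tlp:example"></iframe>\n'
    "<a href='disk:example'>single-quoted attribute</a>\n"
    '<a href=javascript:void(0)>unquoted attribute</a>\n'
)

if __name__ == "__main__":
    for url, scheme in audit_html(SAMPLE_HTML):
        print(f"refused scheme {scheme!r}: {url!r}")
```

Run it as a script to see the four refused links in the sample; the point of the whitespace stripping in `extract_scheme` is that the filter keys on the scheme the browser will actually act on, not on the raw text, so the upper-case and tab-split variants are caught along with the plain ones.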
