Apple Security Patch No Cure All, Secunia Says
TMO Reports - Apple Security Patch No Cure All, Secunia Says
by , 4:45 PM EDT, May 24th, 2004
Security firm Secunia said Monday that Apple Computer's Security Update released last Friday does not fully protect Mac users and that the company doesn't understand the seriousness of the issue.
"It is still possible to execute arbitrary code on a vulnerable user's system, just as easy as before Apple issued Friday's security update for Mac OS X," Niels Henrik Rasmussen, CEO of Secunia, said in an e-mail to The Mac Observer.
Apple released a patch late Friday that closed a hole in HelpViewer by preventing it from running scripts unless HelpViewer itself had written them. The vulnerability made it possible to place arbitrary files, including script files, on a user's Mac if the browser had been configured to automatically open files that appeared 'safe'.
Mr. Rasmussen said many problems still remain, however.
"What is really critical is the fact that Apple did not address the 'disk' URI vulnerability, which allows malicious Web sites to silently place code on a user's system," said Mr. Rasmussen. "Everything should be OK after the 'help' vulnerability has been fixed, but another very unfortunate feature has been revealed in Mac OS X disk image and volume handling, allowing a disk image to register a new URI handler and associate an application with this - obviously this application can be located on the disk image or volume."
The consequence, according to Secunia, is that malicious Web sites can abuse the "disk" URI handler in the same way as the "help" URI handler, "still leaving all Mac OS X systems wide open for attacks," Mr. Rasmussen said. "In other words, Mac users are as vulnerable now, as before the patch was released."
Secunia chastised Apple on two other fronts, saying the company had ignored since February the vulnerabilities it addressed last Friday, and that Apple isn't explaining to users through its updates what the problem is and how serious it could be.
"Unfortunately, Apple once again fails to describe the severity of the issues fixed by the latest security update," said Rasmussen. "Apple states that the update 'Fixes CAN-2004-0486 to ensure that HelpViewer will only process scripts that it initiated.' This does not clarify how important this update really is. Microsoft and most Linux distributions have learned the lesson and properly describe the nature and the impact of (most) vulnerabilities, allowing their customers to properly estimate the severity of a fixed issue. This is not possible when reading an Apple update."
Representatives from Apple were not immediately available to comment for this story.
The description of the update, which is called Security Update 2004-05-24, is sparse on details, merely saying that it updates HelpViewer, one of the weak links in the vulnerability. The update is available via the Software Update control panel of Mac OS X.
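The attack path the article describes starts with a Web page that carries a link or embedded resource whose URL uses one of the OS-registered schemes ("help", "disk") rather than http. The following is an added example, not code from the article or from Secunia: a small Python scanner that walks HTML and flags any href, src, action, data or meta-refresh URL whose scheme is on the list of abusable handlers named on this page. The HTML it scans is constructed sample input; the hostname example.invalid is a placeholder. Because browsers strip leading control characters and embedded tabs and newlines before they parse a URL, the scanner normalizes the same way, so mixed case or padded schemes are not missed.

```python
"""Flag links whose URL scheme is one of the OS-registered URI handlers this page
names as abusable.  Added example, not from the original article; SAMPLE_HTML is
constructed input."""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# "help" and "disk" come from the article; the remaining schemes are the ones a
# reader comment on the same page lists as handed to the OS by Safari.
RISKY_SCHEMES = frozenset({
    "help", "disk", "disks", "afp", "cifs", "file", "finger", "ftp", "ftps",
    "gopher", "nfs", "smb", "ssh", "telnet", "tn3270", "webdav",
})

# Attributes a browser resolves either silently (src, data) or on a click (href, action).
URL_ATTRS = {"href", "src", "action", "data"}


def normalize_scheme(url):
    """Return the lower-cased scheme of a URL, or None for a relative URL.

    Browsers drop leading C0 controls/spaces and remove tabs and newlines
    anywhere in the URL before parsing, so the scanner does the same."""
    cleaned = re.sub(r"^[\x00-\x20]+", "", url)
    cleaned = re.sub(r"[\t\r\n]", "", cleaned)
    scheme = urlsplit(cleaned).scheme
    return scheme.lower() or None


class RiskyLinkFinder(HTMLParser):
    """Collect (tag, attribute, url, scheme) for every URL with a risky scheme."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if value is None:
                continue
            if name in URL_ATTRS:
                self._check(tag, name, value)
            elif tag == "meta" and name == "content":
                # <meta http-equiv="refresh" content="0;url=..."> navigates without a click.
                match = re.search(r"url\s*=\s*(.+)", value, re.IGNORECASE)
                if match:
                    self._check(tag, "content", match.group(1).strip("'\" "))

    def _check(self, tag, attr, url):
        scheme = normalize_scheme(url)
        if scheme in RISKY_SCHEMES:
            self.findings.append((tag, attr, url.strip(), scheme))


def find_risky_links(html):
    """Parse an HTML document and return its risky-scheme URL findings in document order."""
    parser = RiskyLinkFinder()
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample page: one benign link, one mailto, and four risky-scheme URLs
# in different positions (click link, auto-loaded image, frame, meta refresh).
SAMPLE_HTML = """
<html><body>
<a href="http://www.example.com/">normal link</a>
<a href="disk://example.invalid/payload.dmg">click me</a>
<img src="  DISK://example.invalid/auto.dmg">
<iframe src="help://example.invalid/topic"></iframe>
<meta http-equiv="refresh" content="0;URL=ftp://example.invalid/pub/">
<a href="mailto:someone@example.com">mail</a>
</body></html>
"""

if __name__ == "__main__":
    for tag, attr, url, scheme in find_risky_links(SAMPLE_HTML):
        print(f"{scheme:>6}  <{tag} {attr}=...>  {url}")
```

Run against a saved page or a mail body, the scanner reports the four risky URLs in the sample and ignores the http and mailto links. The scheme list is a frozenset so a deployment can extend it without touching the parser.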
Observer Comments
Secunia's advice (for best practice) is:
- not surfing the web as a privileged user;
- not visiting untrusted sites.
The first of these relates to my query...
I was initially thinking along the lines of, "Is it possible to force any such URIs, when activated, to be assigned an unprivileged (maybe even temporary) user for its task, so that any operations must be given the OK by the user?"
Then I was thinking, maybe the best way forward (for the meantime) is to create a new user (who doesn't have admin privileges) and whose sole purpose in life is for browsing websites and/or email. I could create a script which would synchronise the prefs for Safari and Mail so that everything is still available to the primary user (especially for archiving)....
But what a hassle.
I think the second of these two advisories is the easiest :-/ Plus keeping a regular backup around...
I'm convinced the reason Apple abandoned Mac OS and moved to UNIX is because they had hit their level of incompetence. They took it as far as they could take it, and they STILL couldn't get it right. Now they're well on their way to fouling the security of a previously (relatively) secure operating system. Do they think this problem will just magically go away? I love Macs, but I'm thinking maybe I've bought my last...
Guest, what on earth would be your alternative? Mac OS X, despite having these new security flaws that have been discovered, still has a tiny, tiny, tiny fraction of the number of flaws that Windows has. Linux also has more than its fair share of flaws that are discovered (and quickly get fixed by the open source community).
Apple needs to understand that we, as Mac users, want them to fix these problems quickly, but being on a Mac is still far more secure than the alternative.
I just wanted to offer a bit of perspective for your frustration.
Fixing Help Viewer won't work as Safari has an unexpected "feature" to run protocols specified by the OS itself. So far here are the ones that can launch a remote attack on your system...
- afp
- cifs
- disk
- disks
- file
- finger
- ftp
- ftps
- gopher
- nfs
- smb
- ssh
- telnet
- tn3270
- webdav
MisFox is a better choice for changing the protocols (self-contained app), and make sure to direct them all to Stickies, as it's the fastest-launching app, plus it can display a message like "A potential attack has been averted on my system".
Edward Lopez
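Two defensive checks fall out of this page: Secunia's observation that a mounted disk image can register a URI handler whose application lives on the image itself, and the commenter's advice to point every OS-registered scheme at a harmless application such as Stickies. The following is an added example, not code from the article, from Secunia or from the commenter: a Python audit that takes a table of scheme-to-application bindings and flags each risky scheme whose handler lives under /Volumes (a mounted image or external volume), sits outside the trusted application directories, or is anything other than the chosen harmless sink. The binding table and its "scheme -> path" format are constructed for the example; the trusted roots, the /Volumes mount point and Stickies as the sink are assumptions, and the code does not query the real Launch Services database.

```python
"""Audit URL-scheme handler bindings against the abusable-scheme list on this page.

Added example, not from the original article.  SAMPLE_BINDINGS and its
'scheme -> /path/App.app' format are constructed; TRUSTED_ROOTS, MOUNTED_ROOT and
SAFE_SINK are assumptions.  Nothing here reads the real Launch Services database."""
from dataclasses import dataclass

# Schemes this page names as abusable ("help"/"disk" in the article, the rest in a comment).
RISKY_SCHEMES = frozenset({
    "help", "disk", "disks", "afp", "cifs", "file", "finger", "ftp", "ftps",
    "gopher", "nfs", "smb", "ssh", "telnet", "tn3270", "webdav",
})

TRUSTED_ROOTS = ("/System/Library/", "/Applications/")  # assumption: where legitimate handlers live
MOUNTED_ROOT = "/Volumes/"                              # assumption: mount point for disk images/volumes
SAFE_SINK = "/Applications/Stickies.app"                # the commenter's harmless handler of choice


@dataclass
class Finding:
    scheme: str
    handler: str
    severity: str   # "high", "medium" or "low"
    reason: str


def parse_bindings(text):
    """Parse constructed 'scheme -> /path/to/App.app' lines into a {scheme: path} dict.

    Blank lines and '#' comments are skipped; scheme names are case-insensitive."""
    bindings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        scheme, sep, handler = line.partition("->")
        if not sep or not handler.strip():
            continue
        bindings[scheme.strip().lower()] = handler.strip()
    return bindings


def audit_bindings(bindings, risky=RISKY_SCHEMES, safe_sink=SAFE_SINK):
    """Return one Finding per risky scheme whose handler is not the harmless sink.

    Severity: high  - handler lives on a mounted volume/disk image (the Secunia case);
              medium - handler is outside the trusted application directories;
              low    - handler is a trusted but functional app, not the harmless sink."""
    findings = []
    for scheme in sorted(risky):
        handler = bindings.get(scheme)
        if handler is None:
            continue  # unbound scheme: nothing for the browser to launch
        if handler.startswith(MOUNTED_ROOT):
            findings.append(Finding(scheme, handler, "high",
                                    "handler lives on a mounted volume or disk image"))
        elif not handler.startswith(TRUSTED_ROOTS):
            findings.append(Finding(scheme, handler, "medium",
                                    "handler is outside the trusted application directories"))
        elif handler != safe_sink:
            findings.append(Finding(scheme, handler, "low",
                                    "handler is a functional application, not the harmless sink"))
    return findings


# Constructed binding table: two schemes already pointed at the sink, one bound to an
# app on a mounted image, one to an app in a home directory, two to stock Apple apps.
SAMPLE_BINDINGS = """
# scheme -> handler application (constructed example data)
help  -> /System/Library/CoreServices/Help Viewer.app
disk  -> /Volumes/Innocent Image/Updater.app
disks -> /Applications/Stickies.app
ftp   -> /Applications/Stickies.app
afp   -> /System/Library/CoreServices/Finder.app
ssh   -> /Users/guest/Downloads/Terminal Helper.app
http  -> /Applications/Safari.app
"""

if __name__ == "__main__":
    for f in audit_bindings(parse_bindings(SAMPLE_BINDINGS)):
        print(f"[{f.severity:>6}] {f.scheme:<7} {f.handler}  ({f.reason})")
```

On the sample table the audit reports "disk" as high (its handler is on the mounted image), "ssh" as medium, and "afp" and "help" as low, while "disks" and "ftp" pass because they already point at the sink; "http" is not on the risky list and is left alone. Feeding it a real binding export would require only a different parser.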