The Mac Observer

TMO Reports - Apple Security Patch No Cure All, Secunia Says

by , 4:45 PM EDT, May 24th, 2004

Security firm Secunia said Monday that Apple Computer's Security Update released last Friday does not fully protect Mac users and that the company doesn't understand the seriousness of the issue.

"It is still possible to execute arbitrary code on a vulnerable user's system, just as easy as before Apple issued Friday's security update for Mac OS X," Niels Henrik Rasmussen, CEO of Secunia, said in an e-mail to The Mac Observer.

Apple released a patch late Friday that fixed a hole in HelpViewer, restricting it to running only scripts that HelpViewer itself initiated. The vulnerability made it possible to place arbitrary files, including script files, on a user's Mac if the browser had been configured to open files that appeared 'safe'.

Mr. Rasmussen said many problems still remain, however.

"What is really critical is the fact that Apple did not address the 'disk' URI vulnerability, which allows malicious Web sites to silently place code on a user's system," said Mr. Rasmussen. "Everything should be OK, after the 'help' vulnerability has been fixed, but another very unfortunate feature has been revealed in Mac OS X disk image and volume handling, allowing a disk image to register a new URI handler and associate an application with this - obviously this application can be located on the disk image or volume."

According to Secunia, malicious Web sites can therefore abuse the 'disk' URI handler in the same way as the 'help' URI handler, "still leaving all Mac OS X systems wide open for attacks," Mr. Rasmussen said. "In other words, Mac users are as vulnerable now, as before the patch was released."
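The pattern Secunia describes, a URL scheme whose handler application lives on a mounted disk image rather than in a system application folder, is something an administrator can audit for. The following Python is an added example, not code from the article or from Secunia or Apple. It assumes the list of registered schemes and their handler applications has already been collected from LaunchServices by some other means; the `SchemeHandler` records in it are constructed sample data, not real registrations, and the paths are illustrative.

```python
from dataclasses import dataclass
from typing import Iterable, List, Tuple

# Locations from which a registered URL-scheme handler is expected to run.
TRUSTED_APP_ROOTS: Tuple[str, ...] = ("/Applications/", "/System/")
# Mounted disk images and external volumes appear under this prefix on Mac OS X.
VOLUME_ROOT = "/Volumes/"


@dataclass(frozen=True)
class SchemeHandler:
    """One registered URL scheme and the application bundle bound to it."""
    scheme: str
    app_path: str


def classify(handler: SchemeHandler) -> str:
    """Return 'ok', 'volume' or 'untrusted' for a handler's application path."""
    if handler.app_path.startswith(VOLUME_ROOT):
        return "volume"
    if handler.app_path.startswith(TRUSTED_APP_ROOTS):
        return "ok"
    return "untrusted"


def audit_handlers(handlers: Iterable[SchemeHandler]) -> List[Tuple[str, str, str]]:
    """Flag every handler whose application is not in a trusted location.

    Each finding is (scheme, app_path, reason). A handler living on a mounted
    volume is the case the article describes: a disk image that registers a
    scheme and binds it to an application carried on the image itself.
    """
    findings: List[Tuple[str, str, str]] = []
    for h in handlers:
        kind = classify(h)
        if kind == "volume":
            findings.append((h.scheme, h.app_path,
                             "handler application lives on a mounted volume or disk image"))
        elif kind == "untrusted":
            findings.append((h.scheme, h.app_path,
                             "handler application outside /Applications and /System"))
    return findings


# Constructed sample records (hypothetical, not real LaunchServices output).
SAMPLE_HANDLERS = [
    SchemeHandler("http", "/Applications/Safari.app"),
    SchemeHandler("help", "/System/Library/CoreServices/Help Viewer.app"),
    SchemeHandler("disk", "/Volumes/Untitled/Mounted Helper.app"),
    SchemeHandler("tmoexample", "/Users/alice/Downloads/Example.app"),
]


def main() -> None:
    # Prints the two suspicious registrations from the constructed sample.
    for scheme, path, reason in audit_handlers(SAMPLE_HANDLERS):
        print(f"{scheme}: {path} -- {reason}")


if __name__ == "__main__":
    main()
```

The check is deliberately path-based: the question Secunia raises is not whether a scheme exists but where the application that answers it lives. A handler under /Volumes is worth a look even when the scheme name looks mundane, because the volume can be an attacker-supplied disk image that was mounted without the user noticing.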

Secunia chastised Apple on two other fronts, saying the company had ignored since February the vulnerabilities it finally addressed last Friday, and that Apple's update notes do not explain to users what the problem is or how serious it could be.

"Unfortunately, Apple once again fails to describe the severity of the issues fixed by the latest security update," said Rasmussen. "Apple states that the update 'Fixes CAN-2004-0486 to ensure that HelpViewer will only process scripts that it initiated.' This does not clarify how important this update really is. Microsoft and most Linux distributions have learned the lesson and properly describe the nature and the impact of (most) vulnerabilities, allowing their customers to properly estimate the severity of a fixed issue. This is not possible when reading an Apple update."

Representatives from Apple were not immediately available to comment for this story.

The description of the update, which is called Security Update 2004-05-24, is sparse on details, saying only that it updates HelpViewer, one of the components involved in the vulnerability. The update is available via the Software Update control panel of Mac OS X.
