SANS Institute Report Highlights iTunes, Tiger Exploits

The SANS (SysAdmin, Audit, Network, Security) Institute has issued its latest quarterly report of the top vulnerabilities found in the computer world. The company documented more than 422 security issues total, up 11% from the first quarter and up almost 20% from the second quarter of 2004. In addition to problems reported with Microsoft's operating system and Web browser, as well as Real Networks' RealPlayer and other popular applications, the top security issues included exploits against Apple's iTunes and Mac OS X v10.4 "Tiger" operating system.

Chief Research Officer Johannes Ullrich told The Mac Observer that while Apple issues security updates for its operating systems on a regular basis, the ones released in May and June were particularly troublesome and merited the SANS Institute's attention. While the holes in the OS were fixed, Mr. Ullrich said that he is seeing more exploits exposed in it, most likely because Apple's rising market share makes its computers more attractive targets to hackers. This wasn't a surprise, since he has also seen attacks against the Firefox Web browser rising as it increases in popularity.

iTunes runs on both Mac OS X and Windows, but Mr. Ullrich said that he did see exploits that only affected the Mac version. "They were isolated cases," he explained, "but I did see examples of situations where users were offered an iTunes playlist that then executed malicious code and allowed access to the system. There were a couple different versions of it."

While OS X has an advantage over Windows because it doesn't set up a user as an administrator by default, Mr. Ullrich noted that it still suffers from the same vulnerabilities as Windows and Linux. "Out of the box, OS X still has services enabled by default that shouldn't be," he said. As with users of other operating systems, Mr. Ullrich recommends that Mac OS X users turn on their firewalls and use anti-virus software. "They shouldn't be less diligent than Windows users," he commented.