Critical Mac OS X Security Issues Remain?

MacRumors

macrumors bot
Original poster
Apr 12, 2001
47,143
9,158


Macworld UK reports claims by security researcher Tom Ferris that last Thursday's Security Update 2006-003 did not correct several "critical" security flaws in Safari, QuickTime, and iTunes that he reported to Apple in January 2006. The article says that Ferris considered publicly releasing the details of these flaws yesterday in his blog at security-protocols.com, but he has not done so as of today.

Since Apple does not identify its criteria or schedule for dealing with reported vulnerabilities, it is not clear whether serious known Mac OS X security issues remain uncorrected or when further security updates may be issued.

Debate continues over the question of whether vulnerabilities should be disclosed to the public when they are first discovered, to warn users and to spur software vendors into action, or whether details should be kept private to give software vendors more time to study security flaws and take preventative measures before knowledge of the details becomes widespread.

This story is on Page 2 because these security issues have not been confirmed by another source.
 

Queso

Suspended
Mar 4, 2006
11,824
7
This sounds like someone going "Look at me!! Look at me!!!" more than anything else.

Even with all the developers Apple has, it can't write and test patches for everything at once. I'm sure these flaws will be fixed at some point in the near future. Until then, Mr. Ferris would do well to keep his mouth shut.
 

Doctor Q

Administrator
Staff member
Sep 19, 2002
37,563
3,642
Los Angeles
It's a challenging problem. Will disclosing the details cause a flood of hackers to take advantage of it before a patch can be issued? If you know of a security flaw and you tell only the vendor, will they react as swiftly as if there is public pressure? If you don't report the details to the public, how likely is it that malware authors will discover it too, and be the only ones to pass the details around the Internet?

Perhaps a compromise would be to publish workarounds that users can use without telling what they are being protected from, but that solution has its own problems, including whether to trust the source (they might say "Whatever you do, don't use a web browser!" and leave us all wondering) and whether identifying a workaround would immediately lead people to know the vulnerability anyway.

Vendors of security products and watchdogs and bloggers who follow the topic have another inherent conflict of interest. Helping solve security issues serves the public good, but they may also be tempted to call attention to security issues because of their own involvement, to promote a business or website.
 

snkTab

macrumors 6502a
Nov 13, 2004
579
0
Cincinnati, OH
Security researchers have a monetary interest in saying that OSes are insecure. After all, McAfee is shouting how Macs are so insecure they need an add-on security package... say McAfee for instance.

Saying there are vulnerabilities without having exploitations of them is just another way of saying "buy my product".

... granted there are problems, it just bothers me that the people who are making products to make OS X more secure are actually undermining OS X for their own advantage.
 

longofest

Editor emeritus
Jul 10, 2003
2,818
1,324
Falls Church, VA
For the record, these issues that Tom is referring to are issues that were first brought up in JANUARY to Apple. He disclosed them to the public in April when he felt that Apple was not being very quick in addressing them. If Ferris is correct and these latest releases did not patch us, we are looking at a 5 month delay in patching critical vulnerabilities and STILL COUNTING, and it truly is only our marketshare that has caused us to not be exploited in that timeframe.
 

simie

macrumors 6502a
Aug 26, 2004
995
1
Sitting
Companies that write virus protection software need viruses in the computer world, else they themselves make no money.
 

Doctor Q

Administrator
Staff member
Sep 19, 2002
37,563
3,642
Los Angeles
snkTab said:
Security researchers have a monetary interest in saying that OSes are insecure. After all, McAfee is shouting how Macs are so insecure they need an add-on security package... say McAfee for instance.
That seems to be the case with the "The New Apple of Malware's Eye" PDF issued by McAfee, which others have said overstates the case.
 

JoshH

macrumors member
Apr 29, 2005
69
0
ero87 said:
why do people write viruses? Do they get paid somehow? Does it give people pride?
I don't know, really... but it reminded me of a quote from the movie Signs:

Merrill: Morgan, this crop stuff is just about a bunch of nerds who never had a girlfriend their whole lives. They're like thirty now. They make up secret codes and analyze Greek mythology and make secret societies where other guys who never had girlfriends can join in. They do stupid crap like this to feel special. It's a scam. Nerds were doin' it twenty five years ago and new nerds are doing it again.

Bo: Why can't they get girlfriends?
 

Analog Kid

macrumors 601
Mar 4, 2003
4,895
2,981
dynamicv said:
This sounds like someone going "Look at me!! Look at me!!!" more than anything else.

Even with all the developers Apple has, it can't write and test patches for everything at once. I'm sure these flaws will be fixed at some point in the near future. Until then, Mr. Ferris would do well to keep his mouth shut.
Remember there are two ways of boosting your ego when a vulnerability is found-- one is to do what Ferris is doing and shout "I'm so smart, I found this months ago and Apple won't listen to me". The other is to write an exploit that's signed with "haxored by EvilGuy".

Given the choice, I'm much happier with the first brand of showboater... He's doing a service for all of us and actually deserves getting his name around a bit-- it's not necessarily easy to figure these things out when you don't have the source.
 

k0t1k968

macrumors newbie
May 15, 2006
2
0
Has no one actually gone to that web site?

This is what it says about the patch:
...
Apple has released Security Update 2006-003 which patches a whopping 31 flaws.
Most of these flaws as Apple has stated "may lead to arbitrary code execution". This patch fixes almost all of the issues I previously reported on April 19th. Thanks Apple!
...
Sounds quite Apple friendly. InfoWorld was the one who put the "skies are falling" spin on it a couple of days ago. But it is sort of expected from InfoWorld.

What makes me wonder is why anyone would even consider treating it as news. Some security holes are easy to fix and some are not. Kudos to Apple that it fixed 31 important ones. Too bad that they were not able to fix all known ones in time for this update to go out the door. It is just business as usual, not news material by a long shot.
 

nagromme

macrumors G5
May 2, 2002
12,546
1,195
I care mainly that flaws are discovered and brought to Apple's attention, than about HOW they are brought to Apple's attention. And I care that they are fixed before they affect me :)

But I certainly have no problem with Apple releasing a security update for SOME issues, while continuing to work on OTHER issues. Should all the fixes that are done sit and wait for the ones that are taking longer?

And is Apple stupid or incompetent for not fixing them sooner? Maybe. Or maybe the fixes affect enough other things that doing it right without consequences takes more time. (I am reminded of all the stories of Windows security updates that break OTHER things in the process.)

I'm also all in favor of giving Apple incentive, in case they "forgot." But the RIGHT time to release an exploit to the public and crackers is the time when it will do some GOOD. Which is probably never.

So by all means, holler if your pet bug is unpatched--we all benefit! Holler loud. But don't share your info with crackers.
 

longofest

Editor emeritus
Jul 10, 2003
2,818
1,324
Falls Church, VA
k0t1k968 said:
This is what it says about the patch:
...
Apple has released Security Update 2006-003 which patches a whopping 31 flaws.
Most of these flaws as Apple has stated "may lead to arbitrary code execution". This patch fixes almost all of the issues I previously reported on April 19th. Thanks Apple!
...
Sounds quite Apple friendly....
You read the rest of his post?

Well, now it's time to see if all of these issues were properly fixed.... As always, I will report my findings here..
Apparently, he found that not all of the updates were fixed, and reported the findings to Macworld before he updated his website. The part of his initial post that you quoted was his knee-jerk reaction to Apple apparently patching the vulnerabilities at first glance.
 

shamino

macrumors 68040
Jan 7, 2004
3,387
136
Purcellville, VA
Does anyone know if the Mozilla suite (Gecko engine) has its own GIF/JPG/PNG decoder? Or does it use the OS-provided one?

If it uses its own decoder, then it won't be vulnerable to OS-level bugs (like the one that's been plaguing Windows recently or the ones in QT that Apple recently fixed). If it uses the OS's decoder, then we'll need a plugin to replace the rendering code in order to work around an OS-level bug.

In other words, if there is a bug in QT that can allow malformed images to hack a Mac, can I be protected by using Firefox instead of Safari? Does anyone know? (Of course, Firefox has its own security bugs, but they seem to get fixed pretty quickly.)
 

bok

macrumors newbie
May 15, 2006
1
0
The problem with this article is that it's Tom Ferris. He's not exactly trustworthy when it comes to "vulnerabilities".

https://bugzilla.mozilla.org/show_bug.cgi?id=307259

For example, he doesn't know the difference between a buffer overflow (exploitable) and an integer overflow (not exploitable) and posts a "security vulnerability" for something that is just a coding mistake, not a threat at all.

-bok
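As an added example that is not part of the thread, and not code from any product discussed in it, the following C sketch shows the allocation-size arithmetic an image decoder has to get right: an unchecked 32-bit multiplication of width, height and bytes per pixel wraps silently for large dimensions, while the checked version refuses any dimensions whose product would not fit before a buffer is ever allocated. The `MAX_DIMENSION` limit, the 16-bytes-per-pixel cap and the function names are assumptions made for this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Assumed decoder limit for this example; real decoders pick their own. */
#define MAX_DIMENSION 16384u

/* Unchecked computation in 32-bit arithmetic: the product of the three
 * header fields wraps modulo 2^32, so a very large image can yield a very
 * small (even zero) byte count. */
uint32_t naive_image_size(uint32_t width, uint32_t height, uint32_t bpp)
{
    return width * height * bpp;
}

/* Checked computation: rejects zero or oversized dimensions and any product
 * that would overflow size_t. Writes the byte count to *out and returns
 * true only when the size is sound. */
bool checked_image_size(uint32_t width, uint32_t height, uint32_t bpp,
                        size_t *out)
{
    if (width == 0 || height == 0 || bpp == 0 || bpp > 16)
        return false;
    if (width > MAX_DIMENSION || height > MAX_DIMENSION)
        return false;

    /* Divide-before-multiply keeps every intermediate step in range. */
    if ((size_t)width > SIZE_MAX / height)
        return false;
    size_t pixels = (size_t)width * height;
    if (pixels > SIZE_MAX / bpp)
        return false;

    *out = pixels * bpp;
    return true;
}

/* Allocate a zeroed pixel buffer only when the size check passes.
 * Returns NULL (and leaves *size untouched) for rejected headers. */
unsigned char *alloc_pixels(uint32_t width, uint32_t height, uint32_t bpp,
                            size_t *size)
{
    if (!checked_image_size(width, height, bpp, size))
        return NULL;
    return calloc(*size, 1);
}

int main(void)
{
    /* Constructed header values: one ordinary image, one absurd one. */
    size_t n = 0;

    printf("640x480x4  naive=%u\n", naive_image_size(640, 480, 4));
    printf("640x480x4  checked=%s (%zu bytes)\n",
           checked_image_size(640, 480, 4, &n) ? "ok" : "rejected", n);

    printf("65536x65536x1 naive=%u (wrapped)\n",
           naive_image_size(65536, 65536, 1));
    printf("65536x65536x1 checked=%s\n",
           checked_image_size(65536, 65536, 1, &n) ? "ok" : "rejected");

    unsigned char *buf = alloc_pixels(2, 2, 3, &n);
    if (buf) {
        printf("2x2x3 allocated %zu bytes\n", n);
        free(buf);
    }
    return 0;
}
```

The point of the divide-before-multiply form is that the comparison itself cannot overflow; a check written as `width * height * bpp > SIZE_MAX` would be computed in the same wrapping arithmetic it is trying to guard against.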
 

space1nvaders

macrumors regular
Jan 20, 2004
132
3
UNIX security flaws are not Apple security flaws

Keep in mind that security issues can be inherited from FreeBSD. As Apple fixes these problems, many times they are helping the Open Source Community at the same time.

Some people want to point the finger at Apple. More focus should be on how fast the Open Source Community responds to security problems (which is usually very fast - almost immediate).

Many times all Apple has to do is include the latest version of the Open Source.

Safari and Quicktime are Apple Applications (not the Operating System), but the general public doesn't understand that. When looking at security problems on Mac OS X, people need to look more at the insecure applications rather than the OS. I am sure if you looked at applications you would find security problems in almost all - especially those written by individuals rather than programming teams.

With Windows it is a different story because the design of the Windows OS (shared DLLs, registry, etc) allows Application security problems to infect the entire system.

People can say that Mac doesn't have viruses because of market share and it sounds like it makes sense, but in reality it is very difficult for an Application like Safari or Quicktime to take down the entire system. On Windows, all you need is a few changes to the Windows registry and you have to reinstall.
 

javierbds

macrumors regular
Sep 12, 2005
158
0
Madrid, Spain
With Secrecy There Is False Security

The 'bad' guys can always get the info they want, that's what they live for OK?
Shutting up hoping the bad guys won't notice is a BAD POLICY (but it is the cheapest one ...).
If, in the future, OS X gets security attacks it will be, in part, due to market share. But then, Apple will be bigger and will have more resources devoted to security patches ...
We may all want possible holes to be covered instantly, but the only safe computer is the one turned off, in a vault ... and that all people who knew about it are dead (and the computer too).
I think Apple is doing a good job, one of the reasons I have abandoned Win is because keeping up with malware not only consumes your mental resources and your time but also a significant % of the computer power on your machine, at all times ...
To the 'bad' guys: destruction is easy, any toddler can do it ... Now creation, that takes women (and real men) to get to it ...
Doing crapware for OS X is waaay UNCOOL ...
 

shamino

macrumors 68040
Jan 7, 2004
3,387
136
Purcellville, VA
javierbds said:
We may all want possible holes to be covered instantly, but the only safe computer is the one turned off, in a vault ... and that all people who knew about it are dead (and the computer too).
Well, disconnecting from the internet also works pretty well.

The days of viruses spreading through infected floppies are long since gone. And infected product installation CDs are extremely rare (I can only think of one instance, and that was many years ago.)