Become a MacRumors Supporter for $25/year with no ads, private forums, and more!

Unpatched Mac OS X/Safari Security Flaws

MacRumors

macrumors bot
Original poster
Apr 12, 2001
51,581
13,195
https://www.macrumors.com/images/macrumorsthreadlogodarkd.png

CNet News.com reports on recent unpatched security vulnerabilities in Apple's Mac OS X and Safari web browser. The vulnerabilities, the most severe of which could let a would-be attacker run malicious code on a user's Mac, are under investigation by Apple.

Reported security vulnerabilities, even unpatched ones, are nothing new. What may be of interest, however, is that five of the flaws identified were associated with the way OS X handles image data. Image handling appears to be a recurring security issue for Apple, as 10.4.6 recently patched an issue where a malformed .tiff image file could crash applications like Preview, Finder, QuickTime, and Safari.

Update: Many users have pointed out a new CNN article describing the state of Macintosh security. Despite its high profile, the article offers little new information and simply discusses the above information and the Leap.A virus which was released earlier this year (via MacForums).

One note of interest is that apparently the above security vulnerabilities were first reported to Apple by Tom Ferris in January and Febuary of this year.
Ferris said he warned Apple of the vulnerabilities in January and February and that the company has yet to patch the holes, prompting him to compare the Cupertino-based computer maker to Microsoft three years ago, when the world's largest software company was criticized for being slow to respond to weaknesses in its products.

"They didn't know how to deal with security, and I think Apple is in the same situation now," said Ferris, himself a Mac user.
 

Doctor Q

Administrator
Staff member
Sep 19, 2002
38,448
4,957
Los Angeles
Look for a Security Update soon! Apple seems to do a good job keeping up with these problems. Ideally, they wouldn't happen in the first place, but a prompt response is the next best thing.

In the meantime, workarounds would be nice to know, other than general advice not to click to view a .mov file unless you trust the source.
 
Comment

nagromme

macrumors G5
May 2, 2002
12,546
1,196
I'm glad people are digging up issues that need to be brought to Apple's attention.

Some perspective:

Windows XP Home:
http://secunia.com/product/16
23 out of 116 advisories, rated up to Highly Critical, are marked as unpatched by Secunia.

XP Professional:
http://secunia.com/product/22
27 out of 131 advisories, rated up to Highly Critical, are marked as unpatched.

Internet Explorer 6.x:
http://secunia.com/product/11
19 out of 99 advisories, rated up to Moderately Critical, are marked as unpatched.

Safari 2.x:
http://secunia.com/product/5289
1 out of 3 advisories, rated up to Not Critical, are marked as unpatched.

Mac OS X:
http://secunia.com/product/96
1 out of 69 advisories, rated up to Highly Critical, are marked as unpatched.

Let's get that zero back ASAP! :)
 
Comment

peharri

macrumors 6502a
Dec 22, 2003
744
0
This may sound awful, but I hope at some point a major Mac virus does happen, just so that those who current do not take the issue seriously largely because it hasn't happened yet start taking it seriously.

The Mac's major reason for it not getting many virusses and worms is that the low marketshare means that any "Mac-only" malware of this type would end up hitting 20 times as many Windows PCs as it would Macs, and that would raise flags before the virus could do any significant damage, especially as those Windows PCs wouldn't pass the virus on.

There have been security holes in Mac OS X in the past, and there no doubt will be more in the future. Unless they want to rewrite OS X in Java or managed .NET, I don't see how they can avoid the obvious ones, and there are the subtle higher-level ones too that a Java rewrite wouldn't fix, such as the whole "If you send Safari a .zip, it'll download and extract, implicitly installing any application in the .zip, without the user being involved at all" thing. And, as a million email worms testify, or unsigned ActiveX malware installers also point out, social engineering will defeat virtually every technical measure.

Vigilance people, it's needed on the Mac as it is everywhere else.
 
Comment

SiliconAddict

macrumors 603
Jun 19, 2003
5,889
0
Chicago, IL
peharri said:
This may sound awful, but I hope at some point a major Mac virus does happen, just so that those who current do not take the issue seriously largely because it hasn't happened yet start taking it seriously.

I agree. I'd like to think of it as inoculating Mac users to the idea that safe computing extends beyond just what OS you run.
 
Comment

nagromme

macrumors G5
May 2, 2002
12,546
1,196
peharri said:
The Mac's major reason for it not getting many virusses and worms is that the low marketshare means that any "Mac-only" malware of this type would end up hitting 20 times as many Windows PCs as it would Macs, and that would raise flags before the virus could do any significant damage, especially as those Windows PCs wouldn't pass the virus on.
You can define "major" any way you want, but what you say is a big and VERY helpful factor, in addition to the other big factor: better (and less bloated) OS design vs. Windows.

And neither of these factors is going to change in the foreseeable future :) The reasons for our safety run deep.

Anyway, I can't go along with "there's never been a fire, but I hope there IS one and people get hurt, so that people learn to fear fire! Otherwise people might get hurt in fires!"
 
Comment

dagger01

macrumors regular
Jan 14, 2004
121
4
USA
Odds and ends ...

I will agree to the previous comments regarding the naiveté of most Mac OS users when it comes to the prospect of trojans, malware, and viruses. A good, healthy wake up call would certainly snap most into reality, and humble the zeal a little. Don't get me wrong. I love the fact that my Mac has little threat at the moment and will revel in it for as long as it lasts. But, I also know that any system, ANY SYSTEM, attached to the network is vulnerable to compromise. A good bit of preparedness, i.e., back your data up regularly, use the firewall, etc., will keep you out of a horrible situation.

The particular post about the malformed TIFF issue is really a bit silly. I wouldn't call it a security concern, more of a bug. I can think of several malformed file formats that can cause application crashes. I wouldn't categorize an application crash as a security threat unless it opened a back door of some kind into the system, like a buffer overflow can create a vulnerability. Just seems a bit alarmist to me having read the information about it.
 
Comment

rebirth83

macrumors member
Apr 27, 2006
45
6
Portland,Oregon
Does anybody else but me, sometimes have pop-up block malfunctions? Like certain websites have ads that will always pop-up even though the block
pop-up window option is clicked
 
Comment

nagromme

macrumors G5
May 2, 2002
12,546
1,196
rebirth83 said:
Does anybody else but me, sometimes have pop-up block malfunctions? Like certain websites have ads that will always pop-up even though the block
pop-up window option is clicked
Yes, ad companies will always be looking for ways around the blockers :eek:

Re people who want a Mac virus "for a good cause"... here are two scenarios:

1. There is one day a big Mac virus attack, as you wish.

2. There never is.

If the only reason to wish for #1 is... to be prepared for #1, then that's circular reasoning. Better to hope for #2.

People are free to want #1 for emotional reasons though :)
 
Comment

Dr. No

macrumors regular
Sep 13, 2003
193
0
Just wondering-

Does this also indicate a similar flaw in Konqueror on Linux?

:confused:
 
Comment

nomad2006

macrumors newbie
Apr 28, 2006
1
0
just stupid...

Why would I want a major virus on my mac? I can see no reason. Remember that once the viruses start spreading it will be very difficult to get rid of them. So I prefer not to get infected. And I hope apple/OSx will stay one step ahead of the mallicious.
wanting a major virus to hit the mac is like wanting AIDS so jou would start using condoms. But then it's too late, isn't it?
:rolleyes:
 
Comment

Analog Kid

macrumors 603
Mar 4, 2003
5,687
4,279
peharri said:
This may sound awful, but I hope at some point a major Mac virus does happen, just so that those who current do not take the issue seriously largely because it hasn't happened yet start taking it seriously.
As Nagromme points out, this makes no sense... Things only get worse after the first one-- in particular because of the need to run all the security software needed to protect the machine which introduce their own problems and vulnerabilities.

I'll leave the argument about market share, other than to say that Macs have no major viruses and it has a small market share-- which is different than having no viruses because it has a small market share. I haven't seen a good causal argument yet...

The little stuff we've seen so far, I hope, will get people to start behaving more intelligently and help forestall a major attack. Wishing for a major attack just means pain and suffering for everyone.

Me? I'm happy in Eden. Leave me alone...
 
Comment

Analog Kid

macrumors 603
Mar 4, 2003
5,687
4,279
peharri said:
The Mac's major reason for it not getting many virusses and worms is that the low marketshare means that any "Mac-only" malware of this type would end up hitting 20 times as many Windows PCs as it would Macs, and that would raise flags before the virus could do any significant damage, especially as those Windows PCs wouldn't pass the virus on.
Ok, I won't leave it...

There are vectors that would have a higher probability of hitting Macs-- iChat, .Mac accounts, LAN attacks, apache announces its host type I think, etc, etc...

The last attempt tried to seed itself through this portal and use iChat as a vector. That one failed largely because of shoddy coding.

Timely updates lead to better security. Fast OS revisions lead to a diverse platform set that's harder to target. Clean OS design leads to fewer vulnerabilities and the ability to patch cleanly. Smart OS design means bad code is less likely to execute. These are some of the reasons OS X is more secure.
 
Comment

dagger01

macrumors regular
Jan 14, 2004
121
4
USA
nagromme said:
Yes, ad companies will always be looking for ways around the blockers :eek:

Re people who want a Mac virus "for a good cause"... here are two scenarios:

1. There is one day a big Mac virus attack, as you wish.

2. There never is.

If the only reason to wish for #1 is... to be prepared for #1, then that's circular reasoning. Better to hope for #2.

People are free to want #1 for emotional reasons though :)

First and foremost let me say that I'm not wishing for a major virus, worm, trojan, or the like to strike the Mac OS community. I am, however, very concerned over the cavalier attitude toward computer and network security that a large number of Mac enthusiasts maintain. I think that is really what some folks here are trying to address with their comments. It's not a wishing for number one for the sake of being prepared for number one, but more of a desire to get Mac users used to the idea that they are not impervious to malicious computer and network activity.

I also want to say that Apple continues to do a tremendous job in addressing security issues in a timely fashion. I know a lot of the guys on the WWDR team, and within various OS and applications development groups within Apple. They are extremely diligent (on the whole) with making sure that their code is as secure as they can make it.

I would say that to think that there will never be a major virus threat to OS X is also being a bit naive. I'm not saying go over the edge and be über paranoid about things, but be smart and patch as often as you can, keep some good backup and security practices, and don't get caught with your pants down.
 
Comment

(L)

macrumors 6502
Nov 12, 2005
482
0
No
nagromme said:
You can define "major" any way you want, but what you say is a big and VERY helpful factor, in addition to the other big factor: better (and less bloated) OS design vs. Windows.

And neither of these factors is going to change in the foreseeable future :) The reasons for our safety run deep.

Anyway, I can't go along with "there's never been a fire, but I hope there IS one and people get hurt, so that people learn to fear fire! Otherwise people might get hurt in fires!"


Well, yeah, and from the beginning the logic made no sense on that one. One major virus exploits what, a few loopholes at best? Apple is fairly on top of fixing stuff, but there are probably some really simple ones left yet to be fixed. The best thing to do is to hire hackers to engineer the security of the operating system beyond belief. Set up a competitive hacker environment, where you have one guy build the security and another guy try to hack it, with rewards to whoever succeeds more. That'd tighten it up pretty quickly, whereas one exploit isn't going to cause anything more than initial shock.

rebirth83 said:
Does anybody else but me, sometimes have pop-up block malfunctions? Like certain websites have ads that will always pop-up even though the block
pop-up window option is clicked

My simpleton guess is that not all pop-ups have been considered by the blocker-building folks. Plus, some ads are not actually pop ups but some other thingamajiggers that look like pop ups (Java? I dunno what it is, but it's not like a forced opening of a browser window.)

Azerty said:
Wait, your perspective is limited to Microsoft? :D

FreeBSD 6.x: 12 advisories, unpatched zero

Ubuntu 5.0.4: 137 advisories, unpatched zero

Ubuntu 5.10: 42 advisories, unpatched zero

Suse 9.3: 85 advisories, unpatched zero

RedHat 9: 99 advisories, unpatched one (rated not critical)

Is Linux that secure? Ultimately, though, that's not a huge difference from the Mac stuff. Windows must suck for not using UNIX, I guess. Whatever the heck that means.
 
Comment

nickms777

macrumors newbie
Feb 24, 2006
5
2
leap.A requires you to enter your root user password. I think this is definitely a wake up call to naive Mac users everywhere. Further more when I go to the ATM and some stranger asks me for my PIN code, from now on I might just think twice about giving it to them.
 
Comment

Applespider

macrumors G4
nickms777 said:
leap.A requires you to enter your root user password.

Common misconception but it only asked you for a password if you were running as a non-admin users. The standard admin account setup (which owns the apps in the Applications folder) didn't request any password. Hence why there was a sudden flurry of threads from people creating standard accounts to use on a day to day basis.
 
Comment

longofest

Editor emeritus
Jul 10, 2003
2,863
1,469
Falls Church, VA
nickms777 said:
leap.A requires you to enter your root user password. I think this is definitely a wake up call to naive Mac users everywhere. Further more when I go to the ATM and some stranger asks me for my PIN code, from now on I might just think twice about giving it to them.

Applespider said:
Common misconception but it only asked you for a password if you were running as a non-admin users. The standard admin account setup (which owns the apps in the Applications folder) didn't request any password. Hence why there was a sudden flurry of threads from people creating standard accounts to use on a day to day basis.

I will also add that it did NOT ask for the "root" password, if it asked at all. It asked for an Administrator password. Big difference, as having "root" priviledges will even let you delete such files as the System folder, etc...
 
Comment

Billdavis

macrumors newbie
May 4, 2006
1
0
These issues are getting way too much press lately. While I'm glad Mac users, as a community, are starting to "wake up" to security...and embrace awareness...most of these articles in the press are the same AP articles...syndicated over, and over, and over, and over.....

I pretty much just keep and eye on Mac Security News, milw0rm..and a few others....

-bD
 
Comment

whooleytoo

macrumors 604
Aug 2, 2002
6,585
674
Cork, Ireland.
nagromme said:
Yes, ad companies will always be looking for ways around the blockers :eek:

Re people who want a Mac virus "for a good cause"... here are two scenarios:

1. There is one day a big Mac virus attack, as you wish.

2. There never is.

If the only reason to wish for #1 is... to be prepared for #1, then that's circular reasoning. Better to hope for #2.

People are free to want #1 for emotional reasons though :)

What I think (hope) they mean, is that they would like to see a widespread, but benign virus on the Mac, to demonstrate it isn't inherently all that much more secure than Windows.

Far better for it to happen that way, than with a prevalent and malevolent virus/trojan.

Then again, for all we know there could be spyware running on our Macs right now..
 
Comment
Register on MacRumors! This sidebar will go away, and you'll see fewer ads.