toggle

AAPL Stock: 570.56 ( 0 )

MacNN News

Apple investigating "extremely critical" flaw

updated 12:25 am EDT, Wed May 19, 2004

\"Extremely critical\" flaw

Apple says it is taking the . Secunia recommends that "Mac users avoid visiting untrusted Web sites and said Mac administrators and others avoid surfing the Internet while signed on to their networks as privileged users" according to CNET News.com, who also notes that "Apple has twice been criticized for its downplaying of security issues and its lack of response to the concerns of the security industry."

by MacNN Staff

(16)

TAGS :

troubleshooting

Share the Article

Facebook Twitter Delious Slash Dot Digg

toggle

Comments

benh57
Senior User

Joined: Aug 2001

0

05/19, 01:11am | report spam | close Reply |
According to who? You?

You have shown no link that says apple is investigating this. If you have been told by someone that Apple is investigating this issue, you need to state whether apple told you or some other third party did so. Otherwise this story is not 'news'.

benh57
Senior User

Joined: Aug 2001

0

05/19, 01:14am | report spam | close Reply |
Doh

Aha, i see apple's quote in the article now, though it does say they 'refused to comment on this issue' as well.

Cf
Fresh-Faced Recruit

Joined: Jan 2002

0

05/19, 02:54am | report spam | close Reply |
do it yourself fix?

after reading through the posts on the forum, can i conclude that if i change what handles help and disk urls, it won't execute the bad stuff? like someone said, change it so chess opens, so nothing happens. i used the rcdefaultapp prefpane to modify it. i never like using third party apps to change something unless i know i can change it back (ie: removing a line from opnapp.scpt).

ChrisD
Fresh-Faced Recruit

Joined: Mar 2004

0

05/19, 05:46am | report spam | close Reply |
Nice design

Off topic. The restyled comments section looks very nice. Well done, whoever's responsible.

the Rebel
Fresh-Faced Recruit

Joined: Jul 2000

0

05/19, 06:17am | report spam | close Reply |
fair comparison

"Apple has twice been criticized for its downplaying of security issues and its lack of response to the concerns of the security industry."

It seems to me that Apple has always been rather prompt about responding to the few security concerns that they have faced.

What did CNET News.com say about the fact that Microsoft did not release a patch until seven months after they were notified of the security flaw utilized by Sasser?

nat
Junior Member

Joined: Mar 2002

0

05/19, 08:03am | report spam | close Reply |
Camino

Firefox, Mozilla.

CNET? Amazes me how MS has the swiss cheese of OS's and people STILL give them credit, believe in them, use them. As I've said, if Yugo had had MS customers they'd still be making crappy cars and people would be buying them like hot cakes.

WICKEDfour
Forum Regular

Joined: Oct 2002

0

05/19, 08:07am | report spam | close Reply |
Re: do it yourself fix?

Yes, there is indeed a quick and easy fix for this:
http://homepage.mac.com/olliewagner/dgtgf.dmg

This little thing called Don't Go There, GURLfriend! patches the offending file in the system, problem solved. If you're that worried about it that much, just use this, you can even test to see what this tiny flaw can do.

This "flaw" exists in the first place because Apple commonly puts links to open something like System Preferences in their help files...really, this bug, like the last one, is completely overstated. Nevertheless, I hope Apple patches things up for their sake, which they of course will.

LouZer
Fresh-Faced Recruit

Joined: Nov 2000

0

05/19, 08:39am | report spam | close Reply |
Re: DIYF

From what I understand, hacking the openapp.scrpt files doesn't fix the vulnerability.

bizard
Fresh-Faced Recruit

Joined: Aug 2003

0

05/19, 09:33am | report spam | close Reply |
Flaw is Flaw

This "flaw" exists in the first place because Apple commonly puts links to open something like System Preferences in their help files...really, this bug, like the last one, is completely overstated.

I don't think we need to pound on Apple for making mistakes before they have a chance to respond. However, I don't think that it is a good habit to just gloss over real vulnerabilities. This is a remote exploit. It is possible to have the Help Viewer save a file for you, and then have it run that.

Part of the reason that Windows is so full of holes is that everyone uses the exact same set of applications and unfortunately, Mac OS X is becoming that way too. I don't begrudge Apple wanting to provide us with a consistent experience but if they are going to homoginize our machines, they need to pay extra careful attention to details.

bizard
Fresh-Faced Recruit

Joined: Aug 2003

0

05/19, 09:35am | report spam | close Reply |
a Flaw is a Flaw

This "flaw" exists in the first place because Apple commonly puts links to open something like System Preferences in their help files...really, this bug, like the last one, is completely overstated.

I don't think we need to pound on Apple for making mistakes before they have a chance to respond. However, I don't think that it is a good habit to just gloss over real vulnerabilities. This is a remote exploit. It is possible to have the Help Viewer save a file for you, and then have it run that.

Part of the reason that Windows is so full of holes is that everyone uses the exact same set of applications and unfortunately, Mac OS X is becoming that way too. I don't begrudge Apple wanting to provide us with a consistent experience but if they are going to homoginize our machines, they need to pay extra careful attention to details.

macwon
Fresh-Faced Recruit

Joined: May 2004

0

05/19, 09:42am | report spam | close Reply |
Cnet

Ok, CNet needs to turn their attack dogs away from Apple. When ever there is a security issue with Apple CNet is there to start bashing them, but when Microcrap doesn't do anything about a security flaw that they have known about for 6 months, does anyone say anything?

ecrelin
Junior Member

Joined: Oct 2000

0

05/19, 11:15am | report spam | close Reply |
no excuses

Apple was notified of this in February. No response until shamed in the media, absolutely unacceptable.
Besides shoddy code M$'s achilles heel is ActiveX that can execute machine code (like reformat the hard drive) and is accessible in nearly every application. Applescript, while not able to do as much regarding system level or machine level calls is still way too powerful to allow to be run remotely or at least without overt permission.
M$'s excuse for the ActiveX presence is that it enhances their application interoperabilty, that is the same reason Apple allowed this, for a better help system. Time for a review priorities and close doors left open for sheer convenience.
BTW, Cnet is bad but did you catch how InformationWeek (M$ cheerleader extraordinaire) positioned it as "yet another flaw" hee hee hee, they'll be cheering into the vacuum for Longshot for the next, what, four years?!? Still Apple pulls this ivory tower c*** often and they should be leading the efforts to find and quash bugs instead of ignoring them, leadership, we need leadership not status quo!

testudo
Fresh-Faced Recruit

Joined: Aug 2001

0

05/19, 12:24pm | report spam | close Reply |
Re: no excuses

M$'s excuse for the ActiveX presence is that it enhances their application interoperabilty, that is the same reason Apple allowed this, for a better help system. Time for a review priorities and close doors left open for sheer convenience.

Sorry, but to me, at least, the help system requires this usage. But its not a hole in the help system. And the user shouldn't need to be prompted every time you click on a 'show me how' or 'open this' link in help.

The problem, however, isn't in the help system. This would be solved completely if they didn't have the "help:" protocol set up. Why that's there is beyond me, but this is what's causing all the problems. This is the question about priority. Is it needed for some reason? Is it used by programs to launch the help viewer, or intended to be used by web sites to point to help pages? Is it in there because half of Apple's help system is on-line vs. local? These are the questions that need to be answered. All the pieces aren't the problem, its just why is one piece allowed to call another?

(BTW, technically you could have a trojan program which has a help file with a link to launch a malicious script, but technically why would anyone bother, as the program itself could launch the script).

Cf
Fresh-Faced Recruit

Joined: Jan 2002

0

05/19, 01:59pm | report spam | close Reply |
re: do it yourself

yes, i was aware of gurlfriend. that's why my last line was about the modification of the script. i didn't like that idea after reading the posts, so i figured default handling would be a better route. the author of rcdefaultapp has updated to 1.1 allowing to disable certain urls such as disk and help. that's what i want. to repeat my previous post, is this the best fix for us?

re: mozilla/firefox
security issue is in the mac os, so it affects all browsers, not just safari.

re: opnapp.scpt
the other thing you need to realize is that opnapp.scpt is included with other language localizations, not just english. i'm not sure if gulrfriend nips every one of em, but if you have more than just english installed (which is quite a lot of people on a standard mac os x install), you have a lot of opnapp.scpt files on your mac already.

keeping my eyes open for a security update really soon in software update.

ecrelin
Junior Member

Joined: Oct 2000

0

05/19, 03:56pm | report spam | close Reply |
not quite testudo

Closing this hole would in no way make you respond to a dialog every time you used help. This is a pretty specific scenario that would only affect a miniscule percentage of help instances if any in regular daily usage and doesn't undermine the quality of the help experience. Any program that can run code outside of itself should not be able to be controlled via url's. We like our safe macs but they are that way because the original system was not designed to be managed from the outside. UNIX always was and Apple has done an exemplary job buttoning it up, funny that it's a oversight in Apple's own stuff that allows for this. This will not be the last snafu but as long as the community is diligent hopefully issues will be preemptive or short lived as both of these have and Apple just needs to be more responsive and seem like they care.

klinux
Senior User

Joined: Jul 2002

0

05/19, 04:57pm | report spam | close Reply |
Attack dogs

Ok, CNet needs to turn their attack dogs away from Apple. When ever there is a security issue with Apple CNet is there to start bashing them, but when Microcrap doesn't do anything about a security flaw that they have known about for 6 months, does anyone say anything?

Uh, yes?

Don't be so thin skinned. Just because CNET wrote " "Apple has twice been criticized" you get all riled up? MS has been criticized a billion times for its security flaws - just because you do not read them does not mean it did not happen.

Show More Comments

Login Here

toggle

Network Headlines

05/24	Apple and Samsung mediation talks fail...
05/24	Apple airs two new Siri commercials...
05/23	Google launches redesigned Search app...
05/23	IBM blocking iPhone's Siri on internal...
05/22	Leaked next-gen iPod touch part hints...

Show All

05/24	Google�s 7-inch tablet ships next month...
05/24	Apple and Samsung mediation talks fail...
05/24	Apple airs two new Siri commercials...
05/23	Google launches redesigned Search app...
05/23	IBM blocking iPhone's Siri on internal...

Show All

05/23	Google launches redesigned Search app...
05/22	Leaked next-gen iPod touch part hints...
05/22	Hulu Plus updates with iPad Retina...
05/22	TiVo Stream to push TV to iPhones,...
05/22	Hands on: TouchType case for iPad,...

Show All

03/02	Save $330 on refurb. 15.4-inch, 2.4GHz...
03/01	Pre-owned 8GB iPod touch 2G, drops...
02/29	$150 off Nikon Coolpix S80 Compact...
02/28	Plantronics BackBeat 903 Bluetooth...
02/27	Refurb. Seagate 1.5TB GoFlex Portable...

Show All

toggle

Apple investigating "extremely critical" flaw

updated 12:25 am EDT, Wed May 19, 2004

\"Extremely critical\" flaw

According to who? You?

Doh

do it yourself fix?

Nice design

fair comparison

Camino

Re: do it yourself fix?

Re: DIYF

Flaw is Flaw

a Flaw is a Flaw

Cnet

no excuses

Re: no excuses

re: do it yourself

not quite testudo

Attack dogs

Login Here

Register for our weekly email newsletter:

Connect tools:

Subscribe

to our RSS

Follow us

on Twitter

10 Most Read

10 Most Discussed

MacNN Marketplace

Apple investigating "extremely critical" flaw

updated 12:25 am EDT, Wed May 19, 2004

\"Extremely critical\" flaw

Related Articles

Recent Articles

According to who? You?

Doh

do it yourself fix?

Nice design

fair comparison

Camino

Re: do it yourself fix?

Re: DIYF

Flaw is Flaw

a Flaw is a Flaw

Cnet

no excuses

Re: no excuses

re: do it yourself

not quite testudo

Attack dogs

Login Here

Register for our weekly email newsletter:

Connect tools:

Subscribe

to our RSS

Follow us

on Twitter

10 Most Read

10 Most Discussed

MacNN Marketplace