Printed from http://www.macnn.com

Apple details security fixes in Mac OS X 10.4.1

updated 10:00 pm EDT, Thu May 19, 2005

Mac OS X 10.4.1 security

Apple today ; a problem in the Bluetooth file and object exchange services that could be used to access files outside of the default directory; a problem where users could discover the names of files placed in normally unsearchable places; and a problem where users with physical access to a system with a locked screensaver could start background applications.




by MacNN Staff


Comments

  1. james9490

    Joined: Dec 1969

    0

    Huge blow to Apple

    These security flaws are a huge blow to Apple. Especially the problem where users with physical access to a system with a locked screensaver could start background applications makes OS X nearly as insecure as Windows. It is a dawn of the post OS 9 era in which viruses and worms previously found only on Windows migrate to the Mac platform. And it is extremely concerning since most anti-virus vendors are already tied up with Windows, and because the OS X market share is so insignificantly small that it makes much more sense for them to encourage users to migrate to Windows.

    Apple must address these issues very quickly. Competition is fierce.

  1. Seqiro

    Joined: Dec 1969

    0

    Uh.. they did.

    Um... they did address the issues, hence the 10.4.1 update and this KB article.

  1. MichaelNH

    Joined: Dec 1969

    0

    I hope you are joking....

    If you are expecting a "screensaver" to protect your files..... you deserve to have what is coming to you..... I view a screensaver with password protection to prevent the casual user from walking by and seeing what is on your screen..... try logging out of your machine if you feel your data warrants REAL protection..... I even have firmware password setup on my machine so it makes even a good casual user to take a lot more effort to get into my machine if it is out of my hands.

  1. resuna

    Joined: Dec 1969

    0

    Mixed blessings.

    Some of the problems in Mac OS X, particularly with Safari, are of the same nature as the ones that have bedevilled Microsoft for the past seven or eight years... but they are by no means as deeply embedded or hard to avoid. "Nearly as insecure as Windows" is definitely overstating the case.

    Unfortunately, this seems to be leading Apple to think that it's OK to use the same collection of inadequate patches on individual symptoms as Microsoft has. They really need to step back and reconsider some of the original design decisions in Safari and Webcore.

    1. Webcore shouldn't be using Launchservices as its database for "helper applications" - handlers for file types and URIs - because many applications (including Apple's) are using the same database for local applications, and many of the apps in that database were never designed to handle untrusted documents: both the "help:" hole last year and the "x-man-page:" hole this year are examples of this. There WILL be more.

    2. There's nothing wrong with the security of Dashboard, IF Dashboard is treated as a local application platform with plugins, like iTunes, the Screen Saver engine, Preferences, and so on. Trying to create a "partial sandbox", though, is doomed. Microsoft's long history of ActiveX exploits demonstrates this.

    3. Popping up a dialog every time you *might* be handing off an untrusted object to an unsandboxed application is not good enough. When these dialogs come up over and over again, people get used to clicking "OK", so when it really matters they tend to click "OK" again. You need to make this a deliberate action they can choose at their leisure, not something in their face that gives them a "hard sell" to "click something, NOW". The difference between "download a file and open it" and "open safe files after download, with a warning dialog" is like the difference between buying a product in a supermarket after comparison shopping, and buying it at an auction because you rubbed your nose at the wrong time.

    That really happens, by the way: the only reason I'm using a Mac now is that the room-mate of a friend of mine accidentally bought a pallet of old Macs at an auction, and I bought some of them for the cost of shipping... and got hooked.

  1. kw14

    Joined: Dec 1969

    0

    Hugh blow to Apple???

    Give me a break. You (james9490) are like Chicken Little screaming the sky is falling. I am surprised you didn't abandon the Mac platform already because we've had a number of security patches through all 10.x.x. I agree with 'resuna' that Apple need to tighten up their "sandbox" regarding untrusted objects. But I can hardly see this as the dawn of Windows insecurity on Mac.

  1. beeble

    Joined: Dec 1969

    0

    james9490

    Where did this loser come from? Every post he/she makes can be picked apart with incredible ease. The Xbox 360 using G5's for development is reason for Apple to go to AMD processors and Windows. Apple fixes some minor security problems and he/she predicts the imminent arrival of the virus horde and demands that Apple fix what they've just announced they've fixed.

    Sheesh! Sober up before you post man. Your friends probably find you simply weird (assuming you have some) but the grown-ups here just find your FUD annoying.

  1. skabaru

    Joined:

    0

    Huge blow to Apple!!!!!

    I sure hope someone tells apple about these problems. Then, armed with that knowledge, perhaps they could figure out how to fix the problems. THEN they might want to release an update.

    I only hope Apple figures it out in time. Competition is fierce.

  1. rtbarry

    Joined: Dec 1969

    0

    james = troll = ignore

    he festers in his basement.

  1. ecrelin

    Joined: Dec 1969

    0

    Users MUST get a clue

    resuna, no operating system can really determine if an application is "trusted". I have been teaching non users to become users for twenty years this year and everyone I've instructed has gotten the "you are responsible" lecture and most really do read the dialogs and respond accordingly. We all know that viruses and trojans are not the same, Windows is a crappy kludge but many of the horrific problems in the market are exacerbated by idiots who click the link in the email to see the naughty pictures or whatever. Just like the light on the dashboard that tells you that you are low on gas, ignore it at your own peril and if you do you deserve what you get. I have no problem with accountability and think that dialogs, like warning labels on products, are as good as you can do and still provide a usable environment.

  1. resuna

    Joined: Dec 1969

    0

    dialogs don't work

    "I have been teaching non users to become users for twenty years this year and everyone I've instructed has gotten the "you are responsible" lecture and most really do read the dialogs and respond accordingly."

    I've been supporting users for about that long, and you're right... most do read the dialogs almost all the time. Unfortunately, very few read them EVERY time and "reflex clicking" is hard to avoid. All it takes is a couple of percent of users to be careless, or for many users to be careless a few percent of the time, and everyone (including the careful clueful people) suffers.

    See, this isn't a matter of accountability. It's a matter of statistics. Statistically, popping up a dialog before doing something stupid is ineffective. Statistically, not doing the stupid thing at all works a lot better.

    And it's not a matter of user inconvenience. Just sticking the downloaded file into a list of downloaded files - a "download manager" - is at least as convenient as automatically downloading the file, and is so much less likely to lead to problems that it's incomprehensible that anyone would bother trying to secure the insecurable auto-open vulnerability.
