updated 02:40 pm EST, Wed January 25, 2006
Security flaws in OS X
Apple could be leaving its Mac OS X users prone to attack if many newly and previously discovered bugs are not fixed. Software security specialists at Suresec recently dug through the code of Mac OS X to find bugs that persist in current versions of both the Intel- and PowerPC-based versions of Mac OS X, many of which were fixed in other companies' operating systems years ago, according to ZDNet Australia. "The code that Apple uses in its applications and libraries is relatively under-audited, which leaves a lot of low hanging bugs... Some of the security vulnerabilities we've seen during research on OS X were fixed on most other operating systems 10 to 15 years ago," said Suresec's Neil Archibald. The company said that as Apple's market share grows, malicious users will find and exploit more of the underlying flaws. Apple is slow to fix them after they are found, and doesn't use the right software to prevent them in each release, according to the firm.
Archibald believes these opinions are "justifie[d] because Apple does not use software auditing tools to scan enough of its software," according to ZDNet Australia. This opinion echoes that of Bill Thompson, BBC correspondent, who surmises that Apple's image as a secure operating system is mostly due to its small user base in comparison to the entire PC market. Microsoft has been using various software auditing tools to enhance the security of the Windows operating system, seeking out and correcting coding errors that could have disastrous effects.
"During the small time Suresec researchers spent auditing Mac OS X, many vulnerabilities like this turned up. Suresec is currently aware of many bugs which exist by default in the latest version of Mac OS X, on both the Intel and PPC Architecture," Archibald stated to ZDNet Australia.
"In my experience, which is also the experience of some of my peers, Apple has been very slow to respond to reported security vulnerabilities. It expects security researchers to wait indefinitely to release the vulnerabilities and offers no incentive for them to do so," said Archibald.