toggle

AAPL Stock: 446 ( + 6.34 )

http://www.macnn.com/articles/06/04/20/mac.os.x.security.holes/

Unfixed Mac OS X security holes

updated 03:15 pm EDT, Thu April 20, 2006

 

Mac OS X security holes


A security professional says he has been dissecting various Mac OS X applications, and has submitted a slew of security vulnerabilities to Apple's product security team. The vulnerabilities, which were reportedly submitted to Apple at the beginning of 2006, afflict Mac OS X 10.4.5, BOM ArchiveHelper, Safari 2.0.3, and Mac OS X 10.4.6. Apple recently released a firmware update for Intel Macs that addressed a security vulnerability in Java for Tiger, and offered Java Standard Edition 5.0 the following day, which also repaired a number of security issues. The company to date has chosen not to repair the vulnerabilities discovered by Security-Protocols.com, however, which has posted seven advisories for the weaknesses already discovered. "From what I have been told, they 'will be fixed in the next security release,'" Tom Ferris wrote, researcher for Security-Protocols.com. [corrected]


by MacNN Staff

Post tools:

TAGS :

 troubleshooting

Related Articles

Recent Articles

toggle

Comments

  1. Feathers

    Grizzled Veteran

    Joined: Oct 1999

    0
    04/20, 05:03pm | report spam | Reply |

    way to go!!!!

    So yet another "security" company finds some alleged holes, notifies Apple and then makes them public, with the purpose of what, informing the malevolent that a new door needs kicking? When are the activities of so-called "security companies" going to become a matter of oversight and regulation. Their activities, including the development of proof-of-concept malware which they judiciously don't release into the wild, is bordering on criminal!

  1. Rosyna

    Forum Regular

    Joined: Aug 2001

    0
    04/20, 08:17pm | report spam | Reply |

    Slightly huge problem

    CFAllocatorAllocate() has absolutely nothing to do with parsing GIFs at all. It's just there to allocate memory.

    These people wrote up all these security advisories yet clearly do not understand what is going on.

  1. philipm

    Fresh-Faced Recruit

    Joined: Feb 2006

    0
    04/20, 08:22pm | report spam | Reply |

    these people are idiots

    Having submitted a possible security hole to Apple for consideration, I can give you the wording that Apple puts in emails thanking for such notifications: -- Because of the potentially sensitive nature of security vulnerabilities, we ask that this information remain between you and Apple while we investigate it further. Our disclosure policy as stated on our web site is: "For the protection of our customers, Apple does not publicly disclose, discuss or confirm security issues until a full investigation has occurred and any necessary patches or releases are available." -- Which part of this did these clowns not understand?

  1. MacGeek50

    Fresh-Faced Recruit

    Joined: Mar 2006

    0
    04/20, 09:36pm | report spam | Reply |

    It's called extortion!

    The so-called security companies do it to Microsoft too. Unfortunately, when they do it to Microsoft and post zero-day exploits available for download they are doing all the legwork for cyber terrorists and criminals who use the information to infect, hose, or steal information from innocent computer users. Then the other effect of these companies is the sensationalism of E-Week, C-Net or ZD Net broadcasting the security problems as well as linking to exploits and a boatload of FUD to go with it. Personally these people should be shut down. If Tony Sopranno tells a businessman that his business could burn down when it's full of customers if he doesn't pay a certain amount of money, it's called extortion. If general motors has a problem with their Corvette engine that makes it easy to steal and you approach them with the threat that you will tell every car thief in the state if they don't pay you money it would be called blackmail and possibly extortion as well. Why is this legal for so-called security companies?

  1. technohedz

    Fresh-Faced Recruit

    Joined: Jul 2000

    0
    04/20, 10:46pm | report spam | Reply |

    and the good part

    There are issues with every operating system. Yes, you can find them if you look really hard. If you are the kind of person to look really hard then you have two options 1) keep it to yourself or 2) report it. Everyone is critical of HOW these issues are reported and some feel they aren't even worthwhile, but I would MUCH rather that bugs are at least reported. Apple security doesn't s**** around. I would be willing to be a lot of things are reported and they go unfixed for so long that people feel the need to publish. It's not that they get a 'works as intended' type of answer, merely that there's as workload and lines get crossed. These will be addressed, if not they are probably not security issues (not in the 'user stupidity so we won't even try' category). Keeping it to themselves is worse because someone else is gonna find it and not necessarily do something nice.

    Whimper about going public quickly, don't say anything if you have mail that it will be addressed in the next security update. If it is NOT and it's considered a security matter then publish. Just don't keep it to yourself. People know Mac OS X isn't windows. It's inherently more secure and one little dent here that gets buffed out is better than a major collapse.

  1. kw99

    Fresh-Faced Recruit

    Joined: Nov 2001

    0
    04/21, 03:47am | report spam | Reply |

    what an idiot

    Assuming he actually knows what he is talking about, he just blogs to the whole world about it. Gee that's smart; I feel I can really trust this moron. My guess is that he doesn't have a clue and this is yet another covert attempt to make it appear that Mac OS X is not secure, when all real world evidence says the opposite.

    Remember, we've had (1) the so-called "concept" viruses that were harmless out in the real world, (2) the Apple doesn't care about security because it doesn't employee a "Security Czar" angle, (3) the let's call any bug we find safari a "security threat" ploy, and now (4) the unknown "security professional" declares that there are "a slew" of vulnerabilities that he personally reported to Apple story. Yet still no actual harm caused by ALL of these menacing threats. Makes me feel safer than ever to be a Mac user. And I'm starting to really enjoy these desperate ramblings about Mac OS X security issues as a source of daily humor.

  1. testudo

    Forum Regular

    Joined: Aug 2001

    0
    04/21, 10:59am | report spam | Reply |

    technohedz is right

    Security vulnerabilities should NOT be kept private. That's just plain stupid and insecure. If one person finds a problem, who's to say others haven't already found it. I know most of you just assume "There's no problems because there's no viruses, ergo I'm 100% safe!".

    I guess all you idiots would have been much happier if you didn't know that safari had such a huge whole in it that you could click a link on a web page and see your entire user directory be deleted. Yeah, I'd much rather not know such problems exist.

    Of course, even if someone does release a virus or trojan for the mac, you all will just say its a blip, and no one's too stupid to do that, so it doesn't count and all that c***.

Login Here

Not a member of the MacNN forums? Register now for free.

 
close
Photo
toggle

Network Headlines

toggle

Most Popular

MacNN Sponsor

Recent Reviews

MaxUpgrades MaxConnect for 2006-2008 Mac Pro

Nobody outside of Cupertino's privileged bunch knows the future of the Mac Pro line for sure. Despite Apple's reluctance to tell us wh ...

Brother HL-3170CDW LED Printer

We've mentioned before that we are far from a paperless society. For now, at least, there are tasks that require a piece of paper for ...

HTC One

It is hard to overstate just how critically important the HTC One is to the Taiwanese company’s fortunes. Despite its alarming decline ...

toggle

Most Commented

 

Popular News