AAPL Stock: 118.28 ( -0.6 )

Printed from

Unfixed Mac OS X security holes

updated 03:15 pm EDT, Thu April 20, 2006

Mac OS X security holes

A security professional says he has been dissecting various Mac OS X applications, and has submitted a slew of security vulnerabilities to Apple's product security team. The vulnerabilities, which were reportedly submitted to Apple at the beginning of 2006, afflict Mac OS X 10.4.5, BOM ArchiveHelper, Safari 2.0.3, and Mac OS X 10.4.6. Apple recently released a firmware update for Intel Macs that addressed a security vulnerability in Java for Tiger, and offered Java Standard Edition 5.0 the following day, which also repaired a number of security issues. The company to date has chosen not to repair the vulnerabilities discovered by, however, which has posted seven advisories for the weaknesses already discovered. "From what I have been told, they 'will be fixed in the next security release,'" Tom Ferris wrote, researcher for [corrected]

by MacNN Staff



  1. Feathers

    Joined: Dec 1969


    way to go!!!!

    So yet another "security" company finds some alleged holes, notifies Apple and then makes them public, with the purpose of what, informing the malevolent that a new door needs kicking? When are the activities of so-called "security companies" going to become a matter of oversight and regulation. Their activities, including the development of proof-of-concept malware which they judiciously don't release into the wild, is bordering on criminal!

  1. Rosyna

    Joined: Dec 1969


    Slightly huge problem

    CFAllocatorAllocate() has absolutely nothing to do with parsing GIFs at all. It's just there to allocate memory.

    These people wrote up all these security advisories yet clearly do not understand what is going on.

  1. philipm

    Joined: Dec 1969


    these people are idiots

    Having submitted a possible security hole to Apple for consideration, I can give you the wording that Apple puts in emails thanking for such notifications: -- Because of the potentially sensitive nature of security vulnerabilities, we ask that this information remain between you and Apple while we investigate it further. Our disclosure policy as stated on our web site is: "For the protection of our customers, Apple does not publicly disclose, discuss or confirm security issues until a full investigation has occurred and any necessary patches or releases are available." -- Which part of this did these clowns not understand?

  1. MacGeek50

    Joined: Dec 1969


    It's called extortion!

    The so-called security companies do it to Microsoft too. Unfortunately, when they do it to Microsoft and post zero-day exploits available for download they are doing all the legwork for cyber terrorists and criminals who use the information to infect, hose, or steal information from innocent computer users. Then the other effect of these companies is the sensationalism of E-Week, C-Net or ZD Net broadcasting the security problems as well as linking to exploits and a boatload of FUD to go with it. Personally these people should be shut down. If Tony Sopranno tells a businessman that his business could burn down when it's full of customers if he doesn't pay a certain amount of money, it's called extortion. If general motors has a problem with their Corvette engine that makes it easy to steal and you approach them with the threat that you will tell every car thief in the state if they don't pay you money it would be called blackmail and possibly extortion as well. Why is this legal for so-called security companies?

  1. technohedz

    Joined: Dec 1969


    and the good part

    There are issues with every operating system. Yes, you can find them if you look really hard. If you are the kind of person to look really hard then you have two options 1) keep it to yourself or 2) report it. Everyone is critical of HOW these issues are reported and some feel they aren't even worthwhile, but I would MUCH rather that bugs are at least reported. Apple security doesn't s**** around. I would be willing to be a lot of things are reported and they go unfixed for so long that people feel the need to publish. It's not that they get a 'works as intended' type of answer, merely that there's as workload and lines get crossed. These will be addressed, if not they are probably not security issues (not in the 'user stupidity so we won't even try' category). Keeping it to themselves is worse because someone else is gonna find it and not necessarily do something nice.

    Whimper about going public quickly, don't say anything if you have mail that it will be addressed in the next security update. If it is NOT and it's considered a security matter then publish. Just don't keep it to yourself. People know Mac OS X isn't windows. It's inherently more secure and one little dent here that gets buffed out is better than a major collapse.

  1. kw99

    Joined: Dec 1969


    what an idiot

    Assuming he actually knows what he is talking about, he just blogs to the whole world about it. Gee that's smart; I feel I can really trust this moron. My guess is that he doesn't have a clue and this is yet another covert attempt to make it appear that Mac OS X is not secure, when all real world evidence says the opposite.

    Remember, we've had (1) the so-called "concept" viruses that were harmless out in the real world, (2) the Apple doesn't care about security because it doesn't employee a "Security Czar" angle, (3) the let's call any bug we find safari a "security threat" ploy, and now (4) the unknown "security professional" declares that there are "a slew" of vulnerabilities that he personally reported to Apple story. Yet still no actual harm caused by ALL of these menacing threats. Makes me feel safer than ever to be a Mac user. And I'm starting to really enjoy these desperate ramblings about Mac OS X security issues as a source of daily humor.

  1. testudo

    Joined: Dec 1969


    technohedz is right

    Security vulnerabilities should NOT be kept private. That's just plain stupid and insecure. If one person finds a problem, who's to say others haven't already found it. I know most of you just assume "There's no problems because there's no viruses, ergo I'm 100% safe!".

    I guess all you idiots would have been much happier if you didn't know that safari had such a huge whole in it that you could click a link on a web page and see your entire user directory be deleted. Yeah, I'd much rather not know such problems exist.

    Of course, even if someone does release a virus or trojan for the mac, you all will just say its a blip, and no one's too stupid to do that, so it doesn't count and all that c***.

Login Here

Not a member of the MacNN forums? Register now for free.


Network Headlines

Follow us on Facebook


Most Popular


Recent Reviews

Ultimate Ears Megaboom Bluetooth Speaker

Ultimate Ears (now owned by Logitech) has found great success in the marketplace with its "Boom" series of Bluetooth speakers, a mod ...

Kinivo URBN Premium Bluetooth Headphones

We love music, and we're willing to bet that you do, too. If you're like us, you probably spend a good portion of your time wearing ...

Jamstik+ MIDI Controller

For a long time the MIDI world has been dominated by keyboard-inspired controllers. Times are changing however, and we are slowly star ...


Most Commented