'Old' security flaws persist in Mac OS X
updated 02:40 pm EST, Wed January 25, 2006
Security flaws in OS X
Apple could be leaving its Mac OS X users prone to attack if many newly and previously discovered bugs are not fixed. Software security specialists at Suresec recently dug through the code of Mac OS X to find bugs that persist in current versions of both the Intel- and PowerPC-based versions of Mac OS X, many of which were fixed in other companies' operating systems years ago, according to ZDNet Australia. "The code that Apple uses in its applications and libraries is relatively under-audited, which leaves a lot of low hanging bugs... Some of the security vulnerabilities we've seen during research on OS X were fixed on most other operating systems 10 to 15 years ago," said Suresec's Neil Archibald. The company said that as Apple's market share grows, malicious users will find and exploit more of the underlying flaws. Apple is slow to fix them after they are found, and doesn't use the right software to prevent them in each release, according to the firm.
Archibald believes these opinions are "justifie[d] because Apple does not use software auditing tools to scan enough of its software," according to ZDNet Australia. This opinion echoes that of Bill Thomson, BBC correspondent, who surmises that Apple's image of a secure operating system is mostly due to its small user base in comparison to the entire PC market. Microsoft has been using various software editing tools to enhance the security of the Windows operating system, seeking out and correcting coding errors that could have disastrous effects.
"During the small time Suresec researchers spent auditing Mac OS X, many vulnerabilities like this turned up. Suresec is currently aware of many bugs which exist by default in the latest version of Mac OS X, on both the Intel and PPC Architecture," Archibald stated to ZDNet Australia.
"In my experience, which is also the experience of some of my peers, Apple has been very slow to respond to reported security vulnerabilities. It expects security researchers to wait indefinitely to release the vulnerabilities and offers no incentive for them to do so," said Archibald.
UB Virus
01/25, 03:44pm reply
Still waiting for the first Universal Binary virus, to infect at full speed!
*ducks*
Glasspusher
Fresh-Faced Recruit
Joined: Oct 2000
LOL
01/25, 03:49pm reply
What a ridiculous uninformed pantload of FUD.
porieux
Baninated
Joined: Mar 2001
zdnet virus!
01/25, 03:51pm reply
zdnet - infecting journalism worldwide at an accelerated pace!
Feathers
Forum Regular
Joined: Oct 1999
What Planet Is He From?
01/25, 04:18pm reply
This is almost like reading an article that says the sun rises in the west, that water flows uphill, and Carrie Underwood can't sing. It's totally contrary to everything I've been reading these past few years, especially the part about Apple taking their time to fix known security issues. And tell me how have most other Unixes fixed some of these problems 10+ years ago, but not Apple, when Apple adopted their BSD flavor of Unix only 5 years ago? What a dork.
wings_rfs
Fresh-Faced Recruit
Joined: Dec 2002
they could at least...
01/25, 04:23pm reply
... say what these bugs are! Are they remote exploits? Local exploits? Denial of Service (e.g. crashing)? What? They just seem to wave their hands at the "large number of remaining bugs" without saying how these bugs could actually be used. Without such information, I'm inclined to believe that most of the bugs are highly unexploitable.
Rincewind
Fresh-Faced Recruit
Joined: May 2000
"Dug" through the source
01/25, 04:28pm reply
...and how long did digging through every line of the source code take? And how, exactly, did he spot insecurities simply by READING the source code? Usually it takes a computer, a compiler, and a decent hacker to find security holes... this chump did it just by READING the source code? Damn!
ElDiabloConQueso
Fresh-Faced Recruit
Joined: Feb 2002
What code is he finding?
01/25, 04:36pm reply
Apple is using OSX not OS9. Two different worlds as far as security goes. OSX has been out for 5 years and not one OSX machine has been compromised. So if there are so many holes, where are they and why aren't these experts getting through? I'll tell you why: because they don't exist.
jhorvatic
Fresh-Faced Recruit
Joined: Apr 2005
Suresec's Neil Archibald
01/25, 05:01pm reply
He's just trying to peddle his goods....
iChick
Fresh-Faced Recruit
Joined: Sep 2001
There are real problems.
01/25, 05:47pm reply
There are some real security problems that Apple has addressed poorly if at all, and that have the potential of escalating to a remote attack (where someone on the internet gets into your computer) or making a social engineering attack far easier. The kinds of problems Archibald is talking about are serious, and would be a real concern for a timeshared system, but would only be useful in a second stage attack after a remote exploit was used.
So at the same time he's ignoring the real problems, and distracting attention towards secondary ones.
I talk about the primary problem at more length than I can fit here on my not-a-blog: http://wwww.scarydevil.com/~peter/io/ .
resuna
Fresh-Faced Recruit
Joined: Jan 2005
I know of one
01/25, 08:07pm reply
Whether this is total FUD or not, there is one bug that pops up when running rkhunter on my OS X 10.3.9 machine: OpenSSH is vulnerable. Anyone know if this bug is fixed in Tiger?
billbarstad
Fresh-Faced Recruit
Joined: Jan 2005