
'Old' security flaws persist in Mac OS X

updated 02:40 pm EST, Wed January 25, 2006

Security flaws in OS X


Apple could be leaving its Mac OS X users prone to attack if a number of newly and previously discovered bugs are not fixed. Software security specialists at Suresec recently dug through the code of Mac OS X and found bugs that persist in current versions of both the Intel- and PowerPC-based editions of Mac OS X, many of which were fixed in other companies' operating systems years ago, according to ZDNet Australia. "The code that Apple uses in its applications and libraries is relatively under-audited, which leaves a lot of low hanging bugs... Some of the security vulnerabilities we've seen during research on OS X were fixed on most other operating systems 10 to 15 years ago," said Suresec's Neil Archibald. The company said that as Apple's market share grows, malicious users will find and exploit more of the underlying flaws. Apple is slow to fix them after they are found, and does not use the right software to prevent them in each release, according to the firm.

Archibald believes these opinions are "justifie[d] because Apple does not use software auditing tools to scan enough of its software," according to ZDNet Australia. This opinion echoes that of BBC correspondent Bill Thomson, who surmises that Apple's image as a secure operating system is largely due to its small user base in comparison to the entire PC market. Microsoft has been using various software auditing tools to enhance the security of the Windows operating system, seeking out and correcting coding errors that could have disastrous effects.

"During the small time Suresec researchers spent auditing Mac OS X, many vulnerabilities like this turned up. Suresec is currently aware of many bugs which exist by default in the latest version of Mac OS X, on both the Intel and PPC Architecture," Archibald stated to ZDNet Australia.

"In my experience, which is also the experience of some of my peers, Apple has been very slow to respond to reported security vulnerabilities. It expects security researchers to wait indefinitely to release the vulnerabilities and offers no incentive for them to do so," said Archibald.


by MacNN Staff


Comments

  1. Glasspusher

    Fresh-Faced Recruit

    Joined: Oct 2000

    0

    UB Virus

    Still waiting for the first Universal Binary virus, to infect at full speed!

    *ducks*

  2. porieux

    Baninated

    Joined: Mar 2001

    0

    LOL

    What a ridiculous uninformed pantload of FUD.

  3. Feathers

    Grizzled Veteran

    Joined: Oct 1999

    0

    zdnet virus!

    zdnet - infecting journalism worldwide at an accelerated pace!

  4. wings_rfs

    Fresh-Faced Recruit

    Joined: Dec 2002

    0

    What Planet Is He From?

    This is almost like reading an article that says the sun rises in the west, that water flows uphill, and Carrie Underwood can't sing. It's totally contrary to everything I've been reading these past few years, especially the part about Apple taking their time to fix known security issues. And tell me how have most other Unixes fixed some of these problems 10+ years ago, but not Apple, when Apple adopted their BSD flavor of Unix only 5 years ago? What a dork.

  5. Rincewind

    Fresh-Faced Recruit

    Joined: May 2000

    0

    they could at least...

    ... say what these bugs are! Are they remote exploits? Local exploits? Denial of Service (e.g. crashing)? What? They just seem to wave their hands at the "large number of remaining bugs" without saying how these bugs could actually be used. Without such information, I'm inclined to believe that most of the bugs are highly unexploitable.

  6. ElDiabloConQueso

    Fresh-Faced Recruit

    Joined: Feb 2002

    0

    "Dug" through the source

    ...and how long did digging through every line of the source code take? And how, exactly, did he spot insecurities simply by READING the source code? Usually it takes a computer, a compiler, and a decent hacker to find security holes... this chump did it just by READING the source code? Damn!

  7. jhorvatic

    Fresh-Faced Recruit

    Joined: Apr 2005

    0

    What code is he finding?

    Apple is using OSX not OS9. Two different worlds as far as security goes. OSX has been out for 5 years and not one OSX machine has been compromised. So if there are so many holes, where are they and why aren't these experts getting through? I'll tell you why: because they don't exist.

  8. iChick

    Fresh-Faced Recruit

    Joined: Sep 2001

    0

    Suresec's Neil Archibald

    He's just trying to peddle his goods....

  9. resuna

    Fresh-Faced Recruit

    Joined: Jan 2005

    0

    There are real problems.

    There are some real security problems that Apple has addressed poorly if at all, and that have the potential of escalating to a remote attack (where someone on the internet gets into your computer) or making a social engineering attack far easier. The kinds of problems Archibald is talking about are serious, and would be a real concern for a timeshared system, but would only be useful in a second stage attack after a remote exploit was used.

    So at the same time he's ignoring the real problems, and distracting attention towards secondary ones.

    I talk about the primary problem at more length than I can fit here on my not-a-blog: http://wwww.scarydevil.com/~peter/io/ .

  10. billbarstad

    Fresh-Faced Recruit

    Joined: Jan 2005

    0

    I know of one

    Whether this is total FUD or not, there is one bug that pops up when running rkhunter on my OS X 10.3.9 machine: OpenSSH is vulnerable. Anyone know if this bug is fixed in Tiger?
