If you leave the safe open, someone will steal your stuff. Maybe it's not so safe after all.

OSX has often been touted by Apple as the world's most secure operating system. Though there are clearly reasons far beyond just good design to explain this anomaly, it has so far been pretty true. Since Macs comprise a small part of the computer market as a whole, it's been largely untested - but now advisories released by security firms are proving otherwise.

Secunia has announced a critical flaw in the Mac Safari browser. The "Open Safe" technology, which is enabled by default, can be easily exploited to run malicious code that would allow a hacker to hijack the system. For those unfamiliar with the tech, Open Safe is designed to automatically execute 'trusted' bits of code that are downloaded - but it's easy to spoof the trusted certificate, meaning the browser will automatically download and execute anything that the writer decides to include.

Fixing the problem is pretty simple for now, as one just has to turn off Open Safe. However, this is just one out of a growing number of easily exploited and highly dangerous flaws in the OS. Since Apple has never really concerned itself with patching the way that Microsoft has, there is no framework in place to easily correct the bugs, either. This means that millions of Mac users, many of whom don't believe they need security measures to begin with, could remain unprotected and vulnerable.

The bug was discovered by a security researcher using the handle LMH. It takes advantage of an integer overflow error when using Open Safe that causes the certificate check to crash and therefore be assumed safe. LMH discovered the bug in his "Month of Apple Bugs" hunt, which he is undertaking to beat up the myth that Apple users don't need security.

To be fair, OSX isn't the only OS that has this trouble - the bug will also affect users of FreeBSD 6.1, which shares much of the same technology. The bug is actually a secondary finding of a kernel flaw that LMH discovered in November. However, unlike FreeBSD (which releases regular updates), OSX 10.4.8 isn't due for a change for a little while - and if Leopard exhibits the same problems, it could be quite some time before it gets fixed.

Do you have a comment on the bug? Let us know in our forums.
Austin Daemon, 12th January 2007, 17:10
Quote:
Since Apple has never really concerned itself with patching the way that Microsoft has, there is no framework in place to easily correct the bugs, either.

It's called Software Update. Broadband-connected Macs can set it to check for and download patches weekly (they're released on Tuesdays). Been in place as long as OS X.
yodasarmpit, 12th January 2007, 17:11
If it can connect to the net there will always be some exploit.
DXR_13KE, 12th January 2007, 23:30
after all... it is a computer..... it is man made....i will be always faulty.
zoot2boot, 13th January 2007, 10:26
Quote:
Originally Posted by DXR_13KE
i will be always faulty.

haha. too true.
Nikumba, 13th January 2007, 11:57
Quote:
Originally Posted by Austin Daemon
It's called Software Update. Broadband-connected Macs can set it to check for and download patches weekly (they're released on Tuesdays). Been in place as long as OS X.

I think what they mean is Apple has no bug fixing/patch releasing structure in place. All OS have an update service to some degree but they might not have a team of programmers/engineers who fix those bugs and release the patches.

Which is what Apple is lacking from the tune of the article, and they are probably right, Apple has been on its pedestal claiming to be prettiest/secure/everyone copies OS for a long time, but those times are changing, Vista just round the corner is a pretty OS, I find it as stable if not more so than XP, and gives me better games performance due to the way DirectX works now.

Even when working in the publishing world for 3 years I grew to dislike the OS, and their hardware due to a certain degree. Took delivery of 10 brand new top range G5s had bits loose in the case, 3 had to go back for repair, it's not something I would expect from the likes of Dell, HP but Apple seem to go for Form over Function ethos, much like they have done with the iPhone. The other problem I don't like with the OSX is when they went from 10.2 to 10.3 most of the scanners we used etc didn't work since the drivers weren't 10.3 compatible. Granted I can understand them not working going from 9 - 10 or 10 - 11 but just from a point release isn't good.

Kimbie
Jamie, 15th January 2007, 09:33
We reported a similar issue with Safari launching widgets that are downloaded over a year ago. I think Apple should turn off the auto launching of downloads altogether.