Mac Safari has critical vulnerability

Written by Brett Thomas

January 12, 2007 | 15:59

Tags: #mac #safari

Companies: #secunia

OSX has often been touted by Apple as the world's most secure operating system. Though there are clearly reasons far beyond just good design to explain this anomaly, it has so far been pretty true. Since Macs comprise a small part of the computer market as a whole, it's been largely untested - but now advisories released by security firms are proving otherwise.

Secunia has announced a critical flaw in the Mac Safari browser. The "Open Safe" technology, which is enabled by default, can be easily exploited to run malicious code that would allow a hacker to hijack the system. For those unfamiliar with the tech, Open Safe is designed to automatically execute 'trusted' bits of code that are downloaded - but it's easy to spoof the trusted certificate, meaning the browser will automatically download and execute anything that the writer decides to include.

Fixing the problem is pretty simple for now, as one just has to turn off Open Safe. However, this is just one out of a growing number of easily exploited and highly dangerous flaws in the OS. Since Apple has never really concerned itself with patching the way that Microsoft has, there is no framework in place to easily correct the bugs, either. This means that millions of Mac users, many who don't believe they need security measures to begin with, could remain unprotected and vulnerable.

The bug was discovered by a security researcher using the handle LMH. It takes advantage of an integer overflow error when using Open Safe that causes the certificate check to crash and therefore be assumed safe. LMH discovered the bug in his "Month of Apple Bugs" hunt, which he is undertaking to beat up the myth that Apple users don't need security.

To be fair, OSX isn't the only OS that has this trouble - the bug will also affect FreeBSD 6.1 users, which shares much of the same technology. The bug is actually a secondary finding of a kernel flaw that LMH discovered in November. However, unlike FreeBSD (which releases regular updates), OSX 10.4.8 isn't due for a change for a little while - and if Leopard exibits the same problems, it could be quite some time before it gets fixed.

Do you have a comment on the bug? Let us know in our forums.
Discuss this in the forums
YouTube logo
MSI MPG Velox 100R Chassis Review

October 14 2021 | 15:04