Apple Update Patches 13 Flaws

Apple has issued a bundle of security fixes to mend 13 separate security flaws in several versions of its Mac OS X operating system, including quite a few holes that attackers could use to seize control over vulnerable machines.

Nine of the 13 vulnerabilities reside in various Web-facing applications, including the Apache Web server. Two other flaws were found in Apple programs that process secure sockets layer transactions, which are designed to provide communications privacy over the Internet, usually at sites that require sensitive information, such as credit card numbers, user names and passwords.

Another pair of vulnerabilities reside in Safari, Apple's default Web browser. Other flaws could be exploited by convincing the user to browse a site with a specially crafted domain name or an overly long Internet address.

Before I launch into what will certainly be a flame-inducing rant: The patches apply to versions 10.3.9 and 10.4.3 of Mac OS X and OS X Server. Mac users can download the fixes via Software Update or manually from Apple Downloads.

Each time Security Fix posts information about patches, we almost always hear from a bunch of Apple users who invariably leave comments like, "Buy a Mac, and get a life," or "Humbug! Nobody's attacking Macs, so it doesn't matter how many dang patches are issued." Well, maybe, maybe not.

But over the weekend I found myself stuck in a local mall with hordes of bargain-hunting shoppers, and noticed for the first time a truly massive new Apple store where an old clothier used to be.

There were so many people in that place that I thought the dozens of Mac machines whirring atop gleaming white towers throughout the store were going to melt or burst into flames -- the temperature in that place was easily 10 to 15 degrees warmer than any other store I'd been in. There could not have been enough machines in the stockroom to satisfy all the customers jostling for a chance to play with the computers.

Fact: Macs are coming down in price. Fact: More people are so fed up with the incessant viruses, spyware, etc. on Windows that switching to a Mac is more appealing than ever. My hunch: 2006 may turn out to be the year we start seeing significant growth in the Mac user base, and with it, if not Mac viruses or worms, then at least some automated tools for attacking various Mac vulnerabilities.

I'm willing to bet that there are plenty of Mac users still running older or at least unpatched -- and unfirewalled -- versions of OS X (10.3.x). Take a growing user base and combine that with the complacency that comes with not having to fend off constant attacks, and it seems to me you have a fertile stomping ground for attackers.

For a long while, Firefox users touted their favorite browser as a more secure alternative to Internet Explorer. Now that Firefox has gained close to a 15 percent market share, we have started to see more and more security researchers and attackers focusing their attention on it.

At least two of the Mac vulnerabilities detailed today involve system processes that normally aren't allowed to modify settings -- but the programs, if tweaked the right way, could allow attackers to elevate their privileges on the affected machines. Combine those types of flaws with a slew of vulnerabilities that are exploitable via various Web applications and things could start to get nasty for Mac users.

Then again, I'm no Mac expert. Just go and download your patches already. And let the flame wars commence.

By Brian Krebs  |  November 30, 2005; 7:50 AM ET
Categories:  New Patches  

Comments

I think your guess about all those mac users out there running unpatched system software is mistaken. If you're the kind of person who is insufficiently savvy to protect your computer properly, you are probably also the sort of person who is insufficiently savvy to turn off software update.

And you think there's a bunch of people out there writing code for a two year old version of the system software for a computer with still very minor market share?

Finally, seriously, you've never noticed an apple store before and you write a computer column? That's lame.

Posted by: Chris | November 30, 2005 8:47 AM

Well, seeing as this one -- at Pentagon City -- opened less than four months ago (http://www.ifoapplestore.com/stores/chronology.html) and I don't go shopping unless someone drags me to the mall, little surprise that I would have missed this one.

Posted by: Bk | November 30, 2005 8:58 AM

Any recommendations on how Mac users might run a system check to ensure nothing's gotten in there? I had some weirdness with my PowerBook lately which I expect is just a problem with the disk or user preferences, but it struck me that if I was on a Windows machine I'd go run SpyBot or something. I hate to just go to Norton or McAfee and buy something as a security blanket.

Posted by: bobalu | November 30, 2005 9:21 AM

Security through obscurity can only protect you so far. It can reduce the likelihood of an infection, but it shouldn't take the place of an integrated protection scheme, including software and hardware elements. As a stop-gap measure, until the manufacturers actually come out with machines that are acceptably secure out of the box, using a lower risk OS can help out.

Posted by: Bob | November 30, 2005 9:21 AM

It's true that there will be increased attention to the Mac platform as market share increases, but it's not an automatic more Macs = more Mac viruses assumption, either.

1. Until recently, Windows would ship with almost all of its services enabled, ports open, etc. This was why so many of those vulnerabilities were noticed- services typical users didn't need were routinely exploitable anyway. On the Mac, those services have to be enabled by the user- even if Apache is vulnerable, it isn't running on the average home Mac user's computer, so there's nothing to exploit. (To Microsoft's credit, in the last couple of years they've gotten smart about turning off unnecessary services before shipping the OS.)

2. Apache runs 70% of the servers on the Internet, and yet it's Microsoft's IIS servers that are always getting attacked. Why? Because they're easier to exploit. There will be more Macs, and there will be more attempts to exploit Macs, but a lower proportion of attempts will be successful because while there are vulnerabilities, it's still a harder system to exploit.

Posted by: Tiffany | November 30, 2005 10:02 AM

Yes, you are right. It must be true that Macs, because they don't automatically grant root privileges to the ordinary user, but use a sort of linux/unix sudo function for admin, are more secure than the average windows system where the default sign-on is with Administrative privileges. Doesn't apply to corporate environments of course.

But if you and your customers are lost in a sort of fog of self-congratulation for your difference and superiority, which has been Apple's trap since the early days of the 'think different' campaigns, it's very easy to negate this advantage of principle by a carelessness of execution.

We'll see. My feeling is, despite the hysterical postings by Mac zealots, Macs are far more expensive than other brands for the same functionality, and mostly identical or lower quality hardware components. And we are about to find out that they are no more secure either, though differently insecure.

Posted by: Al | November 30, 2005 10:03 AM

I don't disagree that there is a high potential for a virus on the Mac, most likely introduced through a Trojan Horse.

The big missing piece is worms. You can convince somebody to run software through misdirection that contains a virus which is installed on your machine. But how do you get that payload to another compatible Mac OS X box?

Because as another commenter noted Windows used to have all ports open, and because even on secured Windows boxes certain available services had exploits, and because Windows email programs (in general) at one point could execute all manner of scripts (often automatically), this was the way for viruses to vector as worms. Either as a zombie randomly attacking machines on a LAN or the Internet through port scanning, or by sending email to a user's address book.

No Apple mail program, neither Apple's own Mail application nor any third-party program, can execute real program code within the program itself. Many programs will render HTML, but only a few scripting languages, none of which seem to be able to reach up and grab the Address Book for replication.

Apple locks its ports and services down even without a firewall to a greater extent than any other modern OS due to Apple's early exposure to worms in the 1990s. When they planned their Unix variation, there's just a lot less that can be accessed, and there are a lot more sandboxes (and fewer buffer overflow errors).

So it will be interesting to see that when the inevitable day arrives whether a virus can spread to more than unsuspecting sorts who double click and agree to install it.

Posted by: Glenn Fleishman | November 30, 2005 10:15 AM

Great. I just reverted my os system to 10.3 yesterday because one of the updates between 10.3 and 10.3.9 jinxed the combo drive and rendered it unusable (a widespread problem judging from the apple discussion fora). Now that I have the old system back, it works fine. So I have to trade security for functionality. I'm not going to trade the mac for a peecee anytime soon, but having to choose between two serious faults is a real drag.

Posted by: Brad | November 30, 2005 10:43 AM

Al- Macs are priced comparably with comparable mid-range machines. They are made better than, say, E-Machines. Compare a Mac with a Toshiba or HP, comparably configured, and the prices are close.

Posted by: Joe Kerr | November 30, 2005 11:57 AM

Any Mac that is still running 10.2.8 is more likely 8 years old or older. Beige G3s support was dropped with Panther...


And if you can run Panther, you can run 10.3.9 (if you have problems...just bring your system and software in an Apple store and have them install it, they will happily do that for you).


Yes, there's no truly safe system. That's the nature of life...But if you add that Unix is technically the safest OS on the market, that OS X is hardware specific and more importantly that the growth in market share is NEW COMPUTERS and not old systems updated.

Not a hacker's ideal environment.


Like let's say PC...where 1 out of 5 users are running an OS that's 6 years old or older.


I bet a Mactel Mini that they're unpatched.

Posted by: Toby | November 30, 2005 12:50 PM

Well, I'm a mac guy, pretty thick mac guy I guess. If it counts any to you windows people I admit that I really don't have a life either. But on the other hand I edit videos on a mac every day so it's related to my profession/hobby.

I do apologize for those other Mac zealots though and their negative comments. Those are the ones who don't know they don't have a life.

With the viruses thing, there's one thing that I always come back to. The personalities of those hackers are based on pride of their accomplishments. One of the highest prizes in the hacker community must be the first person to write a virus for the Mac OS. I've just got to believe those guys are chomping at the bit for that.

I think the biggest test will be this year though. Not from increased sales but that the OS is ported to Intel PCs. Now the hackers don't have to spend any green on a new box or the cost of the OS software (pirate).

Now they'll be able to spend their free time on a new goal of breaking that puppy open. I'm sure a great deal of them are trying to do that now with the copies that are available.

What I do know though, is that Apple seems to put much greater emphasis on this than Microsoft. With that being said, that's worth spending more in my book. At least there's some sort of effort made. I really question how much Microsoft cares about that.

Posted by: Pete | November 30, 2005 1:07 PM

Also, I couldn't care less about the 15 to 20% higher cost. I have such peace of mind, a gorgeous box and OS, and some amazingly high props to the fact that the thing just works!

The other thing to mention with regards to cost is that it's like any other investment. Macs have a higher resale value on eBay plus they don't get outdated as quickly as those PCs. Apple has been making that OS X leaner and meaner with each new version to help out the older PCs. I'll bet it comes out as a wash in the long run. At least I'll bet that that 20% higher initial cost is reduced to a 5 to 10% higher cost over the life of the computer.

This might sound like a strange analogy but I bought a $200 pair of Ecco boots that I've had for 10 years, 5 of which were at a large campus university. I've put so many miles on those things. That $200 is chump change. Plus they're the most comfortable things I could find. Seems like a comparable example to me.

Posted by: Pete | November 30, 2005 1:18 PM

A lot of the comments are about how much more you're getting. You did use to be getting something more, or at least different. At one time you got SCSI disks, nubus, better processor, ADB. They were all way ahead of the competition. They were more expensive, but they were worth it. And total security. It wasn't just through obscurity, Classic really was basically unhackable.

Now, it's not so clear. You are getting a machine which costs more, but has identical components, except lower end or less of them. Less hard drive, less memory, lower end nVidia or Radeon graphics. Absolutely standard interfaces. Off the shelf PSUs, Seagate or WD drives, the usual opticals, Samsung memory. Just pay more for them.

The cases are different and stunning. Though probably worse engineered, and noisier or hotter. Or more compromises. Look at the Cube. Or the noise from the floorstanders with all those fans.

So, are you still getting the security? Not really. Security is a mixture of user base practice and corporate paranoia. The reality of OSX is that it is the same sort of animal as Linux, but a less savvy user base. That is, it's a window manager, toolkits and Desktop with apps, all over BSD. It's like KDE over BSD or over Linux. I'm not saying the apps are the same or worse. Just, it has the same types of potential vulnerabilities. It's not like Classic. It is a different and much less intrinsically secure world.

Seems like on the user savvy level, Apple is no better than Windows and a lot worse than Linux. In terms of corporate paranoia, worse than Linux and even than Windows now. Those guys are wising up.

We will see. But with the switch to Intel taking away the last little bit of hardware differentiation, and I suspect the writer being right about the lack of real differentiation on security, it might be an interesting year.

Posted by: Al | November 30, 2005 6:07 PM

Any viruses for the Mac? No? Okay then.

Any Spyware for the Mac? No? All right.

Posted by: Chris | November 30, 2005 8:35 PM

First of all; I wonder if it hasn't become more difficult to write an effective virus also for an up-patched PC running XP with firewall up and loaded with anti-virus etc? What does that indicate? Simply that there are more locks and barriers to break through and that is not a work for your average script kiddie. Now, Mac OS X is based on a variable of the tried and tested UNIX and it was also developed with Internet in mind which Windows was not. And somehow, I suspect that the ghost of the original QDOS (Quick and Dirty Operative System) that Gates and da boys bought when they needed to sell an OS to IBM, is a ghost in the machine even today. In spirit, at least. It must be a terrible job to patch up such a system, considering all the bloatware which has been added to it at the same time, over the years.

Anyway, it is getting more secure although it still has the Registry which I have understood is the rotten core to lots of its problems - and it will linger way into Vista, too, but all the same it is getting somewhat more cumbersome to break through all the new locks and barriers.

No system of the magnitude as a modern operating system is, wanting to please any whim of the imaginary customer and even adding new ones, in the hope of attracting more, can be totally secure, of course, and neither is Mac OS X. According to critics from the Linux-side, Apple is making some mistakes which can be compared to those MS has done. But simple logic would tell us that it is not just security through obscurity which is the reason that not one single virus exists for Mac OS X after five years and counting. After all, there existed a few for the Classic Mac OS.

One day someone will be smart enough to break through all the locks and barriers created by Apple although those are more and more effective than those existing on Windows, but it won't be your average script kiddie. Mac OS X will continue to be more secure than Windows, simply because it was created with security in mind from the start on.

Is that so difficult to digest?

Posted by: Will | November 30, 2005 9:01 PM

Tiffany wrote:
>>Until recently, Windows would ship with almost all of its services enabled, ports open, etc.

Today, WindowsXP SP2 still ships with most of its services enabled (that is to say, non-disabled), although it does ship with fewer ports open than Windows2000.
http://www.hsc.fr/ressources/breves/min_srv_res_win.en.html

>>(To Microsoft's credit, in the last couple of years they've gotten smart about turning off unnecessary services before shipping the OS.)

Here's a non-exhaustive list of services XP SP2 still leaves non-disabled by default which keep open--or could open without warning--network ports:
DNS Client (Automatic)
IPSEC Services (Automatic)
SSDP Discovery Service (Manual)
Universal Plug and Play (Manual)
Terminal Services (Manual)
Windows Firewall/ICS (Automatic) [yes, this actually keeps a TCP port >1025 open]

On stand-alone computers which aren't locally-networked and only connect to the Internet (e.g., millions of instances of XP Home), these services are unnecessary (and the firewall is non-secure). Not smart enough yet IMHO.

Toby wrote:
>>Like let's say PC...where 1 out of 5 users are running an OS that's 6 years old or older.
>>
>>I bet a Mactel Mini that they're unpatched.

Bear in mind that "unpatched" != "insecure".

Posted by: Mark Odell | November 30, 2005 11:38 PM

FYI: The built in firewall in OSX is enabled by default. Users must manually disable it, or manually start & permit any services. This has been the case since at least 10.2.

Posted by: Chris_B | December 11, 2005 10:09 PM

http://www.mistahaack.com

Get a Mac! Nobody is hacking into our systems darnit! Getta outa here! GO back to PC land!

Sorry, I had to. Good article - Good point. Real MAC users have always known that. Trojan horses and Timbuktu are already dangers. "Viruses" seems semantically vague and misleading. Router, Hard Firewall, Soft Firewall, only use admin user when necessary, have two machines if possible ...

mistahaack

Posted by: Jonathan Haack | December 15, 2005 4:14 AM

The comments to this entry are closed.

 
 