Is Apple Doing Enough for Mac Security?

Apparently, a bug similar to one fixed by Apple in March 2006 has appeared in Leopard.  More information is available from the heise Security and Dark Reading web sites.

The flaw allows attackers to create e-mail attachments that appear to be harmless (a JPEG image, say) but are actually executables that run malicious code.  In Mac OS X 10.4, users were warned that such an attachment was actually an executable file.  It’s doubtful that this new bug is the same bug as was fixed in earlier versions of the OS, although the end result is the same.

I have not seen any information as to a workaround for this flaw, other than to avoid opening e-mail attachments.  It is my understanding that this flaw was made public right around the same time as the release of the latest security updates for Panther and Tiger and the first major update for Leopard, 10.5.1, so I don’t think that a patch for this flaw has yet been made available.

I hope that the emergence of a flaw similar to one corrected in earlier versions of the OS does not indicate a more severe security problem within Leopard or even within Apple.  As it currently stands, I have concerns that Apple is not taking security seriously enough and is “resting on the laurels” that Mac OS X is already secure enough because of its UNIX underpinnings.  It would be a shame for a great OS such as Mac OS X to be tarnished because Apple wasn’t willing to put forth the effort to make it as secure as it needs to be in today’s environments.  Don’t get me wrong; I love the Mac, and I love Mac OS X.  This kind of mistake, however, would get someone like Microsoft tarred and feathered.  Why aren’t we holding Apple to the same standards?  Is Apple really doing enough for Mac security?


According to the folks at Rixstep, Apple never fixed this bug in the OS X file system, which was exposed a while ago; it merely patched some of its own applications, leaving any and all third party apps vulnerable. Has Apple itself demonstrated the continued existence of this bug by forgetting to sidestep it in the latest version of its core applications?

Quoting from Rixstep’s write-up:

Oompa Loompa was a fortunate wake-up call for Apple and OS X users and luckily was not followed by further evolved exploits. Apple proceeded to plug the ‘hole’ not with a proper security system audit but by what the media in general found less than adequate: they put protective code in their own web applications but left the system itself - and everyone else’s web applications such as Firefox, Thunderbird, Camino, Eudora - wide open.

The vulnerability in Leopard Mail discovered by Edward Henning of Heise Security is the same as used by Oompa Loompa almost two years ago.

I’m not competent to judge whether Rixstep is correct or not, but it’s a pretty damning allegation!

I love my Mac, but I can’t help feeling (especially after the Safari for Windows fiasco) that Macs are secure by obscurity and that Apple is going to get a big wake-up call soon.

I hope I’m wrong.

M