Comments on: Is Apple Doing Enough for Mac Security? http://blog.scottlowe.org/2007/11/26/is-apple-doing-enough-for-mac-security/ The weblog of an IT pro specializing in virtualization, storage, and servers Mon, 01 Dec 2008 19:59:36 +0000 http://wordpress.org/?v=2.6 By: Mark Wilson http://blog.scottlowe.org/2007/11/26/is-apple-doing-enough-for-mac-security/#comment-34356 Mark Wilson Mon, 26 Nov 2007 22:58:22 +0000 http://blog.scottlowe.org/2007/11/26/is-apple-doing-enough-for-mac-security/#comment-34356 I love my Mac but I can't help feeling (especially after the Safari for Windows fiasco) that Macs are secure by obscurity and that Apple is going to get a big wake up call soon. I hope I'm wrong. M I love my Mac but I can’t help feeling (especially after the Safari for Windows fiasco) that Macs are secure by obscurity and that Apple is going to get a big wake up call soon.

I hope I’m wrong.

M

]]> By: Ben Finkelstein http://blog.scottlowe.org/2007/11/26/is-apple-doing-enough-for-mac-security/#comment-34354 Ben Finkelstein Mon, 26 Nov 2007 22:12:03 +0000 http://blog.scottlowe.org/2007/11/26/is-apple-doing-enough-for-mac-security/#comment-34354 According to the folks at Rixstep, Apple never fixed this bug in the OS X file system, which was exposed a while ago; it merely patched some of its own applications, leaving any and all third party apps vulnerable. Has Apple itself demonstrated the continued existence of this bug by forgetting to sidestep it in the latest version of its core applications? Quoting from Rixstep's write-up: Oompa Loompa was a fortunate wake-up call for Apple and OS X users and luckily was not followed by further evolved exploits. Apple proceeded to plug the 'hole' not with a proper security system audit but by what the media in general found less than adequate: they put protective code in their own web applications but left the system itself - and everyone else's web applications such as Firefox, Thunderbird, Camino, Eudora - wide open. The vulnerability in Leopard Mail discovered by Edward Henning of Heise Security is the same as used by Oompa Loompa almost two years ago. I'm not competent to judge whether Rixstep is correct or not, but it's a pretty damning allegation! According to the folks at Rixstep, Apple never fixed this bug in the OS X file system, which was exposed a while ago; it merely patched some of its own applications, leaving any and all third party apps vulnerable. Has Apple itself demonstrated the continued existence of this bug by forgetting to sidestep it in the latest version of its core applications?

Quoting from Rixstep’s write-up:

Oompa Loompa was a fortunate wake-up call for Apple and OS X users and luckily was not followed by further evolved exploits. Apple proceeded to plug the ‘hole’ not with a proper security system audit but by what the media in general found less than adequate: they put protective code in their own web applications but left the system itself - and everyone else’s web applications such as Firefox, Thunderbird, Camino, Eudora - wide open.

The vulnerability in Leopard Mail discovered by Edward Henning of Heise Security is the same as used by Oompa Loompa almost two years ago.

I’m not competent to judge whether Rixstep is correct or not, but it’s a pretty damning allegation!

]]>