By Blane Warrene MacNewsWorld Part of the ECT News Network
05/24/04 4:15 PM PT
Danish security firm Secunia released a new advisory Saturday stating that the security update Apple (Nasdaq: AAPL) released Friday to combat the security vulnerabilities that could result from Uniform Resource Identifier (URI) flaws found in at least two Mac-compatible browsers [Blane Warrene, "OS X Security Flaw Plagues Web Browsers," MacNewsWorld, May 19, 2004] has not succeeded in completely patching the problem.
According to the advisory, an updated OS X system can still fall victim to malicious code introduced in several ways, including through a disk image file (.dmg) or through a volume accessing files through AppleTalk Filing Protocol (AFP), File Transfer Protocol (FTP), Server Message Block (SMB, a protocol used in DOS and Windows networking) or Web-based Distributed Authoring and Versioning (DAV) URI handlers.
An Apple spokesperson told MacNewsWorld on Monday that the company could not comment any further about either these flaws or the company's inability to rectify them through last Friday's update. Moreover, in a statement released at the same time as Friday's security update, Apple labeled the Mac OS X vulnerability in its Help Viewer application "theoretical" in nature.
OS X 'Too Smart'?
"Apple takes security very seriously and works quickly to address potential threats as we learn of them -- in this case, before there was any actual risk to our customers," Philip Schiller, senior vice president of worldwide product marketing at Apple, said in Friday's statement. "While no operating system can be completely immune from all security issues, Mac OS X's Unix-based architecture has so far turned out to be much better than most."
The security release in question came several days after Secunia confirmed the flaws in version 1.2.1 of Apple's Safari browser and in version 5.2 of Microsoft's (Nasdaq: MSFT) Internet Explorer (IE). Secunia first learned of these vulnerabilities from "lixlpixel," who spoke with MacNewsWorld last week about the issue.
"The problem may be that OS X is too smart. It registers applications just by showing it to the Finder," lixlpixel told MacNewsWorld in a follow-up interview Monday.
Secunia's advisories have generated a massive number of postings on several Mac-related Internet forums. Lixlpixel said his primary concern with the outpouring of discussion online is that the threads are "pretty dangerous. [They] could easily be a how-to guide to toasting Apple [computers]."
Growing Pains
Saturday's alert was based in part on information provided by Jens Jakob Jensen, a Danish programmer who runs the Web site "ozwik.dk." In an e-mail, Jensen told MacNewsWorld that he researched the problem after following the debate on these forums. According to him, it was clear that a patched system with "Safe" downloading turned off in Safari could still be exploited via the disk URI.
"After continued research on this over the weekend, I reported my findings to Apple's Product Security," Jensen wrote.
For his part, Aberdeen vice president Jim Hurley said that Apple's predicament is no different from the growing pains being felt at companies like Red Hat as these companies penetrate the enterprise market.
Hurley called this "death march experience" probably the most effective means to ensure that customers are aware of such issues and receive updates for them.
"Look at Microsoft. Their customers are pretty conditioned to being notified when there are emergency updates that need immediate attention," Hurley told MacNewsWorld.
"This in contrast to IBM (NYSE: IBM), where there is no public notification of updates unless you are a contract customer," Hurley continued, adding that, in his view, IBM's strategy is patently unacceptable.
"Apple is doing way better than a year ago, when it was nearly impossible to find specific updates to address a specific problem on their Web site," he said.
Securing Safari
According to Jensen, the safest scenario is for users to disable the protocol handlers for .dmg and FTP. He also advised setting these protocols to applications other than OS X's Finder, such as the Mac FTP client Fetch.
Two tools are available to help. More Internet, a freeware application from Monkey Food, allows users to modify helper protocols, and Unsanity LLC released a free program called "Paranoid Android" to patch the problem.
"Until Apple fixes this vulnerability, you should install Paranoid Android and surf safely," Unsanity's Jason Harris recommended.