Mac patch falls short of expectations
The mega-patch Apple Computer Inc. released last week to fix a variety of flaws isn't as thorough as it should be, security experts say. Among other things, the patch added a function to the Safari Web browser, iChat instant messaging program and Apple Mail client that warns users when a download is potentially malicious. But experts say the patch still leaves attackers room to ram through a malicious application that looks like a safe file on the surface.
"While Apple added a checkpoint to the downloading and execution process, they did not eliminate this vulnerability," Kevin Long, an analyst with Herndon, Va.-based security vendor Cybertrust Inc., told CNET News.com. "If a user can be tricked into opening a file that looks like a picture, the user may actually be opening a malicious script."
After installing the Apple patch, Safari, Mail and iChat in most cases will display a warning when downloading a potentially malicious file. But the same isn't true for other applications that let users receive files, such as the Firefox Web browser, Thunderbird e-mail client, Yahoo Messenger and LimeWire file-sharing tool, CNET News.com reported. Apple offers no safeguards for those programs.
Mac root access 'easy pickings'
In other Mac news, a hacker claims that it only took him 20-30 minutes to gain root access to an OS X machine, highlighting further security issues with Apple machines. The hacker did so in response to a hacking challenge, in which a Mac Mini was set up as a server and hackers were invited to crack the computer's security and get root control. The competition was over in a matter of hours, when the challenger posted this message on his Web site: "This sucks. Six hours later, this poor little Mac was owned, and this page got defaced." The hacker who won the challenge told ZDNet that he gained root control of the Mac in less than 30 minutes. The hacker, identified as "Gwerdna," called the process of gaining root access "easy pickings."
Microsoft Fingerprint Reader hacked
Despite the increased focus on Mac weaknesses, exploits targeting Microsoft's products are alive and well. According to IDG News Service, a researcher with the Finnish military has found that a person's fingerprint can be stolen by exploiting an omission in the Microsoft Fingerprint Reader, a PC authentication device the software giant has been shipping since September 2004.
Although the Fingerprint Reader can prevent unauthorized people from logging on to PCs, Microsoft has not promoted it as a security device, but rather as a tool for home users who want a fast way to log on to Web sites without having to remember user names and passwords. In fact, the news service said, the Microsoft.com Web site warns that the Fingerprint Reader should not be used to protect sensitive data.
Hoping to understand why Microsoft had included the caveat about sensitive data, the researcher, Mikko Kiviharju, decided to dissect the program. At last week's Black Hat Europe conference in Amsterdam, he reported that because the fingerprint image is transferred unencrypted from the Fingerprint Reader to the PC, it could be stolen using a variety of hardware and software technologies called sniffers. "The fingerprint that can be sniffed is pretty good quality," IDG News Service quoted him as saying. Once the fingerprint image has been sniffed, attackers could use it to make it look like the victim is authenticating onto a PC or a Web site using the Fingerprint Reader, Kiviharju said. But he said the attack is complex. Among other things, it requires that the attacker physically connect a second PC to the computer that is being attacked.