Apple Computer has released a patch to fix serious flaws in Mac OS X that could allow malicious Web sites to compromise vulnerable Macintosh machines.
The Cupertino, Calif.-based company has released Security Update 2004-06-07 to address the vulnerabilities. The update adds a dialog box that warns users when a file downloaded from the Internet is about to be launched automatically and has never run on the system before. Ken Bereskin, director of product marketing for Mac OS X, said the dialog box will help prevent exploits while preserving the operating system's popular feature of letting one program be opened via a link from within another program. This feature is what lets users start a new e-mail message directly from a link on a Web page.
He added that the latest update takes into account feedback the company has received from customers in the last two weeks.
"One lesson we've learned is that people have had a difficult time finding information," Bereskin said. "In this update, we included a link that takes you directly to the Apple security site. Past updates did not include the link, and this makes it easier for the user to access the full details on the vulnerabilities."
The update applies to version 10.3.4 of Mac OS X Panther, 10.2.8 of Mac OS X Jaguar and the server versions of each program.
IT security firm Secunia of Copenhagen, Denmark, issued an updated advisory on the security holes and fixes yesterday. The advisory, first released May 22, describes the vulnerabilities as "extremely critical" and said it had been confirmed on machines fully patched using fixes Apple had released earlier last month to address other holes.
Secunia outlined two ways a malicious Web site could execute code from a mounted disk image. First, a disk image or a volume (e.g. AFS, SMB, FTP or DAV) can register arbitrary URI handlers, so that code placed on the disk image runs when the URI is accessed. Second, a disk image or a volume can change an unused URI handler (e.g. TN3270) so that it executes code placed on the disk image when the URI is accessed. The advisory added that working exploits using the FTP protocol exist, that the AFS protocol also appears to be a likely attack vector, and that it may also be possible to use SSH to open a connection to a remote site, allowing that site to gain direct access to a vulnerable system.
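The condition Secunia describes, a URI scheme claimed by a handler whose bundle lives on a mounted volume rather than in a normal install location, can be audited from the handler registrations LaunchServices keeps. The following is an added example, not code from the article, Apple or Secunia; it assumes a simplified `lsregister -dump`-style record layout (one `path:` and one `claimed schemes:` line per `bundle` record), and both the trusted-root list and the sample dump are constructed for illustration.

```python
"""Added example: flag URI-scheme handlers that live on a mounted volume.

Assumed (not from the article): a simplified lsregister-dump style layout with
one `path:` and one `claimed schemes:` line per `bundle` record, the
TRUSTED_ROOTS list, and the constructed SAMPLE_DUMP below.
"""
import re

# A handler whose bundle lives outside these roots (e.g. under /Volumes/ on a
# disk image) matches the condition in the advisory: code on the image that
# runs when its claimed URI scheme is accessed.
TRUSTED_ROOTS = ("/System/", "/Applications/", "/Library/")

SAMPLE_DUMP = """\
bundle  id:             100
        path:           /Applications/Safari.app
        claimed schemes: http:, https:
bundle  id:             101
        path:           /Applications/Mail.app
        claimed schemes: mailto:
bundle  id:             102
        path:           /Volumes/Freeware/Helper.app
        claimed schemes: ftp:, afs:
bundle  id:             103
        path:           /Volumes/Freeware/Term.app
        claimed schemes: tn3270:
"""

def parse_dump(text):
    """Return (path, [schemes]) for every bundle record in the dump text."""
    records = []
    for block in re.split(r"^bundle\b", text, flags=re.M)[1:]:
        path = re.search(r"^\s*path:\s*(\S.*)$", block, re.M)
        claimed = re.search(r"^\s*claimed schemes:\s*(.*)$", block, re.M)
        if not path:
            continue  # a record without a path carries nothing to check
        schemes = claimed.group(1).split(",") if claimed else []
        schemes = [s.strip().rstrip(":") for s in schemes if s.strip()]
        records.append((path.group(1).strip(), schemes))
    return records

def suspicious_handlers(text):
    """Map each scheme claimed by a handler outside TRUSTED_ROOTS to its path."""
    flagged = {}
    for path, schemes in parse_dump(text):
        if not path.startswith(TRUSTED_ROOTS):
            for scheme in schemes:
                flagged[scheme] = path
    return flagged
```

On the sample dump, `suspicious_handlers` reports `ftp` and `afs` (claimed by Helper.app) and `tn3270` (claimed by Term.app), both on the mounted Freeware volume, while the http, https and mailto handlers in /Applications are left alone.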
The firm has been critical of Apple in the past for not responding quickly enough when vulnerabilities are brought to its attention, and for offering few details of the flaws when they are acknowledged. Thomas Kristensen, Secunia's chief technology officer, noted that the patch Apple released Monday is for security holes that were found back in February.
But he's encouraged by Apple's more recent efforts, and believes the company is starting to take security more seriously.
"The latest security update is better explained, has more detail and is a definite improvement," Kristensen said. "Their response time – a little more than two weeks since our last advisory – is much better."
Despite past criticisms, Bereskin said Mac OS X has racked up a successful security track record since its release three years ago. He noted that only 2% of the vulnerabilities announced in that time have been critical.
"We've taken many steps in the design to ensure security, and we're happy it has been successful to date," he said.