Another vulnerability in Mac OS X that could be exploited by malicious Web sites has been reported by IT security firm Secunia. The problem has been confirmed on machines fully patched using fixes Apple released last week to address two earlier holes.
The Copenhagen, Denmark-based company first issued an advisory on the new vulnerability May 22, calling it "extremely critical."
"It is still possible to execute arbitrary code on a vulnerable user's system, just as easy as before Apple issued Friday's security update for Mac OS X," said Niels Henrik Rasmussen, chief executive officer of Secunia. "What is really critical is the fact that Apple did not address the 'disk' URI vulnerability, which allows malicious Web sites to silently place code on a user's system."
Secunia has outlined two ways malicious Web sites could execute code from mounted disk images: A disk image or a volume (e.g. AFS, SMB, FTP or DAV) can register arbitrary URI handlers, which will execute code placed on the disk image when accessing the URI. Also, a disk image or a volume can change an unused URI handler (e.g. TN3270) to execute code placed on the disk image when accessing the URI.
The vulnerability has been confirmed on machines with Mac OS X versions 10.3.3 and 10.3.4 patched with the fixes in Security Update 2004-05-24 Apple released to address the "help" URI handler vulnerability.
Secunia said working exploits using the "FTP" protocol exist, but that the "AFS" protocol also seems to be a likely attack vector. It may also be possible to use "SSH" to open a connection to a remote site, allowing the remote site to gain direct access to a vulnerable system.
The core of the problem seems to be the design of URI handling in Mac OS X, the advisory said. It is likely that many other URI handlers are affected in various ways, it added.
The advisory said two steps can be taken to prevent malicious Web sites from placing code on a vulnerable system using the silent download, execution of "safe" files and "disk" URI methods. The first step is to uncheck open "safe" files after downloading. The second is to add a protocol helper application for "disk" and "disks." However, the steps do not prevent execution of code from already mounted images.
Secunia also recommended users stay away from "untrusted" Web sites and avoid surfing the Internet as a privileged user.
While Microsoft and other companies have learned the hard way that public backlash can be fierce when vulnerabilities aren't quickly and fully disclosed and fixes made available, Apple has not caught on, Rasmussen said,
"Microsoft and most Linux distributions have learned the lesson and properly describe the nature and the impact of (most) vulnerabilities, allowing their customers to properly estimate the severity of a fixed issue," he said. "This is not possible when reading an Apple update."
Apple had not returned a request for comment at the time of this writing.