Unpatched Mac flaws may put users at risk
Security researcher publishes details of several unpatched, potentially serious flaws in OS X. Apple plans patch.
Tom Ferris, a security researcher in Mission Viejo, Calif., published late on Thursday information on seven flaws in Apple's operating system that potentially put Mac users at risk of a cyberattack. The most serious of the flaws could let attackers surreptitiously run malicious code on users' PCs, Ferris said in an interview via instant messaging.
"We're in the process of investigating and addressing them," Bud Tribble, Apple's vice president of software technology, told CNET News.com. "I think it is important to note that although these are potential vulnerabilities, there are no known exploits to them and they are not affecting customers today."
Five of the flaws identified by Ferris relate to how Mac OS handles various image file formats--including BMP, TIFF and GIF, according to his security advisories. Another flaw involves the way OS X decompresses Zip archives. Additionally, Ferris claims to have found several bugs in Apple's Safari browser.
"The image flaws are the scariest ones, giving an attacker multiple methods of compromising a host," Ferris said. "They can be exploited to execute arbitrary code very easily and were not hard to find."
Apple silently fixed one of the flaws related to the handling of TIFF image files in update 10.4.6, Ferris said. The other bugs remain unpatched, he said, adding that he reported the issues to Apple earlier this year.
Apple believes the public disclosure of security flaws doesn't help anyone, a position shared by most software makers. "We don't feel that our customers are better served by public disclosure of potential issues," Tribble said. "We think that in the general case, people who need to know about issues are the ones that can actually fix the bugs."
Ferris in the past has released information on flaws in several Apple products, including iTunes and QuickTime, as well as the Firefox Web browser, before an official patch was made available.
Security monitoring companies Secunia and the French Security Incident Response Team, or FrSIRT, deem the latest Mac OS X issues "highly critical" and "critical," respectively.
"Multiple vulnerabilities have been identified in Apple Mac OS X, which could be exploited by attackers to execute arbitrary commands or cause a denial of service," Secunia said in an advisory. To protect against attacks, the company recommends not surfing to untrusted Web sites and not opening suspect Zip archives or images.
Apple expects to address the issues in an upcoming security update but could not say when that fix might be released. "Our target is to do it promptly," Tribble said. "How quickly that can be done depends on a lot of variables, in terms of how much information we get and how complex the things are to address."