Apple patches 'critical' OS X flaw

A combination of holes disclosed by security researchers last month could have allowed an attacker to take over a vulnerable Macintosh, though no such exploits have been reported. Apple issued a partial fix last month, but security researchers had said that the Mac remained open to attack.

		Get Up to Speed on... Enterprise security Get the latest headlines and company-specific news in our expanded GUTS section.

Apple executives had earlier pledged to release a more complete patch, calling the flaw the first critical security issue since Mac OS X was released three years ago.

Apple said that creating the alert dialog box was the best way to prevent a malicious attack, while still preserving a popular feature of the operating system--the ability to open one program via a link from within another program. That feature allows one to send an e-mail directly through a link in a Web page, for instance.

"We believe we found a very good simple change in a core service that prevents these unwanted risks," Apple senior vice president Phil Schiller said on Monday. "This update, to the best of our knowledge, should close off the critical risk."

The patch, which was made available via Mac OS X's Software Update, attempts to prevent such problems by warning users when a program is being launched via the Internet that has not previously been run on the system. Apple also took other steps in Mac OS X and the Safari Web browser to try to keep unintended applications or files from being opened. Apple said the update is being made available for those running version 10.3.4 of Mac OS X Panther and version 10.2.8 of Mac OS X Jaguar, as well as the corresponding server versions.

Apple is still investigating whether the flaw exists in earlier versions of the Mac OS, and Schiller said it is "too soon to tell" whether Apple will fix it in other versions.