Apple issues patch for Mac OS X hole

Apple Computer releases a security update that, among other fixes, closes a hole in Mac OS X that could have allowed hackers to take control of a computer under particular circumstances.

Michael Kanellos Staff Writer, CNET News.com
Apple Computer has issued a security update that, among other fixes, closes a hole in Mac OS X that could have allowed hackers to take control of a computer under particular circumstances.


The patch, which the Cupertino, Calif.-based manufacturer released late Friday, essentially changes the default settings for connecting to a Dynamic Host Configuration Protocol (DHCP) server on Mac OS X 10.2.8 (aka "Jaguar"), Mac OS X 10.3.2 (aka "Panther") and the corresponding server versions of these operating systems.

A DHCP server assigns an IP address and related network settings to a computer. Under the earlier default settings, a Mac running one of the above-listed OSes would accept such configuration data from any DHCP server that answered on its local area network, with no way to tell a legitimate server from a rogue one.

If an attacker placed a malicious DHCP server on the local network, he or she could exploit Apple's earlier default setting to install malicious software on a Mac or use the machine as a drone in coordinated attacks on other systems.
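The rogue-server scenario above, as an added example that is not Apple's code and not from the original article: a small Python triage script that parses a DHCPOFFER, checks the server identifier (option 54) against an allowlist of known DHCP servers, and lists every configuration option an unexpected server tried to push to the client. The packet bytes and the allowlist are constructed for the demo; the option-code names come from RFC 2132.

```python
"""Rogue-DHCP triage: parse DHCPOFFER packets, flag offers from servers not on
an allowlist, and list every configuration option the server pushed.

Added example, not Apple's code and not from the original article. The packets
built by build_offer() are constructed sample input, and ALLOWED_SERVERS is an
assumed allowlist for the demo network.
"""
import ipaddress
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"      # marks the start of the options field
OFFER = 2                               # DHCP message type (option 53) for OFFER
# A few RFC 2132 option codes a client acts on once it accepts an offer.
OPTION_NAMES = {
    1: "subnet_mask", 3: "router", 6: "dns_server", 12: "hostname",
    15: "domain_name", 51: "lease_time", 53: "message_type",
    54: "server_identifier", 66: "tftp_server", 67: "bootfile",
}
# Assumption for the demo: the only sanctioned DHCP server on this LAN.
ALLOWED_SERVERS = {"192.168.1.1"}


def parse_dhcp(data: bytes) -> dict:
    """Return the fixed-header fields we need plus a {code: value} option map."""
    if len(data) < 240 or data[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message")
    # op, htype, hlen, hops, xid, secs, flags, ciaddr, yiaddr, siaddr, giaddr, chaddr
    (op, _htype, hlen, _hops, xid, _secs, _flags,
     _ciaddr, yiaddr, _siaddr, _giaddr, chaddr) = struct.unpack(
        "!BBBBIHH4s4s4s4s16s", data[:44])
    options = {}
    i = 240
    while i < len(data):
        code = data[i]
        if code == 0:               # PAD: single byte, no length
            i += 1
            continue
        if code == 255:             # END
            break
        length = data[i + 1]
        options[code] = data[i + 2:i + 2 + length]
        i += 2 + length
    return {
        "op": op,
        "xid": xid,
        "client_mac": chaddr[:hlen].hex(":"),
        "yiaddr": str(ipaddress.IPv4Address(yiaddr)),
        "options": options,
    }


def audit_offer(pkt: dict, allowed_servers: set):
    """Return a finding dict for an OFFER from an unlisted server, else None."""
    opts = pkt["options"]
    if opts.get(53) != bytes([OFFER]):
        return None                 # only OFFERs carry a lease to accept
    server = str(ipaddress.IPv4Address(opts.get(54, b"\0\0\0\0")))
    if server in allowed_servers:
        return None
    pushed = sorted(OPTION_NAMES.get(c, f"option_{c}")
                    for c in opts if c not in (53, 54))
    return {"server": server, "client_mac": pkt["client_mac"],
            "offered_ip": pkt["yiaddr"], "pushed": pushed}


def build_offer(server_ip: str, client_mac: bytes, yiaddr: str, extra: dict) -> bytes:
    """Construct a DHCPOFFER for the demo (sample input, not a captured packet)."""
    header = struct.pack(
        "!BBBBIHH4s4s4s4s16s64s128s",
        2, 1, 6, 0, 0x1234ABCD, 0, 0,
        b"\0" * 4, ipaddress.IPv4Address(yiaddr).packed,
        ipaddress.IPv4Address(server_ip).packed, b"\0" * 4,
        client_mac.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    opts = {53: bytes([OFFER]), 54: ipaddress.IPv4Address(server_ip).packed}
    opts.update(extra)
    body = b"".join(bytes([code, len(val)]) + val for code, val in opts.items())
    return header + MAGIC_COOKIE + body + b"\xff"


if __name__ == "__main__":
    mac = b"\xaa\xbb\xcc\xdd\xee\xff"
    legit = build_offer("192.168.1.1", mac, "192.168.1.50",
                        {1: b"\xff\xff\xff\0", 3: b"\xc0\xa8\x01\x01"})
    rogue = build_offer("192.168.1.66", mac, "192.168.1.50",
                        {3: b"\xc0\xa8\x01\x42", 6: b"\xc0\xa8\x01\x42",
                         15: b"corp.example"})
    for frame in (legit, rogue):
        finding = audit_offer(parse_dhcp(frame), ALLOWED_SERVERS)
        print(finding or "offer from sanctioned server")
```

The check keys on the server identifier rather than the source IP because a rogue server can spoof the latter; in practice you would feed the parser from a packet capture on UDP port 68 and alert on any finding, since a client that honours the first OFFER it hears will take whatever router, DNS and other settings that server supplies.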

An Apple representative said the probability of a hack occurring was low, because the hacker would have to be an insider.

But William Carrel, a Mac user who runs a Mac security site, said an outside hacker who broke into a corporate network could add a DHCP server to that network. At that point, the outsider could take complete control of unpatched desktops.


"Anyone who can gain access to your network can gain administrator (highest-level) access to your computer and therefore steal your data or launch attacks upon others, as soon as you reboot your machine," Carrel wrote on his site.

Carrel discovered the flaw in November.

Apple's security update also fixes a buffer overflow vulnerability in a file system component, plugs another vulnerability in Panther that could be used for denial-of-service attacks, and generally improves the security features of the affected OSes.

"This is a general security update," the Apple representative said. Apple credited Secure Network Operations for reporting the denial-of-service vulnerability.

Further information on the update and a link for downloading can be found at Apple's site.

In a lot of ways, 2003 was the year of the hole. Microsoft acknowledged 119 vulnerabilities this year in Windows--47 in Windows 2000, 46 in Windows XP and 26 in Windows 2000 Server--and issued 76 security updates, according to the company.

And Linux and Apple weren't being left out. Security experts found vulnerabilities, albeit far fewer, with those operating systems this year, too. The number of flaws found in Linux will likely increase as well, according to Symantec CEO John Thompson, among others, as the target base increases.

Apple also issued security updates for Panther and Jaguar in November, regarding other vulnerabilities.