Apple patches Mac OS X flaws

Mac maker fixes 10 vulnerabilities and offers a solution to a pernicious browser-based phishing threat.

Robert Lemos Staff Writer, CNET News.com
Robert Lemos
covers viruses, worms and other security threats.
Robert Lemos
2 min read
Apple Computer has released nearly a dozen fixes for flaws in its Mac OS operating system, including a script for preventing phishers from fooling users of its Safari browser.

The script, released Monday, tackles a pernicious phishing problem in browsers. The loophole could allow an attacker to use certain characters from different languages to create legitimate-looking Web addresses that actually send victims to malicious Web sites. The security problem affected all browsers that supported Internationalized Domain Names, or IDN, and is not Apple-specific.

Related feature
Have you been phished?
Check here to see whether an e-mail that appears to be from your bank or an online merchant is actually an attempt to defraud you.

"For example, the Cyrillic letter 'a' could be used in place of the Latin letter 'a,' making it difficult for a user to tell if they are at www.apple.com or a malicious imposter website that's designed to look like the real one," the company said in an advisory discussing the problem. "These sites can be used to collect account numbers, passwords and other personal information."

Other browsers affected by the IDN security issue include the Mozilla Foundation's Mozilla and Firefox, and Opera. Both Mozilla and Opera Software have issued fixes for the problem. Microsoft's Internet Explorer does not support IDN, so it is not vulnerable to such attacks. However, plug-ins that add IDN functionality to Internet Explorer do put it at risk.

The newly released patches take care of flaws in the Apple Filing Protocol server and the Samba filing-sharing server, as well as multiple issues with the Cyrus authentication software, Mailman, SquirrelMail and Cyrus mail software.

The patches can be downloaded from Apple's Web site or automatically installed via Apple's Software Update tool.