Mac OS X patch faces scrutiny

Experts say Apple patch doesn't completely fix security flaw, leaving toehold for cyberattacks.

Joris Evers Staff Writer, CNET News.com
Joris Evers covers security.
Joris Evers
6 min read
An Apple Computer patch released last week doesn't completely fix a high-profile Mac OS X flaw, leaving a toehold for cyberattacks, experts said.

The Mac maker released a security update for its operating system on Wednesday to plug 20 holes. The patch arrived after two weeks of intense scrutiny of the safety of OS X, prompted by the discovery of two worms, and the disclosure of a vulnerability that was deemed "extremely critical" by security monitoring company Secunia.

The update added a function called "download validation" to the Safari Web browser, Apple Mail client and iChat instant messaging tool. The function warns people that a download could be malicious when they click on the link. Before that change, clicking on a link could have resulted in the automatic execution of code on a Mac.

But Apple failed to address a key part of the problem, the fix should be at a lower, operating system level, experts said. It is now still possible for hackers to construct a file that appears to be a safe file type, such as an image or movie, but is actually an application, they said.

"While Apple added a checkpoint to the downloading and execution process, they did not eliminate this vulnerability," said Kevin Long, an analyst at security specialist Cybertrust and a Mac user for 11 years. "If a user can be tricked into opening a file that looks like a picture, the user may actually be opening a malicious script."

After installing the Apple patch, Safari, Mail and iChat in most cases will display a warning when downloading a potentially malicious file. However, the same is not true for other applications that let users receive files, such as the Firefox Web browser, Thunderbird e-mail client, Yahoo Messenger and LimeWire file-sharing tool. Apple does not offer safeguards for those applications.

Also, Safari won't display an alert for users who have disabled the "Open safe files after downloading" option in the Web browsers. Security experts urged users to disable this setting after initial details of the flaw were disclosed since it made users more vulnerable.

CNET News.com was alerted to the limitations of the patch by readers, who described themselves as "concerned Apple fans." Security experts confirmed the existence of an issue.

Apple acknowledged that, despite its patch, it is still possible to make a malicious file look innocent.

"It is definitely possible on the Mac and on any platform to create an application and try to pretend that it is something that its not. That's the definition of Trojans," Philip Schiller, Apple's senior vice president of worldwide product marketing, said in an interview. "There are Trojans in the world, I have yet to see a successful one on the Mac, but there are such things in the world as Trojans."

However, with its security update for Safari, Mail and iChat, Apple believes it cut off access for such Trojans. "The tools most people use (now) have built-in validation for things before they even get to the desktop," Schiller said. "The point of where people get the file is often through the browser and mail and instant messaging."

Apple's security fix is an important first step, said Michael Lehn, doctoral candidate and research assistant at the University of Ulm in Germany.

"I think Apple did the right thing," said Lehn, who first disclosed the Mac OS X vulnerability. "The fact that a script gets executed automatically had to be fixed immediately. They just have to go further."

Microsoft Windows users have grown accustomed to a seemingly incessant stream of computer worms, viruses and security vulnerabilities. The same is not true for Mac owners. Going by fan forum postings, many Apple customers believe their systems are impervious to cyberattacks.

Lehn said it was good that Apple made the fix it did, even though it wasn't complete. "In my opinion, it is better to release several security updates," he said. "Apple fixed the serious part very quick and that's good."

The unresolved vulnerability is due to a problem with the Mac OS Finder, the component of the operating system used to view and organize files, Lehn said. The operating system assigns an identifying image, or icon, for a file based on the file extension. However, it decides which application will handle the file based on information that is stored separately from the file, called metadata.

A malicious file can be masked to look innocent--for example, like a JPEG image--yet it will run and execute when opened.

"While the Finder allows the user to find out that the file is an executable--with a right-click, for example--many users will not do that. They just look at the icon, which can be the same typically used for innocent files," Lehn said.

Before Apple's fix, if a Mac OS X user were tricked into clicking on a malicious link via the Safari Web browser, the attacker's code would download and run automatically, without any warning. After the patch, clicking on the link will trigger a warning and will no longer execute the malicious code automatically.

However, because Apple hasn't addressed the problem in full, if an attacker were able to trick a user into downloading a malicious file, that file can still be masked as an innocent file. By pulling this Trojan horse-style trick, a user might believe he is getting a movie or an image, but running it could wipe all user data on the hard drive, for example.

Cybertrust's Long sounded a note of restraint about the risk posed by the remaining problem. "It's true that this security update does not translate into Macs that are invulnerable," Long said. "However, Apple has put some things in place to assist users in detecting questionable files...there's no need to freak out about this."

Apple knows about the issue with the icons, Lehn said. He and other security researchers have alerted the Cupertino, Calif.-based company, he noted.

Apple is thankful for the feedback, Schiller said. The company recognizes that adding more validation, perhaps at a deeper level in the operating system, could help protect users of applications other than Safari, Mail and iChat.

"If the method we use works for most people most of the time and some people use some other tools and would like to have some more support for validation, we think that's good feedback we'll consider for the future," he said. "We always try to make this better and stronger."

This vulnerability has actually existed for years in Mac OS, Long said. If attackers really were targeting Mac users, numerous examples of malicious code taking advantage of the flaw would be in circulation. "In fact, that is not the case," he said. "While it can be a factor in a system being compromised, this vulnerability by itself does not justify panic."

CNET News.com reader Eric also pointed out that the problem has nagged Apple for years, yet it has not been fixed. "This vulnerability derives from the exact same flaw deep inside the OS that should have been addressed by Apple several times in the past two years," wrote Eric, who asked for his last name not to be used.

The issue is similar, Eric wrote, to problems Apple had with the security of its Widgets, or small programs that were introduced in Tiger for the Dashboard. Before a security patch in May last year, widgets would download and install without warning.

One factor that makes addressing the remaining flaw important is that people aren't always as wary as they should be online. Computer users tend to click through warnings, eager to get the promised content.

"The only thing that the update does is update Safari and Mail to provide the user a warning before downloading the file," Eric wrote. "But this message is so vague and redundant for all downloads...It's second nature for any and all users to simply click 'continue.'"

Such security issues are, of course, not exclusive to the Mac. If a user can be tricked into downloading and opening a file, that user's system can be compromised. "This is true regardless of the operating system being used. It is a universal vulnerability," Long said.