
Apple criticized for security advisories

A second researcher takes the Mac maker to task for not adequately labeling the seriousness of security flaws in its advisories.

Robert Lemos, Staff Writer, CNET News.com
A researcher has again taken Apple Computer to task for not adequately labeling the seriousness of the security flaws described in its advisories.

Patches for five vulnerabilities released Monday fix various components of the Mac OS X operating system. The greatest threat is a buffer overflow in the Apple file-sharing system that could allow a remote attacker to take control of the system. But the company described it only as a correction "to improve the handling of long passwords."


"They are not characterizing the issue so that people can make a security decision about it," said Chris Wysopal, vice president of research and development at @Stake, a digital security firm that found the flaw and reported it to Apple. "It seems they think that everyone will update their computers all the time, and that is not the way the world works."

Most security companies normally classify a remotely exploitable software flaw as a "critical" vulnerability.

Wysopal is the second researcher in a week to criticize Apple for downplaying the vulnerabilities in its system. eEye Digital Security, the company that found a flaw in Apple's QuickTime multimedia player in February, also claimed that Apple is not properly characterizing vulnerabilities.

Apple said the flaw in the QuickTime movie player for Mac OS X could cause the player to crash. "Playing a malformed .mov (movie) file could cause QuickTime to terminate," the company stated in an advisory it published late Friday afternoon.

However, eEye said a movie file could be created that would cause malicious code to execute when the user opened the file.

"We told them that if you are not able to execute code, then talk to us, so we can show you the issues," said Marc Maiffret, chief hacking officer at eEye.

An Apple representative could not be reached for comment.

Four flaws, including the flaw in the AppleFileServer, affect Mac OS X 10.2.8, also known as Jaguar. All five flaws affect Mac OS X 10.3.3, or Panther.