CNET también está disponible en español.

Ir a español

Don't show this again

Christmas Gift Guide
Security

Apple criticized for security advisories

A second researcher takes the Mac maker to task for not adequately labeling the seriousness of security flaws in its advisories.

A researcher has again taken Apple Computer to task for not adequately labeling the seriousness of the security flaws described in its advisories.

Patches for five vulnerabilities released Monday fix various components of the Mac OS X operating system. The greatest threat is a buffer overflow in the Apple file-sharing system that could allow a remote attacker to take over control of the system. But the company described it as a correction "to improve the handling of long passwords."


Get Up to Speed on...
Enterprise security
Get the latest headlines and
company-specific news in our
expanded GUTS section.


"They are not characterizing the issue so that people can make a security decision about it," said Chris Wysopal, vice president of research and development at @Stake, a digital security firm that found the flaw and reported it to Apple. "It seems they think that everyone will update their computers all the time, and that is not the way the world works."

Most security companies normally classify a remotely exploitable software flaw as a "critical" vulnerability.

Wysopal is the second researcher in a week to criticize Apple for downplaying the vulnerabilities in its system. eEye Digital Security, the company that found a flaw in Apple's QuickTime multimedia player in February, also claimed that Apple is not properly characterizing vulnerabilities.

Apple said the flaw in the QuickTime movie player for Mac OS X could cause the player to crash. "Playing a malformed .mov (movie) file could cause QuickTime to terminate," the company stated in an advisory it published late Friday afternoon.

However, eEye said a movie file could be created that would cause malicious code to execute when the user opened the file.

"We told them that if you are not able to execute code, then talk to us, so we can show you the issues," said Marc Maiffret, chief hacking officer at eEye.

An Apple representative could not be reached for comment.

Four flaws, including the flaw in the AppleFileServer, affect Mac OS X 10.2.8, also known as Jaguar. All five flaws affect Mac OS X 10.3.3, or Panther.