02:11 PM

Mac OS X Vulnerable To Unpatched Bugs

Security researchers have disclosed flaws in the Mac OS X operating system that allow attackers to crash the computer and possibly hijack it.

Security researchers have disclosed flaws in Apple Computer's Mac OS X operating system that allow attackers to crash the computer and possibly hijack it. Although some experts pegged the bugs as serious, others downplayed the threat.

On Monday, the "Month of Kernel Bugs" project, a month-long disclosure of operating system flaws, announced that a bug in Mac OS X's processing of DMG files -- disk images typically used to distribute software for the Mac -- could be exploited to crash a target machine. There also was the possibility that attackers could introduce additional malicious code to the compromised system to, for example, snatch control from its legitimate user.

Tuesday, the kernel bug campaign posted another Mac OS X flaw; the second bug, which also can be exploited via a malformed DMG file, involves how the operating system handles bad sectors in a disk image. A crash would be the likely result, said the online description of the flaw.

The bugs are more serious than other Mac vulnerabilities made public recently, said Symantec's Oliver Friedrichs, the director of the Cupertino, Calif., security company's security response team. "This is likely more serious because it is exploitable through the Safari browser," said Friedrichs. "Whenever there's a vulnerability in the browser, [hackers] exploit it rather quickly."

Mac users running Apple's Safari Web browser are in danger because by default the application will automatically open any downloaded DMG file. Attackers would need to entice users to a malicious Web site and convince them to download a file, however.

Danish bug tracker Secunia rated the Monday vulnerability as "Highly critical," but Friedrichs didn't think there was much cause for alarm. "We're seeing more Mac vulnerabilities, but we don't yet see active exploits. Mac users still have the luxury of not being targeted by hackers."

That pattern is often cited by Mac defenders, who admit the operating system has vulnerabilities. But they note that attackers rarely follow up with actual in-the-wild threats.

Friedrichs agreed with that position, but reminded Mac users that an exploit could appear at any time. "Mac users have a false sense of security," he said. "There's no guarantee that this will not be exploited, or even seen in targeted attacks."

Safari users can protect themselves by disabling the automatic opening of downloaded files. To turn off the feature, users should select File|Preferences, then under the General tab clear the box marked "Open 'safe' files after downloading."
