Apple patches critical Mac OS X hole

'Theoretical vulnerability'


Apple Computer on Friday (21 May) issued a patch for a security hole in Mac OS X that could have allowed hackers to take over vulnerable machines, but the company went out of its way to downplay the importance of the bug.

The vulnerability in the operating system's Help View application allows attackers to craft a special URL that will execute any application, command or script on the victim's computer. To be hit by the bug, a user would have to visit a malicious website, or be lured by e-mail into following the URL. The bug works on most browsers, including Internet Explorer for Mac, Mozilla and Apple's Safari.

The hole was discovered by a German techie called "Lixlpixel," who claims to have reported the bug to Apple on February 23rd. It wasn't until nearly three months passed without any response from the Cupertino, Calif. computer maker that Lixlpixel went public with the hole, when discussions about it began showing up in online forums, he says. Security services firm Secunia confirmed the vulnerability and released a formal advisory on Monday. Secunia rates the bug "extremely critical."

In a statement issued along with the patch Friday, Apple called the hole a "theoretical vulnerability" that never placed customers at risk.

"Apple takes security very seriously and works quickly to address potential threats as we learn of them -- in this case, before there was any actual risk to our customers," said Apple's senior vice president Philip Schiller. "While no operating system can be completely immune from all security issues, Mac OS X's UNIX-based architecture has so far turned out to be much better than most."

The bug is easy to use, and benign demonstration scripts are freely available online. But Lixlpixel said in an email interview he's not aware of anyone having wielded it maliciously. "As far as I know there is not one single report of an exploit," he wrote.

Mac OS X users can install the patch through Apple's Software Update service, or through Apple's support website.

Copyright © 2004, SecurityFocus logo

Related stories

Windows-style security hell stalks Mac OS X? Yeah, you wish
Vuln exposes soft underbelly of Mac OS X
Buggy software on the rise


Other stories you might like

  • Cheers ransomware hits VMware ESXi systems
    Now we can say extortionware has jumped the shark

    Another ransomware strain is targeting VMware ESXi servers, which have been the focus of extortionists and other miscreants in recent months.

    ESXi, a bare-metal hypervisor used by a broad range of organizations throughout the world, has become the target of such ransomware families as LockBit, Hive, and RansomEXX. The ubiquitous use of the technology, and the size of some companies that use it has made it an efficient way for crooks to infect large numbers of virtualized systems and connected devices and equipment, according to researchers with Trend Micro.

    "ESXi is widely used in enterprise settings for server virtualization," Trend Micro noted in a write-up this week. "It is therefore a popular target for ransomware attacks … Compromising ESXi servers has been a scheme used by some notorious cybercriminal groups because it is a means to swiftly spread the ransomware to many devices."

    Continue reading
  • Twitter founder Dorsey beats hasty retweet from the board
    As shareholders sue the social network amid Elon Musk's takeover scramble

    Twitter has officially entered the post-Dorsey age: its founder and two-time CEO's board term expired Wednesday, marking the first time the social media company hasn't had him around in some capacity.

    Jack Dorsey announced his resignation as Twitter chief exec in November 2021, and passed the baton to Parag Agrawal while remaining on the board. Now that board term has ended, and Dorsey has stepped down as expected. Agrawal has taken Dorsey's board seat; Salesforce co-CEO Bret Taylor has assumed the role of Twitter's board chair. 

    In his resignation announcement, Dorsey – who co-founded and is CEO of Block (formerly Square) – said having founders leading the companies they created can be severely limiting for an organization and can serve as a single point of failure. "I believe it's critical a company can stand on its own, free of its founder's influence or direction," Dorsey said. He didn't respond to a request for further comment today. 

    Continue reading
  • Snowflake stock drops as some top customers cut usage
    You might say its valuation is melting away

    IPO darling Snowflake's share price took a beating in an already bearish market for tech stocks after filing weaker than expected financial guidance amid a slowdown in orders from some of its largest customers.

    For its first quarter of fiscal 2023, ended April 30, Snowflake's revenue grew 85 percent year-on-year to $422.4 million. The company made an operating loss of $188.8 million, albeit down from $205.6 million a year ago.

    Although surpassing revenue expectations, the cloud-based data warehousing business saw its valuation tumble 16 percent in extended trading on Wednesday. Its stock price dived from $133 apiece to $117 in after-hours trading, and today is cruising back at $127. That stumble arrived amid a general tech stock sell-off some observers said was overdue.

    Continue reading

Biting the hand that feeds IT © 1998–2022