Apple Finally Patches OS X Flaw



Apple (Nasdaq: AAPL) released a security update late Monday that addresses vulnerabilities in Mac OS X's handling of Uniform Resource Identifiers (URIs). The company's patch, which works for both client and server versions of Mac OS 10.3.4 (the latest version of Panther) and Mac OS 10.2.8 (the latest version of Jaguar), is accessible either through OS X's Software Update or online at Apple's Web site.

The flaw, which affected Apple's Safari Web browser and the Mac version of Microsoft's (Nasdaq: MSFT) Internet Explorer Web browser, first became public last month, when Secunia, a Danish security firm, posted an advisory on the flaw [Blane Warrene, "OS Security Flaw Plagues Web Browsers," MacNewsWorld, May 19, 2004].

Lixlpixel, the German programmer who originally discovered the OS X flaw back in February, told MacNewsWorld Tuesday that he believes Apple has effectively resolved the issue and has learned from the incident.

"The [Apple Knowledge Base] article, which is about the new update, does explain the problem very [well] and is way better than anything previously released," he said.

Apple Makes Users 'Safe Again'

Web browsers acted as the primary conduit through which malicious attacks could be executed against Mac OS X systems. Disk image files (.dmg), volumes accessing files through AppleTalk filing protocol (AFP), file transfer protocol (FTP) and other URI handlers offered those with nefarious intent access into a Mac.

A URI is a string of characters, such as "ftp:" or "http:", that points the browser window to the proper resource. Apple's Knowledge Base article discussed features that allow for automatic mounting of disk images and execution of their contents.

Secunia was unavailable for comment. However, the firm has updated the advisory on its Web site, writing that "Apple has issued Security Update 2004-06-07, which addresses the vulnerability by presenting users with a dialog box the first time a file is launched automatically."

For his part, lixlpixel seemed satisfied with the outcome.

"I just installed the new security update from Apple -- seems like this story is finally over now and everybody is safe again," he said.

Lessons Learned

Gartner (NYSE: IT) analyst Richard Stiennon said Apple could take a page from other operating system manufacturers in addressing security.

"They can really watch Microsoft, which has been through it all," he told MacNewsWorld. "They also need to reach out to the discoverers of these vulnerabilities."

Stiennon believes that if Apple could build a rapport with the Mac community, the company would be able to identify and address a given vulnerability more effectively and have patches ready when the vulnerability is made public.

"The risk is in the public exposure of the vulnerability," he said.

At the same time, Stiennon said that OS X's underlying Unix architecture is simply more difficult to attack than Windows.

"Apple has a more securable platform. There are fewer entrance points for attacks," Stiennon said.

"If the tables were turned, and Apple had 97 percent market share, [OS X] would still be more secure," Stiennon argued.

Still, Stiennon thinks Apple needs to concentrate more on the sorts of worms that can take advantage of vulnerabilities than on the vulnerabilities themselves.


More by Blane Warrene