An Apple Computer patch released last week doesn't completely fix a high-profile Mac OS X flaw, leaving a toehold for cyberattacks, experts said.
The Mac maker released a security update for its operating system on Wednesday to plug 20 holes. The patch arrived after two weeks of intense scrutiny of the safety of OS X, prompted by the discovery of two worms, and the disclosure of a vulnerability that was deemed "extremely critical" by security monitoring company Secunia.
The update added a function called "download validation" to the Safari Web browser, Apple Mail client and iChat instant messaging tool. The function warns people that a download could be malicious when they click on the link. Before that change, clicking on a link could have resulted in the automatic execution of code on a Mac.
But Apple failed to address a key part of the problem, the fix should be at a lower, operating system level, experts said. It is now still possible for hackers to construct a file that appears to be a safe file type, such as an image or movie, but is actually an application, they said.
"While Apple added a checkpoint to the downloading and execution process, they did not eliminate this vulnerability," said Kevin Long, an analyst at security specialist Cybertrust and a Mac user for 11 years. "If a user can be tricked into opening a file that looks like a picture, the user may actually be opening a malicious script."
After installing the Apple patch, Safari, Mail and iChat in most cases will display a warning when downloading a potentially malicious file. However, the same is not true for other applications that let users receive files, such as the Firefox Web browser, Thunderbird e-mail client, Yahoo Messenger and LimeWire file-sharing tool. Apple does not offer safeguards for those applications.
Also, Safari won't display an alert for users who have disabled the "Open safe files after downloading" option in the Web browsers. Security experts urged users to disable this setting after initial details of the flaw were disclosed since it made users more vulnerable.
CNET News.com was alerted to the limitations of the patch by readers, who described themselves as "concerned Apple fans." Security experts confirmed the existence of an issue.
Apple acknowledged that, despite its patch, it is still possible to make a malicious file look innocent.
"It is definitely possible on the Mac and on any platform to create an application and try to pretend that it is something that its not. That's the definition of Trojans," Philip Schiller, Apple's senior vice president of worldwide product marketing, said in an interview. "There are Trojans in the world, I have yet to see a successful one on the Mac, but there are such things in the world as Trojans."
However, with its security update for Safari, Mail and iChat, Apple believes it cut off access for such Trojans. "The tools most people use (now) have built-in validation for things before they even get to the desktop," Schiller said. "The point of where people get the file is often through the browser and mail and instant messaging."
Apple's security fix is an important first step, said Michael Lehn, doctoral candidate and research assistant at the University of Ulm in Germany.
"I think Apple did the right thing," said Lehn, who first disclosed the Mac OS X vulnerability. "The fact that a script gets executed automatically had to be fixed immediately. They just have to go further."
Microsoft Windows users have grown accustomed to a seemingly incessant stream of computer worms, viruses and security vulnerabilities. The same is not true for Mac owners. Going by fan forum postings, many Apple customers believe their systems are impervious to cyberattacks.
Lehn said it was good that Apple made the fix it did, even though it wasn't complete. "In my opinion, it is better to release several security updates," he said. "Apple fixed the serious part very quick and that's good."
The unresolved vulnerability is due to a problem with the Mac OS Finder, the component of the operating system used to view and organize files, Lehn said. The operating system assigns an identifying image, or icon, for a file based on the file extension. However, it decides which application will handle the file based on information that is stored separately from the file, called metadata.
Play video
There are currently no comments for this post.