Apple Releases Patch for OS X Security Gaps

Apple (Nasdaq: AAPL) has responded to a series of security threats, including a vulnerability that might have granted would-be attackers root access and total control over systems running Mac OS X 10.3.2 and earlier versions.

That Directory Services vulnerability, patched along with other holes in a security update available from Apple, is mitigated by the fact that Apple's operating system is not heavily targeted. The number of affected Mac users pales in comparison with the number of systems that are vulnerable in the wake of an announced Windows security flaw.

However, the vulnerability does illustrate that as Apple has moved to the BSD Unix-based Mac OS X, the company also has opened the door to the possibility of introducing new security holes and attacks, iDefense malicious code intelligence manager Ken Dunham told TechNewsWorld.

"As they move into the server market and the more they are taking advantage of a common OS, if they loosen up and start incorporating other things out there, they're going to be vulnerable," Dunham said.

Dangerous Default Effect

Considered the most critical of the holes addressed in Apple's most recent security update for OS X, the Directory Services vulnerability -- found and detailed by OS X user William Carrell -- is basically "a series of seemingly innocuous default settings that can cause an affected Mac OS X machine to trust a malicious machine on a network for user, group, and volume mounting settings," Carrell wrote in an advisory on the matter.

"Anyone who can gain access to your network can gain administrator access to your computer and therefore steal your data or launch attacks upon others as soon as you reboot your machine," Carrell wrote. The issue was announced October 9th, when Apple was also notified of the security hole.

Before Apple made the patch available December 19th, administrators and other users were warned to use workarounds to keep from falling under attack.

Macs in the Breeze?

Explaining why he reported the vulnerability and published an advisory on it before Apple's patch was released, Carrell said he had already given the Cupertino, California-based company a deadline that had passed and felt he was being "strung along."

"It would not be fair of me to let Mac users hang out in the breeze for more than two months on an issue of this magnitude," Carrell wrote. He added that rediscovery of the issue and exploitation was fairly likely, "and maybe by someone less scrupulous than myself."

Bigger Bite of Apple

Dunham downplayed the significance of the Apple security issues, primarily because exploitation of the most serious vulnerability requires the user to reboot the targeted machine. He also said he does not see the Mac as a primary attack target.

"There's a lot more fish to fry and easy pickings on the PC side," Dunham said, adding that there is not a lot of exploit code for Macs.

However, the security analyst added that he expects to see more vulnerabilities and more documented attacks against Mac OS X as the operating system becomes more popular and more widely used.

"There's just no way around it," he said, also referring to the default trust of network information that was the basis of the recent hole.

Lessons from Microsoft

Dunham said that while Microsoft (Nasdaq: MSFT) must assume the position of top target as part and parcel of being at the top of the market, Apple has a chance to learn from the Redmond, Washington-based company's painful security lessons. Those include the necessity for proactive security in the development process, giving security priority over new features, and not sacrificing security to meet ship dates and achieve speed-to-market.

"These are all questions Microsoft has to assume every day -- somebody is attacking them every day from a security perspective," Dunham said.

"Apple or any other vendor has to ask, 'As we go forward, how important is security?'" he added. "They will have attacks, they will have vulnerabilities -- that's the nature of software development."