Wednesday, February 22, 2006
News: More Apple Security Warnings...
I have a mixed feeling about all these recent Mac OS X security warnings. This latest one was classfied as "Extremely Critical" by Secunia.On the one hand I am glad that these security warning are being issued, as it points out that security on a Mac should be taken seriously. The Mac is not immune to attacks, assuming so is dangerous.
On the other hand I feel the latest string of secuirty reports have been a little over hyped. This latest "Extremely Critical" security hole allows arbitrary scripts to be downloaded and run automatically through Safari. The sample code provided was a text file renamed with '.mov' to look like a Quicktime movie; and the file was set to be executable. The command in the text file is then automatically decompressed and run by Safari when downloaded. On the surface it seems quite scary, but in reality it's somewhere in between. If the script tries to access some system resource that requires a higher security clearance, it would fail.
The sample code launches the Calculator.app normally; here I have changed the permissions to Calculator.app so that my user is not allowed to execute it:
You get a 'permissions denied' message. Yes it is a security hole in Safari, but I'm not sure it warrants an "Extremely Critical" label. It almost seems like there's been a concerted effort to discredit Mac OS X's security. Until now there still have not been any virii found in the wild for Mac OS X, and the closest thing found in the wild was 1 case of malware.
All in all, Mac OS X is still quite secure out of the box, and again if you follow basic security practices you'll be fine.
Article Link posted by Jambo Consulting at 1:54 PM
