Unpatched Mac OS X/Safari Security Flaws (Updated)

CNet News.com reports on recent unpatched security vulnerabilities in Apple's Mac OS X and Safari web browser. The vulnerabilities, the most severe of which could let a would-be attacker run malicious code on a user's Mac, are under investigation by Apple.

Reported security vulnerabilities, even unpatched ones, are nothing new. What may be of interest, however, is that five of the flaws identified were associated with the way OS X handles image data. Image handling appears to be a recurring security issue for Apple, as 10.4.6 recently patched an issue where a malformed .tiff image file could crash applications like Preview, Finder, QuickTime, and Safari.

Update: Many users have pointed out a new CNN article describing the state of Macintosh security. Despite its high profile, the article offers little new information and simply discusses the above information and the Leap.A virus which was released earlier this year (via MacForums).

One note of interest is that apparently the above security vulnerabilities were first reported to Apple by Tom Ferris in January and February of this year.

Ferris said he warned Apple of the vulnerabilities in January and February and that the company has yet to patch the holes, prompting him to compare the Cupertino-based computer maker to Microsoft three years ago, when the world's largest software company was criticized for being slow to respond to weaknesses in its products.

"They didn't know how to deal with security, and I think Apple is in the same situation now," said Ferris, himself a Mac user.

Top Rated Comments

76 months ago
Look for a Security Update soon! Apple seems to do a good job keeping up with these problems. Ideally, they wouldn't happen in the first place, but a prompt response is the next best thing.

In the meantime, workarounds would be nice to know, other than general advice not to click to view a .mov file unless you trust the source.
Rating: 0 Positives / 0 Negatives
76 months ago
I'm glad people are digging up issues that need to be brought to Apple's attention.

Some perspective:

Windows XP Home:
http://secunia.com/product/16
23 out of 116 advisories, rated up to Highly Critical, are marked as unpatched by Secunia.

XP Professional:
http://secunia.com/product/22
27 out of 131 advisories, rated up to Highly Critical, are marked as unpatched.

Internet Explorer 6.x:
http://secunia.com/product/11
19 out of 99 advisories, rated up to Moderately Critical, are marked as unpatched.

Safari 2.x:
http://secunia.com/product/5289
1 out of 3 advisories, rated up to Not Critical, are marked as unpatched.

Mac OS X:
http://secunia.com/product/96
1 out of 69 advisories, rated up to Highly Critical, are marked as unpatched.

Let's get that zero back ASAP! :)
Rating: 0 Positives / 0 Negatives
76 months ago
Wait, your perspective is limited to Microsoft? :D

FreeBSD 6.x: 12 advisories, unpatched zero

Ubuntu 5.0.4: 137 advisories, unpatched zero

Ubuntu 5.10: 42 advisories, unpatched zero

Suse 9.3: 85 advisories, unpatched zero

RedHat 9: 99 advisories, unpatched one (rated not critical)
Rating: 0 Positives / 0 Negatives
76 months ago
This may sound awful, but I hope at some point a major Mac virus does happen, just so that those who currently do not take the issue seriously, largely because it hasn't happened yet, start taking it seriously.

The Mac's major reason for not getting many viruses and worms is that the low market share means that any "Mac-only" malware of this type would end up hitting 20 times as many Windows PCs as it would Macs, and that would raise flags before the virus could do any significant damage, especially as those Windows PCs wouldn't pass the virus on.

There have been security holes in Mac OS X in the past, and there no doubt will be more in the future. Unless they want to rewrite OS X in Java or managed .NET, I don't see how they can avoid the obvious ones, and there are the subtle higher-level ones too that a Java rewrite wouldn't fix, such as the whole "If you send Safari a .zip, it'll download and extract, implicitly installing any application in the .zip, without the user being involved at all" thing. And, as a million email worms testify, or unsigned ActiveX malware installers also point out, social engineering will defeat virtually every technical measure.

Vigilance people, it's needed on the Mac as it is everywhere else.
Rating: 0 Positives / 0 Negatives
76 months ago

This may sound awful, but I hope at some point a major Mac virus does happen, just so that those who currently do not take the issue seriously, largely because it hasn't happened yet, start taking it seriously.


I agree. I'd like to think of it as inoculating Mac users to the idea that safe computing extends beyond just what OS you run.
Rating: 0 Positives / 0 Negatives
76 months ago

The Mac's major reason for not getting many viruses and worms is that the low market share means that any "Mac-only" malware of this type would end up hitting 20 times as many Windows PCs as it would Macs, and that would raise flags before the virus could do any significant damage, especially as those Windows PCs wouldn't pass the virus on.

You can define "major" any way you want, but what you say is a big and VERY helpful factor, in addition to the other big factor: better (and less bloated) OS design vs. Windows.

And neither of these factors is going to change in the foreseeable future :) The reasons for our safety run deep.

Anyway, I can't go along with "there's never been a fire, but I hope there IS one and people get hurt, so that people learn to fear fire! Otherwise people might get hurt in fires!"
Rating: 0 Positives / 0 Negatives
76 months ago
I will agree to the previous comments regarding the naiveté of most Mac OS users when it comes to the prospect of trojans, malware, and viruses. A good, healthy wake up call would certainly snap most into reality, and humble the zeal a little. Don't get me wrong. I love the fact that my Mac has little threat at the moment and will revel in it for as long as it lasts. But, I also know that any system, ANY SYSTEM, attached to the network is vulnerable to compromise. A good bit of preparedness, i.e., back your data up regularly, use the firewall, etc., will keep you out of a horrible situation.

The particular post about the malformed TIFF issue is really a bit silly. I wouldn't call it a security concern, more of a bug. I can think of several malformed file formats that can cause application crashes. I wouldn't categorize an application crash as a security threat unless it opened a back door of some kind into the system, like a buffer overflow can create a vulnerability. Just seems a bit alarmist to me having read the information about it.
Rating: 0 Positives / 0 Negatives
76 months ago
Does anybody else but me sometimes have pop-up blocker malfunctions? Like certain websites have ads that will always pop up even though the block pop-up windows option is checked.
Rating: 0 Positives / 0 Negatives
76 months ago

Does anybody else but me sometimes have pop-up blocker malfunctions? Like certain websites have ads that will always pop up even though the block pop-up windows option is checked.

Yes, ad companies will always be looking for ways around the blockers :o

Re people who want a Mac virus "for a good cause"... here are two scenarios:

1. There is one day a big Mac virus attack, as you wish.

2. There never is.

If the only reason to wish for #1 is... to be prepared for #1, then that's circular reasoning. Better to hope for #2.

People are free to want #1 for emotional reasons though :)
Rating: 0 Positives / 0 Negatives
76 months ago
Just wondering-

Does this also indicate a similar flaw in Konqueror on Linux?

:confused:
Rating: 0 Positives / 0 Negatives