After the patch, clicking on the link will trigger a warning and will no longer execute the malicious code automatically.
They just look at the icon, which can be the same typically used for innocent files," Lehn said.īefore Apple's fix, if a Mac OS X user were tricked into clicking on a malicious link via the Safari Web browser, the attacker's code would download and run automatically, without any warning. "While the Finder allows the user to find out that the file is an executable-with a right-click, for example-many users will not do that. However, it decides which application will handle the file based on information that is stored separately from the file, called metadata.Ī malicious file can be masked to look innocent-for example, like a JPEG image-yet it will run and execute when opened. The operating system assigns an identifying image, or icon, for a file based on the file extension. The unresolved vulnerability is due to a problem with the Mac OS Finder, the component of the operating system used to view and organize files, Lehn said. "Apple fixed the serious part very quick and that's good."
"In my opinion, it is better to release several security updates," he said. Lehn said it was good that Apple made the fix it did, even though it wasn't complete. Going by fan forum postings, many Apple customers believe their systems are impervious to cyberattacks.
Microsoft Windows users have grown accustomed to a seemingly incessant stream of computer worms, viruses and security vulnerabilities. "The fact that a script gets executed automatically had to be fixed immediately. "I think Apple did the right thing," said Lehn, who first disclosed the Mac OS X vulnerability. "The point of where people get the file is often through the browser and mail and instant messaging."Īpple's security fix is an important first step, said Michael Lehn, doctoral candidate and research assistant at the University of Ulm in Germany. "The tools most people use (now) have built-in validation for things before they even get to the desktop," Schiller said.
However, with its security update for Safari, Mail and iChat, Apple believes it cut off access for such Trojans. "There are Trojans in the world, I have yet to see a successful one on the Mac, but there are such things in the world as Trojans."
That's the definition of Trojans," Philip Schiller, Apple's senior vice president of worldwide product marketing, said in an interview. "It is definitely possible on the Mac and on any platform to create an application and try to pretend that it is something that its not.
Security experts urged users to disable this setting after initial details of the flaw were disclosed since it made users more vulnerable.ĬNET was alerted to the limitations of the patch by readers, who described themselves as "concerned Apple fans." Security experts confirmed the existence of an issue.Īpple acknowledged that, despite its patch, it is still possible to make a malicious file look innocent. Apple does not offer safeguards for those applications.Īlso, Safari won't display an alert for users who have disabled the "Open safe files after downloading" option in the Web browsers. However, the same is not true for other applications that let users receive files, such as the Firefox Web browser, Thunderbird e-mail client, Yahoo Messenger and LimeWire file-sharing tool. "If a user can be tricked into opening a file that looks like a picture, the user may actually be opening a malicious script."Īfter installing the Apple patch, Safari, Mail and iChat in most cases will display a warning when downloading a potentially malicious file. "While Apple added a checkpoint to the downloading and execution process, they did not eliminate this vulnerability," said Kevin Long, an analyst at security specialist Cybertrust and a Mac user for 11 years. It is now still possible for hackers to construct a file that appears to be a safe file type, such as an image or movie, but is actually an application, they said. Before that change, clicking on a link could have resulted in the automatic execution of code on a Mac.īut Apple failed to address a key part of the problem, the fix should be at a lower, operating system level, experts said. The function warns people that a download could be malicious when they click on the link.
The update added a function called "download validation" to the Safari Web browser, Apple Mail client and iChat instant messaging tool. The patch arrived after two weeks of intense scrutiny of the safety of OS X, prompted by the discovery of two worms, and the disclosure of a vulnerability that was deemed " extremely critical" by security monitoring company Secunia. The Mac maker released a security update for its operating system on Wednesday to plug 20 holes. An Apple Computer patch released last week doesn't completely fix a high-profile Mac OS X flaw, leaving a toehold for cyberattacks, experts said.