About | ACP | Buy | Forum | Industry Watch | Learning Curve | Search | Twitter | Xnews
Home » Industry Watch

OS X: Still Not WYSIWYG

Apple release their second security patch for Tiger.


Apple have released their second security update for OS X 10.4 Tiger less than two weeks after the first. Although many issues were addressed in both updates, most eyes were on what the Cupertino company were going to do about the holes exposed by the recent Oompa Loompa, Inqtana, and Heise exploits.

The patch is a 13.9 MB download and all told addresses issues in apache_mod_php, CoreTypes, LaunchServices, Mail, rsync, and Safari - as well as issues covered in the previous patch from 1 March.

It's the patches for CoreTypes, LaunchServices, Mail, and Safari people are most interested in. And from the looks of it, OS X is still not 'WYSIWYG' - what users see is still not what they get.

Mail

CVE-ID: CVE-2006-0396

Available for: Mac OS X v10.4.5, Mac OS X Server v10.4.5

Impact: Double-clicking an attachment in Mail may result in arbitrary code execution

Safari, LaunchServices, CoreTypes

CVE-ID: CVE-2006-0397, CVE-2006-0398, CVE-2006-0399

Available for: Mac OS X v10.4.5, Mac OS X Server v10.4.5

Impact: Viewing a malicious web site may result in arbitrary code execution

The following non-security issues introduced by Security Update 2006-001 are also addressed by this update:
  • Download Validation: Security Update 2006-001 could cause the user to be warned when provided with certain safe file types, such as Word documents, and folders containing custom icons. These unneeded warnings are removed with this update.

Of course Apple must try to issue 'ad hoc' patches first. After all, NeXTSTEP wasn't ruined in a day, and it's going to take time to undo all the wrongs that were done. But the basic dilemma remains - although Apple have provided temporary safeguards for their own web applications, the system as a whole is still vulnerable - and the only reason Apple have directed their work to the application level is that they don't yet have a fix for what's really wrong.

As noted here and elsewhere, the core of the issue is that the one hand of the OS X shell tells the user one thing and then the other hand goes and does the complete opposite. Files appearing to be of one type are treated at another level of the system as being of another.

So far there's no word of how Apple plan to deal with this issue, although it should be a foregone conclusion that they must and they will - eventually at any rate.

For now the old adage used to describe OS X Tiger has to be altered. 'You've come a long way, baby, but still not quite far enough.'

About | ACP | Buy | Forum | Industry Watch | Learning Curve | Search | Twitter | Xnews
Copyright © Rixstep. All rights reserved.