SCI/TECH: Apple's Vulnerabilities Concerns Continue Despite Patch

posted on May, 20 2005 @ 08:47 PM
Apple has patched a vulnerability in its Tiger OS regarding widgets, or small programs that self-install after they have been downloaded, but one expert claims the problem is not solved. The problem lies with the wording in a display box that indicates that the user is approving a download, when in fact an installation is being approved. Malicious coders can write widgets that can, using administrative privileges, run undetected in the background and deliver their malicious code.
 



news.com.com
Though Apple Computer updated its latest OS this week to solve a security problem with widgets, worries persist that the small applications still pose a potentially serious risk.

Widgets, or small programs that automatically install after downloading, were introduced in Tiger for the Dashboard, which overlays the desktop. An attacker could write a malicious widget for Mac OS X 1.4 Tiger that would run invisibly in the background and hijack a user's "sudo," or administrative, privileges on a system, according to an alert distributed on the Full Disclosure mailing lists late Wednesday. With administrative privileges, the attacker would have full control over the targeted Mac.

On Monday, Apple published the Mac OS X 10.4.1 update to fix an earlier security issue related to the widgets. Before the patch, widgets would download and install without warning. Patched machines display a box that asks the PC user to confirm a download, but don't tell the user that the confirmation also triggers installation of the widget.

While the patch mitigates the risk, security issues remain with widgets, according to Jonathan Zdziarski, a software engineer and author of Wednesday's Full Disclosure posting.




Please visit the link provided for the complete story.


In my reading of late regarding the relative merits of Macs and PCs, it has been noted by some that one of the main problems with PCs is that many people, if not most, surf the web with an administrative account, not understanding the problems that can occur as a result, if malware is downloaded. Apple actually encourages developers to write widgets and over two hundred are available on Apple's web site. It does seem, however, that if Mac users are aware of the risks, they can avert danger by exercising caution.

Related News Links:
news.com.com
news.com.com


[edit on 05/5/20 by GradyPhilpott]





