Aug 14, 2007

[Security] Apple's laziness can lead to problems

Two related security issues for Apple's Mac OS X (Leopard) and iPhone were raised recently.

At this year's Black Hat Briefings conference, a security researcher claimed that Mac OS X is easy to hack. The researcher highlighted three avenues for hacking into OS X:

1. Elevation of user privilege using suid: OS X has more than 50 suid root applications. That means 50-plus vectors of attack.

2. Safari: When opened, the browser also opens several other programs, and a flaw in any of those apps can be exploited over the Web.

3. Open source components: it seems that OS X 10.4.10 contains open source components that are out of date, and as such, are candidates for bug exploitation.
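
For the first item, the setuid-root surface can be inventoried and compared against a reviewed list. The following is an added example, not part of the original post or the researcher's talk; the function names and the baseline-file format (a saved earlier run of the inventory) are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: audit setuid files and flag ones that were never reviewed.

# suid_inventory ROOT [OWNER]
# Prints, sorted, every regular file under ROOT that has the setuid bit
# set and is owned by OWNER (default: root). -xdev keeps the walk on the
# filesystem that ROOT lives on. Paths containing newlines are not handled.
suid_inventory() {
    find "$1" -xdev -type f -user "${2:-root}" -perm -4000 -print 2>/dev/null |
        LC_ALL=C sort
}

# suid_unreviewed ROOT BASELINE [OWNER]
# BASELINE is a saved earlier output of suid_inventory (one path per line,
# sorted in the C locale). Prints setuid files that are present now but
# absent from the baseline, i.e. binaries nobody has signed off on.
suid_unreviewed() {
    [ -r "$2" ] || { echo "baseline not readable: $2" >&2; return 2; }
    suid_inventory "$1" "${3:-root}" | LC_ALL=C comm -23 - "$2"
}

# Typical use (run as root so find can read every directory):
#   suid_inventory / > /var/db/suid.baseline      # after manual review
#   suid_unreviewed / /var/db/suid.baseline       # on later audits
```

Every path the second function prints is either a newly installed privileged program or an existing one that gained the setuid bit, and both cases call for review.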

And with the iPhone being a Mac machine at the micro level, vectors two and three mentioned earlier are also present on the iPhone. Apple released patch 1.0.1 for the iPhone on July 31, and a vulnerability was included in the said patch, courtesy of an outdated open source component (PCRE).

Security experts always tell users to patch systems and apps when patches are released. I guess it is time they tell Apple to do the same.

(Crossposted from here.)
