ZDNet UK



Apple attacked over flaw notifications

Published: 05 May 2004 08:50 BST


A researcher has again taken Apple Computer to task for not adequately labelling the seriousness of the security flaws described in its advisories.

Five vulnerabilities released on Monday affect various components of the Mac OS X operating system. The greatest threat is a buffer overflow in the Apple file-sharing system that could allow a remote attacker to take control of the system. But the company described it as a correction "to improve the handling of long passwords."

"They are not characterising the issue so that people can make a security decision about it," said Chris Wysopal, vice president of research and development at @Stake, a digital security firm that found the flaw and reported it to Apple. "It seems they think that everyone will update their computers all the time, and that is not the way the world works."

Most security companies normally classify a remotely exploitable software flaw as a "critical" vulnerability.

Wysopal is the second researcher in a week to criticise Apple for downplaying the vulnerabilities in its system. eEye Digital Security, the company that found a flaw in Apple's QuickTime multimedia player in February, also claimed that Apple is not properly characterising vulnerabilities.

Apple said the flaw in the QuickTime movie player for Mac OS X could cause the player to crash. "Playing a malformed .mov (movie) file could cause QuickTime to terminate," the company stated in an advisory it published on Friday afternoon.

However, eEye said a movie file could potentially be created that would cause malicious code to execute when the user opened the file.

"We told them that if you are not able to execute code, then talk to us, so we can show you the issues," said Marc Maiffret, chief hacking officer at eEye.

An Apple representative could not be reached for comment.

Four flaws, including the flaw in the AppleFileServer, affect Mac OS X 10.2.8, or "Jaguar." All five flaws affect Mac OS X 10.3.3, also known as "Panther."
