Apple Computer has still not properly fixed the named
fork vulnerability discovered in its HFS+ filesystem last week,
according to the company that first found it, NetSec.
The managed security specialist said that the fix put out by the
company at the end of last week would only address the security
flaw for OS X systems running the Apache web server which is
shipped by default, and that users of other web servers such as 4D
WebStar remained vulnerable.
NetSec also said that users running modified versions of the
Apache web server on OS X would not have received the update patch
automatically.
The vulnerability could allow attackers to exploit URLs to gain
access to back-end data structures and carry out website defacement
or information theft.
NetSec said it was not aware of any live exploits at present,
but had decided to alert the Apple community after the exploit
topic started being discussed on public domain sites.
“They’ve slapped a Band-Aid on the problem,” said NetSec’s Tom
Parker. He added that fixing the problem once and for all would
require complex changes to the OS X kernel, which might explain why
the patch had turned out to be partial.
Figures for the number of customers using Apache on OS X are
difficult to come by, but Netcraft puts the number of high-level
servers running WebStar as approaching 60,000. Apache is by far the
most popular, regardless of platform.
John Dunn writes for Techworld