Apple patches OS X holes

Apple Computer has released a range of patches for security holes in its Mac OS X operating system, and has advised users to download them immediately.

One security company, Secunia, has given the five patches a "highly critical" rating and has warned that the holes may allow hijacking, security bypass, data manipulation, privilege escalation, denial of service and system access.

As yet, there is no worm exploiting the holes, but the company has strongly advised users to download and install the patches, as the OS could be an easy target.

Secunia has given the series of patches a "highly critical" rating which, it said, was because of Apple's dismissive attitude to one of the holes.

Secunia described a vulnerability within AppleFileServer which allows for a buffer overflow as an attempt to "improve the handling of long passwords", but security specialists @stake warned that it could lead to full system access.

This strange habit of pretending a big problem is of no significance was also displayed last month, when Apple explained that it was "aware" of a Trojan horse that could be used to compromise its systems and was investigating it, but refused to say any more, commenting only that it has an excellent track record of patching holes.

Another "highly critical" hole, in the company's QuickTime media player, has also been largely ignored by Apple, with the company only releasing an advisory under pressure from the company that discovered the hole, eEye Digital Security.

Secunia remains highly suspicious of two previously unannounced holes that were patched. One exists within CoreFoundation when handling environment variables and could allow for privilege escalation. The other is within RAdmin when handling large requests and could lead to a system compromise.

One of the older holes is in Apache 2 and can be exploited by adding malicious characters into log files to cause a denial of service. The other covers two holes in IPSec that can again be used to cause a denial of service.

Kieren McCarthy writes for


