Weapons of Mass DistractionMac OS X Hit by Third Vulnerability

On Tuesday, security experts announced the discovery of another vulnerability in Apple's Mac OSX operating system. It is the third vulnerability found in less than a week. Security and antivirus firms have issued advisories classifying the flaw as "extremely critical."

Discovered by Michael Lehn, a graduate student and research assistant at the University of Ulm in southern Germany, the flaw affects Apple's Safari Web browser and could allow attackers to disable a Mac computer after tricking users into accessing a phony Internet site containing malicious code.

Apple has confirmed that it is aware of the problem and has indicated that it is working on a fix "so that this doesn't become something that could affect customers."

Don't Unzip It

The flaw has been classified as a critical vulnerability because the Safari browser is configured by default to run or open certain file types -- photos, movies, and compressed files -- that have been marked "safe" by Mac OS X.

Compressed .ZIP files are just one of the supposedly safe files in question. Attackers can exploit the vulnerability when a Mac user visits a Web site containing malicious software that has been disguised to look like a normally safe file. Users who download the files run the risk of opening their computers to any number of nasty, virulent programs.

According to Dave Cole, director of Symantec Security Response, Symantec has given the flaw a fairly severe rating of 8.3 out of 10 and an urgency rating of 7.3 out of 10. "We would rate this as a severe vulnerability, to put it succinctly," he said.

Unlike many other vulnerabilities that are theoretical in nature, this Safari flaw has proof-of-concept exploit code already published. However, Symantec has not seen any attempts by attackers to exploit the vulnerability as of yet. But it could happen, said Cole, who pointed out that the vulnerability is critical because attackers could easily perform an attack and "install whatever they want without a whole lot of trouble."

"We've seen plenty of instances where this has happened in the Windows world," Cole said. "Where a new vulnerability came out in a Web browser, such as Internet Explorer, and when the bad guys see that, they use it to foist whatever type of software they can -- usually some form of adware -- onto someone's machine. The possibility of someone doing this to Safari users is fairly high."

Support Yahoo! News and read the full story here..

My opinion: It is good to see that now that another semi-mainstream OS exists out there it has problems just like Windows.

Comments: