While praising Apple Computer Inc. for releasing a patch so quickly for an OS X vulnerability discovered last week, security firm Secunia on Monday said Mac users are still not safe.
“It is still possible to execute arbitrary code on a vulnerable user’s system, just as easy as before Apple issued Friday’s security update for Mac OS X,” Niels Henrik Rasmussen, CEO of Secunia, said in an email to MacCentral.
Apple released a patch late Friday that fixed a hole in HelpViewer — with the update installed, HelpViewer will now only process scripts that it initiated. However, Rasmussen says that other vulnerabilities have come to light.
“What is really critical is the fact that Apple did not address the ‘disk’ URI vulnerability, which allows malicious websites to silently place code on a user’s system,” said Rasmussen. “Everything should be OK, after the ‘help’ vulnerability has been fixed, but another very unfortunate feature has been revealed in Mac OS X disk image and volume handling, allowing a disk image to register a new URI handler and associate an application with this – obviously this application can be located on the disk image or volume.”
The result, according to Secunia, is that malicious websites can exploit the “disk” vulnerability in the same way as the “help” URI handler, still leaving all Mac OS X systems wide open to attack.
Representatives from Apple were not immediately available to comment for this story.