RealTime IT News

Apple Patch Plugs AirPort Holes

UPDATED: Apple Computer issued a security update targeting 31 flaws in its Mac OS X operating system, including a vulnerability that could open wireless users to attack. The hole in the original AirPort wireless networking card also highlights a continuing feud between Apple and researchers over how security glitches should be revealed.

Along with the AirPort issue, Apple's security update 2006-007 addresses problems discovered in Mac OS X 10.3.9 and Mac OS X 10.4.8 for both client and server versions of the operating system.

In a statement, Apple said the AirPort issue affects eMac, iBook, iMac, PowerBook G3, PowerBook G4 and Power Mac G4 systems. Unlike the original AirPort device, which supports both 802.11b/g, newer AirPort Extreme cards are 802.11g-only and are unaffected by the vulnerability.

Secunia, a security site, ranked the vulnerability as "moderately critical," saying it allows hackers to launch denial-of-service attacks on wireless users. The problem lies in how the original AirPort card responds while scanning for active wireless connections, according to Secunia.

Apple credited HD Moore of Metasploit with reporting the flaw.

This week's patch follows an August Mac OS X security update that addressed 21 potentially exploitable vulnerabilities.

Although McAfee and others have reported a rise in the number of vulnerabilities discovered in Mac OS X, exploits are not increasing along with them, Gartner's John Pescatore told internetnews.com. Few companies store credit card numbers on Macs, Pescatore said. "It's not like hackers are going to attack the graphics department."

Yankee Group analyst Andrew Jaquith also cautioned against overreacting. "You should not turn up your threat meter to Def-Con Five," he added.

Apple has always relied on "security through obscurity" and a general perception of a more secure operating system. But the reality doesn't always live up to that image, Pescatore said. Unlike Microsoft, which provides a wealth of information about a security hole and how IT departments can implement a fix, Apple's announcements are terse and designed more for consumers, not enterprise.

In Pescatore's view, if Apple wants to make inroads into the enterprise, it will need to be more Microsoft-like when it comes to security.