UPDATED: Apple Computer issued a security update targeting 31 flaws in its Mac OS X operating system, including a vulnerability that could open wireless users to attack. The hole in the original AirPort wireless networking card also highlights a continuing feud between Apple and researchers over how security glitches should be revealed.
Along with the AirPort issue, Apple’s security update 2006-007 addresses problems discovered in Mac OS X 10.3.9 and Mac OS X 10.4.8 for both client and server versions of the operating system.
In a statement, Apple said the AirPort issue affects eMac, iBook, iMac, PowerBook G3, PowerBook G4 and Power Mac G4 systems. Unlike the original AirPort device, which supports both 802.11b/g, newer AirPort Extreme cards are 802.11g-only and are unaffected by the vulnerability.
Secunia, a security site, ranked the vulnerability as “moderately critical,” saying it allows hackers to launch denial-of-service attacks on wireless users. The problem lies in how the original AirPort card responds while scanning for active wireless connections, according to Secunia.
Apple credited HD Moore of Metasploit with reporting the flaw.
This week’s patch follows an August Mac OS X security update that addressed 21 potentially exploitable vulnerabilities.
Although McAfee and others have reported a rise in the number of vulnerabilities discovered in Mac OS X, exploits are not increasing along with them, Gartner’s John Pescatore told internetnews.com. Few companies store credit card numbers on Macs, Pescatore said. “It’s not like hackers are going to attack the graphics department.”
Yankee Group analyst Andrew Jaquith also cautioned against overreacting. “You should not turn up your threat meter to Def-Con Five,” he added.
Apple has always relied on “security through obscurity” and a general perception of a more secure operating system. But the reality doesn’t always live up to that image, Pescatore said. Unlike Microsoft, which provides a wealth of information about a security hole and how IT departments can implement a fix, Apple’s announcements are terse and designed more for consumers than for the enterprise.
In Pescatore’s view, if Apple wants to make inroads into the enterprise, it will need to
be more Microsoft-like when it comes to security.