A critical security flaw has been uncovered in Apple's Safari web browser and in Internet Explorer for OS X that would allow someone outside of your computer to place files onto your computer without your permission.
The vulnerability, which was classified as Extremely Critical by security firm Secunia, allowed the execution of malicious code on the user's computer.
Apple issued an update on May 21st which it says will fix the problem. "Apple takes security very seriously and works quickly to address potential threats as we learn of them," said Philip Schiller, Apple's senior vice president of Worldwide Product Marketing. "While no operating system can be completely immune from all security issues, Mac OS X's UNIX-based architecture has so far turned out to be much better than most."
The security flaw could be exploited on computers where the user had allowed the browser to open safe files after download, which is the default choice in Safari. Someone with the proper knowledge could exploit this to send a Disk Image file (.dmg) to your computer, which the browser would then download and open, placing the file on your computer.
The vulnerability has been confirmed using Safari 1.2.1 (v125.1) and Internet Explorer 5.2. While acknowledging the vulnerability, computer security experts say most Mac users would not be at high risk, because exploit writers typically focus on writing malicious code targeted at higher-profile Windows-based computers.
However, leaving the problem uncorrected would allow someone to deliver a virus onto the Macintosh desktop if they wanted, so Apple is considering this a critical update.
Security Update 2004-05-24 version 1.0 (271 kb) is available via the Software Update control panel, or at the Apple Downloads page.
May 2004