'Highly Critical' Security Flaws Found in 10.4.6.
Mac Elite
Join Date: Jan 2003
Location: 127.0.0.1
Apr 21, 2006, 06:42 PM
 
     
Admin Emeritus
Join Date: Oct 1999
Location: Zurich, Switzerland
Apr 21, 2006, 06:47 PM
 
*yawn*

The chances of this actually being exploited in the wild are extremely low.

tooki
     
Administrator
Join Date: Apr 2001
Location: San Antonio TX USA
Apr 21, 2006, 07:15 PM
 
I like Secunia's "solution" to the posted flaws: don't mess with untrusted sites, and don't open anything you download from them. DUH!
Glenn -----
OTR/L, MOT, Tx
     
Mac Elite
Join Date: Sep 2005
Location: Vancouver, BC
Apr 21, 2006, 09:20 PM
 
Wasn't everyone all up in arms when that PNG file vulnerability popped up in the Windows world?

I'd say this is pretty critical if someone manages to make "good" use of it.
     
Addicted to MacNN
Join Date: Jul 2005
Location: Cooperstown '09
Apr 21, 2006, 10:00 PM
 
Bah.
     
Grizzled Veteran
Join Date: Dec 2000
Location: Málaga, Spain, Europe, Earth, Solar System
Apr 22, 2006, 05:02 AM
 
AFAIK, the image ones seem to be the ones that crash Safari/Preview when viewing them, so I dare say it has zero to do with security, rather with stability.

It's critical, but not security-wise.
     
Mac Elite
Join Date: Sep 2005
Location: Vancouver, BC
Apr 22, 2006, 11:02 AM
 
They say that if properly utilized, it can potentially lead to a system compromise. I'd call that a security issue, and a serious one at that.
     
Posting Junkie
Join Date: Dec 2000
Apr 22, 2006, 11:42 AM
 
Well, it doesn't say exactly what can be done with these errors, but if it's something like a buffer overflow, then, yeah, that's bad. That would mean you could get someone's computer to run arbitrary code just from viewing a malformed HTML tag, which obviously is something we do not want to be possible.

Ticking sound coming from a .pkg package? Don't let the .bom go off! Inspect it first with Pacifist. Macworld - five mice!
     
Grizzled Veteran
Join Date: May 2001
Location: Ca
Apr 22, 2006, 01:53 PM
 
Originally Posted by rickey939
Bah.

Nevertheless, Apple needs to get on this. It's not one of those things where it's good to say

"We will cross that bridge when we get there"

by then it's too late.

IMHO

real
With some loud music + a friend to chat nearby you can get a lot done. - but jeez, I'd avoid it if I had the choice---- If only real people came with Alpha Channels.......:)
AIM:xflaer
deinterlaced.com
     
Fresh-Faced Recruit
Join Date: May 2001
Location: Collinsville, IL, USA
Apr 22, 2006, 03:48 PM
 
Originally Posted by Tomchu
Wasn't everyone all up in arms when that PNG file vulnerability popped up in the Windows world?

I'd say this is pretty critical if someone manages to make "good" use of it.
The key word in your response is "if". It hasn't happened yet with ANY of the published vulnerabilities. None, zero, zip, nada, and this will be no different. For whatever reasons the criminal element hasn't noticed OS X yet. Or doesn't care because the other OS offers such easy pickins'.
     
Mac Elite
Join Date: Sep 2005
Location: Vancouver, BC
Apr 22, 2006, 06:43 PM
 
Originally Posted by lkrupp
The key word in your response is "if". It hasn't happened yet with ANY of the published vulnerabilities. None, zero, zip, nada, and this will be no different. For whatever reasons the criminal element hasn't noticed OS X yet. Or doesn't care because the other OS offers such easy pickins'.
You'd never get a job as a security researcher with such a complacent attitude.

One day a vulnerability like this *will* get exploited on a large scale, and people like you are going to be in for a nasty surprise. :-P
     
Mac Elite
Join Date: Jan 2003
Location: 127.0.0.1
Apr 23, 2006, 04:54 AM
 
^ Think Oompa Loompa. Even though it was on a small scale limited to one forum, it went to show just how complacent and smug the Mac user base is when it comes to security.

Considering that most of these vulnerabilities affect EVERY version of OS X, this is not good. And no, I won't be waiting for Leopard in order to get the fixes.
     
JKT
Professional Poster
Join Date: Jan 2002
Location: London, UK
Apr 23, 2006, 05:48 AM
 
Bear in mind that this isn't the first time that such issues have been found in the image handling routines of Mac OS X (e.g. see past security issues for Quicktime). There have been several instances over the years. What is different this time is that, at the moment, the publicity surrounding any flaw (minor or major) found in OS X is either way over the top and/or a wake-up call for users (depending on your perspective).
     
Grizzled Veteran
Join Date: Dec 2000
Location: Málaga, Spain, Europe, Earth, Solar System
Apr 24, 2006, 02:45 AM
 
These "if used properly" HUUUUUUGE security flaws amaze me a bit. The report linked just does not expose any "if"; it explains a bug and then goes into speculation mode and says that it could, maybe, be a security risk if maybe it could hopefully, in a who-knows-how environment, be used somehow maliciously. That's a long shot, not a "huge security flaw".

If it showed some facts about it being actually exploitable, it would be much more useful, less FUD, and I would treat it more seriously, as other OS X flaw reports have appeared in the past.

You could probably say the same about any bug of OS X or OS X app that uses the net. Maybe, if, who knows how but could be exploited to do random stuff. Sure, that's why bugs and errors in networked applications are more dangerous than local apps. But that there is a crash in Safari does not automatically mean a buffer overflow can be exploited.
     
Grizzled Veteran
Join Date: Dec 2000
Location: Málaga, Spain, Europe, Earth, Solar System
Apr 24, 2006, 02:46 AM
 
Originally Posted by eevyl
These "if used properly" HUUUUUUGE security flaws amaze me a bit. The report linked just does not expose any "if"; it explains a bug and then goes into speculation mode and says that it could, maybe, be a security risk if maybe it could hopefully, in a who-knows-how environment, be used somehow maliciously. That's a long shot, not a "huge security flaw".

If it showed some facts about it being actually exploitable, it would be much more useful, less FUD, and I would treat it more seriously, as other OS X flaw reports have appeared in the past.

You could probably say the same about any bug of OS X or OS X app that uses the net. Maybe, if, who knows how but could be exploited to do random stuff. Sure, that's why bugs and errors in networked applications are more dangerous than local apps. But that there is a crash in Safari does not automatically mean a buffer overflow can be exploited.
They say that if properly utilized, it can potentially lead to a system compromise. I'd call that a security issue, and a serious one at that. [/Tomchu]

(I save you the trouble of posting Tomchu, with <3 )
     
Posting Junkie
Join Date: Dec 2000
Apr 24, 2006, 03:22 AM
 
If a hole can be exploited to do evil stuff, then I'd say it's an equally big security hole regardless of whether or not it actually is exploited.

With that said, though, the article is pretty vague on whether it actually is known to be exploitable or not.

Ticking sound coming from a .pkg package? Don't let the .bom go off! Inspect it first with Pacifist. Macworld - five mice!
     
Grizzled Veteran
Join Date: Dec 2000
Location: Málaga, Spain, Europe, Earth, Solar System
Apr 24, 2006, 05:18 AM
 
Well, those are my thoughts in a much nicer and concise form. CharlesS++
     
Junior Member
Join Date: Oct 2001
Apr 25, 2006, 02:35 AM
 
Apple was notified months ago about those holes. Whether it has been exploited or not, don't you think it's more than time to correct this?
     
Professional Poster
Join Date: Jun 2001
Location: Northwest Ohio
Apr 25, 2006, 07:28 AM
 
Originally Posted by Shekwan
Apple was notified months ago about those holes. Whether it has been exploited or not, don't you think it's more than time to correct this?
Ever stop to think that these fixes are taking time to prepare and properly test? Or that there could be more serious ones Apple wants to fix first?
     
Grizzled Veteran
Join Date: Dec 2000
Location: Málaga, Spain, Europe, Earth, Solar System
Apr 25, 2006, 09:25 AM
 
Like, ones that actually have a definitive way of being exploited? Oh wait, those are already patched
     
Mac Elite
Join Date: Sep 2005
Location: Vancouver, BC
Apr 25, 2006, 11:09 AM
 
Originally Posted by eevyl
They say that if properly utilized, it can potentially lead to a system compromise. I'd call that a security issue, and a serious one at that. [/Tomchu]

(I save you the trouble of posting Tomchu, with <3 )
Thanks. :-)

I can only reiterate the same point so many times before it gets annoying.
     
Junior Member
Join Date: Oct 2001
Apr 25, 2006, 03:08 PM
 
Originally Posted by Person Man
Ever stop to think that these fixes are taking time to prepare and properly test? Or that there could be more serious ones Apple wants to fix first?
They were reported to Apple at the beginning of the year, it's like almost five months. Meanwhile, Apple users try to rationalize the lack of fixes and dismiss the report as speculation. Business as usual.
     
Mac Elite
Join Date: Mar 2000
Location: Allston, MA, USA
Apr 25, 2006, 10:52 PM
 
You'd think if they were so critical and exploitable, 5 months would be enough time to do so. Not that I am advocating complacency or saying Apple shouldn't fix these, but part of the reason Mac users are so blasé is because of those of you predicting the death of Mac OS X every time a flaw is found.
-- Jason
     
Grizzled Veteran
Join Date: May 2001
Location: Ca
Apr 28, 2006, 09:39 AM
 
It seems to me that Apple needs to treat this like a bug fix in OS X.


It's a problem and needs to be fixed, bottom line. I still feel safe using OS X, I am not going to jump ship, Windows has 1000's of problems but millions use that OS every day.
With some loud music + a friend to chat nearby you can get a lot done. - but jeez, I'd avoid it if I had the choice---- If only real people came with Alpha Channels.......:)
AIM:xflaer
deinterlaced.com
     
Administrator
Join Date: Apr 2001
Location: San Antonio TX USA
Apr 28, 2006, 10:13 AM
 
Problem? Yes

Highly critical? Maybe - depends on your definition

Exploitable? Maybe...but there's not much motivation to mess with Macs at any time, so it's hard to say whether someone could manage to exploit these issues.

A serious security risk? Probably not. It looks like the biggest impact of any of these is that they may cause incorrect display of some files and/or crash the app that's trying to display them. They do not seem to give the attacker the ability to do anything else to the target computer, and particularly they do not appear to allow an attacker to run ANY code on the target computer. So it's possible for a malicious site to provide files that could give you problems, but not really hurt your computer or your data.

(And Safari needs a full-blown overhaul anyway, so Apple should indeed get cracking on that, and fix these issues while they're at it. If they haven't been incorporated in one of the recent security updates, that is.)
Glenn -----
OTR/L, MOT, Tx
     
   
All times are GMT -5.
All contents of these forums © 1995-2011 MacNN. All rights reserved.