Mac OS X Patch Misses Mark, Causes Hiccups

An independent security researcher reports that Apple's most recent security update fails to address well-known vulnerabilities. Also, users are reporting boot-up hiccups after the mega patch is installed.

Apple Computers latest Mac OS X security update misses several dangerous vulnerabilities and is causing system hangs and boot-up problems for some users, according to information reaching eWEEK.

Less than a week after Apple shipped a mega-update with fixes for a whopping 43 Mac OS X and QuickTime vulnerabilities, independent researcher Tom Ferris said that multiple Safari browser flaws remain unpatched.

Ferris, who has become a bit of a gadfly for Apple, reported the Safari vulnerabilities to Apple on April 19, but after testing the Security Update 2006-003, he told eWEEK the issues have not yet been addressed.

Ferris, who goes by the online moniker of "badpack3t," said the Safari bugs causes the application to crash and may allow a malicious attacker to execute arbitrary code.

On his Web site, Ferris has released technical information on the flaws alongside proof-of-concept code to reproduce the browser crashes.

Back in April, Ferris also flagged a heap overflow vulnerability when specially crafted ".bmp" are processed and decompressed.

Although the Mac OS X update promised a fix for that bug, Ferris insists the underlying issue has not been addressed.

"[The update] does prevent the crash when opening [my] original proof-of-concept file. But after slightly modifying that file, I was able to trigger the same issue with the latest security update installed," Ferris said.

Ferris, who uses fuzzing techniques to identify application bugs, also plans to report several new ".tiff" flaws to Apples security team.

As per policy, Apple does not comment on potential security vulnerabilities in its products until a fix is available.

Meanwhile, Mac OS X users are reporting post-patch hiccups that range from system hangs and boot-up problems.

/zimages/6/28571.gifResearchers chart leap in Mac vulerabilities. Click here to read more.

In an e-mail message sent to eWEEK, Mac user Stephen Bigelis said the latest security update will hang the computer upon boot for any MacBook Pro user running Adobe Vs Cue software.

"The Adobe software must be removed from the Library->Startupitems Folder in safe mode to get the computer to boot normal," Bigelis added.

On Apples support forum, there are several threads discussing the boot-up problems.

At the a MacFixIt troubleshooting site, users are also reporting problems with UnRarX and Symantecs LiveUpdate when the security patch is installed.

/zimages/6/28571.gifCheck out eWEEK.coms for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at Security Center Editor Larry Seltzers Weblog.