New Safari Flaw, Worms Turn Spotlight on Apple Security

Updated: Security and anti-virus companies issue warnings about new threats that could change the way some Internet users, especially those on Mac platforms, view security.

A serious new vulnerability in Apple Computer Inc.s Safari Web browser and new worms that target Apples OS X operating system have raised awareness of the growing number of threats to computers that do not run the Windows operating system.

Security and anti-virus companies issued advisories Feb. 21 about a dangerous new hole in the Safari browser that could enable attackers to install malicious code on Apple OS X systems without any user interaction.

The warnings follow news of a slew of malicious code for OS X in the last week, including new worms known as "Leap" and "Ingtana."

The new threats may change the way that some Internet users, especially those on the Mac platform, view security, said Graham Cluley, senior technology consultant at anti-virus company Sophos PLC in the United Kingdom.

The Safari Web browser flaw is in a feature called Open Safe Files that is enabled by default.

That feature allows files such as ZIP archives and movie files to be opened and viewed automatically.

Attackers could use a security hole in the feature to run malicious programs on OS X systems without any input from the computer user, according to Johannes Ullrich, CTO of The SANS Internet Storm Center.

"Its pretty serious. Its extremely trivial to exploit," he said.

No attacks that target the hole had been identified as of Tuesday, but malicious hackers could easily use it to place malicious programs on Mac systems, or take information from those systems, Ullrich said.

"Apple takes security very seriously," a spokesperson told eWEEK. "Were working on a fix so that this doesnt become something that could affect customers."

The company advises Mac users to only accept files from vendors and Web sites that they know and trust, the spokesperson said.

News of the Safari hole follows a parade of new, non-Windows attacks began on Feb. 16, when security experts identified Leap.A, the first virus for Apples OS X operating system.

/zimages/1/28571.gifClick here to read more about new threats to Mac systems.

Leap spread over Apples iChat instant message and prevented some Mac applications from loading.

A new OS X worm, named Ingtana, appeared Feb. 17, with two more variants cropping up on Feb. 21.

Ingtana is a proof of concept worm that spreads between Macs running OS X Version 10.4 over Bluetooth wireless connections.

The worm uses a known and patched Bluetooth hole called the OBEX Push vulnerability, according to anti-virus firm F-Secure Corp. in Helsinki, Finland.

The new threats are sowing confusion among Mac users unaccustomed to the drum beat of security warnings that Windows users have long since grown familiar with.

For example, Mac users were confused about the ISCs definition of "user interaction," in regard to the Safari hole, Ullrich said.

ISC defines "no user interaction" as an exploit that doesnt require the computer user take a specific action to get infected—like opening a file attachment or clicking a Web link.

However, Apple, like Microsoft, considers the phrase "no user interaction" to mean an exploit that can work even on a computer that is idle and unattended by a human, Ullrich said.

"Its an old issue on the Windows user side. They think [a threat] is not serious if it requires user interaction, like going to a malicious Web site," he said.

Next Page: Apple security features.