On Tuesday, security experts announced the discovery of another vulnerability in Apple's Mac OS X operating system. It is the third vulnerability found in less than a week. Security and antivirus firms have issued advisories classifying the flaw as "extremely critical."
Discovered by Michael Lehn, a graduate student and research assistant at the University of Ulm in southern Germany, the flaw affects Apple's Safari Web browser and could allow attackers to disable a Mac computer after tricking users into accessing a phony Internet site containing malicious code.
Apple has confirmed that it is aware of the problem and has indicated that it is working on a fix "so that this doesn't become something that could affect customers."
Don't Unzip It
The flaw has been classified as a critical vulnerability because the Safari browser is configured by default to run or open certain file types -- photos, movies, and compressed files -- that have been marked "safe" by Mac OS X.
Compressed .ZIP files are just one of the supposedly safe files in question. Attackers can exploit the vulnerability when a Mac user visits a Web site containing malicious software that has been disguised to look like a normally safe file. Users who download the files run the risk of opening their computers to any number of nasty, virulent programs.
According to Dave Cole, director of Symantec Security Response, Symantec has given the flaw a fairly severe rating of 8.3 out of 10 and an urgency rating of 7.3 out of 10. "We would rate this as a severe vulnerability, to put it succinctly," he said.
Unlike many other vulnerabilities that are theoretical in nature, this Safari flaw has proof-of-concept exploit code already published. However, Symantec has not seen any attempts by attackers to exploit the vulnerability as of yet. But it could happen, said Cole, who pointed out that the vulnerability is critical because attackers could easily perform an attack and "install whatever they want without a whole lot of trouble."
"We've seen plenty of instances where this has happened in the Windows world," Cole said. "Where a new vulnerability came out in a Web browser, such as Internet Explorer, and when the bad guys see that, they use it to foist whatever type of software they can -- usually some form of adware -- onto someone's machine. The possibility of someone doing this to Safari users is fairly high."
DIY Flaw Correction
Although Apple has said it is working to correct the problem, a simple change can protect Mac users from any potential exploits without waiting for a new patch, Cole explained. All a Mac user has to do is uncheck the "open safe files after downloading" option under the "general" section in Safari's preferences.
Doing so will eliminate the biggest area of risk for Mac users, Cole said. "In general, opening random .ZIP files and trying to download .ZIP files from the Internet is a pretty bad practice to begin with unless you really know what [the file] is."
Cole said that it is reasonable to expect to see some attack activity from malicious hackers attempting to exploit this vulnerability, but he emphasized that it is easy for Mac users to protect themselves from these attacks.
"With a little bit of Internet street smarts and just simply unchecking this option, it is not difficult to protect yourself," Cole said.
Apple in the Crosshairs
It is fairly unusual to see three vulnerabilities hit the Mac OS in less than a week, Cole said. It might indicate that there is a much higher level of curiosity over Mac OS X. That could be due, he said, to more people playing around with the operating system or a new interest by Internet criminals in exploiting it.
The two viruses discovered last week, "Leap" and "Inqtana," are relatively harmless in contrast to the newly revealed vulnerability, Cole said. "The worms Inqtana and Leap are low distribution and there is fairly low risk of anyone getting these."
These attacks against Apple underscore not only the importance of every computer user running antispyware and antivirus security software, but also the need for computer users in general to have Internet street smarts and common sense.
"[Users should] absolutely use security software and make sure they are paying attention to alerts they get," Cole advised. "But, at the end of the day, a lot of this stuff can be avoided by not opening suspicious attachments and not downloading things where you don't know how trusted the Web site is."
No one, Cole said, should feel as though they are impervious to these types of attacks -- spyware, adware, or malicious code -- just because they use a particular type of operating system or software.