Security Hole Announced


Over on Alastair’s blog is a post that Apple has ignored a pretty bad OS X security problem since 2003. I’ve no doubts there are a lot of bugs in OS X, and that there are a lot of them that aren’t known in the white-hat circles. This is pretty bad, and hopefully we’ll see a patch to address it soon. He did it right – he gave Apple a chance to address it without public disclosure and Apple hasn’t responded. Let’s send some feedback to them to get it fixed!



I think disclosing this vulnerability was the right thing to do. Maybe the next time someone reads a post on about some cool app, he or she might think twice about entering the root passwd when checking it out.


Actually, he suggests a very simple and good solution.

When you install you tell the system a piece of secret information (‘My Father’s middle name is’). The ONLY program that would know this would be the security server. Therefore anything pretending to be the security server wouldn’t be able to display the information.

Sean Sperte

I disagree. I don’t think publishing this for the world (including those who WRITE the “malicious software” he referenced) is “right”. It’s been my experience that this type of motivational tactic rarely generates the desired result.

As long as there are ignorant people there will be security “holes” like this one. As mentioned in the article, this sort of trap can be mimicked in a variety of ways. The solution does not come from Apple but from users being smart.

Needless to say, I’ll be much more cautious when giving my password to programs requesting it using this dialog. Problem fixed.

Comments are closed.