Mac OS X Patch Misses Mark, Causes Hiccups

Apple Computer’s latest Mac OS X security update misses several dangerous vulnerabilities and is causing system hangs and boot-up problems for some users, according to information reaching eWEEK.

Less than a week after Apple shipped a mega-update with fixes for a whopping 43 Mac OS X and QuickTime vulnerabilities, independent researcher Tom Ferris said that multiple Safari browser flaws remain unpatched.

Ferris, who has become a bit of a gadfly for Apple, reported the Safari vulnerabilities to Apple on April 19, but after testing the Security Update 2006-003, he told eWEEK the issues have not yet been addressed.

Ferris, who goes by the online moniker of “badpack3t,” said the Safari bugs causes the application to crash and may allow a malicious attacker to execute arbitrary code.

On his Security-Protocols.com Web site, Ferris has released technical information on the flaws alongside proof-of-concept code to reproduce the browser crashes.

Back in April, Ferris also flagged a heap overflow vulnerability when specially crafted “.bmp” are processed and decompressed.

Although the Mac OS X update promised a fix for that bug, Ferris insists the underlying issue has not been addressed.

“[The update] does prevent the crash when opening [my] original proof-of-concept file. But after slightly modifying that file, I was able to trigger the same issue with the latest security update installed,” Ferris said.

Ferris, who uses fuzzing techniques to identify application bugs, also plans to report several new “.tiff” flaws to Apple’s security team.

As per policy, Apple does not comment on potential security vulnerabilities in its products until a fix is available.

Meanwhile, Mac OS X users are reporting post-patch hiccups that range from system hangs and boot-up problems.

Read the full story on eWEEK.com: Mac OS X Patch Misses Mark, Causes Hiccups