SECURITY PROBLEMS FOR APPLE, FIREFOX

The Apple and Firefox evangelists won’t make eye contact with you for a while, since all the latest news of security flaws and exploits is aimed at them. Here’s a summary from Paul Thurrott, tech columnist:

“There’s a certain poetic justice in the news that Mac OS X 10.4 Tiger’s new Dashboard feature – which Apple ripped off from the cool Konfabulator folks – is responsible for one of the worst security failures to ever hit the Macintosh. If you’re not familiar with the feature, Dashboard is a secondary desktop that hosts JavaScript-based widgets, such as a calculator, a weather display, and a flight tracker, that perform various tasks. There’s just one problem: Apple somehow forgot to implement even the most basic security for these widgets, making them the perfect conduit for malicious software. Hackers have already created widgets that auto-install on Tiger systems without any user interaction and, for example, directly copy Apple’s bundled widgets so users think nothing’s wrong. And thanks to a design flaw, the widgets are almost impossible to remove. A user would have to understand the Mac OS X file structure to do so. Eek.

“And speaking of a previously smug group of users, everyone’s favorite Microsoft Internet Explorer (IE) alternative is under fire this week as well. Two new vulnerabilities in Mozilla Firefox 1.0.3 have emerged and have been rated as extremely critical, which, if I’m not mistaken, is somewhere between orange and wicked critical. The reason these vulnerabilities are rated so high is that an already-existing exploit code takes advantage of the flaws.”

Security through obscurity only works if you use software that remains obscure. Once it starts to get publicized, the hackers start to work on it. Mac and Firefox users are discovering that they’re in the hands of people who can’t write code as well as Microsoft and are far more disorganized about creating and fixing their programs.

As to Apple, here’s an article about the widget problem. Paul Thurrott was kind enough not to mention the “highly critical” flaw in iTunes software (the second such flaw in iTunes in the last few months), and the release of patches for 20 different “highly critical” flaws in Mac OS X.

As to Firefox, here’s more information about its “extremely critical” vulnerabilities.