"Hi – I’m a Mac…"

Anyone seen these commercials?

You know them. These two guys are standing on a white screen. A hipster introduces himself as an Apple Macintosh; a nerd says he’s a PC. The hipster is energetic and sly; the nerd is business-dressed and geeky.

These commercials drive me crazy because the assertions they make are patently false. For example, the hipster says that he’s not vulnerable to viruses or attacks from hackers. Yet Apple and Adobe just released a security advisory today addressing vulnerabilities in the Mac platform.

Curious about this, I decided to go to the National Vulnerability Database to see what kind of vulnerabilities were identified for the Mac platform in August 2006. There were seventeen identified vulnerabilities for the Apple platform:

There are 17 matching records. Displaying matches 1 through 17.

CVE-2006-3506 VU#737204 Summary: Buffer overflow in the Xsan Filesystem driver on Mac OS X 10.4.7 and OS X Server 10.4.7 allows local users with Xsan write access, to execute arbitrary code via unspecified vectors related to “processing a path name.”
Published: 8/21/2006
CVSS Severity: 4.9 (Medium)

CVE-2006-0395 Summary: The Download Validation in Mail in Mac OS X 10.4 does not properly recognize attachment file types to warn a user of an unsafe type, which allows user-assisted remote attackers to execute arbitrary code via crafted file types.
Published: 8/4/2006
CVSS Severity: 5.6 (Medium)

CVE-2006-3505 VU#566132 Summary: WebKit in Apple Mac OS X 10.3.9 and 10.4.7 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted HTML document that causes WebKit to access an object that has already been deallocated.
Published: 8/2/2006
CVSS Severity: 7.0 (High)

CVE-2006-3504 Summary: The Download Validation in LaunchServices for Apple Mac OS X 10.4.7 can identify certain HTML as “safe”, which could allow attackers to execute Javascript code in local context when the “Open ‘safe’ files after downloading” option is enabled in Safari.
Published: 8/2/2006
CVSS Severity: 5.6 (Medium)

CVE-2006-3503 VU#605908 Summary: Integer overflow in ImageIO in Apple Mac OS X 10.4.7 allows user-assisted attackers to cause a denial of service (crash) and possibly execute arbitrary code via a malformed GIF image.
Published: 8/2/2006
CVSS Severity: 5.6 (Medium)

CVE-2006-3502 VU#651844 Summary: Unspecified vulnerability in ImageIO in Apple Mac OS X 10.4.7 allows user-assisted attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted GIF image that triggers a memory allocation failure that is not properly handled.
Published: 8/2/2006
CVSS Severity: 5.6 (Medium)

CVE-2006-3501 VU#172244 Summary: Integer overflow in ImageIO for Apple Mac OS X 10.4.7 allows user-assisted attackers to cause a denial of service (application crash) and possibly execute arbitrary code via a crafted Radiance image.
Published: 8/2/2006
CVSS Severity: 5.6 (Medium)

CVE-2006-3500 Summary: The dynamic linker (dyld) in Apple Mac OS X 10.4.7 allows local users to execute arbitrary code via an “improperly handled condition” that leads to use of “dangerous paths,” probably related to an untrusted search path vulnerability.
Published: 8/2/2006
CVSS Severity: 7.0 (High)

CVE-2006-3499 Summary: The dynamic linker (dyld) in Apple Mac OS X 10.3.9 allows local users to obtain sensitive information via unspecified dynamic linker options that affect the use of standard error (stderr) by privileged applications.
Published: 8/2/2006
CVSS Severity: 1.6 (Low)

CVE-2006-0393 Summary: OpenSSH in Apple Mac OS X 10.4.7 allows remote attackers to cause a denial of service or determine account existence by attempting to log in using an invalid user, which causes the server to hang.
Published: 8/2/2006
CVSS Severity: 3.7 (Low)

CVE-2006-0392 VU#527236 Summary: Buffer overflow in Apple Mac OS X 10.4.7 allows user-assisted attackers to cause a denial of service (application crash) and possibly execute arbitrary code via a crafted Canon RAW image.
Published: 8/2/2006
CVSS Severity: 5.6 (Medium)

CVE-2006-3498 VU#776628 Summary: Stack-based buffer overflow in bootpd in the DHCP component for Apple Mac OS X 10.3.9 and 10.4.7 allows remote attackers to execute arbitrary code via a crafted BOOTP request.
Published: 8/2/2006
CVSS Severity: 10.0 (High)

CVE-2006-3497 VU#514740 Summary: Unspecified vulnerability in the “compression state handling” in Bom for Apple Mac OS X 10.3.9 and 10.4.7 allows user-assisted attackers to cause a denial of service (application crash) and possibly execute arbitrary code via a crafted Zip archive.
Published: 8/2/2006
CVSS Severity: 5.6 (Medium)

CVE-2006-3496 VU#180692 Summary: AFP Server in Apple Mac OS X 10.3.9 and 10.4.7 allows remote attackers to cause denial of service (crash) via an invalid AFP request that triggers an unchecked error condition.
Published: 8/2/2006
CVSS Severity: 2.3 (Low)

CVE-2006-3495 VU#168020 Summary: AFP Server in Apple Mac OS X 10.3.9 and 10.4.7 stores reconnect keys in a world-readable file, which allows local users to obtain the keys and access files and folders of other users.
Published: 8/2/2006
CVSS Severity: 1.6 (Low)

CVE-2006-1473 VU#575372 Summary: Integer overflow in AFP Server for Apple Mac OS X 10.3.9 and 10.4.7 allows remote attackers to cause a denial of service (crash) and execute arbitrary code via unknown vectors.
Published: 8/2/2006
CVSS Severity: 2.3 (Low)

CVE-2006-1472 Summary: Unspecified vulnerability in AFP Server in Apple Mac OS X 10.3.9 allows remote attackers to determine names of unauthorized files and folders via unknown vectors related to the search results.
Published: 8/2/2006
CVSS Severity: 2.3 (Low)
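A listing like the one above is more useful once it is sorted by who can reach the bug and how severe it is: of the seventeen records, only a handful are reachable by a remote attacker without a user opening something first, and only one scores 10.0. The script below is an added example, not part of the original post or of NVD; it parses the plain-text record format NVD produced in 2006 (the `CVE … Summary:` / `Published:` / `CVSS Severity:` triplets quoted above) and tallies records by CVSS label and by exposure. The six records embedded in it are transcribed from the listing above (with straight quotes), and the exposure categories are my own keyword heuristic over the summary text, not an NVD field.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Constructed sample: six of the seventeen records quoted in the post,
# transcribed in NVD's 2006 plain-text layout so the parser sees real input.
NVD_LISTING = """\
CVE-2006-3506 VU#737204 Summary: Buffer overflow in the Xsan Filesystem driver on Mac OS X 10.4.7 and OS X Server 10.4.7 allows local users with Xsan write access, to execute arbitrary code via unspecified vectors related to "processing a path name."
Published: 8/21/2006
CVSS Severity: 4.9 (Medium)

CVE-2006-0395 Summary: The Download Validation in Mail in Mac OS X 10.4 does not properly recognize attachment file types to warn a user of an unsafe type, which allows user-assisted remote attackers to execute arbitrary code via crafted file types.
Published: 8/4/2006
CVSS Severity: 5.6 (Medium)

CVE-2006-3505 VU#566132 Summary: WebKit in Apple Mac OS X 10.3.9 and 10.4.7 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted HTML document that causes WebKit to access an object that has already been deallocated.
Published: 8/2/2006
CVSS Severity: 7.0 (High)

CVE-2006-3504 Summary: The Download Validation in LaunchServices for Apple Mac OS X 10.4.7 can identify certain HTML as "safe", which could allow attackers to execute Javascript code in local context when the "Open 'safe' files after downloading" option is enabled in Safari.
Published: 8/2/2006
CVSS Severity: 5.6 (Medium)

CVE-2006-3499 Summary: The dynamic linker (dyld) in Apple Mac OS X 10.3.9 allows local users to obtain sensitive information via unspecified dynamic linker options that affect the use of standard error (stderr) by privileged applications.
Published: 8/2/2006
CVSS Severity: 1.6 (Low)

CVE-2006-3498 VU#776628 Summary: Stack-based buffer overflow in bootpd in the DHCP component for Apple Mac OS X 10.3.9 and 10.4.7 allows remote attackers to execute arbitrary code via a crafted BOOTP request.
Published: 8/2/2006
CVSS Severity: 10.0 (High)
"""

# One record = three consecutive lines; the CERT VU# reference is optional.
RECORD_RE = re.compile(
    r"^(?P<cve>CVE-\d{4}-\d{4,})\s+(?:(?P<vu>VU#\d+)\s+)?Summary:\s*(?P<summary>.+)\n"
    r"Published:\s*(?P<published>\S+)\n"
    r"CVSS Severity:\s*(?P<score>\d+(?:\.\d+)?)\s*\((?P<label>\w+)\)",
    re.MULTILINE,
)


@dataclass
class Vuln:
    cve: str
    vu: Optional[str]
    summary: str
    published: str
    score: float
    label: str

    @property
    def exposure(self) -> str:
        """Heuristic (assumption, not an NVD field): who can trigger the bug.
        Checked in order so 'user-assisted remote attackers' counts as
        user-assisted rather than remote."""
        s = self.summary.lower()
        if "local users" in s:
            return "local"
        if "user-assisted" in s:
            return "user-assisted"
        if "remote attackers" in s:
            return "remote"
        return "unspecified"


def parse_listing(text: str) -> list[Vuln]:
    """Parse every CVE record in an NVD plain-text listing."""
    return [
        Vuln(m["cve"], m["vu"], m["summary"].strip(), m["published"],
             float(m["score"]), m["label"])
        for m in RECORD_RE.finditer(text)
    ]


def count_by_label(vulns: list[Vuln]) -> dict[str, int]:
    return dict(Counter(v.label for v in vulns))


def count_by_exposure(vulns: list[Vuln]) -> dict[str, int]:
    return dict(Counter(v.exposure for v in vulns))


def unassisted_remote_code_exec(vulns: list[Vuln]) -> list[Vuln]:
    """The records a defender patches first: remotely reachable, no user
    interaction in the summary, and code execution claimed."""
    return [v for v in vulns
            if v.exposure == "remote" and "execute arbitrary code" in v.summary]


def highest(vulns: list[Vuln]) -> Vuln:
    return max(vulns, key=lambda v: v.score)


if __name__ == "__main__":
    vulns = parse_listing(NVD_LISTING)
    print(f"{len(vulns)} records")
    print("by CVSS label:", count_by_label(vulns))
    print("by exposure:  ", count_by_exposure(vulns))
    print("patch first:  ", [v.cve for v in unassisted_remote_code_exec(vulns)])
    print("highest score:", highest(vulns).cve, highest(vulns).score)
```

Run it as-is to see the breakdown for the six embedded records; paste the full seventeen-record listing into `NVD_LISTING` and the same counts are produced for the whole month. The keyword heuristic is deliberately simple and errs toward the more restrictive category, which is the right direction for triage: a bug that needs a user to open a file is still worth patching, but the remote, unassisted ones (the bootpd overflow above) are the ones that decide whether "not vulnerable to attacks from hackers" holds.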

I don’t mind the commercials – they’re kind of clever, but I really don’t like being lied to. Instead of pushing Disney movies across iTunes, I’d suggest Jobs concentrate on truth in advertising next quarter: the Mac platform isn’t nigh-invulnerable – it, too, is susceptible to error, intrusion, and bugs. It’s just the wrong message to suggest that the Mac PC (yes, folks: it runs an Intel processor now…) – and Apple development practices – are somehow infallible. This assertion is patently untrue.

So the next time those guys come on the screen, I want the geek to just whack the hipster upside the head. A smug look will overcome the geek’s face. “That felt better.” Apple logo. Fade out.

R
www.micklerandassociates.com