, SecurityFocus 2004-05-21
Apple Computer on Friday issued a patch for a security hole in Mac OS X that could have allowed hackers to take over vulnerable machines, but the company went out of its way to downplay the importance of the bug.The vulnerability in the operating system's Help View application allows attackers to craft a special URL that will execute any application, command or script on the victim's computer. To be hit by the bug, a user would have to visit a malicious website, or be lured by e-mail into following the URL. The bug works on most browsers, including Internet Explorer for Mac, Mozilla and Apple's Safari.
The hole was discovered by a German techie called "Lixlpixel," who claims to have reported the bug to Apple on February 23rd. It wasn't until nearly three months passed without any response from the Cupertino, Calif. computer maker that Lixlpixel went public with the hole, when discussions about it began showing up in
In a statement issued along with the patch Friday, Apple called the hole a "theoretical vulnerability" that never placed customers at risk.
"Apple takes security very seriously and works quickly to address potential threats as we learn of them -- in this case, before there was any actual risk to our customers," said Apple's senior vice president Philip Schiller. "While no operating system can be completely immune from all security issues, Mac OS X's UNIX-based architecture has so far turned out to be much better than most."
The bug is easy to use, and benign
Mac OS X users can install the patch through Apple's Software Update service, or through Apple's