off the Press - News & Commentary
OS X / Windows Security Holes Uncovered
November 28, 2003
OS X Panther Threatened
Noted security analyst William Carrel of Carrel.Org has posted
on the Internet an advisory warning of a malicious DHCP response that
can grant root access on Mac OS X 10.2 and 10.3 (Panther, Apple's just
released OS). The vulnerability affects both the desktop
and server versions of Mac OS X, and it runs counter to Apple's claims
of a totally safe operating system.
We attempted to
get a comment from Apple officials, but they did not return phone
calls or emails.
William Carrel noted
that Apple Computer Inc. currently has no patch for the hole but may
be looking to provide an update in December. Carrel wrote that he had
notified Apple of the security issue before Panther and another November
security update were released.
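The advisory itself is not reproduced here, and this page does not describe how the malicious response obtains root, so the check below is an added example (not Carrel's or Apple's code) of the one thing a defender can verify regardless of the mechanism: which server answered the host's DHCP request. It parses a DHCP reply per the RFC 2131 layout, flags replies whose server identifier (option 54) is not an allowlisted LAN server, and reports any LDAP server pushed via option 95 (the LDAP option code registered in RFC 3679; whether the advisory's attack uses that option is not stated on this page). The packets, addresses and allowlist are constructed for the example.

```python
import struct

# Added example (not from the advisory or the article): parse a BOOTP/DHCP message
# (RFC 2131 layout) and flag server replies that a host on this LAN should not
# trust: replies whose server identifier (option 54) is not on the allowlist, and
# replies that push an LDAP server (option 95, the LDAP option code in RFC 3679;
# whether the advisory's attack uses it is not stated on the page).

DHCP_MAGIC = b"\x63\x82\x53\x63"   # RFC 2131 magic cookie that starts the options field
BOOTREPLY = 2                      # op field value for server -> client messages
OPT_SUBNET_MASK = 1
OPT_MSG_TYPE = 53
OPT_SERVER_ID = 54
OPT_LDAP = 95                      # assumption: RFC 3679 LDAP option used as a directory-push indicator
MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK", 6: "NAK"}


def ipv4(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def parse_dhcp(packet: bytes) -> dict:
    """Parse the fixed header and TLV options of one DHCP message.

    Raises ValueError on truncated input rather than silently accepting it:
    a parser used for detection must not be fooled by malformed packets.
    """
    if len(packet) < 240:
        raise ValueError("too short for a DHCP message")
    op, _htype, _hlen, _hops, xid = struct.unpack("!BBBBI", packet[:8])
    yiaddr = ipv4(packet[16:20])            # address being offered to the client
    if packet[236:240] != DHCP_MAGIC:
        raise ValueError("missing DHCP magic cookie")
    options = {}
    i = 240
    while i < len(packet):
        code = packet[i]
        if code == 0:                       # pad: single byte, no length
            i += 1
            continue
        if code == 255:                     # end of options
            break
        if i + 1 >= len(packet):
            raise ValueError("truncated option header")
        length = packet[i + 1]
        data = packet[i + 2:i + 2 + length]
        if len(data) != length:
            raise ValueError("truncated option data")
        options[code] = data
        i += 2 + length
    return {"op": op, "xid": xid, "yiaddr": yiaddr, "options": options}


def check_reply(packet: bytes, allowed_servers: set) -> list:
    """Return a list of findings for one DHCP server reply; empty means benign."""
    msg = parse_dhcp(packet)
    if msg["op"] != BOOTREPLY:
        return []                           # client-originated; nothing to trust or distrust
    opts = msg["options"]
    mtype = opts[OPT_MSG_TYPE][0] if opts.get(OPT_MSG_TYPE) else 0
    name = MSG_TYPES.get(mtype, f"type {mtype}")
    findings = []
    sid = opts.get(OPT_SERVER_ID)
    server = ipv4(sid) if sid is not None and len(sid) == 4 else None
    if server is None:
        findings.append(f"{name} xid={msg['xid']:#x} carries no server identifier")
    elif server not in allowed_servers:
        findings.append(f"{name} for {msg['yiaddr']} came from unexpected server {server}")
    if OPT_LDAP in opts:
        url = opts[OPT_LDAP].decode("ascii", "replace")
        findings.append(f"{name} from {server} pushes an LDAP server: {url}")
    return findings


def build_dhcp(op: int, xid: int, yiaddr: str, options: list) -> bytes:
    """Build a minimal DHCP message; used only to construct the sample packets below."""
    fixed = struct.pack("!BBBBIHH", op, 1, 6, 0, xid, 0, 0)   # op, htype=ethernet, hlen, hops, xid, secs, flags
    fixed += bytes(4) + bytes(int(x) for x in yiaddr.split(".")) + bytes(8)  # ciaddr, yiaddr, siaddr, giaddr
    fixed += bytes(16) + bytes(64) + bytes(128)                # chaddr, sname, file
    body = DHCP_MAGIC
    for code, data in options:
        body += bytes([code, len(data)]) + data
    return fixed + body + b"\xff"


# Constructed sample packets (not captures): the legitimate LAN server is 192.168.1.1.
ALLOWED_SERVERS = {"192.168.1.1"}
LEGIT_OFFER = build_dhcp(BOOTREPLY, 0x3903F326, "192.168.1.100", [
    (OPT_MSG_TYPE, b"\x02"),
    (OPT_SERVER_ID, bytes([192, 168, 1, 1])),
    (OPT_SUBNET_MASK, bytes([255, 255, 255, 0])),
])
ROGUE_OFFER = build_dhcp(BOOTREPLY, 0x3903F326, "192.168.1.100", [
    (OPT_MSG_TYPE, b"\x02"),
    (OPT_SERVER_ID, bytes([192, 168, 1, 250])),
    (OPT_LDAP, b"ldap://192.168.1.250/"),
])

if __name__ == "__main__":
    for label, pkt in (("legit", LEGIT_OFFER), ("rogue", ROGUE_OFFER)):
        print(label, check_reply(pkt, ALLOWED_SERVERS) or "no findings")
```

Fed from a packet capture on the client's LAN, the same `check_reply` turns a rogue server into an alert the moment it answers, which is the only visibility a defender has while no patch exists; the allowlist must list every legitimate DHCP server and relay on the segment, or genuine replies will be flagged too.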
Secunia, a Copenhagen, Denmark-based security company, on Tuesday the 25th
issued a security
advisory about five security vulnerabilities
in Internet Explorer
6.0. Secunia officials noted that earlier versions of the browser may have
the same problems as well. Together, the flaws "can be
exploited to compromise a user's system," the advisory warns. It recommends
that users disable "active scripting" or use another browser
to avoid the vulnerabilities.
Microsoft corporate officials said that they were investigating the issue
but had not been made aware of any exploits or customer impact from the
reported vulnerabilities. "Upon completion of this investigation,
Microsoft will take the appropriate action to protect our customers, which
may include providing a fix through our monthly patch release process
or an out-of-cycle patch, depending on customer needs," said Stephen
Toulouse, security program manager of Microsoft's Security Response Center,
in a statement.
Opera browser also at risk
In addition, Secunia late last week also reported vulnerabilities
in the Opera browser, version 7.22 and earlier, that can cause a buffer
overflow. Opera this week released an update
to its browser, Opera 7.23, that fixes those security holes.