Apple puts out Mac OS security fix

Hole could give hackers control of a computer...

By Michael Kanellos

Published: 23 December 2003 08:45 GMT

Apple Computer has issued a security update that, among other fixes, closes a hole in Mac OS X that could have allowed hackers to take control of a computer under particular circumstances.

The patch, which the firm released late Friday, essentially changes the default settings for connecting to a Dynamic Host Configuration Protocol (DHCP) server on Mac OS X 10.2.8 (aka "Jaguar"), Mac OS X 10.3.2 (aka "Panther") and the corresponding server versions of these operating systems.

A DHCP server assigns a TCP/IP address to a computer and, under the earlier default settings, a Mac running one of the above-listed OSes would accept data from DHCP servers found on a local area network.

If a hacker inserted a malicious DHCP server on a local network, he or she could then exploit Apple's earlier default setting to embed malicious software on a computer or use the computer as a drone for coordinated attacks on other systems.

An Apple representative said the probability of a hack occurring was low, because the hacker would have to be an insider.

But William Carrel, a Mac user who runs a Mac security site, said an outside hacker who broke into a corporate network could add a DHCP server to that network. At that point, the outsider could take complete control of unpatched desktops.

"Anyone who can gain access to your network can gain administrator access to your computer and therefore steal your data or launch attacks upon others, as soon as you reboot your machine," Carrel wrote on his site.

Carrel discovered the flaw in November.

Apple's security update also fixes a buffer overflow vulnerability in a file system, plugs another vulnerability in Panther that could cause denial-of-service requests and in general improves the security features of the affected OSes.

"This is a general security update," the Apple representative said. Apple credited Secure Network Operations for reporting the denial-of-service vulnerability.

Further information on the update and a link for downloading can be found here at Apple's site.

In a lot of ways, 2003 was the year of the hole. Microsoft acknowledged 119 vulnerabilities this year in Windows - 47 in Windows 2000, 46 in Windows XP and 26 in Windows 2000 Server - and issued 76 security updates, according to the company.

And Linux and Apple weren't being left out. Security experts found vulnerabilities, albeit far fewer, with those operating systems this year, too. The number of flaws found in Linux will likely increase as well, according to Symantec CEO John Thompson, among others, as the target base increases.

Apple also issued security updates for Panther and Jaguar in November, regarding other vulnerabilities.

Michael Kanellos writes for CNET News.com
