Seven unpatched OS X flaws exposed

Researcher challenges Apple's security record with seven bug disclosures

Security researcher Tom Ferris has published details about seven security vulnerabilities in Apple's OS X operating system, including proof-of-concept code. 

The most severe flaw affects the Safari browser, which could be targeted by attackers to execute code on a system or cause the browser to crash.

The other flaws were found in several OS X features. An attacker could, for instance, use a specially crafted Tiff image file to cause an image viewer or editor to crash. Similar issues affect the .bmp and .gif image file formats.

An error in the way that OS X handles archives such as Zip files creates an opportunity for attackers to crash applications or to execute arbitrary code.

The researcher gave one of the flaws a severity rating of 'high' and rated the remaining six 'medium'.

Security organisations Secunia and the Sans Internet Storm Centre claimed that the vulnerabilities are "highly critical" because they allow attackers to execute code on a system or can cause a denial of service attack.

"There seem to be some problems with the claimed 'solid as a rock' Unix operating system," Ferris wrote on his website when he announced the vulnerability disclosure earlier this month. 

"Getting Safari to crash in many different spots is trivial, whereas Firefox is very tough."

Apple uses the 'Solid as a rock' slogan on its website to describe OS X's security record. 

The application has suffered only a few isolated virus attacks which have failed to cause any harm, but some experts have warned that the software will become a more attractive target as it gains market share.

Ferris said that he reported the vulnerabilities to Apple at the beginning of the year and claimed that they will be fixed in the next security release.

A spokesman for Apple said that he was aware of Ferris's report, but was unable to comment on the vulnerabilities.