Ancient Flaws May Leave Mac OS X Vulnerable

mdeb writes "ZDNet Australia is running a story that claims Mac OS X 'contains unpatched security flaws of a type that were fixed on alternative operating systems more than a decade ago.' As an example, in August of last year, Apple patched the 'dsidentity' bug, which could easily have been exploited to grant a non-privileged user with admin rights the capability to create and remove 'root' user accounts."

Re:Big f-in deal

[i+kan+reed]

now that you've gone and said that, i went and tested it... WITH A GUEST ACCOUNT. and suprise! doesn't work.

No, he's right, personal experience

[theolein]

I, together with another guy on the MacNN boards, discovered some of the more serious aspects of the vulnerability pertaining to url types and mounting of remote volumes around two years ago, when a website could quite easily download, mount and execute an applescript or any application on your machine without you seeing it (Apple's response to this was the fact that you have to authenticate any new application the first time it's run these days, something now also in WindowsXP and Vista). We notified Apple and waited. And waited. And waited. Finally, after 3 or 4 months, Apple finally released the patch with the new functionality.

It was an extremely serious vulnerability because it was so easy to exploit and Apple really dragged their feet on that, and on other similar cases.

The guy is spot on with that comment. Apple is really slow in responding to possible exploits.