Print
Discuss
Send to friend
RSS feedsApple has released a security patch for a vulnerability in its iSync application bundled with the OS X operating system. But it took the vendor at least three months to release the fix.
The iSync application allows users to synchronise data such as mp3 files, address book entries or calendar appointments between a PC and mobile devices such as iPods, mobile phones or PDAs.
The patch released on Tuesday is identified as Security Update 2005-004. It followed one month after update 2005-003.
The flaw makes iSync's mRouter tool vulnerable to a buffer overflow attack. Users with local access to affected systems could then gain super-user privileges.
Apple computers running OS X version 10.2.8 through to the current version 10.3.9 are susceptible to the bug.
The flaw was discovered by Braden Thomas, an independent developer of security software and a member of the University of Southern California's Digital Security Interest Group.
Thomas went public about the security hole on 22 January, and had notified Apple even earlier. In an email to vnunet.com, Thomas explained that "three months is a long time to fix the bug".
"I was surprised that [Apple] did not include a fix in Security Update 2005-003," he wrote. "In fact, an AppleFileServer DoS bug I discovered that was disclosed in February was fixed by Update 003."
Apple did not respond to a request to provide further information about the time it took to issue the fix.
See also:
Organisers scrap $25,000 challenge to infect OS X 29 Mar 2005
Company shaken to the core as new DRM system is cracked in under 24 hours 23 Mar 2005All Applications
del.icio.us
Digg this
reddit!
