Experts Ponder Third-Party Mac Patches

Bug, patch. Bug, patch: It's been a busy month for Apple researchers exposing vulnerabilities in Mac OS and related applications, and then releasing patches for the holes. But these third-party patches carry inherent risks of their own. (See Rift Widens Over Bug Disclosure, Apple Bug Bites OS X, Windows, and Buggin' Out?)

What's a Mac user to do? Apple so far has been mostly silent on the MOAB's findings and on the Month of Apple Fixes patches. As of this posting, Apple had not responded to a request for comment or an interview for this article.

Third-party patches are notoriously risky because they don't have the backing of the vendor itself -- in this case, Apple. So if they crash another app, or open up another hole, you're out of luck. Even the Month of Apple Fixes creator Landon Fuller admits that a vendor's update or patch is always better than a third-party one, which is limited in its testing abilities. "It is always possible that a bug in the patch could result in an instability, or potentially expose a new exploit scenario," he says on his Website. But a third-party patch may be the only way to stave off a critical threat while you await the vendor's fix, he adds.

Still, "it's never unreasonable to wait for an officially-provided vendor fix." Fuller has no plans to patch the kernel bugs found by the MOAB because it's much too risky (think file system corruption and data loss) to attempt a third-party fix for a kernel bug.

Complicating things further, the MOAB's LMH recently found a local privilege escalation flaw in the tool Fuller is using to apply his patches, Unsanity's Application Enhancer, or APE.

The bottom line is you need to evaluate whether the vulnerability applies to you or your users, security experts say.

First, decide just how risky it is to you or your organization, which will determine whether you need to install a third-party patch or not, says Randy Abrams, director of technical education for Eset.

"Decide based upon what you know about the maker of the third-party patch and whether or not changing your behaviors or computer [configuration] can protect you," he says. "For Mac users who are not security-savvy, it's probably more dangerous going to third-party patches."

Abrams says Apple should speak up and clarify its position on these third-party patches. "An OS manufacturer has an obligation to warn customers of the implications" of using third-party patches, he says. "If you use this patch, does that nullify your support [from the vendor]?"

Without any guidance from Apple, Mac users are at risk of being duped into applying malicious patches rather than safe ones, he says. "It sets up users for social engineering attacks," Abrams says. "Microsoft makes itself really clear what it thinks about third-party patches... I'm surprised Apple hasn't vocalized what its thoughts are on third-party patches."

MOAB's LMH says he's had some communication with Apple, mostly their asking him for information on the bugs he's released thus far. "If Apple fixes the issues, it will be a way of acknowledging the validity of the problems," he says. "I suspect there may be some sort of downplaying attempts."

Paul Henry, vice president of security evangelism for Secure Computing, says Apple is likely silent to avoid assigning credibility to the MOAB. And there haven't been any bugs critical enough yet to warrant a big response, he says. "If something comes out that's critical enough, perhaps Apple will come out with" patches, he says. And most of the bugs published to date by the MOAB can be handled with simple workarounds anyway, he says. "In my opinion, they didn't require having to install a third-party patch."

"I'm a little disappointed in what they've come up with so far," Henry says. "I would have expected more eye-opening vulnerabilities than what's been shown to date."

Of the first 15 bugs, he notes, a few required changing permissions, avoiding downloading files from people you don't know, or running Adobe Version 8, for instance. One was for AppleTalk, which is rarely used anymore, he says.

But the MOAB and Month of Apple Fixes are still chugging along. As a matter of fact, LMH says he's about to release a new Ruby-based binary patching engine that could be used to patch the Apple bugs. He says he didn't initially intend to release the tool, which he had developed for reverse engineering and software licensing-cracking, he says. "Due to all the hype over these third-party patches using a flawed product [APE], I'm going to provide the source code and samples for people willing to work with them [the patches]."

— Kelly Jackson Higgins, Senior Editor, Dark Reading