Apple has still not properly fixed the HFS+ filesystem named fork vulnerability discovered last week, according to the company that first noticed it, NetSec.
The fix put out by the company at the end of last week will only address the security flaw for OS X systems running the Apache web server which is shipped by default. Customers using other web servers such as 4D WebSTAR remain vulnerable the managed security specialist has claimed.
In addition, those running modified versions of the Apache web server on OS X would not have received the update patch automatically, but would not necessarily realise this. The vulnerability risks allowing attackers to exploit URLs to gain access to back-end data structures and carry out website defacement or information theft.
NetSec said it was not aware of any live exploits at the present time. However, it had decided to alert the Apple community to the issue after the exploit topic started being discussed on public domain sites.
“They’ve slapped a band-aid on the problem,” commented NetSec’s Tom Parker. Fixing the problem once and for all would require complex changes to the OS X kernel, he said, which might explain why the patch had turned out to be partial.
Figures for the number of customers using Apache on OS X are difficult to come by, but one source – Netcraft – notes the number of high-level servers running WebStar as approaching 60,000. Apache is by far the most popular, regardless of platform.
4D WebSTAR contacted us with the following message for its users: "Our engineers are working on fixing this potential vulnerability for 4D WebSTAR Web Servers. Meanwhile, there is a workaround that 4D has posted at www.4d.com/products/hfs_sec.html, which 4D WebSTAR administrators can easily implement to block any potential exploitation."