Internet security firm Secunia is critical of the security software update Apple released Friday evening.
Secunia director and CEO Niels Henrik Rasmussen contacted Macworld UK this morning to warn that his company doesn't believe Apple's fix has gone far enough: "It is still possible to execute arbitrary code on a vulnerable user’s system, just as easy as before Apple issued the security update."
While the security specialists "were pleased" Apple patched the vulnerability within a week of it entering public discussion, Secunia remains critical: "Apple reportedly knew about the vulnerability back in February," the specialists say.
The company remains critical of Apple's treatment of the issue, accusing the Californian computer company of "failing to describe the severity of the issues".
The security firm points out that Apple isn't as open in discussing security as its competitors: "Microsoft and most Linux distributions have learned the lesson and properly describe the nature and the impact of (most) vulnerabilities, allowing their customers to properly estimate the severity of a fixed issue. This is not possible when reading an Apple update."
The security update itself does not go far enough, Secunia says. While agreeing everything "should be OK" when the patch is installed, the specialist states: "another very unfortunate feature has been revealed in Mac OS X disk-image and volume handling, allowing a disk image to register a new URI (Uniform Resource Identifier) handler and associate an application with this – obviously this application can be located on the disk image or volume."
The company warns that this leaves Mac users as vulnerable to attack as before, as this has not yet been addressed. It repeats its recommendation that Mac users do not visit untrusted Web sites and that they do not surf the Internet as a privileged user.
When releasing the update, Apple senior vice president of worldwide product marketing Phil Schiller said: "Apple takes security very seriously and works quickly to address potential threats as we learn of them."
Apple recommends all users install its new Security upgrade, which is available via Software Update and from the Apple site.