At least six zero-day vulnerabilities in Apple Computer Inc.'s Mac OS X were disclosed earlier this week by an independent researcher, who noted that all can crash applications or the operating system, and some may let attackers hijack systems.
Four of the bugs relate to how the Mac's OS parses various image file formats -- including BMP, TIFF, and GIF -- one to how OS X decompresses malformed ZIP archives, and "several" affect Apple's Safari browser, said researcher Tom Ferris in numerous advisories posted Wednesday to his Security Protocols site.
All affect OS X 10.4.6 -- the most current edition -- as well as earlier editions, said Ferris, who added that they can result in a local denial of service (DoS), in other words "crashes," and may be further exploitable by attackers to install their own malicious code on compromised Macs.
Danish vulnerability tracker Secunia collectively ranked the flaws as "Highly critical" on Friday. For his part, Ferris rated the Safari vulnerabilities as posing the greatest threat, and in his advisory included links to basic proof-of-concept code. Browsers are a particularly attractive target for attackers, since nearly every computer owner uses one, they contain a seemingly unlimited number of bugs, and attacks can sometimes be perpetrated without the user's knowledge through drive-by downloads.
The only remedy offered by Secunia was to avoid untrusted Web sites, and not to open ZIP or image files from other dubious locations.
Apple was notified of some of the vulnerabilities in January, others in February, but has not yet patched any of them, claimed Ferris.
Apple didn't immediately reply to a request about how it plans to deal with the zero-day bugs; typically, the Cupertino, Calif., computer maker refuses to comment on unresolved or unpatched security vulnerabilities.