Apple: Mac security flaw fixed. Expert: Wrong

Macintosh computers still have a major security flaw. Apple said it had fixed the problem -- but it didn't.

Two weeks ago, Apple (AAPL) released a security update for Mac OS X Yosemite that claimed to fix a gaping hole in the operating system's code. Without a security patch, the vulnerability could allow hackers to take control of any Macintosh.

But the update did not fix the problem, according to Patrick Wardle, a security researcher who writes a security blog called Objective-See. He said Apple's security patch "seemed a reasonable fix," but he "found a novel, yet trivial way" for any hacker to abuse the same vulnerability that Apple claimed to have ended.

Wardle says he shared the technical details of the hack with Apple, and he demonstrated the attack in a video on his blog.

Alarmingly, this issue has persisted for at least six months. Google (GOOGL) alerted Apple to the problem in October and made the security flaw public in January. Months later, there still appears to be no fix.

That's not a huge surprise, as Apple has a miserable security record.

Last year, Apple was plagued with a serious security flaw that allowed hackers to read private communications sent over Apple devices, including emails, instant messages, social media posts and even online bank transactions. But Apple waited four days to fix the "goto fail" bug on Macs after it had already patched iPhones and iPads. An app developer, Roland Moriz, also claims to have notified Apple about a similar bug four months before Apple fixed it.

That's nothing compared to the two months Apple waited to fix the Flashback bug -- the largest targeted attack on Macs ever. In early 2012, Flashback exploited a hole in Java, and Oracle (ORCL) quickly fixed the bug. But Apple uses its own version of Java and didn't get around to patching its software right away.

And it took more than three years for Apple to fix the so-called FinFisher Trojan that allowed law enforcement to spy on iPhone users.

Apple didn't even issue automatic security upgrades until December 2014. Automatic updates for Microsoft (MSFT) Windows have been around for nearly 15 years and are a critical security feature.

Because it dominates the PC market, hackers still predominantly target Windows. But as Macs have gained on Windows PCs, hackers have increasingly focused on Apple as a target.

Macintoshes have "several significant weaknesses" in anti-malware protections, Wardle noted in a white paper. Many of Apple's security enhancements are "trivial to bypass," he said.
