search menu icon-carat-right cmu-wordmark

CERT Coordination Center

Apple Mac OS X with Bluetooth enabled may allow file exchange without prompting users

Vulnerability Note VU#258390

Original Release Date: 2005-05-09 | Last Revised: 2005-05-16

Overview

Apple Mac OS X with Bluetooth support may unintentionally allow files to be exchanged with other systems by default.

Description

Mac OS X includes support for the Bluetooth networking protocol suite. Bluetooth is a communication technology that enables short-range communication between devices.

The default Bluetooth settings in OS X may allow files to be exchanged with other devices unknowingly. The default location for files that are exchanged may also be used by other applications, resulting in unintended information disclosure.

Impact

Remote attackers may be able to exchange files with a Bluetooth-enabled system running Mac OS X, resulting in unintended information disclosure.

Solution

Apply An Update

Apple has addressed the issue in Security Update 2005-005.


As a workaround, users can manually disable the Bluetooth file sharing service or change the default location used for file transfers.

Vendor Information

258390
 
Affected   Unknown   Unaffected

Apple Computer Inc.

Updated:  May 05, 2005

Status

  Vulnerable

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Apple has addressed the issue in Security Update 2005-005.

If you have feedback, comments, or additional information about this vulnerability, please send us email.


CVSS Metrics

Group Score Vector
Base N/A N/A
Temporal N/A N/A
Environmental N/A

References

Acknowledgements

Thanks to Apple Product Security for reporting this vulnerability, who in turn credit Kevin Finisterre with reporting the issue.

This document was written by Ken MacInnis.

Other Information

CVE IDs: CVE-2005-1332
Severity Metric: 2.03
Date Public: 2005-05-03
Date First Published: 2005-05-09
Date Last Updated: 2005-05-16 16:13 UTC
Document Revision: 7

Sponsored by the Department of Homeland Security Office of Cybersecurity and Communications.