2/16/2007
11:49 AM

Apple Posts Four Bug Fixes

The vulnerabilities were identified by the Month of Apple Bugs project.

Apple on Thursday released a security update that patches four vulnerabilities in Mac OS X and iChat.

All four vulnerabilities were identified by the Month of Apple Bugs project, and two of them would allow a remote user to access and control the compromised computer. According to the Apple update, proofs of concept for the vulnerabilities have been posted on the Month of Apple Bugs Web site, but the company has not spotted working exploits in the wild.

Patches for all four flaws are available online.

Apple reports that a buffer overflow flaw in Mac OS X's Finder could lead to an application crash or remote control. This problem doesn't affect systems prior to Mac OS X v10.4. Apple credits Kevin Finisterre, who participated in the Month of Apple Bugs project, for notifying the company of the vulnerability.

Apple also is fixing two flaws in iChat -- one that could cause an application crash and another that could cause a crash or allow a hacker to remotely control the system.

For the first flaw, the company's advisory reports that a null pointer dereference in iChat's Bonjour message handling could allow a local network attacker to cause an application crash. A proof of concept for the flaw has been published on the Month of Apple Bugs Web site. For the second iChat flaw, Apple explains that a format-string vulnerability has been found in the iChat AIM URL handler. If a user clicks on an AIM link to a malicious site, an attacker can trigger the overflow, which may lead to an application crash or arbitrary code execution. A proof of concept for this has been published as well.

Apple also is patching a UserNotification flaw that could allow local users to gain system privileges. The flaw could allow a user to change or overwrite system files. A program that triggers this issue has been published on the Month of Apple Bugs Web site.

A pair of security researchers announced in December that they were launching a month-long bug list of zero-day Mac OS X and Apple application vulnerabilities starting Jan. 1.

The Month of Apple Bugs project, which was similar to November's Month of Kernel Bugs campaign, was hosted by the kernel bug poster who goes by the initials "LMH," and his partner, Finisterre, a researcher who has posted numerous Mac vulnerabilities and analyses on his own site.
