Apple Posts Four Bug Fixes - InformationWeek

Apple Posts Four Bug Fixes

The vulnerabilities were identified by the Month of Apple Bugs project.

Apple on Thursday released a security update that patches four vulnerabilities in Mac OS X and iChat.

All four vulnerabilities were identified by the Month of Apple Bugs project; two of them would allow a remote user to access and control the compromised computer. According to the Apple update, proof-of-concepts for the vulnerabilities have been posted on the Month of Apple Bugs Web site, but the company has not spotted working exploits in the wild.

Patches for all four flaws are available online.

Apple reports that a buffer overflow flaw in Mac OS X's Finder could lead to an application crash or remote control. This problem doesn't affect systems prior to Mac OS X v10.4. Apple credits Kevin Finisterre, who participated in the Month of Apple Bugs project, for notifying them of the vulnerability.

Apple is also fixing two flaws in iChat -- one that could cause an application crash and another that could cause a crash or allow a hacker to remotely control the system.

For the first flaw, the company's advisory reports that a null pointer dereference in iChat's Bonjour message handling could allow a local network attacker to cause an application crash. A proof of concept for the flaw has been published on the Month of Apple Bugs Web site. For the second iChat flaw, Apple explains that a format-string vulnerability has been found in the iChat AIM URL handler. If a user clicks on an AIM link to a malicious site, an attacker can trigger the vulnerability, which may lead to an application crash or arbitrary code execution. A proof of concept for this has been published as well.
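The two bug classes the advisory names in this paragraph, as an added example in C that is not iChat's code or anything from Apple's advisory: a format-string bug in a URL handler beside its hardened form, and a NULL pointer dereference in message-field lookup beside the checked version. The URL, the message layout and every function name are constructed for illustration.

```c
/* Added example, not code from iChat or from Apple's advisory.
 * Illustrates the two bug classes named in the text: a format-string
 * flaw in a URL handler and a NULL pointer dereference in message
 * handling. All inputs and names below are constructed. */
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* --- 1. Format-string flaw in a URL handler ------------------------- */

/* Constructed sample: a URL that carries printf conversion directives. */
static const char HOSTILE_URL[] = "aim:goim?screenname=%x%x%x%n";

/* Unsafe pattern, shown only as a comment because running it on the URL
 * above is undefined behaviour:
 *
 *     static void log_url_unsafe(char *buf, size_t n, const char *url) {
 *         snprintf(buf, n, url);      // url itself becomes the format
 *     }
 *
 * Each directive is then interpreted instead of copied, which is why a
 * clicked link can end in a crash or worse. */

/* Hardened: the format is a literal and the URL is only ever an argument.
 * Returns 1 on success, 0 if the output was truncated. */
int log_url_safe(char *buf, size_t n, const char *url) {
    int written = snprintf(buf, n, "open url: %s", url);
    return written >= 0 && (size_t)written < n;
}

/* Count conversion directives in a string ("%%" is a literal percent).
 * Untrusted text must never reach a format parameter, so a non-zero
 * count on anything about to be used as a format is a bug. */
int count_format_directives(const char *s) {
    int count = 0;
    for (const char *p = s; *p; p++) {
        if (*p != '%') continue;
        if (p[1] == '%') { p++; continue; }
        count++;
    }
    return count;
}

/* Check that the hardened handler keeps the URL as inert data: the
 * directives survive verbatim in the output instead of being expanded. */
int safe_log_keeps_url_literal(const char *url) {
    char buf[256];
    if (!log_url_safe(buf, sizeof buf, url)) return 0;
    return strstr(buf, url) != NULL;
}

/* --- 2. NULL pointer dereference in message handling ----------------- */

/* Look up "key=value" in a ';'-separated message. Returns NULL when the
 * key is absent; the caller must handle that. */
const char *find_field(const char *msg, const char *key) {
    size_t klen = strlen(key);
    const char *p = msg;
    while (p && *p) {
        if (strncmp(p, key, klen) == 0 && p[klen] == '=')
            return p + klen + 1;
        p = strchr(p, ';');
        if (p) p++;
    }
    return NULL;
}

/* Unsafe pattern: strlen(find_field(msg, "from")) with no NULL check,
 * so a peer that simply omits the field crashes the handler.
 * Hardened: a missing required field is a malformed message (-1). */
int sender_name_length(const char *msg) {
    const char *from = find_field(msg, "from");
    if (from == NULL)
        return -1;                       /* reject instead of dereferencing */
    return (int)strcspn(from, ";");      /* value ends at the next separator */
}

int main(void) {
    char buf[128];
    printf("directives in hostile URL: %d\n", count_format_directives(HOSTILE_URL));
    log_url_safe(buf, sizeof buf, HOSTILE_URL);
    printf("%s\n", buf);
    printf("well-formed: %d\n", sender_name_length("ver=1;from=alice;msg=hi"));
    printf("missing field: %d\n", sender_name_length("ver=1;msg=hi"));
    return 0;
}
```

The directive counter is the kind of check a reviewer or a lint rule applies to any value that flows into a `printf`-family format parameter; the fix itself is always the literal format string, never sanitising the input.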

Apple is also patching a UserNotification flaw that could allow local users to gain system privileges. The flaw could allow a user to change or overwrite system files. A program that triggers this issue has been published on the Month of Apple Bugs Web site.

A pair of security researchers announced in December that they were launching a month-long bug list of zero-day Mac OS X and Apple application vulnerabilities starting Jan. 1.

The Month of Apple Bugs project, which was similar to November's Month of Kernel Bugs campaign, was hosted by the kernel bug poster who goes by the initials "LMH," and his partner, Finisterre, a researcher who has posted numerous Mac vulnerabilities and analyses on his own site.
