Apple Posts Four Bug Fixes - InformationWeek
11:49 AM


The vulnerabilities were identified by the Month of Apple Bugs project.

Apple on Thursday released a security update that patches four vulnerabilities in Mac OS X and iChat.

All four vulnerabilities were identified by the Month of Apple Bugs project, and two of them would allow a remote attacker to execute code on, and so take control of, the compromised computer. According to the Apple update, proof-of-concept code for the vulnerabilities has been posted on the Month of Apple Bugs Web site, but the company has not spotted working exploits in the wild.

Patches for all four flaws are available online.

Apple reports that a buffer overflow in the Mac OS X Finder could lead to an application crash or arbitrary code execution. The problem doesn't affect systems prior to Mac OS X v10.4. Apple credits Kevin Finisterre, who participated in the Month of Apple Bugs project, for notifying it of the vulnerability.

Apple is also fixing two flaws in iChat: one that could cause an application crash, and another that could cause a crash or allow an attacker to remotely control the system.

For the first flaw, the company's advisory reports that a null pointer dereference in iChat's Bonjour message handling could allow an attacker on the local network to crash the application. A proof of concept for the flaw has been published on the Month of Apple Bugs Web site. For the second iChat flaw, Apple explains that a format-string vulnerability has been found in the iChat AIM URL handler. If a user clicks a crafted AIM link on a malicious site, the attacker-controlled URL is interpreted as a format string, which may lead to an application crash or arbitrary code execution. A proof of concept for this has been published as well.
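The AIM URL handler bug is a textbook format-string vulnerability, so a worked illustration of the pattern is useful. The following C program is an added example and not iChat's code or anything from the Month of Apple Bugs site: it models a toy aim: URL handler that records each incoming link through a small logging helper, with the vulnerable call beside the fixed one. The helper name `log_line`, the two `log_url_*` functions, the directive counter and the sample URLs are all constructed for this illustration.

```c
#include <stdarg.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed example, not Apple's iChat code: a toy aim: URL handler that
 * records each incoming link through a printf-style logging helper. */

/* Typical logging helper. Because it carries no format attribute, the
 * compiler will not warn when a caller passes attacker data as the format. */
static int log_line(char *out, size_t outsz, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int n = vsnprintf(out, outsz, fmt, ap);
    va_end(ap);
    return n;
}

/* Vulnerable pattern: the URL itself becomes the format string, so "%x" in
 * the link leaks stack words, "%s" dereferences them and "%n" writes memory.
 * Only "%%" (a literal percent) is well defined when no arguments are passed;
 * the demo below uses that to show the interpretation without undefined
 * behaviour. */
int log_url_vulnerable(char *out, size_t outsz, const char *url)
{
    return log_line(out, outsz, url);
}

/* Fixed pattern: a constant format, with the URL passed as data. */
int log_url_fixed(char *out, size_t outsz, const char *url)
{
    return log_line(out, outsz, "%s", url);
}

/* Count conversion specifiers planted in a URL; "%%" is a literal percent and
 * is not counted. A non-zero count on an inbound link is a cheap detection
 * heuristic for probes against a legacy logging path. */
size_t count_format_directives(const char *s)
{
    size_t n = 0;
    for (; *s; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') {  /* escaped percent, skip both characters */
            s++;
            continue;
        }
        n++;
    }
    return n;
}

/* Returns 1 if logging `url` through `logger` yields exactly `expected`. */
int log_yields(int (*logger)(char *, size_t, const char *),
               const char *url, const char *expected)
{
    char buf[256];
    logger(buf, sizeof buf, url);
    return strcmp(buf, expected) == 0;
}

int main(void)
{
    /* Constructed sample links, as an attacker might embed them in a page. */
    const char *probe  = "aim:goim?screenname=%x%x%x%n";
    const char *benign = "aim:goim?screenname=bob&message=50%%";
    char buf[128];

    printf("directives in probe: %zu\n", count_format_directives(probe));
    log_url_vulnerable(buf, sizeof buf, benign);
    printf("vulnerable log: %s\n", buf);   /* "%%" collapses to "%" */
    log_url_fixed(buf, sizeof buf, benign);
    printf("fixed log:      %s\n", buf);   /* link recorded verbatim */
    return 0;
}
```

The "%%" case is deliberately the only one exercised, because feeding "%x" or "%n" to the vulnerable path is undefined behaviour and a real crash; the collapse of "%%" to "%" is enough to prove that the URL is being parsed as a format. Compiling with `-Wformat-security` would catch a direct `printf(url)` but not a call through an un-annotated wrapper like `log_line`, which is why the fix is a constant format at the call site.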

Apple is also patching a UserNotification flaw that could allow local users to gain system privileges, and with them the ability to change or overwrite system files. A program that triggers this issue has been published on the Month of Apple Bugs Web site.

A pair of security researchers announced in December that they were launching a month-long series of disclosures of zero-day Mac OS X and Apple application vulnerabilities, starting Jan. 1.

The Month of Apple Bugs project, which was similar to November's Month of Kernel Bugs campaign, was hosted by the kernel bug poster who goes by the initials "LMH," and his partner, Finisterre, a researcher who has posted numerous Mac vulnerabilities and analyses on his own site.
