January is over and in addition to a twelfth of the year being gone, it means that the Month of Apple Bugs is over. Don’t think we got out without just a tad more controversy. Reader David brings us word that they intentionally crashed Safari browsers (have we found drunkenbatman’s new home?).
Let’s dive back into the world of bug reporting without any hint of maturity.
The 20th: Apple iChat aim:// URL Handler Format String Vulnerability
This is exactly like a bunch of the other vulnerabilities. Solution: use RCDefaultApp to disable the aim:// URL handler.
The 21st: System Preferences writeconfig Local Privilege Escalation Vulnerability
I’ve already shared that this is a scary problem. The workaround included also looks good.
The 22nd: Apple UserNotificationCenter Privilege Escalation Vulnerability
This issue allows a malicious InputManager (located at ~/Library/InputManagers/) to escalate a malicious program to root privileges (an application crash is all that’s necessary to trigger the problem). Watch that directory and be careful.
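One way to watch that directory, as an added example that is not part of the original post: record a baseline listing of ~/Library/InputManagers/ and flag anything that shows up later. The baseline file location and the function names are assumptions made for this sketch.

```shell
#!/bin/sh
# Added example: baseline-and-compare watch for an InputManagers directory.
# Directory path is from the post; the baseline file location is an assumption.

# snapshot DIR: print the top-level entries of DIR, one per line, sorted.
snapshot() {
    snap_dir=$1
    [ -d "$snap_dir" ] || return 0      # missing directory == nothing installed
    for entry in "$snap_dir"/* "$snap_dir"/.[!.]*; do
        # Keep dangling symlinks too; skip glob patterns that matched nothing.
        if [ -e "$entry" ] || [ -L "$entry" ]; then
            printf '%s\n' "${entry##*/}"
        fi
    done | LC_ALL=C sort
}

# check_input_managers DIR BASELINE
# The first run records BASELINE; later runs print what changed since then.
# Returns 0 if nothing was added, 1 if new entries appeared, 2 on error.
check_input_managers() {
    im_dir=$1
    im_base=$2
    if [ ! -f "$im_base" ]; then
        snapshot "$im_dir" > "$im_base" || return 2
        echo "baseline recorded for $im_dir"
        return 0
    fi
    im_now=$(mktemp) || return 2
    snapshot "$im_dir" > "$im_now"
    im_added=$(LC_ALL=C comm -13 "$im_base" "$im_now")    # only in current listing
    im_removed=$(LC_ALL=C comm -23 "$im_base" "$im_now")  # only in baseline
    rm -f "$im_now"
    if [ -n "$im_removed" ]; then
        printf '%s\n' "$im_removed" | sed 's/^/removed: /'
    fi
    if [ -n "$im_added" ]; then
        printf '%s\n' "$im_added" | sed 's/^/NEW: /'
        return 1
    fi
    return 0
}

# Run only when called with both arguments, e.g.:
#   sh watch_im.sh "$HOME/Library/InputManagers" "$HOME/.inputmanagers.baseline"
if [ "$#" -eq 2 ]; then
    check_input_managers "$1" "$2"
fi
```

Run it once on a known-good system to record the baseline, then from a login item or periodic job; a non-zero exit status means something new was installed since the baseline.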
The 23rd: Apple QuickDraw GetSrcBits32ARGB() Memory Corruption Vulnerability
Maliciously crafted PICT files will crash applications (and they refer back to the last exploit to show how it could be used for something actually dangerous). Use the aforementioned RCDefaultApp to disable the opening of these files (not that many people use them anymore anyway).
The 24th: Apple Software Update Catalog Filename Format String Vulnerability
A file with the file extension swutmp and the proper characters in the name can crash Software Update. Solution: don’t open files with that file extension.
The 25th: Apple CFNetwork HTTP Response Denial of Service
Applications using CFNetwork will crash unless they handle the error condition correctly. This isn’t exploitable, unless you count the issue from the 22nd (requiring the installation of an InputManager). By itself, this is annoying at most.
The 26th: Apple Installer Package Filename Format String Vulnerability
Like other exploits, a maliciously crafted Installer Package filename will trigger a crash that could possibly lead to arbitrary code execution.
The 27th: Telestream Flip4Mac WMV Parsing Memory Corruption Vulnerability
Telestream’s Flip4Mac can be abused by ASF files, leading to execution of code embedded into the file.
The 28th: Apple crashdump Privilege Escalation Vulnerability
crashreporterd will record crash information into the user’s local Logs directory if possible, opting for the system directory if the user one isn’t writable. It’ll also follow symlinks. However, using my advice from last time, if you’re using a regular user account, you’re safe.
The 29th: Apple iChat Bonjour Multiple Denial of Service Vulnerabilities
First, I’m not linking the description page because it’ll send Safari (and OmniWeb, probably any WebKit browser) into a seemingly infinite loop. Really immature. You can really tell LMH wants to be taken seriously. Anyway, this can totally hose your Bonjour iChat use. However, it requires the malicious user to already be inside your network (unlikely when using a NAT router).
The 30th: Multiple Apple Software Format String Vulnerabilities
No new bug (did they run out?). Instead they group all the similar bugs that they already mentioned (and which should have been grouped together anyway, if not for the commitment to a month of bugs) and embed an obnoxious song that loops. Barrel of laughs these guys.
The 31st: Stay tuned (and farewell)
Some more pissing contest type grandstanding, idle threats, and a couple shout-outs to friends. No bug though.
LMH alerted us to several important issues and reminded us to use general safe computing practices. He also illustrated what must have been the most infantile, immature way to communicate with the world at large. There’s more than enough pot calling the kettle black to make any of his criticisms of others null and void. It’s given me newfound respect for Tom Ferris. Seriously, kudos Tom.
January's gone and my computing experience remains the same.
My Apple computers are far safer than any Windows machine out there that connects to the internet.
I wonder if next year they would just find vulnerabilities and report them straight to Apple instead of making a big deal about it?
That pony has so many copyright infringements on it, it's hard to determine HOW to sue it, lol
Thanks Derik..