Month Of Apple Bugs Kicks Off

The "Month of Apple Bugs" (MoAB) project launched on January 1, 2007. It began by warning of a zero-day flaw in Apple's QuickTime media player. It also cautioned of an exploit that attackers could use to hack, compromise, or infect PCs running either Windows or Mac OS X.

Each day in January, the MoAB will disclose a new security flaw in Apple's operating system or other Mac OS X software. The MoAB follows the November 2006 "Month of Kernel Bugs" campaign. The project is co-hosted by a hacker known only by the initials "LMH" and Kevin Finisterre, a researcher who has posted a number of Mac vulnerabilities and their analyses on his site.

The MoAB Web page carries an advisory stating that the flaw is caused by the way QuickTime handles the "real time streaming protocol" (RTSP), a media streaming communications standard. An attacker who succeeds in getting an unwitting user to open a specially crafted hyperlink that starts with "rtsp://" can easily install unauthorized software on the victim's PC.

Some people within the Apple community have responded disdainfully, saying that the pair had not acted responsibly because they failed to notify Apple of the security gaps.

Johannes Ullrich, CTO of the SANS Internet Storm Center, remarked that the exploit seemed to be fairly strong and easy to apply. He said it is open to abuse to the extent that it presents a severe security threat to both Mac and Windows users.

In Ullrich's view, Apple is in an advantageous position because its users do not normally run as administrators. Even so, users' personal data is at risk. The flaw could be used to install threats more typical of Windows PCs, such as bot or keystroke-logging software, even if the Mac user is working from a less privileged user account.

QuickTime was last in the news in December 2006, when fraudsters exploited a bug in the player on MySpace. That vulnerability has still not been patched.

LMH expects to see more QuickTime attacks now that his latest flaw has been made public. He believes only time will tell whether it is abused.

Related article: Mammoth Apple OS X Update Patches 88 Flaws

» SPAMfighter News - 1/8/2007
