MoAB Disclose Two Bugs On Two Successive Days
The Month of Apple Bugs (MoAB) project posted details of a flaw on Thursday, January 4 2007, affecting Apple's iPhoto digital photo software. This was soon after it announced the cross-site scripting vulnerability of Apple's QuickTime bug on Wednesday.
The bug report of Thursday affects the iPhoto software in Apple's iLife digital content management suite. A cyber criminal could exploit this flaw by creating a rigged iPhoto photocast XML feed that changes the function of the "title" element, which could make way for execution of malicious code, said researchers of MoAB following the posting of a proof of concept code.
There are suggestions to avoid subscribing to photocasts if a user has not checked the feed for a malicious payload. However, checking the XML for a feed isn't easy as Safari deposits it straight to iPhoto. For a surfer who wants to open the feed in Firefox, he should go to the URL shown in the error message and then by choosing View>Page Source he can view the feed's XML.
When the QuickTime bug spread in December through MySpace it used a vulnerability that let hackers to plant cross-site scripting attacks. The same flaw could work similarly for cross-zone scripting attacks.
In the meantime a former Apple engineer Landon Fuller has taken an initiative to plug the security holes that the Month of Apple Bugs project has so far disclosed. Fuller is a BSD developer and the key constructor of Apple's BSD-based Darwin operating system. He said he came across MoAB project and would set right as many bugs as possible.
An advisory on the MoAB said that it found another bug in the VLC application, a Mac version of VideoLAN's free video software that hackers could exploit to gain access of an affected system.
Fuller has designed and issued a patch for this vulnerability. He has also released a patch for the serious QuickTime flaw on the same day it was uncovered. This fix will work by installing Application Enhancer.
Fuller said if he has time he will try to fix the other bugs, one a day, for the whole month.
Related article: MOAB Uncovers Mac OS X Flaw On Safari Browser
» SPAMfighter News - 09-01-2007